
RE: [Xen-devel] iptables rules added by default

> In a default install of xen-3.0-testing, I just noticed that 
> it automatically adds in some iptables rules when a domain is 
> created. This is with the default of vif-bridge.
> In my case I don't use iptables on this server, so these 
> iptables rules are completely unnecessary and can't do 
> anything useful for performance.
> Does anyone have any comments on how much difference having 
> iptables loaded makes for throughput, and if this is 
> something we should be worrying about?

Connection tracking certainly isn't great for performance, but I doubt
the current rules need that.

I believe we added them because they were necessary to make DHCP in the
guest work with the default RH and SuSE firewall settings. I don't
believe the IP anti-spoof stuff is enabled by default.

Perhaps it should be configurable whether any iptables rules are added
at all. If you mv the iptables binary out of the way things should still
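The thread asks how much the per-domain iptables rules cost and whether they rely on connection tracking. A quick way for an administrator to answer that on their own dom0 is to audit the FORWARD chain for rules tied to a vif interface and check which of them use conntrack or a source-address (anti-spoof) match. The script below is an added example, not code from the Xen project or from anyone in this thread; the rule lines it parses are a constructed sample in `iptables -S` format and are not Xen's actual vif-bridge rules. Replace `SAMPLE_RULES` with the real output of `iptables -S FORWARD` to run it against a live host.

```shell
#!/bin/sh
# Constructed sample of `iptables -S FORWARD` output (illustrative only,
# not the rules Xen's vif-bridge script installs).
SAMPLE_RULES='-P FORWARD ACCEPT
-A FORWARD -m physdev --physdev-in vif1.0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif1.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif2.0 -s 192.0.2.10 -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT'

# Rules that are matched against a given vif (bridge port) in either direction.
# Usage: count_vif_rules vif1.0
count_vif_rules() {
    printf '%s\n' "$SAMPLE_RULES" | grep -Ec -- "--physdev-(in|out) $1" || true
}

# Rules that pull in connection tracking (the part with a real throughput cost).
count_conntrack_rules() {
    printf '%s\n' "$SAMPLE_RULES" | grep -c -e '-m state' -e '-m conntrack' || true
}

# Rules that check a source address, i.e. anti-spoof style filtering.
count_antispoof_rules() {
    printf '%s\n' "$SAMPLE_RULES" | grep -c -e ' -s ' || true
}

# Summary report for a list of vifs.
report() {
    for vif in "$@"; do
        echo "$vif: $(count_vif_rules "$vif") rule(s)"
    done
    echo "conntrack rules: $(count_conntrack_rules)"
    echo "anti-spoof rules: $(count_antispoof_rules)"
}

report vif1.0 vif2.0
```

Each function prints a count (0 when nothing matches), so the report can be compared before and after a domain is created to see exactly what the vif script added.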

