[Lxc-users] Firewalling ...

Gordon Henderson gordon at drogon.net
Fri Jul 2 14:09:52 UTC 2010


On Fri, 2 Jul 2010, Daniel Lezcano wrote:

> On 07/02/2010 03:06 PM, Gordon Henderson wrote:
>> Further to my logging stuff, which I seem to be able to get round now, I'm
>> now wondering about the issues surrounding firewalling - wondering if it
>> might be more efficient to have one firewall on the host which hooks into
>> the forwarding table, (eth0 rather than br0?) or individual firewalls on
>> each container - all doing more or less the same thing....
>> 
>> Any thoughts/comments?
>> 
>
> I didn't look at the netfilter code within the kernel but at the first glance 
> if the tables are 'namespacized', it would be more efficient to have the 
> iptables rules per container because the tables will be smaller and then the 
> lookup faster but *maybe* at the cost of an extra memory consumption. In the 
> other hand, it could be preferable to keep all on the host to centralize the 
> administration in a single network stack, that could be easier to configure. 
> Moreover if there is a large number of container, hence a big number of veth 
> attached to the bridge, the sooner the packet is dropped the better it is, 
> that should reduce the packet processing on the bridge (eg. prevent to find 
> the dest interface, deliver the packet to it, which result to a drop).
>
> IMHO it's a decision to be made against the containers number vs iptable 
> rules number.
>
> Well these are random thoughts and assumptions, so don't give too much credit 
> to it ;)

Always good to have another view on things though!

FWIW: I'm looking at up to 20 containers in a host for this application. 
(virtual asterisk servers) and I'm probably leaning towards centralised 
administration more than anything else...

Thanks,

Gordon




More information about the lxc-users mailing list