[Lxc-users] Firewalling ...
Gordon Henderson
gordon at drogon.net
Fri Jul 2 14:09:52 UTC 2010
On Fri, 2 Jul 2010, Daniel Lezcano wrote:
> On 07/02/2010 03:06 PM, Gordon Henderson wrote:
>> Further to my logging stuff, which I seem to be able to get round now, I'm
>> now wondering about the issues surrounding firewalling - wondering if it
>> might be more efficient to have one firewall on the host which hooks into
>> the forwarding table, (eth0 rather than br0?) or individual firewalls on
>> each container - all doing more or less the same thing....
>>
>> Any thoughts/comments?
>>
>
> I didn't look at the netfilter code within the kernel, but at first glance,
> if the tables are 'namespacized', it would be more efficient to have the
> iptables rules per container because the tables will be smaller and the
> lookup faster, but *maybe* at the cost of extra memory consumption. On the
> other hand, it could be preferable to keep everything on the host to centralize
> the administration in a single network stack, which could be easier to configure.
> Moreover, if there is a large number of containers, and hence a large number of veths
> attached to the bridge, the sooner the packet is dropped the better,
> as that should reduce the packet processing on the bridge (e.g. avoiding finding
> the dest interface and delivering the packet to it, only for it to be dropped).
>
> IMHO it's a decision to be made against the number of containers vs the number
> of iptables rules.
>
> Well these are random thoughts and assumptions, so don't give too much credit
> to it ;)
Always good to have another view on things though!
FWIW: I'm looking at up to 20 containers in a host for this application
(virtual asterisk servers), and I'm probably leaning towards centralised
administration more than anything else...
Thanks,
Gordon