[Lxc-users] Firewalling ...
Daniel Lezcano
daniel.lezcano at free.fr
Fri Jul 2 13:38:24 UTC 2010
On 07/02/2010 03:06 PM, Gordon Henderson wrote:
> Further to my logging stuff, which I seem to be able to get round now, I'm
> now wondering about the issues surrounding firewalling - wondering if it
> might be more efficient to have one firewall on the host which hooks into
> the forwarding table, (eth0 rather than br0?) or individual firewalls on
> each container - all doing more or less the same thing....
>
> Any thoughts/comments?
>
I didn't look at the netfilter code within the kernel, but at first
glance, if the tables are 'namespacized', it would be more efficient to
have the iptables rules per container because the tables will be smaller
and hence the lookup faster, but *maybe* at the cost of extra memory
consumption. On the other hand, it could be preferable to keep everything on
the host to centralize the administration in a single network stack,
which could be easier to configure. Moreover, if there is a large number
of containers, hence a big number of veths attached to the bridge, the
sooner the packet is dropped the better, as that should reduce the
packet processing on the bridge (e.g. avoid finding the destination interface
and delivering the packet to it, only to have it dropped).
IMHO it's a decision to be made by weighing the number of containers against
the number of iptables rules.
Well, these are random thoughts and assumptions, so don't give too much
credit to them ;)
Thanks
-- Daniel
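As an added example (not code from this thread, from its authors, or from the LXC project), here is the "keep it on the host and drop early" option from the reply above, expressed as a script that emits an iptables-restore ruleset: every container gets a short chain of its own hooked into the host's FORWARD chain, so a lookup only walks that container's rules and an unwanted packet is dropped on the host instead of being delivered through the bridge to the veth. It assumes the containers sit on bridge br0, that the kernel passes bridged frames through iptables (net.bridge.bridge-nf-call-iptables=1, the br_netfilter module on newer kernels), and that the veth names and addresses are placeholders; the SPEC format, the CT_ chain prefix and the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not code from the lxc-users thread or from LXC itself).
# Emits an iptables-restore ruleset that filters all container traffic at the
# host's FORWARD chain, one short per-container chain each, so unwanted
# packets are dropped on the host before the bridge delivers them to a veth.
# Assumptions: containers hang off bridge br0, the kernel passes bridged frames
# through iptables (net.bridge.bridge-nf-call-iptables=1 / br_netfilter), and
# every veth name and address used here is a placeholder.
set -eu

BRIDGE=${BRIDGE:-br0}

# parse_spec "VETH:IP:PORTS" -> sets veth, ip, ports (PORTS is comma separated
# and may be empty). Chains are named CT_<veth>; keep veth names short, since
# iptables limits chain names to 28 characters.
parse_spec() {
    veth=${1%%:*}
    rest=${1#*:}
    ip=${rest%%:*}
    case $rest in
        *:*) ports=${rest#*:} ;;
        *)   ports= ;;
    esac
}

# container_chain VETH PORTS
# Per-container chain: replies to connections the container opened and the
# listed TCP ports are accepted; everything else addressed to it is dropped.
container_chain() {
    chain="CT_$1"
    printf '%s\n' "-A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $(printf '%s' "$2" | tr ',' ' '); do
        printf '%s\n' "-A $chain -p tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' "-A $chain -j DROP"
}

# gen_ruleset SPEC... -> complete *filter table on stdout for iptables-restore
gen_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':FORWARD DROP [0:0]'
    for spec in "$@"; do
        parse_spec "$spec"
        printf '%s\n' ":CT_$veth - [0:0]"
    done
    # 1. Anti-spoofing: a frame entering the bridge from a veth must carry
    #    that container's own address. --physdev-in is reliable in FORWARD;
    #    --physdev-out is not for routed traffic, so destinations are matched
    #    by address instead.
    for spec in "$@"; do
        parse_spec "$spec"
        printf '%s\n' "-A FORWARD -m physdev --physdev-in $veth ! -s $ip -j DROP"
    done
    # 2. Anything addressed to a container is decided in that container's
    #    chain; this also covers container-to-container traffic on the bridge.
    for spec in "$@"; do
        parse_spec "$spec"
        printf '%s\n' "-A FORWARD -o $BRIDGE -d $ip -j CT_$veth"
    done
    # 3. Traffic from a container to the outside; its source was checked in 1.
    for spec in "$@"; do
        parse_spec "$spec"
        printf '%s\n' "-A FORWARD -m physdev --physdev-in $veth -j ACCEPT"
    done
    for spec in "$@"; do
        parse_spec "$spec"
        container_chain "$veth" "$ports"
    done
    printf '%s\n' 'COMMIT'
}

# Usage: sh fw.sh veth_web:10.0.3.10:22,80 veth_db:10.0.3.11: | iptables-restore
if [ $# -gt 0 ]; then
    gen_ruleset "$@"
fi
```

The per-container alternative discussed in the reply would load the same `container_chain` rules inside each container's own network namespace instead of on the host. For the host-side variant shown here, the bridge-nf sysctl matters: with it off, bridged frames never reach iptables at all, so only routed traffic would be filtered and the physdev rules would never match.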