[Lxc-users] Firewalling ...

Daniel Lezcano daniel.lezcano at free.fr
Fri Jul 2 13:38:24 UTC 2010


On 07/02/2010 03:06 PM, Gordon Henderson wrote:
> Further to my logging stuff, which I seem to be able to get round now, I'm
> now wondering about the issues surrounding firewalling - wondering if it
> might be more efficient to have one firewall on the host which hooks into
> the forwarding table, (eth0 rather than br0?) or individual firewalls on
> each container - all doing more or less the same thing....
>
> Any thoughts/comments?
>    

I didn't look at the netfilter code within the kernel, but at first 
glance, if the tables are 'namespacized', it would be more efficient to 
have the iptables rules per container because the tables will be smaller 
and the lookup faster, but *maybe* at the cost of extra memory 
consumption. On the other hand, it could be preferable to keep everything on 
the host to centralize the administration in a single network stack, 
which could be easier to configure. Moreover, if there is a large number 
of containers, hence a big number of veths attached to the bridge, the 
sooner the packet is dropped the better; that should reduce the 
packet processing on the bridge (e.g. avoid finding the destination interface 
and delivering the packet to it, only for it to be dropped).

IMHO it's a decision to be made based on the number of containers vs. the 
number of iptables rules.

Well, these are random thoughts and assumptions, so don't give them too 
much credit ;)

Thanks
   -- Daniel
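As an added example (not code from the thread, and not part of LXC itself), here is what the "one firewall on the host" option from the reply above looks like when it is written so that bridged frames are dropped as early as iptables can see them. Everything in it is a constructed assumption: a bridge br0 with the host routing/NATing to an uplink eth0, one veth per container with a stable host-side name (in LXC that is what lxc.network.veth.pair is for), known container IPs, iptables with the physdev and conntrack matches, and the bridge's bridge-nf hook enabled. DRY_RUN=1 prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the lxc-users thread: a host-side firewall for
# bridged containers, written so that unwanted frames are dropped as early
# as iptables can see them. Assumptions (all constructed for this example):
#   - containers hang off bridge br0, the host routes/NATs to uplink eth0
#   - one veth per container, host-side names and IPs known to the host
#   - iptables with the physdev and conntrack matches, br_netfilter available
# DRY_RUN=1 prints the commands instead of applying them.

IPTABLES="${IPTABLES:-iptables}"

run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Bridged frames only reach iptables when bridge-nf-call-iptables is on;
# without it everything below silently applies to routed traffic (to/from
# eth0) only and container-to-container traffic is never filtered.
enable_bridge_nf() {
    if [ -n "$DRY_RUN" ]; then
        echo "sysctl -w net.bridge.bridge-nf-call-iptables=1"
    else
        modprobe br_netfilter 2>/dev/null
        sysctl -w net.bridge.bridge-nf-call-iptables=1
    fi
}

# setup_host BRIDGE UPLINK: default-deny forwarding, allow replies once.
setup_host() {
    enable_bridge_nf
    run -P FORWARD DROP
    run -F FORWARD
    run -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# container_rules NAME VETH IP "TCP_PORTS"
container_rules() {
    name=$1; veth=$2; ip=$3; ports=$4
    chain="ct_$name"
    # Anti-spoofing in raw/PREROUTING: for a bridged frame this is the first
    # iptables hook, before the bridge looks up the destination port, so a
    # frame with a forged source never costs a forwarding decision.
    run -t raw -A PREROUTING -m physdev --physdev-in "$veth" ! -s "$ip" -j DROP
    # Per-container inbound policy in its own small chain (assumes the chain
    # does not exist yet; flush with -F/-X before re-running).
    run -N "$chain"
    for p in $ports; do
        run -A "$chain" -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    run -A "$chain" -j DROP
    # Only traffic addressed to this container visits its chain
    run -A FORWARD -d "$ip" -j "$chain"
}

# finish_host BRIDGE UPLINK: what remains is container egress to the outside.
finish_host() {
    run -A FORWARD -i "$1" -o "$2" -j ACCEPT
}

# Constructed inventory for the demo: two containers, two services.
demo_rules() {
    setup_host br0 eth0
    container_rules web veth-web 10.0.3.10 "80 443"
    container_rules db  veth-db  10.0.3.11 "5432"
    finish_host br0 eth0
}

# Stand-alone use: "sh lxc-fw.sh show" prints the ruleset (lxc-fw.sh is an
# assumed file name), "sh lxc-fw.sh apply" as root installs it.
case "${1:-}" in
    apply) demo_rules ;;
    show)  (DRY_RUN=1; demo_rules) ;;
esac
```

The cost the reply mentions is real in this layout: with bridge-nf enabled, every bridged frame passes through the host's iptables, so the ruleset is kept short per packet by jumping into a per-container chain only for traffic addressed to that container, and the anti-spoof drop sits in raw/PREROUTING rather than FORWARD because that is the hook the bridge code hands to iptables before its destination-port lookup. The per-container alternative from the thread (rules inside each container's network namespace) needs none of this, but also cannot drop a frame before the bridge has delivered it to the veth.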
