> In a default install of xen-3.0-testing, I just noticed that
> it automatically adds in some iptables rules when a domain is
> created. This is with the default of vif-bridge.
>
> In my case I don't use iptables on this server, so these
> iptables rules are completely unnecessary and can't do
> anything useful for performance.
>
> Does anyone have any comments on how much difference having
> iptables loaded makes for throughput, and if this is
> something we should be worrying about?
Connection tracking certainly isn't great for performance, but I doubt
the current rules need that.
I believe we added them because they were necessary to make DHCP in the
guest work with the default RH and SuSE firewall settings. I don't
believe the IP anti-spoof stuff is enabled by default.
Perhaps it should be configurable whether any iptables rules are added
at all. If you mv the iptables binary out the way things should still
work.
Ian
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
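An added example, not part of the thread above and not Xen's own vif-bridge script: a small POSIX sh audit that lists which FORWARD rules are tied to a given guest vif and tells apart the DHCP allowance Ian mentions from a per-source-IP (anti-spoof style) accept, and checks whether anything in the chain relies on connection tracking, the part he flags as the real performance cost. The rule lines are constructed to resemble `iptables -S FORWARD` output; that the rules match the bridge port with `-m physdev --physdev-in <vif>` is an assumption about the rule shape, not taken from the thread. Called with one argument, the functions read the live table instead of the sample.

```shell
#!/bin/sh
# Added example (not from the xen-devel thread and not Xen's vif-bridge code).
# Audit the FORWARD chain for rules that reference a particular guest vif.
# ASSUMPTION: vif rules match the bridge port via "-m physdev --physdev-in <vif>".
# SAMPLE_RULES is CONSTRUCTED to look like `iptables -S FORWARD` output.

SAMPLE_RULES='-P FORWARD ACCEPT
-A FORWARD -m physdev --physdev-in vif1.0 -p udp --sport 68 --dport 67 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif1.0 -s 192.0.2.10/32 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif2.0 -p udp --sport 68 --dport 67 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'

# rule_source [RULES]: emit the rule text to inspect, either the string
# given as an argument or the live FORWARD chain.
rule_source() {
    if [ $# -ge 1 ]; then
        printf '%s\n' "$1"
    else
        iptables -S FORWARD
    fi
}

# rules_for_vif VIF [RULES]: print only the rules that match on that vif.
rules_for_vif() {
    vif=$1
    shift
    rule_source "$@" | grep -- "--physdev-in $vif "
}

# count_vif_rules VIF [RULES]: number of FORWARD rules tied to that vif.
count_vif_rules() {
    rules_for_vif "$@" | wc -l | tr -d ' '
}

# classify_rule RULE: "dhcp" for the client->server DHCP allowance,
# "source-ip" for a per-address accept, "other" for anything else.
classify_rule() {
    case "$1" in
        *"--sport 68 --dport 67"*) echo dhcp ;;
        *" -s "*) echo source-ip ;;
        *) echo other ;;
    esac
}

# uses_conntrack [RULES]: succeed if any FORWARD rule needs connection
# tracking (-m state or -m conntrack), which is what costs throughput.
uses_conntrack() {
    rule_source "$@" | grep -Eq -- '-m (state|conntrack)'
}

# Stand-alone run against the constructed sample for vif1.0.
rules_for_vif vif1.0 "$SAMPLE_RULES" | while IFS= read -r r; do
    printf '%s: %s\n' "$(classify_rule "$r")" "$r"
done
if uses_conntrack "$SAMPLE_RULES"; then
    echo "FORWARD chain relies on connection tracking"
fi
```

Run it as root without the sample argument (`rules_for_vif vif1.0`) to see what the live chain holds for a domain; a count of zero for a vif after the domain is created is the check that disabling rule insertion actually took effect.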