[Beowulf] hpl size problems

Robert G. Brown rgb at phy.duke.edu
Wed Sep 28 08:21:36 PDT 2005

On Wed, 28 Sep 2005, Mark Hahn wrote:

>> workstations, because of both security and performance.  Things like
>> ipchains or ipfilters tend to be "expensive" overhead on all TCP/UDP
>> connections, and overhead in parallel computations is anathema.  So one
> has anyone actually measured this?  I suspect that the marginal overhead
> for iptables is ~1 us, and at least with gigabit, that's almost in the
> noise (say 3%).  I don't think anyone who is satisfied with gigabit
> would care...

I haven't measured it per se, so this is perhaps anecdotal.  However,
anecdotally I've observed an effect (or thought I did) in years past,
sometimes to the point where it was annoying in interactive operation.
I used to turn it off altogether on many systems.

Looking again for the answer to this I did find this:


which is basically EVERYTHING you could ever have wanted to know about
iptables except how expensive it is.  Which they likely cannot say
because after all it depends on the complexity of the iptables ruleset,
right?  Which does damn near regexp-like matching of damn near arbitrary
combinations of damn near any relevant networking field (src, dst, port,
service, ip ranges...).

If they've moved this "into" the TCP stack it may have sped it up a lot
from my early experiences, but there are still a lot of conditionals to
traverse to make a decision per rule per packet, and there may be a lot of
rules.  So maybe I'm wrong here -- it would be lovely if I were, at
least for a minimal/default (ssh only inbound) firewall.


Robert G. Brown	                       http://www.phy.duke.edu/~rgb/
Duke University Dept. of Physics, Box 90305
Durham, N.C. 27708-0305
Phone: 1-919-660-2567  Fax: 919-660-2525     email:rgb at phy.duke.edu
