[Beowulf] iptaled (was: hpl size problems)

Bogdan Costescu Bogdan.Costescu at iwr.uni-heidelberg.de
Thu Sep 29 06:03:36 PDT 2005

RGB writes:

> In other words, it contributes to per-connection latency but not 
> much to streaming traffic once a connection is made.  So one might 
> expect that udp (connectionless) traffic would be more expensive 
> overall than sustained tcp connections...?

Once you turn on iptables, each and every packet has to be inspected 
for rules matching - it's all or nothing. For each packet there is:
- code that has to be executed, that takes precious time, and code 
that takes (code) cache size which might kick part of your 
application's innermost loop out
- data that has to be inspected, that takes (data) cache size which 
might kick part of your application's hot data out

The fact that in some cases (earlier matches) there is less code to be 
executed and less data to be inspected is IMHO not so relevant: the 
end result is cache misses anyway. Especially when you use optimized 
libraries or optimizing compilers which make some assumptions about 
the cache size(s), how much of the theoretical peak performance are 
you willing to pay for iptables ? ;-)

Furthermore, I think that it's rather impractical to use iptables with 
MPI jobs. For LAM/MPI for example, you need to allow between all nodes 
TCP connections between high random ports (between application 
instances) and UDP packets between high random ports (for the LAM 
daemons). Isn't then better to just put the whole network behind some 
firewall and forget about protection ?

Bogdan Costescu

IWR - Interdisziplinaeres Zentrum fuer Wissenschaftliches Rechnen
Universitaet Heidelberg, INF 368, D-69120 Heidelberg, GERMANY
Telephone: +49 6221 54 8869, Telefax: +49 6221 54 8868
E-mail: Bogdan.Costescu at IWR.Uni-Heidelberg.De

More information about the Beowulf mailing list