[Beowulf] iptables (was: hpl size problems)
Bogdan Costescu
Bogdan.Costescu at iwr.uni-heidelberg.de
Thu Sep 29 06:03:36 PDT 2005
RGB writes:
> In other words, it contributes to per-connection latency but not
> much to streaming traffic once a connection is made. So one might
> expect that udp (connectionless) traffic would be more expensive
> overall than sustained tcp connections...?
Once you turn on iptables, each and every packet has to be inspected
for rules matching - it's all or nothing. For each packet there is:
- code that has to be executed, that takes precious time, and code that takes (code) cache size which might kick part of your application's innermost loop out
- data that has to be inspected, that takes (data) cache size which might kick part of your application's hot data out
The fact that in some cases (earlier matches) there is less code to be
executed and less data to be inspected is IMHO not so relevant: the
end result is cache misses anyway. Especially when you use optimized
libraries or optimizing compilers which make some assumptions about
the cache size(s), how much of the theoretical peak performance are
you willing to pay for iptables? ;-)
Furthermore, I think that it's rather impractical to use iptables with
MPI jobs. For LAM/MPI for example, you need to allow between all nodes
TCP connections between high random ports (between application
instances) and UDP packets between high random ports (for the LAM
daemons). Isn't it better then to just put the whole network behind some
firewall and forget about protection?
--
Bogdan Costescu
IWR - Interdisziplinaeres Zentrum fuer Wissenschaftliches Rechnen
Universitaet Heidelberg, INF 368, D-69120 Heidelberg, GERMANY
Telephone: +49 6221 54 8869, Telefax: +49 6221 54 8868
E-mail: Bogdan.Costescu at IWR.Uni-Heidelberg.De
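The design the reply ends on, a firewall in front of the whole cluster network instead of iptables on every compute node, as an added example that is not part of the original post or of LAM/MPI. The POSIX shell function below emits an iptables-restore ruleset for a head node with one public interface and one interconnect interface; compute nodes behind it run no packet filter, so MPI traffic between random high ports is never inspected. The interface names, the interconnect subnet and the SSH-only public policy are assumptions passed in as arguments.

```shell
#!/bin/sh
# Added example, not from the original post: build an iptables-restore
# ruleset for a cluster head node. The whole private interconnect is trusted
# as a unit (one interface + subnet match), so no per-port rules are needed
# for the TCP/UDP high ports that LAM/MPI picks at random.
# Interface names and subnet are assumptions supplied by the caller.

gen_head_node_rules() {
    pub_if="$1"      # public-facing interface, e.g. eth0  (assumed)
    priv_if="$2"     # interconnect interface,   e.g. eth1  (assumed)
    priv_net="$3"    # interconnect subnet,      e.g. 10.0.0.0/24 (assumed)
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# compute nodes use private addresses; masquerade their outbound traffic
-A POSTROUTING -s ${priv_net} -o ${pub_if} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and already-established flows first: cheapest match for most packets
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# trust the interconnect wholesale: no per-port rules for MPI/LAM daemons
-A INPUT -i ${priv_if} -s ${priv_net} -j ACCEPT
# interconnect addresses arriving on the public side are spoofed: drop them
-A INPUT -i ${pub_if} -s ${priv_net} -j DROP
# the only service reachable from outside is SSH on the head node
-A INPUT -i ${pub_if} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# compute nodes may initiate outbound (updates, NFS to a mirror, etc.);
# inbound toward them is limited to replies of those flows
-A FORWARD -i ${priv_if} -o ${pub_if} -s ${priv_net} -j ACCEPT
-A FORWARD -i ${pub_if} -o ${priv_if} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Usage (as root, paths assumed):
#   gen_head_node_rules eth0 eth1 10.0.0.0/24 > /etc/iptables/rules.v4
#   iptables-restore < /etc/iptables/rules.v4
```

The ordering matters for the per-packet cost the post describes: the conntrack ESTABLISHED match sits near the top so the bulk of packets on the head node leave the chain after two rules, and the interconnect rule is a single interface-plus-subnet match rather than a list of port ranges. The anti-spoofing DROP on the public interface is what makes "trust the private subnet" safe.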