[Beowulf] iptaled

Gerry Creager N5JXS gerry.creager at tamu.edu
Thu Sep 29 06:29:01 PDT 2005

Bogdan Costescu wrote:
> RGB writes:
>> In other words, it contributes to per-connection latency but not much 
>> to streaming traffic once a connection is made.  So one might expect 
>> that udp (connectionless) traffic would be more expensive overall than 
>> sustained tcp connections...?
> Once you turn on iptables, each and every packet has to be inspected for 
> rules matching - it's all or nothing. For each packet there is:
> - code that has to be executed, that takes precious time, and code that 
> takes (code) cache size which might kick part of your application's 
> innermost loop out
> - data that has to be inspected, that takes (data) cache size which 
> might kick part of your application's hot data out
> The fact that in some cases (earlier matches) there is less code to be 
> executed and less data to be inspected is IMHO not so relevant: the end 
> result is cache misses anyway. Especially when you use optimized 
> libraries or optimizing compilers which make some assumptions about the 
> cache size(s), how much of the theoretical peak performance are you 
> willing to pay for iptables ? ;-)
> Furthermore, I think that it's rather impractical to use iptables with 
> MPI jobs. For LAM/MPI for example, you need to allow between all nodes 
> TCP connections between high random ports (between application 
> instances) and UDP packets between high random ports (for the LAM 
> daemons). Isn't then better to just put the whole network behind some 
> firewall and forget about protection ?

It's certainly more efficient at this time to just place the cluster 
behind a stateful, switching firewall.  I've not investigated a 
switiching firewall on, eg., the head node looking at the compute nodes, 
but our network security data indicate that an isolated switching 
iptables system is both transparent to most attacks, and considerably 
(anecdotally 3x or so) faster than a host-based iptables install.

What we do with the switching box is inspect, then accept or dump with 
as little processing as possible.  No masquerade, no port translation at 
that point, etc.  KISS is the key here for speed.

The point made earlier about lots of rules and code execution is germane.

Gerry Creager -- gerry.creager at tamu.edu
Texas Mesonet -- AATLT, Texas A&M University	
Cell: 979.229.5301 Office: 979.458.4020 FAX: 979.847.8578
Page: 979.228.0173
Office: 903A Eller Bldg, TAMU, College Station, TX 77843

More information about the Beowulf mailing list