
perfsonar-user - Re: [perfsonar-user] Bandwidth measurement with LIVA X 2GB/32GB eMMC

Subject: perfSONAR User Q&A and Other Discussion

  • From: Hyojoon Kim <>
  • To: Mark Feit <>
  • Cc: "" <>
  • Subject: Re: [perfsonar-user] Bandwidth measurement with LIVA X 2GB/32GB eMMC
  • Date: Mon, 4 Jan 2016 20:52:05 +0000

Hello Mark, 

Thank you for this explanation! 

One possible way to have *some* level of security could be through just using stateless iptables rules. Adding *stateless* iptables rules does not enable the nf_conntrack kernel modules, thus does not degrade the bw performance of the LIVA box (i.e., iptables rules without '-m state' option). 

However, I am not sure if stateless iptables rules are enough and what are the consequences when the box only has stateless rules :-P

Thanks, 
Joon 

On Jan 4, 2016, at 10:43 AM, Mark Feit <> wrote:

Hyojoon Kim writes:

"lsmod" command shows that nf_conntrack-related kernel modules become loaded after the perfsonar security package installation, along with several iptables rules. After this happens, bwctl measurement will never go over 700Mbps when the test is initiated from the LIVA X box. Flushing the iptables rules and disabling the nf_conntrack-related modules fixes the issue, restoring the bwctl measurement to 940Mbps. 

Can someone confirm this? 

I can’t confirm it for the LIVA because I don’t have one, but iptables is well-known to be a drag in high-traffic situations.  You won’t notice this as much on bigger machines because they tend to have enough horsepower that the extra processing time doesn’t matter.  Your change effectively disables all of it, so the increase in throughput makes perfect sense.  The tradeoff is that the machine is no longer protected from the outside.

Iptables processes the rules in each chain in the order they appear, and the perfSONAR chain isn't arranged to get time- and rate-sensitive traffic processed as quickly as possible.


—Mark
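
A way to check a ruleset for the conntrack dependency discussed in this thread, as an added example that is not part of the original messages or of perfSONAR: it flags rules in `iptables-save` output that use the `state` or `conntrack` match (or sit in the `nat` table) and lists loaded `nf_conntrack*` modules from `lsmod` output. The function names, sample ruleset, port numbers and module listing are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: find iptables rules that pull in nf_conntrack.

# Constructed sample in iptables-save format (not the perfSONAR ruleset;
# the port numbers are arbitrary).
sample_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4823 -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Constructed sample of lsmod output.
sample_lsmod() {
cat <<'EOF'
Module                  Size  Used by
nf_conntrack_ipv4       9506  2
nf_conntrack           79758  2 nf_conntrack_ipv4,xt_state
xt_state                1492  2
iptable_filter          2793  1
EOF
}

# Read iptables-save text on stdin; print "table:rule-number:rule" (numbered
# within the table) for each rule that needs connection tracking.
conntrack_rules() {
  awk '
    /^\*/  { table = substr($0, 2); n = 0; next }
    /^-A / { n++
             if (table == "nat" || $0 ~ /-m (state|conntrack)( |$)/)
               printf "%s:%d:%s\n", table, n, $0 }
  '
}

# Succeeds only when the ruleset on stdin has no conntrack dependency.
is_stateless() { [ -z "$(conntrack_rules)" ]; }

# Read lsmod text on stdin; print the loaded nf_conntrack* modules.
loaded_conntrack_modules() {
  awk 'NR > 1 && $1 ~ /^nf_conntrack/ { print $1 }'
}

sample_rules | conntrack_rules
sample_lsmod | loaded_conntrack_modules
```

On a live host, feed the functions real data as root with `iptables-save | conntrack_rules` and `lsmod | loaded_conntrack_modules`. The fourth sample rule is a stateless stand-in for the ESTABLISHED match: it accepts any TCP segment that is not a bare SYN, whether or not it belongs to a connection the host actually opened.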




