Hi Jayapal,

Thanks for replying. Can you point me to the code/rules that use the marking 
for packet routing (in case of additional public nics) in latest 4.11 or master 
branch? Don't we have routing tables and nat rules for routing across 
interfaces?


This started from reviewing Rafael's PR, whose fix I could not validate:

https://github.com/apache/cloudstack/pull/2514


I tested and found in my env that removing MARK rules in mangle table fixed 
access related issues for me, based on which I opened the PR:

https://github.com/apache/cloudstack/pull/2579


In case of VPC VRs and isolated network VRs, the nic number/order is different, 
and the nic number/id is used to mark packets. I found that networking always 
failed when packets were marked with 0x1, but worked when 0x2 was used. I don't 
have an explanation for this. My test env was 4.11 based.


- Rohit

<https://cloudstack.apache.org>



________________________________
From: Jayapal Uradi <jayapal.ur...@accelerite.com>
Sent: Wednesday, April 18, 2018 10:50:27 PM
To: dev@cloudstack.apache.org
Cc: us...@cloudstack.apache.org
Subject: Re: [DISCUSS] Why we MARK packets?

Hi,

Below are the uses of marking packets.

1. Marking is required to route the packets into the correct interface in case 
of additional public interfaces in the VR.
2. Packets with the VPN marking are accepted in the first place of NAT POSTROUTING. 
Without marking, these packets' source IP will be replaced with the source-NAT IP.

Thanks,
Jayapal



rohit.ya...@shapeblue.com
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
@shapeblue

> On Apr 18, 2018, at 10:39 PM, Rohit Yadav <rohit.ya...@shapeblue.com> wrote:
>
> All,
>
>
> I could not find any history around 'why' we MARK or CONNMARK packets in the 
> mangle table in VRs. I found an issue in case of VPCs where `MARK` iptables 
> rules failed hair-pin NAT (as described in this PR: 
> https://github.com/apache/cloudstack/pull/2514)
>
>
> The valid usage I found was wrt VPN_STATS, however, the usage is not exported 
> at all, it is commented:
>
> https://github.com/apache/cloudstack/blob/master/systemvm/debian/opt/cloud/bin/vpc_netusage.sh#L141
>
>
> Other than for debugging purposes in the VR, marking packets and connections 
> I could not find any valid use. Please do share if you're using marked 
> packets (such as VPN ones etc) outside of VR scope?
>
>
> I propose we remove MARK on packets, which is CPU intensive and slows the 
> traffic (a bit); instead, CONNMARK can still be used to mark connections and 
> debug VRs without actually changing the packet marking permanently. Thoughts?
>
>
> - Rohit
>
> <https://cloudstack.apache.org>
>
>
>

