Thanks Jayapal. I don't have any comparative study yet, but I'll explore this 
in the future if we can get away without marking (mangling) packets, which is 
generally an expensive task.


- Rohit

<https://cloudstack.apache.org>



________________________________
From: Jayapal Uradi <jayapal.ur...@accelerite.com>
Sent: Thursday, April 19, 2018 10:33:25 AM
To: dev@cloudstack.apache.org
Cc: us...@cloudstack.apache.org
Subject: Re: [DISCUSS] Why we MARK packets?

Rohit,

My comments inline.


rohit.ya...@shapeblue.com
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HS, UK
@shapeblue


On Apr 19, 2018, at 1:52 AM, Rohit Yadav <rohit.ya...@shapeblue.com> wrote:

Never mind, found the use of custom routing tables. In case someone wants to 
refer to it, hints are here:

https://github.com/apache/cloudstack/pull/2514#issuecomment-382510915


Jayapal and others - I've another one: is there a way to do routing without 
marking packets at all, even in the case of VRs with additional public interfaces?

AFAIK marking is the only way to do it.
Do you have any performance numbers with and without mark rules?

- Rohit

<https://cloudstack.apache.org>



________________________________
From: Rohit Yadav <rohit.ya...@shapeblue.com>
Sent: Wednesday, April 18, 2018 10:39:02 PM
To: dev@cloudstack.apache.org; us...@cloudstack.apache.org
Subject: [DISCUSS] Why we MARK packets?

All,


I could not find any history around 'why' we MARK or CONNMARK packets in the 
mangle table in VRs. I found an issue in the case of VPCs where `MARK` iptables 
rules caused hairpin NAT to fail (as described in this PR: 
https://github.com/apache/cloudstack/pull/2514)


The valid usage I found was w.r.t. VPN_STATS; however, the usage is not exported 
at all, it is commented out:

https://github.com/apache/cloudstack/blob/master/systemvm/debian/opt/cloud/bin/vpc_netusage.sh#L141


Other than for debugging purposes in the VR, I could not find any valid use of 
marking packets and connections. Please do share if you're using marked packets 
(such as VPN ones, etc.) outside of the VR scope.


I propose we remove MARK on packets, which is CPU intensive and slows the 
traffic (a bit); instead CONNMARK can still be used to mark connections and 
debug VRs without actually changing the packet marking permanently. Thoughts?


- Rohit

<https://cloudstack.apache.org>



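The rule pattern the thread keeps referring to (CONNMARK in the mangle table plus an `ip rule fwmark` lookup into a per-public-interface routing table), written out as an added example. This is not CloudStack's VR script and not code posted by anyone in the thread. The function only emits the commands, it does not apply them; the interface names, gateways, table ids, and the choice of the low byte of the mark space are all assumptions made for illustration.

```shell
#!/bin/sh
# Emit (do not apply) a policy-routing rule set for a router with one guest
# interface and several public interfaces.
# Assumed layout (illustrative, not CloudStack's): argument 1 is the guest-side
# interface; each further argument is "public_if:gateway:table_id".
# Marks 1, 2, ... are kept in the low byte so the remaining bits stay free.
gen_rules() {
    guest_if=$1
    shift
    idx=1
    for spec in "$@"; do
        pub_if=${spec%%:*}
        rest=${spec#*:}
        gw=${rest%%:*}
        table=${rest#*:}
        # Per-interface table holding only a default route; it is reached solely
        # through the fwmark rule, so unmarked traffic keeps using the main table.
        printf 'ip route replace default via %s dev %s table %s\n' "$gw" "$pub_if" "$table"
        printf 'ip rule add fwmark 0x%x/0xff lookup %s\n' "$idx" "$table"
        # Record the ingress interface on the connection, once, when it is new.
        # --set-xmark changes only the conntrack mark, not the packet.
        printf 'iptables -t mangle -A PREROUTING -i %s -m conntrack --ctstate NEW -j CONNMARK --set-xmark 0x%x/0xff\n' "$pub_if" "$idx"
        idx=$((idx + 1))
    done
    # A reply to a DNATed (port-forwarded) connection still carries the guest's
    # private source address at routing time (the reverse translation happens
    # later, in POSTROUTING), so a source-based rule cannot pick the egress.
    # Copy the connection mark onto the packet just for the routing lookup.
    printf 'iptables -t mangle -A PREROUTING -i %s -j CONNMARK --restore-mark --nfmask 0xff --ctmask 0xff\n' "$guest_if"
}

# Number of emitted lines; a quick sanity check for a given interface set.
rule_count() {
    gen_rules "$@" | wc -l | tr -d ' '
}

# Constructed sample: guest side eth0, two public uplinks with their own tables.
gen_rules eth0 "eth2:203.0.113.1:100" "eth3:198.51.100.1:101"
```

The generator uses no MARK target at all: the connection is the only thing marked persistently, and the packet mark set by --restore-mark exists only inside the router for the duration of that packet's routing lookup. Since the PR cited above reports MARK rules breaking hairpin NAT in VPCs, any change in this area should be checked on a test router with a guest reaching its own public IP before and after the rules are applied.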