cloudstack-dev mailing list archives

From Jayapal Uradi <jayapal.ur...@accelerite.com>
Subject Re: [DISCUSS] Why we MARK packets?
Date Wed, 18 Apr 2018 17:20:27 GMT
Hi,

Below are the uses of marking packets.

1. Marking is required to route the packets into the correct interface in case of additional public interfaces in the VR.
2. Packets with VPN marking are accepted in the first place of NAT POSTROUTING. Without marking, these packets' source IP will be replaced with the source-NAT IP.

Thanks,
Jayapal


> On Apr 18, 2018, at 10:39 PM, Rohit Yadav <rohit.yadav@shapeblue.com> wrote:
> 
> All,
> 
> 
> I could not find any history around 'why' we MARK or CONNMARK packets in mangle table in VRs? I found an issue in case of VPCs where `MARK` iptable rules failed hair-pin nat (as described in this PR: https://github.com/apache/cloudstack/pull/2514)
> 
> 
> The valid usage I found was wrt VPN_STATS, however, the usage is not exported at all, it is commented:
> 
> https://github.com/apache/cloudstack/blob/master/systemvm/debian/opt/cloud/bin/vpc_netusage.sh#L141
> 
> 
> Other than for debugging purposes in the VR, marking packets and connections I could not find any valid use. Please do share if you're using marked packets (such as VPN ones etc) outside of VR scope?
> 
> 
> I propose we remove MARK on packets which is cpu intensive and slows the traffic (a bit), instead CONNMARK can still be used to mark connections and debug VRs without actually changing the packet marking permanently. Thoughts?
> 
> 
> - Rohit

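Added example, not part of the original thread and not CloudStack code: a small Python model of the two uses listed in the reply, showing fwmark-based interface selection and why the VPN ACCEPT rule has to sit above the source-NAT rule in nat POSTROUTING. The mark values, addresses, interface names and function names are all assumptions made for the illustration.

```python
from dataclasses import dataclass, replace

# All marks, addresses and interface names below are constructed for this
# illustration; they are not CloudStack's actual values.
VPN_MARK = 0x1
ETH3_MARK = 0x3
SOURCE_NAT_IP = "203.0.113.10"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    mark: int = 0  # fwmark set in the mangle table; 0 means unmarked

# Use 1: policy routing ("ip rule ... fwmark") picks the egress interface.
FWMARK_TO_IFACE = {ETH3_MARK: "eth3"}
DEFAULT_IFACE = "eth1"

def egress_interface(pkt):
    return FWMARK_TO_IFACE.get(pkt.mark, DEFAULT_IFACE)

# Use 2: nat POSTROUTING is first-match; the VPN ACCEPT sits above SNAT.
POSTROUTING = [
    {"mark": VPN_MARK, "target": "ACCEPT"},
    {"mark": None, "target": "SNAT", "to": SOURCE_NAT_IP},
]

def nat_postrouting(pkt, chain=POSTROUTING):
    for rule in chain:
        if rule["mark"] is not None and rule["mark"] != pkt.mark:
            continue  # mark match failed, try the next rule
        if rule["target"] == "SNAT":
            return replace(pkt, src=rule["to"])
        return pkt  # ACCEPT: leave the chain with the source untouched
    return pkt

if __name__ == "__main__":
    vpn = Packet("10.1.1.5", "10.8.0.2", mark=VPN_MARK)
    print(nat_postrouting(vpn))                           # source preserved
    print(nat_postrouting(replace(vpn, mark=0)))          # mark lost: SNATed
    print(nat_postrouting(vpn, chain=POSTROUTING[::-1]))  # wrong order: SNATed
    print(egress_interface(Packet("10.1.1.5", "198.51.100.7", mark=ETH3_MARK)))
```

When reviewing a change that drops MARK rules, the two cases to re-test on a VR are the ones the model exercises: VPN traffic still leaving with its original source address, and traffic for an additional public interface still leaving through that interface.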