From dev-return-111322-archive-asf-public=cust-asf.ponee.io@cloudstack.apache.org Fri Apr 20 17:24:04 2018 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id 00E31180645 for ; Fri, 20 Apr 2018 17:24:03 +0200 (CEST) Received: (qmail 90495 invoked by uid 500); 20 Apr 2018 15:23:58 -0000 Mailing-List: contact dev-help@cloudstack.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cloudstack.apache.org Delivered-To: mailing list dev@cloudstack.apache.org Received: (qmail 90469 invoked by uid 99); 20 Apr 2018 15:23:57 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd2-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 20 Apr 2018 15:23:57 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd2-us-west.apache.org (ASF Mail Server at spamd2-us-west.apache.org) with ESMTP id F208B1A079A for ; Fri, 20 Apr 2018 15:23:56 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd2-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 0 X-Spam-Level: X-Spam-Status: No, score=0 tagged_above=-999 required=6.31 tests=[SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=disabled Received: from mx1-lw-us.apache.org ([10.40.0.8]) by localhost (spamd2-us-west.apache.org [10.40.0.9]) (amavisd-new, port 10024) with ESMTP id B2HllB9E1HGV for ; Fri, 20 Apr 2018 15:23:54 +0000 (UTC) Received: from smtp.artifact-software.com (modemcable202.79-37-24.static.videotron.ca [24.37.79.202]) by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTP id 6D1325F238 for ; Fri, 20 Apr 2018 15:23:54 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp.artifact-software.com (Postfix) with ESMTP id 981A8212E07B for ; Fri, 20 Apr 2018 11:23:48 -0400 (EDT) X-Virus-Scanned: amavisd-new at artifact-software.com Received: from smtp.artifact-software.com ([127.0.0.1]) by localhost (smtp.artifact-software.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id f4cD521AxmC4 for ; Fri, 20 Apr 2018 11:23:46 -0400 (EDT) Received: from [192.168.3.198] (unknown [192.168.3.198]) by smtp.artifact-software.com (Postfix) with ESMTPSA id D050320AFA0D for ; Fri, 20 Apr 2018 11:23:45 -0400 (EDT) Reply-To: rwheeler@artifact-software.com Subject: Re: [DISCUSS] Why we MARK packets? To: dev@cloudstack.apache.org References: <15AE77DF-0302-4B26-8E60-2265A6993993@persistent.co.in> From: Ron Wheeler Organization: Artifact Software Message-ID: Date: Fri, 20 Apr 2018 11:23:41 -0400 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-CA https://markandruth.co.uk/2016/08/08/testing-the-performance-of-the-linux-firewall Does not directly address marking but does benchmark a number of iptables filtering tasks which may give some insight into the performance implications of using iptables for routing and filtering. https://www.digitalocean.com/community/tutorials/a-deep-dive-into-iptables-and-netfilter-architecture A nice article on iptables. No performance info but a good read for anyone who needs to tackle routing and marking.  https://www.markusschade.com/papers/firewall.pdf Has some performance info and a discussion about the host limit with MARK. I am a bit skeptical that MARK adds a lot of overhead but this is only based on the belief that CPUs are orders of magnitude faster than networks. The decision process on entry and exit are both pretty simple and depending on the implementation of the internal table should not take a lot of memory of CPU to do the table lookups I did not read all 60,400 links returned by Google but in the ones that I did read did not warn of any big problem with performance using MARK. I use a simple static MARK configuration in my firewall to solve a routing problem but the performance requirements are not relevant to an datacentre with hundreds of CPUs and hundreds of entries in the MARK routing map. I hope that this helps. Ron On 20/04/2018 9:04 AM, Rohit Yadav wrote: > Thanks Jayapal. I don't have any comparative study yet, but I'll explore this in future if we can get away without marking (mangling) packets which is generally an expensive task. > > > - Rohit > > > > > > ________________________________ > From: Jayapal Uradi > Sent: Thursday, April 19, 2018 10:33:25 AM > To: dev@cloudstack.apache.org > Cc: users@cloudstack.apache.org > Subject: Re: [DISCUSS] Why we MARK packets? > > Rohit, > > My comments inline. > > > rohit.yadav@shapeblue.com > www.shapeblue.com > 53 Chandos Place, Covent Garden, London WC2N 4HSUK > @shapeblue > > > > On Apr 19, 2018, at 1:52 AM, Rohit Yadav > wrote: > > Nevermind, found the use of custom routing tables. In case someone want to refer, hints are here: > > https://github.com/apache/cloudstack/pull/2514#issuecomment-382510915 > > > Jayapal and others - I've another one, is there a way to do routing without marking packets at all, even in case of VRs with additional public interfaces? > > AFAIK marking is the only way to do it. > Do you have any performance numbers with and without mark rules. > > - Rohit > > > > > > > ________________________________ > From: Rohit Yadav > > Sent: Wednesday, April 18, 2018 10:39:02 PM > To: dev@cloudstack.apache.org; users@cloudstack.apache.org > Subject: [DISCUSS] Why we MARK packets? > > All, > > > I could not find any history around 'why' we MARK or CONNMARK packets in mangle table in VRs? I found an issue in case of VPCs where `MARK` iptable rules failed hair-pin nat (as described in this PR: https://github.com/apache/cloudstack/pull/2514) > > > The valid usage I found was wrt VPN_STATS, however, the usage is not exported at all, it is commented: > > https://github.com/apache/cloudstack/blob/master/systemvm/debian/opt/cloud/bin/vpc_netusage.sh#L141 > > > Other than for debugging purposes in the VR, marking packets and connections I could not find any valid use. Please do share if you're using marked packets (such as VPN ones etc) outside of VR scope? > > > I propose we remove MARK on packets which is cpu intensive and slows the traffic (a bit), instead CONNMARK can still be used to mark connections and debug VRs without actually changing the packet marking permanently. Thoughts? > > > - Rohit > > > > > > rohit.yadav@shapeblue.com > www.shapeblue.com> > 53 Chandos Place, Covent Garden, London WC2N 4HSUK > @shapeblue > > > > > rohit.yadav@shapeblue.com > www.shapeblue.com > 53 Chandos Place, Covent Garden, London WC2N 4HSUK > @shapeblue > > DISCLAIMER > ========== > This e-mail may contain privileged and confidential information which is the property of Accelerite, a Persistent Systems business. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Accelerite, a Persistent Systems business does not accept any liability for virus infected mails. -- Ron Wheeler President Artifact Software Inc email: rwheeler@artifact-software.com skype: ronaldmwheeler phone: 866-970-2435, ext 102