cloudstack-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rohit Yadav <>
Subject [DISCUSS] Why we MARK packets?
Date Wed, 18 Apr 2018 17:09:02 GMT

I could not find any history around 'why' we MARK or CONNMARK packets in mangle table in VRs?
I found an issue in case of VPCs where `MARK` iptable rules failed hair-pin nat (as described
in this PR:

The valid usage I found was wrt VPN_STATS, however, the usage is not exported at all, it is

Other than for debugging purposes in the VR, marking packets and connections I could not find
any valid use. Please do share if you're using marked packets (such as VPN ones etc) outside
of VR scope?

I propose we remove MARK on packets which is cpu intensive and slows the traffic (a bit),
instead CONNMARK can still be used to mark connections and debug VRs without actually changing
the packet marking permanently. Thoughts?

- Rohit


53 Chandos Place, Covent Garden, London  WC2N 4HSUK

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message