Are there performance gains (i.e. lower CPU utilization) doing it this way rather than marking the packet in the first step?
I would be grateful to anyone who can explain the benefits of this approach.
Please accept my thanks in advance,
It all depends on use case. That specific example isn’t too efficient.
Connection marks are based on the connection tracking facility. That is mandatory for doing any NAT, so if you do NAT you get connection marks for free.
If you have a complicated way of assigning connection marks (you check a lot of parameters, such as protocol, source address, destination port, TTL and time of day) then it’s best to do that once, and above that rule mark packets based on connection mark (based on just one comparison - the connection mark - and hence much cheaper than checking lots of parameters) and setting passthrough to ‘no’. Alternatively, you could add additional parameters on the rule that sets the connection mark and either check for ‘connection-mark=no-mark’ (this connection hasn’t been marked before) or ‘connection-state=new’ (this is a new connection and couldn’t have a mark) so that not each packet is checked against the expensive rule as well - after all you might just as well just mark the packet directly in that case.
Overall, though, unless you’re hitting over 50% CPU utilization at all times and are worried about router performance it is probably best not to optimize your mangle/filter rulesets for performance. You should rather write them in a way that makes sense to you and is easy to understand and troubleshoot so that you can take care of issues quickly when they arise. Who cares if your router is running at 20% utilization but could be running at 10%? But people do care when it takes 2 hours to figure out what’s wrong rather than the 10 minutes it might if you immediately could see what was going on.