What is the difference between selecting “Connection State = New” or “not marking” it when we are marking the connections?
add chain=prerouting protocol=tcp dst-port=80,443 connection-state=new action=mark-connection new-connection-mark=HTTP passthrough=yes
OR
add chain=prerouting protocol=tcp dst-port=80,443 action=mark-connection new-connection-mark=HTTP passthrough=yes
Efficiency. With connection-state=new, the rule matches only the first packet of the connection (that's all you need). Without it, it matches every single packet of the connection.
Well, I suppose there may be some optimizations, i.e. if the new mark would be the same as the old one, it's detected early and it doesn't need as many resources as actually setting a new mark. Also the order in which the individual conditions are checked is probably optimized to do the easy ones first, and connection state is probably some simple flag, so it should be faster to check that than multiple ports. I'm just guessing, but it would make sense. It would be interesting to test that: generate predictable traffic and see how much difference there is.
A “connection” is a context which the firewall builds when the connection-establishing packet arrives and destroys when the connection is actively terminated (like a TCP session) or times out (like a bi-directional UDP stream or ICMP conversation). As the connection-mark is an attribute of the connection, there is no need to assign, using a rule, a connection mark over and over again each time a new packet belonging to that connection arrives. As soon as a packet is found to belong to an existing connection, it obtains the connection mark from the context, so if any rule checks for presence of that connection mark, the check succeeds.
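To make the two answers above concrete, here is an added example (my own Python model written for this page, not RouterOS code and not something posted in the thread): a toy connection tracker, the two mark-connection rules from the question, and a following rule of the usual shape "connection-mark=HTTP action=mark-packet", all run over a constructed HTTPS session and a DNS exchange. The tracker, the rule functions, the addresses and the packet counts are assumptions made for illustration; the model only shows how often each rule variant fires and that every packet of the marked connection, including replies from port 443 that the dst-port match never sees, picks up the mark from the connection context.

```python
"""Model of a mangle rule with and without connection-state=new.

Constructed example for this page: a toy connection tracker plus the two
rule variants from the question, run over synthetic traffic. Not RouterOS
code; it only mirrors the matching logic the thread discusses.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Connection:
    """The per-connection context the firewall keeps; the mark lives here."""
    mark: Optional[str] = None
    packets: int = 0


class ConnTracker:
    """Toy stand-in for connection tracking (direction-independent lookup)."""

    def __init__(self) -> None:
        self.table: Dict[Tuple, Connection] = {}

    @staticmethod
    def key(p: Packet) -> Tuple:
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (p.proto,) + (a + b if a <= b else b + a)

    def lookup(self, p: Packet) -> Tuple[Connection, str]:
        """Return the connection for p and its connection-state.

        Only the very first packet of a tuple is 'new'; everything after
        that (either direction) is 'established'. related/invalid are
        left out of this model.
        """
        k = self.key(p)
        conn = self.table.get(k)
        state = "new" if conn is None else "established"
        if conn is None:
            conn = self.table[k] = Connection()
        conn.packets += 1
        return conn, state


Rule = Callable[[Packet, str], bool]


def mark_connection_rule(require_new: bool) -> Rule:
    """protocol=tcp dst-port=80,443 [connection-state=new]."""
    def matches(p: Packet, state: str) -> bool:
        if p.proto != "tcp" or p.dport not in (80, 443):
            return False
        return state == "new" if require_new else True
    return matches


def run_mangle(packets: List[Packet], require_new: bool) -> Dict[str, int]:
    """Walk the packets through rule 1 (mark-connection) and rule 2 (mark-packet)."""
    ct = ConnTracker()
    rule = mark_connection_rule(require_new)
    stats = {"mark_connection_fired": 0, "packet_marked_via_conn_mark": 0}
    for p in packets:
        conn, state = ct.lookup(p)
        # Rule 1: the mark-connection variant under test (passthrough=yes,
        # so evaluation continues to rule 2 either way).
        if rule(p, state):
            stats["mark_connection_fired"] += 1
            conn.mark = "HTTP"
        # Rule 2: connection-mark=HTTP action=mark-packet. It reads the mark
        # from the connection context, so reply packets (source port 443)
        # match too even though rule 1 never looks at them.
        if conn.mark == "HTTP":
            stats["packet_marked_via_conn_mark"] += 1
    return stats


def https_session(client, cport, server, sport, requests=3, responses=5):
    """Synthetic TCP session: handshake, requests, responses, teardown."""
    def c2s():
        return Packet(client, cport, server, sport)

    def s2c():
        return Packet(server, sport, client, cport)

    pkts = [c2s(), s2c(), c2s()]                 # SYN, SYN/ACK, ACK
    pkts += [c2s() for _ in range(requests)]
    pkts += [s2c() for _ in range(responses)]
    pkts += [c2s(), s2c(), c2s()]                # FIN, FIN/ACK, ACK
    return pkts


# Constructed sample traffic: one HTTPS session (14 packets, 7 per direction)
# and a DNS query/response pair that must not receive the HTTP mark.
SAMPLE_TRAFFIC = https_session("192.0.2.10", 51234, "198.51.100.5", 443) + [
    Packet("192.0.2.10", 40000, "198.51.100.53", 53, "udp"),
    Packet("198.51.100.53", 53, "192.0.2.10", 40000, "udp"),
]

if __name__ == "__main__":
    for flag in (True, False):
        label = "connection-state=new" if flag else "no state match"
        print(label, run_mangle(SAMPLE_TRAFFIC, flag))
```

With connection-state=new the mark-connection rule fires once for the 14-packet session; without it, it fires on all 7 client-to-server packets (the 7 replies carry source port 443 and never match dst-port=80,443 anyway). In both runs all 14 packets of the session, and none of the DNS packets, are seen by the connection-mark=HTTP rule, which is the point of the last answer: the mark is stored on the connection, not re-derived per packet. The model leaves out the related and invalid states and any internal short-circuiting the real firewall may do, so it measures rule hits, not CPU time.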