What is faster?

forne · February 22, 2011, 2:20pm

What is faster: to mark a connection with the same mark on every packet flow or to mark it only once but every time check if it already has a mark?

I.e. what does consume less CPU cycles from these two:

1. /ip firewall mangle add action=mark-connection chain=prerouting disabled=no \
    in-interface=iface new-connection-mark=test passthrough=no

2. /ip firewall mangle add action=mark-connection chain=prerouting disabled=no \
    in-interface=iface new-connection-mark=test connection-mark=no-mark passthrough=no

Feklar · February 22, 2011, 3:51pm

Both of your rules are basically going to be the same. To save resources add in connection-state=new. This way the rule only fires when a new connection is being set up and not on subsequent packets after that. Every packet coming through as part of that connection will still receive the same packet mark.

forne · February 22, 2011, 4:08pm

What is the difference in resource consumption between the conditions “connection-mark=no-mark” and “connection-state=new”? In both cases the rule will fire only once per connection.

Feklar · February 22, 2011, 5:06pm

My understanding is this.

The no-mark needs to check every packet to make sure if it has a mark or not, so each packet is still being processed against the rule. The connect-state=new will only fire for packets that start a connection and no subsequent packets are checked against the rule.

Ibersystems · February 22, 2011, 9:46pm

+1

forne · February 26, 2011, 2:46am

Sorry, but I don’t believe it. An explanation from MK support would be good.