What is better among the two for marking packets in pre-routing chain in mangle coming from a specific sublet?

1. add action=mark-packet chain=prerouting comment="Internet Zone2--DN" disabled=no dst-address-list="Internet Zone2" \
new-packet-mark="Internet Zone2" passthrough=no
........... Internet Zone2 is defined in address-list as a subnet.

2. add action=mark-connection chain=prerouting comment="Internet Zone2--DN" disabled=no dst-address-list="Internet Zone2" \
new-connection-mark="Internet Zone2 Conn" passthrough=yes

add action=mark-packet chain=prerouting comment="Internet Zone2--DN" disabled=no connection-mark="Internet Zone2 Conn" \
new-packet-mark="Internet Zone2" passthrough=no

Which one is better and why?

Thanks,

Sudipta

The end result is having a packet mark, however, marking your connection is less CPU intensive. The PROPER or perferred way is the do the connection mark then the packet mark. This does two things, provides a simpler faster way to mark packets once the connection is identified. Two, depending on the connection and type, it will typically get traffic both directions vs just a single direction.