Ben Leggett

Results 256 comments of Ben Leggett

> Waypoint is not just for HTTP processing, it is really the integration mechanism for the traffic analysis that is potentially unsafe or costly. I think there are some cases...

> This might be intentional since we don't want Istio to reinvent the wheel. Well, we invented a codename/acronym, and we have to at least contend with that :D My...

https://istio.io/latest/docs/ambient/architecture/hbone/ is published now and is actually likely the most complete description of the protocol at this point, inward-or-outward-facing - between these two it's as described as it needs to...

> https://github.com/rust-lang/pkg-config-rs#external-configuration-via-target-scoped-environment-variables > > ~Possibly viable?~ > > Misread it. But their approach might be? Yep could be. Ideally I would prefer to fix upstream `boring` so it respects whatever...

> The pool is the outer connections, the inner connections are still accumulated though. This may actually impact applications as they will not be aware the peer closed the connection?...

> **Solution**: Let ztunnel support to set custom `SO_MARK` to local upstream. If we need to set optional packet marks for netns routing purposes, CNI/eBPF/iptables might be a better spot...

> @bleggett I optimized the iptables rules, and it worked. There is no need for zt to set `SO_MARK`, but I don't understand why istiod set 1337 mark for `envoy.filters.listener.original_src`...

> Does marking in ztunnel require NET_ADMIN? We still want to make sure ztunnel as sidecar doesn't need N_ADMIN caps. Agree - I think @imroc has found we don't...

Semi-unrelated question - at some point do we plan to create a separate `build-tools-ztunnel` output image/stage, much like we have for `build-tools-proxy`? As we start adding more rust/cargo deps it...

This is merged along with doc update, so I am closing this as complete - feel free to reopen or raise issues if there are followups.