Difference between revisions of "Manual:IP/Firewall/Mangle"
|Line 262:||Line 262:|
<td><var><b>out-interface</b></var> (<em></em>; Default: <b></b>)</td>
<td><var><b>out-interface</b></var> (<em></em>; Default: <b></b>)</td>
<td>Interface the packet is leaving the router</td>
<td>Interface the packet is leaving the router</td>
Revision as of 17:52, 20 September 2018
/ip firewall mangle
Mangle is a kind of 'marker' that marks packets for future processing with special marks. Many other facilities in RouterOS make use of these marks, e.g. queue trees, NAT, routing. They identify a packet based on its mark and process it accordingly. The mangle marks exist only within the router, they are not transmitted across the network.
Additionally, the mangle facility is used to modify some fields in the IP header, like TOS (DSCP) and TTL fields.
|action (action name; Default: accept)||Action to take if packet is matched by the rule:
|address-list (string; Default: )||Name of the address list to be used. Applicable if action is
|address-list-timeout (time; Default: 00:00:00)||Time interval after which the address will be removed from the address list specified by
|chain (name; Default: )||Specifies to which chain the rule will be added. If the input does not match the name of an already defined chain, a new chain will be created.|
|comment (string; Default: )||Descriptive comment for the rule.|
|connection-bytes (integer-integer; Default: )||Matches packets only if a given amount of bytes has been transfered through the particular connection. 0 - means infinity, for example
|connection-limit (integer,netmask; Default: )||Restrict connection limit per address or address block|
|connection-mark (no-mark | string; Default: )||Matches packets marked via mangle facility with particular connection mark. If no-mark is set, rule will match any unmarked connection.|
|connection-nat-state (srcnat | dstnat; Default: )||Can match connections that are srcnatted, dstnatted or both. Note that connection-state=related connections connection-nat-state is determined by direction of the first packet. and if connection tracking needs to use dst-nat to deliver this connection to same hosts as main connection it will be in connection-nat-state=dstnat even if there are no dst-nat rules at all.|
|connection-rate (Integer 0..4294967295; Default: )||Connection Rate is a firewall matcher that allows the capture of traffic based on the present speed of the connection.
|connection-state (estabilished | invalid | new | related; Default: )||Interprets the connection tracking analysis data for a particular packet:
|connection-type (ftp | h323 | irc | pptp | quake3 | sip | tftp; Default: )||Matches packets from related connections based on information from their connection tracking helpers. A relevant connection helper must be enabled under /ip firewall service-port|
|content (string; Default: )||Match packets that contain specified text|
|dscp (integer: 0..63; Default: )||Matches DSCP IP header field.|
|dst-address (IP/netmask | IP range; Default: )||Matches packets where destination is equal to specified IP or falls into specified IP range.|
|dst-address-list (name; Default: )||Matches destination address of a packet against user-defined address list|
|dst-address-type (unicast | local | broadcast | multicast; Default: )||Matches destination address type:
|dst-limit (integer[/time],integer,dst-address | dst-port | src-address[/time]; Default: )||Matches packets until a given pps limit is exceeded. As opposed to the limit matcher, every destination IP address / destination port has it's own limit. Parameters are written in following format:
|dst-port (integer[-integer]: 0..65535; Default: )||List of destination port numbers or port number ranges|
|fragment (yes|no; Default: )||Matches fragmented packets. First (starting) fragment does not count. If connection tracking is enabled there will be no fragments as system automatically assembles every packet|
|hotspot (auth | from-client | http | local-dst | to-client; Default: )|
|icmp-options (integer:integer; Default: )||Matches ICMP "type:code" fields|
|in-bridge-port (name; Default: )||Actual interface the packet has entered the router, if incoming interface is bridge|
|in-interface (name; Default: )||Interface the packet has entered the router|
|ingress-priority (integer: 0..63; Default: )||Matches ingress priority of the packet. Priority may be derived from VLAN, WMM or MPLS EXP bit.
|ipsec-policy (in | out, ipsec | none; Default: )||Matches the policy used by IpSec. Value is written in following format:
For example, if router receives Ipsec encapsulated Gre packet, then rule
|ipv4-options (any | loose-source-routing | no-record-route | no-router-alert | no-source-routing | no-timestamp | none | record-route | router-alert | strict-source-routing | timestamp; Default: )||Matches IPv4 header options.
|jump-target (name; Default: )||Name of the target chain to jump to. Applicable only if
|layer7-protocol (name; Default: )||Layer7 filter name defined in layer7 protocol menu.|
|limit (integer,time,integer; Default: )||Matches packets until a given pps limit is exceeded. Parameters are written in following format:
|log-prefix (string; Default: )||Adds specified text at the beginning of every log message. Applicable if
|new-connection-mark (string; Default: )|
|new-dscp (integer: 0..63; Default: )|
|new-mss (integer; Default: )|
|new-packet-mark (string; Default: )|
|new-priority (integer; Default: )|
|new-routing-mark (string; Default: )|
|new-ttl (decrement | increment | set:integer; Default: )|
|nth (integer,integer; Default: )||Matches every nth packet.
|out-bridge-port (name; Default: )||Actual interface the packet is leaving the router, if outgoing interface is bridge|
|out-interface (; Default: )||Interface the packet is leaving the router|
|packet-mark (no-mark | string; Default: )||Matches packets marked via mangle facility with particular packet mark. If no-mark is set, rule will match any unmarked packet.|
|packet-size (integer[-integer]:0..65535; Default: )||Matches packets of specified size or size range in bytes.|
|passthrough (yes|no; Default: yes)||whether to let the packet to pass further (like action passthrough) into firewall or not (property only valid some actions).|
|per-connection-classifier (ValuesToHash:Denominator/Remainder; Default: )||PCC matcher allows division of traffic into equal streams with ability to keep packets with specific set of options in one particular stream.
|port (integer[-integer]: 0..65535; Default: )||Matches if any (source or destination) port matches the specified list of ports or port ranges. Applicable only if
|protocol (name or protocol ID; Default: tcp)||Matches particular IP protocol specified by protocol name or number|
|psd (integer,time,integer,integer; Default: )||Attempts to detect TCP and UDP scans. Parameters are in following format
|random (integer: 1..99; Default: )||Matches packets randomly with given probability.|
|routing-mark (string; Default: )||Matches packets marked by mangle facility with particular routing mark|
|src-address (IP/Netmask, IP range; Default: )||Matches packets where source is equal to specified IP or falls into specified IP range.|
|src-address-list (name; Default: )||Matches source address of a packet against user-defined address list|
|src-address-type (unicast | local | broadcast | multicast; Default: )||
Matches source address type:
|src-port (integer[-integer]: 0..65535; Default: )||List of source ports and ranges of source ports. Applicable only if protocol is TCP or UDP.|
|src-mac-address (MAC address; Default: )||Matches source MAC address of the packet|
|tcp-flags (ack | cwr | ece | fin | psh | rst | syn | urg; Default: )||Matches specified TCP flags
|tcp-mss (integer[-integer]: 0..65535; Default: )||Matches TCP MSS value of an IP packet|
|time (time-time,sat | fri | thu | wed | tue | mon | sun; Default: )||Allows creation of a filter based on the packets' arrival time and date or, for locally generated packets, departure time and date|
|tls-host (string; Default: )||Allows to match traffic based on TLS hostname. Accepts GLOB syntax for wildcard matching. Note that matcher will not be able to match hostname if TLS handshake frame is fragmented into multiple TCP segments (packets).|
|ttl (equal | greater-than | less-than | not-equal : integer(0..255); Default: )||Matches packets TTL value.|
/ip firewall filter print stats will show additional read-only properties
|bytes (integer)||Total amount of bytes matched by the rule|
|packets (integer)||Total amount of packets matched by the rule|
By default print is equivalent to print static and shows only static rules.
[admin@dzeltenais_burkaans] /ip firewall mangle> print stats Flags: X - disabled, I - invalid, D - dynamic # CHAIN ACTION BYTES PACKETS 0 prerouting mark-routing 17478158 127631 1 prerouting mark-routing 782505 4506
To print also dynamic rules use print all.
[admin@dzeltenais_burkaans] /ip firewall mangle> print all stats Flags: X - disabled, I - invalid, D - dynamic # CHAIN ACTION BYTES PACKETS 0 prerouting mark-routing 17478158 127631 1 prerouting mark-routing 782505 4506 2 D forward change-mss 0 0 3 D forward change-mss 0 0 4 D forward change-mss 0 0 5 D forward change-mss 129372 2031
Or to print only dynamic rules use print dynamic
[admin@dzeltenais_burkaans] /ip firewall mangle> print stats dynamic Flags: X - disabled, I - invalid, D - dynamic # CHAIN ACTION BYTES PACKETS 0 D forward change-mss 0 0 1 D forward change-mss 0 0 2 D forward change-mss 0 0 3 D forward change-mss 132444 2079
Menu specific commands
|reset-counters (id)||Reset statistics counters for specified firewall rules.|
|reset-counters-all ()||Reset statistics counters for all firewall rules.|
It is a well known fact that VPN links have smaller packet size due to encapsulation overhead. A large packet with MSS that exceeds the MSS of the VPN link should be fragmented prior to sending it via that kind of connection. However, if the packet has DF flag set, it cannot be fragmented and should be discarded. On links that have broken path MTU discovery (PMTUD) it may lead to a number of problems, including problems with FTP and HTTP data transfer and e-mail services.
In case of link with broken PMTUD, a decrease of the MSS of the packets coming through the VPN link solves the problem. The following example demonstrates how to decrease the MSS value via mangle:
/ip firewall mangle add out-interface=pppoe-out protocol=tcp tcp-flags=syn action=change-mss new-mss=1300 chain=forward tcp-mss=1301-65535
Marking each packet is quite resource expensive especially if rule has to match against many parameters from IP header or address list containing hundreds of entries.
Lets say we want to
- mark all tcp packets except tcp/80 and match these packets against first address list
- mark all udp packets and match them against second address list.
/ip firewall mangle add chain=forward protocol=tcp port=!80 dst-address-list=first action=mark-packet new-packet-mark=first add chain=forward protocol=udp dst-address-list=second action=mark-packet new-packet-mark=second
Setup looks quite simple and probably will work without problems in small networks. Now multiply count of rules by 10, add few hundred entries in address list, run 100Mbit of traffic over this router and you will see how rapidly CPU usage is increasing. The reason for such behavior is that each rule reads IP header of every packet and tries to match collected data against parameters specified in firewall rule.
Fortunately if connection tracking is enabled, we can use connection marks to optimize our setup.
/ip firewall mangle add chain=forward protocol=tcp port=!80 dst-address-list=first connection-state=new action=mark-connection \ new-connection-mark=first add chain=forward connection-mark=first action=mark-packet new-packet-mark=first passthrough=no add chain=forward protocol=udp dst-address-list=second connection-state=new action=mark-connection \ new-connection-mark=second add chain=forward connection-mark=second action=mark-packet new-packet-mark=second passthrough=no
Now first rule will try to match data from IP header only from first packet of new connection and add connection mark. Next rule will no longer check IP header for each packet, it will just compare connection marks resulting in lower CPU consumption. Additionally
passthrough=no was added that helps to reduce CPU consumption even more.