Professional Documents
Culture Documents
Mangle is a kind of 'marker' that marks packets for future processing with special marks. Many other
facilities in RouterOS make use of these marks, e.g. queue trees, NAT, routing. They identify a
packet based on its mark and process it accordingly. The mangle marks exist only within the router,
they are not transmitted across the network.
Additionally, the mangle facility is used to modify some fields in the IP header, like TOS (DSCP) and
TTL fields.
Properties
Property
action (action name; Default: accept) Action to take if packet is matched by the r
address-list-timeout (time; Default: 00:00:00) Time interval after which the address will b
list parameter. Used in conjunction with
list actions
Value of 00:00:00 will leave the address
connection-state (estabilished | invalid | new | related; Default: ) Interprets the connection tracking analysis
dst-limit (integer[/time],integer,dst-address | dst-port | src- Matches packets until a given pps limit is e
address[/time]; Default: ) IP address / destination port has it's own li
format: count[/time],burst,mode[/ex
ipsec-policy (in | out, ipsec | none; Default: ) Matches the policy used by IpSec. Value is
Used to select whether to match the policy
encapsulation.
jump-target (name; Default: ) Name of the target chain to jump to. Applic
protocol (name or protocol ID; Default: tcp) Matches particular IP protocol specified by
psd (integer,time,integer,integer; Default: ) Attempts to detect TCP and UDP scans. P
DelayThreshold, LopPortWeight, Hi
random (integer: 1..99; Default: ) Matches packets randomly with given prob
routing-mark (string; Default: ) Matches packets marked by mangle facilit
src-address (IP/Netmask, IP range; Default: ) Matches packets where source is equal to
src-address-list (name; Default: ) Matches source address of a packet again
src-address-type (unicast | local | broadcast | multicast; Default: )
Matches source address type:
src-port (integer[-integer]: 0..65535; Default: ) List of source ports and ranges of source p
src-mac-address (MAC address; Default: ) Matches source MAC address of the pack
tcp-flags (ack | cwr | ece | fin | psh | rst | syn | urg; Default: ) Matches specified TCP flags
Stats
/ip firewall filter print stats will show additional read-only properties
Property
bytes (integer) Total amount of bytes matched by the rule
packets (integer) Total amount of packets matched by the ru
By default print is equivalent to print static and shows only static rules.
Basic examples
Change MSS
It is a well known fact that VPN links have smaller packet size due to encapsulation overhead. A
large packet with MSS that exceeds the MSS of the VPN link should be fragmented prior to sending
it via that kind of connection. However, if the packet has DF flag set, it cannot be fragmented and
should be discarded. On links that have broken path MTU discovery (PMTUD) it may lead to a
number of problems, including problems with FTP and HTTP data transfer and e-mail services.
In case of link with broken PMTUD, a decrease of the MSS of the packets coming through the VPN
link solves the problem. The following example demonstrates how to decrease the MSS value via
mangle:
Marking packets
Marking each packet is quite resource expensive especially if rule has to match against many
parameters from IP header or address list containing hundreds of entries.
Lets say we want to
mark all tcp packets except tcp/80 and match these packets against first address list
mark all udp packets and match them against second address list.
Setup looks quite simple and probably will work without problems in small networks. Now multiply
count of rules by 10, add few hundred entries in address list, run 100Mbit of traffic over this router
and you will see how rapidly CPU usage is increasing. The reason for such behavior is that each
rule reads IP header of every packet and tries to match collected data against parameters specified
in firewall rule.
Fortunately if connection tracking is enabled, we can use connection marks to optimize our setup.
Now first rule will try to match data from IP header only from first packet of new connection and add
connection mark. Next rule will no longer check IP header for each packet, it will just compare
connection marks resulting in lower CPU consumption. Additionally passthrough=no was added
that helps to reduce CPU consumption even more.