feature request: src/dst-addr-type connected

mbaute · Tue Jul 18, 2023 7:07 pm

it can be useful for mangle rules instead of maintaining lists of exclusions.

I understand that would be used in prerouting chain and by definition it doesn't know about routes yet, but as address-type=local does get a match, maybe ros also knows netmask of that local address at that stage and infer that is a connected route

Thanks! The show is great btw. It has a great storyline and the visuals are amazing and inspiring.

msatter · Tue Jul 18, 2023 7:41 pm

What did I just read!?

mbaute · Tue Jul 18, 2023 9:00 pm

oh I'm sorry I thought this was america

Consider the following:

/ip addr
add addr=10.1.10.1/24 iface=vlan10
add addr=10.1.20.1/24 iface=vlan20
add addr=10.1.30.1/24 iface=vlan30

/ip fire addr
add list=rfc1918 addr=192.168.0.0/16
add list=rfc1918 addr=10.0.0.0/8
add list=rfc1918 addr=172.16.0.0/12
add list=connected addr=10.1.10.0/24
add list=connected addr=10.1.20.0/24

/ip fire mangle
add chain=prerouting srcaddr=10.1.30.0/24 dst-address-list=connected action=accept
add chain=prerouting srcaddr=10.1.30.0/24 dst-address-list=rfc1918 action=markrouting new-routing-mark=sometable

/ip route
add gateway=somevpn routingtable=sometable

looking for this:

/ip address
add addr=10.1.10.1/24 iface=vlan10
add addr=10.1.20.1/24 iface=vlan20
add addr=10.1.30.1/24 iface=vlan30

/ip fire addr
add list=rfc1918 addr=192.168.0.0/16
add list=rfc1918 addr=10.0.0.0/8
add list=rfc1918 addr=172.16.0.0/12

/ip fire mangle
add chain=prerouting srcaddr=10.1.30.0/24 dst-address-type=connected action=accept
add chain=prerouting srcaddr=10.1.30.0/24 dst-address-list=rfc1918 action=markrouting new-routing-mark=sometable

/ip route
add gateway=somevpn routingtable=sometable

and forget about maintaining that list. I know it's lazy but I'm not ashamed

feature request: src/dst-addr-type connected

feature request: src/dst-addr-type connected

Re: feature request: src/dst-addr-type connected

Re: feature request: src/dst-addr-type connected