[5.0RC1] Firewall Mangle Passthrough bug?

Pada · Thu Oct 21, 2010 9:40 pm

I have already posted this in the General Support section, but I haven't received any replies yet since I probably posted it in the wrong section: http://forum.mikrotik.com/viewtopic.php?f=2&t=45996

My problem is that after the rule matched in the Firewall : Mangle table and I've set passthrough=no, it still continues to find matches.
You can see with the packet count that even though most of the packets matched with the first rule in the custom chain, the last rule in that custom chain still picked up ALL the packets:

Here's the applicable code in /ip/firewall/mangle:

add action=jump chain=prerouting disabled=no in-interface=ether5-ADSL-MWeb \
    jump-target=prerouting_internet
add action=mark-packet chain=prerouting_internet comment=\
    "Mark incoming large download packets" connection-bytes=50000-0 disabled=\
    no new-packet-mark=low-priority-in passthrough=no protocol=tcp src-port=\
    21,80
add action=mark-packet chain=prerouting_internet comment=\
    "Mark incoming small download packets" disabled=no new-packet-mark=\
    Internet-In passthrough=no protocol=tcp src-port=21,80
add action=mark-packet chain=prerouting_internet comment=\
    "Mark incoming newshost packets" disabled=no new-packet-mark=\
    low-priority-in passthrough=no protocol=tcp src-port=119
add action=mark-packet chain=prerouting_internet comment=\
    "Mark incoming game packets" disabled=no new-packet-mark=Game-In \
    passthrough=no protocol=udp src-port=27005-27020,27215,28015-28020
add action=mark-packet chain=prerouting_internet comment=\
    "Mark incoming game packets" disabled=no new-packet-mark=Game-In \
    passthrough=no protocol=tcp src-port=6110-6119
add action=mark-packet chain=prerouting_internet comment=\
    "Mark incoming Steam packets" disabled=no new-packet-mark=Steam-In \
    passthrough=no protocol=udp src-port=27025-27050
add action=mark-packet chain=prerouting_internet comment=\
    "Mark incoming Steam packets" disabled=no new-packet-mark=Steam-In \
    passthrough=no protocol=tcp src-port=27025-27050
add action=mark-packet chain=prerouting_internet comment=\
    "Mark incoming Internet packets" disabled=no new-packet-mark=\
    low-priority-in passthrough=no

As a workaround, which is definitely not ideal, I have set the packet-mark=no-mark in the rules.

Chupaka · Sat Oct 23, 2010 3:32 am

MT Staff already answered, that it's a 'feature' with marks and 'passthrough'. wait for RC2 - it was fixed there

Pada · Sat Oct 23, 2010 5:42 am

Thank you Chupaka. I didn't know about this "feature".

I can't wait for RC2

fmenard123 · Thu Oct 28, 2010 1:31 pm

What's new in 5.0rc2 (2010-Oct-27 16:20):
*) wireless nv2 - encryption support;
*) tool fetch - support ftp STOR;
*) ospf - fixed crash when working with external LSA that contain
forwarding addess;
*) ipsec - supports NAT-T drafts;
*) ipsec - added debug logging, to maintain same log verbosity as before with
'ipsec' topic now use topics 'ipsec,debug,!packet';
*) ipsec - make it work with EoIP, GRE, PPTP and L2TP;
*) support for Atheros AR9271 wireless chip;
*) added support for more Intel 82575/82576 PCI-Express Gigabit Ethernet cards;
*) added support for idle detection on RB1xx/RB5xx in /tool profile;
*) fixed Wireless manual tx power configuration for 11n rates in WinBox;
*) fixed torch;

So I have a question:

It appears not to be Mikrotik's policy to acknowledge every fix done in their release notes.

This makes it hard to keep track of bugs acknowledged, then fixed, but then not noted to be fixed.

If it was me, I would add another line to the release notes....

*) other small fixes.

Then again, I would also have the same question - what are they ...

Any opinion ?

F.

[5.0RC1] Firewall Mangle Passthrough bug?

[5.0RC1] Firewall Mangle Passthrough bug?

Re: [5.0RC1] Firewall Mangle Passthrough bug?

Re: [5.0RC1] Firewall Mangle Passthrough bug?

Re: [5.0RC1] Firewall Mangle Passthrough bug?

Who is online