sizeofbool
just joined
Topic Author
Posts: 17
Joined: Fri Oct 13, 2017 2:09 pm

Few simple questions about custom chains in RouterOS

Thu Nov 02, 2017 8:49 pm

Let's assume we have this set of rules:
...
chain=input action=jump jump-target=someconn connection-state=new protocol=tcp in-interface=ether1 dst-port=88
chain=someconn action=add-src-to-address-list protocol=tcp address-list=somelist in-interface=ether1 dst-port=88
...
chain=input action=drop in-interface=ether1

Question 1: What happens with the packet after it finishes going through "someconn" chain?
My (probably wrong) answer: Since the action "add-src-to-address-list" is not a blocking type, the packet will return to the previous chain (the input chain in this case) and continue going through it until it hits a default rule or the chain policy. In the case of RouterOS, the default policy of the built-in chains is accept.

I'm asking because of this quote from MikroTik wiki:
When processing a chain, rules are taken from the chain in the order they are listed there from top to bottom. If a packet matches the criteria of the rule, then the specified action is performed on it, and no more rules are processed in that chain (the exception is the passthrough action). If a packet has not matched any rule within the built-in chain, then it is accepted.
Is this the same for custom chains?

Question 2: Can I safely nest custom chains, assuming no loops are involved? How deep can nesting go?

Question 3: Does it matter where the set of rules of a custom chain is located within the same table?
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Few simple questions about custom chains in RouterOS

Thu Nov 02, 2017 9:34 pm

1.) Unless you tell it to return to the chain it jumped from, or have a catch-all rule, it will fall through to a default accept.
2.) Yes, you can nest chains if so desired, but you don't want to make things too complex: it can hurt router throughput, or just make things a pain to work on in the future. The simpler you can keep things, the better.
3.) Rules are processed in order from top to bottom within the same chain. You can have a custom chain wherever you want within a table, but for your own sanity, try to keep things separate and clean, i.e. keep all input rules together, keep all forward rules together, etc.
 
sizeofbool
just joined
Topic Author
Posts: 17
Joined: Fri Oct 13, 2017 2:09 pm

Re: Few simple questions about custom chains in RouterOS

Thu Nov 02, 2017 9:59 pm

1.) Unless you tell it to return to the chain it jumped from, or have a catch-all rule, it will fall through to a default accept.
So, I always have to add an additional rule at the end of every custom chain to force some final action on the packet, and if I don't do that the packet will be accepted? Did I understand this correctly?
That's odd; in the case of "iptables" under the same conditions, a packet that wasn't matched by a rule of terminating type will return to the previous chain at the end of the custom chain, without any additional rules.
2.) Yes, you can nest chains if so desired, but you don't want to make things too complex: it can hurt router throughput, or just make things a pain to work on in the future. The simpler you can keep things, the better.
You are right, the fewer rules the better, but custom chains are the main instrument for implementing rules without hurting throughput. If they are done right, of course.
3.) Rules are processed in order from top to bottom within the same chain. You can have a custom chain wherever you want within a table, but for your own sanity, try to keep things separate and clean, i.e. keep all input rules together, keep all forward rules together, etc.
This is probably the main reason why I am asking these questions: to keep things clean and effective. And to learn some weird quirks of the packet filter in RouterOS.
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Few simple questions about custom chains in RouterOS

Thu Nov 02, 2017 10:28 pm

Did some quick googling; you were actually correct, its default action is to return to the parent chain.

The firewall in RouterOS is IPChains under the hood, so if you understand how IPChains work, you just need to understand the syntax differences.
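The rule set from the opening post, written out as RouterOS terminal commands with the custom chain's exit made explicit and with a way to confirm the return-and-continue path from rule counters. This is an added example, not code from the thread; the interface name ether1, port 88 and the list name "somelist" are taken from the question, the timeout and comments are assumptions.

```routeros
# Added example, not from the thread. Assumptions: WAN is ether1, the
# service is TCP/88, the address list is "somelist", the 1d timeout is
# arbitrary. The explicit "return" rule makes the chain's exit behaviour
# visible in the config instead of relying on the default at end of chain.

/ip firewall filter
# Known connections are handled before anything reaches the custom chain.
add chain=input action=accept connection-state=established,related \
    comment="fast path for known connections"

# New TCP/88 connections from the WAN side are handed to the custom chain.
add chain=input action=jump jump-target=someconn connection-state=new \
    protocol=tcp in-interface=ether1 dst-port=88 \
    comment="jump: new TCP/88 from WAN"

# Custom chain. add-src-to-address-list is non-terminating, so the rule
# after it still runs; "return" hands control back to the calling chain,
# which then continues at the rule following the jump.
add chain=someconn action=add-src-to-address-list address-list=somelist \
    address-list-timeout=1d comment="record source of new TCP/88 connection"
add chain=someconn action=return \
    comment="explicit return to the calling chain (input)"

# Catch-all for the built-in chain, so nothing reaches the implicit accept.
add chain=input action=drop in-interface=ether1 \
    comment="catch-all drop for everything else from WAN"

# Check: after one new TCP/88 attempt from the WAN, the jump rule, both
# someconn rules and the catch-all drop should each show one more packet.
# If the drop counter did not move, the packet did not come back to input.
/ip firewall filter print stats
/ip firewall address-list print where list=somelist
```

The someconn rules can sit anywhere in the filter table, since RouterOS groups rules by chain; order only matters among rules of the same chain.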
