MikroTik

I have and
most ICMP packets are accepted only from raw, but sometimes (1/8 from all ICMP packets) packet is accepted from raw and filter rules. I don't understand why sometimes packet accepted in preroute chain goes into input chain

Packets pass through multiple chains:

https://wiki.mikrotik.com/wiki/Manual:P ... ng_Diagram

Raw prerouting is first, then there are few others, followed by decision whether destination is router itself or something external. If it's router, you'll see them in input, otherwise they'll go in forward.

I don't speak about "some" packet, but about the concrete packet processed with concrete rules, that is accepted in preroute. I have 4514 ICMP packets that are accepted in raw (every ICMP is accepted in preroute chain) now, but 398 from this ICMP packets go into input and they are accepted in input too. Why packet that is accepted in preroute go into input too?

If you accept packet in raw prerouting, it means that it can continue further to other chains, it's not the end. And why those numbers differ is because prerouting is common for all packets, but only some of those are for router and will go in input, others are not for router and will go in forward.

Edit: And even if they are all for router, if you have standard stateful firewall, some will be accepted by "accept estanblished & related" rule.

Is it possible to accept packet (or drop) direct in preroute without moving into input or forward chain?

Raw prerouting can drop it and that's the end for that packet. It can't accept packet and let it avoid further chains. Closest to that is to mark it as untracked (action=notrack) and allow it at the beginning of e.g. filter, where you can match it using connection-state=untracked (default firewall does that).