I was playing around with filtering traffic based on a destination address list and discovered that it was also matching anything to the IPv4 broadcast address (255.255.255.255).
I can understand why it matches but it wasn’t obvious to me how to get the intended result of matching specific addresses or ranges. My somewhat fuzzy recollection and background assumption is that broadcast traffic isn’t usually forwarded outside of the local segment.
Suggestions? Maybe using dst-address-type?
Broadcast traffic usually isn’t forwarded out the broadcast domain, that is true. Doing so requires helpers - DHCP helpers are an example. Those helpers listen on the router interface, take the broadcast packet, rewrite the packet header and send the payload unicast to a final destination. Just because a broadcast packet is matched by an address list doesn’t mean that it’s going to be forwarded out the broadcast domain. Maybe you can give more details on what exactly what you were trying, what you were observing, and what you were expecting.
Generally if you want to match an entire subnet but not the network or broadcast address, you can either match the entire subnet and use dst-address-type=unicast, or you can use a range in your address list:
/ip firewall address-list
add list=test address=192.168.0.0/24
/ip firewall filter
add chain=forward dst-address-list=test dst-address-type=unicast action=accept
/ip firewall address-list
add list=test address=192.168.0.1-192.168.0.254
/ip firewall filter
add chain=forward dst-address-list=test action=accept
I have no idea what the iptables code for either looks like, but one could potentially be far more efficient than the other (I don’t know how ranges are evaluated in the processor).
I was mostly playing with trying to block certain destinations (without blocking broadcast). Adding: dst-address-type=!broadcast to the filter rule seems to be doing what was intended.