Fasttracking using filter vs mangle

Hi,

Can someone tell me what is the difference between:

/ip firewall mangle chain=prerouting action=fasttrack-connection log=no log-prefix=""

vs

/ip firewall filter chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""

Also, I can mangle all 4 chains using fasttrack-connection action:

 > /ip firewall mangle print 
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=prerouting action=passthrough 

 1  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 2  D ;;; special dummy rule to show fasttrack counters
      chain=postrouting action=passthrough 

 3    chain=prerouting action=fasttrack-connection log=no log-prefix="" 

 4    chain=input action=fasttrack-connection log=no log-prefix="" 

 5    chain=output action=fasttrack-connection log=no log-prefix="" 

 6    chain=postrouting action=fasttrack-connection log=no log-prefix=""

Is there any benefit of fasttracking input/output/postrouting chains?

Should I also include "established,related" states if using mangle instead of filter?

There is little info to be found on this topic.


According to the wiki:

ip firewall mangle:
“fasttrack-connection - shows fasttrack counters, useful for statistics”
ip firewall filter:
“fasttrack-connection - process packets from a connection using FastPath by enabling FastTrack for the connection”

The mangle part is not true, because my fasttrack packet counters increase while using mangle action fasttrack (without using filter action fasttrack).

Great question, with sadly no answer … I’m looking for these answers too.

The difference is in the position of marking.
Look at the packet flow diagram I attached.
Fast tracking in the prerouting chain of mangle occurs sooner than the input or forward chain of filter, so I think that prevents some unnecessary processing.
MikroTik_PacketFlow_Routing24.jpg

I think maybe it's not so relevant.

Once the connection is marked for fasttrack, most of the subsequent packets of that connection are fast-tracked, avoiding processing overhead. Placement of the fast-track rule does not change anything for those packets (most of them).

Fast-track rule placement only impacts the first packets of a connection, before that connection is marked for fast-track.

Indeed.

The description of packet flow in the new help page briefly mentions how fast track fits into the packet flow. The text mentions that fast-tracked packets skip connection tracking, while the graphic indicates some logic inside the connection tracking parallelogram.

In any case, packets only enter the prerouting chain but seemingly exit it before hitting mangle prerouting. And they definitely don't enter the forward (or input) chains. So they bypass all mangle and firewall (both raw and filter).

When it comes to marking for fasttrack (there are only a small number of packets hitting those rules), my personal opinion is that a full firewall rule is the better choice, simply because there are more matching criteria available to make a good matcher. Performance-wise it doesn't matter much.
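
An offline check for the two rule forms compared in this thread, added here as an example (not posted by any participant and not MikroTik's code): it reads `/export`-style text and lists `fasttrack-connection` rules that have no `connection-state` matcher or that match states beyond `established,related`. Treating such rules as findings is this example's assumption, based on the thread's point that fast-tracked packets bypass mangle and firewall; the sample export and the function names are constructed.

```python
import re
import shlex

# Constructed sample in /export style, modelled on the two rule forms in the question.
SAMPLE_EXPORT = '''\
/ip firewall mangle
add action=fasttrack-connection chain=prerouting log=no log-prefix=""
add action=fasttrack-connection chain=input log=no log-prefix=""
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
'''

def parse_rules(export_text):
    """Yield (table, props) for every 'add' line under '/ip firewall <table>'."""
    text = re.sub(r"\\\n\s*", "", export_text)  # assumption: exports wrap lines with a trailing backslash
    table = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            parts = line.split()
            table = parts[2] if parts[:2] == ["/ip", "firewall"] and len(parts) > 2 else None
        elif table and line.startswith("add "):
            props = dict(tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            yield table, props

def audit_fasttrack(export_text):
    """Return (table, chain, reason) for each fasttrack rule worth a second look."""
    findings = []
    for table, p in parse_rules(export_text):
        if p.get("action") != "fasttrack-connection":
            continue
        chain = p.get("chain", "?")
        states = set(filter(None, p.get("connection-state", "").split(",")))
        if not states:
            findings.append((table, chain, "no connection-state matcher"))
        elif not states <= {"established", "related"}:
            findings.append((table, chain, "matches states beyond established,related"))
    return findings

if __name__ == "__main__":
    for table, chain, reason in audit_fasttrack(SAMPLE_EXPORT):
        print(f"{table}/{chain}: {reason}")
```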