Feature Request: ACL Compare User Defined Bytes

I asked this in the forum ( http://forum.mikrotik.com/t/how-to-acl-filtering-by-user-defined-bytes-in-packet/139867/1 ), and also asked support (SUP-17576),
but it seems this feature is not available in RouterOS yet:
in the ACL, comparing user-defined offset bytes (or words, dwords) in the packet header.
This feature would allow, for example, doing redirect-to-cpu only for the initial SYN packet of a TCP session.
Or is there currently any alternative or workaround possible?

The firewall has a lot of attributes to filter on:

/ip firewall filter add protocol=tcp connection-state=new ...

@eworm, it’s about the ACL, i.e. the “hardware firewall in the switch-chip ASIC”.
On the newer devices, especially CRS3xx, “Hardware Offloading” is the default, so packets go to the ACL first, and mostly only there,
unless one does redirect-to-cpu in the ACL.

That means: on such devices with Hardware Offloading, not all packets are by default available in the usual firewall locations like “/ip firewall filter”! Believe me, I have already had some bad experiences in that respect… :)
Search “ACL” in the forum archive, as well as in the wiki etc.

FYI: the ACL is a very fast, but stateless, firewall, i.e. without connection-state. But since it has an action called “redirect-to-cpu”,
the stateful “CPU firewall” (i.e. “/ip firewall filter” etc.) can be used for that. IMO a very useful combination.
On my CRS326 switch-router device the majority of my firewall rules are in the ACL, for performance reasons.

A follow-up on this:

The Support Team in a support ticket asked me:


Could you please provide more details about the necessity of it?
It might help to reconsider implementing it sooner.

and I made the following proposal:

mutluit 29/05/20 11:36:17
Hello,
the necessity for this functionality is firewall performance, for example by doing redirect-to-cpu only for the initial SYN packet of a TCP session as described in this Feature Request: http://forum.mikrotik.com/t/feature-request-acl-compare-user-defined-bytes/139938/1
There are obviously many other useful use-cases for this.
Below is a proposal/suggestion by me to add this functionality to the ACL API.
If you have any further questions, let me know, I’ll try to help.


Proposal: ACL Compare User Defined Value

New properties to https://wiki.mikrotik.com/wiki/Manual:CRS3xx_series_switches#Switch_Rules_.28ACL.29 :

match-byte=offset,value
match-word=offset,value
match-dword=offset,value

Offset is the offset into the packet, from 0 to len-1.
If the offset is out of bounds, then of course an error abort shall happen.

The user has to check whether the packet contains the optional 802.1q (VLAN) header, and set his offset appropriately. In practice this means the user must use it together with “vlan-header=present|not-present”, i.e. the user has to use two exclusive rules, like this:

  1. vlan-header=present match-byte=myoffset,myvalue …
  2. vlan-header=not-present match-byte=myoffset,myvalue …

It would suffice if you could add just “match-byte=”; the other 2 variants above (“match-word=” and “match-dword=”) would be just nice-to-have.
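The following is an added reference model of the proposed `match-byte=offset,value` semantics; it is example code written for this page, not RouterOS code and not anything MikroTik has implemented. It builds constructed Ethernet/IPv4/TCP frames with and without an 802.1Q tag, computes where the TCP flags byte lands in each case, and evaluates the two mutually exclusive rules from the proposal, so one can see why a single fixed offset cannot cover both tagged and untagged frames. The rule dictionaries, the `vlan-header` key and the offset arithmetic are assumptions of this model; the model also assumes an IPv4 header without options (IHL=5), which is the main caveat of any fixed-offset match.

```python
"""Reference model of the proposed ACL property `match-byte=offset,value`.

Added example for this thread, not RouterOS code. It shows how a rule pair
would redirect only the initial TCP SYN to the CPU, and why the optional
802.1Q tag forces two rules (vlan-header=present / not-present).
"""
import struct

ETH_LEN = 14        # dst MAC (6) + src MAC (6) + EtherType (2)
VLAN_TAG_LEN = 4    # 802.1Q TPID (2) + TCI (2)
IPV4_HDR_LEN = 20   # ASSUMPTION: IHL=5, i.e. no IP options
TCP_FLAGS_OFF = 13  # flags byte sits at offset 13 inside the TCP header
TCP_SYN = 0x02      # SYN only; SYN|ACK is 0x12 and would NOT match byte-equality


def build_frame(vlan: bool, tcp_flags: int) -> bytes:
    """Constructed sample frame: Ethernet [+ 802.1Q] + IPv4 + TCP, no payload."""
    eth = b"\x02" * 6 + b"\x04" * 6                 # constructed MACs
    if vlan:
        eth += struct.pack("!HH", 0x8100, 0x0064)   # 802.1Q tag, VLAN 100
    eth += struct.pack("!H", 0x0800)                # EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40, 0, 0x4000, 64, 6, 0,   # v4, IHL=5, proto TCP
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    # sport, dport, seq, ack, data offset (5 words), flags, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    return eth + ip + tcp


def syn_byte_offset(vlan: bool) -> int:
    """Offset of the TCP flags byte from the start of the frame (IHL=5 assumed)."""
    return ETH_LEN + (VLAN_TAG_LEN if vlan else 0) + IPV4_HDR_LEN + TCP_FLAGS_OFF


def has_vlan_header(frame: bytes) -> bool:
    """Matches what `vlan-header=present` would test: TPID 0x8100 after the MACs."""
    return frame[12:14] == b"\x81\x00"


def match_byte(frame: bytes, offset: int, value: int) -> bool:
    """Proposed semantics: exact equality of one byte; out-of-bounds is an error."""
    if not 0 <= offset < len(frame):
        raise IndexError(f"match-byte offset {offset} outside frame of {len(frame)} bytes")
    return frame[offset] == value


def rule_matches(frame: bytes, rule: dict) -> bool:
    """One ACL rule of the proposed form (hypothetical dict layout)."""
    want_vlan = rule["vlan-header"] == "present"
    if has_vlan_header(frame) != want_vlan:
        return False
    offset, value = rule["match-byte"]
    return match_byte(frame, offset, value)


def redirect_to_cpu(frame: bytes, rules: list) -> bool:
    """True if any rule with redirect-to-cpu=yes matches the frame."""
    return any(r.get("redirect-to-cpu") and rule_matches(frame, r) for r in rules)


# The two exclusive rules from the proposal, with the offsets worked out.
SYN_RULES = [
    {"vlan-header": "present",
     "match-byte": (syn_byte_offset(True), TCP_SYN), "redirect-to-cpu": True},
    {"vlan-header": "not-present",
     "match-byte": (syn_byte_offset(False), TCP_SYN), "redirect-to-cpu": True},
]


if __name__ == "__main__":
    for vlan in (False, True):
        for name, flags in (("SYN", 0x02), ("SYN|ACK", 0x12), ("ACK", 0x10)):
            frame = build_frame(vlan, flags)
            print(f"vlan={vlan!s:5} {name:8} offset={syn_byte_offset(vlan)} "
                  f"redirect={redirect_to_cpu(frame, SYN_RULES)}")
```

Run stand-alone it prints one line per case: only the two SYN frames are redirected, the untagged one via offset 47 and the tagged one via offset 51. A rule with only the untagged offset would silently miss every tagged SYN, because byte 47 of a tagged frame falls inside the TCP acknowledgement number. Two further limits of a pure byte-equality match are visible in the model: SYN|ACK (0x12) is not caught by value 0x02, and any IPv4 header carrying options shifts the flags byte past the fixed offset, so a mask or an offset relative to the L4 header would be the more robust design.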