I have many corner case rules in mangle prerouting that happen only very seldomly.
Unfortunately, passing “normal” traffic has to be processed against all of them, burdening CPU resources.
Since “normal” traffic can be specified with relatively few conditions, it makes sense to catch them before they reach these many mangle rules, saving CPU resources.
Are packets accepted in mangle prerouting still processed in mangle forward and filter forward?
Yes, they are.
It is a separate chain, and actually in some cases it is necessary (for example, mangle prerouting happens before dst-nat, but you need to later check if the connection is dst-natted).
The “accept” always applies only to the particular chain (it accepts the packet and skips the rest of that chain).
ps1: the image you presented is easy to read but not really complete (for example
Thank you for the clarification. So, since the particular chain in question is the prerouting chain, does that mean the accepted packets will not undergo dst-nat anymore? Since it’s also in the prerouting chain?
Oh! Sorry for such a mistake. I didn’t realize it may be interpreted that way.
They will definitely go through it.
Mangle prerouting / raw prerouting / nat prerouting, filter forward / filter input, etc. (every combination): these are all different blocks on the diagram. Every block is processed as a chain of rules. If a packet is accepted, it will skip the rest of the rules in that chain = in that specific block.
But it can be intercepted by another rule in the next chain / block of rules.
To be more specific and use your words, the “particular chain” is actually not “prerouting” but “mangle prerouting”.
Ok, thanks, I get it now. Apparently the terminology doesn’t pose a problem when you’re configuring using Webfig or Winbox, since the rules are segregated into different tables first. So when you look at a particular table, “accept” really does make the packet skip the rest of the “chain” in the particular table you are looking at.
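An added RouterOS console example (not from any post in this thread) showing the layout the answers describe: an early accept in mangle prerouting that lets “normal” traffic skip the corner-case rules, while the same packet still reaches nat dstnat, mangle forward and filter forward. Interface lists, address lists, addresses and ports are constructed placeholders.

```routeros
# --- mangle prerouting: the "particular chain" the accept applies to ---
/ip firewall mangle
# Constructed rule: "normal" traffic is matched with few conditions and accepted
# here, so it skips the rest of THIS chain only (mangle prerouting).
add chain=prerouting action=accept connection-state=established,related \
    comment="normal traffic: skip the corner-case rules below"
add chain=prerouting action=accept in-interface-list=LAN \
    dst-address-list=!corner-cases comment="normal LAN traffic"
# Constructed corner-case rules that only rare packets now have to walk through.
add chain=prerouting action=mark-connection new-connection-mark=corner-a \
    passthrough=yes dst-address=203.0.113.10 comment="corner case A"
add chain=prerouting action=mark-connection new-connection-mark=corner-b \
    passthrough=yes protocol=udp dst-port=5060 comment="corner case B"

# --- nat dstnat: a different block, so the packet accepted above still hits it ---
/ip firewall nat
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.10 comment="constructed port forward"

# --- mangle forward: runs after dst-nat, so it can check whether the
#     connection was dst-natted (the case mentioned in the thread) ---
/ip firewall mangle
add chain=forward connection-nat-state=dstnat action=mark-packet \
    new-packet-mark=dstnat-traffic passthrough=yes comment="seen after dst-nat"

# --- filter forward: also still evaluated for the packet accepted in mangle prerouting ---
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=new connection-nat-state=dstnat action=accept \
    comment="allow new connections that were dst-natted above"
add chain=forward connection-state=new in-interface-list=WAN action=drop \
    comment="everything else new from WAN is dropped here, regardless of the mangle accept"
```

Checking rule hit counters with `/ip firewall mangle print stats` and `/ip firewall filter print stats` shows both the prerouting accept and the later forward rules incrementing for the same flow.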