How to do ACL filtering by User Defined Bytes in a packet?
I need to redirect to CPU only the initial SYN packet of every new TCP session.
How can I do that on a CRS326?
The ARM SoC “Marvell 98DX3236” with a dual-core CPU and the ASIC switch chip QCA8337 is used in the MikroTik CRS326-type switches as well as in other models.
It is also used by other switch vendors. For example, OPTOKON/ELTEX advertises the ACL features of its switch products built on this SoC as follows:
ACL (Access Control Lists)
- L2-L3-L4 ACL
- Time-Based ACL
- IPv6 ACL
- ACL based on:
  - Physical port number
  - IEEE 802.1p
  - VLAN ID
  - EtherType
  - DSCP
  - Protocol type
  - TCP/UDP port number
  - User Defined Bytes
The documentation of the ASIC switch chip QCA8337 (which is bundled into the above SoC) says "**User-defined ACL, up to 48 bytes depth in layer 4/3/2**".
The RouterOS ACL documentation for CRS326 at https://wiki.mikrotik.com/wiki/Manual:CRS3xx_series_switches#Switch_Rules_.28ACL.29
does not mention this "User Defined Bytes" ACL function. Was it forgotten in the documentation or is that not possible in RouterOS?
The ACL (i.e. the stateless hardware firewall) is fast, but I need to inspect the initial SYN packet of every TCP session's 3-way handshake.
For this, that initial SYN packet must be redirected to the slower CPU and processed there (i.e. by "/ip firewall filter" or a similar "CPU firewall" in RouterOS).
Of course I need to redirect only that initial SYN packet to the CPU, not the rest of that TCP session.
How can this be done in the RouterOS ACL for the CRS326? (I think this question applies generally to all CRS3xx, or to all devices with the Marvell 98DX3236 SoC.)
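Added example (not part of the post above, and not RouterOS, MikroTik, Marvell or Qualcomm code): what a "User Defined Bytes" rule would actually have to match to catch only the first SYN of a handshake. The TCP flags live in byte 13 of the TCP header, and "initial SYN" means SYN set with ACK clear (mask 0x12, value 0x02), which excludes the SYN+ACK of the second handshake packet. The script walks a raw Ethernet frame past any 802.1Q tags and IPv4 options to find that byte's absolute offset and reports whether it falls inside the 48-byte depth quoted from the QCA8337 documentation, counted from the start of the frame (the offset/mask/value model and the L2-relative counting are assumptions; the post does not say how RouterOS exposes this, if at all). The sample frames are constructed inline.

```python
import struct

# Added example, not code from the post or from MikroTik, Marvell or Qualcomm.
# UDB_DEPTH is the "up to 48 bytes depth" figure the post quotes for the QCA8337;
# the (offset, mask, value) model of a user-defined-byte ACL is an assumption.
UDB_DEPTH = 48

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
IPPROTO_TCP = 6
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TCP_FLAGS_OFF_IN_TCP = 13   # the flags byte is byte 13 of the TCP header


def tcp_flags_offset(frame: bytes):
    """Absolute offset (from the first byte of the Ethernet header) of the TCP
    flags byte, or None if the frame is not IPv4/TCP or is truncated.
    Skips any number of 802.1Q tags and honours the IPv4 IHL (options)."""
    off = 12  # EtherType / TPID position in the Ethernet header
    while True:
        if len(frame) < off + 2:
            return None
        ethertype = struct.unpack_from("!H", frame, off)[0]
        if ethertype != ETH_P_8021Q:
            break
        off += 4  # skip TPID(2) + TCI(2) of one VLAN tag
    ip = off + 2
    if ethertype != ETH_P_IP or len(frame) < ip + 20:
        return None
    if frame[ip] >> 4 != 4:          # IP version nibble
        return None
    ihl = (frame[ip] & 0x0F) * 4     # header length incl. options
    if ihl < 20 or frame[ip + 9] != IPPROTO_TCP:
        return None
    flags = ip + ihl + TCP_FLAGS_OFF_IN_TCP
    return flags if len(frame) > flags else None


def is_initial_syn(frame: bytes) -> bool:
    """True only for the first packet of a handshake: SYN set, ACK clear.
    A SYN+ACK (second packet) and plain ACKs are rejected."""
    off = tcp_flags_offset(frame)
    return off is not None and (frame[off] & (TCP_SYN | TCP_ACK)) == TCP_SYN


def udb_match_for_initial_syn(frame: bytes):
    """The (offset, mask, value) triple a byte-offset ACL would need to match
    this frame's initial SYN: the offset is given both from the start of the
    frame (L2) and from the start of the TCP header (L4), together with whether
    the L2-relative offset fits inside the quoted 48-byte window."""
    off = tcp_flags_offset(frame)
    if off is None:
        return None
    return {
        "l2_offset": off,
        "l4_offset": TCP_FLAGS_OFF_IN_TCP,
        "mask": TCP_SYN | TCP_ACK,   # 0x12: look at SYN and ACK only
        "value": TCP_SYN,            # 0x02: SYN set, ACK clear
        "within_udb_depth": off < UDB_DEPTH,
    }


def build_frame(flags: int, vlan_tags: int = 0, ip_options: bytes = b"") -> bytes:
    """Constructed sample: Ethernet / optional 802.1Q tags / IPv4 / TCP, no payload.
    Checksums are left at zero; the matcher never looks at them."""
    assert len(ip_options) % 4 == 0
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    for i in range(vlan_tags):
        eth += struct.pack("!HH", ETH_P_8021Q, 100 + i)   # TPID, VLAN ID
    eth += struct.pack("!H", ETH_P_IP)
    ihl_words = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s",
                     (4 << 4) | ihl_words, 0, ihl_words * 4 + 20, 0, 0,
                     64, IPPROTO_TCP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp


if __name__ == "__main__":
    for name, frame in [("untagged SYN", build_frame(TCP_SYN)),
                        ("untagged SYN+ACK", build_frame(TCP_SYN | TCP_ACK)),
                        ("one VLAN tag, SYN", build_frame(TCP_SYN, vlan_tags=1)),
                        ("IP options, SYN", build_frame(TCP_SYN, ip_options=b"\x01" * 4))]:
        print(f"{name:20} initial_syn={is_initial_syn(frame)} "
              f"match={udb_match_for_initial_syn(frame)}")
```

The point the offsets make: for a plain untagged IPv4/TCP frame the flags byte sits at L2 offset 47, just inside a 48-byte window, but a single 802.1Q tag or 4 bytes of IP options pushes it to 51. So a byte-offset rule counted from the start of the frame only works reliably on untagged traffic without IP options; a rule that can be anchored at the start of the TCP header (offset 13, mask 0x12, value 0x02) does not have that problem.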