Hey,
I’ve been trying to get layer 7 connection marking to work correctly with a more specific regex than a lot of the examples I’ve seen people using.
Any idea what flavour of regex MikroTik uses?
If I try to use, what I see as a fairly normal and basic regex -
If I use, what I see as an overly broad expression, I get hits on the rule but I’m concerned it will catch too much given . is not escaped -
taylorag.local|taylorag.com.au|taylorag.farm
Even if I go more basic and simply escaping the . so it’s not an anything character, I get no matches -
taylorag\.local|taylorag\.com\.au|taylorag\.farm
As you may have guessed, it’s to perform conditional DNS forwarding, since this feature is strangely missing from ROS (I’m used to more enterprise equipment). Has anyone else had any luck with regex and layer 7 rules? Any thoughts?
You need to know that DNS packets do not contain the full domain name as a dot-separated path so matching with . is not going to work. The DNS packets contain separate “labels” which are \0 separated.
They are “accidentally” matched by a full.domain.name pattern where the . wildcard matches the \0
There are no dots nor null bytes as separators. Instead, in front of each part there’s a byte with value equal to length of next part:
\x08taylorag(\x05local|\x03com\x02au|\x04farm)
It has null byte after last part, but RouterOS won’t allow you to use null bytes in regexps. The result might be some false positives, e.g. taylorag.com.au.example.net will match too.
it should also take care of false positives. It looks like RouterOS simply eats all null bytes. So first “.” is for non-null query type and \x01 for class.
(.*).taylorag.local$ expands to any string ending with “.taylorag.local” so router needs to assemble full line till “$” to check if it is matching your expression.
I have brought my 1100AHx2 to its knees with “too wide” L7 expressions.
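
The length-prefixed label encoding described in the replies above, as an added example that is not part of the original thread: it builds DNS queries in wire format and runs the three patterns quoted in the thread against them. Assumptions: Python's `re` stands in for the RouterOS matcher (whose null-byte handling is not modelled), the function names are hypothetical, and the queried names are constructed test input.

```python
import re
import struct

def encode_qname(name: str) -> bytes:
    """DNS wire format: each label is preceded by its length byte; a zero byte ends the name."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"invalid label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: int = 1) -> bytes:
    """Minimal DNS query: 12-byte header, QNAME, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)

# The three patterns quoted in the thread, as byte regexes.
PATTERNS = {
    "unescaped": rb"taylorag.local|taylorag.com.au|taylorag.farm",
    "escaped": rb"taylorag\.local|taylorag\.com\.au|taylorag\.farm",
    "length_prefixed": rb"\x08taylorag(\x05local|\x03com\x02au|\x04farm)",
}

def matches(pattern_name: str, domain: str) -> bool:
    """True if the named pattern is found anywhere in the query payload for domain."""
    payload = build_query(domain)
    return re.search(PATTERNS[pattern_name], payload, re.DOTALL) is not None

if __name__ == "__main__":
    # Constructed sample names, chosen to show hits, misses and false positives.
    samples = [
        "taylorag.local",
        "www.taylorag.com.au",
        "nottaylorag.local",            # different label that ends in "taylorag"
        "taylorag.com.au.example.net",  # false positive noted in the thread
        "example.com",
    ]
    for domain in samples:
        row = ", ".join(f"{p}={matches(p, domain)}" for p in PATTERNS)
        print(f"{domain:30} {row}")
```

The `\x08` length byte also anchors the start of the label, so `nottaylorag.local` hits the unescaped pattern but not the length-prefixed one.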