Hi.
I used firewall rules with Layer7 expressions for a long time. The task was simple: add server addresses to the lists based on certain responses (HTTP error 451, for example).
/ip firewall layer7-protocol
add name=451 regexp="HTTP\\/1\\.1 451"
/ip firewall filter
add action=add-src-to-address-list address-list=rkn-blocked \
address-list-timeout=4w2d chain=forward comment="Error 451" \
connection-limit=100,0 fragment=no layer7-protocol=451 limit=1,5:packet \
log=yes log-prefix=error-451 protocol=tcp src-address-list=!rkn-blocked \
src-port=80
Everything worked great before, but today I noticed that these rules are not working. I can’t say when exactly it stopped working. I tried versions 7.1beta6, 6.48.3 and 6.47.10 without any success.
I tried to create a super simple rule:
/ip firewall layer7-protocol add name=test regexp=^HTTP
/ip firewall filter add action=passthrough chain=forward comment=test layer7-protocol=test log=yes log-prefix=l7test protocol=tcp
And it’s not working either:
/ip firewall filter print stats
Flags: X - disabled, I - invalid, D - dynamic
 #    CHAIN     ACTION        BYTES        PACKETS
 0 D  ;;; special dummy rule to show fasttrack counters
      forward   passthrough   53 436 584   71 980
 1    ;;; test
      forward   passthrough   0            0
The same rule without the layer7 option
/ip firewall filter add action=passthrough chain=forward comment=test log=yes log-prefix=l7test protocol=tcp
works fine:
/ip firewall filter print stats
Flags: X - disabled, I - invalid, D - dynamic
 #    CHAIN     ACTION        BYTES        PACKETS
 0 D  ;;; special dummy rule to show fasttrack counters
      forward   passthrough   57 216 164   79 034
 1    ;;; test
      forward   passthrough   860 072      2 003
The problem is not only with processing responses; a filter created for requests is not working either:
/ip firewall layer7-protocol add name=get regexp=^GET
I have no idea what’s wrong. Help.
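An added example, not code from the post or from MikroTik, that helps separate the two questions a practitioner would check here: does the pattern match the data a layer7 matcher would collect at all, and do the packets carrying that data reach the filter rule? It models a layer7-style matcher on a constructed HTTP exchange. Assumptions, taken from how the RouterOS layer7 matcher is documented and labelled as such in the code: payloads from both directions of a connection are appended in arrival order, only about the first 10 packets or first 2 KB are examined, and matching is case-insensitive. The `bypass_after` parameter is a hypothetical knob of this model only; it stands in for packets that skip the filter chain after a connection is fasttracked, which is the case the "special dummy rule to show fasttrack counters" row in the `print stats` output accounts for. The three patterns tested are the ones from the post.

```python
import re

# Constructed packets of one TCP connection, in arrival order: (direction, payload).
# "c2s" is client->server, "s2c" is server->client. Sample data, not captured traffic.
HTTP_451_EXCHANGE = [
    ("c2s", b"GET /blocked HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    ("s2c", b"HTTP/1.1 451 Unavailable For Legal Reasons\r\n"
            b"Content-Type: text/html\r\n\r\n"),
    ("s2c", b"<html><body>451</body></html>"),
]

# Assumption (from the RouterOS layer7 documentation as I recall it): the matcher
# looks at roughly the first 10 packets or the first 2 KB of a connection.
MAX_PACKETS = 10
MAX_BYTES = 2048

# The three patterns from the post, written as raw Python regexes
# ("HTTP\\/1\\.1 451" in RouterOS export syntax is the regex HTTP\/1\.1 451).
PATTERNS = {
    "451": r"HTTP\/1\.1 451",
    "test": r"^HTTP",
    "get": r"^GET",
}


def collect_l7_buffer(packets, bypass_after=None,
                      max_packets=MAX_PACKETS, max_bytes=MAX_BYTES):
    """Append payloads from both directions in arrival order, as an L7-style
    matcher does, stopping at the packet/byte limits.

    bypass_after (hypothetical, this model only): number of packets after which
    the remaining packets never reach the filter rule, e.g. because the
    connection has been fasttracked. None means every packet is seen."""
    buf = b""
    for i, (_direction, payload) in enumerate(packets):
        if i >= max_packets or len(buf) >= max_bytes:
            break
        if bypass_after is not None and i >= bypass_after:
            break
        buf += payload
    return buf[:max_bytes]


def l7_matches(regexp, packets, bypass_after=None):
    """True if the pattern matches the collected buffer. Case-insensitive,
    as the RouterOS layer7 matcher is documented to be; DOTALL so '.' can
    cross the CRLFs of an HTTP header block."""
    buf = collect_l7_buffer(packets, bypass_after)
    return re.search(regexp.encode(), buf, re.IGNORECASE | re.DOTALL) is not None


def check_all(packets, bypass_after=None):
    """Evaluate every pattern from the post against one connection."""
    return {name: l7_matches(rx, packets, bypass_after)
            for name, rx in PATTERNS.items()}


# A request whose headers alone exceed the 2 KB collection window, so the
# server's 451 status line is never part of the examined data (constructed).
OVERSIZED_REQUEST_EXCHANGE = [
    ("c2s", b"GET / HTTP/1.1\r\nX-Pad: " + b"a" * 2100 + b"\r\n\r\n"),
    ("s2c", b"HTTP/1.1 451 Unavailable For Legal Reasons\r\n\r\n"),
]

if __name__ == "__main__":
    print("all packets seen:      ", check_all(HTTP_451_EXCHANGE))
    print("only 1st packet seen:  ", check_all(HTTP_451_EXCHANGE, bypass_after=1))
    print("request over 2 KB:     ", check_all(OVERSIZED_REQUEST_EXCHANGE))
```

Two things the model makes visible. The unanchored `HTTP\/1\.1 451` pattern matches the full exchange, but `^HTTP` does not: with both directions appended, the collected data begins with the client's `GET`, so a `^` anchor only ever sees the request side. And when the packets after the first one never reach the rule (`bypass_after=1`), no response-side pattern can match regardless of how it is written, which is the distinction to keep in mind when a rule that used to fire shows zero counters next to a large fasttrack counter.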