In the next RouterOS we will include a small but important change in firewall mangle. Every connection will have the connection mark “no-mark” by default, and every packet will have the packet mark “no-mark” by default.
These changes will greatly help to reduce the complexity, and improve the efficiency, of mangle setups that require remarking of connections and traffic. Traffic remarking will be avoidable.
For example, with one rule it will be possible to ensure that this rule will mark only connections that were not marked before (connections with the “no-mark” mark).
It will also allow creating a queue for unmarked traffic, this way eliminating the requirement that all traffic needs to be marked in mangle to create proper QoS.
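As an added illustration of the two setups described in this post (example configuration written for this page, not taken from the thread or from MikroTik): the first mangle rule matches only connections that still carry the default connection mark, so a connection already marked by an earlier rule is left alone, and the queue tree uses packet-mark=no-mark to catch everything the mangle rules did not mark. The mark names, ports and rate limits are constructed for the example.

```routeros
# Added example, not from the thread. RouterOS v6 CLI; mark names, ports and
# limits are made up for illustration.
/ip firewall mangle
# Only touch connections that still carry the default connection mark, so a
# connection already marked by an earlier rule is never remarked here.
add chain=prerouting connection-mark=no-mark protocol=tcp dst-port=80,443 action=mark-connection new-connection-mark=web_conn passthrough=yes comment="web traffic, first match only"
# Mark packets belonging to the marked connections; passthrough=no stops processing here.
add chain=prerouting connection-mark=web_conn action=mark-packet new-packet-mark=web_pkt passthrough=no comment="web packets"
/queue tree
add name=web parent=global packet-mark=web_pkt max-limit=20M
# Traffic no mangle rule marked is still matchable, because it carries no-mark.
add name=other parent=global packet-mark=no-mark max-limit=5M
```

Before the change, the second queue would have needed a catch-all mangle rule marking every remaining packet; here it needs none. To check which connections no mangle rule has claimed, `/ip firewall connection print where connection-mark=no-mark` lists them, and `/queue tree print stats` shows whether the unmarked traffic is actually landing in the `other` queue.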
If you are using mangle and marking connections the way you do that, it will not bring you any difference, because initial marks are set without checking any mark, on the presumption that there are none; then, even if you set something, it will be overwritten.
To make things a bit more clear: now you are able to match connections and packets without marks in a native way. Earlier you had to mark them with some temp mark to do that trick.
It would be NICE to have an option to bypass this hidden process. I can imagine there are cases where you do not want this. What about performance? If I’m not even using packet marks at all, are they now incurring additional CPU usage on the hidden marking process? Additional RAM usage?
PLEASE just have a checkbox / boolean flag on the mangle setup that allows you to turn it on and off. If you don’t add it now, then you will just have confused a ton of people when you automatically start doing this, and in future versions I imagine it will be added and then more people will be confused. Make it an option, not a requirement.
I really HOPE that this is just a firewall MATCHER improvement, not a full redesign of the whole conntrack system. If that’s true, then there is no performance impact at all.
Previously, if a packet had no mark, the returned value was nil, a value you could not match against. Now, in the same case, if you want to match, you can do that, because the returned value is no-mark. So, if you look at it in that way, all packets are considered marked now: no value set is actually a value set.
Connection marks and packet marks take up memory, correct? I could be understanding this wrong, but I just want to make sure that our really heavily loaded routers, on which we do not use any mangling, aren’t going to take a performance hit for marking and storing the value in memory.
This new change does not affect CPU or memory usage at all?
Guess it is just masked info (nil = no-mark), as you may not be able to leave those fields blank to have a match. This is great. Whenever you had “blank” info, now ROS will show you that “nil = no-mark” without any variable attributions. Thanks!
Very useful, and it significantly reduces complexity. I just came across the need for a default routing-mark=no-mark as well, which is not implemented as of now (v6.28).