[SOLVED] Mangle packet counters

Hi,

I’m having issues with packet counters on the mangle rules.
Packet counters for mangle marking rules in the prerouting chain don’t get incremented when the forward chain overwrites those markings, i.e. when I start a 10Mbps HTTP download the global-out (forward) is seeing the whole traffic. But at the same time the ‘http_load’ leaf in global-in (prerouting) gets only… 500kbps of HTTP traffic. If I disable the forward mangling rule, the prerouting rules’ packet counters suddenly start incrementing properly, i.e. they see the complete traffic (10Mbps).

Prerouting comes before forward, so the prerouting marking would be overwritten by forward; I know that, but how come the packet/byte counters are affected?

Marking in both chains is used for Prioritization/PCQ QoS.

Connection tracking is enabled.

Thanks for all the suggestions.

ROS 5.24 @ RB2011UAS-2HND

/ip firewall mangle
add action=mark-connection chain=prerouting connection-bytes=500000-0 disabled=\
    no dst-port=80,443 new-connection-mark=http_load-conn passthrough=yes \
    protocol=tcp src-address=10.2.0.0/24
add action=mark-packet chain=prerouting connection-mark=http_load-conn \
    disabled=no new-packet-mark=http_load passthrough=no
add action=mark-connection chain=prerouting connection-bytes=0-500000 disabled=\
    no dst-port=80,443 new-connection-mark=http_req-conn passthrough=yes \
    protocol=tcp src-address=10.2.0.0/24
add action=mark-packet chain=prerouting connection-mark=http_req-conn disabled=\
    no new-packet-mark=http_req passthrough=no
add action=mark-connection chain=forward disabled=no new-connection-mark=\
    all_us-conn out-interface=ether10-gateway passthrough=yes
add action=mark-packet chain=forward connection-mark=all_us-conn disabled=no \
    new-packet-mark=all_us out-interface=ether10-gateway passthrough=no
add action=mark-connection chain=forward disabled=no in-interface=\
    ether10-gateway new-connection-mark=all_ds-conn passthrough=yes
add action=mark-packet chain=forward connection-mark=all_ds-conn disabled=no \
    in-interface=ether10-gateway new-packet-mark=all_ds passthrough=no

I suspect the issue was related to the fact that I’m using masquerade/NAT, so connection tracking didn’t like the combination of the rules.

I’m successfully using these rules now:

(...)
add action=mark-connection chain=prerouting connection-bytes=0-500000 \
    new-connection-mark=http_req-conn port=80,443 protocol=tcp
add action=mark-packet chain=prerouting connection-mark=http_req-conn \
    in-interface=ether10-gateway new-packet-mark=http_req-ds passthrough=no
add action=mark-packet chain=prerouting connection-mark=http_req-conn \
    new-packet-mark=http_req-us passthrough=no
add action=mark-connection chain=prerouting connection-bytes=500000-0 \
    new-connection-mark=http_load-conn port=80,443 protocol=tcp
add action=mark-packet chain=prerouting connection-mark=http_load-conn \
    in-interface=ether10-gateway new-packet-mark=http_load-ds passthrough=no
add action=mark-packet chain=prerouting connection-mark=http_load-conn \
    new-packet-mark=http_load-us passthrough=no
(...)