It seems like when Mangle based rules are proposed for further matching by NAT or Filter the responses are typically negative - avoid Mangle and implement the pattern matching directly in NAT and/or Filter. The comment is usually something like “now every packet has to be considered”.
I don’t understand this at all. The packet flow diagram shows every packet going through Mangle and then NAT and/or Filter as appropriate. Other than sequence, how are Mangle matching rules different from the other tables and why would Mangle rules result in higher processing?
I don’t think there’s typically negative response. I’m aware of only one, and that’s mine in this thread of yours, and it was more like small note, one among others, about your solution, which I think was unnecessarily complicated.
It’s true that every packet passes through prerouting, but it’s different if it needs to be checked against ten rules or hundered. So it you can reach the goal with less rules, it’s better. Well, it’s not completely true, some conditions are more difficult to evaluate than others, so more simple rules could be actually more efficient than fewer more demanding ones. But the basic idea stays, the less work the router needs to do, the better. You want to optimize stuff, don’t add unnecessary rules if there’s better way, etc.
Fasttrack is shortcut, it’s a way how connection can bypass a lot of other processing, including mangle. In most cases it’s one or the other. You can combine both, e.g. if you let some initial traffic use regular chains and then fasttrack connection later (with the help of connection-bytes condition), but usually you won’t have that.
In other words: you can have either without much consideration. Or you can have both but have to tinker a lot to make pig fly.
And then you have to be really sure that what you want can not be done without using mangle because not using fasttrack costs resources (which means money).
As @Sob already wrote: fasttrack is a shortcut which allows certain packets to pass router without much processing. However, mangled packets have to be fully processed. As I wrote, it is possible to mangle some packets and fasttrack the rest, but rules needed to do it are not trivial to construct (there are no cookbook recipes for those rules, they have to exactly match intended behaviour).
