how many marks on a packet

Posted: Sat Jan 03, 2015 8:19 pm
by sejtam
Can one use mangle to set more than one packet-mark, connection-mark, etc. on a packet/connection?

If so, what is the limit?

Is there a way to print/log packets with all the marks they have (for testing)?

Re: how many marks on a packet

Posted: Sat Jan 03, 2015 8:42 pm
by jacekes
As far as I remember, one mark of each type can be used.
So a packet can have a packet mark, be part of a marked connection and be routed according to a routing mark.

Re: how many marks on a packet

Posted: Sun Jan 04, 2015 4:37 am
by sejtam
OK, obvious next question: action=mark* is then a terminal action, right?

Re: how many marks on a packet

Posted: Sun Jan 04, 2015 5:26 am
by boen_robot
I thought that there can be multiple marks applied on the packet... But that it's just that the first mark matched is processed. Whether further marks are added/matched is determined by whether the firewall action has "passthrough", so that further rules can be applied.

(But I haven't experimented too much myself, nor can I find a definitive answer about that in the manual...)

Re: how many marks on a packet

Posted: Fri Jan 09, 2015 9:01 am
by sejtam
OK, it seems there can only ever be one connection-mark and one routing mark.

I tested like this:
/ip firewall mangle> print chain=prerouting
Flags: X - disabled, I - invalid, D - dynamic
 0    chain=prerouting action=mark-connection new-connection-mark=CM1 passthrough=yes src-address= log=no log-prefix=""
 1    chain=prerouting action=mark-connection new-connection-mark=CM2 passthrough=yes src-address= log=no log-prefix=""
 2    chain=prerouting action=mark-connection new-connection-mark=CM3 passthrough=yes src-address= log=no log-prefix=""
 3    chain=prerouting action=mark-connection new-connection-mark=CM4 passthrough=yes src-address= log=no log-prefix=""
 4    chain=prerouting action=mark-connection new-connection-mark=CM5 passthrough=yes src-address= log=no log-prefix=""
 5    chain=prerouting action=mark-connection new-connection-mark=CM6 passthrough=yes src-address= log=no log-prefix=""
 6    chain=prerouting action=mark-connection new-connection-mark=CM7 passthrough=yes src-address= log=no log-prefix=""
 7    chain=prerouting action=mark-packet new-packet-mark=Test1 passthrough=yes src-address= log=no log-prefix=""
 8    chain=prerouting action=mark-packet new-packet-mark=Test2 passthrough=yes src-address= log=no log-prefix=""
 9    chain=prerouting action=mark-packet new-packet-mark=Test3 passthrough=yes src-address= log=no log-prefix=""
10    chain=prerouting action=mark-packet new-packet-mark=Test4 passthrough=yes src-address= log=no log-prefix=""
11    chain=prerouting action=mark-packet new-packet-mark=Test5 passthrough=yes src-address= log=no log-prefix=""
12    chain=prerouting action=mark-packet new-packet-mark=Test6 passthrough=yes src-address= log=no log-prefix=""
13    chain=prerouting action=mark-packet new-packet-mark=Test7 passthrough=yes src-address= log=no log-prefix=""
/ip firewall filter> print chain=dump-marks
Flags: X - disabled, I - invalid, D - dynamic
 0    chain=dump-marks action=log packet-mark=Test1 log=no log-prefix="P-M: Test1"
 1    chain=dump-marks action=log packet-mark=Test2 log=no log-prefix="P-M: Test2"
 2    chain=dump-marks action=log packet-mark=Test3 log=no log-prefix="P-M: Test3"
 3    chain=dump-marks action=log packet-mark=Test4 log=no log-prefix="P-M: Test4"
 4    chain=dump-marks action=log packet-mark=Test5 log=no log-prefix="P-M: Test5"
 5    chain=dump-marks action=log packet-mark=Test6 log=no log-prefix="P-M: Test6"
 6    chain=dump-marks action=log packet-mark=Test7 log=no log-prefix="P-M: Test7"
 7    chain=dump-marks action=log packet-mark=Test8 log=no log-prefix="P-M: Test8"
 8    chain=dump-marks action=log packet-mark=Test9 log=no log-prefix="P-M: Test9"
 9    chain=dump-marks action=log packet-mark=Test10 log=no log-prefix="P-M: Test10"
10    chain=dump-marks action=log packet-mark=Test11 log=no log-prefix="P-M: Test11"
11    chain=dump-marks action=log packet-mark=Test12 log=no log-prefix="P-M: Test12"
12    chain=dump-marks action=log packet-mark=Test13 log=no log-prefix="P-M: Test13"
13    chain=dump-marks action=log packet-mark=Test14 log=no log-prefix="P-M: Test14"
14    chain=dump-marks action=log packet-mark=Test15 log=no log-prefix="P-M: Test15"
15    chain=dump-marks action=log packet-mark=Test16 log=no log-prefix="P-M: Test16"
16    chain=dump-marks action=log packet-mark=Test17 log=no log-prefix="P-M: Test17"
17    chain=dump-marks action=log packet-mark=Test18 log=no log-prefix="P-M: Test18"
18    chain=dump-marks action=log connection-mark=CM1 log=no log-prefix="C-M: CM1"
19    chain=dump-marks action=log connection-mark=CM2 log=no log-prefix="C-M: CM2"
20    chain=dump-marks action=log connection-mark=CM3 log=no log-prefix="C-M: CM3"
21    chain=dump-marks action=log connection-mark=CM4 log=no log-prefix="C-M: CM4"
22    chain=dump-marks action=log connection-mark=CM5 log=no log-prefix="C-M: CM5"
23    chain=dump-marks action=log connection-mark=CM6 log=no log-prefix="C-M: CM6"
and early in the input chain I have:
 3    chain=input action=jump jump-target=dump-marks log=no log-prefix=""

This results in
14:53:04 firewall,info P-M: Test7 dump-marks: in:bridge-local out:(none), src-mac 10:9a:dd:60:aa:fa, proto ICMP (type 8, code 0),>, len 84
14:53:04 firewall,info C-M: CM7 dump-marks: in:bridge-local out:(none), src-mac 10:9a:dd:60:aa:fa, proto ICMP (type 8, code 0),>, len 84
As one can see, only the last assigned mark survived.

I find this somewhat of a disadvantage. It would have been useful had there been a way to have multiple marks, so that one can classify traffic by several criteria at the same time, so that several chains can do their own thing with it, without having to manage a separate mark for each combination of factors.
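
The behaviour observed in the test above, as an added example that is not part of the original post and not MikroTik code: a small Python model of one mangle chain with a single slot per mark type. The function names, the reduced rule lines and the first-match guard using the RouterOS `no-mark` matcher value are assumptions made for illustration.

```python
# Simplified model of one RouterOS mangle chain (added example, not MikroTik code).
# Assumptions: one slot per mark type; a matching mark-* rule with passthrough=no
# ends processing of the chain; "no-mark" matches an unset mark.
SLOT = {"mark-connection": "connection-mark",
        "mark-packet": "packet-mark",
        "mark-routing": "routing-mark"}

def parse_rule(line):
    """Parse one 'key=value ...' line as shown by '/ip firewall mangle print'."""
    rule = {}
    for tok in line.split():
        if "=" in tok:                      # skips the leading rule number
            key, value = tok.split("=", 1)
            rule[key] = value.strip('"')
    return rule

def run_chain(rules, marks=None):
    """Return (final marks, marks that were overwritten) for one packet."""
    marks, lost = dict(marks or {}), []
    for r in rules:
        slot = SLOT.get(r.get("action"))
        if slot is None:
            continue                        # not a marking rule
        # Mark matchers such as connection-mark=no-mark must all agree.
        if any(m in r and marks.get(m, "no-mark") != r[m] for m in SLOT.values()):
            continue
        if slot in marks:
            lost.append(marks[slot])        # the single slot is overwritten
        marks[slot] = r["new-" + slot]
        if r.get("passthrough", "yes") == "no":
            break                           # no later rule in this chain runs
    return marks, lost

def guard_first_match(rules):
    """Add '<slot>=no-mark' to each rule so the first match keeps its mark."""
    return [{**r, SLOT[r["action"]]: "no-mark"} for r in rules]

# Constructed input: the 14 rules from the post, matchers other than marks omitted.
THREAD_RULES = (
    [parse_rule(f"{i} chain=prerouting action=mark-connection "
                f"new-connection-mark=CM{i + 1} passthrough=yes") for i in range(7)]
    + [parse_rule(f"{i + 7} chain=prerouting action=mark-packet "
                  f"new-packet-mark=Test{i + 1} passthrough=yes") for i in range(7)])

if __name__ == "__main__":
    print(run_chain(THREAD_RULES))                     # last mark of each type wins
    print(run_chain(guard_first_match(THREAD_RULES)))  # first mark of each type wins
    stop = [{**THREAD_RULES[0], "passthrough": "no"}] + THREAD_RULES[1:]
    print(run_chain(stop))                             # chain ends at rule 0
```

The list of overwritten marks returned by `run_chain` doubles as a quick check for rules in a chain whose mark never survives to later chains or queues.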

Re: how many marks on a packet

Posted: Fri Jan 09, 2015 2:01 pm
by Caci99
Well, a packet can have only one mark, but if you are trying to achieve some QOS you should definitely know the flow diagram. You can mark a packet in the prerouting chain and apply that mark in the global-in queue, and then re-mark the packet in the forward chain to apply it in the global-out queue.
Check the Janis Megis explanation on double QOS ... is_qos.pdf