mtkvvv
Bug? routeros logs one packet multiple times in same chain

Sun Jun 23, 2019 8:15 am

Hello,

I have a set of rules for port scanners (one way of doing it):

* input drop anything present in addresslist aa99
* input targeting any of my unused ports, jump to aachain
* aachain if srcip present in aa03 list, add to aa99
* aachain if srcip present in aa02 list, add to aa03
* aachain if srcip present in aa01 list, add to aa02
* aachain add any srcip to aa01 list
* return from aachain

And now I sometimes get unusual log output, as if a packet matched the jump rule and then, in aachain, matched 2 or more rules all at once. As far as I can tell, that shouldn't happen: the first matching rule stops processing unless its action is passthrough or log or something like that?

* log rows showing normal behavior, 5 consecutive packets arrive:
jumprule-match remoteip:someport->mywanip:someport
aachain-aa01-match remoteip:someport->mywanip:someport
...
jumprule-match remoteip:someport->mywanip:someport
aachain-aa01to02-match remoteip:someport->mywanip:someport
...
jumprule-match remoteip:someport->mywanip:someport
aachain-aa02to03-match remoteip:someport->mywanip:someport
...
jumprule-match remoteip:someport->mywanip:someport
aachain-aa03to99-match remoteip:someport->mywanip:someport
...
blockrulerule-aa99-match remoteip:someport->mywanip:someport


* actual logrows, one version:
jumprule-match remoteip:someport->mywanip:someport
aachain-aa03to99-match remoteip:someport->mywanip:someport
aachain-aa02to03-match remoteip:someport->mywanip:someport
aachain-aa01-match remoteip:someport->mywanip:someport

* actual logrows, second version:
jumprule-match remoteip:someport->mywanip:someport
aachain-aa02to03-match remoteip:someport->mywanip:someport
aachain-aa01-match remoteip:someport->mywanip:someport

* actual logrows, third version:
jumprule-match remoteip:someport->mywanip:someport
aachain-aa01to02-match remoteip:someport->mywanip:someport
aachain-aa01-match remoteip:someport->mywanip:someport

* actual logrows, fourth version:
jumprule-match remoteip:someport->mywanip:someport
aachain-aa03to99-match remoteip:someport->mywanip:someport
aachain-aa02to03-match remoteip:someport->mywanip:someport
aachain-aa01to02-match remoteip:someport->mywanip:someport
aachain-aa01-match remoteip:someport->mywanip:someport
blockrulerule-aa99-match remoteip:someport->mywanip:someport

* these are just hand-picked sets; there are possibly more variants...


Anyhow, with that last case, I printed this IP from the address list, and the output doesn't agree with the log rows:

$ ssh admin@myrouter '/ip firewall address-list print where address="remoteip"'
Flags: X - disabled, D - dynamic
 #    LIST   ADDRESS    CREATION-TIME
 0 D  aa01   remoteip   jun/23/2019 07:26:00
 1 D  aa02   remoteip   jun/23/2019 07:26:00
 2 D  aa03   remoteip   jun/23/2019 07:26:02
 3 D  aa99   remoteip   jun/23/2019 07:26:06

It seems at least some records have different times, so they couldn't all have matched at the same moment as the log rows seem to suggest.


Does that remind you of some known bug?
Router is an RB750GL, OS is 6.45beta62.

m
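For reference, the rule set described in the post written out as RouterOS filter rules. This is an added example, not configuration from the original post or from MikroTik; the chain name, list names, the "unused" port range, the timeouts and the log prefixes are assumptions chosen to mirror the post. The point it illustrates is that add-src-to-address-list, like log and passthrough and unlike accept/drop, does not terminate rule processing: the packet continues to the next rule in the chain, so a single packet whose source is already on aa03 (and still on aa02 and aa01) matches the aa03 rule and every rule below it, and each matched rule with log=yes writes its own line. That fall-through is also why the stage rules have to be ordered from the highest list down, exactly as the post lists them.

```routeros
# Added example (not from the post). Assumed: chain "aachain", lists aa01/aa02/aa03/aa99,
# TCP ports 1000-1100 as the "unused" ports, illustrative timeouts and log prefixes.
/ip firewall filter

# 1. Sources already on the final list are dropped in input before the jump.
add chain=input src-address-list=aa99 action=drop \
    log=yes log-prefix="blockrule-aa99"

# 2. New connections to ports we do not serve go to the staging chain.
add chain=input protocol=tcp dst-port=1000-1100 connection-state=new \
    action=jump jump-target=aachain log=yes log-prefix="jumprule"

# 3. Stage rules, highest list FIRST. add-src-to-address-list does not stop
#    processing, so a packet from a source on aa03 matches this rule and then
#    every rule below it too; expect one log line per matched rule.
#    Re-adding an address that is already on a list does not create a second
#    entry, which is why the later matches are invisible in the list itself.
add chain=aachain src-address-list=aa03 action=add-src-to-address-list \
    address-list=aa99 address-list-timeout=1d log=yes log-prefix="aachain-aa03to99"
add chain=aachain src-address-list=aa02 action=add-src-to-address-list \
    address-list=aa03 address-list-timeout=1m log=yes log-prefix="aachain-aa02to03"
add chain=aachain src-address-list=aa01 action=add-src-to-address-list \
    address-list=aa02 address-list-timeout=1m log=yes log-prefix="aachain-aa01to02"
add chain=aachain action=add-src-to-address-list \
    address-list=aa01 address-list-timeout=1m log=yes log-prefix="aachain-aa01"

# 4. Hand the packet back to the input chain (later rules there decide its fate).
add chain=aachain action=return

# DO NOT order the stage rules the other way round (aa01 rule first): because of
# the fall-through, one probe would then be added to aa01, immediately match
# aa01to02, aa02to03 and aa03to99 in the same pass, and land on aa99 after a
# single packet instead of after four.
```

Read against the post's output, this is the expected pattern rather than a bug: the "fourth version" log block is one packet walking down all four stage rules, and the CREATION-TIME column in the address-list print shows when each entry was first created, not when it was last matched, which is why the list times and the log lines disagree. If you want exactly one add per packet, the stage rules need an extra condition that the later rules cannot satisfy once the earlier one has fired (for example matching src-address-list=!aa02 on the aa01-to-aa02 rule); this assumes the list update is visible to later rules in the same pass, which is not verified here.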
