tarzq28
just joined
Topic Author
Posts: 4
Joined: Wed May 17, 2017 2:34 pm
Location: Indonesia

[ASK] Firewall JUMP rule

Sun Dec 01, 2019 7:11 pm

Hi, could anyone here give the best description of how the firewall JUMP action works, and also some explanatory script? Thanks in advance.


 
Sob
Forum Guru
Posts: 4887
Joined: Mon Apr 20, 2009 9:11 pm

Re: [ASK] Firewall JUMP rule

Sun Dec 01, 2019 7:59 pm

It jumps to a different chain and continues with the rules there. It either finds one that does something, or reaches the end, jumps back to the original chain and continues there. It can save a lot of processing.

For example, let's say you have a hundred external addresses and a hundred forwarded ports from each:
/ip firewall nat
add chain=dstnat dst-address=x.x.x.1 protocol=tcp dst-port=10001 action=dst-nat to-addresses=a.a.a.1
<other rules with dst-address=x.x.x.1>
add chain=dstnat dst-address=x.x.x.1 protocol=tcp dst-port=10100 action=dst-nat to-addresses=a.a.a.100

add chain=dstnat dst-address=x.x.x.2 protocol=tcp dst-port=10001 action=dst-nat to-addresses=b.b.b.1
<other rules with dst-address=x.x.x.2>
add chain=dstnat dst-address=x.x.x.2 protocol=tcp dst-port=10100 action=dst-nat to-addresses=b.b.b.100

<rules with many other dst-addresses>

add chain=dstnat dst-address=x.x.x.100 protocol=tcp dst-port=10001 action=dst-nat to-addresses=c.c.c.1
<other rules with dst-address=x.x.x.100>
add chain=dstnat dst-address=x.x.x.100 protocol=tcp dst-port=10100 action=dst-nat to-addresses=c.c.c.100

So it's ten thousand rules. The worst case scenario is that an incoming connection matches none of them. It means that the router will have to check the packet against all ten thousand rules. Or you could use jumps like this:

/ip firewall nat
add chain=dstnat dst-address=x.x.x.1 action=jump jump-target=fwd1
add chain=dstnat dst-address=x.x.x.2 action=jump jump-target=fwd2
<other rules for dst-address=x.x.x.3-99>
add chain=dstnat dst-address=x.x.x.100 action=jump jump-target=fwd100

add chain=fwd1 protocol=tcp dst-port=10001 action=dst-nat to-addresses=a.a.a.1
<other rules for dst-port=10002-10099>
add chain=fwd1 protocol=tcp dst-port=10100 action=dst-nat to-addresses=a.a.a.100
add chain=fwd1 action=accept

add chain=fwd2 protocol=tcp dst-port=10001 action=dst-nat to-addresses=b.b.b.1
<other rules for dst-port=10002-10099>
add chain=fwd2 protocol=tcp dst-port=10100 action=dst-nat to-addresses=b.b.b.100
add chain=fwd2 action=accept

<many other rules for chain=fwd3-99>

add chain=fwd100 protocol=tcp dst-port=10001 action=dst-nat to-addresses=c.c.c.1
<other rules for dst-port=10002-10099>
add chain=fwd100 protocol=tcp dst-port=10100 action=dst-nat to-addresses=c.c.c.100
add chain=fwd100 action=accept

You won't save any rules, in fact you'll have two hundred more (jumps and ending accepts). But processing will be much more efficient. Not only will the worst case mean checking only two hundred rules, but rules in fwdX chains don't need to check dst-address all over again.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
sindy
Forum Guru
Posts: 4191
Joined: Mon Dec 04, 2017 9:19 pm

Re: [ASK] Firewall JUMP rule

Sun Dec 01, 2019 9:20 pm

Just one additional point - although the action name is jump, the actual functionality is more of a call, because if no rule in the jump-target chain matches (or if a rule with action=return in that chain does match), the processing of the packet continues in the calling chain, starting with the first rule following the jump one. So I routinely use things like

chain=forward action=accept connection-state=established,related
...
chain=forward action=jump jump-target=forward-to-ether2 out-interface=ether2
chain=forward action=jump jump-target=forward-to-ether3 out-interface=ether3
chain=forward action=drop

chain=forward-to-ether2 src-address-list=permitted-clients-of-ether2

chain=forward-to-ether3 src-address-list=permitted-clients-of-ether3


I.e. there is just a single "drop the rest" rule at the end of the forward chain, and the individual chains for each out-interface just contain the exception rules from this final drop one.

Or, when connection-marking packets in LAN->WAN direction in /ip firewall mangle, you need to assign a routing-mark also to packets which have just been connection-marked, but at the same time you want to keep the number of rules handling each packet as low as possible. So I do

chain=prerouting action=jump jump-target=pr-conn-mark connection-mark=no-mark
chain=prerouting action=mark-routing new-routing-mark=RM1 connection-mark=CM1 passthrough=no
chain=prerouting action=mark-routing new-routing-mark=RM2 connection-mark=CM2 passthrough=no

chain=pr-conn-mark action=mark-connection new-connection-mark=CM1 <... match conditions for assigning CM 1...>
chain=pr-conn-mark action=mark-connection new-connection-mark=CM2 connection-mark=no-mark <... match conditions for assigning CM 2...>
chain=pr-conn-mark action=mark-connection new-connection-mark=use-main connection-mark=no-mark


Here again, the chain pr-conn-mark is "called" when necessary, to assign a connection-mark to first packets of connections, and the processing then continues by eventually assigning a routing-mark based on the connection-mark.

The match condition in the first rule could as well be connection-state=new rather than connection-mark=no-mark, which would make the connection-mark value use-main redundant, but I deem the way with connection-mark=no-mark more comprehensible for the reader.

Another remark, just in case: the passthrough=no is there only to prevent matching the packet against the subsequent rules in chain=prerouting once the routing-mark has been assigned, as it would be a useless waste of CPU. It is not there to prevent the packets from getting to chain pr-conn-mark which follows chain prerouting in the configuration - the packets don't jump from one chain to another without being explicitly told to do so using action=jump.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
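
Added example, not code from either poster and not RouterOS code: a small Python model of chain traversal that counts how many rules a packet is checked against in the flat and jump-based dstnat layouts from the first reply, and shows the call-like return described in the second reply. The function names, the hostA.P targets, the single-valued connection-state and the "src-list" packet field (standing in for src-address-list membership) are assumptions made for the model.

```python
# Toy model of RouterOS chain traversal (added illustration, not RouterOS code).
# A rule is (match, action, target); a packet is a dict of the same properties.
def walk(chains, chain, pkt, stats):
    """Return (action, target) of the terminating rule, or None when the
    chain ends or hits action=return, i.e. control goes back to the caller."""
    for match, action, target in chains[chain]:
        stats["checked"] += 1
        if any(pkt.get(k) != v for k, v in match.items()):
            continue
        if action == "return":
            return None
        if action != "jump":
            return action, target            # accept, drop, dst-nat, ...
        verdict = walk(chains, target, pkt, stats)
        if verdict is not None:
            return verdict                   # a rule in the target chain decided
        # nothing matched in the target chain: resume after the jump rule
    return None

def evaluate(chains, chain, pkt):
    stats = {"checked": 0}
    return walk(chains, chain, pkt, stats), stats["checked"]

def dstnat_flat(n=100):
    return {"dstnat": [({"dst-address": f"x.x.x.{a}", "protocol": "tcp",
                         "dst-port": 10000 + p}, "dst-nat", f"host{a}.{p}")
                       for a in range(1, n + 1) for p in range(1, n + 1)]}

def dstnat_jump(n=100):
    chains = {"dstnat": []}
    for a in range(1, n + 1):
        chains["dstnat"].append(({"dst-address": f"x.x.x.{a}"}, "jump", f"fwd{a}"))
        chains[f"fwd{a}"] = [({"protocol": "tcp", "dst-port": 10000 + p}, "dst-nat",
                              f"host{a}.{p}") for p in range(1, n + 1)] + [({}, "accept", None)]
    return chains

def rule_count(chains):
    return sum(len(rules) for rules in chains.values())

# Forward layout from the second reply: one final drop, exceptions in sub-chains.
FORWARD = {
    "forward": [
        ({"connection-state": "established"}, "accept", None),
        ({"out-interface": "ether2"}, "jump", "forward-to-ether2"),
        ({"out-interface": "ether3"}, "jump", "forward-to-ether3"),
        ({}, "drop", None),
    ],
    "forward-to-ether2": [({"src-list": "permitted-clients-of-ether2"}, "accept", None)],
    "forward-to-ether3": [({"src-list": "permitted-clients-of-ether3"}, "accept", None)],
}
```

In this model a packet for an address that is not forwarded costs 10000 checks in the flat layout and 100 with jumps, and the jump layout's worst case (last address, no port match) is 201 checks because the closing accept rule is counted too.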
