In next RouterOS we will include small, but important change in firewall mangle. Every connection will have connection mark "no-mark" by default, and every packet will have packet mark "no-mark" by default.

This changes will greatly help to reduce complexity and efficiency of the mangle setups that require remarking of the connections and traffic. Traffic remarking will be avoidable.

For example with one rule it will be possible to ensure that this rule will mark only connections that was not marked before (connections with "no-mark" mark).

It will also allow to create queue for unmarked traffic, this way eliminating requirement that all traffic need to be marked in mangle to create proper QoS.

is this like adding hidden rules
? =)

can it help to reduce complexity in current version?

To Chupaka: it looks like only in your case you will need to reboot the router/conntrack to force all connections become new

One way or another it will help to get rid of at least 2 rules (more in more complex setups)

To Chupaka: it looks like only in your case you will need to reboot the router/conntrack to force all connections become new

are you sure you don't need to reboot a router to upgrade it to the next version?

In next RouterOS we will include small, but important change in firewall mangle. Every connection will have connection mark "no-mark" by default, and every packet will have packet mark "no-mark" by default.

This changes will greatly help to reduce complexity and efficiency of the mangle setups that require remarking of the connections and traffic. Traffic remarking will be avoidable.

For example with one rule it will be possible to ensure that this rule will mark only connections that was not marked before (connections with "no-mark" mark).

It will also allow to create queue for unmarked traffic, this way eliminating requirement that all traffic need to be marked in mangle to create proper QoS.

Should we care before upgrade to next version ? will our configuration affected or it does everything automatically ?

As far as I can see it it does nothing to your configuration, you can ether use it or not.

if you are using mangle and marking connections the way you do that - it will not bring you any difference. because initial marks are without checking any mark, because of presumption that there are none, then, even if you set something, it will be overwritten.

the things to be a bit more clear: now you are able to match connections and packets without marks in a native way. earlier you had to mark it with some temp mark to do that trick

it would be NICE to have an option to bypass this hidden process. I can imagine there are cases where you do not want this. What about performance, if I'm not even using packet marks at all are they now incurring additional CPU usage on the hidden marking process? Additional RAM usage?

PLEASE just have a checkbox / boolean flag on the mangle setup that allows you to turn it on and off. If you dont add it now, then you will just have confused a ton of people when you automatically start doing this, and in future versions I imagine it will be added and now more people will be confused. Make it an option, not a requirement.

I really HOPE that this is just firewall MATCHER improvement, not full redesign of whole conntrack system. if that's true - then no performance impact at all

previously if packet had no mark, returned value was nil, value you could not match against, now, in same case if you want to macth, you can do that, because returned value is no-mark. So, if you look at it in that way - all packets are considered marked now, no value set is a actually value set.

as I said, and as it should be

good work =)

connection-marks and packet-marks take up memory correct? I could be understand this wrong, but I just want to make sure that our really heavy loaded routers that we do not use any mangling aren't going to take a performance hit for marking and storing the value in memory.

This new change does not affect CPU or memory usage at all?

yes, no affect at all. just a bit changed logic

it's not really a mark. it's just a name for unmarked connections to make matching them easier.

Guess it is just a masked info. (nil = no-mark) As you may not be able to leave those fields in blank to have a match. This is great. Whenever you had a "blank" info, now ROS will show you that "nil = no-mark" without any variable attributions. Thanks!

Very useful and it significantly reduces complexity . I just came across the need for a default routing-mark=no-mark as well which is not implemented as of now (v6.28)

Wouldn't routing-mark=main be useable in your setup?

Wouldn't routing-mark=main be useable in your setup?

Yes you are right! This is equivalent to "no-mark" of connection & packet marks!
I can't hide that this is my first complex setup!
Thank you!

Very useful and it significantly reduces complexity . I just came across the need for a default routing-mark=no-mark as well which is not implemented as of now (v6.28)

This post is from 2009.

This is already working as described in 6.28.

@MirkoTik - Please lock this topic.