I label connections for the purposes of policy-based routing. I process all new connections, but only if they are unicast, in order not to waste CPU resources. The mangle table starts with these rules:
/ip firewall mangle
add action=jump chain=prerouting comment="Handle new connections" connection-state=new jump-target=\
    NewInPrerouting
add action=return chain=NewInPrerouting comment="Don't handle non-unicast connections" dst-address-type=\
    !unicast in-interface=ether1_ISP
However, when I try to ping my router from the Internet, the second rule catches ICMP connections, returning processing to the uplevel table and effectively preventing execution of the following rules. If I change dst-address-type from unicast to local, then the rule passes such connections, as intended. Can anyone explain whether this is correct behavior or a bug (in the case of the unicast address type)?
RB3011UiAS, RouterOS v.7.4.