genesispro
Member Candidate
Topic Author
Posts: 283
Joined: Fri Mar 14, 2014 12:33 pm

ROS 7 - Routing Rules - Address list - and NOT option would be nice!

Fri Mar 10, 2023 11:16 am

In ROS7 routing Rules...
it would be handy in source and destination to be able to add an address list.
Also to be able to add the NOT option.
Don't you think?
Would it be possible?
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: ROS 7 - Routing Rules - Address list - and NOT option would be nice!

Fri Mar 10, 2023 11:59 am

No, that would not be possible. At least not without modification of the Linux kernel (it does not support address lists in routing rules, and no NOT option either).
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: ROS 7 - Routing Rules - Address list - and NOT option would be nice!

Fri Mar 10, 2023 2:01 pm

Yes would love an address list function in routing rules
or a better keep alive schema for WG when the server IP disappears but
only after...............
an options package for zero trust cloudflare tunnel !!!
 
Larsa
Forum Guru
Posts: 1041
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: ROS 7 - Routing Rules - Address list - and NOT option would be nice!

Fri Mar 10, 2023 4:36 pm

Pe1chl: No, that would not be possible. At least not without modification of the Linux kernel (it does not support address lists in routing rules, and no NOT option either).

Well, it might be a question of interpretation but IMO it's not a limitation in the kernel itself but rather in the RoS rule engine. There are close to no limitations at all when using Netfilter/[e]BPF with iptables/nftables, it's just a matter of how the rule engine interprets and applies things to the network stack.


Anav: an options package for zero trust cloudflare tunnel !!!

Yes, but of course! LOL :-D
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: ROS 7 - Routing Rules - Address list - and NOT option would be nice!

Fri Mar 10, 2023 5:49 pm

Pe1chl: No, that would not be possible. At least not without modification of the Linux kernel (it does not support address lists in routing rules, and no NOT option either).

Larsa: Well, it might be a question of interpretation but IMO it's not a limitation in the kernel itself but rather in the RoS rule engine. There are close to no limitations at all when using Netfilter/[e]BPF with iptables/nftables, it's just a matter of how the rule engine interprets and applies things to the network stack.

"routing rules" are not processed using iptables/nftables but they are a separate feature accessible in Linux via "ip rule". It does not support address lists or the NOT operator.
Of course you could work around that using route marking mangle rules, but that is already possible in RouterOS. It has limitations, e.g. w.r.t. using "fasttrack".
 
Amm0
Forum Guru
Posts: 3250
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: ROS 7 - Routing Rules - Address list - and NOT option would be nice!

Fri Mar 10, 2023 5:51 pm

But the idea with /routing/rules is that they are a direct map in the kernel, and operate without needing conntrack (outside of resulting NAT).

Not saying there shouldn't be a UI to make this easier, but not sure the routing rules is the best place. It's actually handy that these are a pretty direct map to the Linux kernel, which is going to be more important as more chipsets support L3 offloading.

I posted this in another thread, but if you group the IPs together within the same prefix range, say a /27 or /28 or whatever... you can use that prefix in the routing rules to select that group for different routing treatment.
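
The prefix-grouping approach from the post above, as an added example that is not part of the original thread: it collapses an address list into the fewest CIDR prefixes and, going one step beyond the post, expands a "NOT this prefix" match into the complementary prefixes inside a parent range. The addresses, the parent range and the table name `wan2` are constructed assumptions.

```python
import ipaddress

def list_to_prefixes(addresses):
    """Collapse hosts/prefixes into the fewest CIDR prefixes covering exactly them."""
    nets = [ipaddress.ip_network(a, strict=False) for a in addresses]
    return list(ipaddress.collapse_addresses(nets))

def not_prefixes(scope, excluded):
    """Prefixes covering everything inside `scope` except the `excluded` entries."""
    remaining = [ipaddress.ip_network(scope)]
    for ex in list_to_prefixes(excluded):
        kept = []
        for net in remaining:
            if ex.subnet_of(net):
                # Split net around ex; yields nothing when ex == net.
                kept.extend(net.address_exclude(ex))
            elif not net.subnet_of(ex):
                kept.append(net)  # disjoint from ex, keep unchanged
            # otherwise net lies wholly inside ex and is dropped
        remaining = kept
    return sorted(remaining)

def routing_rules(prefixes, table):
    """Render one RouterOS v7 routing rule per prefix (table name is hypothetical)."""
    return [f"/routing rule add src-address={p} action=lookup table={table}"
            for p in prefixes]

if __name__ == "__main__":
    # Constructed address list: 16 contiguous hosts plus one stray host.
    hosts = [f"192.168.88.{i}" for i in range(32, 48)] + ["192.168.88.100"]
    print("address list as prefixes:")
    for line in routing_rules(list_to_prefixes(hosts), "wan2"):
        print(" ", line)
    # "Everything in the LAN except 192.168.88.32/27" as positive matches.
    print("NOT 192.168.88.32/27 within 192.168.88.0/24:")
    for line in routing_rules(
            not_prefixes("192.168.88.0/24", ["192.168.88.32/27"]), "wan2"):
        print(" ", line)
```

The contiguous hosts collapse into a single /28 rule while the stray host costs a rule of its own, which is why grouping addresses on prefix boundaries keeps the rule count small.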
 
Larsa
Forum Guru
Posts: 1041
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: ROS 7 - Routing Rules - Address list - and NOT option would be nice!

Fri Mar 10, 2023 6:25 pm

"routing rules" are not processed using iptables/nftables but they are a separate feature accessible in Linux via "ip rule". It does not support address lists or the NOT operator.

You are correct and it was sloppily expressed on my part. The point I was trying to make is that there are actually no direct limitations in the kernel even though the routing management itself is not available using the XYtables interfaces.
