Mangle
Document revision: | 3 (Fri Nov 04 19:22:14 GMT 2005) |
Applies to: | V2.9 |
General Information
Summary
The mangle facility allows to mark IP packets with special marks. These marks are used by various other router facilities to identify the packets. Additionaly, the mangle facility is used to modify some fields in the IP header, like TOS (DSCP) and TTL fields.
Specifications
Packages required: systemLicense required: Level1
Submenu level: /ip firewall mangle
Standards and Technologies: IP
Hardware usage: Increases with count of mangle rules
Related Documents
Mangle
Submenu level: /ip firewall mangleDescription
Mangle is a kind of 'marker' that marks packets for future processing with special marks. Many other facilities in RouterOS make use of these marks, e.g. queue trees and NAT. They identify a packet based on its mark and process it accordingly. The mangle marks exist only within the router, they are not transmitted across the network.
Property Description
action (accept | add-dst-to-address-list | add-src-to-address-list | change-mss | change-tos | change-ttl | jump | log | mark-connection | mark-packet | mark-routing | passthrough | return | strip-ipv4-options; default: accept) - action to undertake if the packet matches the ruleadd-dst-to-address-list - add destination address of an IP packet to the address list specified by address-list parameter
add-src-to-address-list - add source address of an IP packet to the address list specified by address-list parameter
change-mss - change Maximum Segment Size field value of the packet to a value specified by the new-mss parameter
change-tos - change Type of Service field value of the packet to a value specified by the new-tos parameter
change-ttl - change Time to Live field value of the packet to a value specified by the new-ttl parameter
jump - jump to the chain specified by the value of the jump-target parameter
log - each match with this action will add a message to the system log
mark-connection - place a mark specified by the new-connection-mark parameter on the entire connection that matches the rule
mark-packet - place a mark specified by the new-packet-mark parameter on a packet that matches the rule
mark-routing - place a mark specified by the new-routing-mark parameter on a packet. This kind of marks is used for policy routing purposes only
passthrough - ignore this rule go on to the next one
return - pass control back to the chain from where the jump took place
strip-ipv4-options - strip IPv4 option fields from the IP packet
local - match addresses assigned to router's interfaces
broadcast - the IP packet is sent from one point to all other points in the IP subnetwork
multicast - this type of IP addressing is responsible for transmission from one or more points to a set of other points
Time - specifies the time interval over which the packet rate is measured
Burst - number of packets to match in a burst
Mode - the classifier(-s) for packet rate limiting
Expire - specifies interval after which recorded IP addresses / ports will be deleted
auth - true, if a packet comes from authenticted client
local-dst - true, if a packet has local destination IP address
hotspot - true, if it is a TCP packet from client and either the transparent proxy on port 80 is enabled or the client has a proxy address configured and this address is equal to the address:port pair of the IP packet
loose-source-routing - match packets with loose source routing option. This option is used to route the internet datagram based on information supplied by the source
no-record-route - match packets with no record route option. This option is used to route the internet datagram based on information supplied by the source
no-router-alert - match packets with no router alter option
no-source-routing - match packets with no source routing option
no-timestamp - match packets with no timestamp option
record-route - match packets with record route option
router-alert - match packets with router alter option
strict-source-routing - match packets with strict source routing option
timestamp - match packets with timestamp
Time - specify the time interval over which the packet rate is measured
Burst - number of packets to match in a burst
max-throughput - maximize throughput (ToS=8)
min-cost - minimize monetary cost (ToS=2)
min-delay - minimize delay (ToS=16)
normal - normal service (ToS=0)
increment - the value of the TTL field will be incremented for value
set: - the value of the TTL field will be set to value
Counter - specifies which counter to use. A counter increments each time the rule containing nth match matches
Packet - match on the given packet number. The value by obvious reasons must be between 0 and Every. If this option is used for a given counter, then there must be at least Every+1 rules with this option, covering all values between 0 and Every inclusively.
Max - specifies upper boundary of the size range
DelayThreshold - delay for the packets with different destination ports coming from the same host to be treated as possible port scan subsequence
LowPortWeight - weight of the packets with privileged (<=1024) destination port
HighPortWeight - weight of the packet with non-priviliged destination port
local - matches addresses assigned to router's interfaces
broadcast - the IP packet is sent from one point to all other points in the IP subnetwork
multicast - this type of IP addressing is responsible for transmission from one or more points to a set of other points
cwr - congestion window reduced
ece - ECN-echo flag (explicit congestion notification)
fin - close connection
psh - push function
rst - drop connection
syn - new connection
urg - urgent data
max-throughput - maximize throughput (ToS=8)
min-cost - minimize monetary cost (ToS=2)
min-delay - minimize delay (ToS=16)
normal - normal service (ToS=0)
Notes
Instead of making two rules if you want to mark a packet, connection or routing-mark and finish mangle table processing on that event (in other words, mark and simultaneously accept the packet), you may disable the set by default passthrough property of the marking rule.
Usually routing-mark is not used for P2P, since P2P traffic always is routed over a default getaway.
Application Examples
Description
The following section discusses some examples of using the mangle facility.
Peer-to-Peer Traffic Marking
To ensure the quality of service for network connection, interactive traffic types such as VoIP and HTTP should be prioritized over non-interactive, such as peer-to-peer network traffic. RouterOS QOS implementation uses mangle to mark different types of traffic first, and then place them into queues with different limits.
The following example enforces the P2P traffic will get no more than 1Mbps of the total link capacity when the link is heavily used by other traffic otherwice expanding to the full link capacity:
[admin@MikroTik] > /ip firewall mangle add chain=forward \ \... p2p=all-p2p action=mark-connection new-connection-mark=p2p_conn [admin@MikroTik] > /ip firewall mangle add chain=forward \ \... connection-mark=p2p_conn action=mark-packet new-packet-mark=p2p [admin@MikroTik] > /ip firewall mangle add chain=forward \ \... connection-mark=!p2p_conn action=mark-packet new-packet-mark=other [admin@MikroTik] > /ip firewall mangle print Flags: X - disabled, I - invalid, D - dynamic 0 chain=forward p2p=all-p2p action=mark-connection new-connection-mark=p2p_conn 1 chain=forward connection-mark=p2p_conn action=mark-packet new-packet-mark=p2p 2 chain=forward packet-mark=!p2p_conn action=mark-packet new-packet-mark=other [admin@MikroTik] > [admin@MikroTik] > /queue tree add parent=Public packet-mark=p2p limit-at=1000000 \ \... max-limit=100000000 priority=8 [admin@MikroTik] > /queue tree add parent=Local packet-mark=p2p limit-at=1000000 \ \... max-limit=100000000 priority=8 [admin@MikroTik] > /queue tree add parent=Public packet-mark=other limit-at=1000000 \ \... max-limit=100000000 priority=1 [admin@MikroTik] > /queue tree add parent=Local packet-mark=other limit-at=1000000 \ \... max-limit=100000000 priority=1
Mark by MAC address
To mark traffic from a known MAC address which goes to the router or through it, do the following:
[admin@MikroTik] > / ip firewall mangle add chain=prerouting \ \... src-mac-address=00:01:29:60:36:E7 action=mark-connection new-connection-mark=known_mac_conn [admin@MikroTik] > / ip firewall mangle add chain=prerouting \ \... connection-mark=known_mac_conn action=mark-packet new-packet-mark=known_mac
Change MSS
It is a well known fact that VPN links have smaller packet size due to incapsulation overhead. A large packet with MSS that exceeds the MSS of the VPN link should be fragmented prior to sending it via that kind of connection. However, if the packet has DF flag set, it cannot be fragmented and should be discarded. On links that have broken path MTU discovery (PMTUD) it may lead to a number of problems, including problems with FTP and HTTP data transfer and e-mail services.
In case of link with broken PMTUD, a decrease of the MSS of the packets coming through the VPN link solves the problem. The following example demonstrates how to decrease the MSS value via mangle:
[admin@MikroTik] > /ip firewall mangle add out-interface=pppoe-out \ \... protocol=tcp tcp-flags=syn action=change-mss new-mss=1300 chain=forward [admin@MikroTik] > /ip firewall mangle print Flags: X - disabled, I - invalid, D - dynamic 0 chain=forward out-interface=pppoe-out protocol=tcp tcp-flags=syn action=change-mss new-mss=1300 [admin@MikroTik] >