herophil322
just joined
Topic Author
Posts: 3
Joined: Thu Aug 29, 2013 2:34 am

Use host names in firewall rules

Thu Aug 29, 2013 2:51 am

I want to use this easy script, to drop the complete dynamic host with one firewall rule.

http://wiki.mikrotik.com/wiki/Use_host_ ... wall_rules

But since the FW 6.2 was released, the script seems to be incompatible with FW 6.2.

Does anyone know why? Thank you for any help :)

I mean this script:

/system script add \
name=resolvehostnames policy=write,read \
source="# define variables\r\
\n:local list\r\
\n:local comment\r\
\n:local newip\r\
\n:local oldip\r\
\n\r\
\n# Loop through each entry in the address list.\r\
\n:foreach i in=[/ip firewall address-list find] do={\r\
\n\r\
\n# Get the first five characters of the list name\r\
\n :set list [:pick [/ip firewall address-list get \$i list] 0 5]\r\
\n\r\
\n# If they're 'host_', then we've got a match - process it\r\
\n :if (\$list = \"host_\") do={\r\
\n\r\
\n# Get the comment for this address list item (this is the host name to u\
se)\r\
\n :set comment [/ip firewall address-list get \$i comment]\r\
\n :set oldip [/ip firewall address-list get \$i address]\r\
\n\r\
\n# Resolve it and set the address list entry accordingly.\r\
\n : if (\$newip != \$oldip) do={:set newip [:resolve \$comment]\r\
\n /ip firewall address-list set \$i address=\$newip}\r\
\n }\r\
\n }"
 
skot
Long time Member
Posts: 584
Joined: Wed Nov 30, 2011 3:05 am

Re: Use host names in firewall rules

Sat Aug 31, 2013 2:03 am

The problem seems to be with the line:

ros code

:if ($newip != $oldip) do={...
It wouldn't work for me using either != or =, not sure what's going on with that, but then I noticed the script doesn't make sense at that point anyway. $newip will never equal $oldip, so it will always resolve the address and set the address list entry even if the IP has not changed.

ros code

:if ($newip != $oldip) do={:set newip [:resolve $comment]
  /ip firewall address-list set $i address=$newip}
}
I fixed that problem, and then it was working on v6.2. This script resolves the address for each one, but only changes the IP if it's different.

ros code

# define variables
:local list
:local comment
:local newip
:local oldip

# Loop through each entry in the address list.
:foreach i in=[/ip firewall address-list find] do={

# Get the first five characters of the list name
  :set list [:pick [/ip firewall address-list get $i list] 0 5]

# If they're 'host_', then we've got a match - process it
  :if ($list = "host_") do={
 
# Get the comment for this address list item (this is the host name to use)
    :set comment [/ip firewall address-list get $i comment]
    :set oldip [/ip firewall address-list get $i address]
    :set newip [:resolve $comment]

# Update the address list entry only if the resolved address has changed.
    :if ($newip != $oldip) do={
      /ip firewall address-list set $i address=$newip
    }
  }
}
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Use host names in firewall rules

Sat Aug 31, 2013 2:10 am

Here is what I use.

ros code

#.* by RouterOS
#
# Dynamic Address List
# Set Comment = "+<hostname>"

#
# Script <Don't Edit Below This>
#
/ip firewall address-list {
    :foreach i in=[find comment~"^\\+([^+]*)\$"] do={
        :local commentString [get $i comment]
        :local currentHostname [:pick $commentString 1 [:len $commentString]]
        :local currentAddress [:resolve $currentHostname]

        set [find comment=$commentString] address=$currentAddress
    }
}
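Added example, not code from any post in this thread: it keeps skot's "only write when the address changed" logic for the host_ lists from the first post, but also survives a lookup that fails. In RouterOS scripting :resolve raises a script error when a name cannot be resolved, which aborts the whole :foreach and leaves every later entry stale, so each lookup is wrapped in :do { } on-error={ } (assumed available on the RouterOS version in use) and changes are written to the log. The log message text and the variable names are mine.

```routeros
# Added example: resolve the host name stored in the comment of every
# "host_*" address-list entry, update only on change, and keep going
# when one lookup fails instead of aborting the loop.
/ip firewall address-list {
    :foreach i in=[find list~"^host_"] do={
        :local hostname [get $i comment]
        :local oldip [get $i address]
        :local newip
        :local ok true

        # :resolve throws on failure; catch it so one bad name
        # does not stop the remaining entries from being refreshed
        :do {
            :set newip [:resolve $hostname]
        } on-error={
            :set ok false
            :log warning ("resolvehostnames: cannot resolve " . $hostname . ", keeping " . $oldip)
        }

        # Write (and log) only when the lookup succeeded and the address changed
        :if ($ok && ($newip != $oldip)) do={
            set $i address=$newip
            :log info ("resolvehostnames: " . $hostname . " " . $oldip . " -> " . $newip)
        }
    }
}
```

Run it from the scheduler the same way as the wiki script; the log entries make it easy to see which names changed and which ones stopped resolving.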