timeout value in address list

estebandipietro · Sun Jul 09, 2023 1:35 am

Hello, how can I access to read the timeout value of an entry in the address list of the firewall within a script?
Greetings and thank you very much.

optio · Sun Jul 09, 2023 2:19 am

ROS 7.x code

:foreach list in=[/ip/firewall/address-list/find where list=<LIST_NAME>] do={
  :local timeout [get value-name=timeout $list]
}

Replace <LIST_NAME> with name of list from which record you want to get timeout, $timeout variable will contain timeout value.

rextended · Sun Jul 09, 2023 8:12 pm

Basically there are 8 different types of item in the address-list
1) Static IP / IPv6
2) Static IP-prefix / IPv6-prefix
3) Static DNS to be solved into IP(s) / IPv6(s)
4) Dynamic IP / IPv6 from resolved DNS, is present until reboot, they do not expire, but change following the DNS TTL
5) Dynamic IP / IPv6, lost on reboot
6) Dynamic IP-prefix / IPv6-prefix, lost on reboot
7) Dynamic IP / IPv6 by time, and in any case are lost on reboot
8) Dynamic IP-prefix / IPv6-prefix by time, and in any case are lost on reboot

Thus, only type 7 and 8 can return a (valid) timeout, the others cannot.
All RouterOS 6 and 7 versions:

/ip firewall address-list
:foreach item in=[find where ([:typeof $timeout]!="nil")] do={
  :put [get $item]
}

@estebandipietro If you are more specific about how to identify the entry, a more precise script can be provided.

rextended · Sun Jul 09, 2023 8:31 pm

@optio if it's not something that's only on 7, like for example wireguard, better provide a syntax that works on any version...
Why not write no-frills code? Perhaps with variables consistent with what they contain, and without using names that are also words that could create problems?

:foreach list item in=[/ip/ firewall/ address-list/ find where list="<LIST_NAME>"] do={
:local timeout tout [get value-name=timeout $list $item timeout]
}

/ip firewall address-list 
{
:local listName    "test"
:local itemTimeout 0
 :foreach item in=[find where list=$listName] do={
     :set itemTimeout [get $item timeout]
     :if ([:typeof $itemTimeout]="nil") do={:set itemTimeout 0}
     :put "Timeout is $itemTimeout for IP $[get $item address] on address list $listName"
 }
}

optio · Sun Jul 09, 2023 11:31 pm

@optio if it's not something that's only on 7, like for example wireguard, better provide a syntax that works on any version...

I don't own device pre ROS 7 version, so I cannot check syntax on other versions, thats why specified it because it's checked. Since OP author did not specify on which ROS version needs code this may or not may be useful to him, if is not, I guess he will reply that is not working and someone else will reply like you for eg.

Why not write no-frills code? Perhaps with variables consistent with what they contain, and without using names that are also words that could create problems?

I overlooked that, yes same var. name as property should be avoided.

/ip firewall address-list 
{
:local listName    "test"
:local itemTimeout 0
 :foreach item in=[find where list=$listName] do={
     :set itemTimeout [get $item timeout]
     :if ([:typeof $itemTimeout]="nil") do={:set itemTimeout 0}
     :put "Timeout is $itemTimeout for IP $[get $item address] on address list $listName"
 }
}

Why add unnecessary condition check if timeout exists, maybe OP wants to check timeout on item in list that always contains timeout? It was not specified, from question in OP I guessed it is that case. If you want, you can add more conditions, like add condition to get timeout for certain ip/host in address list if there are more in it, etc... It easy to add "improvements" to code when you don't know exact requirement.

rextended · Mon Jul 10, 2023 3:35 am

the first script return all entry with a timeout,

the second script do not check if the timeout exist or not, but if timeout do not exist, return 0, for prevent errors on succesive steps...

msatter · Mon Jul 10, 2023 3:39 pm

Again, check status not value!

With timeout:

/ip/firewall/address-list> /ip/firewall/address-list/; :foreach item in=[find list=<LISTNAME> timeout] do={:put [get $item]}

Without timeout:

/ip/firewall/address-list> /ip/firewall/address-list/; :foreach item in=[find list=<LISTNAME> !timeout] do={:put [get $item]}

rextended · Mon Jul 10, 2023 6:15 pm

Thank you, I appreciate your suggestions, ALWAYS.

**************************

Do not work on v6.... or better, work only when timeout is not present:

v6/v7 compatible syntax

/ip firewall address-list
add list=test timeout=2m address=6.6.6.6 disabled=no comment="test"
add list=test address=7.7.7.7 disabled=no comment="test"
:foreach item in=[find list=test timeout] do={:put [get $item]}
:foreach item in=[find list=test !timeout] do={:put [get $item]}

on v6 not work

test on v6 terminal code

[@] /ip firewall address-list> /ip firewall address-list
[@] /ip firewall address-list> add list=test timeout=2m address=6.6.6.6 disabled=no comment="test"
[@] /ip firewall address-list> add list=test address=7.7.7.7 disabled=no comment="test"
[@] /ip firewall address-list> :foreach item in=[find list=test timeout] do={:put [get $item]}
[@] /ip firewall address-list> :foreach item in=[find list=test !timeout] do={:put [get $item]}
.id=*dee1;address=7.7.7.7;comment=test;creation-time=jul/10/2023 17:14:35;disabled=false;dynamic=false;list=test
[@] /ip firewall address-list>

on v7 work

test on v7 terminal code

[@] /ip/firewall/address-list> /ip firewall address-list
[@] /ip/firewall/address-list> add list=test timeout=2m address=6.6.6.6 disabled=no comment="test"
[@] /ip/firewall/address-list> add list=test address=7.7.7.7 disabled=no comment="test"
[@] /ip/firewall/address-list> :foreach item in=[find list=test timeout] do={:put [get $item]}
.id=*1005;address=6.6.6.6;comment=test;creation-time=2023-07-10 17:17:15;disabled=false;dynamic=true;list=test;timeout=00:01:52
[@] /ip/firewall/address-list> :foreach item in=[find list=test !timeout] do={:put [get $item]}
.id=*1006;address=7.7.7.7;comment=test;creation-time=2023-07-10 17:17:15;disabled=false;dynamic=false;list=test

For make compatible the script also for v6 "with timeout":

/ip firewall address-list ; :foreach item in=[find list=test [:typeof $timeout]!="nil"] do={:put [get $item]}

msatter · Mon Jul 10, 2023 9:22 pm

ROS v6:

:foreach item in=[find list=<LIST NAME> timeout~"."] do={:put [get $item]}

:foreach item in=[find list=<LIST NAME> !timeout] do={:put [get $item]}

Flags: X - disabled, D - dynamic 
 #   LIST                                       ADDRESS                                                        CREATION-TIME        TIMEOUT             
 0   ;;; test
     test                                       7.7.7.7                                                        jul/10/2023 19:46:53
 1 D test                                       1.1.1.1                                                        jul/10/2023 19:57:09 1h39m51s            
 2 D test                                       192.168.255.255                                                jul/10/2023 20:07:14

@ /ip firewall address-list> :foreach item in=[find list=test timeout~"."] do={:put [get $item]}
.id=*6;address=1.1.1.1;creation-time=jul/10/2023 19:57:09;disabled=false;dynamic=true;list=test;timeout=01:43:30

@ /ip firewall address-list> :foreach item in=[find list=test !dynamic] do={:put [get $item]}
.id=*2;address=7.7.7.7;comment=test;creation-time=jul/10/2023 19:46:53;disabled=false;dynamic=false;list=test

@ /ip firewall address-list> :foreach item in=[find list=test dynamic !timeout] do={:put [get $item]}
.id=*c;address=192.168.255.255;creation-time=jul/10/2023 20:07:14;disabled=false;dynamic=true;list=test

rextended · Tue Jul 11, 2023 10:26 am

timeout~"."

Nice.... effectively, it's more elegant than mine.

In both cases, RouterOS still has to do some more operations, on v7 logically have fied that.