Move a firewall rule to the end (V4.5)
Posted: Thu Feb 25, 2010 12:15 pm
by OriiOn
I am trying to come up with a script that adds 2 new filter rules and, after that, makes sure the "drop" rule is moved to the end.
In this script I assume that whatever is at the end of the filter list BEFORE I add my rules must be the drop rule. So I determine the index of that rule first.
/ip firewall filter
:global dropruleindex ([:len [/ip firewall filter find]]-1)
add action=accept chain=input comment=VPN disabled=no protocol=ipsec-esp
add action=accept chain=input comment=VPN disabled=no protocol=udp src-port=500
move $dropruleindex
However, it appears that the move command ignores the content of the $dropruleindex variable, even though that variable contains the correct index number. What am I doing wrong? Any other way to achieve this?
Re: Move a firewall rule to the end (V4.5)
Posted: Thu Feb 25, 2010 1:44 pm
by SurferTim
I do not add or remove the rules. I enable and disable them with a script. Would that be good for you also?
Re: Move a firewall rule to the end (V4.5)
Posted: Thu Feb 25, 2010 1:53 pm
by OriiOn
Thanks for the reply! That depends how you do it, maybe that holds a hint for me how it could be done in a different way than the approach I am currently using.
So yes please, post a sample of your script.
Re: Move a firewall rule to the end (V4.5)
Posted: Thu Feb 25, 2010 2:08 pm
by SurferTim
I add a comment to each rule I want enabled or disabled. In this case, I would add the comment "test" to each rule I want to enable/disable.
To enable them:
# collect the ids of every rule tagged with the comment "test"
:local rulelist [/ip firewall filter find comment=test]
:foreach i in=$rulelist do={
    /ip firewall filter enable $i
}
To disable them:
# same selection, opposite action
:local rulelist [/ip firewall filter find comment=test]
:foreach i in=$rulelist do={
    /ip firewall filter disable $i
}
Re: Move a firewall rule to the end (V4.5)
Posted: Thu Feb 25, 2010 3:37 pm
by Chupaka
or just
/ip firewall filter disable [find comment="test"]
Re: Move a firewall rule to the end (V4.5)
Posted: Thu Feb 25, 2010 3:57 pm
by OriiOn
Thanks for the replies. I know the "trick" with setting a comment for the rules, and reference them by their comment name. That works just fine.
However, my goal is to come up with a script that adds those rules right after the first-time (self-)configuration of the router. At this point all the comments for the filter rules are "default configuration". I want to avoid having to manually set a comment named "drop" for the drop rule before I run my script.
I am just a little surprised that the move command does not work when using variables. Presume the "drop" rule would be #3 in the list:
This WORKS:
### this will move number 3 to the end of the filter list
/ip firewall filter move 3
This does NOT work:
:global index 3
/ip firewall filter move $index
Re: Move a firewall rule to the end (V4.5)
Posted: Thu Feb 25, 2010 4:17 pm
by SurferTim
I have no experience with adding them, but it may be the move parameter.
Have you tried adding the rule with the "place-before=X" parameter?
X is the line number you want the rule above in the list.
No promises. I haven't tried it!
Re: Move a firewall rule to the end (V4.5)
Posted: Thu Feb 25, 2010 5:50 pm
by OriiOn
In 4.5 move uses the "numbers" and "destination" parameters. But anyway, that does not work either.
However, it gets even more weird. For the "destination" parameter passing a variable seems to work! It's just that for the "numbers" parameter passing a variable does not work. Btw, with "not work" I mean it fails with "no such item".
This works:
move numbers=5 destination=$a
This does not work:
move numbers=$a destination=5
Re: Move a firewall rule to the end (V4.5)
Posted: Fri Feb 26, 2010 7:03 am
by dssmiktik
It looks like move works with the internal .id and numeric-only values (at least from my testing). This worked for me on v4.5:
Your code revised:
/ip firewall filter
add action=accept chain=input comment="VPN1" disabled=yes protocol=ipsec-esp
add action=accept chain=input comment="VPN2" disabled=yes protocol=udp src-port=500
:local fRules
# get current rule set
:set fRules [/ip firewall filter find]
# since we added two rules, move the last two rules up two positions (before last rule)
move [:pick $fRules ([:len $fRules] - 1)] [:tonum ([:len $fRules] - 3)]
move [:pick $fRules ([:len $fRules] - 2)] [:tonum ([:len $fRules] - 3)]
Possibly a better approach: You could simply move all 'action=drop' rules to the bottom
The below script will work whether it finds 0, 1, or more drop rules; it will move each of them to the last position in the filter table.
:local dropRules
:local allRules
/ip firewall filter
:set dropRules [find action="drop"]
:foreach f in=$dropRules do={
    # re-read the list every pass, because each move changes the positions
    :set allRules [/ip firewall filter find]
    # Insert our rule just before bottom rule
    move [:toid $f] [:tonum ([:len $allRules] - 2)]
    :set allRules [/ip firewall filter find]
    # swap our rule with bottom rule (making our rule last)
    move [:toid [:pick $allRules ([:len $allRules] - 1)]] [:tonum ([:len $allRules] - 2)]
}
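An added example, not code from this thread or from MikroTik, that takes the other route: instead of moving the drop rule after the fact, it adds the accept rules with place-before= pointing at the .id of the last action=drop rule in the input chain. Working from .id values sidesteps the "numbers" problem discussed above, since a print number is only a position and changes as soon as a rule is added, moved or removed. Anchoring on the chain's own catch-all also avoids a side effect of move [find action="drop"]: that sends every drop rule of every chain to the bottom, so an early drop that was meant to run before the accepts (a drop-invalid rule, for instance) silently ends up after them and the policy changes. The rule comments, the dst-port=500,4500 choice for IKE/NAT-T, the :error on a chain with no drop rule, and RouterOS v6/v7 script syntax are this example's own assumptions.

```routeros
# Added example, not from the thread. Assumes RouterOS v6/v7 script syntax;
# the comments and the dst-port choice below are this example's own.
/ip firewall filter

# Rules are identified by .id (stable) rather than by print number, which is
# just a position that shifts whenever a rule is added, moved or removed.
:local inputDrops [find chain=input action=drop]
:if ([:len $inputDrops] = 0) do={
    :error "no action=drop rule in chain=input; refusing to guess where the accepts belong"
}
# find returns ids in rule order, so the last drop is the chain's catch-all.
:local catchAll [:pick $inputDrops ([:len $inputDrops] - 1)]

# Idempotent adds keyed on comment: a re-run neither duplicates nor re-orders.
:if ([:len [find chain=input comment="VPN ESP"]] = 0) do={
    add chain=input action=accept protocol=ipsec-esp comment="VPN ESP" place-before=$catchAll
}
:if ([:len [find chain=input comment="VPN IKE"]] = 0) do={
    add chain=input action=accept protocol=udp dst-port=500,4500 comment="VPN IKE" place-before=$catchAll
}

# Verify: any input rule that sits after the catch-all drop can never match.
:local afterDrop 0
:local seenDrop false
:foreach r in=[find chain=input] do={
    :if ($seenDrop) do={ :set afterDrop ($afterDrop + 1) }
    :if ($r = $catchAll) do={ :set seenDrop true }
}
:if ($afterDrop > 0) do={
    :log warning ("firewall: " . $afterDrop . " input rule(s) sit after the catch-all drop and never match")
}
print where chain=input
```

The final check is worth keeping in any first-boot script: it turns "the VPN rule landed below the drop" from a silent outage into a logged warning, and it costs one pass over the chain.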
Re: Move a firewall rule to the end (V4.5)
Posted: Fri Feb 26, 2010 5:12 pm
by OriiOn
Thank you for your very detailed answer! Both your suggestions work.
Then I gave this a try:
move [find action="drop"]
And it worked also...
Re: Move a firewall rule to the end (V4.5)
Posted: Fri Jun 20, 2014 5:04 am
by jerryroy1
How do I just insert rules between others?
/ip firewall filter
add action=accept chain=input comment="Netgear Switch access" disabled=no src-address-list="Netgear Switch Access"
add action=accept chain=input comment="default configuration" disabled=no dst-port=123 protocol=udp
add action=accept chain=input disabled=no dst-port=22,80,443,8291 protocol=tcp src-address=216.231.192.0/20 <- insert this line here???
add action=accept chain=input disabled=no dst-port=22,80,443,8291 protocol=tcp src-address=216.231.195.0/24
add action=accept chain=input disabled=no dst-port=22,80,443,8291 protocol=tcp src-address=216.231.198.0/24
Also, If this works,
move [find action="drop"]
Shouldn't this work?
remove [find src-address="216.231.198.0/24"]
Re: Move a firewall rule to the end (V4.5)
Posted: Fri Jun 20, 2014 2:04 pm
by Chupaka
How do I just insert rules between others?
<...> <- insert this line here???
use 'print', then 'add action=accept chain=input bla-bla-bla place-before=N', where N is the number of the rule one from the bottom
If this works,
move [find action="drop"]
Shouldn't this work?
remove [find src-address="216.231.198.0/24"]
sure it works
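An added example, not part of Chupaka's reply: the same insert done with an anchor found by its own matchers rather than by a print number, plus the remove scoped to the chain with a count guard. A print number is only valid until the next add, move or remove, and remove [find src-address=...] deletes every rule with that source in every chain, not just the input rule in the question. RouterOS v6/v7 script syntax, the rule comment and the :error guards are this example's assumptions.

```routeros
# Added example, not from the thread. Assumes RouterOS v6/v7 script syntax and
# the three src-address rules shown in the question; the comment text is mine.
/ip firewall filter

# Anchor on the rule the new one must precede, located by its own matchers.
# A print number (place-before=N) is correct only until the next add/remove.
:local anchor [find chain=input protocol=tcp src-address=216.231.195.0/24 dst-port=22,80,443,8291]
:if ([:len $anchor] != 1) do={
    :error ("expected exactly one anchor rule, found " . [:len $anchor])
}
add chain=input action=accept protocol=tcp dst-port=22,80,443,8291 src-address=216.231.192.0/20 comment="mgmt from /20" place-before=[:pick $anchor 0]

# remove [find src-address=X] would delete every rule with that source in every
# chain. Scope the match to the chain and the other matchers, and refuse to
# delete unless exactly one rule matches.
:local victims [find chain=input protocol=tcp src-address=216.231.198.0/24 dst-port=22,80,443,8291]
:if ([:len $victims] = 1) do={
    :put ("removing input rule for " . [get [:pick $victims 0] src-address])
    remove [:pick $victims 0]
} else={
    :error ("refusing to remove: matched " . [:len $victims] . " rule(s), expected 1")
}
print where chain=input
```

The count guard is the important part: an over-broad find that matches two rules is exactly the case where a one-line remove takes out a rule you did not mean to touch.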