oacyscom
just joined
Topic Author
Posts: 5
Joined: Tue Sep 20, 2005 7:57 pm

Bug Report - find command problem

Sat Aug 15, 2009 2:43 am

We are running MikroTik v3.28 on an x86 system. We are seeing an issue with the 'find' command and 'where' clause in 'print' not being able to match src-address and dst-address. Below is a log of what I tried; there was no noticeable delay in running find and where as listed below. This is the first time I have tried these searches in v3, but I know they worked fine in v2.8 and v2.9; we just upgraded to v3 for this box today. BTW, there are about 2500 mangle rules overall, split across different chains.

Thanks,
-Ryan

[admin@MikroTik] /ip firewall mangle> pr where  src-address=10.33.59.169
Flags: X - disabled, I - invalid, D - dynamic
[admin@MikroTik] /ip firewall mangle> pr where new-packet-mark=16296
Flags: X - disabled, I - invalid, D - dynamic
23   chain=chkdst59b action=mark-packet new-packet-mark=16296 passthrough=no
     dst-address=10.33.59.169

24   chain=chksrc59b action=mark-packet new-packet-mark=16296 passthrough=no
     src-address=10.33.59.169

25   chain=chkdst59a action=mark-packet new-packet-mark=16296 passthrough=no
     dst-address=10.33.59.118

26   chain=chksrc59a action=mark-packet new-packet-mark=16296 passthrough=no
     src-address=10.33.59.118
[admin@MikroTik] /ip firewall mangle> remove [find chain=chksrc59b action=mark-packet new-packet-mark=16296 passthrough=no src-address=10.33.59.169]
[admin@MikroTik] /ip firewall mangle> pr where new-packet-mark=16296                     
Flags: X - disabled, I - invalid, D - dynamic
23   chain=chkdst59b action=mark-packet new-packet-mark=16296 passthrough=no
     dst-address=10.33.59.169

24   chain=chksrc59b action=mark-packet new-packet-mark=16296 passthrough=no
     src-address=10.33.59.169

25   chain=chkdst59a action=mark-packet new-packet-mark=16296 passthrough=no
     dst-address=10.33.59.118

26   chain=chksrc59a action=mark-packet new-packet-mark=16296 passthrough=no
     src-address=10.33.59.118
[admin@MikroTik] /ip firewall mangle> remove [find src-address=10.33.59.169]            
[admin@MikroTik] /ip firewall mangle> pr where new-packet-mark=16296
Flags: X - disabled, I - invalid, D - dynamic
23   chain=chkdst59b action=mark-packet new-packet-mark=16296 passthrough=no
     dst-address=10.33.59.169

24   chain=chksrc59b action=mark-packet new-packet-mark=16296 passthrough=no
     src-address=10.33.59.169

25   chain=chkdst59a action=mark-packet new-packet-mark=16296 passthrough=no
     dst-address=10.33.59.118

26   chain=chksrc59a action=mark-packet new-packet-mark=16296 passthrough=no
     src-address=10.33.59.118
[admin@MikroTik] /ip firewall mangle> remove [find dst-address=10.33.59.169]
[admin@MikroTik] /ip firewall mangle> pr where new-packet-mark=16296
Flags: X - disabled, I - invalid, D - dynamic
23   chain=chkdst59b action=mark-packet new-packet-mark=16296 passthrough=no
     dst-address=10.33.59.169

24   chain=chksrc59b action=mark-packet new-packet-mark=16296 passthrough=no
     src-address=10.33.59.169

25   chain=chkdst59a action=mark-packet new-packet-mark=16296 passthrough=no
     dst-address=10.33.59.118

26   chain=chksrc59a action=mark-packet new-packet-mark=16296 passthrough=no
     src-address=10.33.59.118
[admin@MikroTik] /ip firewall mangle> pr where src-address=10.33.59.118
Flags: X - disabled, I - invalid, D - dynamic
[admin@MikroTik] /ip firewall mangle> pr where src-address=10.33.59.118/32
Flags: X - disabled, I - invalid, D - dynamic
[admin@MikroTik] /ip firewall mangle> remove [/ip firewall mangle find dst-address=10.33.59.169]
[admin@MikroTik] /ip firewall mangle> pr where new-packet-mark=16296                     
Flags: X - disabled, I - invalid, D - dynamic
23   chain=chkdst59b action=mark-packet new-packet-mark=16296 passthrough=no
     dst-address=10.33.59.169

24   chain=chksrc59b action=mark-packet new-packet-mark=16296 passthrough=no
     src-address=10.33.59.169

25   chain=chkdst59a action=mark-packet new-packet-mark=16296 passthrough=no
     dst-address=10.33.59.118

26   chain=chksrc59a action=mark-packet new-packet-mark=16296 passthrough=no
     src-address=10.33.59.118
[admin@MikroTik] /ip firewall mangle> remove 24
[admin@MikroTik] /ip firewall mangle> pr where new-packet-mark=16296
Flags: X - disabled, I - invalid, D - dynamic
23   chain=chkdst59b action=mark-packet new-packet-mark=16296 passthrough=no
     dst-address=10.33.59.169

25   chain=chkdst59a action=mark-packet new-packet-mark=16296 passthrough=no
     dst-address=10.33.59.118

26   chain=chksrc59a action=mark-packet new-packet-mark=16296 passthrough=no
     src-address=10.33.59.118
[admin@MikroTik] /ip firewall mangle> remove 23
[admin@MikroTik] /ip firewall mangle> pr where new-packet-mark=16296
Flags: X - disabled, I - invalid, D - dynamic
25   chain=chkdst59a action=mark-packet new-packet-mark=16296 passthrough=no
     dst-address=10.33.59.118

26   chain=chksrc59a action=mark-packet new-packet-mark=16296 passthrough=no
     src-address=10.33.59.118
[admin@MikroTik] /ip firewall mangle>
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Bug Report - find command problem

Sat Aug 15, 2009 2:47 am

IP addresses need to be enclosed in quotation marks for 'find' and 'where'.
[admin@MikroTik] /ip firewall mangle> add chain=madeup src-address=10.1.0.1 action=accept
[admin@MikroTik] /ip firewall mangle> print where src-address=10.1.0.1
Flags: X - disabled, I - invalid, D - dynamic
[admin@MikroTik] /ip firewall mangle> print where src-address="10.1.0.1"
Flags: X - disabled, I - invalid, D - dynamic
 2   chain=madeup action=accept src-address=10.1.0.1
[admin@MikroTik] /ip firewall mangle>
Hope that helps,
Felix
 
oacyscom
just joined
Topic Author
Posts: 5
Joined: Tue Sep 20, 2005 7:57 pm

Re: Bug Report - find command problem

Sat Aug 15, 2009 3:36 am

Thanks, it looks like that works with the quotes. However, my automated removal still doesn't work with the following command:
remove [find action=mark-packet chain=chkdst61a disabled=no dst-address="10.33.61.55" new-packet-mark=1293 passthrough=yes]

Do any other parameters need to be quoted? Is this just something new in v3?

Thanks,
-Ryan
 
oacyscom
just joined
Topic Author
Posts: 5
Joined: Tue Sep 20, 2005 7:57 pm

Re: Bug Report - find command problem

Sat Aug 15, 2009 3:49 am

I just found that the removal will work only once I remove the chk for the disabled= and quote the action= param:
remove [find action=mark-packet chain=chkdst61a disabled=no dst-address="10.33.61.55" new-packet-mark=1293 passthrough=yes]
becomes
remove [find action="mark-packet" chain=chkdst61a dst-address="10.33.61.55" new-packet-mark=1293 passthrough=yes]
Is this a bug or is it by design?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Bug Report - find command problem

Sat Aug 15, 2009 3:53 am

Going through things quickly it seems like the values for passthrough and disabled must not be quoted, new-packet-mark and chain may be quoted and action must be quoted.

Therefore
/ip firewall mangle print where action="mark-packet" chain=chkdst61a disabled=no dst-address="10.33.61.55" new-packet-mark=1293 passthrough=yes
should work. Though you may prefer quoting as much as possible if behavior changed in the past. I haven't used versions before 3.x so I can't comment on when certain parameters started requiring quotes.

--

Didn't see your update. As far as I understand it, certain parameter values are of type string. Comparing values of different types is always a boolean false, so you must coerce your value into string by quoting it in order to successfully compare to another, system internal string (the actual value of the entry).
Can't comment on why you have to leave out 'disabled=no'. Printing rules filtering via where just on that parameter is successful for me.

HTH,
Felix
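
The type mismatch described above makes `remove [find ...]` fail silently: an empty match removes nothing and prints no error, so an automated cleanup can leave firewall rules in place unnoticed. The script below is an added example, not code from any poster in this thread; it reuses the chain, address and mark quoted above and assumes a RouterOS release that provides `:typeof` and `:error` (not verified on the v3.28 discussed here).

```routeros
# Added example: guard an automated removal so that an empty or ambiguous
# match is reported instead of silently doing nothing.
/ip firewall mangle

# Quoted, so the console treats the value as a string.
:local addr "10.33.61.55"

# Show how the console types each literal; the unquoted form is not a string.
:put ("unquoted literal: " . [:typeof 10.33.61.55])
:put ("quoted literal:   " . [:typeof $addr])

# find returns a list of internal ids; an empty list means nothing matched.
:local ids [find chain="chkdst61a" dst-address=$addr new-packet-mark="1293"]
:put ("matches: " . [:len $ids])

# Stop before removing unless exactly one rule matched.
:if ([:len $ids] != 1) do={
    :log warning ("mangle cleanup: expected 1 rule for " . $addr . ", found " . [:len $ids])
    :error "refusing to remove: match count is not 1"
}

# Print the stored value and its type for the audit trail, then remove by id.
:foreach id in=$ids do={
    :put ([get $id dst-address] . " stored as " . [:typeof [get $id dst-address]])
    remove $id
}
```

Checking the match count before `remove` turns the silent no-op seen in the first post into a logged, visible failure.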
 
dssmiktik
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: Bug Report - find command problem

Wed Aug 19, 2009 12:59 pm

I've had problems with find as well when narrowing searches. I've had success with a basic find loop, searching each item's properties for query criteria.

/ip firewall filter
foreach f in=[find] do={
:if ([get $f comment] = "mycomment" && [get $f src-address] = 192.168.1.1) do={
:put "execute commands here"
}
}
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Bug Report - find command problem

Thu Aug 20, 2009 3:30 pm

try [get $f src-address]="192.168.1.1"
