Address list --> none dynamic/static timeout

When I add an address to an address list from a rule, I can instead set an expiration time for that specific entry. This can be done by setting a time-out, or "none dynamic", or "none static".

I wanted to do this also in the terminal, but those two options besides the time are not available. I have read about a ‘magic time’ number that lets RouterOS treat this as dynamic, so that the address is not saved on disk and not kept between reboots.

What is that number? From the terminal I got “35w3d13:13:56” as the maximum for the timeout?

Anyone?

I’m afraid no such value exists, or maybe it does exist internally but cannot be entered due to the value range check. 35w3d13h13m56s is a “nearly-round” value if counted in centisecond units (0x7fffffd0 or 21474836), but if you enter it, it is counted down as any other value, and you cannot enter more. Even entering 0x7fffffff or 0x80000000 by cheating the value range check does not change this.

Can you illustrate a scenario where it would be useful to add a dynamic address list item with an “until reboot” lifetime using a script? I can only imagine sourcing the address list from some external device if you would like to save space in the internal flash memory.

I regularly make a backup and an RSC file from the configuration, as is good practice. So having the lists present in the files takes more space on the backup disk.

Some lists have a limited lifetime of a few hours till 7 days before being regenerated externally. These will not be included in the backups but addresses that are ‘static’ will.

Thanks for the numbers; I should have a look at the lines in the backup RSC file to see what is stated if using “none dynamic”.

No dynamic items, including the “dynamic, unlimited” items, become part of configuration, so /export doesn’t show them. So if the motivation of the question was to determine a match condition to filter out these items from the backup files, it is simply not necessary.

[me@MyTik] > ip firewall address-list print
Flags: X - disabled, D - dynamic
 #   LIST                            ADDRESS                                              CREATION-TIME        TIMEOUT
[me@MyTik] > ip firewall address-list export
# may/27/2018 12:29:00 by RouterOS 6.42.1
# software id = AR5X-1RXT
#
# model = RouterBOARD 952Ui-5ac2nD
[me@MyTik] > ip firewall address-list print
Flags: X - disabled, D - dynamic
 #   LIST                            ADDRESS                                              CREATION-TIME        TIMEOUT
 0 D test01                          192.168.10.91                                        may/27/2018 12:29:15
[me@MyTik] > ip firewall address-list export
# may/27/2018 12:29:24 by RouterOS 6.42.1
# software id = AR5X-1RXT
#
# model = RouterBOARD 952Ui-5ac2nD

You are correct. I can’t see them in the export because they are not exported…I should have known that.

So now I tried to add an address from the terminal with a time-out of 00:00:00, and that is interpreted as a static entry, and this could be used as a “none dynamic” (no timeout, dynamic). A negative number is dynamic but times out on the next refresh.

In the decision table underneath I have changed the interpretation in IP - Firewall - Address Lists on the CLI.

If timeout = none then the entry is static (becomes part of the configuration) → “none static” in Winbox
If timeout = 00:00:00 then it is dynamic without end time (erased on reboot / not in export/backup / Flags: D) → “none dynamic” in Winbox
If timeout = 00:00:01 - 35w3d13h13m56s then it is dynamic with an end time (erased on reboot / not in export/backup / Flags: D)
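Since the posts in this thread disagree on what `timeout=0` does on the CLI, here is a small check script (added here, not part of the thread) that adds three entries to a throwaway list named `probe` with the three timeout forms from the table above and prints how the running release flags each one. It assumes the `dynamic` property of an address-list item can be read with `get`, as it can for other firewall items, and uses documentation addresses (192.0.2.0/24) as constructed sample data.

```routeros
# Added check, not code from the thread: how does this RouterOS release
# interpret "timeout=" on /ip firewall address-list add?
# Throwaway list "probe" with TEST-NET-1 addresses (constructed sample data).

/ip firewall address-list remove [find where list="probe"]

# no timeout at all -> expected static ("none static")
/ip firewall address-list add list="probe" address=192.0.2.1 comment="no-timeout"
# zero timeout -> the disputed case
/ip firewall address-list add list="probe" address=192.0.2.2 timeout=0s comment="timeout=0s"
# real timeout -> expected dynamic with an end time
/ip firewall address-list add list="probe" address=192.0.2.3 timeout=1m comment="timeout=1m"

# Print the result of each form: D flag (dynamic=true) and remaining timeout.
:foreach i in=[/ip firewall address-list find where list="probe"] do={
  :put ([/ip firewall address-list get $i comment] . " -> dynamic=" . \
        [/ip firewall address-list get $i dynamic] . " timeout=" . \
        [/ip firewall address-list get $i timeout])
}

# Clean up so the probe entries do not end up in the next /export.
/ip firewall address-list remove [find where list="probe"]
```

Run it from `/system script` or paste it into the terminal; an entry that reports `dynamic=true` with an empty timeout is the “none dynamic” case, and an entry with `dynamic=false` will show up in `/export` until it is removed.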

Not sure what version you’ve used to verify that, but in my 6.42.1, timeout=0 does not make the item added using CLI dynamic. In this release, a direct addition of a dynamic-unlimited address to a list is not possible using CLI.

I can help you on that, and my signature reflects my current MikroTik usage. :wink:

When I am in Winbox I have a three seconds refresh time (I call it heartbeat) so I see the 00:00:00 entry with Flag: D and after three seconds it disappears.

I will write to support to make this also possible from the CLI. RouterOS is already using this but just not accessible from the CLI and using “00:00:00” or “0” or any negative number.

Well, that’s a different can of worms, that the address list item remains in the list still a couple of seconds (5 I think) after its remaining lifetime reaches 0. I never had enough determination to check whether it only affects the /print or whether the actual operation of the firewall is also affected (meaning that those 5 seconds would be the minimum effective lifetime).

But if I enter /ip firewall address-list add list=mylist address=1.2.3.4 timeout=0, a static item is created. Changing the 0 to 0:0:0 or 0s makes no difference.

BTW, reflecting the current state of affairs in the automatic signature is good for real-time conversations but not really helpful for people googling the topics three months later because the current value of the signature is used when displaying any post, new or old.

There was a magic number for none-dynamic, but it doesn’t work anymore. Too bad, it could be useful sometimes. They should just support timeout=none-dynamic the same way there’s address-list-timeout=none-dynamic for mangle rules.

Or, but don’t take this seriously, you could write a script that would send packets to addresses you want to add to list, then you could catch them with mangle rule and create dynamic list this way. :wink:

Well, my similar idea was to ping a single bogus address, let the firewall add it to the address list, and then change the address in the list item to the one you really want it to be.
But the question remains, what would be the use case?

Some kind of dynamic blacklist, for example. Something containing tons of addresses, what gets updated regularly and it wouldn’t be useful to save it to disk as persistent config. Or a workaround for tiny 16MB disk in almost all recent devices (like that poor guy in other thread who wanted something like this for DNS).

So in a box, an external storage (or source) of the address-list addresses. This was the only application which came to my mind, but I was a bit scared of the process of keeping the “executive” (internal) list in sync with the “reference” (external) one, and also of the speed of creating the dynamic items after reboot even if our ridiculous workaround would not have to be used because your suggestion to support timeout=none-dynamic would get implemented.

I mean, without external storage, I can see little advantage in adding none-dynamic as compared to any timeout larger than a month even if it is done by a firewall rule, let alone by a CLI command. So the use of CLI command implies that the list is created outside, and there the issue of initial sync after reboot (time?) and continuous sync during runtime (reliability?) bothers me.

I’m not saying it’s flawless, but it’s up to you what you do with it. It’s all in your hands. How you handle synchronization with the external source, if you perhaps rather block all traffic after reboot until a list gets loaded, etc.

Not having the list as part of persistent config makes sense to me. For example, I regularly backup configs from routers (using scheduled script) and save them into Git repository, so I have full history of changes. Most of the time there are none and it’s very easy to see when something did change. If I had an always changing address list like this, it would completely screw it for me.

My main point is that if I can create none-dynamic entries using firewall rules, there is no reason why I shouldn’t be able to also create them manually.

Having more than 35000 addresses, is that not going to take a while to put them in the address-list with the help of rules?

Hahaha I wanted to try the TikApp to try the magic number but RC is too advanced for the poor TikApp so back to a bigger computer.

You have to try. Fetching them from the external storage will also take some time.
I would do it the following way

:execute {:ping count=1 interval=10ms 4.4.4.4}
/ip firewall address-list set [find list=the-list address=4.4.4.4] address=$theActualAddress

By using execute, you prevent the main script from waiting for the ping response timeout; by using interval=10ms, you minimize the number of pings waiting for a response in the background.
Maybe there are ways to send a packet from the 'Tik without waiting for a response at all but I don’t know them.

In chain=output of /ip firewall mangle, the first rule would be action=add-dst-to-address-list dst-address=4.4.4.4 address-list=the-list, the next one would be action=drop dst-address=4.4.4.4 for the sake of environment protection.

If you knew how long several people have been torturing their brains to reduce the size of the files, until Chupaka made us sit up in our chairs from astonishment. This is all because compression is not available in RouterOS.

Using find is the same as shooting yourself with a gun in the face when using long lists. :wink:

There is a complete ecosystem to control updates to lists by using a DNS system but Dave has stopped that a few months ago.

I’m not sure whether you mean compression or hashing, but I assume I got the point.

Okay then, pinging each of those addresses with a single packet should do the same job.

My idea was something like:

/ip firewall mangle
add action=add-dst-to-address-list address-list=dynamic-list address-list-timeout=none-dynamic chain=output dst-port=666 protocol=tcp
/ip firewall filter
add action=reject chain=output dst-port=666 protocol=tcp reject-with=tcp-reset

And then do a loop with:

/tool fetch url=http://<address>:666/

And it should go as fast as router is able to keep up. I didn’t try it, because I’m so bad with RouterOS scripting that even a simple loop for reading addresses from file is something I’d have to find in existing example, and I’m feeling a little lazy now.

But better ask MikroTik to support this directly, it doesn’t make sense to have to rely on such hacks like these.
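The two workarounds above (the ping-and-rename variant from a few posts up, and the mangle-plus-fetch loop from this post) put together as one runnable script. This is an added example, not code from either poster: it assumes a list named `dynamic-list`, a trigger port of tcp/666, the rule comment `dyn-list-trigger` to make the rule setup idempotent, and `/tool fetch ... keep-result=no` being available in the release you run; the address array is constructed sample data from TEST-NET-1.

```routeros
# Added example, not code from the thread. Builds a dynamic (Flag D, never
# exported) address list from a script: an output-chain mangle rule with
# address-list-timeout=none-dynamic catches one locally generated packet per
# address, and a filter rule resets the connection so nothing leaves the box.
# Assumed names: list "dynamic-list", trigger port tcp/666, rule comment
# "dyn-list-trigger". The address array is constructed sample data.

:local listName "dynamic-list"
:local trigPort 666
:local tag "dyn-list-trigger"

# 1. Mangle rule. Output-chain mangle runs before output-chain filter, so the
#    destination is recorded before the packet is rejected. Added only once.
:if ([:len [/ip firewall mangle find where comment=$tag]] = 0) do={
  /ip firewall mangle add chain=output protocol=tcp dst-port=$trigPort \
    action=add-dst-to-address-list address-list=$listName \
    address-list-timeout=none-dynamic comment=$tag
}

# 2. Filter rule. tcp-reset makes the local socket fail immediately, so fetch
#    does not sit in a connect timeout and no packet reaches the real host.
:if ([:len [/ip firewall filter find where comment=$tag]] = 0) do={
  /ip firewall filter add chain=output protocol=tcp dst-port=$trigPort \
    action=reject reject-with=tcp-reset comment=$tag
}

# 3. One connection attempt per address. The attempt is expected to fail, so
#    the error is swallowed. Only host addresses work: the rule records the
#    packet's destination IP, it cannot add a prefix.
:local addresses {"192.0.2.10"; "192.0.2.11"; "192.0.2.12"}
:foreach a in=$addresses do={
  :do {
    /tool fetch url=("http://" . $a . ":" . $trigPort . "/") keep-result=no
  } on-error={}
}

# 4. Check: every entry should carry the D flag (dynamic=yes) and no timeout,
#    and none of them should appear in a subsequent /export.
:put ("dynamic entries in " . $listName . ": " . \
  [:len [/ip firewall address-list find where list=$listName dynamic=yes]])
```

Two caveats a practitioner will hit: the list is empty again after every reboot, so the script has to be run from `/system scheduler` with `start-time=startup`, and any filter rule that matches on the list does nothing useful until the rebuild has finished (Chupaka's suggestion of dropping traffic until the list is loaded is the safe default for a blacklist). With tens of thousands of addresses the literal array should of course be replaced by reading the addresses from a file, but the per-address mechanism stays the same.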

Darn, I can’t switch easily from one screen to another on my tablet and search, so I got the person wrong who set us on the right track with reducing the size of the address lists. It was Chupaka, and we still owe him a lot of thanks for that eye opener.

Link: https://forum.mikrotik.com/viewtopic.php?f=9&t=98804&start=350#p606911 and the TS of that topic made a complete eco system for updates of the lists.

This is a quick-and-dirty version of an RSC file:

# Generated probe by msatter Thu 24 May 08:36:35 CEST 2018
:global i do={ /ip firewall address-list add list=probe timeout=35w3d13:13:56 address="$a" }
:do { /ip firewall address-list remove [find where list=probe] } on-error={}
/system logging disable 0
$i a=1.2.3.4
$i a=2.3.4.1
.
.
$i a=254.254.254.254