I would like to utilize MikroTik scripting to run certain events when an IP is added to / removed from an address list. Is this possible?
The linked example works only on added or changed addresses, not when one is removed.
When one is removed it creates empty logs: you cannot know which address was removed.
And when one is changed, you do not know what the previous IP was...
# handler called once per matching entry: $1 = address, $2 = list name
:global EventHandlerAddList do={
:local addnum $1
:local addlist $2
/log info "Address >$addnum< changed or added to address list >$addlist<"
:return 0
}
:execute {
# the global must be declared inside the :execute block before it can be used there
:global EventHandlerAddList
/ip firewall address-list print follow-only where list="listname" [$EventHandlerAddList $address $list]
}
You need something that monitors the logs, not the address list directly,
something that monitors these logs:
address list entry added by winbox-3.40/tcp-msg(winbox):rex@1.1.1.1 (*6D = /ip firewall address-list add address=6.6.6.6 disabled=no list=test)
address list entry changed by winbox-3.40/tcp-msg(winbox):rex@1.1.1.1 (/ip firewall address-list set *6D address=9.9.9.9 disabled=no list=test)
address list entry removed by winbox-3.40/tcp-msg(winbox):rex@1.1.1.1 (/ip firewall address-list remove *6D)
But still you can monitor only added or changed addresses, not which addresses are deleted.
Yes, a diff cannot be tracked unless some mirror address list is maintained by an event function that compares IPs from the mirror list and the monitored list, e.g.: if a new IP is added to the monitored list, that list will have one more item and this address needs to be added to the mirror list; if one is changed, the item counts will be the same, and the address that does not exist in the mirror list is the changed one and needs to be updated in the mirror list; if one is removed, the monitored list will have one item less, and the address from the mirror list that does not exist in the monitored list is the deleted one and needs to be removed from the mirror list.
If the router has enough memory, just at the start create in memory one array with all ID and address pairs.
When something is removed just look up the ID in the array, without any time-consuming search or find, and you have the result…
for example, if the log is “/ip firewall address-list remove *6D”, just read *6D in the array to get the address and the list the IP was removed from, without creating CPU-consuming loops…
(when something is added, add the item to the array; when something is modified you have the previous value, then update the array, etc. etc. etc.)
It will be faster for sure, but it depends on device memory and it needs to be populated on device startup, as you mentioned. If there are no frequent changes, the CPU impact when using the address list is not significant and it saves RAM. It all depends on the use case and the device used, how large the address list is expected to be, how often it will change…
/ip firewall address-list
:global test [:toarray ""]
[print as-value where [:set ($test->[:tostr $".id"]) $address]]
:put $test
3 seconds on a CCR1036-12G-4S with ~8000 items in address lists (mixed dynamic and static, from all address lists).
The free memory apparently does not change.
For specific list
/ip firewall address-list
:global test [:toarray ""]
[print as-value where [:if ($list="AAA_ip_DROP") do={:set ($test->[:tostr $".id"]) $address}]]
:put $test
Only for dynamic
/ip firewall address-list
:global test [:toarray ""]
[print as-value where [:if ($dynamic) do={:set ($test->[:tostr $".id"]) $address}]]
:put $test
Only for not dynamic
/ip firewall address-list
:global test [:toarray ""]
[print as-value where [:if ($dynamic = false) do={:set ($test->[:tostr $".id"]) $address}]]
:put $test
Obviously conditions can be added and mixed…
So, if the array contains this:
[…];*598=208.12.64.0/19;*599=210.57.128.0/18;*59A=210.57.192.0/20;*59B=212.87.204.0/24;*59C=212.192.8.0/24;*59D=212.192.241.0/24;[…]
and the log is one of:
address list entry changed by winbox-3.40/tcp-msg(winbox):rex@1.1.1.1 (/ip firewall address-list set *59A address=210.57.219.0/20 disabled=no list=AAA_ip_DROP)
address list entry removed by winbox-3.40/tcp-msg(winbox):rex@1.1.1.1 (/ip firewall address-list remove *59A)
with
:put ($test->"*59A")
you can obtain the address changed by set, or removed: “210.57.192.0/20”
Just keep the array and the address list synced (remove the removed, add the added, update the updated).
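As an added example (not code from this thread or from RouterOS), here is the same idea carried out off-router, assuming the router ships its log lines to a remote collector where this Python runs: the `:put $test` array dump is loaded as a mirror keyed by `.id`, each `added`/`changed`/`removed` log line in the format shown above is parsed, and the mirror supplies the address that the `remove` and `set` lines themselves do not carry. It also implements the snapshot-diff resync described earlier in the thread (compare a fresh `.id -> address` snapshot with the mirror) for the case where log lines were missed. The log lines and the snapshot below are constructed copies of the formats shown in the thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# Mirror of the address list as the thread describes it: .id -> {"address", "list"}.
Mirror = Dict[str, Dict[str, Optional[str]]]

# Constructed copy of the ":put $test" array dump format (*id=address;...).
SNAPSHOT = "*598=208.12.64.0/19;*599=210.57.128.0/18;*59A=210.57.192.0/20;*59B=212.87.204.0/24"

# Constructed log lines in the shape RouterOS writes for address-list changes, plus one unrelated line.
LOG_LINES = [
    "address list entry added by winbox-3.40/tcp-msg(winbox):rex@1.1.1.1 (*6D = /ip firewall address-list add address=6.6.6.6 disabled=no list=test)",
    "address list entry changed by winbox-3.40/tcp-msg(winbox):rex@1.1.1.1 (/ip firewall address-list set *6D address=9.9.9.9 disabled=no list=test)",
    "address list entry changed by winbox-3.40/tcp-msg(winbox):rex@1.1.1.1 (/ip firewall address-list set *59A address=210.57.219.0/20 disabled=no list=AAA_ip_DROP)",
    "address list entry removed by winbox-3.40/tcp-msg(winbox):rex@1.1.1.1 (/ip firewall address-list remove *59A)",
    "address list entry removed by winbox-3.40/tcp-msg(winbox):rex@1.1.1.1 (/ip firewall address-list remove *6D)",
    "system,info,account user admin logged in from 10.0.0.5 via winbox",  # unrelated, must be ignored
]

# Outer shape of the log line; the command in parentheses is parsed by the three patterns below.
EVENT_RE = re.compile(
    r"address list entry (?P<event>added|changed|removed) by .* "
    r"\((?P<cmd>(?:\*[0-9A-F]+ = )?/ip firewall address-list .*)\)$"
)
ADD_RE = re.compile(r"^(?P<id>\*[0-9A-F]+) = /ip firewall address-list add (?P<args>.*)$")
SET_RE = re.compile(r"^/ip firewall address-list set (?P<id>\*[0-9A-F]+) (?P<args>.*)$")
REMOVE_RE = re.compile(r"^/ip firewall address-list remove (?P<id>\*[0-9A-F]+)$")


def load_snapshot(text: str) -> Mirror:
    """Parse the ':put $test' array dump (*id=address;...) into the mirror."""
    mirror: Mirror = {}
    for item in text.split(";"):
        if "=" in item:
            entry_id, address = item.split("=", 1)
            mirror[entry_id] = {"address": address, "list": None}  # list name is not in the dump
    return mirror


def _parse_args(args: str) -> Dict[str, str]:
    """Turn 'address=1.2.3.4 disabled=no list=x' into a dict."""
    return dict(kv.split("=", 1) for kv in args.split() if "=" in kv)


def apply_log_line(mirror: Mirror, line: str) -> Optional[Tuple[str, str, Optional[str], Optional[str]]]:
    """Update the mirror from one log line; return (event, id, old_address, new_address) or None."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    event, cmd = m.group("event"), m.group("cmd")
    if event == "added" and (a := ADD_RE.match(cmd)):
        args = _parse_args(a.group("args"))
        mirror[a.group("id")] = {"address": args.get("address"), "list": args.get("list")}
        return ("added", a.group("id"), None, args.get("address"))
    if event == "changed" and (s := SET_RE.match(cmd)):
        args = _parse_args(s.group("args"))
        entry = mirror.setdefault(s.group("id"), {"address": None, "list": None})
        old = entry["address"]  # the previous value the log line alone cannot tell you
        if "address" in args:
            entry["address"] = args["address"]
        if "list" in args:
            entry["list"] = args["list"]
        return ("changed", s.group("id"), old, entry["address"])
    if event == "removed" and (r := REMOVE_RE.match(cmd)):
        entry = mirror.pop(r.group("id"), None)  # the log carries only the .id; the mirror supplies the address
        return ("removed", r.group("id"), entry["address"] if entry else None, None)
    return None


def reconcile(mirror: Mirror, current: Dict[str, str]) -> Dict[str, List[Tuple[str, Optional[str], Optional[str]]]]:
    """Resync when log lines were missed: diff a fresh '.id -> address' snapshot against the mirror,
    fix the mirror in place, and report (id, old_address, new_address) per added/changed/removed entry."""
    result: Dict[str, List[Tuple[str, Optional[str], Optional[str]]]] = {"added": [], "changed": [], "removed": []}
    for entry_id, address in current.items():
        if entry_id not in mirror:
            result["added"].append((entry_id, None, address))
            mirror[entry_id] = {"address": address, "list": None}
        elif mirror[entry_id]["address"] != address:
            result["changed"].append((entry_id, mirror[entry_id]["address"], address))
            mirror[entry_id]["address"] = address
    for entry_id in list(mirror):
        if entry_id not in current:
            result["removed"].append((entry_id, mirror.pop(entry_id)["address"], None))
    return result


def replay(snapshot: str, lines: List[str]):
    """Load the mirror from a dump and feed it every log line; return the mirror and the decoded events."""
    mirror = load_snapshot(snapshot)
    events = [e for e in (apply_log_line(mirror, line) for line in lines) if e]
    return mirror, events


if __name__ == "__main__":
    final_mirror, decoded = replay(SNAPSHOT, LOG_LINES)
    for ev in decoded:
        print(ev)
    print(final_mirror)
```

Running it decodes the `remove *59A` line to the address 210.57.192.0/20 the thread mentions (after the preceding `set` line has updated it to 210.57.219.0/20), which the log line by itself never states. The mirror is the only source of that value, so it must be loaded once at startup and then kept in sync either by feeding every log line through `apply_log_line` or, if lines can be lost, by periodically calling `reconcile` with a fresh snapshot.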
Mmmmmmmmmmm…
All this got me thinking about new ways to efficiently import and update blacklists from large lists…
Bravo Rex! (as always)