Bug Report - find command problem

We are running MikroTik v3.28 on an x86 system. We are seeing an issue with the ‘find’ command and the ‘where’ clause in ‘print’ not being able to match src-address and dst-address. Below is a log of what I tried; there was no noticeable delay in running find and where as listed below. This is the first time I have tried these searches in v3, but I know they worked fine in v2.8 and v2.9; we just upgraded to v3 for this box today. BTW, there are about 2500 mangle rules overall, split across different chains.

Thanks,
-Ryan


[admin@MikroTik] /ip firewall mangle> pr where  src-address=10.33.59.169
Flags: X - disabled, I - invalid, D - dynamic
[admin@MikroTik] /ip firewall mangle> pr where new-packet-mark=16296
Flags: X - disabled, I - invalid, D - dynamic
23   chain=chkdst59b action=mark-packet new-packet-mark=16296 passthrough=no
     dst-address=10.33.59.169

24   chain=chksrc59b action=mark-packet new-packet-mark=16296 passthrough=no
     src-address=10.33.59.169

25   chain=chkdst59a action=mark-packet new-packet-mark=16296 passthrough=no
     dst-address=10.33.59.118

26   chain=chksrc59a action=mark-packet new-packet-mark=16296 passthrough=no
     src-address=10.33.59.118
[admin@MikroTik] /ip firewall mangle> remove [find chain=chksrc59b action=mark-packet new-packet-mark=16296 passthrough=no src-address=10.33.59.169]
[admin@MikroTik] /ip firewall mangle> pr where new-packet-mark=16296                     
Flags: X - disabled, I - invalid, D - dynamic
23   chain=chkdst59b action=mark-packet new-packet-mark=16296 passthrough=no
     dst-address=10.33.59.169

24   chain=chksrc59b action=mark-packet new-packet-mark=16296 passthrough=no
     src-address=10.33.59.169

25   chain=chkdst59a action=mark-packet new-packet-mark=16296 passthrough=no
     dst-address=10.33.59.118

26   chain=chksrc59a action=mark-packet new-packet-mark=16296 passthrough=no
     src-address=10.33.59.118
[admin@MikroTik] /ip firewall mangle> remove [find src-address=10.33.59.169]            
[admin@MikroTik] /ip firewall mangle> pr where new-packet-mark=16296
Flags: X - disabled, I - invalid, D - dynamic
23   chain=chkdst59b action=mark-packet new-packet-mark=16296 passthrough=no
     dst-address=10.33.59.169

24   chain=chksrc59b action=mark-packet new-packet-mark=16296 passthrough=no
     src-address=10.33.59.169

25   chain=chkdst59a action=mark-packet new-packet-mark=16296 passthrough=no
     dst-address=10.33.59.118

26   chain=chksrc59a action=mark-packet new-packet-mark=16296 passthrough=no
     src-address=10.33.59.118
[admin@MikroTik] /ip firewall mangle> remove [find dst-address=10.33.59.169]
[admin@MikroTik] /ip firewall mangle> pr where new-packet-mark=16296
Flags: X - disabled, I - invalid, D - dynamic
23   chain=chkdst59b action=mark-packet new-packet-mark=16296 passthrough=no
     dst-address=10.33.59.169

24   chain=chksrc59b action=mark-packet new-packet-mark=16296 passthrough=no
     src-address=10.33.59.169

25   chain=chkdst59a action=mark-packet new-packet-mark=16296 passthrough=no
     dst-address=10.33.59.118

26   chain=chksrc59a action=mark-packet new-packet-mark=16296 passthrough=no
     src-address=10.33.59.118
[admin@MikroTik] /ip firewall mangle> pr where src-address=10.33.59.118
Flags: X - disabled, I - invalid, D - dynamic
[admin@MikroTik] /ip firewall mangle> pr where src-address=10.33.59.118/32
Flags: X - disabled, I - invalid, D - dynamic
[admin@MikroTik] /ip firewall mangle> remove [/ip firewall mangle find dst-address=10.33.59.169]
[admin@MikroTik] /ip firewall mangle> pr where new-packet-mark=16296                     
Flags: X - disabled, I - invalid, D - dynamic
23   chain=chkdst59b action=mark-packet new-packet-mark=16296 passthrough=no
     dst-address=10.33.59.169

24   chain=chksrc59b action=mark-packet new-packet-mark=16296 passthrough=no
     src-address=10.33.59.169

25   chain=chkdst59a action=mark-packet new-packet-mark=16296 passthrough=no
     dst-address=10.33.59.118

26   chain=chksrc59a action=mark-packet new-packet-mark=16296 passthrough=no
     src-address=10.33.59.118
[admin@MikroTik] /ip firewall mangle> remove 24
[admin@MikroTik] /ip firewall mangle> pr where new-packet-mark=16296
Flags: X - disabled, I - invalid, D - dynamic
23   chain=chkdst59b action=mark-packet new-packet-mark=16296 passthrough=no
     dst-address=10.33.59.169

25   chain=chkdst59a action=mark-packet new-packet-mark=16296 passthrough=no
     dst-address=10.33.59.118

26   chain=chksrc59a action=mark-packet new-packet-mark=16296 passthrough=no
     src-address=10.33.59.118
[admin@MikroTik] /ip firewall mangle> remove 23
[admin@MikroTik] /ip firewall mangle> pr where new-packet-mark=16296
Flags: X - disabled, I - invalid, D - dynamic
25   chain=chkdst59a action=mark-packet new-packet-mark=16296 passthrough=no
     dst-address=10.33.59.118

26   chain=chksrc59a action=mark-packet new-packet-mark=16296 passthrough=no
     src-address=10.33.59.118
[admin@MikroTik] /ip firewall mangle>

IP addresses need to be enclosed in quotation marks for ‘find’ and ‘where’.

[admin@MikroTik] /ip firewall mangle> add chain=madeup src-address=10.1.0.1 action=accept
[admin@MikroTik] /ip firewall mangle> print where src-address=10.1.0.1
Flags: X - disabled, I - invalid, D - dynamic
[admin@MikroTik] /ip firewall mangle> print where src-address="10.1.0.1"
Flags: X - disabled, I - invalid, D - dynamic
 2   chain=madeup action=accept src-address=10.1.0.1
[admin@MikroTik] /ip firewall mangle>

Hope that helps,
Felix

Thanks, it looks like that works with the quotes. However, my automated removal still doesn’t work with the following command:
remove [find action=mark-packet chain=chkdst61a disabled=no dst-address="10.33.61.55" new-packet-mark=1293 passthrough=yes]

Do any other parameters need to be quoted? Is this just something new in v3?

Thanks,
-Ryan

I just found that the removal will work only once I remove the check for the disabled= and quote the action= param.

remove [find action=mark-packet chain=chkdst61a disabled=no dst-address="10.33.61.55" new-packet-mark=1293 passthrough=yes]

becomes

remove [find action="mark-packet" chain=chkdst61a dst-address="10.33.61.55" new-packet-mark=1293 passthrough=yes]

Is this a bug or is it by design?

Going through things quickly it seems like the values for passthrough and disabled must not be quoted, new-packet-mark and chain may be quoted and action must be quoted.

Therefore

/ip firewall mangle print where action="mark-packet" chain=chkdst61a disabled=no dst-address="10.33.61.55" new-packet-mark=1293 passthrough=yes

should work. Though you may prefer quoting as much as possible if behavior changed in the past. I haven’t used versions before 3.x so I can’t comment on when certain parameters started requiring quotes.

Didn’t see your update. As far as I understand it, certain parameter values are of type string. Comparing values of different types is always a boolean false, so you must coerce your value into string by quoting it in order to successfully compare to another, system internal string (the actual value of the entry).
Can’t comment on why you have to leave out ‘disabled=no’. Printing rules filtering via where just on that parameter is successful for me.

HTH,
Felix

I’ve had problems with find as well when narrowing searches. I’ve had success with a basic find loop, searching each item’s properties for query criteria.

/ip firewall filter
:foreach f in=[find] do={
    :if ([get $f comment] = "mycomment" && [get $f src-address] = 192.168.1.1) do={
        :put "execute commands here"
    }
}

try [get $f src-address]="192.168.1.1"
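
Added example (not code from any poster in this thread): the session in the first post shows `remove [find ...]` returning without any error when `find` matches nothing, so an automated cleanup should count the matches before removing and re-check afterwards. It assumes the quoting behaviour the replies describe for v3.28 (address and mark values quoted); the log message wording is made up for illustration.

```routeros
# Guarded removal of mangle rules: never let an empty match pass silently.
# Address and mark are the values from the session in the first post.
/ip firewall mangle

# Quote the values so they are compared as strings, as the replies recommend.
:local ids [find src-address="10.33.59.169" new-packet-mark="16296"]

:if ([:len $ids] = 0) do={
    # An unquoted or mistyped value ends up here: find returned nothing,
    # and a bare "remove [find ...]" would have done nothing without complaint.
    :log warning "mangle cleanup: no rule matched, nothing removed"
} else={
    :log info ("mangle cleanup: removing " . [:len $ids] . " rule(s)")
    remove $ids

    # Re-run the same query; anything still matching means the rule is
    # still in place and still marking traffic.
    :if ([:len [find src-address="10.33.59.169" new-packet-mark="16296"]] != 0) do={
        :log error "mangle cleanup: rules still present after remove"
    }
}
```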