Let’s say I want to mitigate attacks on my corporate network, and have a list of IP addresses that come from China. (I operate in the Western Hemisphere only and I’m not concerned about branching out to China at this time.)
I would like to be able to load that IP address list from file.
(Right now I would need to - and probably will - write my own code to turn it into an rsc file, and then import it.)
Better still, I’d like to be able to download the IP address list from time to time - so maybe we can get some better scripting functionality with wget availability?
This is all already available isn’t it?
wget functionality is available as /tool fetch
importing address list is also available.
converting a list of IP addresses into an importable list is a trivial operation.
so what do you really need?
Thanks pe1chl! I obviously haven’t read enough of the manual - especially around scripting…
It’s not immediately obvious how to import an address list, do you mean that I’d need to do what I suggested above, or that there’s an inbuilt command? I can’t find anything under
/ip firewall address-list add
that would suggest I can add addresses in bulk, other than by applying a mask.
I looked into reading the file and performing the ‘transformation’ in-line - unfortunately the maximum size of a string is 4096 bytes, and it seems that the only way to get a file’s contents is through the contents property of the object (which is a string.)
So perhaps I should really be asking for some better scripting capabilities around reading files. Either into an array of strings, or to read one line at a time. The former would be more performant for larger files, but the latter would be kinder to RAM for huge files. RouterOS is also notably light on string manipulation functions.
Most people who do this accomplish it by doing the conversion from list → ROS commands on the server, and publish the resulting commands on their website.
So the webpage isn’t just this:
1.1.1.0/24
192.0.2.0/24
…
It’s commands like pe1chl gave, and the Mikrotik just executes it.
Personally, I’d prefer to use BGP to distribute these lists among my devices/servers but until ROS supports the route filter action: add prefix to address list, this isn’t immediately doable without scripts.
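The server-side conversion the last reply describes (plain prefix list in, RouterOS commands out), written up as an added example; it is not code from the thread or from MikroTik. The list name cn-block, the sample prefixes, the example URL and the scheduler idea are assumptions; the /tool fetch and /import commands are the ones pe1chl pointed at, so check the exact parameters against your RouterOS version.

```shell
#!/bin/sh
# Added example (not from the thread): turn a plain prefix list into a
# RouterOS .rsc file on the server, so the router only has to /tool fetch it
# and /import it. The list name "cn-block" and the file names are hypothetical.

# to_rsc LISTNAME
#   Reads one IPv4 prefix per line on stdin and writes RouterOS commands on
#   stdout. Blank lines and '#' comments are skipped. Malformed entries are
#   reported on stderr and dropped, so a bad line in the upstream list can
#   never become a bogus firewall entry.
to_rsc() {
    awk -v list="$1" '
    BEGIN {
        # Replace the whole list on each import rather than appending to it,
        # so prefixes that disappear upstream are removed from the router too.
        print "/ip firewall address-list remove [find list=" list "]"
        print "/ip firewall address-list"
    }
    /^[[:space:]]*(#|$)/ { next }
    {
        ok = 0
        if ($1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/) {
            ok = 1
            n = split($1, a, "[./]")
            for (i = 1; i <= 4; i++) if (a[i] + 0 > 255) ok = 0
            if (n == 5 && a[5] + 0 > 32) ok = 0
        }
        if (!ok) {
            print "to_rsc: skipping malformed line: " $0 > "/dev/stderr"
            next
        }
        print "add list=" list " address=" $1 " comment=\"imported\""
    }'
}

# Constructed sample input standing in for the downloaded list (not real data).
# The last two lines are deliberately malformed to show they get dropped.
sample_list='# example prefixes
1.1.1.0/24
192.0.2.0/24
999.1.1.1
10.0.0.0/33
'

# Generate the commands; redirect to cn-block.rsc and publish it on a web
# server the router can reach.
printf '%s' "$sample_list" | to_rsc cn-block

# On the router (hypothetical URL; commands as named in the thread):
#   /tool fetch url=https://example.com/cn-block.rsc dst-path=cn-block.rsc
#   /import file-name=cn-block.rsc
# Put both in a script and run it from /system scheduler to refresh the list.
```

The BEGIN block empties the list before re-adding it, so prefixes dropped upstream do not linger on the router; the cost is that any firewall rule matching that list sees an empty list for the few moments the import takes, which matters if the list is used in an allow rule rather than a drop rule.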