Filter rule

IBREDSOPORTE · July 22, 2022, 1:13pm

Hi community,

I need to add the same filter rule in serveral routers in position 1. Is there a way to add it using the same command?

I know you can create it and then move it, but I want to know if it’s possible to create it in position 1.

Thanks

BrookXVll · July 23, 2022, 11:21am

The place-before parameter is responsible for this.

ip firewall filter add chain=forward place-before=0

Adds the rule to the first position

rextended · July 23, 2022, 1:08pm

NO, is not the right method…
Sometime you have:
/ip firewall filter add chain=forward place-before=0
item referred by ‘place-before’ does not exist (11)
Because that 0 is not valid until you do not print before.
0 is a temporary value.

The right method is, on same line without other commands:

/ip firewall filter add chain=forward place-before=([find]->0)

But both methods do error if no previous rules are presents.

This move last rule on the top:

move ([find]->([:len [find]]-1)) ([find]->0)

But the other problem is if are present some dynamic rules, for example for display fasttrack, better do not move anything before that rules,
then is necessary a check for move the rule before the first static rule

/ip firewall filter add chain=forward place-before=([find where dynamic=no]->0)

the same for move:

move ([find]->([:len [find]]-1)) ([find where dynamic=no]->0)

But, in general, you have to use the utmost precaution, because if you move over “drop everything unclassified”… you cut everything, also your access…

BrookXVll · July 23, 2022, 1:46pm

I completely agree with you. Your answer is more extended, I just showed an example of the command.

IBREDSOPORTE · July 27, 2022, 6:43am

NO, is not the right method...
Sometime you have:
/ip firewall filter add chain=forward place-before=0
item referred by 'place-before' does not exist (11)
Because that 0 is not valid until you do not print before.
0 is a temporary value.

The right method is, on same line without other commands:
/ip firewall filter add chain=forward place-before=([find]->0)
But both methods do error if no previous rules are presents.

This move last rule on the top:
move ([find]->([:len [find]]-1)) ([find]->0)
But the other problem is if are present some dynamic rules, for example for display fasttrack, better do not move anything before that rules,
then is necessary a check for move the rule before the first static rule
/ip firewall filter add chain=forward place-before=([find where dynamic=no]->0)
the same for move:
move ([find]->([:len [find]]-1)) ([find where dynamic=no]->0)
But, in general, you have to use the utmost precaution, because if you move over "drop everything unclassified"... you cut everything, also your access...

Works great!

Thanks all!