ipv6 firewall filter src-address-list matching seems broken

I’ve configured the filter rules below in an attempt to cut a single log record
each time a new IPv6 address appears on my network. I’m using an address
list to cache known addresses. Rule 14 is intended to prevent the log or
add-src-to-address-list actions from firing for known addresses.

I expect the number of times these rules (16, 17) are triggered to be pretty
close to the number of addresses appearing in the src-cache list, but
this is not what is happening.

Am I missing something, or is src-address-list matching not working?

 >> /ipv6 firewall filter print  where (chain=fwd-source) or (jump-target =fwd-source )   
Flags: X - disabled, I - invalid, D - dynamic 
11   ;;; track addresses we're responsible for
     chain=forward action=jump jump-target=fwd-source src-address=2001:db8:13f::/48 src-address-list=!src-cache 

14   ;;; maintain source address cache for forwarded traffic
     chain=fwd-source action=return src-address-list=src-cache 

15 X chain=fwd-source action=passthrough src-address-list=!src-cache 

16   chain=fwd-source action=log src-address-list=!src-cache log-prefix="src-cache" 

17   chain=fwd-source action=add-src-to-address-list address-list=src-cache address-list-timeout=1h 

18   chain=fwd-source action=return 
 >> /ipv6 firewall filter print input stats where (chain=fwd-source ) and ( disabled =no )
Flags: X - disabled, I - invalid, D - dynamic 
 #   CHAIN                                                    ACTION                            BYTES         PACKETS
14   ;;; maintain source address cache for forwarded traffic
     fwd-source                                               return                                          0               0
16   fwd-source                                               log                                 1 549 389           5 361
17   fwd-source                                               add-src-to-address-list       1 549 389           5 361
18   fwd-source                                               return                              1 549 389           5 361
[admin@MikroTik] > /ipv6 firewall address-list print where list =src-cache
Flags: X - disabled, D - dynamic 
 #   LIST                                                                 ADDRESS                                    
19 D src-cache                                                            2001:db8:13f::220:4aff:fec8:2261/128       
20 D src-cache                                                            2001:db8:13f:1:c90f:75b8:4627:3c31/128     
22 D src-cache                                                            2001:db8:13f::230:18ff:feac:c0b6/128       
23 D src-cache                                                            2001:db8:13f::a5d4:cad8:5642:a4f8/128      
24 D src-cache                                                            2001:db8:13f::210:4bff:fe70:7dd/128        
 >> system resource print
                   uptime: 3h45m39s
                  version: 5.22
          free-memory: 47620KiB
          total-memory: 62184KiB
                      cpu: MIPS 24Kc V7.4
                cpu-count: 1
            cpu-frequency: 400MHz
                 cpu-load: 1%
           free-hdd-space: 29084KiB
          total-hdd-space: 61440KiB
  write-sect-since-reboot: 1934
         write-sect-total: 2165132
               bad-blocks: 0%
        architecture-name: mipsbe
              board-name: RB751G-2HnD
                 platform: MikroTik
 >> system routerboard pr
          routerboard: yes
                  model: 751G-2HnD
       serial-number: 2F7A028D32DF
   current-firmware: 3.0
  upgrade-firmware: 3.0
 >>
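
The counters the rules above would show if list matching behaved as the post expects, as an added example that is not part of the original post and is not RouterOS code. It is an idealised Python model of rules 11 to 18; first-match evaluation, entries expiring exactly at the 1h timeout, and the traffic sample are assumptions.

```python
import ipaddress

PREFIX = ipaddress.ip_network("2001:db8:13f::/48")  # src-address on rule 11
TIMEOUT = 3600  # address-list-timeout=1h on rule 17, in seconds


def simulate(packets):
    """Run (timestamp, source) pairs through rules 11-18; return (hits, cache)."""
    cache = {}  # models src-cache: address -> expiry timestamp
    hits = {11: 0, 14: 0, 16: 0, 17: 0, 18: 0}
    for ts, src in packets:
        addr = ipaddress.ip_address(src)
        cached = cache.get(addr, 0) > ts
        # Rule 11: jump only for sources inside the /48 that are NOT cached.
        if addr not in PREFIX or cached:
            continue
        hits[11] += 1
        # Rule 14: return for cached sources. Rule 11 already excluded them,
        # so this counter stays at 0 even when list matching works.
        if cached:
            hits[14] += 1
            continue
        hits[16] += 1               # rule 16: log, src-address-list=!src-cache
        cache[addr] = ts + TIMEOUT  # rule 17: add-src-to-address-list
        hits[17] += 1
        hits[18] += 1               # rule 18: return
    return hits, cache


# Constructed traffic: two hosts from the post's list plus one source outside
# the /48; host A shows up again after its cache entry has timed out.
A = "2001:db8:13f::220:4aff:fec8:2261"
B = "2001:db8:13f:1:c90f:75b8:4627:3c31"
SAMPLE = [(0, A), (1, A), (2, B), (10, A), (20, "2001:db8:ffff::1"),
          (30, B), (3700, A), (3701, A)]

if __name__ == "__main__":
    hits, cache = simulate(SAMPLE)
    print(hits, len(cache))
```

In this model rules 16 and 17 fire once per address per timeout window, and a zero counter on rule 14 is expected because of the `!src-cache` matcher already on rule 11.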

A similar problem happens in the script shown below. Existing IPv6 address-list items are not found, even though the corresponding command entered at the console finds the items. A similar script referring to /ip arp instead of /ipv6 neighbour just works.

       # Adapted from https://ispforum.cz/viewtopic.php?f=3&t=8416
       
       :local ipaddr;
       :local macaddr;
       :local iface;
       :local count;
       :set count 0;
       /ipv6 neighbor;
       :foreach i in=[ /ipv6 neighbor find mac-address ~ "." ] do={
           :set ipaddr [get $i address];
           :set macaddr [get $i mac-address];
           :set iface [get $i interface];
           # --- Both following alternatives work when entered from console using literal values ---
           # :if ([/ipv6 firewall address-list find list="arpwatch" comment=$macaddr address=$ipaddr] = "") do {
           :if (0 = [:len [/ipv6 firewall address-list find list="arpwatch" comment=$macaddr address=$ipaddr]]) do={
               /ipv6 firewall address-list add list="arpwatch" disabled=yes comment=$macaddr address=$ipaddr;
               :log info ("arpwatch: found $macaddr using $ipaddr on $iface");
               :set count (1+$count);
           }
       }
       :log info ("arpwatch: added $count (IPv6)");

It seems that using address lists in the IPv4 firewall filter is not working correctly either. Matched traffic to/from address lists counts as a match, yet passes on to the next rule. Also, negation (“!”) in an address list seems to have no effect on determining matches. Using 5.22. Does anyone have any idea if the latest ROS rev doesn’t have these issues?

Make sure you mark this topic for support.