LIST ALL QUEUES AND APPLY A FIREWALL.

Hello.

I'm trying to do a script so I can get all the IPs of the clients and apply a firewall. The clients are part of a parent; this parent also has an IP, but this IP doesn't have a firewall applied.

How can I get all the IPs of the clients?

I know how to get the IP of a specific client:

:global a [/queue simple get User target-addresses]
:put $a
[/ip firewall filter add chain=forward src-address=$a action=accept]

This script takes the IP of a queue, puts it on the screen and applies a firewall.

I urgently need a script that does this with all queues.

:foreach i in=[/queue simple find] do={
/ip firewall filter add chain=forward src-address=[/queue simple get $i target-addresses] action=accept
}

Ohhh guy, thanks.

That’s good.

Now I have three more doubts.

First: How can I list only the queues that have a parent?

Second: I need to run this script every five minutes, all the time. (Scheduler)

Third: When I run the script several times, the script creates some firewall rules with the same IP; I need that if the rule is already created, the script doesn't do the rule again.


Thanks for the help.

  1. add check - if parent!="none" then do your script

  2. add scheduler with interval=5m

  3. add another check - run through all firewall filters, search for specific src-address. If rule with that address is already added then do nothing, otherwise add.

Ohh, thanks.

How can I put in the script that if parent!="none" do { ?

Hummm, can you help me put this in my script?


This is my script until now:

/queue simple
:foreach n in=[/queue simple find priority=8] do={
:local interfacename [/queue simple get $n target-addresses]
:local c [/queue simple get $n name]
:local parent [/queue simple get $n parent]
/ip firewall filter add chain=forward src-address="$interfacename" action=accept comment="$c"
}

Thanks, guy.

:foreach n in=[/queue simple find priority=8 parent!="none" ] do={ 
  :local newIP;
  :local ipaddress [:tostr [/queue simple get $n target-addresses]];
  :for i from=( [:len $ipaddress] - 1) to=0 do={ 
     :if ( [:pick $ipaddress $i] = "/") do={ 
        :put  [:pick $ipaddress 0 $i];
        :set newIP [:pick $ipaddress 0 $i];
     } 
  }
  :local c [/queue simple get $n name];
  :put $c;
  :if ([:len [/ip firewall filter find comment=$c]] = 0) do={
     /ip firewall filter add chain=forward src-address=$newIP action=accept comment=$c;
  } else={
     :put "already added";
  }
}

Ohhhh, really thanks, guy.

But the script doesn't create the rules, any idea?

And how can I do the scheduler?


Do you have MSN or e-mail?

Where are you from, guy?

Thanks.

OK, added lines to remove the netmask, this should work.

What if you have a queue named 'none'? =) Maybe you should forbid such a name...

Hummm.

The script isn't adding the rules.

Do you know why?


:local ipaddress [:tostr [/queue simple get $n target-addresses]]; → What does the command "tostr" do?

What do you do here?

:for i from=( [:len $ipaddress] - 1) to=0 do={
:if ( [:pick $ipaddress $i] = "/") do={
:put [:pick $ipaddress 0 $i];
:set newIP [:pick $ipaddress 0 $i];
}
}

My MikroTik is version v3.20, will this really be OK?

Really thanks, guy.

Works for me on v3.24

tostr converts the IP address to a string (not necessary in this case, but the script will work anyway)

Queue target-addresses contains a netmask (for example "1.1.1.1/32"), but src-address in the firewall does not allow adding IP addresses with netmasks at the end. So that is what I am doing: removing the netmask.

Hummm.

Thanks, now I understood.

Look where I got to:

:foreach n in=[/queue simple find priority=8 parent!="none"] do={
:local interfacename [/queue simple get $n target-addresses];
:local c [/queue simple get $n name];
:put $c;
:if ([:len [/ip firewall filter find comment=$c]] = 0) do={
/ip firewall filter add chain=forward src-address=$interfacename action=accept comment=$c;
}
}


Now I would like to post a log, for example if the script runs, post a log "Script "name" successful" or not.

How?

Thanks.

At the end of the script add the following line:

:log info "type your log message"

Well, it is hard to make everything foolproof. Just don't use "none" as a queue name.

Hi guys.
Thanks for the help.

Now I have more problems ehehehe, :laughing: .

Let's look at my script until now:


:foreach n in=[/queue simple find priority=8 parent!="none"] do={
:local ipnumber [/queue simple get $n target-addresses];
:local comentario [/queue simple get $n name];
:put $comentario;
:if ([:len [/ip firewall filter find comment=$comentario]] = 0) do={
/ip firewall filter add chain=forward src-address=$ipnumber action=accept comment=$comentario;
:log info "A regra de firewall do queue $comentario com ip $ipnumber foi adicionada com sucesso.";
}
}

This script does some of the things that I want, but not all that I need.

Now I'm into a very hard problem:

When I delete/rename a queue, the firewall rule created by the script isn't removed and isn't renamed, like this:

I delete a queue; when I have deleted this queue, I need the script to verify all the queues, and if a firewall rule exists whose comment isn't equal to a queue name, the script removes the rule. It should do the same thing if a queue is renamed: the script removes the old rule, and afterwards, with a scheduler, the script creates the new rule with the new name.
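As an added example (not code from this thread or from MikroTik), a RouterOS script that covers the sync problem described above together with the three points raised earlier (parent check, idempotent add, scheduler): it removes the rules of deleted or renamed queues and adds whatever is missing. The "qsync:" comment prefix, the script name and a single target address per queue are assumptions.

```routeros
# Added example, not code from the thread. Keeps forward-chain accept rules in
# sync with the simple queues that have a parent, so deleted or renamed queues
# lose their rule and new ones get one. Rules created here carry the comment
# prefix "qsync:" (assumed) so the cleanup step only ever touches its own rules.
:local prefix "qsync:"

# 1. Collect the names of every queue that has a parent, as "|name|" tokens
#    (queue names containing "|" are not expected).
:local names ""
:foreach q in=[/queue simple find parent!="none"] do={
    :set names ($names . "|" . [/queue simple get $q name] . "|")
}

# 2. Remove managed rules whose queue was deleted or renamed.
:local pat ("^" . $prefix)
:foreach r in=[/ip firewall filter find comment~$pat] do={
    :local c [/ip firewall filter get $r comment]
    :local qname [:pick $c [:len $prefix] [:len $c]]
    :if ([:typeof [:find $names ("|" . $qname . "|")]] = "nil") do={
        /ip firewall filter remove $r
        :log info ("qsync: removed rule of vanished queue " . $qname)
    }
}

# 3. Add a rule for each parented queue that has none yet. The comment check
#    keeps this idempotent, so the scheduler can re-run it every few minutes.
:foreach q in=[/queue simple find parent!="none"] do={
    :local qname [/queue simple get $q name]
    :local addr [:tostr [/queue simple get $q target-addresses]]
    # target-addresses carries a netmask such as 10.0.0.5/32; keep the address only
    :local slash [:find $addr "/"]
    :if ([:typeof $slash] != "nil") do={ :set addr [:pick $addr 0 $slash] }
    :local cm ($prefix . $qname)
    :if ([:len [/ip firewall filter find comment=$cm]] = 0) do={
        # "add" appends to the end of the chain: check the resulting order
        # against any existing drop rule in forward
        /ip firewall filter add chain=forward src-address=$addr action=accept comment=$cm
        :log info ("qsync: added rule for queue " . $qname . " (" . $addr . ")")
    }
}
```

Save it as a system script (name assumed here as qsync) and run it every five minutes with /system scheduler add name=qsync interval=5m on-event=qsync, which also answers the scheduler question asked earlier.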