[Mikrotik follow-up needed] Address Lists

jeroenp · October 10, 2016, 3:57pm

A few things I wonder after reading http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Address_list are these:

Can you recurse Address Lists?

For example, does this work?

/ip firewall address-list add list=LAN_local address=192.168.71.0/24
/ip firewall address-list add list=LANs_remote address=192.168.124.0/24
/ip firewall address-list add list=LANs_remote address=192.168.171.0/24
/ip firewall address-list add list=LANs_remote address=192.168.172.0/24
/ip firewall address-list add list=LANs_remote address=192.168.178.0/24
/ip firewall address-list add list=LANs_all address=LAN_local
/ip firewall address-list add list=LANs_all address=LANs_remote

Can you use Address Lists outside the firewall realm?

For instance under /ip service in the address field or in static IP addresses.

–jeroen

ZeroByte · October 10, 2016, 5:41pm

No. Text supplied in the address field is interpreted as a hostname, which will be resolved in DNS and the results added to the list as dynamic entries having a timeout value equal to the TTL received in the DNS response.

pe1chl · October 10, 2016, 6:23pm

Support for this could probably be added easily, as the underlying Linux ipset mechanism already supports it:

list:set
The list:set type uses a simple list in which you can store set names.

By the ipset commad you can add, delete and test set names in a
list:set type of set.

By the set match or SET target of netfilter you can test, add or delete
entries in the sets added to the list:set type of set.