Modyfing firewall rule with API

RouterOS Scripting
1

Hi,

I’m trying to find a way to do the following:
For example, I have dnat rule

[admin@MikroTik] > ip firewall nat  print
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=dstnat action=dst-nat to-addresses=172.17.2.1 to-ports=2404 protocol=tcp src-address=10.0.0.5 dst-address=10.0.0.1 dst-port=2404

I need a way to modify this rule and remove src-address and/or dst-address from it. Not replace it with something else, just remove.
When I use API call /ip/firewall/nat/set not specifying the addresses it just edits parts that I did specify, leaving src-address and dat-address intact.
What is the right way to do what I want?

2

add some way how to recognize it, like comment, get ID value, using the ID alter settings.

3

I didn’t quite understood you.
What I do is issue the command

/ip/firewall/nat/print

and receive the result

!re=
=.id=*8
=chain=dstnat
=action=dst-nat
=to-addresses=172.17.2.1
=to-ports=2404
=protocol=tcp
=src-address=10.0.0.5
=dst-address=10.0.0.1
=dst-port=2404
=invalid=false
=dynamic=false
=disabled=false

after that I try to modify this rule

/ip/firewall/nat/set
=.id=*8
=chain=dstnat
=action=dst-nat
=to-addresses=172.17.2.1
=to-ports=2404
=protocol=tcp
=dst-port=2404

And it won’t get modified at all.
If I try to issue command

/ip/firewall/nat/set
=.id=*8
=chain=dstnat
=action=dst-nat
=to-addresses=172.17.2.1
=to-ports=2404
=protocol=tcp
=src-address=
=dst-address=
=dst-port=2404

I get the error:

ERROR: value of range expects range of ip addresses; value of range expects range of ip addresses;

What I need to know is what do I pass as a parameter to clear src-address and dst-address?

4

What’s printed out, and what you modify seem to be the same things, so the fact they’re not modified seems like the right thing to have happened. When you use “set”, properties that are not modified stay the same, and in your case, all other properties are the same anyways.

As for that last error message… src-address and dst-address must be an IP range (e.g. 10.0.0.1/32). They can’t be an empty value.

If you want to unset them, you need to use the “unset” command, e.g.

/ip/firewall/nat/unset
=numbers=*8
=value-name=src-address
5

That’s exactly what I needed, thanks! Somehow I missed the unset command :frowning:
One more thing. In your example you used “=numbers=*8” parameter. I use “=.id=*8”
Is it the same, or there are some differences?

6

it is the same.