Move a firewall rule to the end (V4.5)

OriiOn · February 25, 2010, 10:15am

I am trying to come up with a script, that adds 2 new filter rules, and after that makes sure the “drop” rule is moved to the end.

In this script I assume that what ever is at the end of the filter list BEFORE I add my rules, must be the drop rule. So I determine the index of that rule first.

/ip firewall filter
:global dropruleindex ([:len [/ip firewall filter find]]-1)
add action=accept chain=input comment=VPN disabled=no protocol=ipsec-esp
add action=accept chain=input comment=VPN disabled=no protocol=udp src-port=500
move $dropruleindex

However, it appears that the move command ignores the content of the $dropruleindex variable, even though that variables contains the correct index-number. What am I doing wrong? Any other way to achieve this?

SurferTim · February 25, 2010, 11:44am

I do not add or remove the rules. I enable and disable them with a script. Would that be good for you also?

OriiOn · February 25, 2010, 11:53am

Thanks for the reply! That depends how you do it, maybe that holds a hint for me how it could be done in a different way than the approach I am currently using.

So yes please, post a sample of your script

SurferTim · February 25, 2010, 12:08pm

I add a comment to each rule I want enabled or disabled. In this case, I would add the comment “test” to each rule I want to enable/disable.

To enable them:

:local rulelist [/ip firewall filter find comment=test]
:foreach i in=$rulelist do={
    /ip firewall filter enable $i
}

To disable them:

:local rulelist [/ip firewall filter find comment=test]
:foreach i in=$rulelist do={
    /ip firewall filter disable $i
}

Chupaka · February 25, 2010, 1:37pm

or just

/ip firewall filter disable [find comment="test"]

OriiOn · February 25, 2010, 1:57pm

Thanks for the replies. I know the “trick” with setting a comment for the rules, and reference them by their comment name. That works just fine.

However, my goal is to come up with a script that adds those rules right after the first time (self) configuration of the router. At this point all the comments for the filter rules are “default configuration”. I want to avoid having to manually set a comment named “drop” for the drop rule, before I run my script.

I am just a little surprised that the move command does not work when using variables. Presume the “drop” rule would be #3 in the list:

This WORKS:

### this will move number 3 to the end of the filter list
/ip firewall filter move 3

This does NOT work:

:global index 3
/ip firewall filter move $index

SurferTim · February 25, 2010, 2:17pm

I have no experience with adding them, but it may be the move parameter.
Have you tried adding the rule with the “place-before=X” parameter?
X is the line number you want the rule above in the list.
No promises. I haven’t tried it!

OriiOn · February 25, 2010, 3:50pm

In 4.5 move uses the “numbers” and “destination” parameters. But anyway, that does not work either.

However, it gets even more weird. For the “destination” parameter passing a variable seems to work! It’s just that for the “numbers” parameter passing a variable does not work. Btw, with “not work” I mean it fails with “no such item”.

This works:

move numbers=5 destination=$a

This does not work:

move numbers=$a destination=5

dssmiktik · February 26, 2010, 5:03am

It looks like move works with the internal .id and numeric only values (at least from my testing). This worked for me on v4.5:

Your code revised:

/ip firewall filter
add action=accept chain=input comment="VPN1" disabled=yes protocol=ipsec-esp
add action=accept chain=input comment="VPN2" disabled=yes protocol=udp src-port=500
:local fRules
# get current rule set
:set fRules [/ip firewall filter find]

# since we added two rules, move the last two rules up two positions (before last rule)
move [:pick $fRules ([:len $fRules] - 1)] [:tonum ([:len $fRules] - 3)]
move [:pick $fRules ([:len $fRules] - 2)] [:tonum ([:len $fRules] - 3)]

Possibly a better approach: You could simply move all ‘action=drop’ rules to the bottom
The below script will work whether it finds 0, 1, or more drop rules, it will move each of them to the last position in the filter table.

:local dropRules
:local allRules

/ip firewall filter
:set dropRules [find action="drop"]

:foreach f in=$dropRules do={
   :set allRules [/ip firewall filter find]
# Insert our rule just before bottom rule
   move [:toid $f]  [:tonum ([:len $allRules] - 2)]
   :set allRules [/ip firewall filter find]
# swap our rule with bottom rule (making our rule last)
   move [:toid [:pick $allRules ([:len $allRules] - 1)]] [:tonum ([:len $allRules] - 2)]
}

OriiOn · February 26, 2010, 3:12pm

Thank you for your very detailed answer! Both your suggestions work.

Then I gave this a try:

move [find action="drop"]

And it worked also…

jerryroy1 · June 20, 2014, 2:04am

How do I just insert rules between others?

/ip firewall filter
add action=accept chain=input comment=“Netgear Switch access” disabled=no src-address-list=“Netgear Switch Access”
add action=accept chain=input comment=“default configuration” disabled=no dst-port=123 protocol=udp
add action=accept chain=input disabled=no dst-port=22,80,443,8291 protocol=tcp src-address=216.231.192.0/20 ← insert this line here???
add action=accept chain=input disabled=no dst-port=22,80,443,8291 protocol=tcp src-address=216.231.195.0/24
add action=accept chain=input disabled=no dst-port=22,80,443,8291 protocol=tcp src-address=216.231.198.0/24

Also, If this works,

move [find action=“drop”]

Shouldnt this work?

remove [find src-address=“216.231.198.0/24”]

Chupaka · June 20, 2014, 11:04am

use ‘print’, then ‘add action=accept chain=input bla-bla-bla place-before=N’, where N is the number of the rule one from the bottom

sure it works