"No such item (4)" while counting connections

voltsifer · September 22, 2018, 12:56pm

Hello!
Please help me understand why I get “no such item” error in this code:

[admin1@MT1] > /ip firewall connection print count-only where dst-address~"1.1.1.1|2.2.2.2|3.3.3.3|4.4.4.4|5.5.5.5"
212
no such item (4)
[admin1@MT1] > /ip firewall connection print count-only where dst-address~"1.1.1.1|2.2.2.2|3.3.3.3|4.4.4.4|5.5.5.5"
413
[admin1@MT1] > /ip firewall connection print count-only where dst-address~"1.1.1.1|2.2.2.2|3.3.3.3|4.4.4.4|5.5.5.5"
268
no such item (4)
[admin1@MT1] > /ip firewall connection print count-only where dst-address~"1.1.1.1|2.2.2.2|3.3.3.3|4.4.4.4|5.5.5.5"
413

ADahi · September 22, 2018, 6:28pm

/ip firewall connection print count-only where dst-address~"[1-5]+\\.[1-5]+\\.[1-5]+\\.[1-5]+"

OR

/ip firewall connection print count-only where (dst-address~"1.1.1.1" || dst-address~"2.2.2.2" || dst-address~"3.3.3.3" || dst-address~"4.4.4.4" || dst-address~"5.5.5.5")

voltsifer · September 23, 2018, 11:41am

Thanks for your explanation, but it does not solve the problem.
In fact, I get “no such item” error even without using logical operations and searching for a single IP address.

[admin1@MT1] > /ip firewall connection print count-only where dst-address="1.1.1.1"
0
no such item (4)
[admin1@MT1] > /ip firewall connection print count-only where dst-address="1.1.1.1"
0
[admin1@MT1] > /ip firewall connection print count-only where dst-address~"1.1.1.1"
235
no such item (4)
[admin1@MT1] > /ip firewall connection print count-only where dst-address~"1.1.1.1" 
436

It is interesting that the problem occurs only in about half the cases.

Also, it is related to the number of entries in the connection table.
The more entries - the higher the probability of “no such item” error.

pe1chl · September 23, 2018, 12:04pm

Likely the “where” clause is walking through the connections list and while it is doing so some connections disappear.
The more users/connections you have, the more likely that probably is to occur.

This is always a problem in such “first/next” walking through lists that are not static.
Whether that should have been covered in RouterOS and handled invisibly from the users is a matter for debate…

voltsifer · September 23, 2018, 12:29pm

The main problem is that this error terminates the script execution and I do not understand how to ignore this error.
Suppose I have this script:

  ... Some code ....
/ip firewall connection print count-only where dst-address~"1.1.1.1" 
Getting "no such item" - Script terminating.
  ... Some code - 2 ....

The code “Some code - 2” will not be executed.

Is it possible to force ROS ignore “no such item” error and continue code execution?

pe1chl · September 23, 2018, 1:41pm

You should read the manual on Scripting before attempting anything serious… because there are so many pitfalls!
https://wiki.mikrotik.com/wiki/Manual:Scripting#Catch_run-time_errors
https://wiki.mikrotik.com/wiki/Manual:Scripting_Tips_and_Tricks

voltsifer · September 23, 2018, 2:20pm

Thanks for reply.
I tried do {} on-error = {}
But it did not solve my problem.

Code:

:global result

:log info ("Step1")
:do {
      :set result [/ip firewall connection print count-only where dst-address~":80"];
} on-error={:log info ("Error1")};
:log info ("Result1: $result")

:log info ("Step2")
:do {
      :set result [/ip firewall connection print count-only where dst-address~":80"];
} on-error={:log info ("Error2")};
:log info ("Result2: $result")

Result:

[admin1@MT1] > 
17:15:49 echo: script,info Step1
[admin1@MT1] > 
17:16:07 echo: script,error script error: no such item (4)

The script is terminated. (((

Is there something wrong with my code?

On the low-loaded Mikrotik this code is executed successfully…

nostromog · September 23, 2018, 3:27pm

I think using

:set result [:len [/ip firewall connection find where dst-address~":80"]]

is cleaner. And in my experience, for some arcane reason, avoids the non-atomic list traversal.

voltsifer · September 23, 2018, 3:45pm

On Router (CRS125-24G-1S-2HnD) with 200 active connection entries:

[admin1@MikroTik] > :put [:len [/ip firewall connection find where dst-address~":80"]]          
4
[admin1@MikroTik] >

On Router (CCR1036-12G-4S) with 80000 active connection entries:

[admin1@MT1] > :put [:len [/ip firewall connection find where dst-address~":80"]]
no such item (4)
[admin1@MT1] >

Any ideas?

mrz · September 25, 2018, 8:35am

Connection tracking is large periodically changing table. While processing entries that entry could already be removed, so you will get no such item.

pe1chl · September 25, 2018, 9:09am

That is what I expected, but why is the error not handled by do {} on-error = {} ?

voltsifer · September 26, 2018, 12:45pm

Is it possible to perform a search in large periodically changing table without errors?

[admin1@MT1] > /ip firewall connection print where dst-address~":80"
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat 
 #          PROTOCOL SRC-ADDRESS           DST-ADDRESS           TCP-STATE   TIMEOUT     ORIG-RATE REPL-RATE ORIG-PACKETS REPL-PACKETS      ORIG-BYTES      REPL-BYTES
 0  SAC  s  tcp      172.16.9.21:49346     203.119.201.254:80    established 17m58s           0bps      0bps          233          244          15 214          15 212
 1  SAC     tcp      x.x.x.x:7178   162.252.21.64:80      established 19m54s           0bps      0bps          908          908          37 228          36 320
 2  SAC  s  tcp      172.16.12.110:49003   185.221.47.112:80     established 19m59s      269.0kbps  19.7Mbps    3 182 536    7 845 361     134 840 136  11 591 313 145
 3  SAC  s  tcp      172.16.8.82:41163     140.205.195.98:80     established 19m38s           0bps      0bps          188          183          12 856          12 004
 4  SAC     tcp       x.x.x.x:50112   77.234.43.26:80       established 17m6s            0bps      0bps          118          199          20 810         112 745
 5  SAC     tcp       x.x.x.x:57974  203.119.205.0:80      established 17m19s           0bps      0bps          923        1 764          73 454         108 782
 6  SAC     udp       x.x.x.x:35529   47.91.93.96:8000                  1m19s            0bps      0bps        4 310        4 297         310 320         274 768
 7  SAC     tcp       x.x.x.x:58013  47.254.151.183:8080   established 18m32s           0bps      0bps        3 088        1 739         186 779         178 340
......................

Thats ok!

But

:put [/ip firewall connection find dst-address~":80"]
no such item (4)

WHY???
Is there another way to search the large connection table that does not cause errors?