Script doesn't work

dragon2611 · July 29, 2011, 9:53pm

I have a couple of scripts that’s triggered by netwatch that quite simply turns on a mangle rule to tag packets to take a different route if one of my Wan connections drops.

The ones “BEup” and “BEdown” function as expected , the other 2 do not seem to actually do anything when run regardless of if they’re run by netwatch or manually by me.

Yet copying the content of the script and running it in the CLI works fine

here are the scripts.

[admin@MikroTik] > system script print from=BEup
Flags: I - invalid
 0   name="BEup" owner="admin" policy=read,write
     last-started=jul/29/2011 21:33:41 run-count=5
     source=/ip firewall mangle enable numbers=0 ;

[admin@MikroTik] > system script print from=BEdown
Flags: I - invalid
 0   name="BEdown" owner="admin" policy=read,write
     last-started=jul/29/2011 21:33:39 run-count=3
     source=/ip firewall mangle disable numbers=0 ;

[admin@MikroTik] > system script print from=Otherup
Flags: I - invalid
 0   name="Otherup" owner="admin" policy=read,write,policy
     last-started=jul/29/2011 21:43:28 run-count=19
     source=/ip firewall mangle disable numbers=1;
[admin@MikroTik] >

[admin@MikroTik] > system script print from=Otherdown
Flags: I - invalid
 0   name="Otherdown" owner="admin" policy=read,write,policy
     last-started=jul/29/2011 21:39:51 run-count=37
     source=/ip firewall mangle enable numbers=1 ;
[admin@MikroTik] >

I’ve tried changing the policy settings on the 3rd-4th ones to match the first 2 (forgot to set them back) but didn’t seem to make any difference.

Presume I’ve done something wrong.

fewi · July 29, 2011, 10:31pm

Don’t use numbers in scripts. Numbers are only for interactive use. Instead, set a comment on the mangle rule, and find it programmatically in your script via the comment, and then disable/enable the found item.

By way of example:

/ip firewall mangle
add chain=prerouting action=accept comment="this is the rule"

The below in a script disables that rule:

/ip firewall mangle { disable [find comment="this is the rule"] };

dragon2611 · July 29, 2011, 10:36pm

Oh right.

I’d have thought referencing the numeric ID for the rule would be a lot less resource intensive than searching for a comment.

The only reason I can presume they disallow this is in case rules get re-orderd?

fewi · July 29, 2011, 10:44pm

There’s that, though it’s not disallowed. The real reason as I understand it that numbers might not work is that the numbers are generated by the CLI on the fly for interactive reference.

If you run this on the CLI:

:put [/ip firewall mangle find comment="this ist the rule"]

you’ll find you get back an odd looking value such as “*1”. That’s the actual reference to the configuration item, it’s a pointer in the classic sense. When you issue a “print” command the router dynamically generates numbers for humans to use that map to those pointers, so those numbers are then good for a human to use. A scheduled script doesn’t run in that environment, so the numbers haven’t been generated. People used to “print” in scripts first, and then use numbers. If you simply use a find command you’re guaranteed to get the correct pointer to the configuration object. I tend to use find commands in all my scripts I run manually in the CLI as well, just to get around re-ordering issues. It isn’t much more to type, and unlike the numbers it is entirely unambiguous. Unless you have HUGE lists of configuration items to traverse the hit on resources to find the item is negligible - and if you have that many mangle rules you’re having CPU issues, anyway, just during packet processing of those rules. Not using find commands for resource reasons in my opinion would be very premature optimization.