Strange problem with address-list and scripting

krsz · March 26, 2019, 9:23pm

Hello everyone.
I just try make some script with will be cooperate with VRRP. Nothing special. I configured whole firewall on main router and i exported everything to backup router. Now.. I wont to make changes only on main router. So I wrote script:

if ([:len [/file find name=fw_address.rsc]]>0) do={/file remove fw_address.rsc}
if ([:len [/file find name=fw_filter.rsc]]>0) do={/file remove fw_filter.rsc}
if ([:len [/file find name=fw_layer7-protocol.rsc]]>0) do={/file remove fw_layer7-protocol.rsc}
if ([:len [/file find name=fw_mangle.rsc]]>0) do={/file remove fw_mangle.rsc}
if ([:len [/file find name=fw_nat.rsc]]>0) do={/file remove fw_nat.rsc}
if ([:len [/file find name=fw_service-port.rsc]]>0) do={/file remove fw_service-port.rsc}

/tool fetch mode=ftp address=... port=... src-path=fw_address.rsc user=red password=...
/tool fetch mode=ftp address=... port=... src-path=fw_filter.rsc user=red password=...
/tool fetch mode=ftp address=... port=... src-path=fw_layer7-protocol.rsc user=red password=...
/tool fetch mode=ftp address=... port=... src-path=fw_mangle.rsc user=red password=...
/tool fetch mode=ftp address=... port=... src-path=fw_nat.rsc user=red password=...
/tool fetch mode=ftp address=... port=... src-path=fw_service-port.rsc user=red password=...


if ([:len [/file find name=fw_address.rsc]]>0) do={
   foreach i in=[/ip firewall address-list find ] do={
      /ip firewall address-list remove $i
   }
   import fw_address.rsc
}

if ([:len [/file find name=fw_filter.rsc]]>0) do={
   foreach i in=[/ip firewall filter find ] do={
      /ip firewall filter remove $i
   }
   import fw_filter.rsc
}

if ([:len [/file find name=fw_layer7-protocol.rsc]]>0) do={
   foreach i in=[/ip firewall layer7-protocol find ] do={
      /ip firewall layer7-protocol remove $i
   }
   import fw_layer7-protocol.rsc
}

if ([:len [/file find name=fw_mangle.rsc]]>0) do={
   foreach i in=[/ip firewall mangle find ] do={
      /ip firewall mangle remove $i
   }
   import fw_mangle.rsc
}

if ([:len [/file find name=fw_nat.rsc]]>0) do={
   foreach i in=[/ip firewall nat find ] do={
      /ip firewall nat remove $i
   }
   import fw_nat.rsc
}

if ([:len [/file find name=fw_service-port.rsc]]>0) do={
   foreach i in=[/ip firewall service-port find ] do={
      /ip firewall service-port remove $i
   }
   import fw_service-port.rsc
}

Each part of firewall is exported separately because i was looking for problematic part. And i found it. This script sometime (50/50 changes) can’t erase all address-list entry. Script can erase only 20 of those. And exactly first 20 of imported. When i put this part:

 
foreach i in=[/ip firewall address-list find ] do={
      /ip firewall address-list remove $i
}

nothing will be change.
So i can’t understand what is wrong.
Why sometimes whole 31 entry was erased, and why sometime script can erase only 20 and whole script is stopped.
I had the same problem when i exported and imported whole firewall config (/ip firewall export …)

Can somebody help me ?
sorry for my bad English.

BlackVS · April 3, 2019, 11:55am

One notice - tool fetch asynchoronous i.e. returns immediately but not wait until download finished.
Download is done in background.
As variant you importing files which not yet fully downloaded…
To check this just addd something like:

delay 10s

after last tool fetch

krsz · July 30, 2019, 10:25pm

After long time i found problem.
I had one dynamic item. I meant with “address” section directed to dns name. I that case You generate two items. One static and one dynamic. When script will delete static one then dynamic one will gone and it is impossible to erase it. So that will make problem with script.