Very simple script to enable/disable rules

Hi everybody. This little script works perfectly, but only with chain 0; when I try to enable/disable chain 1, it doesn't work. I have only two chains in /ip firewall filter. Remember, it WORKS perfectly with chain 0 but doesn't with chain 1; it simply does nothing with chain 1.

[admin@router-gelo] > /ip firewal filter pr
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; 208
chain=input action=drop protocol=icmp dst-address=192.168.208.1

1 X ;;; 209
chain=input action=drop protocol=icmp dst-address=192.168.209.1



THIS WORKS PERFECTLY
:global activa208 ([/interface get [/interface find name="ether1-aba208"] disabled]);
:log info "eth1-208 DOWN: $activa208";
:if ($activa208) do={/ip firewall filter enable numbers=0} else={
/ip firewall filter disable numbers=0};

THIS DOESN'T WORK, I ONLY CHANGE THE NUMBERS=0 FOR 1

:global activa208 ([/interface get [/interface find name="ether1-aba208"] disabled]);
:log info "eth1-208 DOWN: $activa208";
:if ($activa208) do={/ip firewall filter enable numbers=1} else={
/ip firewall filter disable numbers=1};

thanks

What version are you using? Does the second script log the “eth1-208 DOWN: $activa208” part, or is it only the disable rule part that does not work? What is the result if you paste it directly into the terminal? Also, I suggest checking the script policies.

Instead of /ip firewall filter disable numbers=1, use the following command:

/ip firewall filter disable [find comment="209"];

Hello, as mrz suggested, it works perfectly; it's the way I have already implemented it, but I just want an easy and direct way, without adding a comment. But why doesn't it work with 1?

Because ‘numbers’ isn’t a valid parameter. Try it without the ‘numbers=’ part:

/ip firewall filter disable 1

Thanks for your help. As I said, with numbers=0 it works perfectly. I tried with and without numbers= but with parameter 1, and it doesn't work.

Like he said, because it’s not correct. Use what mrz suggested.

Numbers, even if they work once, won't work forever. If you introduce any new rule and move it somewhere, all your scripts will disable/enable the wrong rules. That is why you have to use the find clause and get rules another way.

In the API you can get permanent entry IDs and then work with them; they won't change, not even after a reboot (for static interfaces).

OK acknowledge boss, thanks a lot, my doubt is now clear…

Could someone help please?

Don’t understand at all, what’s wrong with if-do-else. Looks like something wrong with do expression. = after do is highlighted

[Antdm1n@MikroTik] /ip firewall filter>> if ( [find comment="test"] disabled = yes) do={ enable [find comment="test"] } else={disable [find comment="test"]}
syntax error (line 1 column 46)

I want to enable/disable commented rule with one command.

Try this:

:if ([get [find comment="test" ] disabled ]=true) do={...

There may be a shorter way to do this, but this should also work:

:if ([get [find comment="test" ] disabled ]) do={...

Missing : before if,
missing “get” to obtain the “disabled” status
missing on get…disabled
missing (for me) where after find
= yes can be omitted, as @Jotne says,

but I do not like errors, so I added a section to check if “test” exists…
It must exist only one time, or “get” gives errors if it does not exist or if multiple rules with test as comment are present.


/ip firewall filter
:if ([:len [find where comment="test"]] = 1) do={
    :if ([get [find where comment="test"] disabled]) do={
        enable [find where comment="test"]
    } else={
        disable [find where comment="test"]
    }
}

or simply:

/ip firewall filter
:foreach r in=[find where comment="test"] do={
    :if ([get $r disabled]) do={
        enable $r
    } else={
        disable $r
    }
}

In this way more rules with “test” can be present.
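
The pieces of this thread put together as one script (an added example, not code from any poster): the interface check from the first post drives the rule state, and the rule is located by comment instead of by number. The interface name and the comment come from the first post; the log prefix "rule-toggle" is an assumption made for this example.

```routeros
# Added example, not from the thread. Names are taken from the first post:
# interface "ether1-aba208" and a filter rule carrying the comment "208".
# The log prefix "rule-toggle" is made up for this example.
:local ifName "ether1-aba208"
:local ruleComment "208"

# Resolve both at run time by name/comment, never by print number.
:local ifIds [/interface find where name=$ifName]
:local ruleIds [/ip firewall filter find where comment=$ruleComment]

:if ([:len $ifIds] != 1) do={
    # Without the interface there is no state to act on: change nothing.
    :log warning "rule-toggle: interface $ifName not found, rules left unchanged"
} else={
    :if ([:len $ruleIds] = 0) do={
        # A renamed or deleted comment would otherwise go unnoticed.
        :log warning "rule-toggle: no filter rule with comment $ruleComment"
    } else={
        :local ifDown [/interface get [:pick $ifIds 0] disabled]
        :foreach r in=$ruleIds do={
            # Same logic as the first post: rule enabled while the interface is disabled.
            :if ($ifDown) do={
                /ip firewall filter enable $r
            } else={
                /ip firewall filter disable $r
            }
        }
        :log info "rule-toggle: rules with comment $ruleComment updated, interface disabled=$ifDown"
    }
}
```

A drop rule that is not found leaves a warning in the log instead of the script doing nothing, which is the failure the first post ran into.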