ilium007
Member Candidate
Topic Author
Posts: 206
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Scripted firewall rule ordering fails

Wed Sep 16, 2020 10:14 am

[admin@router01] > /system/routerboard/print
       routerboard: yes
             model: RBD53G-5HacD2HnD
     serial-number: C8CA0CB0B626
     firmware-type: ipq4000L
  factory-firmware: 7.0beta6
  current-firmware: 7.0beta6
  upgrade-firmware: 7.1beta2
[admin@router01] >

Due to the backup recovery issue I'm facing, I decided to put together a bunch of commands to rebuild the router until I can get the recovery to work, as it is taking a long time to rebuild the router between testing attempts.

I need to order firewall rules for my Wireguard instance.

There is an existing rule #3 that I want to put all Wireguard rules in front of:
[admin@router01] > /ip/firewall/filter/print
Flags: X - disabled, I - invalid; D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp

 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1

 5    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN

 6    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec

 7    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec

 8    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related

 9    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked

10    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid

11    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
[admin@router01] >

I decided to use the "place-before" argument and place all rules in front of existing rule #3 and leave the rule I want at #3 to be the last rule imported like this:
/ip firewall filter add action=accept chain=input comment="wireguard accept dns" dst-port=53 in-interface=wireguard1 protocol=udp place-before=3
/ip firewall filter add action=accept chain=input comment="wireguard accept ssh" dst-port=22 in-interface=wireguard1 protocol=tcp src-address-list=support place-before=3
/ip firewall filter add action=accept chain=input comment="wireguard accept winbox" dst-port=8291 in-interface=wireguard1 protocol=tcp src-address-list=support place-before=3
/ip firewall filter add action=accept chain=input comment="wireguard accept http/https" dst-port=80,443 in-interface=wireguard1 protocol=tcp src-address-list=support place-before=3
/ip firewall filter add action=accept chain=forward comment="wireguard accept to lan" dst-address=192.168.10.0/24 in-interface=wireguard1 src-address-list=support place-before=3
/ip firewall filter add action=accept chain=input comment="wireguard accept" dst-port=13231 in-interface=lte1 protocol=udp place-before=3

I expected that by doing the above the rule "wireguard accept" should have ended up at position number 3, but it doesn't; it ends up at the bottom of the block, as if it is still evaluating "3 ;;; defconf: accept ICMP" as being at position #3.


I end up with this:
[admin@router01] > /ip/firewall/filter/print
Flags: X - disabled, I - invalid; D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid

 3    ;;; wireguard accept dns
      chain=input action=accept protocol=udp in-interface=wireguard1 dst-port=53

 4    ;;; wireguard accept ssh
      chain=input action=accept protocol=tcp src-address-list=support in-interface=wireguard1 dst-port=22

 5    ;;; wireguard accept winbox
      chain=input action=accept protocol=tcp src-address-list=support in-interface=wireguard1 dst-port=8291

 6    ;;; wireguard accept http/https
      chain=input action=accept protocol=tcp src-address-list=support in-interface=wireguard1 dst-port=80,443

 7    ;;; wireguard accept to lan
      chain=forward action=accept dst-address=192.168.10.0/24 src-address-list=support in-interface=wireguard1

 8    ;;; wireguard accept
      chain=input action=accept protocol=udp in-interface=lte1 dst-port=13231

 9    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp

10    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1

11    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN

12    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec

13    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec

14    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related

15    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked

16    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid

17    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
[admin@router01] >
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Scripted firewall rule ordering fails

Wed Sep 16, 2020 11:19 am

When I look at your result, the order is the same as you pushed it in, so try it in reverse order and see what the result is then.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Scripted firewall rule ordering fails

Wed Sep 16, 2020 11:49 am

It is not possible to use ordering sequence numbers in a script! These are only valid in terminal sessions, and only after a print command.
When you do a print on the terminal, it shows you the lines with the numbers and at the same time builds a table of numbers and the corresponding line.
Then you can refer to those numbers in commands, and they are translated back to the references to the lines.

In a script this is not done, so you cannot use line numbers in scripts.
The way to do this is to place a comment on the line you want to reference, and then use [find where comment="xxx"] to refer to it.
 
ilium007
Member Candidate
Topic Author
Posts: 206
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Re: Scripted firewall rule ordering fails

Wed Sep 16, 2020 11:53 am

It is not possible to use ordering sequence numbers in a script!

Wow ok! So I guess I'm confused by the point of "place-before" if rules can't be referenced by an array index number.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Scripted firewall rule ordering fails

Wed Sep 16, 2020 12:19 pm

You can use place-before but you should not use a line number.
E.g. use place-before=[find where comment="xxx"]
You should agree that this is much better than using a line number when it is done in a script. The script cannot know if other lines have been inserted by the admin that move the line number, but the comment will stay at the same place.
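The approach from this reply applied to the rules in the original post, as an added example (not pe1chl's or MikroTik's own code): the anchor is found by its default-config comment "defconf: accept ICMP" as shown in the OP's print output, and the script stops if that anchor is missing or matched more than once. Interface names, ports and the "support" address list are taken from the OP's commands.

```routeros
# Added example: insert the OP's six rules ahead of the ICMP rule, keyed on
# the anchor rule's comment rather than its print index. Assumes the
# default-config comment "defconf: accept ICMP" is present exactly once.

:local anchor "defconf: accept ICMP"

# Stop before touching the firewall if the anchor cannot be resolved to one
# rule; place-before with no (or an ambiguous) id gives no ordering guarantee.
:if ([:len [/ip firewall filter find where comment=$anchor]] != 1) do={
    :error ("expected exactly one rule with comment \"" . $anchor . "\"")
}

# Each add lands directly above the anchor, so the rules keep the order they
# are added in and all sit before the ICMP rule, wherever an admin has moved it.
/ip firewall filter add chain=input action=accept protocol=udp \
    in-interface=wireguard1 dst-port=53 comment="wireguard accept dns" \
    place-before=[/ip firewall filter find where comment=$anchor]
/ip firewall filter add chain=input action=accept protocol=tcp \
    src-address-list=support in-interface=wireguard1 dst-port=22 \
    comment="wireguard accept ssh" \
    place-before=[/ip firewall filter find where comment=$anchor]
/ip firewall filter add chain=input action=accept protocol=tcp \
    src-address-list=support in-interface=wireguard1 dst-port=8291 \
    comment="wireguard accept winbox" \
    place-before=[/ip firewall filter find where comment=$anchor]
/ip firewall filter add chain=input action=accept protocol=tcp \
    src-address-list=support in-interface=wireguard1 dst-port=80,443 \
    comment="wireguard accept http/https" \
    place-before=[/ip firewall filter find where comment=$anchor]
/ip firewall filter add chain=forward action=accept \
    src-address-list=support in-interface=wireguard1 \
    dst-address=192.168.10.0/24 comment="wireguard accept to lan" \
    place-before=[/ip firewall filter find where comment=$anchor]
/ip firewall filter add chain=input action=accept protocol=udp \
    in-interface=lte1 dst-port=13231 comment="wireguard accept" \
    place-before=[/ip firewall filter find where comment=$anchor]

# Show the result; the wireguard rules should all appear above the anchor.
/ip firewall filter print where chain=input
```

Because every insert is relative to the same anchor rule, the script behaves the same whether it is pasted into a terminal or run from /system script, and regardless of how many rules precede the anchor.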
 
ilium007
Member Candidate
Topic Author
Posts: 206
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Re: Scripted firewall rule ordering fails

Wed Sep 16, 2020 12:23 pm

You should agree that this is much better than using a line number when it is done in a script.

I suppose it is. Thanks.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Scripted firewall rule ordering fails

Wed Sep 16, 2020 2:33 pm

I have used "print without-paging" (runs in a script) and comment tagging in the past; however, I am doing it differently by using a "find dynamic" rule as list generator, and it works like a dream. I think it will also work when no dynamic rules are present, and then it would be 0+2=2
add place-before=("$[:len [find dynamic]]"+2).............
I use this to be able to adapt to the changing number of dynamic lines in NAT due to several IKEv2 connections.

Update:
My obsolete thought script part:
     /ip firewall nat;\
     print without-paging; # to have a correct line numbers in the table
Update 2:
Oops, I am still using "print without-paging" in my active script so this generates for me the line numbers needed! And not the "find dynamic".

Update 3:

I found also the support request to Mikrotik on this:
Thank you for contacting MikroTik Support.

Adding print to the script is the correct way of letting the script know which line is currently used and based on that it will recognize and use it for inserting the next item.
Last edited by msatter on Wed Sep 16, 2020 3:08 pm, edited 5 times in total.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Scripted firewall rule ordering fails

Wed Sep 16, 2020 2:45 pm

It is not possible to use ordering sequence numbers in a script! These are only valid in terminal sessions, and only after a print command.
When you do a print on the terminal, it shows you the lines with the numbers and at the same time builds a table of numbers and the corresponding line.
Then you can refer to those numbers in commands, and they are translated back to the references to the lines.

In a script this is not done, so you cannot use line numbers in scripts.
The way to do this is to place a comment on the line you want to reference, and then use [find where comment="xxx"] to refer to it.
And how about "print without-paging" in a script?
