 
jeroenp
Member Candidate
Topic Author
Posts: 159
Joined: Mon Mar 17, 2014 11:30 am
Location: Amsterdam

[Answered] Where are ip firewall address-list timeout values documented

Wed Oct 12, 2016 6:40 pm

http://wiki.mikrotik.com/wiki/Manual:IP ... dress_list doesn't tell how `timeout` values can be formulated. It only has one example `5m` which I guess is minutes.

What other units or combination of units are possible to specify a valid timeout?

--jeroen
Last edited by jeroenp on Wed Oct 12, 2016 9:19 pm, edited 1 time in total.
 
Splash
Member Candidate
Posts: 159
Joined: Fri Oct 16, 2015 10:09 am
Location: Johannesburg, South Africa

Re: Where are ip firewall address-list timeout values documented

Wed Oct 12, 2016 7:01 pm

Address-List timers work in the same way as any other times made available within Mikrotik.

Examples:
1d 00:00:00 - 1 day or 24hrs
12:00:00 - 12 hours
00:05:00 - 5 min
Example Code:
```
/ip firewall address-list add list=ddd address=2.2.2.2 timeout="1d 00:00:00"
```
MTCNA, MTCRE, MTCINE, MTCTCE, MTCIPv6E, MTCUME, MTCSE
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Where are ip firewall address-list timeout values documented

Wed Oct 12, 2016 8:06 pm

I haven't seen anything specific to the format of these time tokens, but the firewall add-to-address-list timeout is documented here:
http://wiki.mikrotik.com/wiki/Manual:IP ... Properties

You got me interested, so I played around with it and here's what I've found:

It seems to take the same format as any other similar duration-related input I've encountered:
a raw number is interpreted as seconds
You can specify a number as another duration with tokens:
s = seconds (default)
m = minutes
h = hours
d = days
w = weeks

You can combine them in any order - whitespace is ignored, e.g. "2s 2h 2w"

e.g.:
1w2d3h4m5s works
tokens can be in any order (5s4m3h2d1w also works)

Days and weeks just get added together. If you specify 1w8d, this is the same as 2w1d

The last value specified may be in h:m:s format or in h:m (omit seconds)

Interestingly, if you mix and match, they just get added:
"1d 2h 12:30" -> "1d 14:30:00"

Values larger than 536870911 seconds are stored and tracked but when displayed show as 0sec.
(248 days, 13:13:55)

The maximum value is 4294967295 seconds (which is the maximum 32-bit value)
This decodes to: 7101w3d6h28m15s as the largest value....
(7101 weeks is ~136 years counting for leap years, by the way)
When given a spoon,
you should not cling to your fork.
The soup will get cold.
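
The duration rules reported in the post above, modelled as a small parser that can be used to sanity-check timeout strings before a script or API client pushes them to an address list. This is an added example, not MikroTik code and not part of any post; it encodes only the behaviour described in this thread, and `parse_timeout`, `split_units` and the two constants are hypothetical names.

```python
import re

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
MAX_SECONDS = 4294967295     # largest accepted value reported in the thread
DISPLAY_LIMIT = 536870911    # above this the thread reports a "0sec" display

_CLOCK = re.compile(r"(\d+):(\d+)(?::(\d+))?$")   # trailing h:m:s or h:m
_TOKEN = re.compile(r"(\d+)([smhdw]?)\s*")        # number + optional unit


def parse_timeout(text):
    """Total seconds for a timeout string, following the observed rules."""
    rest, total = text.strip(), 0
    clock = _CLOCK.search(rest)
    if clock:  # only the last value may use the colon form
        h, m, s = (int(g or 0) for g in clock.groups())
        total += h * 3600 + m * 60 + s
        rest = rest[:clock.start()].rstrip()
    if not clock and not rest:
        raise ValueError("empty timeout")
    pos = 0
    while pos < len(rest):
        tok = _TOKEN.match(rest, pos)
        if not tok:
            raise ValueError(f"unrecognised timeout text at {rest[pos:]!r}")
        # a bare number counts as seconds; repeated units simply add up
        total += int(tok.group(1)) * UNIT_SECONDS[tok.group(2) or "s"]
        pos = tok.end()
    if total > MAX_SECONDS:
        raise ValueError(f"{total}s exceeds the 32-bit maximum")
    return total


def split_units(seconds):
    """Break seconds into (weeks, days, hours, minutes, seconds)."""
    w, rem = divmod(seconds, 604800)
    d, rem = divmod(rem, 86400)
    h, rem = divmod(rem, 3600)
    m, s = divmod(rem, 60)
    return w, d, h, m, s


if __name__ == "__main__":
    # Constructed sample inputs taken from the forms quoted in this thread.
    for sample in ("5m", "1d 00:00:00", "1w8d", "1d 2h 12:30", "7101w3d6h28m15s"):
        secs = parse_timeout(sample)
        note = " (reported to display as 0sec)" if secs > DISPLAY_LIMIT else ""
        print(f"{sample!r:20} -> {secs:>10}s {split_units(secs)}{note}")
```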
 
jeroenp
Member Candidate
Topic Author
Posts: 159
Joined: Mon Mar 17, 2014 11:30 am
Location: Amsterdam

Re: [Answered] Where are ip firewall address-list timeout values documented

Wed Oct 12, 2016 9:23 pm

Thanks guys. Mikrotik should hire you to improve the documentation.

--jeroen
 
jphconstantin
Frequent Visitor
Posts: 88
Joined: Fri Sep 22, 2017 7:17 pm
Location: Switzerland

Re: [Answered] Where are ip firewall address-list timeout values documented

Wed Nov 15, 2017 8:26 pm

For me, "1d 00:00:00" works but "1w2d3h4m5s" and "1d 2h 12:30" don't work in the winbox. OK in the CLI.
The correct syntax is not described in the wiki!
ccr1009-7g-1c-pc
router os v 6.46.4
 
sindy
Forum Guru
Posts: 5658
Joined: Mon Dec 04, 2017 9:19 pm

Re: [Answered] Where are ip firewall address-list timeout values documented

Sat Mar 24, 2018 4:38 pm

As this seems to be the only place dealing with details of address-list-timeout, I'm adding some observations here.

In my project I needed to monitor connected devices' activity and take some action if it disappears. So I am using firewall filter rules adding the addresses of these devices to dedicated address lists with a timeout, and I am running a script every second which checks for existence of address list items and takes action based on their absence.

However, the items remain in the list for a couple of seconds (about 5) after their timeout value decreases to 0s. So the time needed to notice the disappearance of network activity of a device is those 5 seconds higher than expected.

This is true as of 6.42rc49 / March 2018, may change in future.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
