 
rextended
Forum Guru
Topic Author
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

BUG or not BUG? /ip firewall nat add chain=[dstnat|srcnat]

Fri Jul 30, 2021 5:50 pm

Is it a BUG that a (useless?) NAT rule can be created with
/ip firewall nat add chain=dstnat
# OR
/ip firewall nat add chain=srcnat

Why doesn't the CLI ask for at least one action?

On WinBox this can't happen because by default the action is declared.

If anyone knows why and what it is for, please explain.

Thank you all.
 
anav
Forum Guru
Posts: 18960
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: BUG or not BUG? /ip firewall nat add chain=[dstnat|srcnat]

Fri Jul 30, 2021 6:41 pm

Because they expect you to know better if you are using CLI ?? ;-PPP
They know I will need help (being a winbox user). :-)

Winbox user:
trainingwheels.jpg

CLI user:
 
rextended
Forum Guru
Topic Author
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: BUG or not BUG? /ip firewall nat add chain=[dstnat|srcnat]

Fri Jul 30, 2021 7:00 pm

Ok... this is my keyboard... It is full of snippets / passwords / usernames... It has 12 keys x 3 banks of memory...
logitech-g110-4.jpg
With that keyboard it is really easy to open dozens of CLIs and paste commands without API, SSL, etc.....
The snippets, usernames, passwords, etc. are saved in PC memory; if someone steals the keyboard, they still do not have the... keys :lol:
 
andriys
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: BUG or not BUG? /ip firewall nat add chain=[dstnat|srcnat]

Sat Jul 31, 2021 10:40 am

The default action is "accept" (here's a documentation link), so those rules are not useless at all.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: BUG or not BUG? /ip firewall nat add chain=[dstnat|srcnat]

Sat Jul 31, 2021 10:47 am

Correct, the default action is the same whether using CLI or Winbox...
 
anav
Forum Guru
Posts: 18960
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: BUG or not BUG? /ip firewall nat add chain=[dstnat|srcnat]

Sat Jul 31, 2021 6:17 pm

Good to know!
I am going to start using drop all else rules at the end of the NAT chain, just so I am not as lazy as rextended as I like positive affirmation of what the action is...... ;-)
 
rextended
Forum Guru
Topic Author
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: BUG or not BUG? /ip firewall nat add chain=[dstnat|srcnat]

Sat Jul 31, 2021 6:58 pm

> The default action is "accept" (here's a documentation link), so those rules are not useless at all.

> Correct, the default action is the same whether using CLI or Winbox...

As usual, the answers are given without reading what one has written,
or at least they give the impression that one has answered without reading.

I didn't ask what the default action for action is, but if inserting a NO ACTION rule is a BUG or does something ...

The "default action" when is NOT ACTION?

If I export the rules:
/ip firewall nat add chain=dstnat
/ip firewall nat add chain=srcnat
action DOES NOT APPEAR
In WinBox the action appears with "accept" inside only because in WinBox the field can't be set empty, and when opening the rule the field is simply not removed
 
andriys
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: BUG or not BUG? /ip firewall nat add chain=[dstnat|srcnat]

Sat Jul 31, 2021 11:15 pm

> I didn't ask what the default action for action is, but if inserting a NO ACTION rule is a BUG or does something ...
C'mon! You are playing on words, aren't you?

And in case you are not, action in a firewall filter/NAT/mangle rule is nothing more than just another parameter. The default value of a parameter, by the very definition, is what becomes active when that parameter is omitted (i.e. not explicitly specified).
 
anav
Forum Guru
Posts: 18960
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: BUG or not BUG? /ip firewall nat add chain=[dstnat|srcnat]

Sun Aug 01, 2021 12:43 am

Hi andriys, this is a good point you are making, and not intuitively clear.
Having it stated in the documentation would be of benefit to many.

My guess is that many people would assume that the parameter is applied in the default config sourcenat rule with action=accept when reading the MT file.
I don't believe many would think that if there is no action parameter then we should assume there is actually an invisible action parameter in effect with an action of accept.
 
rextended
Forum Guru
Topic Author
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: BUG or not BUG? /ip firewall nat add chain=[dstnat|srcnat]

Sun Aug 01, 2021 2:27 am

> C'mon! You are playing on words, aren't you?
No no, I am not joking; please consider the fact that I may not explain well because of language...

paste this on terminal
/ip firewall nat
add chain=dstnat
add chain=srcnat

and when "/ip fire nat export verbose"
/ip firewall nat
add chain=dstnat
add chain=srcnat

or with "/ip fire nat export verbose terse"
/ip firewall nat add chain=dstnat
/ip firewall nat add chain=srcnat

no "action" parameters...

In verbose, default values not exported with compact are usually displayed too, but in this case... nothing....

Why do you think I joke?
Everyone can try....
 
anav
Forum Guru
Posts: 18960
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: BUG or not BUG? /ip firewall nat add chain=[dstnat|srcnat]

Sun Aug 01, 2021 3:14 am

The invisible parameter strikes again...........
 
andriys
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: BUG or not BUG? /ip firewall nat add chain=[dstnat|srcnat]

Sun Aug 01, 2021 12:36 pm

> My guess is that many people would assume that the parameter is applied in the default config sourcenat rule with action=accept when reading the MT file.
I don't think I understand what you meant here.

> I don't believe many would think that if there is no action parameter then we should assume there is actually an invisible action parameter in effect with an action of accept.
Any rule has some effect. Any rule consists of filters, which define what packets this rule should be applied to, and action, which defines what to do. Both filters and actions are defined by the corresponding parameters. And the action parameter is not the only parameter that defines action. For example the to-addresses and to-ports parameters also define/shape action. When some parameter is not specified it is either an error (when no reasonable default value exists/defined) or the default value is applied (assumed). There is nothing unique to RouterOS here.

> In verbose, default values not exported with compact are usually displayed too, but in this case... nothing....
Well, I would probably consider this an export bug.
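
Added example, not part of any post in this thread: since the export leaves out action= for these rules, a config review can parse the export and flag every NAT rule whose action is only implied. The function names and the sample export are constructed for illustration, "accept" is the default as stated in the thread, and shlex is used as an approximation of RouterOS quoting.

```python
import shlex

NAT_MENU = "/ip firewall nat"
DEFAULT_ACTION = "accept"  # default named in the thread; assumed when action= is absent

# Constructed sample: both export layouts from the thread plus an explicit, wrapped rule.
SAMPLE_EXPORT = """\
/ip firewall nat
add chain=dstnat
add action=masquerade chain=srcnat comment="to WAN" \\
    out-interface=ether1
/ip firewall filter
add chain=input
/ip firewall nat add chain=srcnat
"""

def logical_lines(text):
    """Join physical lines that the export wrapped with a trailing backslash."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        yield buf + line
        buf = ""

def nat_rules(text):
    """Yield the parameter dict of every 'add' under /ip firewall nat, in order."""
    menu = None
    for line in logical_lines(text):
        if line.startswith("/"):
            # Bare menu line, or terse form "<menu> add key=value ..."
            menu, _, rest = line.partition(" add ")
            menu, line = menu.strip(), ("add " + rest if rest else "")
        if menu == NAT_MENU and line.startswith("add "):
            tokens = shlex.split(line[4:])
            yield dict(t.split("=", 1) for t in tokens if "=" in t)

def audit(text):
    """Report each NAT rule's effective action and whether it was only implied."""
    return [
        {"position": i, "chain": p.get("chain"),
         "action": p.get("action", DEFAULT_ACTION), "implicit": "action" not in p}
        for i, p in enumerate(nat_rules(text))
    ]

if __name__ == "__main__":
    print(*audit(SAMPLE_EXPORT), sep="\n")
```

The position is the rule's order among the NAT rules in the export text; rules flagged implicit are the ones to rewrite with an explicit action= so the configuration documents its own behaviour.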
 
rextended
Forum Guru
Topic Author
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: BUG or not BUG? /ip firewall nat add chain=[dstnat|srcnat]

Sun Aug 01, 2021 2:49 pm

> ...I would probably consider this an export bug....
Thanks, I had not thought about that, and it is more plausible...
 
anav
Forum Guru
Posts: 18960
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: BUG or not BUG? /ip firewall nat add chain=[dstnat|srcnat]

Sun Aug 01, 2021 4:51 pm

Understood, so the verbose bit is probably a bug, not invisible, just not recorded where it should be.
Implied anything is always a bit tricky, it means one has to remember that that parameter has a default setting and what that default setting is............ and thus the effect on the config.
I would prefer that the action be communicated more directly less implicitly and thus the parameter and its setting is always shown. Personal preference I suppose.

Similarly, I don't like bridge port settings for PVID in the sense that they implicitly create bridge vlan interfaces that will not show up on a config.
Nice that it does that (time saver etc....) but for troubleshooting and/or gauging if someone understands bridge vlan filtering it's an impediment.
