parscon
newbie
Topic Author
Posts: 35
Joined: Mon Dec 02, 2013 4:17 pm

Delete all connection in Firewall-Connections

Wed Jan 13, 2016 11:11 am

Hello to all
I need a Script that can delete all connections in IP--->Firewall--->Connections
I use this below script but it does not remove all .
/ ip firewall connection {:foreach r in=[find] do={remove $r}}
Please help me .
Best Regards
 
boen_robot
Forum Guru
Posts: 2400
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: Delete all connection in Firewall-Connections

Wed Jan 13, 2016 1:58 pm

/ip firewall connection remove [find]
?
 
keithy
newbie
Posts: 26
Joined: Sat Aug 07, 2010 7:00 pm

Re: Delete all connection in Firewall-Connections

Wed Jan 13, 2016 10:28 pm

/ip firewall connection tracking set enabled=no
:delay 5s
/ip firewall connection tracking set enabled=yes


adjust delay depending upon how many or few connections you're trying to clear

HTH
 
tullaman
just joined
Posts: 1
Joined: Wed Nov 05, 2014 9:41 pm

Re: Delete all connection in Firewall-Connections

Mon Feb 05, 2018 1:18 pm

Hi All,

boen_robot's answer works for me.

The idea about disabling conn-tracking for a few secs and then re-enabling didn't work - I tried durations of up to a minute. Maybe reducing the standard connection timeout duration to something less than the period for which conn-track gets disabled would work? But as I said, boen_robot's answer does the business.

/Tullaman.
 
pothi
newbie
Posts: 46
Joined: Fri Sep 14, 2018 7:48 pm
Location: Srivilliputhur, Tamil Nadu, India

Re: Delete all connection in Firewall-Connections

Sat Feb 02, 2019 5:29 am

Thanks @boen_robot .

Your code / answer still works. I had a small but annoying issue upon failover when the existing connections do not switch to the new ISP. Clearing the existing connections using your code solved the issue.
 
yreks
just joined
Posts: 9
Joined: Sat Aug 16, 2014 5:53 pm

Re: Delete all connection in Firewall-Connections

Sat Feb 02, 2019 7:56 am

If there are a lot of connections - about 5600,
then I had to run to clean

/ ip firewall connection remove [find]

5 times.

At first I received a response in the terminal

no such item (4)
 
benlg
just joined
Posts: 10
Joined: Mon Jan 31, 2022 2:50 pm

Re: Delete all connection in Firewall-Connections

Mon Jan 31, 2022 3:21 pm

This works flawlessly, whatever the number of connections to clear is:
:local e 1
:while ($e) do={
  :set e 0
  :do {/ip firewall connection remove [find]} on-error={:set e 1}
}
 
igoldstein
newbie
Posts: 25
Joined: Thu Dec 08, 2022 8:02 pm

Re: Delete all connection in Firewall-Connections

Fri Jan 13, 2023 5:58 pm

did you find how to clear the connections, and not get that error ?

If there are a lot of connections - about 5600,
then I had to run to clean

/ ip firewall connection remove [find]

5 times.

At first I received a response in the terminal

no such item (4)
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Delete all connection in Firewall-Connections

Fri Jan 13, 2023 7:40 pm

/ip fire conn
:foreach idc in=[find where timeout>60] do={
 remove [find where .id=$idc]
}
 
igoldstein
newbie
Posts: 25
Joined: Thu Dec 08, 2022 8:02 pm

Re: Delete all connection in Firewall-Connections

Wed Jan 24, 2024 2:50 am

If there are a lot of connections - about 5600,
then I had to run to clean

/ ip firewall connection remove [find]

5 times.

At first I received a response in the terminal

no such item (4)
What does "no such item (4)" mean?
And how do I know how many times to add the "/ip firewall connection remove [find]" command in my script?


this is my DOWN script, which netwatch runs when it detects the primary internet is down

:log warning "PRIMARY link seems to be DOWN - Running Down script"

/ip route set [find comment="Default Route"] distance=15

/ip firewall connection {:foreach i in=[find protocol="tcp"] do={remove $i}}
/ip firewall connection {:foreach i in=[find protocol="udp"] do={remove $i}}

/ip firewall filter set [find comment="tcp reset"] disabled=no

:delay 10s

/ip firewall filter set [find comment="tcp reset"] disabled=yes

/system script run DynDnsF

/tool e-mail send to=myemailaddress@noemail.com subject="$[/system identity get name] network change" body="Primary connection failed and successfully connected to secondary"
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Delete all connection in Firewall-Connections

Wed Jan 24, 2024 10:41 am

I already answered 1 year ago...
You must add "where timeout>60" like in my example, because connections that close while the script is running break everything.
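Putting the pieces of this thread together (benlg's retry loop, rextended's "timeout>60" filter, and igoldstein's need for something a netwatch down-script can call), here is an added example of a flush script. It is my own code, not from any poster in the thread, and it assumes the RouterOS scripting language of v6/v7; the variable names and the cap of 10 passes are my choices. The "no such item" error igoldstein asks about is what you get when an entry returned by [find] expires before the remove reaches it, so the example skips such entries instead of aborting, and it bounds the number of passes so a loop that keeps erroring out cannot spin forever:

```routeros
# Added example, not code from any poster in this thread.
# Flushes tracked connections the way the thread converges on:
#  - only entries with timeout>60 (anything lower is already expiring on its own),
#  - each remove wrapped in :do/on-error, so an entry that closes between
#    [find] and remove ("no such item") is skipped rather than fatal,
#  - a bounded number of passes, so the script cannot loop forever.
# Variable names and the pass cap are my own choices.
:local minTimeout 60
:local maxPasses 10
:local pass 0
:local removed 0
:local skipped 0
:local remaining [:len [/ip firewall connection find where timeout>$minTimeout]]
:log info ("conntrack flush: starting, $remaining entries with timeout>$minTimeout")
:while ($remaining > 0 && $pass < $maxPasses) do={
    :set pass ($pass + 1)
    :foreach c in=[/ip firewall connection find where timeout>$minTimeout] do={
        :do {
            /ip firewall connection remove $c
            :set removed ($removed + 1)
        } on-error={
            # the entry expired or was closed by its peer before we got to it
            :set skipped ($skipped + 1)
        }
    }
    :set remaining [:len [/ip firewall connection find where timeout>$minTimeout]]
}
:if ($remaining > 0) do={
    :log warning ("conntrack flush: gave up after $pass passes, $remaining entries left")
} else={
    :log info ("conntrack flush: done in $pass passes, removed=$removed skipped=$skipped")
}
```

Paste it into a terminal or save it under /system script and run it; in a netwatch down-script it replaces the two per-protocol foreach lines. The log line at the end tells you how many passes were actually needed, which answers the "how many times" question empirically for your own connection count.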
 
elico
Member Candidate
Posts: 143
Joined: Mon Nov 07, 2016 3:23 am

Re: Delete all connection in Firewall-Connections

Sun Mar 03, 2024 12:31 pm

The next script works great on RouterOS v7.x, but I would prefer a foreach one if possible.
The issue is that I have a device with more than 60k connections tracked, and when I try one of the scripts above with foreach, it does a "find" per connection and it takes forever to flush the connections.
{
  :do {
    :local e 1;
    :while ($e=1) do={
      :set e 0;
      :do {
        /ip/firewall/connection/remove [find];
      } on-error={
        :set e 1;
        :log info "error 1 removing FW connection";
      }
    }
    :log info "SUCCESS removing FW connection";
  } on-error={
    :log info "error 2 removing FW connection";
  }
}
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Delete all connection in Firewall-Connections

Mon Mar 04, 2024 12:52 pm

Ignoring the wrong way of programming, with useless do={...} and other things...

still missing "where timeout>60", which makes the on-error completely useless...

faster way code

/ip firewall connection print where (timeout>60) [remove $".id"]
If the device is fast enough, the timeout can be decreased from 60 to at least 10 seconds
 
elico
Member Candidate
Posts: 143
Joined: Mon Nov 07, 2016 3:23 am

Re: Delete all connection in Firewall-Connections

Fri Mar 15, 2024 10:46 pm

So basically if you want all your FW connection tracking rules to be flushed you can't do it with a button click on winbox but with
/ip/firewall/connection/print where (timeout>15) [remove $".id"]
I can check it but my script worked fine, maybe this specific one liner is better or faster to some degree.
But error handling is normal in programming, so I do not see why I should prefer a one-liner. What makes it better?
The only difference is that there is a loop, but technically speaking, what's the real difference between using a one-liner inside a for loop or a while loop compared to an "on-error"?
I can run a for loop on every single one of the entries (30-40k) with a do { } on-error { } on a single remove action.
{
  :log info "Starting FW connection tracking cleanup";
  :do {
    :foreach entry in=[/ip/firewall/connection/find] do={
      /ip/firewall/connection/remove $entry;
    }
  } on-error={
    :log info "error 1 removing FW connection";
  }
  :log info "Finished FW connection tracking cleanup";
}
The above will run even without making sure any 10 or 15 or 30 or 60...
 
Amm0
Forum Guru
Posts: 3272
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Delete all connection in Firewall-Connections

Fri Mar 15, 2024 11:33 pm

Geez.... This is like a compare-and-contrast in functional and procedural programming.

But if we're voting... @rextended's very clear winner.

@elico's version is fine if he likes that style. But it's just not efficient or clean if we're voting ;). Some nits, however:
1- Now on-error= to protect the [remove] is reasonable – e.g. possible it's closed between find and remove with very poor timing.
2- Newline is a perfectly valid line terminator. There is no need for semi-colons, so an unnecessary char to process if you're getting hyper-efficient (e.g. you have two command terminators, the ; and \n).


The subtlety in @rextended's approach using the "print pipeline" (my term, some scripting things don't have names) – this one is more functional programming – is what stands out among the approaches.

faster way code

/ip firewall connection print where (timeout>60) [remove $".id"]

You'll note the "print" itself calls a cmd during iteration – no "loop" required. You could add an "as-value" to clean up the output. IDK, but I think it may still be possible for remove to fail, so it's possible to add a ":retry" (which will retry again upon an error) (e.g. vs. a :while loop that theoretically could loop forever if it kept erroring out, although unlikely).
Last edited by Amm0 on Sat Mar 16, 2024 12:16 am, edited 1 time in total.
 
Amm0
Forum Guru
Posts: 3272
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Delete all connection in Firewall-Connections

Fri Mar 15, 2024 11:47 pm

The above will run even without making sure any 10 or 15 or 30 or 60...
If you remove the (timeout>60) matcher in @rextended version, it should still work against all records. The "where" still has something to do e.g. [:remove $".id"], even without matchers.
