thedoble
just joined
Topic Author
Posts: 2
Joined: Thu Mar 31, 2016 12:24 pm

Error when trying to clear firewall connections

Thu Apr 07, 2016 2:39 am

Hi folks

I've written a script to clear firewall connections. It works fine but occasionally it will error out with the following:

no such item (4)

I think this is due to the way RouterOS is processing the connection list. The script is as follows:

:local ConnectionList [/ ip firewall connection find]
:foreach Connection in=[$ConnectionList] \
do={/ip firewall connection remove $Connection}

I think what is happening is that between storing the connections as an array and then removing them, if a connection closes, the 'remove' command runs against a connection which doesn't exist, which results in the error.

I've tried adding an 'on-error={' condition to this, but I can't get it to work, I always get syntax errors.

Can anyone tell me a way that I can either prevent this error from occurring, or handle the error gracefully?

Thanks
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Error when trying to clear firewall connections

Thu Apr 07, 2016 6:29 am

Try setting the TCP Established time to 5 minutes. If the socket is in use, I think it stays open?
 
Zebble
Frequent Visitor
Posts: 50
Joined: Mon Oct 17, 2011 4:07 am

Re: Error when trying to clear firewall connections

Mon Apr 11, 2016 2:16 am

You could also just turn off connection tracking to clear the connections, and then turn it back on.

/ip firewall connection tracking set enabled=no
/ip firewall connection tracking set enabled=yes (or auto)

-wade
 
thedoble
just joined
Topic Author
Posts: 2
Joined: Thu Mar 31, 2016 12:24 pm

Re: Error when trying to clear firewall connections

Mon Apr 11, 2016 10:23 am

> Try setting the TCP Established time to 5 minutes. If the socket is in use, I think it stays open?

Sorry, I'm not sure what the result of this would be? Could you explain a bit more?

> You could also just turn off connection tracking to clear the connections, and then turn it back on.
>
> /ip firewall connection tracking set enabled=no
> /ip firewall connection tracking set enabled=yes (or auto)
>
> -wade

Thanks, that would work to begin with, however long-term I am wanting the script to only clear certain connections (in this case, for VoIP phones) so I need to be able to pick which connections I clear.
 
vklpt
newbie
Posts: 36
Joined: Mon Feb 18, 2019 1:13 pm
Location: Izhevsk

Re: Error when trying to clear firewall connections

Tue Nov 29, 2022 4:00 pm

This works:
# 2022.11.29
# UDP only
# Debug helper: writes a prefixed message to the log
:local funDebug do={
    :if ( true ) do={ :log info ("    KILL_CONNECTIONS: " . $1) }
}
$funDebug ("start")
/ip firewall connection
:local arrConnections [find protocol=udp];
:local numErr 0;
:foreach conn in=$arrConnections do={
  :do {
    remove $conn
  } on-error={
    # $funDebug ("error on $conn")
    :set numErr ($numErr + 1)
  }
};
$funDebug ("count: " . [:len $arrConnections] . ", errors: " . $numErr)
$funDebug ("finish")
It is convenient to test with torrent, because it creates a lot of connections.
Last edited by vklpt on Tue Nov 29, 2022 8:35 pm, edited 1 time in total.
 
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Error when trying to clear firewall connections

Tue Nov 29, 2022 5:51 pm

Why do you try to do this in a loop? This should work just fine:
/ip/firewall/connection/remove [ find ];
 
vklpt
newbie
Posts: 36
Joined: Mon Feb 18, 2019 1:13 pm
Location: Izhevsk

Re: Error when trying to clear firewall connections

Tue Nov 29, 2022 6:35 pm

eworm, please read the first post. It's an old and well-known problem.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Error when trying to clear firewall connections

Tue Nov 29, 2022 8:25 pm

vklpt, please search in the forum. It's an old and well-known problem, and already solved in a better way.
viewtopic.php?p=853803&hilit=find+where+timeout#p853803
 
vklpt
newbie
Posts: 36
Joined: Mon Feb 18, 2019 1:13 pm
Location: Izhevsk

Re: Error when trying to clear firewall connections

Tue Nov 29, 2022 8:28 pm

I don't see any advantage in a double search
 
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Error when trying to clear firewall connections

Wed Nov 30, 2022 1:28 pm

Sure, there can be timing issues with a lot of connections in the table. But if you just want to drop some SIP connections (that was the use case for the original poster, I think) this could still work as expected with the correct filtering:
/ip/firewall/connection/remove [ find where protocol=udp dst-address~":5060\$" ];
Use the loop if it does not.
 
vklpt
newbie
Posts: 36
Joined: Mon Feb 18, 2019 1:13 pm
Location: Izhevsk

Re: Error when trying to clear firewall connections

Thu Dec 01, 2022 10:13 am

> Use the loop if it does not.

So why don't I use my own solution?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Error when trying to clear firewall connections

Thu Dec 01, 2022 7:25 pm

> > Use the loop if it does not.
> So why don't I use my own solution?

I don't see any advantage in your own solution, especially from one who cannot read and understand,
and then the "if (true) do={" doesn't make a good impression to leave pieces thrown there at random...
and then on-horror-resume-next never bodes well..
 
vklpt
newbie
Posts: 36
Joined: Mon Feb 18, 2019 1:13 pm
Location: Izhevsk

Re: Error when trying to clear firewall connections

Thu Dec 01, 2022 7:59 pm

> and then the "if (true) do={" doesn't make a good impression to leave pieces thrown there at random...
> and then on-horror-resume-next never bodes well..

Admirable argumentation from the author of a better solution that does not even work properly (and shouldn't) lol:
You do not have the required permissions to view the files attached to this post.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Error when trying to clear firewall connections

Thu Dec 01, 2022 8:26 pm

better to provide arguments than to write at random

I still paste this into WinBox, and it does not give me any error:
/ip fire conn
:foreach idc in=[find where timeout>60 and (!(dst-address~":8291\$"))] do={
    remove [find where .id=$idc]
}
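
The approaches in this thread can be combined for the original poster's VoIP case. The following is an added example, not code from any poster: it reuses eworm's SIP filter, rextended's re-check by .id and vklpt's on-error guard, and counts each outcome separately so that entries which simply expired are not mixed up with removals that actually failed. The UDP port 5060 filter, the variable names and the log prefix are assumptions.

```routeros
# Added example (constructed), not from any poster in this thread.
# Assumption: the VoIP phones use SIP over UDP port 5060.
/ip firewall connection
:local removed 0
:local gone 0
:local failed 0
# Snapshot of matching ids; entries may expire while the loop runs.
:foreach connId in=[find where protocol=udp dst-address~":5060\$"] do={
    # Re-resolve the snapshot id: an empty result means the entry already expired.
    :local current [find where .id=$connId]
    :if ([:len $current] = 0) do={
        :set gone ($gone + 1)
    } else={
        :do {
            remove $current
            :set removed ($removed + 1)
        } on-error={
            # Entry expired between the re-check and the remove, or another failure.
            :set failed ($failed + 1)
        }
    }
}
:log info ("sip-conn-clear: removed=" . $removed . " already-gone=" . $gone . " failed=" . $failed)
```

A "failed" count that stays high across runs points at something other than the expiry race and is worth investigating rather than ignoring.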
