The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My work

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,842 other followers

Archive for the ‘MikroTik’ Category

Mikrotik Router OS 6.37.1 – scripts and schedules – what policies they need to run

Posted by jpluimers on 2017/10/19

minimum schedule and script policies: read/write/policy/test

minimum schedule and script policies: read/write/policy/test

A year later, Mikrotik still needs to update their documentation, so from my question at [WayBack[Mikrotik follow-up needed] Router OS 6.37.1 – scheduled script cannot execute script – MikroTik RouterOS.

TL;DR:

  • use the same policies for scripts and schedules
  • use these policies as a minimum for scripts and schedules:
    • read
    • write
    • policy
    • test

Forum post:

I found out two things:

  1. the testFunctionScript needs at least these policies to call a function: read, write, policy, test
  2. a schedule needs at least the same permissions as a script in order to run the script at all

This is how the various permissions affect the testFunctionScript script:

  • no policies only allow :log info "testFunctionScript"; .
  • read allows the above and :local testFunctionJobs [/system script job print as-value detail]; which then is be logged with :log info "testFunctionJobs=$testFunctionJobs";
  • only write seems equivalent to no policies as it will only allow :log info "testFunctionScript";
  • read and write is equivalent to read
  • a lone policy or test policy (talk about confusion!) do not add functionality, so any combinations of just policy or testwith read and/or write get the same functionality as above
  • policy and test without any other seem equivalent to no policies as they result in only :log info "testFunctionScript"; to execute
  • the combined policies read, write, policy, test allow full script functionality including the function call and using the function call result

The above findings show that more logging is needed: the scheduler should log when (and why!) it does not have enough permissions to run a script. Right now you’re in the dark on when (and why!) a script isn’t ran by the scheduler.

The above findings show that these parts of the documentation need updating:

http://wiki.mikrotik.com/wiki/Manual:Sc … repository (update with info about the above policy combinations)
http://wiki.mikrotik.com/wiki/Manual:Ro … Properties (update with info about the above policy combinations)
http://wiki.mikrotik.com/wiki/Manual:System/Scheduler (does not document anything about policies at all)

The various scripts (apply your mix of policies that you need)

## logon as user jeroenp

/system script environment remove [ /system script environment find where name="testFunction" ];
:global testFunction do={
  :local result [/system resource get uptime];
  :return $result;
}

/system script environment print detail where name=testFunction
# 0 name="testFunction" value=";(eval /system scheduler  (eval /localname=$result;value=(eval (eval /system resource getvalue-name=uptime))) (eval /returnvalue=$result))" 

:log info "direct execution of testFunction"

{
:global testFunction;
:local testFunctionType [:typeof testFunction];
:local testFunctionResult [$testFunction];
:log info "testFunctionScript";
:log info "testFunctionType=$testFunctionType";
:log info "testFunctionResult=$testFunctionResult";
:log info "testFunction=$testFunction";
}

/log print where buffer=memory && (message~"testFunction" || topics~"info")

/system script remove [ /system script find where name="testFunctionScript" ];
/system script add name=testFunctionScript owner=jeroenp policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":global testFunction;\r\
    \n:log info \"testFunctionScript\";\r\
    \n:local testFunctionType [:typeof testFunction];\r\
    \n:local testFunctionResult [\$testFunction];\r\
    \n:log info \"testFunctionType=\$testFunctionType\";\r\
    \n:log info \"testFunctionResult=\$testFunctionResult\";\r\
    \n:log info \"testFunction=\$testFunction\";\r\
    \n"

:log info "execution of testFunction via testFunctionScript"

/system script run testFunctionScript

/log print where buffer=memory && (message~"testFunction" || topics~"info")

/system scheduler remove [ /system scheduler find where name="testFunctionScriptSchedule" ];
/system scheduler add interval=10s name=testFunctionScriptSchedule on-event=testFunctionScript policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=sep/22/2015 start-time=12:02:37

:log info "execution of testFunction via testFunctionScriptSchedule calling testFunctionScript"
:delay 20s
/system scheduler disable testFunctionScriptSchedule

/log print where buffer=memory && (message~"testFunction" || topics~"info")

/system scheduler print detail where name="testFunctionScriptSchedule"

–jeroen

Posted in Development, Internet, MikroTik, Power User, RouterOS, Routers, Scripting, Software Development | Leave a Comment »

Script job killer – MikroTik RouterOS

Posted by jpluimers on 2017/10/09

After reading [WayBackScript job killer – MikroTik RouterOS I put lines like these into a few of my frequently running scripts:

/system script environment get systemScriptJobCountTypeIsCommand
:global systemScriptJobCountTypeIsCommand

:local scriptsOfTypeCommandCount [$systemScriptJobCountTypeIsCommand];

:if ($scriptsOfTypeCommandCount > 4) do={
  $outputError value=("$scriptName; too many runnings commands ($scriptsOfTypeCommandCount); bailing out early");
  :return -1;
}

They in turn use this underlying function:

:local scriptName "Function.systemScriptJobCountTypeIsCommand.rsc"
/system script environment remove [ find where name="systemScriptJobCountTypeIsCommand" ];

:global systemScriptJobCountTypeIsCommand do={
  :local result [:len [/system script job find where type=command]];
#  :put "result=$result"
  :return $result;
}

## Example:
## /import scripts/Function.systemScriptJobCountTypeIsCommand.rsc
## :put [$systemScriptJobCountTypeIsCommand];

–jeroen

Posted in Internet, MikroTik, Power User, Routers | Leave a Comment »

Mikrotik – viewing when users logged in/out (on/off) when logging is high-volume

Posted by jpluimers on 2017/09/27

When logging on a Mikrotik is high-volume, then you need to have either:

  • separate logging actions (they end up in logging buffers each having the same name as the action) and logging rules for specific information that you want to retain
  • log to file in stead of memory

Since my devices have plenty memory, I made a separate accountAction with a rule sending the topic account to accountAction which I then can query like either of these:

/log print detail where message~"logged"

/log print detail where message~"logged" && buffer=accountAction

Here is the /system logging export condensed result:

/system logging action add name=accountAction target=memory
/system logging add action=accountAction topics=account

–jeroen

Posted in Development, Internet, MikroTik, Power User, RouterOS, Routers, Scripting, Software Development | Leave a Comment »

Mikrotik functions -> hopefully I can translate this to the new syntax

Posted by jpluimers on 2017/09/21

Reminder to self as it would be useful to have these Mikrotik functions in the new function syntax:

–jeroen

Posted in Internet, MikroTik, Power User, Routers | Leave a Comment »

Blacklist Filters on MikroTik RouterOS

Posted by jpluimers on 2017/09/08

Some blacklist filters you can use on Mikrotik RouterOS devices:

You might consider to use these instead of action=drop:

–jeroen

Read the rest of this entry »

Posted in Development, Internet, MikroTik, Power User, RouterOS, Routers, Scripting, Software Development | Leave a Comment »

 
%d bloggers like this: