Skip to content

Commit

Permalink
Implement firewall address-list output for MikroTik
Browse files Browse the repository at this point in the history
In RouterOS v7 we can setup filters based on firewall address-list.
Thus output prefixes into address-list can be very useful.
Semantics of firewall address-list remain the same in RouterOS v6
as well.

-E option is selected for firewall address-list function.

Ref: https://help.mikrotik.com/docs/display/ROS/Address-lists

Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
  • Loading branch information
FlyGoat committed Nov 22, 2023
1 parent 7050450 commit ddb7720
Show file tree
Hide file tree
Showing 2 changed files with 51 additions and 3 deletions.
15 changes: 12 additions & 3 deletions main.c
Original file line number Diff line number Diff line change
Expand Up @@ -85,9 +85,10 @@ usage(int ecode)
printf(" -3 : assume that your device is asn32-safe (default)\n");
printf(" -A : try to aggregate prefix-lists/route-filters\n");
printf(" -E : generate extended access-list (Cisco), "
"route-filter (Juniper)\n"
" [ip|ipv6]-prefix-list (Nokia) or prefix-set "
"(OpenBGPD)\n");
"route-filter (Juniper),\n"
" [ip|ipv6]-prefix-list (Nokia), "
"prefix-set (OpenBGPD),\n"
" or firewall address-list (MikroTik)\n");
printf(" -f number : generate input as-path access-list\n");
printf(" -G number : generate output as-path access-list\n");
printf(" -H number : generate origin as-lists (JunOS only)\n");
Expand Down Expand Up @@ -582,6 +583,14 @@ main(int argc, char* argv[])
exit(1);
}

if (aggregate
&& (expander.vendor == V_MIKROTIK6 || expander.vendor == V_MIKROTIK7)
&& expander.generation == T_EACL) {
sx_report(SX_FATAL, "Sorry, aggregation (-A) is not supported with "
"firewall address-list (-E) on MikroTik.\n");
exit(1);
}

if (refine
&& (expander.vendor == V_NOKIA_MD || expander.vendor == V_NOKIA || expander.vendor == V_NOKIA_SRL)
&& expander.generation != T_PREFIXLIST) {
Expand Down
39 changes: 39 additions & 0 deletions printer.c
Original file line number Diff line number Diff line change
Expand Up @@ -1896,6 +1896,41 @@ bgpq4_print_mikrotik_prefixlist(FILE *f, struct bgpq_expander *b)
}
}

static void
bgpq4_print_mikrotik_address(struct sx_radix_node *n, void *ff)
{
char prefix[128];
FILE *f = (FILE*)ff;

if (!f)
f = stdout;

if (n->isGlue)
goto checkSon;

sx_prefix_snprintf_sep(n->prefix, prefix, sizeof(prefix), "/");

fprintf(f,"/%s firewall address-list add list=\"%s\" address=%s\n",
n->prefix->family == AF_INET ? "ip" : "ipv6",
bname, prefix);

checkSon:
if (n->son)
bgpq4_print_mikrotik_address(n->son, ff);
}

static void
bgpq4_print_mikrotik_addresslist(FILE *f, struct bgpq_expander *b)
{
bname = b->name ? b->name : "NN";

if (!sx_radix_tree_empty(b->tree)) {
sx_radix_tree_foreach(b->tree, bgpq4_print_mikrotik_address, f);
} else {
fprintf(f, "# generated prefix-list %s is empty\n", bname);
}
}

void
bgpq4_print_prefixlist(FILE *f, struct bgpq_expander *b)
{
Expand Down Expand Up @@ -1969,6 +2004,10 @@ bgpq4_print_eacl(FILE *f, struct bgpq_expander *b)
case V_NOKIA_SRL:
bgpq4_print_nokia_srl_aclipfilter(f, b);
break;
case V_MIKROTIK6:
case V_MIKROTIK7:
bgpq4_print_mikrotik_addresslist(f, b);
break;
default:
sx_report(SX_FATAL, "unreachable point\n");
}
Expand Down

0 comments on commit ddb7720

Please sign in to comment.