routeros - script

Last updated: 2024-10-18


 


Configure Script

 

# Cli

/system script               # add, remove, enable, disable

# Add

/system script

add name=notify-ipsec-down source={/tool e-mail send to=tim@mydomain subject="ipsec down" body="ipsec down" start-tls=no}

e-mail settings

# print

system script> print [detail] [brief]

Flags: I - invalid
 0   name="notify-ipsec-down" owner="admin" 
     policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive run-count=0
     source=/tool e-mail send to=tim@mydomain subject="ipsec down" body="ipsec down" start-tls=no

# Run Script

/system script run NAME

OR

/system script run ID

 


Permission

 

dont-require-permissions (yes | no; Default: no)

Bypass permissions check when script is being executed,
useful when scripts are being executed from services that have limited permissions
such as Netwatch

policy

  • ftp - can log on remotely via ftp and send and retrieve files from the router
  • read - can retrieve the configuration
  • test - can run ping, traceroute, bandwidth test
  • policy - manage user policies, add and remove user
  • reboot - can reboot the router
  • password - change passwords
  • sensitive - allows changing the "hide sensitive" parameter
  • sniff - can run sniffer, torch etc
  • write - can change the configuration
  • ...

 


Netwatch

 

Netwatch monitors state of hosts on the network.

It does so by sending ICMP pings to the list of specified IP addresses.

/tool netwatch

  • down-script (string; Default: )
  • host (IP; Default: 0.0.0.0)
  • interval (time; Default: 1m)
  • timeout (time; Default: 1s)
  • up-script (string; Default: )

 * Since RouterOS v6.42 Netwatch is limited to the read,write,test,reboot script policies.
    (Permission checking can be disabled for a RouterOS script with "dont-require-permissions".)

Use case:

  • Failover Default Gateway
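
Added example (not from the original page or from MikroTik): a Python audit of "/system script print detail" output that flags scripts with dont-require-permissions=yes and scripts whose policy list goes beyond the read,write,test,reboot set that Netwatch is limited to. The second sample item, and the presence and position of dont-require-permissions in the output, are assumptions.

```python
import re

# Policies available to Netwatch since RouterOS v6.42, as stated on this page.
NETWATCH_POLICIES = {"read", "write", "test", "reboot"}
RECORD_START = re.compile(r"^\s*\d+\s+(?:[A-Z]+\s+)?name=")
FIELD = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

def parse_scripts(text):
    """Parse `/system script print detail` output into one dict per script."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line):
            records.append([line.strip()])        # new numbered item
        elif records and line.strip():
            records[-1].append(line.strip())      # continuation line
    scripts = []
    for rec in records:
        # Text after the first " source=" is script body, not properties.
        head, _, source = " ".join(rec).partition(" source=")
        item = {k: v.strip('"') for k, v in FIELD.findall(head)}
        item["policy"] = {p for p in item.get("policy", "").split(",") if p}
        item["source"] = source
        scripts.append(item)
    return scripts

def audit(scripts):
    """Return (script name, finding) pairs for a least-privilege review."""
    findings = []
    for s in scripts:
        # Property absent on older output: the page gives the default as "no".
        if s.get("dont-require-permissions", "no") == "yes":
            findings.append((s["name"], "dont-require-permissions=yes skips the caller's policy check"))
        extra = s["policy"] - NETWATCH_POLICIES
        if extra:
            findings.append((s["name"], "policy beyond Netwatch's set: " + ",".join(sorted(extra))))
    return findings

# Constructed sample: item 0 is the page's own print output, item 1 is made up.
SAMPLE = """Flags: I - invalid
 0   name="notify-ipsec-down" owner="admin"
     policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive run-count=0
     source=/tool e-mail send to=tim@mydomain subject="ipsec down" body="ipsec down" start-tls=no
 1   name="ipsec-monitor" owner="admin" policy=read,test dont-require-permissions=yes run-count=12
     source=/system script run notify-ipsec-down
"""

if __name__ == "__main__":
    for name, finding in audit(parse_scripts(SAMPLE)):
        print(f"{name}: {finding}")
```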

 


Output to Screen

 

:put [get [find list=test] value-name=address]

e.g.

# print "test msg" on console

:put "test msg"

# "[...]" returns the number of successful replies

:put [/ping 192.168.1.1 count=3]

  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.1.1                                56  64 2ms
    1 192.168.1.1                                56  64 2ms
    2 192.168.1.1                                56  64 3ms
    sent=3 received=3 packet-loss=0% min-rtt=2ms avg-rtt=2ms max-rtt=3ms

 


Beep

 

This script needs no permissions

i.e.

Super Mario Bros. theme beep script

:beep frequency=660 length=100ms;
:delay 150ms;
:beep frequency=660 length=100ms;
:delay 300ms;
:beep frequency=660 length=100ms;
:delay 300ms;
:beep frequency=510 length=100ms;
:delay 100ms;
:beep frequency=660 length=100ms;
:delay 300ms;
:beep frequency=770 length=100ms;
:delay 550ms;
:beep frequency=380 length=100ms;
:delay 575ms;

...

 


Comments

 

 * Whitespace or any other symbols are not allowed before hash symbol.

# this is a comment
 # bad comment

 * If a "#" character appears inside a string, it is not considered a comment.

 


General Commands

 

  • print
  • find
  • move
  • add
  • remove
  • set
  • edit

find

Returns a list which contains the internal numbers of all items
that have the same argument values as specified.

print

where

Shows only items that match the specified criteria.
The syntax of the where property is similar to that of the find command.

Use case: filter output in console

/ip firewall connection> print where protocol=gre

remove

Removes specified item(s) from a list

e.g.

/ip firewall connection remove [/ip firewall connection find where protocol=gre]

 


Script Syntax

 

Syntax:

[prefix] [path] command [uparam] [param=[value]] .. [param=[value]]

prefix

 ":" or "/" character, which indicates whether the command is a "global command" or a path.

global command: global, local, delay, put, log, set ...

path

relative path to the desired menu level. May or may not be required.

 * The end of command line is represented by the token “;” or NEWLINE.

 * Single command inside (), [] or {} does not require any end of command character.

Variable

# Set variable

:global a 5;
:local host1   "8.8.8.8";

# Print variable to screen

:put $a;

Logical Operators

  • "!"
  • "&&"
  • "||"
  • "in"
:put (1.1.1.1/32 in 1.0.0.0/8);

output: true

Concatenation Operators

"."     concatenates two strings

e.g.

:put ("concatenate" . " " . "string");

","     concatenates two arrays or adds element to array

e.g.

:put ({1;2;3} , 5 );

Operators

  • "$"         # substitution operator (equivalent to referencing a variable, e.g. :put $a)
  • "[]"        # command substitution. Can contain only single command line
  • "()"        # sub expression or grouping operator

Expressions inside strings

# By using $[] and $()

i.e.

subject="$[/system clock get time]"

POSIX extended regular expression ("~")

# Find connections whose src IP starts with 223.19
# ("." is escaped as "\\." so that it matches only a literal dot)

/ip firewall connection
print where src-address~"^223\\.19\\."

 

 


Flow Control

 

if ... else ...

:if (<condition>) do={<commands>} else={<commands>} <expression>

:local RemoteIP "10.3.0.1"
:if ([/ping $RemoteIP count=3] = 0) do={
    /system script run notify-vpn-down;
}

for

 * No spaces are allowed on either side of "="

:for i from=0 to=9 do={ :put $i }

 


Variables

 

Scripting language has two types of variables:

  • global - accessible from all scripts created by current user, defined by global keyword;
  • local - accessible only within the current scope, defined by local keyword.
    Each local scope is enclosed in curly braces "{ }"

  * Every variable, except for built in RouterOS variables, must be declared before usage

  * Variable names are case sensitive.

  * Do not define global variables inside local scopes

{
   :local a 3;
   {
       :global b 4;
   }
   :put ($a+$b);
}

Code:

[Method 1]

:global myVar;
:set myVar "my value";
:put $myVar;

[Method 2]

:global RemoteIP 192.168.1.1
:put $RemoteIP

 


Log

 

Syntax

:log <topic> <message>

topic: debug, info, warning and error (shown in red)

i.e.

# shown in blue
:log warning test123

 



Useful Script

 

[1] Keep pinging the tunnel every second

/system script

add name=ping-ipsec-tunnel source={
    # BC
    /ping 192.168.1.254 interface=bridge1 count=1;
    # CB
    /ping 192.168.3.254 interface=bridge1 count=1;
}

/system scheduler

add disabled=no interval=1s name="ping-ipsec-tunnel" on-event=ping-ipsec-tunnel

[2] Script to monitor IPsec

# config mail server

/tool e-mail
set from="R1@mydomain" address="x.x.x.x" port="1025"

# setup script

/system script

[1] Script: notify-ipsec-down

add name=notify-ipsec-down source={/tool e-mail send to=sysadmin@mydomain subject="VPN Down - XXX" body="$[/system clock get time]" start-tls=no}

Test mail

/system script run notify-ipsec-down

[2] Script: ipsec-monitor

# Ping the remote once every 2 s for 10 s; if 4 of the pings fail, call the script "notify-ipsec-down"

add name=ipsec-monitor source={
  :local RemoteIP "192.168.1.1"
  :local i 0;
  :local F 0;
  :for i from=1 to=5 do={
    :if ([/ping $RemoteIP interface=bridge1 count=1]=0) do={:set F ($F + 1)}
    :delay 2;
  };
  :if (($F>3)) do={
    :put "sent mail to admin"
    /system script run notify-ipsec-down;
  }
}

Simplified version

# "[/ping...]" returns the number of successful replies

# With the settings below, the script runs only when all 3 packets are lost

add name=ipsec-monitor source={
  :local RemoteIP "192.168.1.1"
  :if ([/ping $RemoteIP interface=bridge1 count=3] = 0) do={
    /system script run notify-ipsec-down;
  }
}

# config scheduler: run the script "ipsec-monitor" once every minute

/system scheduler
add disabled=no interval=1m name="Mon-IPSEC-Conn" on-event=ipsec-monitor

 


Doc

 

http://wiki.mikrotik.com/wiki/Manual:Scripting

 

 
