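├── tests
│   ├── inventory
│   └── test.yml
├── files
│   └── tmp
│       └── .gitignore
├── vars
│   └── main.yml
├── handlers
│   └── main.yml
├── meta
│   └── main.yml
├── tasks
│   ├── main.yml
│   ├── nat.yml
│   ├── raw.yml
│   ├── services.yml
│   ├── filter.yml
│   ├── mangle.yml
│   ├── address_list.yml
│   └── connection_tracking.yml
├── templates
│   ├── services.rsc.j2
│   ├── address_list.rsc.j2
│   ├── raw.rsc.j2
│   ├── nat.rsc.j2
│   ├── filter.rsc.j2
│   └── mangle.rsc.j2
├── docs
│   ├── raw.md
│   ├── nat.md
│   ├── filter.md
│   └── mangle.md
├── README.md
└── defaults
    └── main.yml
/tests/inventory:
--------------------------------------------------------------------------------
localhost

--------------------------------------------------------------------------------
/files/tmp/.gitignore:
--------------------------------------------------------------------------------
# Scratch space for the .rsc scripts rendered by tasks/*.yml: keep the
# directory in git, never its contents. "*" has to come first because git
# takes the last matching pattern; a trailing "*" would re-ignore .gitignore.
*
!.gitignore

--------------------------------------------------------------------------------
/vars/main.yml:
--------------------------------------------------------------------------------
---
# vars file for mikrotik-firewall (intentionally empty; all tunables live in
# defaults/main.yml so playbooks can override them)
--------------------------------------------------------------------------------
/handlers/main.yml:
--------------------------------------------------------------------------------
---
# handlers file for mikrotik-firewall (none: every task applies its change
# directly through the RouterOS script it imports)
--------------------------------------------------------------------------------
/tests/test.yml:
--------------------------------------------------------------------------------
---
# Galaxy smoke-test playbook. It targets localhost, which is not a RouterOS
# device, so presumably it only checks that the role loads; the raw tasks
# cannot succeed here.
- hosts: localhost
  remote_user: root
  roles:
    - mikrotik-firewall
--------------------------------------------------------------------------------
/meta/main.yml:
--------------------------------------------------------------------------------
galaxy_info:
  author: Martin Dulin
  description: Mikrotik firewall automation
  company: Dulin
  # README.md still carries the Galaxy skeleton's "BSD" placeholder; this is
  # the authoritative value.
  license: MIT

  # The tasks use the legacy `include:` form, which matches this floor.
  min_ansible_version: 1.9

  platforms:
    - name: RouterOS
      versions:
        - all

  categories:
    - networking

  galaxy_tags:
    - networking
    - mikrotik
    - routeros
    - firewall


dependencies: []
  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
  # if you add dependencies to this list.
--------------------------------------------------------------------------------
/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Entry point. Order matters: connection tracking and service ports first,
# then address lists, then the raw/mangle/nat/filter tables (rules in those
# tables may reference address lists, presumably why address_list precedes
# them). Every include carries a role::mikrotik_firewall:<area> tag so one
# area can be applied on its own with --tags; the tag on an include applies to
# every task in the included file.
- include: connection_tracking.yml
  # single-colon sub-tag, consistent with the six includes below
  tags: [ 'role::mikrotik_firewall:connection_tracking' ]

- include: services.yml
  tags: [ 'role::mikrotik_firewall:services' ]

- include: address_list.yml
  tags: [ 'role::mikrotik_firewall:address_list' ]

- include: raw.yml
  tags: [ 'role::mikrotik_firewall:raw' ]

- include: mangle.yml
  tags: [ 'role::mikrotik_firewall:mangle' ]

- include: nat.yml
  tags: [ 'role::mikrotik_firewall:nat' ]

- include: filter.yml
  tags: [ 'role::mikrotik_firewall:filter' ]
--------------------------------------------------------------------------------
/templates/services.rsc.j2:
--------------------------------------------------------------------------------
{# One idempotent block per entry of mikrotik_firewall.service_port_rules:
   "set" is only issued when no service-port already matches every given
   value. Optional parameters are appended on the same line, so the output
   needs no RouterOS "\" line continuation and does not depend on how the
   template engine trims newlines around block tags. Values are inserted
   verbatim (no quoting or escaping); they must come from trusted variables. #}
{% for service in mikrotik_firewall.service_port_rules %}
:if ([/ip firewall service-port find name={{service.name}} disabled={{service.disabled}}{% if service.sip_direct_media is defined %} sip-direct-media={{service.sip_direct_media}}{% endif %}{% if service.ports is defined %} ports={{service.ports}}{% endif %}] ="") do={
/ip firewall service-port set {{service.name}} disabled={{service.disabled}}{% if service.sip_direct_media is defined %} sip-direct-media={{service.sip_direct_media}}{% endif %}{% if service.ports is defined %} ports={{service.ports}}{% endif %}
}
{% endfor %}

--------------------------------------------------------------------------------
/docs/raw.md: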
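--------------------------------------------------------------------------------
raw_rules:
----------
```
chain:
action:
fragment:
log_prefix:
psd:
address_list:
hotspot:
nth:
random:
address_list_timeout:
icmp_options:
out_bridge_port:
src_address:
comment:
in_bridge_port:
out_bridge_port_list:
src_address_list:
content:
in_bridge_port_list:
out_interface:
src_address_type:
copy_from:
in_interface:
out_interface_list:
src_mac_address:
disabled:
in_interface_list:
packet_mark:
src_port:
dscp:
ingress_priority:
packet_size:
tcp_flags:
dst_address:
ipsec_policy:
per_connection_classifier:
tcp_mss:
dst_address_list:
ipv4_options:
place_before:
time:
dst_address_type:
jump_target:
port:
ttl:
dst_limit:
limit:
priority:
dst_port:
log:
protocol:
```
--------------------------------------------------------------------------------
/tasks/nat.yml:
--------------------------------------------------------------------------------
---
# Applies the "nat" table: render nat.rsc.j2 on the controller into
# files/tmp/ (the file name carries inventory_hostname, so hosts running in
# parallel do not collide), push the script to the router's file store with
# scp, import it on the router, and remove both copies.
#
# NOTE(review): the scp step runs on the controller through the `command`
# module, not through Ansible's connection plugin; host-key verification and
# authentication are whatever the controller's ssh client does for that host,
# and an interactive password prompt would block the task.
- name: Generate firewall-nat-{{inventory_hostname}}.rsc from nat.rsc.j2
  template:
    src: nat.rsc.j2
    dest: "{{ role_path }}/files/tmp/firewall-nat-{{ inventory_hostname }}.rsc"
  delegate_to: localhost

# ansible_port / ansible_host only exist when the inventory sets them; fall
# back to the ssh default port and the inventory name instead of failing on an
# undefined variable.
- name: Send firewall-nat-{{inventory_hostname}}.rsc script
  command: scp -P {{ ansible_port | default(22) }} {{ role_path }}/files/tmp/firewall-nat-{{ inventory_hostname }}.rsc {{ ansible_user }}@{{ ansible_host | default(inventory_hostname) }}:/firewall-nat-{{ inventory_hostname }}.rsc
  delegate_to: localhost

- name: Delete temporary firewall-nat-{{inventory_hostname}}.rsc file
  file:
    path: "{{ role_path }}/files/tmp/firewall-nat-{{ inventory_hostname }}.rsc"
    state: absent
  delegate_to: localhost

# No task-level tag here: a stray "mikrotik_firewall_services" tag on this
# task alone would let --tags run the import without the generate/send steps.
# Select this file with the role::mikrotik_firewall:nat tag from tasks/main.yml.
- name: Run firewall-nat-{{inventory_hostname}}.rsc on router
  raw: "/import firewall-nat-{{inventory_hostname}}.rsc"

- name: Remove firewall-nat-{{inventory_hostname}}.rsc from router
  raw: "/file remove firewall-nat-{{inventory_hostname}}.rsc"
--------------------------------------------------------------------------------
/tasks/raw.yml:
--------------------------------------------------------------------------------
---
# Applies the "raw" table; same generate / scp / import / clean-up workflow as
# tasks/nat.yml, including the caveat that scp uses the controller's ssh
# client rather than Ansible's connection plugin.
- name: Generate firewall-raw-{{inventory_hostname}}.rsc from raw.rsc.j2
  template:
    src: raw.rsc.j2
    dest: "{{ role_path }}/files/tmp/firewall-raw-{{ inventory_hostname }}.rsc"
  delegate_to: localhost

# ansible_port / ansible_host only exist when the inventory sets them.
- name: Send firewall-raw-{{inventory_hostname}}.rsc script
  command: scp -P {{ ansible_port | default(22) }} {{ role_path }}/files/tmp/firewall-raw-{{ inventory_hostname }}.rsc {{ ansible_user }}@{{ ansible_host | default(inventory_hostname) }}:/firewall-raw-{{ inventory_hostname }}.rsc
  delegate_to: localhost

- name: Delete temporary firewall-raw-{{inventory_hostname}}.rsc file
  file:
    path: "{{ role_path }}/files/tmp/firewall-raw-{{ inventory_hostname }}.rsc"
    state: absent
  delegate_to: localhost

# No task-level tag: select this file with role::mikrotik_firewall:raw.
- name: Run firewall-raw-{{inventory_hostname}}.rsc on router
  raw: "/import firewall-raw-{{inventory_hostname}}.rsc"

- name: Remove firewall-raw-{{inventory_hostname}}.rsc from router
  raw: "/file remove firewall-raw-{{inventory_hostname}}.rsc"
--------------------------------------------------------------------------------
/tasks/services.yml:
--------------------------------------------------------------------------------
---
# Applies the service-port helpers; same generate / scp / import / clean-up
# workflow as tasks/nat.yml, including the caveat that scp uses the
# controller's ssh client rather than Ansible's connection plugin.
- name: Generate firewall-services-{{inventory_hostname}}.rsc from services.rsc.j2
  template:
    src: services.rsc.j2
    dest: "{{ role_path }}/files/tmp/firewall-services-{{ inventory_hostname }}.rsc"
  delegate_to: localhost

# ansible_port / ansible_host only exist when the inventory sets them.
- name: Send firewall-services-{{inventory_hostname}}.rsc script
  command: scp -P {{ ansible_port | default(22) }} {{ role_path }}/files/tmp/firewall-services-{{ inventory_hostname }}.rsc {{ ansible_user }}@{{ ansible_host | default(inventory_hostname) }}:/firewall-services-{{ inventory_hostname }}.rsc
  delegate_to: localhost

- name: Delete temporary firewall-services-{{inventory_hostname}}.rsc file
  file:
    path: "{{ role_path }}/files/tmp/firewall-services-{{ inventory_hostname }}.rsc"
    state: absent
  delegate_to: localhost

- name: Run firewall-services-{{inventory_hostname}}.rsc on router
  raw: "/import firewall-services-{{inventory_hostname}}.rsc"

- name: Remove firewall-services-{{inventory_hostname}}.rsc from router
  raw: "/file remove firewall-services-{{inventory_hostname}}.rsc"
--------------------------------------------------------------------------------
/tasks/filter.yml:
--------------------------------------------------------------------------------
---
# Applies the "filter" table; same generate / scp / import / clean-up workflow
# as tasks/nat.yml, including the caveat that scp uses the controller's ssh
# client rather than Ansible's connection plugin.
- name: Generate firewall-filter-{{inventory_hostname}}.rsc from filter.rsc.j2
  template:
    src: filter.rsc.j2
    dest: "{{ role_path }}/files/tmp/firewall-filter-{{ inventory_hostname }}.rsc"
  delegate_to: localhost

# ansible_port / ansible_host only exist when the inventory sets them.
- name: Send firewall-filter-{{inventory_hostname}}.rsc script
  command: scp -P {{ ansible_port | default(22) }} {{ role_path }}/files/tmp/firewall-filter-{{ inventory_hostname }}.rsc {{ ansible_user }}@{{ ansible_host | default(inventory_hostname) }}:/firewall-filter-{{ inventory_hostname }}.rsc
  delegate_to: localhost

- name: Delete temporary firewall-filter-{{inventory_hostname}}.rsc file
  file:
    path: "{{ role_path }}/files/tmp/firewall-filter-{{ inventory_hostname }}.rsc"
    state: absent
  delegate_to: localhost

# No task-level tag: select this file with role::mikrotik_firewall:filter.
- name: Run firewall-filter-{{inventory_hostname}}.rsc on router
  raw: "/import firewall-filter-{{inventory_hostname}}.rsc"

- name: Remove firewall-filter-{{inventory_hostname}}.rsc from router
  raw: "/file remove firewall-filter-{{inventory_hostname}}.rsc"
--------------------------------------------------------------------------------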
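/tasks/mangle.yml:
--------------------------------------------------------------------------------
---
# Applies the "mangle" table: render mangle.rsc.j2 on the controller into
# files/tmp/ (the file name carries inventory_hostname, so hosts running in
# parallel do not collide), push the script to the router's file store with
# scp, import it on the router, and remove both copies.
#
# NOTE(review): the scp step runs on the controller through the `command`
# module, not through Ansible's connection plugin; host-key verification and
# authentication are whatever the controller's ssh client does for that host,
# and an interactive password prompt would block the task.
- name: Generate firewall-mangle-{{inventory_hostname}}.rsc from mangle.rsc.j2
  template:
    src: mangle.rsc.j2
    dest: "{{ role_path }}/files/tmp/firewall-mangle-{{ inventory_hostname }}.rsc"
  delegate_to: localhost

# ansible_port / ansible_host only exist when the inventory sets them; fall
# back to the ssh default port and the inventory name instead of failing on an
# undefined variable.
- name: Send firewall-mangle-{{inventory_hostname}}.rsc script
  command: scp -P {{ ansible_port | default(22) }} {{ role_path }}/files/tmp/firewall-mangle-{{ inventory_hostname }}.rsc {{ ansible_user }}@{{ ansible_host | default(inventory_hostname) }}:/firewall-mangle-{{ inventory_hostname }}.rsc
  delegate_to: localhost

- name: Delete temporary firewall-mangle-{{inventory_hostname}}.rsc file
  file:
    path: "{{ role_path }}/files/tmp/firewall-mangle-{{ inventory_hostname }}.rsc"
    state: absent
  delegate_to: localhost

# No task-level tag here: a stray "mikrotik_firewall_services" tag on this
# task alone would let --tags run the import without the generate/send steps.
# Select this file with the role::mikrotik_firewall:mangle tag from tasks/main.yml.
- name: Run firewall-mangle-{{inventory_hostname}}.rsc on router
  raw: "/import firewall-mangle-{{inventory_hostname}}.rsc"

- name: Remove firewall-mangle-{{inventory_hostname}}.rsc from router
  raw: "/file remove firewall-mangle-{{inventory_hostname}}.rsc"
--------------------------------------------------------------------------------
/docs/nat.md:
--------------------------------------------------------------------------------
nat_rules:
----------
```
chain:
action:
hotspot:
out_bridge_port:
same_not_by_dst:
address_list:
icmp_options:
out_bridge_port_list:
src_address:
address_list_timeout:
in_bridge_port:
out_interface:
src_address_list:
comment:
in_bridge_port_list:
out_interface_list:
src_address_type:
connection_bytes:
connection_limit:
connection_mark:
connection_rate:
connection_type:
in_interface:
packet_mark:
src_mac_address:
content:
in_interface_list:
packet_size:
src_port:
copy_from:
ingress_priority:
per_connection_classifier:
tcp_mss:
disabled:
ipsec_policy:
place_before:
time:
dscp:
ipv4_options:
port:
to_addresses:
dst_address:
jump_target:
priority:
to_ports:
dst_address_list:
layer7_protocol:
protocol:
ttl:
dst_address_type:
limit:
psd:
dst_limit:
log:
random:
dst_port:
log_prefix:
routing_mark:
fragment:
nth:
routing_table:
```
--------------------------------------------------------------------------------
/tasks/address_list.yml:
--------------------------------------------------------------------------------
---
# Applies the address lists; same generate / scp / import / clean-up workflow
# as tasks/mangle.yml, including the caveat that scp uses the controller's ssh
# client rather than Ansible's connection plugin.
- name: Generate firewall-address_list-{{inventory_hostname}}.rsc from address_list.rsc.j2
  template:
    src: address_list.rsc.j2
    dest: "{{ role_path }}/files/tmp/firewall-address_list-{{ inventory_hostname }}.rsc"
  delegate_to: localhost

# ansible_port / ansible_host only exist when the inventory sets them.
- name: Send firewall-address_list-{{inventory_hostname}}.rsc script
  command: scp -P {{ ansible_port | default(22) }} {{ role_path }}/files/tmp/firewall-address_list-{{ inventory_hostname }}.rsc {{ ansible_user }}@{{ ansible_host | default(inventory_hostname) }}:/firewall-address_list-{{ inventory_hostname }}.rsc
  delegate_to: localhost

- name: Delete temporary firewall-address_list-{{inventory_hostname}}.rsc file
  file:
    path: "{{ role_path }}/files/tmp/firewall-address_list-{{ inventory_hostname }}.rsc"
    state: absent
  delegate_to: localhost

# No task-level tag: select this file with role::mikrotik_firewall:address_list.
- name: Run firewall-address_list-{{inventory_hostname}}.rsc on router
  raw: "/import firewall-address_list-{{inventory_hostname}}.rsc"

- name: Remove firewall-address_list-{{inventory_hostname}}.rsc from router
  raw: "/file remove firewall-address_list-{{inventory_hostname}}.rsc"
--------------------------------------------------------------------------------
/docs/filter.md:
--------------------------------------------------------------------------------
filter_rules: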
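-------------
```
chain:
action:
hotspot:
out_bridge_port:
routing_mark:
address_list:
icmp_options:
out_bridge_port_list:
routing_table:
address_list_timeout:
in_bridge_port:
out_interface:
src_address:
comment:
in_bridge_port_list:
out_interface_list:
src_address_list:
connection_bytes:
connection_mark:
connection_rate:
connection_type:
connection_limit:
connection_nat_state:
connection_state:
in_interface:
p2p:
src_address_type:
content:
in_interface_list:
packet_mark:
src_mac_address:
copy_from:
ingress_priority:
packet_size:
src_port:
disabled:
ipsec_policy:
per_connection_classifier:
tcp_flags:
dscp:
ipv4_options:
place_before:
tcp_mss:
dst_address:
jump_target:
port:
time:
dst_address_list:
layer7_protocol:
priority:
ttl:
dst_address_type:
limit:
protocol:
dst_limit:
log:
psd:
dst_port:
log_prefix:
random:
fragment:
nth:
reject_with:
```
--------------------------------------------------------------------------------
/templates/address_list.rsc.j2:
--------------------------------------------------------------------------------
{# Address-list management, rendered on the controller and imported on the
   router by tasks/address_list.yml.
   - remove_old_address_list == true: wipe every static (dynamic=no) entry
     before anything else.
   - "Remove not defined" makes the role the owner of the static address-list:
     every dynamic=no entry that does not exactly match one of the defined
     entries (list, disabled, address and the "Ansible managed" comment) is
     deleted. The block is skipped when address_list is empty (the default),
     so a bare run of the role does not strip the router of every static entry.
   - Each defined entry is then added only if no identical entry exists.
   Values are inserted verbatim (no quoting or escaping), so they must come
   from trusted variables. Optional fields of the "add" command are appended
   on the same line so no "\" continuation depends on newline trimming. #}
{% if mikrotik_firewall.remove_old_address_list == true %}
/ip firewall address-list remove [/ip firewall address-list find where dynamic=no]
{% endif %}
{% if mikrotik_firewall.address_list %}
# Remove not defined
/ip firewall address-list remove [/ip firewall address-list find where !(\
{% for list in mikrotik_firewall.address_list %}
{% if not loop.first %} or {% endif %}(list={{list.list}} and disabled={{list.disabled}} and address={{list.address}} and comment="Ansible managed: [{{list.comment}}]") \
{% endfor %}
) and dynamic=no]
{% endif %}
# Add all values
{% for list in mikrotik_firewall.address_list %}
:if ([/ip firewall address-list find list={{list.list}} disabled={{list.disabled}} address={{list.address}} comment="Ansible managed: [{{list.comment}}]"] = "") do={
:log info "Add address: {{list.address}} to address-list: {{list.list}}..."
/ip firewall address-list add list={{list.list}}{% if list.disabled is defined %} disabled={{list.disabled}}{% endif %} address={{list.address}}{% if list.comment is defined %} comment="Ansible managed: [{{list.comment}}]"{% endif %}
}
{% endfor %}
--------------------------------------------------------------------------------
/docs/mangle.md:
--------------------------------------------------------------------------------
mangle_rules:
-------------
```
chain:
action:
in_bridge_port:
new_routing_mark:
random:
address_list:
in_bridge_port_list:
new_ttl:
route_dst:
address_list_timeout:
in_interface:
nth:
routing_mark:
comment:
in_interface_list:
out_bridge_port:
routing_table:
connection_bytes:
connection_mark:
connection_rate:
connection_type:
connection_limit:
connection_nat_state:
connection_state:
ingress_priority:
out_bridge_port_list:
sniff_id:
content:
ipsec_policy:
out_interface:
sniff_target:
copy_from:
ipv4_options:
out_interface_list:
sniff_target_port:
disabled:
jump_target:
p2p:
src_address:
dscp:
layer7_protocol:
packet_mark:
src_address_list:
dst_address:
limit:
packet_size:
src_address_type:
dst_address_list:
log:
passthrough:
src_mac_address:
dst_address_type:
log_prefix:
per_connection_classifier:
src_port:
dst_limit:
new_connection_mark:
place_before:
tcp_flags:
dst_port:
new_dscp:
port:
tcp_mss:
fragment:
new_mss:
priority:
time:
hotspot:
new_packet_mark:
protocol:
ttl:
icmp_options:
new_priority:
psd:
```
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
Role Name
=========

A brief description of the role goes here.

Requirements
------------

Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.

Role Variables
--------------

A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.

Dependencies
------------

A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.

Example Playbook
----------------

Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:

    - hosts: servers
      roles:
         - { role: username.rolename, x: 42 }

License
-------

BSD

Author Information
------------------

An optional section for the role authors to include contact information, or a website (HTML is not allowed).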

--------------------------------------------------------------------------------
/defaults/main.yml:
--------------------------------------------------------------------------------
# Defaults for the mikrotik_firewall role. Everything sits under one
# dictionary, which is what the templates and tasks/connection_tracking.yml
# read.
mikrotik_firewall:
  # Values for "/ip firewall connection tracking set <key>=<value>"; a key is
  # only applied when it is defined (see tasks/connection_tracking.yml).
  connection_tracking:
    enabled: "yes"
    tcp_syn_sent_timeout: 5s
    tcp_syn_received_timeout: 5s
    tcp_established_timeout: 1d
    tcp_fin_wait_timeout: 10s
    tcp_close_wait_timeout: 10s
    tcp_last_ack_timeout: 10s
    tcp_time_wait_timeout: 10s
    tcp_close_timeout: 10s
    tcp_max_retrans_timeout: 5m
    tcp_unacked_timeout: 5m
    udp_timeout: 10s
    udp_stream_timeout: 3m
    icmp_timeout: 10s
    generic_timeout: 10m

  # Each remove_old_* flag makes the matching template delete every static
  # (dynamic=no) entry of that table before the defined rules are (re)added.
  # Destructive on a router that has rules the role does not know about; only
  # the literal boolean true enables it (the templates compare with "== true").
  # The *_rules lists hold one dictionary per rule; the accepted keys are
  # listed in docs/<table>.md.
  remove_old_filter_rules: false
  filter_rules: []
  remove_old_nat_rules: false
  nat_rules: []
  remove_old_mangle_rules: false
  mangle_rules: []
  remove_old_raw_rules: false
  raw_rules: []
  # "/ip firewall service-port" helpers; disabled and sip_direct_media are
  # quoted so YAML keeps them as the strings RouterOS expects instead of
  # converting them to booleans.
  service_port_rules:
    # Mikrotik defaults
    - name: ftp
      ports: 21
      sip_direct_media: "no"
      disabled: "no"
    - name: h323
      sip_direct_media: "no"
      disabled: "no"
    - name: irc
      ports: 6667
      sip_direct_media: "no"
      disabled: "no"
    - name: pptp
      sip_direct_media: "no"
      disabled: "no"
    - name: sip
      ports: 5060,5061
      sip_direct_media: "yes"
      disabled: "no"
    - name: tftp
      ports: 69
      disabled: "no"
  remove_old_address_list: false
  address_list: []
  # NOTE(review): no task or template on this page reads the two layer7 keys;
  # they look like a planned feature.
  remove_old_layers7_protocols: false
  layers7_protocols: []
--------------------------------------------------------------------------------
/tasks/connection_tracking.yml:
--------------------------------------------------------------------------------
---
# One task per "/ip firewall connection tracking" setting. Each raw command
# reads the current value and, only when it differs from the desired one,
# prints the setting name and applies it. That printed name is the change
# signal: changed_when fires when the first stdout line is exactly the name,
# failed_when when it is anything else (an error message from the router), and
# no output means the setting was already in the desired state.
# NOTE(review): only `enabled` is compared as a quoted string; the timeouts
# are compared unquoted. Whether RouterOS reports a no-op for values such as
# 5s is not shown here; confirm on a router that a second run reports ok.
- name: "Setting enabled={{ mikrotik_firewall.connection_tracking.enabled }}"
  raw: :if ([/ip firewall connection tracking get enabled] != "{{ mikrotik_firewall.connection_tracking.enabled }}") do={:put "enabled"; /ip firewall connection tracking set enabled={{ mikrotik_firewall.connection_tracking.enabled }} }
  when: mikrotik_firewall.connection_tracking.enabled is defined
  register: enabled
  changed_when: enabled.stdout_lines[0] is defined and enabled.stdout_lines[0] == "enabled"
  failed_when: enabled.stdout_lines[0] is defined and enabled.stdout_lines[0] != "enabled"

- name: "Setting tcp-syn-sent-timeout={{ mikrotik_firewall.connection_tracking.tcp_syn_sent_timeout }}"
  raw: :if ([/ip firewall connection tracking get tcp-syn-sent-timeout] != {{ mikrotik_firewall.connection_tracking.tcp_syn_sent_timeout }}) do={:put "tcp-syn-sent-timeout"; /ip firewall connection tracking set tcp-syn-sent-timeout={{ mikrotik_firewall.connection_tracking.tcp_syn_sent_timeout }} }
  when: mikrotik_firewall.connection_tracking.tcp_syn_sent_timeout is defined
  register: tcp_syn_sent_timeout
  changed_when: tcp_syn_sent_timeout.stdout_lines[0] is defined and tcp_syn_sent_timeout.stdout_lines[0] == "tcp-syn-sent-timeout"
  failed_when: tcp_syn_sent_timeout.stdout_lines[0] is defined and tcp_syn_sent_timeout.stdout_lines[0] != "tcp-syn-sent-timeout"

- name: "Setting tcp-syn-received-timeout={{ mikrotik_firewall.connection_tracking.tcp_syn_received_timeout }}"
  raw: :if ([/ip firewall connection tracking get tcp-syn-received-timeout] != {{ mikrotik_firewall.connection_tracking.tcp_syn_received_timeout }}) do={:put "tcp-syn-received-timeout"; /ip firewall connection tracking set tcp-syn-received-timeout={{ mikrotik_firewall.connection_tracking.tcp_syn_received_timeout }} }
  when: mikrotik_firewall.connection_tracking.tcp_syn_received_timeout is defined
  register: tcp_syn_received_timeout
  changed_when: tcp_syn_received_timeout.stdout_lines[0] is defined and tcp_syn_received_timeout.stdout_lines[0] == "tcp-syn-received-timeout"
  failed_when: tcp_syn_received_timeout.stdout_lines[0] is defined and tcp_syn_received_timeout.stdout_lines[0] != "tcp-syn-received-timeout"

- name: "Setting tcp-established-timeout={{ mikrotik_firewall.connection_tracking.tcp_established_timeout }}"
  raw: :if ([/ip firewall connection tracking get tcp-established-timeout] != {{ mikrotik_firewall.connection_tracking.tcp_established_timeout }}) do={:put "tcp-established-timeout"; /ip firewall connection tracking set tcp-established-timeout={{ mikrotik_firewall.connection_tracking.tcp_established_timeout }} }
  when: mikrotik_firewall.connection_tracking.tcp_established_timeout is defined
  register: tcp_established_timeout
  changed_when: tcp_established_timeout.stdout_lines[0] is defined and tcp_established_timeout.stdout_lines[0] == "tcp-established-timeout"
  failed_when: tcp_established_timeout.stdout_lines[0] is defined and tcp_established_timeout.stdout_lines[0] != "tcp-established-timeout"

- name: "Setting tcp-fin-wait-timeout={{ mikrotik_firewall.connection_tracking.tcp_fin_wait_timeout }}"
  raw: :if ([/ip firewall connection tracking get tcp-fin-wait-timeout] != {{ mikrotik_firewall.connection_tracking.tcp_fin_wait_timeout }}) do={:put "tcp-fin-wait-timeout"; /ip firewall connection tracking set tcp-fin-wait-timeout={{ mikrotik_firewall.connection_tracking.tcp_fin_wait_timeout }} }
  when: mikrotik_firewall.connection_tracking.tcp_fin_wait_timeout is defined
  register: tcp_fin_wait_timeout
  changed_when: tcp_fin_wait_timeout.stdout_lines[0] is defined and tcp_fin_wait_timeout.stdout_lines[0] == "tcp-fin-wait-timeout"
  failed_when: tcp_fin_wait_timeout.stdout_lines[0] is defined and tcp_fin_wait_timeout.stdout_lines[0] != "tcp-fin-wait-timeout"

- name: "Setting tcp-close-wait-timeout={{ mikrotik_firewall.connection_tracking.tcp_close_wait_timeout }}"
  raw: :if ([/ip firewall connection tracking get tcp-close-wait-timeout] != {{ mikrotik_firewall.connection_tracking.tcp_close_wait_timeout }}) do={:put "tcp-close-wait-timeout"; /ip firewall connection tracking set tcp-close-wait-timeout={{ mikrotik_firewall.connection_tracking.tcp_close_wait_timeout }} }
  when: mikrotik_firewall.connection_tracking.tcp_close_wait_timeout is defined
  register: tcp_close_wait_timeout
  changed_when: tcp_close_wait_timeout.stdout_lines[0] is defined and tcp_close_wait_timeout.stdout_lines[0] == "tcp-close-wait-timeout"
  failed_when: tcp_close_wait_timeout.stdout_lines[0] is defined and tcp_close_wait_timeout.stdout_lines[0] != "tcp-close-wait-timeout"

- name: "Setting tcp-last-ack-timeout={{ mikrotik_firewall.connection_tracking.tcp_last_ack_timeout }}"
  raw: :if ([/ip firewall connection tracking get tcp-last-ack-timeout] != {{ mikrotik_firewall.connection_tracking.tcp_last_ack_timeout }}) do={:put "tcp-last-ack-timeout"; /ip firewall connection tracking set tcp-last-ack-timeout={{ mikrotik_firewall.connection_tracking.tcp_last_ack_timeout }} }
  when: mikrotik_firewall.connection_tracking.tcp_last_ack_timeout is defined
  register: tcp_last_ack_timeout
  changed_when: tcp_last_ack_timeout.stdout_lines[0] is defined and tcp_last_ack_timeout.stdout_lines[0] == "tcp-last-ack-timeout"
  failed_when: tcp_last_ack_timeout.stdout_lines[0] is defined and tcp_last_ack_timeout.stdout_lines[0] != "tcp-last-ack-timeout"

- name: "Setting tcp-time-wait-timeout={{ mikrotik_firewall.connection_tracking.tcp_time_wait_timeout }}"
  raw: :if ([/ip firewall connection tracking get tcp-time-wait-timeout] != {{ mikrotik_firewall.connection_tracking.tcp_time_wait_timeout }}) do={:put "tcp-time-wait-timeout"; /ip firewall connection tracking set tcp-time-wait-timeout={{ mikrotik_firewall.connection_tracking.tcp_time_wait_timeout }} }
  when: mikrotik_firewall.connection_tracking.tcp_time_wait_timeout is defined
  register: tcp_time_wait_timeout
  changed_when: tcp_time_wait_timeout.stdout_lines[0] is defined and tcp_time_wait_timeout.stdout_lines[0] == "tcp-time-wait-timeout"
  failed_when: tcp_time_wait_timeout.stdout_lines[0] is defined and tcp_time_wait_timeout.stdout_lines[0] != "tcp-time-wait-timeout"

- name: "Setting tcp-close-timeout={{ mikrotik_firewall.connection_tracking.tcp_close_timeout }}"
  raw: :if ([/ip firewall connection tracking get tcp-close-timeout] != {{ mikrotik_firewall.connection_tracking.tcp_close_timeout }}) do={:put "tcp-close-timeout"; /ip firewall connection tracking set tcp-close-timeout={{ mikrotik_firewall.connection_tracking.tcp_close_timeout }} }
  when: mikrotik_firewall.connection_tracking.tcp_close_timeout is defined
  register: tcp_close_timeout
  changed_when: tcp_close_timeout.stdout_lines[0] is defined and tcp_close_timeout.stdout_lines[0] == "tcp-close-timeout"
  failed_when: tcp_close_timeout.stdout_lines[0] is defined and tcp_close_timeout.stdout_lines[0] != "tcp-close-timeout"

- name: "Setting tcp-max-retrans-timeout={{ mikrotik_firewall.connection_tracking.tcp_max_retrans_timeout }}"
  raw: :if ([/ip firewall connection tracking get tcp-max-retrans-timeout] != {{ mikrotik_firewall.connection_tracking.tcp_max_retrans_timeout }}) do={:put "tcp-max-retrans-timeout"; /ip firewall connection tracking set tcp-max-retrans-timeout={{ mikrotik_firewall.connection_tracking.tcp_max_retrans_timeout }} }
  when: mikrotik_firewall.connection_tracking.tcp_max_retrans_timeout is defined
  register: tcp_max_retrans_timeout
  changed_when: tcp_max_retrans_timeout.stdout_lines[0] is defined and tcp_max_retrans_timeout.stdout_lines[0] == "tcp-max-retrans-timeout"
  failed_when: tcp_max_retrans_timeout.stdout_lines[0] is defined and tcp_max_retrans_timeout.stdout_lines[0] != "tcp-max-retrans-timeout"

- name: "Setting tcp-unacked-timeout={{ mikrotik_firewall.connection_tracking.tcp_unacked_timeout }}"
  raw: :if ([/ip firewall connection tracking get tcp-unacked-timeout] != {{ mikrotik_firewall.connection_tracking.tcp_unacked_timeout }}) do={:put "tcp-unacked-timeout"; /ip firewall connection tracking set tcp-unacked-timeout={{ mikrotik_firewall.connection_tracking.tcp_unacked_timeout }} }
  when: mikrotik_firewall.connection_tracking.tcp_unacked_timeout is defined
  register: tcp_unacked_timeout
  changed_when: tcp_unacked_timeout.stdout_lines[0] is defined and tcp_unacked_timeout.stdout_lines[0] == "tcp-unacked-timeout"
  failed_when: tcp_unacked_timeout.stdout_lines[0] is defined and tcp_unacked_timeout.stdout_lines[0] != "tcp-unacked-timeout"

- name: "Setting udp-timeout={{ mikrotik_firewall.connection_tracking.udp_timeout }}"
  raw: :if ([/ip firewall connection tracking get udp-timeout] != {{ mikrotik_firewall.connection_tracking.udp_timeout }}) do={:put "udp-timeout"; /ip firewall connection tracking set udp-timeout={{ mikrotik_firewall.connection_tracking.udp_timeout }} }
  when: mikrotik_firewall.connection_tracking.udp_timeout is defined
  register: udp_timeout
  changed_when: udp_timeout.stdout_lines[0] is defined and udp_timeout.stdout_lines[0] == "udp-timeout"
  failed_when: udp_timeout.stdout_lines[0] is defined and udp_timeout.stdout_lines[0] != "udp-timeout"

- name: "Setting udp-stream-timeout={{ mikrotik_firewall.connection_tracking.udp_stream_timeout }}"
  raw: :if ([/ip firewall connection tracking get udp-stream-timeout] != {{ mikrotik_firewall.connection_tracking.udp_stream_timeout }}) do={:put "udp-stream-timeout"; /ip firewall connection tracking set udp-stream-timeout={{ mikrotik_firewall.connection_tracking.udp_stream_timeout }} }
  when: mikrotik_firewall.connection_tracking.udp_stream_timeout is defined
  register: udp_stream_timeout
  changed_when: udp_stream_timeout.stdout_lines[0] is defined and udp_stream_timeout.stdout_lines[0] == "udp-stream-timeout"
  failed_when: udp_stream_timeout.stdout_lines[0] is defined and udp_stream_timeout.stdout_lines[0] != "udp-stream-timeout"

- name: "Setting icmp-timeout={{ mikrotik_firewall.connection_tracking.icmp_timeout }}"
  raw: :if ([/ip firewall connection tracking get icmp-timeout] != {{ mikrotik_firewall.connection_tracking.icmp_timeout }}) do={:put "icmp-timeout"; /ip firewall connection tracking set icmp-timeout={{ mikrotik_firewall.connection_tracking.icmp_timeout }} }
  when: mikrotik_firewall.connection_tracking.icmp_timeout is defined
  register: icmp_timeout
  changed_when: icmp_timeout.stdout_lines[0] is defined and icmp_timeout.stdout_lines[0] == "icmp-timeout"
  failed_when: icmp_timeout.stdout_lines[0] is defined and icmp_timeout.stdout_lines[0] != "icmp-timeout"

- name: "Setting generic-timeout={{ mikrotik_firewall.connection_tracking.generic_timeout }}"
  raw: :if ([/ip firewall connection tracking get generic-timeout] != {{ mikrotik_firewall.connection_tracking.generic_timeout }}) do={:put "generic-timeout"; /ip firewall connection tracking set generic-timeout={{ mikrotik_firewall.connection_tracking.generic_timeout }} }
  when: mikrotik_firewall.connection_tracking.generic_timeout is defined
  register: generic_timeout
  changed_when: generic_timeout.stdout_lines[0] is defined and generic_timeout.stdout_lines[0] == "generic-timeout"
  failed_when: generic_timeout.stdout_lines[0] is defined and generic_timeout.stdout_lines[0] != "generic-timeout"
--------------------------------------------------------------------------------
/templates/raw.rsc.j2:
--------------------------------------------------------------------------------
{# Raw-table management, imported by tasks/raw.yml. remove_old_raw_rules == true
   wipes every static rule first; the "remove" below then deletes every
   dynamic=no rule that does not match one of the defined raw_rules (the role
   owns the table). NOTE(review): with raw_rules empty, the filter renders as
   "!( )" and what RouterOS does with that is not shown on this page; check a
   default run against a router that has raw rules. Values are inserted into
   the script without escaping, so they must come from trusted variables. #}
{% if mikrotik_firewall.remove_old_raw_rules == true %}
/ip firewall raw remove [/ip firewall raw find where dynamic=no]
{% endif %}


/ip firewall raw remove [/ip firewall raw find where !(\
{% for raw in mikrotik_firewall.raw_rules %}
{% if iter is defined %} or {% endif %}(chain="{{raw.chain}}" \
{% if raw.action is defined %}and action="{{raw.action}}" {%endif%}
{% if raw.fragment is defined
%}and fragment="{{raw.fragment}}" {%endif%} 11 | {% if raw.log_prefix is defined %}and log-prefix="{{raw.log_prefix}}" {%endif%} 12 | {% if raw.psd is defined %}and psd="{{raw.psd}}" {%endif%} 13 | {% if raw.address_list is defined %}and address-list="{{raw.address_list}}" {%endif%} 14 | {% if raw.hotspot is defined %}and hotspot="{{raw.hotspot}}" {%endif%} 15 | {% if raw.nth is defined %}and nth="{{raw.nth}}" {%endif%} 16 | {% if raw.random is defined %}and random="{{raw.random}}" {%endif%} 17 | {% if raw.address_list_timeout is defined %}and address-list-timeout="{{raw.address_list_timeout}}" {%endif%} 18 | {% if raw.icmp_options is defined %}and icmp-options="{{raw.icmp_options}}" {%endif%} 19 | {% if raw.out_bridge_port is defined %}and out-bridge-port="{{raw.out_bridge_port}}" {%endif%} 20 | {% if raw.src_address is defined %}and src-address="{{raw.src_address}}" {%endif%} 21 | {% if raw.comment is defined %}and comment="Ansible managed: [{{raw.comment}}]" {%endif%} 22 | {% if raw.in_bridge_port is defined %}and in-bridge-port="{{raw.in_bridge_port}}" {%endif%} 23 | {% if raw.out_bridge_port_list is defined %}and out-bridge-port-list="{{raw.out_bridge_port_list}}" {%endif%} 24 | {% if raw.src_address_list is defined %}and src-address-list="{{raw.src_address_list}}" {%endif%} 25 | {% if raw.content is defined %}and content="{{raw.content}}" {%endif%} 26 | {% if raw.in_bridge_port_list is defined %}and in-bridge-port-list="{{raw.in_bridge_port_list}}" {%endif%} 27 | {% if raw.out_interface is defined %}and out-interface="{{raw.out_interface}}" {%endif%} 28 | {% if raw.src_address_type is defined %}and src-address-type="{{raw.src_address_type}}" {%endif%} 29 | {% if raw.copy_from is defined %}and copy-from="{{raw.copy_from}}" {%endif%} 30 | {% if raw.in_interface is defined %}and in-interface="{{raw.in_interface}}" {%endif%} 31 | {% if raw.out_interface_list is defined %}and out-interface-list="{{raw.out_interface_list}}" {%endif%} 32 | {% if raw.src_mac_address 
is defined %}and src-mac-address="{{raw.src_mac_address}}" {%endif%} 33 | {% if raw.disabled is defined %}and disabled={{raw.disabled}} {%endif%} 34 | {% if raw.in_interface_list is defined %}and in-interface-list="{{raw.in_interface_list}}" {%endif%} 35 | {% if raw.packet_mark is defined %}and packet-mark="{{raw.packet_mark}}" {%endif%} 36 | {% if raw.src_port is defined %}and src-port="{{raw.src_port}}" {%endif%} 37 | {% if raw.dscp is defined %}and dscp="{{raw.dscp}}" {%endif%} 38 | {% if raw.ingress_priority is defined %}and ingress-priority="{{raw.ingress_priority}}" {%endif%} 39 | {% if raw.packet_size is defined %}and packet-size="{{raw.packet_size}}" {%endif%} 40 | {% if raw.tcp_flags is defined %}and tcp-flags="{{raw.tcp_flags}}" {%endif%} 41 | {% if raw.dst_address is defined %}and dst-address="{{raw.dst_address}}" {%endif%} 42 | {% if raw.ipsec_policy is defined %}and ipsec-policy="{{raw.ipsec_policy}}" {%endif%} 43 | {% if raw.per_connection_classifier is defined %}and per-connection-classifier="{{raw.per_connection_classifier}}" {%endif%} 44 | {% if raw.tcp_mss is defined %}and tcp-mss="{{raw.tcp_mss}}" {%endif%} 45 | {% if raw.dst_address_list is defined %}and dst-address-list="{{raw.dst_address_list}}" {%endif%} 46 | {% if raw.ipv4_options is defined %}and ipv4-options="{{raw.ipv4_options}}" {%endif%} 47 | {% if raw.place_before is defined %}and place-before="{{raw.place_before}}" {%endif%} 48 | {% if raw.time is defined %}and time="{{raw.time}}" {%endif%} 49 | {% if raw.dst_address_type is defined %}and dst-address-type="{{raw.dst_address_type}}" {%endif%} 50 | {% if raw.jump_target is defined %}and jump-target="{{raw.jump_target}}" {%endif%} 51 | {% if raw.port is defined %}and port="{{raw.port}}" {%endif%} 52 | {% if raw.ttl is defined %}and ttl="{{raw.ttl}}" {%endif%} 53 | {% if raw.dst_limit is defined %}and dst-limit="{{raw.dst_limit}}" {%endif%} 54 | {% if raw.limit is defined %}and limit="{{raw.limit}}" {%endif%} 55 | {% if raw.priority is 
defined %}and priority="{{raw.priority}}" {%endif%} 56 | {% if raw.dst_port is defined %}and dst-port="{{raw.dst_port}}" {%endif%} 57 | {% if raw.log is defined %}and log="{{raw.log}}" {%endif%} 58 | {% if raw.protocol is defined %}and protocol="{{raw.protocol}}" {%endif%}) \ 59 | {% set iter = true %} 60 | {%endfor%} 61 | ) and dynamic=no] 62 | 63 | {% for raw in mikrotik_firewall.raw_rules %} 64 | :if ([/ip firewall raw find chain="{{raw.chain}}" {% if raw.action is defined %}action="{{raw.action}}" {%endif%} 65 | {% if raw.fragment is defined %}fragment="{{raw.fragment}}" {%endif%} 66 | {% if raw.log_prefix is defined %}log-prefix="{{raw.log_prefix}}" {%endif%} 67 | {% if raw.psd is defined %}psd="{{raw.psd}}" {%endif%} 68 | {% if raw.address_list is defined %}address-list="{{raw.address_list}}" {%endif%} 69 | {% if raw.hotspot is defined %}hotspot="{{raw.hotspot}}" {%endif%} 70 | {% if raw.nth is defined %}nth="{{raw.nth}}" {%endif%} 71 | {% if raw.random is defined %}random="{{raw.random}}" {%endif%} 72 | {% if raw.address_list_timeout is defined %}address-list-timeout="{{raw.address_list_timeout}}" {%endif%} 73 | {% if raw.icmp_options is defined %}icmp-options="{{raw.icmp_options}}" {%endif%} 74 | {% if raw.out_bridge_port is defined %}out-bridge-port="{{raw.out_bridge_port}}" {%endif%} 75 | {% if raw.src_address is defined %}src-address="{{raw.src_address}}" {%endif%} 76 | {% if raw.comment is defined %}comment="Ansible managed: [{{raw.comment}}]" {%endif%} 77 | {% if raw.in_bridge_port is defined %}in-bridge-port="{{raw.in_bridge_port}}" {%endif%} 78 | {% if raw.out_bridge_port_list is defined %}out-bridge-port-list="{{raw.out_bridge_port_list}}" {%endif%} 79 | {% if raw.src_address_list is defined %}src-address-list="{{raw.src_address_list}}" {%endif%} 80 | {% if raw.content is defined %}content="{{raw.content}}" {%endif%} 81 | {% if raw.in_bridge_port_list is defined %}in-bridge-port-list="{{raw.in_bridge_port_list}}" {%endif%} 82 | {% if 
raw.out_interface is defined %}out-interface="{{raw.out_interface}}" {%endif%} 83 | {% if raw.src_address_type is defined %}src-address-type="{{raw.src_address_type}}" {%endif%} 84 | {% if raw.copy_from is defined %}copy-from="{{raw.copy_from}}" {%endif%} 85 | {% if raw.in_interface is defined %}in-interface="{{raw.in_interface}}" {%endif%} 86 | {% if raw.out_interface_list is defined %}out-interface-list="{{raw.out_interface_list}}" {%endif%} 87 | {% if raw.src_mac_address is defined %}src-mac-address="{{raw.src_mac_address}}" {%endif%} 88 | {% if raw.disabled is defined %}disabled={{raw.disabled}} {%endif%} 89 | {% if raw.in_interface_list is defined %}in-interface-list="{{raw.in_interface_list}}" {%endif%} 90 | {% if raw.packet_mark is defined %}packet-mark="{{raw.packet_mark}}" {%endif%} 91 | {% if raw.src_port is defined %}src-port="{{raw.src_port}}" {%endif%} 92 | {% if raw.dscp is defined %}dscp="{{raw.dscp}}" {%endif%} 93 | {% if raw.ingress_priority is defined %}ingress-priority="{{raw.ingress_priority}}" {%endif%} 94 | {% if raw.packet_size is defined %}packet-size="{{raw.packet_size}}" {%endif%} 95 | {% if raw.tcp_flags is defined %}tcp-flags="{{raw.tcp_flags}}" {%endif%} 96 | {% if raw.dst_address is defined %}dst-address="{{raw.dst_address}}" {%endif%} 97 | {% if raw.ipsec_policy is defined %}ipsec-policy="{{raw.ipsec_policy}}" {%endif%} 98 | {% if raw.per_connection_classifier is defined %}per-connection-classifier="{{raw.per_connection_classifier}}" {%endif%} 99 | {% if raw.tcp_mss is defined %}tcp-mss="{{raw.tcp_mss}}" {%endif%} 100 | {% if raw.dst_address_list is defined %}dst-address-list="{{raw.dst_address_list}}" {%endif%} 101 | {% if raw.ipv4_options is defined %}ipv4-options="{{raw.ipv4_options}}" {%endif%} 102 | {% if raw.place_before is defined %}place-before="{{raw.place_before}}" {%endif%} 103 | {% if raw.time is defined %}time="{{raw.time}}" {%endif%} 104 | {% if raw.dst_address_type is defined 
%}dst-address-type="{{raw.dst_address_type}}" {%endif%} 105 | {% if raw.jump_target is defined %}jump-target="{{raw.jump_target}}" {%endif%} 106 | {% if raw.port is defined %}port="{{raw.port}}" {%endif%} 107 | {% if raw.ttl is defined %}ttl="{{raw.ttl}}" {%endif%} 108 | {% if raw.dst_limit is defined %}dst-limit="{{raw.dst_limit}}" {%endif%} 109 | {% if raw.limit is defined %}limit="{{raw.limit}}" {%endif%} 110 | {% if raw.priority is defined %}priority="{{raw.priority}}" {%endif%} 111 | {% if raw.dst_port is defined %}dst-port="{{raw.dst_port}}" {%endif%} 112 | {% if raw.log is defined %}log="{{raw.log}}" {%endif%} 113 | {% if raw.protocol is defined %}protocol="{{raw.protocol}}" {%endif%}] = "") do={ 114 | /ip firewall raw add chain={{raw.chain}} {% if raw.action is defined %}action={{raw.action}} {%endif%} 115 | {% if raw.fragment is defined %}fragment={{raw.fragment}} {%endif%} 116 | {% if raw.log_prefix is defined %}log-prefix="{{raw.log_prefix}}" {%endif%} 117 | {% if raw.psd is defined %}psd={{raw.psd}} {%endif%} 118 | {% if raw.address_list is defined %}address-list={{raw.address_list}} {%endif%} 119 | {% if raw.hotspot is defined %}hotspot={{raw.hotspot}} {%endif%} 120 | {% if raw.nth is defined %}nth={{raw.nth}} {%endif%} 121 | {% if raw.random is defined %}random={{raw.random}} {%endif%} 122 | {% if raw.address_list_timeout is defined %}address-list-timeout={{raw.address_list_timeout}} {%endif%} 123 | {% if raw.icmp_options is defined %}icmp-options={{raw.icmp_options}} {%endif%} 124 | {% if raw.out_bridge_port is defined %}out-bridge-port={{raw.out_bridge_port}} {%endif%} 125 | {% if raw.src_address is defined %}src-address={{raw.src_address}} {%endif%} 126 | {% if raw.comment is defined %}comment="Ansible managed: [{{raw.comment}}]" {%endif%} 127 | {% if raw.in_bridge_port is defined %}in-bridge-port={{raw.in_bridge_port}} {%endif%} 128 | {% if raw.out_bridge_port_list is defined %}out-bridge-port-list={{raw.out_bridge_port_list}} {%endif%} 129 | {% 
if raw.src_address_list is defined %}src-address-list={{raw.src_address_list}} {%endif%} 130 | {% if raw.content is defined %}content={{raw.content}} {%endif%} 131 | {% if raw.in_bridge_port_list is defined %}in-bridge-port-list={{raw.in_bridge_port_list}} {%endif%} 132 | {% if raw.out_interface is defined %}out-interface={{raw.out_interface}} {%endif%} 133 | {% if raw.src_address_type is defined %}src-address-type={{raw.src_address_type}} {%endif%} 134 | {% if raw.copy_from is defined %}copy-from={{raw.copy_from}} {%endif%} 135 | {% if raw.in_interface is defined %}in-interface={{raw.in_interface}} {%endif%} 136 | {% if raw.out_interface_list is defined %}out-interface-list={{raw.out_interface_list}} {%endif%} 137 | {% if raw.src_mac_address is defined %}src-mac-address={{raw.src_mac_address}} {%endif%} 138 | {% if raw.disabled is defined %}disabled={{raw.disabled}} {%endif%} 139 | {% if raw.in_interface_list is defined %}in-interface-list={{raw.in_interface_list}} {%endif%} 140 | {% if raw.packet_mark is defined %}packet-mark={{raw.packet_mark}} {%endif%} 141 | {% if raw.src_port is defined %}src-port={{raw.src_port}} {%endif%} 142 | {% if raw.dscp is defined %}dscp={{raw.dscp}} {%endif%} 143 | {% if raw.ingress_priority is defined %}ingress-priority={{raw.ingress_priority}} {%endif%} 144 | {% if raw.packet_size is defined %}packet-size={{raw.packet_size}} {%endif%} 145 | {% if raw.tcp_flags is defined %}tcp-flags={{raw.tcp_flags}} {%endif%} 146 | {% if raw.dst_address is defined %}dst-address={{raw.dst_address}} {%endif%} 147 | {% if raw.ipsec_policy is defined %}ipsec-policy={{raw.ipsec_policy}} {%endif%} 148 | {% if raw.per_connection_classifier is defined %}per-connection-classifier={{raw.per_connection_classifier}} {%endif%} 149 | {% if raw.tcp_mss is defined %}tcp-mss={{raw.tcp_mss}} {%endif%} 150 | {% if raw.dst_address_list is defined %}dst-address-list={{raw.dst_address_list}} {%endif%} 151 | {% if raw.ipv4_options is defined 
%}ipv4-options={{raw.ipv4_options}} {%endif%} 152 | {% if raw.place_before is defined %}place-before={{raw.place_before}} {%endif%} 153 | {% if raw.time is defined %}time={{raw.time}} {%endif%} 154 | {% if raw.dst_address_type is defined %}dst-address-type={{raw.dst_address_type}} {%endif%} 155 | {% if raw.jump_target is defined %}jump-target={{raw.jump_target}} {%endif%} 156 | {% if raw.port is defined %}port={{raw.port}} {%endif%} 157 | {% if raw.ttl is defined %}ttl={{raw.ttl}} {%endif%} 158 | {% if raw.dst_limit is defined %}dst-limit={{raw.dst_limit}} {%endif%} 159 | {% if raw.limit is defined %}limit={{raw.limit}} {%endif%} 160 | {% if raw.priority is defined %}priority={{raw.priority}} {%endif%} 161 | {% if raw.dst_port is defined %}dst-port={{raw.dst_port}} {%endif%} 162 | {% if raw.log is defined %}log={{raw.log}} {%endif%} 163 | {% if raw.protocol is defined %}protocol={{raw.protocol}} {%endif%} 164 | } 165 | {%endfor%} 166 | -------------------------------------------------------------------------------- /templates/nat.rsc.j2: -------------------------------------------------------------------------------- 1 | {% if mikrotik_firewall.remove_old_nat_rules == true %} 2 | /ip firewall nat remove [/ip firewall nat find where dynamic=no] 3 | {% endif %} 4 | # Remove not defined 5 | /ip firewall nat remove [/ip firewall nat find where !(\ 6 | {% for nat in mikrotik_firewall.nat_rules %}{% if iter is defined %} or {% endif %}(chain="{{nat.chain}}" \ 7 | {% if nat.action is defined %}and action="{{nat.action}}" {%endif%} 8 | {% if nat.hotspot is defined %}and hotspot="{{nat.hotspot}}" {%endif%} 9 | {% if nat.out_bridge_port is defined %}and out-bridge-port="{{nat.out_bridge_port}}" {%endif%} 10 | {% if nat.same_not_by_dst is defined %}and same-not-by-dst="{{nat.same_not_by_dst}}" {%endif%} 11 | {% if nat.address_list is defined %}and address-list="{{nat.address_list}}" {%endif%} 12 | {% if nat.icmp_options is defined %}and icmp-options="{{nat.icmp_options}}" 
{%endif%} 13 | {% if nat.out_bridge_port_list is defined %}and out-bridge-port-list="{{nat.out_bridge_port_list}}" {%endif%} 14 | {% if nat.src_address is defined %}and src-address="{{nat.src_address}}" {%endif%} 15 | {% if nat.address_list_timeout is defined %}and address-list-timeout="{{nat.address_list_timeout}}" {%endif%} 16 | {% if nat.in_bridge_port is defined %}and in-bridge-port="{{nat.in_bridge_port}}" {%endif%} 17 | {% if nat.out_interface is defined %}and out-interface="{{nat.out_interface}}" {%endif%} 18 | {% if nat.src_address_list is defined %}and src-address-list="{{nat.src_address_list}}" {%endif%} 19 | {% if nat.comment is defined %}and comment="Ansible managed: [{{nat.comment}}]" {%endif%} 20 | {% if nat.in_bridge_port_list is defined %}and in-bridge-port-list="{{nat.in_bridge_port_list}}" {%endif%} 21 | {% if nat.out_interface_list is defined %}and out-interface-list="{{nat.out_interface_list}}" {%endif%} 22 | {% if nat.src_address_type is defined %}and src-address-type="{{nat.src_address_type}}" {%endif%} 23 | {% if nat.connection_bytes is defined %}and connection-bytes="{{nat.connection_bytes}}" {%endif%} 24 | {% if nat.connection_limit is defined %}and connection-limit="{{nat.connection_limit}}" {%endif%} 25 | {% if nat.connection_mark is defined %}and connection-mark="{{nat.connection_mark}}" {%endif%} 26 | {% if nat.connection_rate is defined %}and connection-rate="{{nat.connection_rate}}" {%endif%} 27 | {% if nat.connection_type is defined %}and connection-type="{{nat.connection_type}}" {%endif%} 28 | {% if nat.in_interface is defined %}and in-interface="{{nat.in_interface}}" {%endif%} 29 | {% if nat.packet_mark is defined %}and packet-mark="{{nat.packet_mark}}" {%endif%} 30 | {% if nat.src_mac_address is defined %}and src-mac-address="{{nat.src_mac_address}}" {%endif%} 31 | {% if nat.content is defined %}and content="{{nat.content}}" {%endif%} 32 | {% if nat.in_interface_list is defined %}and in-interface-list="{{nat.in_interface_list}}" 
{%endif%} 33 | {% if nat.packet_size is defined %}and packet-size="{{nat.packet_size}}" {%endif%} 34 | {% if nat.src_port is defined %}and src-port="{{nat.src_port}}" {%endif%} 35 | {% if nat.copy_from is defined %}and copy-from="{{nat.copy_from}}" {%endif%} 36 | {% if nat.ingress_priority is defined %}and ingress-priority="{{nat.ingress_priority}}" {%endif%} 37 | {% if nat.per_connection_classifier is defined %}and per-connection-classifier="{{nat.per_connection_classifier}}" {%endif%} 38 | {% if nat.tcp_mss is defined %}and tcp-mss="{{nat.tcp_mss}}" {%endif%} 39 | {% if nat.disabled is defined %}and disabled={{nat.disabled}} {%endif%} 40 | {% if nat.ipsec_policy is defined %}and ipsec-policy="{{nat.ipsec_policy}}" {%endif%} 41 | {% if nat.place_before is defined %}and place-before="{{nat.place_before}}" {%endif%} 42 | {% if nat.time is defined %}and time="{{nat.time}}" {%endif%} 43 | {% if nat.dscp is defined %}and dscp="{{nat.dscp}}" {%endif%} 44 | {% if nat.ipv4_options is defined %}and ipv4-options="{{nat.ipv4_options}}" {%endif%} 45 | {% if nat.port is defined %}and port="{{nat.port}}" {%endif%} 46 | {% if nat.to_addresses is defined %}and to-addresses="{{nat.to_addresses}}" {%endif%} 47 | {% if nat.dst_address is defined %}and dst-address="{{nat.dst_address}}" {%endif%} 48 | {% if nat.jump_target is defined %}and jump-target="{{nat.jump_target}}" {%endif%} 49 | {% if nat.priority is defined %}and priority="{{nat.priority}}" {%endif%} 50 | {% if nat.to_ports is defined %}and to-ports="{{nat.to_ports}}" {%endif%} 51 | {% if nat.dst_address_list is defined %}and dst-address-list="{{nat.dst_address_list}}" {%endif%} 52 | {% if nat.layer7_protocol is defined %}and layer7-protocol="{{nat.layer7_protocol}}" {%endif%} 53 | {% if nat.protocol is defined %}and protocol="{{nat.protocol}}" {%endif%} 54 | {% if nat.ttl is defined %}and ttl="{{nat.ttl}}" {%endif%} 55 | {% if nat.dst_address_type is defined %}and dst-address-type="{{nat.dst_address_type}}" {%endif%} 56 | 
{% if nat.limit is defined %}and limit="{{nat.limit}}" {%endif%} 57 | {% if nat.psd is defined %}and psd="{{nat.psd}}" {%endif%} 58 | {% if nat.dst_limit is defined %}and dst-limit="{{nat.dst_limit}}" {%endif%} 59 | {% if nat.log is defined %}and log="{{nat.log}}" {%endif%} 60 | {% if nat.random is defined %}and random="{{nat.random}}" {%endif%} 61 | {% if nat.dst_port is defined %}and dst-port="{{nat.dst_port}}" {%endif%} 62 | {% if nat.log_prefix is defined %}and log-prefix="{{nat.log_prefix}}" {%endif%} 63 | {% if nat.routing_mark is defined %}and routing-mark="{{nat.routing_mark}}" {%endif%} 64 | {% if nat.fragment is defined %}and fragment="{{nat.fragment}}" {%endif%} 65 | {% if nat.nth is defined %}and nth="{{nat.nth}}" {%endif%} 66 | {% if nat.routing_table is defined %}and routing-table="{{nat.routing_table}}" {%endif%}) \ 67 | {% set iter = true %} 68 | {%endfor%} 69 | ) and dynamic=no] 70 | # ADD 71 | {% for nat in mikrotik_firewall.nat_rules %} 72 | :if ([/ip firewall nat find chain="{{nat.chain}}" {% if nat.action is defined %}action="{{nat.action}}" {%endif%} 73 | {% if nat.hotspot is defined %}hotspot="{{nat.hotspot}}" {%endif%} 74 | {% if nat.out_bridge_port is defined %}out-bridge-port="{{nat.out_bridge_port}}" {%endif%} 75 | {% if nat.same_not_by_dst is defined %}same-not-by-dst="{{nat.same_not_by_dst}}" {%endif%} 76 | {% if nat.address_list is defined %}address-list="{{nat.address_list}}" {%endif%} 77 | {% if nat.icmp_options is defined %}icmp-options="{{nat.icmp_options}}" {%endif%} 78 | {% if nat.out_bridge_port_list is defined %}out-bridge-port-list="{{nat.out_bridge_port_list}}" {%endif%} 79 | {% if nat.src_address is defined %}src-address="{{nat.src_address}}" {%endif%} 80 | {% if nat.address_list_timeout is defined %}address-list-timeout="{{nat.address_list_timeout}}" {%endif%} 81 | {% if nat.in_bridge_port is defined %}in-bridge-port="{{nat.in_bridge_port}}" {%endif%} 82 | {% if nat.out_interface is defined 
%}out-interface="{{nat.out_interface}}" {%endif%} 83 | {% if nat.src_address_list is defined %}src-address-list="{{nat.src_address_list}}" {%endif%} 84 | {% if nat.comment is defined %}comment="Ansible managed: [{{nat.comment}}]" {%endif%} 85 | {% if nat.in_bridge_port_list is defined %}in-bridge-port-list="{{nat.in_bridge_port_list}}" {%endif%} 86 | {% if nat.out_interface_list is defined %}out-interface-list="{{nat.out_interface_list}}" {%endif%} 87 | {% if nat.src_address_type is defined %}src-address-type="{{nat.src_address_type}}" {%endif%} 88 | {% if nat.connection_bytes is defined %}connection-bytes="{{nat.connection_bytes}}" {%endif%} 89 | {% if nat.connection_limit is defined %}connection-limit="{{nat.connection_limit}}" {%endif%} 90 | {% if nat.connection_mark is defined %}connection-mark="{{nat.connection_mark}}" {%endif%} 91 | {% if nat.connection_rate is defined %}connection-rate="{{nat.connection_rate}}" {%endif%} 92 | {% if nat.connection_type is defined %}connection-type="{{nat.connection_type}}" {%endif%} 93 | {% if nat.in_interface is defined %}in-interface="{{nat.in_interface}}" {%endif%} 94 | {% if nat.packet_mark is defined %}packet-mark="{{nat.packet_mark}}" {%endif%} 95 | {% if nat.src_mac_address is defined %}src-mac-address="{{nat.src_mac_address}}" {%endif%} 96 | {% if nat.content is defined %}content="{{nat.content}}" {%endif%} 97 | {% if nat.in_interface_list is defined %}in-interface-list="{{nat.in_interface_list}}" {%endif%} 98 | {% if nat.packet_size is defined %}packet-size="{{nat.packet_size}}" {%endif%} 99 | {% if nat.src_port is defined %}src-port="{{nat.src_port}}" {%endif%} 100 | {% if nat.copy_from is defined %}copy-from="{{nat.copy_from}}" {%endif%} 101 | {% if nat.ingress_priority is defined %}ingress-priority="{{nat.ingress_priority}}" {%endif%} 102 | {% if nat.per_connection_classifier is defined %}per-connection-classifier="{{nat.per_connection_classifier}}" {%endif%} 103 | {% if nat.tcp_mss is defined 
%}tcp-mss="{{nat.tcp_mss}}" {%endif%} 104 | {% if nat.disabled is defined %}disabled={{nat.disabled}} {%endif%} 105 | {% if nat.ipsec_policy is defined %}ipsec-policy="{{nat.ipsec_policy}}" {%endif%} 106 | {% if nat.place_before is defined %}place-before="{{nat.place_before}}" {%endif%} 107 | {% if nat.time is defined %}time="{{nat.time}}" {%endif%} 108 | {% if nat.dscp is defined %}dscp="{{nat.dscp}}" {%endif%} 109 | {% if nat.ipv4_options is defined %}ipv4-options="{{nat.ipv4_options}}" {%endif%} 110 | {% if nat.port is defined %}port="{{nat.port}}" {%endif%} 111 | {% if nat.to_addresses is defined %}to-addresses="{{nat.to_addresses}}" {%endif%} 112 | {% if nat.dst_address is defined %}dst-address="{{nat.dst_address}}" {%endif%} 113 | {% if nat.jump_target is defined %}jump-target="{{nat.jump_target}}" {%endif%} 114 | {% if nat.priority is defined %}priority="{{nat.priority}}" {%endif%} 115 | {% if nat.to_ports is defined %}to-ports="{{nat.to_ports}}" {%endif%} 116 | {% if nat.dst_address_list is defined %}dst-address-list="{{nat.dst_address_list}}" {%endif%} 117 | {% if nat.layer7_protocol is defined %}layer7-protocol="{{nat.layer7_protocol}}" {%endif%} 118 | {% if nat.protocol is defined %}protocol="{{nat.protocol}}" {%endif%} 119 | {% if nat.ttl is defined %}ttl="{{nat.ttl}}" {%endif%} 120 | {% if nat.dst_address_type is defined %}dst-address-type="{{nat.dst_address_type}}" {%endif%} 121 | {% if nat.limit is defined %}limit="{{nat.limit}}" {%endif%} 122 | {% if nat.psd is defined %}psd="{{nat.psd}}" {%endif%} 123 | {% if nat.dst_limit is defined %}dst-limit="{{nat.dst_limit}}" {%endif%} 124 | {% if nat.log is defined %}log="{{nat.log}}" {%endif%} 125 | {% if nat.random is defined %}random="{{nat.random}}" {%endif%} 126 | {% if nat.dst_port is defined %}dst-port="{{nat.dst_port}}" {%endif%} 127 | {% if nat.log_prefix is defined %}log-prefix="{{nat.log_prefix}}" {%endif%} 128 | {% if nat.routing_mark is defined %}routing-mark="{{nat.routing_mark}}" {%endif%} 129 
| {% if nat.fragment is defined %}fragment="{{nat.fragment}}" {%endif%} 130 | {% if nat.nth is defined %}nth="{{nat.nth}}" {%endif%} 131 | {% if nat.routing_table is defined %}routing-table="{{nat.routing_table}}" {%endif%}] = "") do={ 132 | /ip firewall nat add chain={{nat.chain}} {% if nat.action is defined %}action={{nat.action}} {%endif%} 133 | {% if nat.hotspot is defined %}hotspot={{nat.hotspot}} {%endif%} 134 | {% if nat.out_bridge_port is defined %}out-bridge-port={{nat.out_bridge_port}} {%endif%} 135 | {% if nat.same_not_by_dst is defined %}same-not-by-dst={{nat.same_not_by_dst}} {%endif%} 136 | {% if nat.address_list is defined %}address-list={{nat.address_list}} {%endif%} 137 | {% if nat.icmp_options is defined %}icmp-options={{nat.icmp_options}} {%endif%} 138 | {% if nat.out_bridge_port_list is defined %}out-bridge-port-list={{nat.out_bridge_port_list}} {%endif%} 139 | {% if nat.src_address is defined %}src-address={{nat.src_address}} {%endif%} 140 | {% if nat.address_list_timeout is defined %}address-list-timeout={{nat.address_list_timeout}} {%endif%} 141 | {% if nat.in_bridge_port is defined %}in-bridge-port={{nat.in_bridge_port}} {%endif%} 142 | {% if nat.out_interface is defined %}out-interface={{nat.out_interface}} {%endif%} 143 | {% if nat.src_address_list is defined %}src-address-list={{nat.src_address_list}} {%endif%} 144 | {% if nat.comment is defined %}comment="Ansible managed: [{{nat.comment}}]" {%endif%} 145 | {% if nat.in_bridge_port_list is defined %}in-bridge-port-list={{nat.in_bridge_port_list}} {%endif%} 146 | {% if nat.out_interface_list is defined %}out-interface-list={{nat.out_interface_list}} {%endif%} 147 | {% if nat.src_address_type is defined %}src-address-type={{nat.src_address_type}} {%endif%} 148 | {% if nat.connection_bytes is defined %}connection-bytes={{nat.connection_bytes}} {%endif%} 149 | {% if nat.connection_limit is defined %}connection-limit={{nat.connection_limit}} {%endif%} 150 | {% if nat.connection_mark is defined 
%}connection-mark={{nat.connection_mark}} {%endif%} 151 | {% if nat.connection_rate is defined %}connection-rate={{nat.connection_rate}} {%endif%} 152 | {% if nat.connection_type is defined %}connection-type={{nat.connection_type}} {%endif%} 153 | {% if nat.in_interface is defined %}in-interface={{nat.in_interface}} {%endif%} 154 | {% if nat.packet_mark is defined %}packet-mark={{nat.packet_mark}} {%endif%} 155 | {% if nat.src_mac_address is defined %}src-mac-address={{nat.src_mac_address}} {%endif%} 156 | {% if nat.content is defined %}content={{nat.content}} {%endif%} 157 | {% if nat.in_interface_list is defined %}in-interface-list={{nat.in_interface_list}} {%endif%} 158 | {% if nat.packet_size is defined %}packet-size={{nat.packet_size}} {%endif%} 159 | {% if nat.src_port is defined %}src-port={{nat.src_port}} {%endif%} 160 | {% if nat.copy_from is defined %}copy-from={{nat.copy_from}} {%endif%} 161 | {% if nat.ingress_priority is defined %}ingress-priority={{nat.ingress_priority}} {%endif%} 162 | {% if nat.per_connection_classifier is defined %}per-connection-classifier={{nat.per_connection_classifier}} {%endif%} 163 | {% if nat.tcp_mss is defined %}tcp-mss={{nat.tcp_mss}} {%endif%} 164 | {% if nat.disabled is defined %}disabled={{nat.disabled}} {%endif%} 165 | {% if nat.ipsec_policy is defined %}ipsec-policy={{nat.ipsec_policy}} {%endif%} 166 | {% if nat.place_before is defined %}place-before={{nat.place_before}} {%endif%} 167 | {% if nat.time is defined %}time={{nat.time}} {%endif%} 168 | {% if nat.dscp is defined %}dscp={{nat.dscp}} {%endif%} 169 | {% if nat.ipv4_options is defined %}ipv4-options={{nat.ipv4_options}} {%endif%} 170 | {% if nat.port is defined %}port={{nat.port}} {%endif%} 171 | {% if nat.to_addresses is defined %}to-addresses={{nat.to_addresses}} {%endif%} 172 | {% if nat.dst_address is defined %}dst-address={{nat.dst_address}} {%endif%} 173 | {% if nat.jump_target is defined %}jump-target={{nat.jump_target}} {%endif%} 174 | {% if 
nat.priority is defined %}priority={{nat.priority}} {%endif%} 175 | {% if nat.to_ports is defined %}to-ports={{nat.to_ports}} {%endif%} 176 | {% if nat.dst_address_list is defined %}dst-address-list={{nat.dst_address_list}} {%endif%} 177 | {% if nat.layer7_protocol is defined %}layer7-protocol={{nat.layer7_protocol}} {%endif%} 178 | {% if nat.protocol is defined %}protocol={{nat.protocol}} {%endif%} 179 | {% if nat.ttl is defined %}ttl={{nat.ttl}} {%endif%} 180 | {% if nat.dst_address_type is defined %}dst-address-type={{nat.dst_address_type}} {%endif%} 181 | {% if nat.limit is defined %}limit={{nat.limit}} {%endif%} 182 | {% if nat.psd is defined %}psd={{nat.psd}} {%endif%} 183 | {% if nat.dst_limit is defined %}dst-limit={{nat.dst_limit}} {%endif%} 184 | {% if nat.log is defined %}log={{nat.log}} {%endif%} 185 | {% if nat.random is defined %}random={{nat.random}} {%endif%} 186 | {% if nat.dst_port is defined %}dst-port={{nat.dst_port}} {%endif%} 187 | {% if nat.log_prefix is defined %}log-prefix={{nat.log_prefix}} {%endif%} 188 | {% if nat.routing_mark is defined %}routing-mark={{nat.routing_mark}} {%endif%} 189 | {% if nat.fragment is defined %}fragment={{nat.fragment}} {%endif%} 190 | {% if nat.nth is defined %}nth={{nat.nth}} {%endif%} 191 | {% if nat.routing_table is defined %}routing-table={{nat.routing_table}} {%endif%} 192 | } 193 | {%endfor%} 194 | -------------------------------------------------------------------------------- /templates/filter.rsc.j2: -------------------------------------------------------------------------------- 1 | {% if mikrotik_firewall.remove_old_filter_rules == true %} 2 | /ip firewall filter remove [/ip firewall filter find where dynamic=no] 3 | {% endif %} 4 | # Remove not defined 5 | /ip firewall filter remove [/ip firewall filter find where !(\ 6 | {% for filter in mikrotik_firewall.filter_rules %} 7 | {% if iter is defined %} or {% endif %}(chain="{{filter.chain}}" \ 8 | {% if filter.action is defined %}and 
action="{{filter.action}}" {%endif%} 9 | {% if filter.hotspot is defined %}and hotspot="{{filter.hotspot}}" {%endif%} 10 | {% if filter.out_bridge_port is defined %}and out-bridge-port="{{filter.out_bridge_port}}" {%endif%} 11 | {% if filter.routing_mark is defined %}and routing-mark="{{filter.routing_mark}}" {%endif%} 12 | {% if filter.address_list is defined %}and address-list="{{filter.address_list}}" {%endif%} 13 | {% if filter.icmp_options is defined %}and icmp-options="{{filter.icmp_options}}" {%endif%} 14 | {% if filter.out_bridge_port_list is defined %}and out-bridge-port-list="{{filter.out_bridge_port_list}}" {%endif%} 15 | {% if filter.routing_table is defined %}and routing-table="{{filter.routing_table}}" {%endif%} 16 | {% if filter.address_list_timeout is defined %}and address-list-timeout="{{filter.address_list_timeout}}" {%endif%} 17 | {% if filter.in_bridge_port is defined %}and in-bridge-port="{{filter.in_bridge_port}}" {%endif%} 18 | {% if filter.out_interface is defined %}and out-interface="{{filter.out_interface}}" {%endif%} 19 | {% if filter.src_address is defined %}and src-address="{{filter.src_address}}" {%endif%} 20 | {% if filter.comment is defined %}and comment="Ansible managed: [{{filter.comment}}]" {%endif%} 21 | {% if filter.in_bridge_port_list is defined %}and in-bridge-port-list="{{filter.in_bridge_port_list}}" {%endif%} 22 | {% if filter.out_interface_list is defined %}and out-interface-list="{{filter.out_interface_list}}" {%endif%} 23 | {% if filter.src_address_list is defined %}and src-address-list="{{filter.src_address_list}}" {%endif%} 24 | {% if filter.connection_bytes is defined %}and connection-bytes="{{filter.connection_bytes}}" {%endif%} 25 | {% if filter.connection_mark is defined %}and connection-mark="{{filter.connection_mark}}" {%endif%} 26 | {% if filter.connection_rate is defined %}and connection-rate="{{filter.connection_rate}}" {%endif%} 27 | {% if filter.connection_type is defined %}and 
connection-type="{{filter.connection_type}}" {%endif%} 28 | {% if filter.connection_limit is defined %}and connection-limit="{{filter.connection_limit}}" {%endif%} 29 | {% if filter.connection_nat_state is defined %}and connection-nat-state="{{filter.connection_nat_state}}" {%endif%} 30 | {% if filter.connection_state is defined %}and connection-state="{{filter.connection_state}}" {%endif%} 31 | {% if filter.in_interface is defined %}and in-interface="{{filter.in_interface}}" {%endif%} 32 | {% if filter.p2p is defined %}and p2p="{{filter.p2p}}" {%endif%} 33 | {% if filter.src_address_type is defined %}and src-address-type="{{filter.src_address_type}}" {%endif%} 34 | {% if filter.content is defined %}and content="{{filter.content}}" {%endif%} 35 | {% if filter.in_interface_list is defined %}and in-interface-list="{{filter.in_interface_list}}" {%endif%} 36 | {% if filter.packet_mark is defined %}and packet-mark="{{filter.packet_mark}}" {%endif%} 37 | {% if filter.src_mac_address is defined %}and src-mac-address="{{filter.src_mac_address}}" {%endif%} 38 | {% if filter.copy_from is defined %}and copy-from="{{filter.copy_from}}" {%endif%} 39 | {% if filter.ingress_priority is defined %}and ingress-priority="{{filter.ingress_priority}}" {%endif%} 40 | {% if filter.packet_size is defined %}and packet-size="{{filter.packet_size}}" {%endif%} 41 | {% if filter.src_port is defined %}and src-port="{{filter.src_port}}" {%endif%} 42 | {% if filter.disabled is defined %}and disabled={{filter.disabled}} {%endif%} 43 | {% if filter.ipsec_policy is defined %}and ipsec-policy="{{filter.ipsec_policy}}" {%endif%} 44 | {% if filter.per_connection_classifier is defined %}and per-connection-classifier="{{filter.per_connection_classifier}}" {%endif%} 45 | {% if filter.tcp_flags is defined %}and tcp-flags="{{filter.tcp_flags}}" {%endif%} 46 | {% if filter.dscp is defined %}and dscp="{{filter.dscp}}" {%endif%} 47 | {% if filter.ipv4_options is defined %}and 
ipv4-options="{{filter.ipv4_options}}" {%endif%} 48 | {% if filter.place_before is defined %}and place-before="{{filter.place_before}}" {%endif%} 49 | {% if filter.tcp_mss is defined %}and tcp-mss="{{filter.tcp_mss}}" {%endif%} 50 | {% if filter.dst_address is defined %}and dst-address="{{filter.dst_address}}" {%endif%} 51 | {% if filter.jump_target is defined %}and jump-target="{{filter.jump_target}}" {%endif%} 52 | {% if filter.port is defined %}and port="{{filter.port}}" {%endif%} 53 | {% if filter.time is defined %}and time="{{filter.time}}" {%endif%} 54 | {% if filter.dst_address_list is defined %}and dst-address-list="{{filter.dst_address_list}}" {%endif%} 55 | {% if filter.layer7_protocol is defined %}and layer7-protocol="{{filter.layer7_protocol}}" {%endif%} 56 | {% if filter.priority is defined %}and priority="{{filter.priority}}" {%endif%} 57 | {% if filter.ttl is defined %}and ttl="{{filter.ttl}}" {%endif%} 58 | {% if filter.dst_address_type is defined %}and dst-address-type="{{filter.dst_address_type}}" {%endif%} 59 | {% if filter.limit is defined %}and limit="{{filter.limit}}" {%endif%} 60 | {% if filter.protocol is defined %}and protocol="{{filter.protocol}}" {%endif%} 61 | {% if filter.dst_limit is defined %}and dst-limit="{{filter.dst_limit}}" {%endif%} 62 | {% if filter.log is defined %}and log="{{filter.log}}" {%endif%} 63 | {% if filter.psd is defined %}and psd="{{filter.psd}}" {%endif%} 64 | {% if filter.dst_port is defined %}and dst-port="{{filter.dst_port}}" {%endif%} 65 | {% if filter.log_prefix is defined %}and log-prefix="{{filter.log_prefix}}" {%endif%} 66 | {% if filter.random is defined %}and random="{{filter.random}}" {%endif%} 67 | {% if filter.fragment is defined %}and fragment="{{filter.fragment}}" {%endif%} 68 | {% if filter.nth is defined %}and nth="{{filter.nth}}" {%endif%} 69 | {% if filter.reject_with is defined %}and reject-with="{{filter.reject_with}}" {%endif%}) \ 70 | {% set iter = true %} 71 | {%endfor%} 72 | ) and 
dynamic=no]

{# Add missing rules: each configured filter rule is looked up with every property it
   defines (quoted form, `disabled` left bare) and is added only when that lookup returns
   nothing, so re-running the role is idempotent. Because the lookup matches on all
   properties, including `comment`, editing any field in vars produces a new rule; the
   stale one is left to the removal query above. Values are spliced into RouterOS script
   syntax unescaped — only `comment` is quoted — so a value containing whitespace, `"`,
   `]` or `;` changes the meaning of the generated command; treat these vars with the
   same review as the firewall itself. #}{% for filter in mikrotik_firewall.filter_rules %}
{# `find` returns the ids of matching rules; comparing with "" tests for "no match" #}:if ([/ip firewall filter find chain={{filter.chain}} \
{% if filter.action is defined %}action="{{filter.action}}" {%endif%}
{% if filter.hotspot is defined %}hotspot="{{filter.hotspot}}" {%endif%}
{% if filter.out_bridge_port is defined %}out-bridge-port="{{filter.out_bridge_port}}" {%endif%}
{% if filter.routing_mark is defined %}routing-mark="{{filter.routing_mark}}" {%endif%}
{% if filter.address_list is defined %}address-list="{{filter.address_list}}" {%endif%}
{% if filter.icmp_options is defined %}icmp-options="{{filter.icmp_options}}" {%endif%}
{% if filter.out_bridge_port_list is defined %}out-bridge-port-list="{{filter.out_bridge_port_list}}" {%endif%}
{% if filter.routing_table is defined %}routing-table="{{filter.routing_table}}" {%endif%}
{% if filter.address_list_timeout is defined %}address-list-timeout="{{filter.address_list_timeout}}" {%endif%}
{% if filter.in_bridge_port is defined %}in-bridge-port="{{filter.in_bridge_port}}" {%endif%}
{% if filter.out_interface is defined %}out-interface="{{filter.out_interface}}" {%endif%}
{% if filter.src_address is defined %}src-address="{{filter.src_address}}" {%endif%}
{% if filter.comment is defined %}comment="Ansible managed: [{{filter.comment}}]" {%endif%}
{% if filter.in_bridge_port_list is defined %}in-bridge-port-list="{{filter.in_bridge_port_list}}" {%endif%}
{% if filter.out_interface_list is defined %}out-interface-list="{{filter.out_interface_list}}" {%endif%}
{% if filter.src_address_list is defined %}src-address-list="{{filter.src_address_list}}" {%endif%}
{% if filter.connection_bytes is defined %}connection-bytes="{{filter.connection_bytes}}" {%endif%}
{% if filter.connection_mark is defined %}connection-mark="{{filter.connection_mark}}" {%endif%}
{% if filter.connection_rate is defined %}connection-rate="{{filter.connection_rate}}" {%endif%}
{% if filter.connection_type is defined %}connection-type="{{filter.connection_type}}" {%endif%}
{% if filter.connection_limit is defined %}connection-limit="{{filter.connection_limit}}" {%endif%}
{% if filter.connection_nat_state is defined %}connection-nat-state="{{filter.connection_nat_state}}" {%endif%}
{% if filter.connection_state is defined %}connection-state="{{filter.connection_state}}" {%endif%}
{% if filter.in_interface is defined %}in-interface="{{filter.in_interface}}" {%endif%}
{% if filter.p2p is defined %}p2p="{{filter.p2p}}" {%endif%}
{% if filter.src_address_type is defined %}src-address-type="{{filter.src_address_type}}" {%endif%}
{% if filter.content is defined %}content="{{filter.content}}" {%endif%}
{% if filter.in_interface_list is defined %}in-interface-list="{{filter.in_interface_list}}" {%endif%}
{% if filter.packet_mark is defined %}packet-mark="{{filter.packet_mark}}" {%endif%}
{% if filter.src_mac_address is defined %}src-mac-address="{{filter.src_mac_address}}" {%endif%}
{# NOTE(review): copy-from and place-before are add-time arguments rather than stored rule properties, so a rule defining them presumably makes this find fail — confirm on a test router #}{% if filter.copy_from is defined %}copy-from="{{filter.copy_from}}" {%endif%}
{% if filter.ingress_priority is defined %}ingress-priority="{{filter.ingress_priority}}" {%endif%}
{% if filter.packet_size is defined %}packet-size="{{filter.packet_size}}" {%endif%}
{% if filter.src_port is defined %}src-port="{{filter.src_port}}" {%endif%}
{# `disabled` is the one value kept unquoted in the lookup (boolean) #}{% if filter.disabled is defined %}disabled={{filter.disabled}} {%endif%}
{% if filter.ipsec_policy is defined %}ipsec-policy="{{filter.ipsec_policy}}" {%endif%}
{% if filter.per_connection_classifier is defined %}per-connection-classifier="{{filter.per_connection_classifier}}" {%endif%}
{% if filter.tcp_flags is defined %}tcp-flags="{{filter.tcp_flags}}" {%endif%}
{% if filter.dscp is defined %}dscp="{{filter.dscp}}" {%endif%}
{% if filter.ipv4_options is defined %}ipv4-options="{{filter.ipv4_options}}" {%endif%}
{% if filter.place_before is defined %}place-before="{{filter.place_before}}" {%endif%}
{% if filter.tcp_mss is defined %}tcp-mss="{{filter.tcp_mss}}" {%endif%}
{% if filter.dst_address is defined %}dst-address="{{filter.dst_address}}" {%endif%}
{% if filter.jump_target is defined %}jump-target="{{filter.jump_target}}" {%endif%}
{% if filter.port is defined %}port="{{filter.port}}" {%endif%}
{% if filter.time is defined %}time="{{filter.time}}" {%endif%}
{% if filter.dst_address_list is defined %}dst-address-list="{{filter.dst_address_list}}" {%endif%}
{% if filter.layer7_protocol is defined %}layer7-protocol="{{filter.layer7_protocol}}" {%endif%}
{% if filter.priority is defined %}priority="{{filter.priority}}" {%endif%}
{% if filter.ttl is defined %}ttl="{{filter.ttl}}" {%endif%}
{% if filter.dst_address_type is defined %}dst-address-type="{{filter.dst_address_type}}" {%endif%}
{% if filter.limit is defined %}limit="{{filter.limit}}" {%endif%}
{% if filter.protocol is defined %}protocol="{{filter.protocol}}" {%endif%}
{% if filter.dst_limit is defined %}dst-limit="{{filter.dst_limit}}" {%endif%}
{% if filter.log is defined %}log="{{filter.log}}" {%endif%}
{% if filter.psd is defined %}psd="{{filter.psd}}" {%endif%}
{% if filter.dst_port is defined %}dst-port="{{filter.dst_port}}" {%endif%}
{% if filter.log_prefix is defined %}log-prefix="{{filter.log_prefix}}" {%endif%}
{% if filter.random is defined %}random="{{filter.random}}" {%endif%}
{% if filter.fragment is defined %}fragment="{{filter.fragment}}" {%endif%}
{% if filter.nth is defined %}nth="{{filter.nth}}" {%endif%}
{% if filter.reject_with is defined %}reject-with="{{filter.reject_with}}" {%endif%}] = "") do={
{# the add uses the same properties unquoted; only `comment` carries quotes #}/ip firewall filter add chain={{filter.chain}} \
{% if filter.action is defined %}action={{filter.action}} {%endif%}
{% if filter.hotspot is defined %}hotspot={{filter.hotspot}} {%endif%}
{% if filter.out_bridge_port is defined %}out-bridge-port={{filter.out_bridge_port}} {%endif%}
{% if filter.routing_mark is defined %}routing-mark={{filter.routing_mark}} {%endif%}
{% if filter.address_list is defined %}address-list={{filter.address_list}} {%endif%}
{% if filter.icmp_options is defined %}icmp-options={{filter.icmp_options}} {%endif%}
{% if filter.out_bridge_port_list is defined %}out-bridge-port-list={{filter.out_bridge_port_list}} {%endif%}
{% if filter.routing_table is defined %}routing-table={{filter.routing_table}} {%endif%}
{% if filter.address_list_timeout is defined %}address-list-timeout={{filter.address_list_timeout}} {%endif%}
{% if filter.in_bridge_port is defined %}in-bridge-port={{filter.in_bridge_port}} {%endif%}
{% if filter.out_interface is defined %}out-interface={{filter.out_interface}} {%endif%}
{% if filter.src_address is defined %}src-address={{filter.src_address}} {%endif%}
{% if filter.comment is defined %}comment="Ansible managed: [{{filter.comment}}]" {%endif%}
{% if filter.in_bridge_port_list is defined %}in-bridge-port-list={{filter.in_bridge_port_list}} {%endif%}
{% if filter.out_interface_list is defined %}out-interface-list={{filter.out_interface_list}} {%endif%}
{% if filter.src_address_list is defined %}src-address-list={{filter.src_address_list}} {%endif%}
{% if filter.connection_bytes is defined %}connection-bytes={{filter.connection_bytes}} {%endif%}
{% if filter.connection_mark is defined %}connection-mark={{filter.connection_mark}} {%endif%}
{% if filter.connection_rate is defined %}connection-rate={{filter.connection_rate}} {%endif%}
{% if filter.connection_type is defined %}connection-type={{filter.connection_type}} {%endif%}
{% if filter.connection_limit is defined %}connection-limit={{filter.connection_limit}} {%endif%}
{% if filter.connection_nat_state is defined %}connection-nat-state={{filter.connection_nat_state}} {%endif%}
{% if filter.connection_state is defined %}connection-state={{filter.connection_state}} {%endif%}
{% if filter.in_interface is defined %}in-interface={{filter.in_interface}} {%endif%}
{% if filter.p2p is defined %}p2p={{filter.p2p}} {%endif%}
{% if filter.src_address_type is defined %}src-address-type={{filter.src_address_type}} {%endif%}
{% if filter.content is defined %}content={{filter.content}} {%endif%}
{% if filter.in_interface_list is defined %}in-interface-list={{filter.in_interface_list}} {%endif%}
{% if filter.packet_mark is defined %}packet-mark={{filter.packet_mark}} {%endif%}
{% if filter.src_mac_address is defined %}src-mac-address={{filter.src_mac_address}} {%endif%}
{% if filter.copy_from is defined %}copy-from={{filter.copy_from}} {%endif%}
{% if filter.ingress_priority is defined %}ingress-priority={{filter.ingress_priority}} {%endif%}
{% if filter.packet_size is defined %}packet-size={{filter.packet_size}} {%endif%}
{% if filter.src_port is defined %}src-port={{filter.src_port}} {%endif%}
{% if filter.disabled is defined %}disabled={{filter.disabled}} {%endif%}
{% if filter.ipsec_policy is defined %}ipsec-policy={{filter.ipsec_policy}} {%endif%}
{% if filter.per_connection_classifier is defined %}per-connection-classifier={{filter.per_connection_classifier}} {%endif%}
{% if filter.tcp_flags is defined %}tcp-flags={{filter.tcp_flags}} {%endif%}
{% if filter.dscp is defined %}dscp={{filter.dscp}} {%endif%}
{% if filter.ipv4_options is defined %}ipv4-options={{filter.ipv4_options}} {%endif%}
{% if filter.place_before is defined %}place-before={{filter.place_before}} {%endif%}
{% if filter.tcp_mss is defined %}tcp-mss={{filter.tcp_mss}} {%endif%}
{% if filter.dst_address is defined %}dst-address={{filter.dst_address}} {%endif%}
{% if filter.jump_target is defined %}jump-target={{filter.jump_target}} {%endif%}
{% if filter.port is defined %}port={{filter.port}} {%endif%}
{% if filter.time is defined %}time={{filter.time}} {%endif%}
{% if filter.dst_address_list is defined %}dst-address-list={{filter.dst_address_list}} {%endif%}
{% if filter.layer7_protocol is defined %}layer7-protocol={{filter.layer7_protocol}} {%endif%}
{% if filter.priority is defined %}priority={{filter.priority}} {%endif%}
{% if filter.ttl is defined %}ttl={{filter.ttl}} {%endif%}
{% if filter.dst_address_type is defined %}dst-address-type={{filter.dst_address_type}} {%endif%}
{% if filter.limit is defined %}limit={{filter.limit}} {%endif%}
{% if filter.protocol is defined %}protocol={{filter.protocol}} {%endif%}
{% if filter.dst_limit is defined %}dst-limit={{filter.dst_limit}} {%endif%}
{% if filter.log is defined %}log={{filter.log}} {%endif%}
{% if filter.psd is defined %}psd={{filter.psd}} {%endif%}
{% if filter.dst_port is defined %}dst-port={{filter.dst_port}} {%endif%}
{% if filter.log_prefix is defined %}log-prefix={{filter.log_prefix}} {%endif%}
{% if filter.random is defined %}random={{filter.random}} {%endif%}
{% if filter.fragment is defined %}fragment={{filter.fragment}} {%endif%}
{% if filter.nth is defined %}nth={{filter.nth}} {%endif%}
{% if filter.reject_with is defined %}reject-with={{filter.reject_with}} {%endif%}
}
{%endfor%}

--------------------------------------------------------------------------------
/templates/mangle.rsc.j2:
--------------------------------------------------------------------------------
{# remove_old_mangle_rules == true first drops every non-dynamic mangle rule on the router,
   whether or not this role created it, so the configured rules are re-added from scratch #}{% if mikrotik_firewall.remove_old_mangle_rules == true %}
/ip firewall mangle remove [/ip firewall mangle find where dynamic=no]
{% endif %}
# Remove not defined
/ip
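firewall mangle remove [/ip firewall mangle find where !(\
{# Build the "remove not defined" query: every non-dynamic mangle rule that matches none of
   the configured rules (each rule's given properties ANDed, rules ORed) is removed. The
   query is not restricted to "Ansible managed" comments, so a rule added by hand on the
   router is deleted on the next run. Values are spliced into RouterOS script syntax as-is
   — only `comment` is quoted and nothing is escaped — so a value containing whitespace,
   `"`, `]` or `;` changes the meaning of the generated command; treat
   mikrotik_firewall.mangle_rules with the same review as the firewall itself.
   NOTE(review): with an empty mangle_rules this renders `!(\ ) and dynamic=no`, which
   RouterOS presumably rejects rather than matching everything — confirm before relying
   on it. #}{% for mangle in mikrotik_firewall.mangle_rules %}
{# the first rule gets no leading "or". loop.first replaces the previous `iter` flag set
   inside the loop body: on Jinja2 2.9+ a `set` inside a for body is reset every iteration,
   so the flag was never defined on the next pass and the "or" was never emitted, leaving
   adjacent `(...) (...)` groups in the query for two or more rules. #}{% if not loop.first %} or {% endif %}(chain={{mangle.chain}} \
{% if mangle.action is defined %}and action={{mangle.action}} {%endif%}
{% if mangle.in_bridge_port is defined %}and in-bridge-port={{mangle.in_bridge_port}} {%endif%}
{% if mangle.new_routing_mark is defined %}and new-routing-mark={{mangle.new_routing_mark}} {%endif%}
{% if mangle.random is defined %}and random={{mangle.random}} {%endif%}
{% if mangle.address_list is defined %}and address-list={{mangle.address_list}} {%endif%}
{% if mangle.in_bridge_port_list is defined %}and in-bridge-port-list={{mangle.in_bridge_port_list}} {%endif%}
{% if mangle.new_ttl is defined %}and new-ttl={{mangle.new_ttl}} {%endif%}
{% if mangle.route_dst is defined %}and route-dst={{mangle.route_dst}} {%endif%}
{% if mangle.address_list_timeout is defined %}and address-list-timeout={{mangle.address_list_timeout}} {%endif%}
{% if mangle.in_interface is defined %}and in-interface={{mangle.in_interface}} {%endif%}
{% if mangle.nth is defined %}and nth={{mangle.nth}} {%endif%}
{% if mangle.routing_mark is defined %}and routing-mark={{mangle.routing_mark}} {%endif%}
{% if mangle.comment is defined %}and comment="Ansible managed: [{{mangle.comment}}]" {%endif%}
{% if mangle.in_interface_list is defined %}and in-interface-list={{mangle.in_interface_list}} {%endif%}
{% if mangle.out_bridge_port is defined %}and out-bridge-port={{mangle.out_bridge_port}} {%endif%}
{% if mangle.routing_table is defined %}and routing-table={{mangle.routing_table}} {%endif%}
{% if mangle.connection_bytes is defined %}and connection-bytes={{mangle.connection_bytes}} {%endif%}
{% if mangle.connection_mark is defined %}and connection-mark={{mangle.connection_mark}} {%endif%}
{% if mangle.connection_rate is defined %}and connection-rate={{mangle.connection_rate}} {%endif%}
{% if mangle.connection_type is defined %}and connection-type={{mangle.connection_type}} {%endif%}
{% if mangle.connection_limit is defined %}and connection-limit={{mangle.connection_limit}} {%endif%}
{% if mangle.connection_nat_state is defined %}and connection-nat-state={{mangle.connection_nat_state}} {%endif%}
{% if mangle.connection_state is defined %}and connection-state={{mangle.connection_state}} {%endif%}
{% if mangle.ingress_priority is defined %}and ingress-priority={{mangle.ingress_priority}} {%endif%}
{% if mangle.out_bridge_port_list is defined %}and out-bridge-port-list={{mangle.out_bridge_port_list}} {%endif%}
{% if mangle.sniff_id is defined %}and sniff-id={{mangle.sniff_id}} {%endif%}
{% if mangle.content is defined %}and content={{mangle.content}} {%endif%}
{% if mangle.ipsec_policy is defined %}and ipsec-policy={{mangle.ipsec_policy}} {%endif%}
{% if mangle.out_interface is defined %}and out-interface={{mangle.out_interface}} {%endif%}
{% if mangle.sniff_target is defined %}and sniff-target={{mangle.sniff_target}} {%endif%}
{% if mangle.copy_from is defined %}and copy-from={{mangle.copy_from}} {%endif%}
{% if mangle.ipv4_options is defined %}and ipv4-options={{mangle.ipv4_options}} {%endif%}
{% if mangle.out_interface_list is defined %}and out-interface-list={{mangle.out_interface_list}} {%endif%}
{% if mangle.sniff_target_port is defined %}and sniff-target-port={{mangle.sniff_target_port}} {%endif%}
{% if mangle.disabled is defined %}and disabled={{mangle.disabled}} {%endif%}
{% if mangle.jump_target is defined %}and jump-target={{mangle.jump_target}} {%endif%}
{% if mangle.p2p is defined %}and p2p={{mangle.p2p}} {%endif%}
{% if mangle.src_address is defined %}and src-address={{mangle.src_address}} {%endif%}
{% if mangle.dscp is defined %}and dscp={{mangle.dscp}} {%endif%}
{% if mangle.layer7_protocol is defined %}and layer7-protocol={{mangle.layer7_protocol}} {%endif%}
{% if mangle.packet_mark is defined %}and packet-mark={{mangle.packet_mark}} {%endif%}
{% if mangle.src_address_list is defined %}and src-address-list={{mangle.src_address_list}} {%endif%}
{% if mangle.dst_address is defined %}and dst-address={{mangle.dst_address}} {%endif%}
{% if mangle.limit is defined %}and limit={{mangle.limit}} {%endif%}
{% if mangle.packet_size is defined %}and packet-size={{mangle.packet_size}} {%endif%}
{% if mangle.src_address_type is defined %}and src-address-type={{mangle.src_address_type}} {%endif%}
{% if mangle.dst_address_list is defined %}and dst-address-list={{mangle.dst_address_list}} {%endif%}
{% if mangle.log is defined %}and log={{mangle.log}} {%endif%}
{% if mangle.passthrough is defined %}and passthrough={{mangle.passthrough}} {%endif%}
{% if mangle.src_mac_address is defined %}and src-mac-address={{mangle.src_mac_address}} {%endif%}
{% if mangle.dst_address_type is defined %}and dst-address-type={{mangle.dst_address_type}} {%endif%}
{% if mangle.log_prefix is defined %}and log-prefix={{mangle.log_prefix}} {%endif%}
{% if mangle.per_connection_classifier is defined %}and per-connection-classifier={{mangle.per_connection_classifier}} {%endif%}
{% if mangle.src_port is defined %}and src-port={{mangle.src_port}} {%endif%}
{% if mangle.dst_limit is defined %}and dst-limit={{mangle.dst_limit}} {%endif%}
{% if mangle.new_connection_mark is defined %}and new-connection-mark={{mangle.new_connection_mark}} {%endif%}
{% if mangle.place_before is defined %}and place-before={{mangle.place_before}} {%endif%}
{% if mangle.tcp_flags is defined %}and tcp-flags={{mangle.tcp_flags}} {%endif%}
{% if mangle.dst_port is defined %}and dst-port={{mangle.dst_port}} {%endif%}
{% if mangle.new_dscp is defined %}and new-dscp={{mangle.new_dscp}} {%endif%}
{% if mangle.port is defined %}and port={{mangle.port}} {%endif%}
{% if mangle.tcp_mss is defined %}and tcp-mss={{mangle.tcp_mss}} {%endif%}
{% if mangle.fragment is defined %}and fragment={{mangle.fragment}} {%endif%}
{% if mangle.new_mss is defined %}and new-mss={{mangle.new_mss}} {%endif%}
{% if mangle.priority is defined %}and priority={{mangle.priority}} {%endif%}
{% if mangle.time is defined %}and time={{mangle.time}} {%endif%}
{% if mangle.hotspot is defined %}and hotspot={{mangle.hotspot}} {%endif%}
{% if mangle.new_packet_mark is defined %}and new-packet-mark={{mangle.new_packet_mark}} {%endif%}
{% if mangle.protocol is defined %}and protocol={{mangle.protocol}} {%endif%}
{% if mangle.ttl is defined %}and ttl={{mangle.ttl}} {%endif%}
{% if mangle.icmp_options is defined %}and icmp-options={{mangle.icmp_options}} {%endif%}
{% if mangle.new_priority is defined %}and new-priority={{mangle.new_priority}} {%endif%}
{% if mangle.psd is defined %}and psd={{mangle.psd}} {%endif%}
) \
{%endfor%}
) and dynamic=no]
# Add
{# Add missing rules: each configured rule is looked up with every property it defines and
   is added only when the lookup returns nothing (`find` yields the matching ids; comparing
   with "" tests for "no match"), so re-running the role is idempotent. The lookup matches on
   all properties, including `comment`, so editing any field in vars yields a new rule while
   the removal query above drops the stale one. #}{% for mangle in mikrotik_firewall.mangle_rules %}
:if ([/ip firewall mangle find chain={{mangle.chain}} \
{% if mangle.action is defined %}action={{mangle.action}} {%endif%}
{% if mangle.in_bridge_port is defined %}in-bridge-port={{mangle.in_bridge_port}} {%endif%}
{% if mangle.new_routing_mark is defined %}new-routing-mark={{mangle.new_routing_mark}} {%endif%}
{% if mangle.random is defined %}random={{mangle.random}} {%endif%}
{% if mangle.address_list is defined %}address-list={{mangle.address_list}} {%endif%}
{% if mangle.in_bridge_port_list is defined %}in-bridge-port-list={{mangle.in_bridge_port_list}} {%endif%}
{% if mangle.new_ttl is defined %}new-ttl={{mangle.new_ttl}} {%endif%}
{% if mangle.route_dst is defined %}route-dst={{mangle.route_dst}} {%endif%}
{% if mangle.address_list_timeout is defined %}address-list-timeout={{mangle.address_list_timeout}} {%endif%}
{% if mangle.in_interface is defined %}in-interface={{mangle.in_interface}} {%endif%}
{% if mangle.nth is defined %}nth={{mangle.nth}} {%endif%}
{% if mangle.routing_mark is defined %}routing-mark={{mangle.routing_mark}} {%endif%}
{% if mangle.comment is defined %}comment="Ansible managed: [{{mangle.comment}}]" {%endif%}
{% if mangle.in_interface_list is defined %}in-interface-list={{mangle.in_interface_list}} {%endif%}
{% if mangle.out_bridge_port is defined %}out-bridge-port={{mangle.out_bridge_port}} {%endif%}
{% if mangle.routing_table is defined %}routing-table={{mangle.routing_table}} {%endif%}
{% if mangle.connection_bytes is defined %}connection-bytes={{mangle.connection_bytes}} {%endif%}
{% if mangle.connection_mark is defined %}connection-mark={{mangle.connection_mark}} {%endif%}
{% if mangle.connection_rate is defined %}connection-rate={{mangle.connection_rate}} {%endif%}
{% if mangle.connection_type is defined %}connection-type={{mangle.connection_type}} {%endif%}
{% if mangle.connection_limit is defined %}connection-limit={{mangle.connection_limit}} {%endif%}
{% if mangle.connection_nat_state is defined %}connection-nat-state={{mangle.connection_nat_state}} {%endif%}
{% if mangle.connection_state is defined %}connection-state={{mangle.connection_state}} {%endif%}
{% if mangle.ingress_priority is defined %}ingress-priority={{mangle.ingress_priority}} {%endif%}
{% if mangle.out_bridge_port_list is defined %}out-bridge-port-list={{mangle.out_bridge_port_list}} {%endif%}
{% if mangle.sniff_id is defined %}sniff-id={{mangle.sniff_id}} {%endif%}
{% if mangle.content is defined %}content={{mangle.content}} {%endif%}
{% if mangle.ipsec_policy is defined %}ipsec-policy={{mangle.ipsec_policy}} {%endif%}
{% if mangle.out_interface is defined %}out-interface={{mangle.out_interface}} {%endif%}
{% if mangle.sniff_target is defined %}sniff-target={{mangle.sniff_target}} {%endif%}
{# NOTE(review): copy-from and place-before are add-time arguments rather than stored rule properties, so a rule defining them presumably makes this find fail — confirm on a test router #}{% if mangle.copy_from is defined %}copy-from={{mangle.copy_from}} {%endif%}
{% if mangle.ipv4_options is defined %}ipv4-options={{mangle.ipv4_options}} {%endif%}
{% if mangle.out_interface_list is defined %}out-interface-list={{mangle.out_interface_list}} {%endif%}
{% if mangle.sniff_target_port is defined %}sniff-target-port={{mangle.sniff_target_port}} {%endif%}
{% if mangle.disabled is defined %}disabled={{mangle.disabled}} {%endif%}
{% if mangle.jump_target is defined %}jump-target={{mangle.jump_target}} {%endif%}
{% if mangle.p2p is defined %}p2p={{mangle.p2p}} {%endif%}
{% if mangle.src_address is defined %}src-address={{mangle.src_address}} {%endif%}
{% if mangle.dscp is defined %}dscp={{mangle.dscp}} {%endif%}
{% if mangle.layer7_protocol is defined %}layer7-protocol={{mangle.layer7_protocol}} {%endif%}
{% if mangle.packet_mark is defined %}packet-mark={{mangle.packet_mark}} {%endif%}
{% if mangle.src_address_list is defined %}src-address-list={{mangle.src_address_list}} {%endif%}
{% if mangle.dst_address is defined %}dst-address={{mangle.dst_address}} {%endif%}
{% if mangle.limit is defined %}limit={{mangle.limit}} {%endif%}
{% if mangle.packet_size is defined %}packet-size={{mangle.packet_size}} {%endif%}
{% if mangle.src_address_type is defined %}src-address-type={{mangle.src_address_type}} {%endif%}
{% if mangle.dst_address_list is defined %}dst-address-list={{mangle.dst_address_list}} {%endif%}
{% if mangle.log is defined %}log={{mangle.log}} {%endif%}
{% if mangle.passthrough is defined %}passthrough={{mangle.passthrough}} {%endif%}
{% if mangle.src_mac_address is defined %}src-mac-address={{mangle.src_mac_address}} {%endif%}
{% if mangle.dst_address_type is defined %}dst-address-type={{mangle.dst_address_type}} {%endif%}
{% if mangle.log_prefix is defined %}log-prefix={{mangle.log_prefix}} {%endif%}
{% if mangle.per_connection_classifier is defined %}per-connection-classifier={{mangle.per_connection_classifier}} {%endif%}
{% if mangle.src_port is defined %}src-port={{mangle.src_port}} {%endif%}
{% if mangle.dst_limit is defined %}dst-limit={{mangle.dst_limit}} {%endif%}
{% if mangle.new_connection_mark is defined %}new-connection-mark={{mangle.new_connection_mark}} {%endif%}
{% if mangle.place_before is defined %}place-before={{mangle.place_before}} {%endif%}
{% if mangle.tcp_flags is defined %}tcp-flags={{mangle.tcp_flags}} {%endif%}
{% if mangle.dst_port is defined %}dst-port={{mangle.dst_port}} {%endif%}
{% if mangle.new_dscp is defined %}new-dscp={{mangle.new_dscp}} {%endif%}
{% if mangle.port is defined %}port={{mangle.port}} {%endif%}
{% if mangle.tcp_mss is defined %}tcp-mss={{mangle.tcp_mss}} {%endif%}
{% if mangle.fragment is defined %}fragment={{mangle.fragment}} {%endif%}
{% if mangle.new_mss is defined %}new-mss={{mangle.new_mss}} {%endif%}
{% if mangle.priority is defined %}priority={{mangle.priority}} {%endif%}
{% if mangle.time is defined %}time={{mangle.time}} {%endif%}
{% if mangle.hotspot is defined %}hotspot={{mangle.hotspot}} {%endif%}
{% if mangle.new_packet_mark is defined %}new-packet-mark={{mangle.new_packet_mark}} {%endif%}
{% if mangle.protocol is defined %}protocol={{mangle.protocol}} {%endif%}
{% if mangle.ttl is defined %}ttl={{mangle.ttl}} {%endif%}
{% if mangle.icmp_options is defined %}icmp-options={{mangle.icmp_options}} {%endif%}
{% if mangle.new_priority is defined %}new-priority={{mangle.new_priority}} {%endif%}
{% if mangle.psd is defined %}psd={{mangle.psd}} {%endif%}] = "") do={
{# the add repeats the same properties; only `comment` carries quotes #}/ip firewall mangle add chain={{mangle.chain}} \
{% if mangle.action is defined %}action={{mangle.action}} {%endif%}
{% if mangle.in_bridge_port is defined %}in-bridge-port={{mangle.in_bridge_port}} {%endif%}
{% if mangle.new_routing_mark is defined %}new-routing-mark={{mangle.new_routing_mark}} {%endif%}
{% if mangle.random is defined %}random={{mangle.random}} {%endif%}
{% if mangle.address_list is defined %}address-list={{mangle.address_list}} {%endif%}
{% if mangle.in_bridge_port_list is defined %}in-bridge-port-list={{mangle.in_bridge_port_list}} {%endif%}
{% if mangle.new_ttl is defined %}new-ttl={{mangle.new_ttl}} {%endif%}
{% if mangle.route_dst is defined %}route-dst={{mangle.route_dst}} {%endif%}
{% if mangle.address_list_timeout is defined %}address-list-timeout={{mangle.address_list_timeout}} {%endif%}
{% if mangle.in_interface is defined %}in-interface={{mangle.in_interface}} {%endif%}
{% if mangle.nth is defined %}nth={{mangle.nth}} {%endif%}
{% if mangle.routing_mark is defined %}routing-mark={{mangle.routing_mark}} {%endif%}
{% if mangle.comment is defined %}comment="Ansible managed: [{{mangle.comment}}]" {%endif%}
{% if mangle.in_interface_list is defined %}in-interface-list={{mangle.in_interface_list}} {%endif%}
{% if mangle.out_bridge_port is defined %}out-bridge-port={{mangle.out_bridge_port}} {%endif%}
{% if mangle.routing_table is defined %}routing-table={{mangle.routing_table}} {%endif%}
{% if mangle.connection_bytes is defined %}connection-bytes={{mangle.connection_bytes}} {%endif%}
{% if mangle.connection_mark is defined %}connection-mark={{mangle.connection_mark}} {%endif%}
{% if mangle.connection_rate is defined %}connection-rate={{mangle.connection_rate}} {%endif%}
{% if mangle.connection_type is defined %}connection-type={{mangle.connection_type}} {%endif%}
{% if mangle.connection_limit is defined %}connection-limit={{mangle.connection_limit}} {%endif%}
{% if mangle.connection_nat_state is defined %}connection-nat-state={{mangle.connection_nat_state}} {%endif%}
{% if mangle.connection_state is defined %}connection-state={{mangle.connection_state}} {%endif%}
{% if mangle.ingress_priority is defined %}ingress-priority={{mangle.ingress_priority}} {%endif%}
{% if mangle.out_bridge_port_list is defined %}out-bridge-port-list={{mangle.out_bridge_port_list}} {%endif%}
{% if mangle.sniff_id is defined %}sniff-id={{mangle.sniff_id}} {%endif%}
{% if mangle.content is defined %}content={{mangle.content}} {%endif%}
{% if mangle.ipsec_policy is defined %}ipsec-policy={{mangle.ipsec_policy}} {%endif%}
{% if mangle.out_interface is defined %}out-interface={{mangle.out_interface}} {%endif%}
{% if mangle.sniff_target is defined %}sniff-target={{mangle.sniff_target}} {%endif%}
{% if mangle.copy_from is defined %}copy-from={{mangle.copy_from}} {%endif%}
{% if mangle.ipv4_options is defined %}ipv4-options={{mangle.ipv4_options}} {%endif%}
{% if mangle.out_interface_list is defined %}out-interface-list={{mangle.out_interface_list}} {%endif%}
{% if mangle.sniff_target_port is defined %}sniff-target-port={{mangle.sniff_target_port}} {%endif%}
{% if mangle.disabled is defined %}disabled={{mangle.disabled}} {%endif%}
{% if mangle.jump_target is defined %}jump-target={{mangle.jump_target}} {%endif%}
{% if mangle.p2p is defined %}p2p={{mangle.p2p}} {%endif%}
{% if mangle.src_address is defined %}src-address={{mangle.src_address}} {%endif%}
{% if mangle.dscp is defined %}dscp={{mangle.dscp}} {%endif%}
{% if mangle.layer7_protocol is defined %}layer7-protocol={{mangle.layer7_protocol}} {%endif%}
{% if mangle.packet_mark is defined %}packet-mark={{mangle.packet_mark}} {%endif%}
{% if mangle.src_address_list is defined %}src-address-list={{mangle.src_address_list}} {%endif%}
{% if mangle.dst_address is defined %}dst-address={{mangle.dst_address}} {%endif%}
{% if mangle.limit is defined %}limit={{mangle.limit}} {%endif%}
{% if mangle.packet_size is defined %}packet-size={{mangle.packet_size}} {%endif%}
{% if mangle.src_address_type is defined %}src-address-type={{mangle.src_address_type}} {%endif%}
{% if mangle.dst_address_list is defined %}dst-address-list={{mangle.dst_address_list}} {%endif%}
{% if mangle.log is defined %}log={{mangle.log}} {%endif%}
{% if mangle.passthrough is defined %}passthrough={{mangle.passthrough}} {%endif%}
{% if mangle.src_mac_address is defined %}src-mac-address={{mangle.src_mac_address}} {%endif%}
{% if mangle.dst_address_type is defined %}dst-address-type={{mangle.dst_address_type}} {%endif%}
{% if mangle.log_prefix is defined %}log-prefix={{mangle.log_prefix}} {%endif%}
{% if mangle.per_connection_classifier is defined %}per-connection-classifier={{mangle.per_connection_classifier}} {%endif%}
{% if mangle.src_port is defined %}src-port={{mangle.src_port}} {%endif%}
{% if mangle.dst_limit is defined %}dst-limit={{mangle.dst_limit}} {%endif%}
{% if mangle.new_connection_mark is defined %}new-connection-mark={{mangle.new_connection_mark}} {%endif%}
{% if mangle.place_before is defined %}place-before={{mangle.place_before}} {%endif%}
{% if mangle.tcp_flags is defined %}tcp-flags={{mangle.tcp_flags}} {%endif%}
{% if mangle.dst_port is defined %}dst-port={{mangle.dst_port}} {%endif%}
{% if mangle.new_dscp is defined %}new-dscp={{mangle.new_dscp}} {%endif%}
{% if mangle.port is defined %}port={{mangle.port}} {%endif%}
{% if mangle.tcp_mss is defined %}tcp-mss={{mangle.tcp_mss}} {%endif%}
{% if mangle.fragment is defined %}fragment={{mangle.fragment}} {%endif%}
{% if mangle.new_mss is defined %}new-mss={{mangle.new_mss}} {%endif%}
{% if mangle.priority is defined %}priority={{mangle.priority}} {%endif%}
{% if mangle.time is defined %}time={{mangle.time}} {%endif%}
{% if mangle.hotspot is defined %}hotspot={{mangle.hotspot}} {%endif%}
{% if mangle.new_packet_mark is defined %}new-packet-mark={{mangle.new_packet_mark}} {%endif%}
{% if mangle.protocol is defined %}protocol={{mangle.protocol}} {%endif%}
{% if mangle.ttl is defined %}ttl={{mangle.ttl}} {%endif%}
{% if mangle.icmp_options is defined %}icmp-options={{mangle.icmp_options}} {%endif%}
{% if mangle.new_priority is defined %}new-priority={{mangle.new_priority}} {%endif%}
{% if mangle.psd is defined %}psd={{mangle.psd}} {%endif%}
}
{%endfor%}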