fix mistakes in filter acl at sync mikrotik script

scripts/Rstat/net_utils.pm

@@ -233,6 +233,8 @@ return $ok;
 
 sub is_ip {
 my $ip_str = trim($_[0]);
+return 1 if (!$ip_str);
+return 1 if ($ip_str eq '0/0');
 if ($ip_str =~ /([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})(\/[0-9]{1,2}){0,1}/) {
         my $mask = $5;
         return 0 if($1 > 255 || $2 > 255 || $3 > 255 || $4 > 255);

scripts/sync_mikrotik.pl

@@ -326,9 +326,11 @@ if ($connected_users_only) { next if (!$connected_users->match_string($row->{ip}
 #skip not office ip's
 next if (!$office_networks->match_string($row->{ip}));
 $found_users{$row->{'id'}}=$row->{ip};
+#filter group acl's
 $users{'group_'.$row->{filter_group_id}}->{$row->{ip}}=1;
 $users{'group_all'}->{$row->{ip}}=1;
 $lists{'group_'.$row->{filter_group_id}}=1;
+#queue acl's
 if ($row->{queue_id}) { $users{'queue_'.$row->{queue_id}}->{$row->{ip}}=1; }
 }
 
@@ -386,9 +388,9 @@ foreach my $row (@filterlist_ref) {
         } else {
         #if dst not ip - check dns record
         my @dns_record=ResolveNames($row->{dst},undef);
-        $resolved_ips = (scalar @dns_record>0);
+        my $resolved_ips = (scalar @dns_record>0);
         next if (!$resolved_ips);
-        foreach my $resolved_ip (@dns_record) {
+        foreach my $resolved_ip (sort @dns_record) {
                 #enable dns dst filters
                 $filters{$row->{id}}->{dns_dst}=1;
                 #add dynamic dns filter
@@ -400,7 +402,7 @@ foreach my $row (@filterlist_ref) {
                 $filters{$dyn_filters_index}->{action}=$row->{action};
                 $filters{$dyn_filters_index}->{dns_dst}=0;
                 #save new filter dns id for original filter id
-                push(@{$dyn_filters->{$row->{id}}},$dyn_filters_index);
+                push(@{$dyn_filters{$row->{id}}},$dyn_filters_index);
                 $dyn_filters_index++;
             }
         }
@@ -409,10 +411,13 @@ foreach my $row (@filterlist_ref) {
 log_debug("Filters status:". Dumper(\%filters));
 log_debug("DNS-filters status:". Dumper(\%dyn_filters));
 
+#clean unused filter records
+do_sql($dbh,"DELETE FROM Group_filters WHERE group_id NOT IN (SELECT id FROM Group_list)");
+
 my @grouplist_ref = get_records_sql($dbh,"SELECT group_id,filter_id,Group_filters.order FROM Group_filters order by Group_filters.group_id,Group_filters.order");
 
 my %group_filters;
-my $index=1;
+my $index=0;
 foreach my $row (@grouplist_ref) {
     #if dst dns filter not found
     if (!$filters{$row->{filter_id}}->{dns_dst}) {
@@ -420,11 +425,14 @@ foreach my $row (@grouplist_ref) {
         $index++;
     } else {
         #if found dns dst filters - add
-        if (exists $dyn_filters->{$row->{filter_id}} and scalar @{$dyn_filters->{$row->{filter_id}}}>0) {
-            foreach my $dyn_filter (@{$dyn_filters->{$row->{filter_id}}}) {
-                $group_filters{'group_'.$row->{group_id}}->{$index}=$dyn_filter;
-                $index++; 
-            }
+	if (exists $dyn_filters{$row->{filter_id}}) {
+	    my @dyn_ips = @{$dyn_filters{$row->{filter_id}}};
+	    if (scalar @dyn_ips >0) {
+		for (my $i = 0; $i < scalar @dyn_ips; $i++) {
+        	    $group_filters{'group_'.$row->{group_id}}->{$index}=$dyn_ips[$i];
+        	    $index++;
+        	    }
+	    }
         }
     }
 }
@@ -514,6 +522,8 @@ next if (!exists($group_filters{$group_name}));
 foreach my $filter_index (sort keys %{$group_filters{$group_name}}) {
     my $filter_id=$group_filters{$group_name}->{$filter_index};
     next if (!$filters{$filter_id});
+    next if ($filters{$filter_id}->{dns_dst});
+
     my $src_rule='chain='.$group_name;
     my $dst_rule='chain='.$group_name;
 
@@ -563,7 +573,6 @@ foreach my $filter_index (sort keys %{$group_filters{$group_name}}) {
     }
 }
 
-log_debug("New chain rules:".Dumper(\%chain_rules));
 
 #chain filters
 foreach my $group_name (keys %group_filters) {
@@ -571,8 +580,7 @@ foreach my $group_name (keys %group_filters) {
 next if (!$group_name);
 
 my @get_filter=netdev_cmd($gate,$t,'ssh','/ip firewall filter print terse without-paging where chain='.$group_name,1);
-
-log_debug("Get chain $group_name:".Dumper(\@get_filter));
+chomp(@get_filter);
 
 my @cur_filter=();
 my $chain_ok=1;
@@ -581,12 +589,16 @@ foreach (my $f_index=0; $f_index<scalar(@get_filter); $f_index++) {
     my $filter_str=trim($get_filter[$f_index]);
     next if (!$filter_str);
     next if ($filter_str!~/^(\d){1,3}/);
+    $filter_str=~s/[^[:ascii:]]//g;
     $filter_str=~s/^\d{1,3}\s+//;
     $filter_str=trim($filter_str);
     next if (!$filter_str);
     push(@cur_filter,$filter_str);
 }
 
+log_debug("Current filters:".Dumper(\@cur_filter));
+log_debug("New filters:".Dumper($chain_rules{$group_name}));
+
 #current state rules
 foreach (my $f_index=0; $f_index<scalar(@cur_filter); $f_index++) {
     my $filter_str=trim($cur_filter[$f_index]);

updates/20230429/mysql-migrate-path.sql

@@ -1,3 +1,4 @@
 UPDATE `config_options` SET `default_value` = REPLACE(`default_value`, '/usr/local/scripts/', '/opt/Eye/scripts/') WHERE `default_value` LIKE '%/usr/local/scripts/%';
 UPDATE `config` SET `value` = REPLACE(`value`, '/usr/local/scripts/', '/opt/Eye/scripts/') WHERE `value` LIKE '%/usr/local/scripts/%';
 ALTER TABLE `Filter_list` CHANGE `dst` `dst` VARCHAR(253) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NULL DEFAULT NULL;
+UPDATE `config_options` SET `option_name` = REPLACE(`option_name`, 'cconfig', 'config') WHERE `option_name` LIKE '%config%';