So, since our friend Google could not find anything clever, I made a VERY robust solution that works for me. And since for a while now this place has hosted other performances besides pure diving, a small MikroTik firewall rule synchronization solution may well fit here ;)
Yeah, after using the all-mighty Google I did NOT find anything suitable for my needs. So, after an hour of "work", here is the simple and robust script to synchronize MikroTik firewall rules. This was not tested in a LAB, all tests were made with my live units ;) - so, at least we know this script does the job. Might not look good, but it gets the job done! So, here we go! As you can tell from the bash path, I'm using FreeBSD. OK, here is the code:
main script:
#!/usr/local/bin/bash
set -e   # stop at the first failure so a half-fetched export is never pushed to MT2
# get rules from the "main" unit (the grep drops the "# date/version" header lines)
ssh user@MT1 '/ip firewall address-list export' | grep -v '^#' > MT1-address
ssh user@MT1 '/ip firewall filter export' | grep -v '^#' > MT1-filter
# let's insert some must-have crap (the cleanup commands from the "vahepala" file)
grep -v '^#' vahepala > newfw.rsc
# let's make changes to fetched info (strip the ^M characters, swap unit-specific addresses)
sed -f change-address MT1-address >> newfw.rsc
sed -f change-filter MT1-filter >> newfw.rsc
# let's teach the MT2 box
scp newfw.rsc user@MT2: # YES, you do need the colon here!
ssh user@MT2 '/import newfw.rsc'
--- other files ---
file called "vahepala"
--
# remove old rules
/ip firewall filter remove [/ip firewall filter find]
# remove old address list
/ip firewall address-list remove [/ip firewall address-list find]
# inserting new rules
--
file called change-address
--
s/^M//
--
So, this just removes the odd ^M (carriage return) characters at the line ends. And yes, you CAN NOT just copy-paste this: the ^M has to be a real control character in the file!
If you are using vi/vim then getting the ^M is simple: press ctrl+V and then ctrl+M.
file called change-filter
--
s/ip-of-the-unit-one-if-some-input-rules-are-using-ip-address/ip-of-the-second-unit/
s/^M//
--
OK, this is simple sed and you should be able to use it after one hour of testing. If you need to change anything else, just add new lines to the change-address or change-filter files and you are good to go.
NOTE: this is not meant to sync the whole config, just the firewall rules and the address list part. This "solution" does not include dynamic addresses, and if you are tracking spam or any other unwanted traffic (well, I do, but syncing the dynamic list is not needed for me!) then you need to change this setup a bit.
You MIGHT want to add some sanity checks if your filter lists are huge, just to make sure that you get all the lines etc. The easiest way seems to be to add one do-nothing rule at the end with some odd comment and then check for that comment before proceeding with the MT2 configuration. Anyway, this solution works for me and I'm happy! Simple and quick! I just might implement this for my Junipers also ;)
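A sanity check along the lines suggested above, as an added example rather than the script from the post: it assumes the last filter rule on MT1 is a do-nothing rule whose comment is SYNC-END-MARKER (a name chosen here), strips the same ^M characters the sed files deal with, and refuses to go on when the export does not end with that rule.

```shell
#!/usr/bin/env bash
# Added example, not the script from the post: sanity-check a fetched
# MikroTik export before it is pushed to the second unit.
# Assumption: the last filter rule on MT1 is a do-nothing (passthrough)
# rule with the comment SYNC-END-MARKER, a name chosen for this example.
set -eu

MARKER="SYNC-END-MARKER"   # assumed sentinel comment on the final rule

# strip_cr: drop the carriage returns (the ^M the sed files remove);
# reads stdin, writes stdout
strip_cr() {
  tr -d '\r'
}

# export_is_complete FILE: succeed only when FILE is non-empty and its last
# non-comment line is the sentinel rule, i.e. nothing was cut off in transit
export_is_complete() {
  file="$1"
  [ -s "$file" ] || return 1
  last=$(grep -v '^#' "$file" | grep -v '^[[:space:]]*$' | tail -n 1)
  case "$last" in
    *"comment=$MARKER"*|*"comment=\"$MARKER\""*) return 0 ;;
    *) return 1 ;;
  esac
}

# count_rules FILE: number of "add" lines, to compare MT1's count with what
# actually arrived before MT2's rules are wiped and replaced
count_rules() {
  grep -c '^add ' "$1" || true
}

# Constructed sample export with CRLF line endings, as RouterOS writes them.
SAMPLE=$(printf '# jan/21/2015 export\r\n/ip firewall filter\r\nadd chain=input action=accept connection-state=established\r\nadd chain=input action=drop\r\nadd chain=input action=passthrough comment=%s\r\n' "$MARKER")

# check_export FILE: what the main script would run between the fetch and
# the scp/import step; prints a verdict and returns the matching status
check_export() {
  if export_is_complete "$1"; then
    echo "export complete: $(count_rules "$1") rules"
  else
    echo "export truncated, NOT pushing to MT2" >&2
    return 1
  fi
}
```

Because the "vahepala" file wipes every rule before the new ones are imported, running this check before the scp/import step keeps a truncated export from leaving MT2 with an empty filter.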
Wednesday, January 21, 2015