This branch is a follow-up on 9ceed0926a
with clean solution. Read on for details...
The data type `ip6-prefix` used to hold what it was named for - an IPv6
prefix:
[user@mikrotik] > :put 2001:db8::dead:beef/32
2001:db8::/32
This changed with RouterOS 6.21beta2, which now allows that exact same
data type to hold something like "address with prefix length attached":
[user@mikrotik] > :put 2001:db8::dead:beef/32
2001:db8::dead:beef/32
My scripts (namely `fw-addr-lists`) relied on the old behaviour and broke.
The commit mentioned above was just a quick workaround, with rough edges,
and it could still fail.
Sadly RouterOS does not support bit shifting on IPv6 data types, so a
(completely) mathematical solution is out of scope.
This branch implements a new and better workaround, see the first commit
of branch (6ad6f9aa08) for details.
I opened a support ticket / feature request on this topic, let's see
what results it brings...
https://help.mikrotik.com/servicedesk/servicedesk/customer/portal/1/SUP-201881
The calculation is quite complex for something that needs to be done
frequently, for example by `fw-addr-lists`. The number of possible
netmasks is limited, so let's cache the results that were calculated
already.
RouterOS does not support bit shifting on IPv6 data types, so we have to
split the problem:
* each 16 bit block is calculated separately, as number
* the complete netmask is assembled in a loop, as string
* the final string is casted to correct data type
Chances are that messages have been queued before system was fully up or
connected. Thus the certificate may be missing, and it should be checked
again for on flush.
This should reduce the number of addresses in list by aggregating them,
and also fix addresses with host part set (like 2001:470:1:fb5::2a0/64,
which should be 2001:470:1:fb5::/64 really).
The latter caused new warnings with RouterOS 7.21beta2.
With RouterOS 7.21beta2 the user SSH keys "key-owner" field was
renamed to "info".
Either of both is displayed in red by syntax highlighting, but it
works anyway.
This is not a proof, but a line also ending with a curly bracket
has higher probability of being valid JSON.
Better safe than sorry... We are suffering a CVE in RouterOS:
https://www.cve.org/CVERecord?id=CVE-2025-10948
Checking a specific file is less expensive operation than finding one,
especially when on hardware with huge storage and lots of files (like
RDS). We have to keep the find command in the latter loop, though.
There are CA certificates with identical CommonName out there... 🤪
Let's handle these.
[admin@MikroTik] > /certificate/print proplist=common-name,skid where common-name="GlobalSign";
Flags: T - TRUSTED
Columns: COMMON-NAME, SKID
# COMMON-NAME SKID
0 T GlobalSign 8FF04B7FA82E4524AE4D50FA639A8BDEE2DD1BBC
1 T GlobalSign 3DE629489BEA07CA21444A26DE6EDED283D09F59
2 T GlobalSign AE6C05A39313E2A2E7E2D71CD6C7F07FC86753A0
3 T GlobalSign 54B07BAD45B8E2407FFB0A6EFBBE33C93CA384D5
... for example from a module. Add a script `mod/symbols-extra` with
something like:
:global SymbolsExtra;
:set ($SymbolsExtra->"rocket") "\F0\9F\9A\80";
RouterOS is suffering a race condition, where a file exists, but its
properties are not (yet) available. This is handled in $WaitForFile.
This passes an interval of zero to $WaitForFile, as does not wait for
the file to exist, but wants to avoid the race only.
This (mostly) reverts commits 0e00a228d6
and e08bb2192d.
This is required for RouterOS 7.20beta4. That fixed recursive find for
files, and (again, or still?) suffers timing (and thus racing) issues
getting file properties.
This breaks RouterOS 7.20beta2 again, so that specific version is not
supported. Just update...
... to avoid:
packages-update: Script 'packages-update' exited with error: Script Error: cannot compare if truth value is more than or equal to ip address
This happens in :convert when a list is way too large.
Let's use $LogPrintOnce here. If the scripting subsystem really crashes
the message will be purged from $LogPrintOnceMessages anyway (as all
global variables are lost).
(Though we keep the quoting for type.)
Well, turned out this functionality is for `/file/print` only,
but does not work with `/file/find`. 🫣🥴
This reverts commit 15fd522d3d.
