From 9312f677fe454c72ad6c6589268b6da31d202ad4 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Mon, 19 Jan 2026 17:20:53 +0100 Subject: [PATCH 01/14] check-certificates: use :continue in loop --- check-certificates.rsc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/check-certificates.rsc b/check-certificates.rsc index 6b3e9a45..fe8f6aff 100644 --- a/check-certificates.rsc +++ b/check-certificates.rsc @@ -161,7 +161,7 @@ :do { :if ([ :len $CertRenewUrl ] = 0) do={ $LogPrintOnce info $ScriptName ("No CertRenewUrl given."); - :error false; + :continue; } $LogPrint info $ScriptName ("Attempting to renew certificate '" . ($CertVal->"name") . "'."); From c13a22e15cefbb7d29c3c0861bdbc5749a9e49c7 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Mon, 19 Jan 2026 15:38:00 +0100 Subject: [PATCH 02/14] fw-addr-lists: use :continue in loop --- fw-addr-lists.rsc | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/fw-addr-lists.rsc b/fw-addr-lists.rsc index 3d295eb3..28899c6c 100644 --- a/fw-addr-lists.rsc +++ b/fw-addr-lists.rsc @@ -111,7 +111,7 @@ } else={ :set Address ([ :pick $Line 0 [ $FindDelim $Line ] ] . ($List->"cidr")); } - :do { + :local Branch; :if ($Address ~ "^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}(/[0-9]{1,2})?\$") do={ :local Net $Address; @@ -124,7 +124,7 @@ } :set Branch [ $GetBranch $Address ]; :set ($IPv4Addresses->$Branch->$Address) $TimeOut; - :error true; + :continue; } :if ($Address ~ "^[0-9a-zA-Z]*:[0-9a-zA-Z:\\.]+(/[0-9]{1,3})?\$") do={ :local Net $Address; @@ -137,15 +137,14 @@ :set Address (([ :toip6 $Net ] & [ $NetMask6 $CIDR ]) . "/" . $CIDR); :set Branch [ $GetBranch $Address ]; :set ($IPv6Addresses->$Branch->$Address) $TimeOut; - :error true; + :continue; } :if ($Address ~ "^[\\.a-zA-Z0-9-]+\\.[a-zA-Z]{2,}\$") do={ :set Branch [ $GetBranch $Address ]; :set ($IPv4Addresses->$Branch->$Address) $TimeOut; :set ($IPv6Addresses->$Branch->$Address) $TimeOut; - :error true; + :continue; } - } on-error={ } } } From b3c2088ee92ea50ed8c038c2e22b8fa7c6229095 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Mon, 19 Jan 2026 15:38:50 +0100 Subject: [PATCH 03/14] fw-addr-lists: fix indention --- fw-addr-lists.rsc | 62 +++++++++++++++++++++++------------------------ 1 file changed, 31 insertions(+), 31 deletions(-) diff --git a/fw-addr-lists.rsc b/fw-addr-lists.rsc index 28899c6c..fa61dc50 100644 --- a/fw-addr-lists.rsc +++ b/fw-addr-lists.rsc @@ -112,39 +112,39 @@ :set Address ([ :pick $Line 0 [ $FindDelim $Line ] ] . ($List->"cidr")); } - :local Branch; - :if ($Address ~ "^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}(/[0-9]{1,2})?\$") do={ - :local Net $Address; - :local CIDR 32; - :local Slash [ :find $Address "/" ]; - :if ([ :typeof $Slash ] = "num") do={ - :set Net [ :toip [ :pick $Address 0 $Slash ] ] - :set CIDR [ :pick $Address ($Slash + 1) [ :len $Address ] ]; - :set Address [ :tostr (([ :toip $Net ] & [ $NetMask4 $CIDR ]) . [ $IfThenElse ($CIDR < 32) ("/" . $CIDR) ]) ]; - } - :set Branch [ $GetBranch $Address ]; - :set ($IPv4Addresses->$Branch->$Address) $TimeOut; - :continue; + :local Branch; + :if ($Address ~ "^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}(/[0-9]{1,2})?\$") do={ + :local Net $Address; + :local CIDR 32; + :local Slash [ :find $Address "/" ]; + :if ([ :typeof $Slash ] = "num") do={ + :set Net [ :toip [ :pick $Address 0 $Slash ] ] + :set CIDR [ :pick $Address ($Slash + 1) [ :len $Address ] ]; + :set Address [ :tostr (([ :toip $Net ] & [ $NetMask4 $CIDR ]) . [ $IfThenElse ($CIDR < 32) ("/" . $CIDR) ]) ]; } - :if ($Address ~ "^[0-9a-zA-Z]*:[0-9a-zA-Z:\\.]+(/[0-9]{1,3})?\$") do={ - :local Net $Address; - :local CIDR 128; - :local Slash [ :find $Address "/" ]; - :if ([ :typeof $Slash ] = "num") do={ - :set Net [ :toip6 [ :pick $Address 0 $Slash ] ] - :set CIDR [ :pick $Address ($Slash + 1) [ :len $Address ] ]; - } - :set Address (([ :toip6 $Net ] & [ $NetMask6 $CIDR ]) . "/" . $CIDR); - :set Branch [ $GetBranch $Address ]; - :set ($IPv6Addresses->$Branch->$Address) $TimeOut; - :continue; - } - :if ($Address ~ "^[\\.a-zA-Z0-9-]+\\.[a-zA-Z]{2,}\$") do={ - :set Branch [ $GetBranch $Address ]; - :set ($IPv4Addresses->$Branch->$Address) $TimeOut; - :set ($IPv6Addresses->$Branch->$Address) $TimeOut; - :continue; + :set Branch [ $GetBranch $Address ]; + :set ($IPv4Addresses->$Branch->$Address) $TimeOut; + :continue; + } + :if ($Address ~ "^[0-9a-zA-Z]*:[0-9a-zA-Z:\\.]+(/[0-9]{1,3})?\$") do={ + :local Net $Address; + :local CIDR 128; + :local Slash [ :find $Address "/" ]; + :if ([ :typeof $Slash ] = "num") do={ + :set Net [ :toip6 [ :pick $Address 0 $Slash ] ] + :set CIDR [ :pick $Address ($Slash + 1) [ :len $Address ] ]; } + :set Address (([ :toip6 $Net ] & [ $NetMask6 $CIDR ]) . "/" . $CIDR); + :set Branch [ $GetBranch $Address ]; + :set ($IPv6Addresses->$Branch->$Address) $TimeOut; + :continue; + } + :if ($Address ~ "^[\\.a-zA-Z0-9-]+\\.[a-zA-Z]{2,}\$") do={ + :set Branch [ $GetBranch $Address ]; + :set ($IPv4Addresses->$Branch->$Address) $TimeOut; + :set ($IPv6Addresses->$Branch->$Address) $TimeOut; + :continue; + } } } From 2e71b055dbcc7951b7cb7a3472838a88da56ec65 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Mon, 19 Jan 2026 16:08:37 +0100 Subject: [PATCH 04/14] global-functions: $ScriptInstallUpdate: use :continue in loop --- global-functions.rsc | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/global-functions.rsc b/global-functions.rsc index 3237c14f..bbb7382f 100644 --- a/global-functions.rsc +++ b/global-functions.rsc @@ -1290,17 +1290,16 @@ } } - :do { :if ($ScriptInfo->"ignore" = true) do={ $LogPrint debug $0 ("Ignoring script '" . $ScriptVal->"name" . "', as requested."); - :error true; + :continue; } :local CheckSum ($CheckSums->($ScriptVal->"name")); :if ([ :len ($ScriptInfo->"base-url") ] = 0 && [ :len ($ScriptInfo->"url-suffix") ] = 0 && \ [ :convert transform=md5 to=hex [ :tolf ($ScriptVal->"source") ] ] = $CheckSum) do={ $LogPrint debug $0 ("Checksum for script '" . $ScriptVal->"name" . "' matches, ignoring."); - :error true; + :continue; } :if ([ :len ($ScriptInfo->"certificate") ] > 0) do={ @@ -1322,44 +1321,44 @@ } do={ $LogPrint warning $0 ("Failed fetching script '" . $ScriptVal->"name" . "': " . $Err); :if ($Err != "Fetch failed with status 404") do={ - :error false; + :continue; } :if ($ScriptVal->"source" = "#!rsc by RouterOS\n") do={ $LogPrint warning $0 ("Removing dummy. Typo on installation?"); /system/script/remove $Script; - :error false; + :continue; } :if ([ :len ($ScriptInfo->"base-url") ] = 0 && [ :len ($ScriptInfo->"url-suffix") ] = 0 && \ [ :len $CheckSum ] = 0) do={ $LogPrintOnce warning $0 \ ("Added the script manually? Skip updates with 'ignore=true' in comment."); } - :error false; + :continue; } :if ([ :len $SourceNew ] = 0) do={ $LogPrint debug $0 ("No update for script '" . $ScriptVal->"name" . "'."); - :error false; + :continue; } :local SourceCRLF [ :tocrlf $SourceNew ]; :if ($SourceNew = $ScriptVal->"source" || $SourceCRLF = $ScriptVal->"source") do={ $LogPrint debug $0 ("Script '" . $ScriptVal->"name" . "' did not change."); - :error false; + :continue; } :if ([ :pick $SourceNew 0 18 ] != "#!rsc by RouterOS\n") do={ $LogPrint warning $0 ("Looks like new script '" . $ScriptVal->"name" . \ "' is not valid (missing shebang). Ignoring!"); - :error false; + :continue; } :local RequiredROS ([ $ParseKeyValueStore [ $Grep $SourceNew ("\23 requires RouterOS, ") ] ]->"version"); :if ([ $RequiredRouterOS $0 [ $EitherOr $RequiredROS "0.0" ] false ] = false) do={ $LogPrintOnce warning $0 ("The script '" . $ScriptVal->"name" . "' requires RouterOS " . \ $RequiredROS . ", which is not met by your installation. Ignoring!"); - :error false; + :continue; } :local RequiredDM [ $ParseKeyValueStore [ $Grep $SourceNew ("\23 requires device-mode, ") ] ]; @@ -1372,12 +1371,12 @@ :if ([ :len $MissingDM ] > 0) do={ $LogPrintOnce warning $0 ("The script '" . $ScriptVal->"name" . "' requires disabled " . \ "device-mode features (" . [ :tostr $MissingDM ] . "). Ignoring!"); - :error false; + :continue; } :if ([ $ValidateSyntax $SourceNew ] = false) do={ $LogPrint warning $0 ("Syntax validation for script '" . $ScriptVal->"name" . "' failed! Ignoring!"); - :error false; + :continue; } $LogPrint info $0 ("Updating script: " . $ScriptVal->"name"); @@ -1388,7 +1387,6 @@ $ScriptVal->"name" ~ ("^(global-functions\\.d|mod)/.")) do={ :set ReloadGlobal true; } - } on-error={ } } :if ($ReloadGlobal = true) do={ From 2a321c430ac47cb2b17202785a83a05c2e8c6032 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Mon, 19 Jan 2026 16:09:41 +0100 Subject: [PATCH 05/14] global-functions: $ScriptInstallUpdate: fix indention --- global-functions.rsc | 168 +++++++++++++++++++++---------------------- 1 file changed, 84 insertions(+), 84 deletions(-) diff --git a/global-functions.rsc b/global-functions.rsc index bbb7382f..22579f90 100644 --- a/global-functions.rsc +++ b/global-functions.rsc @@ -1290,103 +1290,103 @@ } } - :if ($ScriptInfo->"ignore" = true) do={ - $LogPrint debug $0 ("Ignoring script '" . $ScriptVal->"name" . "', as requested."); + :if ($ScriptInfo->"ignore" = true) do={ + $LogPrint debug $0 ("Ignoring script '" . $ScriptVal->"name" . "', as requested."); + :continue; + } + + :local CheckSum ($CheckSums->($ScriptVal->"name")); + :if ([ :len ($ScriptInfo->"base-url") ] = 0 && [ :len ($ScriptInfo->"url-suffix") ] = 0 && \ + [ :convert transform=md5 to=hex [ :tolf ($ScriptVal->"source") ] ] = $CheckSum) do={ + $LogPrint debug $0 ("Checksum for script '" . $ScriptVal->"name" . "' matches, ignoring."); + :continue; + } + + :if ([ :len ($ScriptInfo->"certificate") ] > 0) do={ + :if ([ $CertificateAvailable ($ScriptInfo->"certificate") "fetch" ] = false) do={ + $LogPrint warning $0 ("Downloading certificate failed, trying without."); + } + } + + :onerror Err { + :local BaseUrl [ $EitherOr ($ScriptInfo->"base-url") $ScriptUpdatesBaseUrl ]; + :local UrlSuffix [ $EitherOr ($ScriptInfo->"url-suffix") $ScriptUpdatesUrlSuffix ]; + :local Url ($BaseUrl . $ScriptVal->"name" . ".rsc" . $UrlSuffix); + $LogPrint debug $0 ("Fetching script '" . $ScriptVal->"name" . "' from url: " . $Url); + :local Result [ /tool/fetch check-certificate=yes-without-crl \ + http-header-field=({ [ $FetchUserAgentStr $0 ] }) $Url output=user as-value ]; + :if ($Result->"status" = "finished") do={ + :set SourceNew [ :tolf ($Result->"data") ]; + } + } do={ + $LogPrint warning $0 ("Failed fetching script '" . $ScriptVal->"name" . "': " . $Err); + :if ($Err != "Fetch failed with status 404") do={ :continue; } - :local CheckSum ($CheckSums->($ScriptVal->"name")); + :if ($ScriptVal->"source" = "#!rsc by RouterOS\n") do={ + $LogPrint warning $0 ("Removing dummy. Typo on installation?"); + /system/script/remove $Script; + :continue; + } :if ([ :len ($ScriptInfo->"base-url") ] = 0 && [ :len ($ScriptInfo->"url-suffix") ] = 0 && \ - [ :convert transform=md5 to=hex [ :tolf ($ScriptVal->"source") ] ] = $CheckSum) do={ - $LogPrint debug $0 ("Checksum for script '" . $ScriptVal->"name" . "' matches, ignoring."); - :continue; + [ :len $CheckSum ] = 0) do={ + $LogPrintOnce warning $0 \ + ("Added the script manually? Skip updates with 'ignore=true' in comment."); } + :continue; + } - :if ([ :len ($ScriptInfo->"certificate") ] > 0) do={ - :if ([ $CertificateAvailable ($ScriptInfo->"certificate") "fetch" ] = false) do={ - $LogPrint warning $0 ("Downloading certificate failed, trying without."); - } - } + :if ([ :len $SourceNew ] = 0) do={ + $LogPrint debug $0 ("No update for script '" . $ScriptVal->"name" . "'."); + :continue; + } - :onerror Err { - :local BaseUrl [ $EitherOr ($ScriptInfo->"base-url") $ScriptUpdatesBaseUrl ]; - :local UrlSuffix [ $EitherOr ($ScriptInfo->"url-suffix") $ScriptUpdatesUrlSuffix ]; - :local Url ($BaseUrl . $ScriptVal->"name" . ".rsc" . $UrlSuffix); - $LogPrint debug $0 ("Fetching script '" . $ScriptVal->"name" . "' from url: " . $Url); - :local Result [ /tool/fetch check-certificate=yes-without-crl \ - http-header-field=({ [ $FetchUserAgentStr $0 ] }) $Url output=user as-value ]; - :if ($Result->"status" = "finished") do={ - :set SourceNew [ :tolf ($Result->"data") ]; - } - } do={ - $LogPrint warning $0 ("Failed fetching script '" . $ScriptVal->"name" . "': " . $Err); - :if ($Err != "Fetch failed with status 404") do={ - :continue; - } + :local SourceCRLF [ :tocrlf $SourceNew ]; + :if ($SourceNew = $ScriptVal->"source" || $SourceCRLF = $ScriptVal->"source") do={ + $LogPrint debug $0 ("Script '" . $ScriptVal->"name" . "' did not change."); + :continue; + } - :if ($ScriptVal->"source" = "#!rsc by RouterOS\n") do={ - $LogPrint warning $0 ("Removing dummy. Typo on installation?"); - /system/script/remove $Script; - :continue; - } - :if ([ :len ($ScriptInfo->"base-url") ] = 0 && [ :len ($ScriptInfo->"url-suffix") ] = 0 && \ - [ :len $CheckSum ] = 0) do={ - $LogPrintOnce warning $0 \ - ("Added the script manually? Skip updates with 'ignore=true' in comment."); - } - :continue; - } + :if ([ :pick $SourceNew 0 18 ] != "#!rsc by RouterOS\n") do={ + $LogPrint warning $0 ("Looks like new script '" . $ScriptVal->"name" . \ + "' is not valid (missing shebang). Ignoring!"); + :continue; + } - :if ([ :len $SourceNew ] = 0) do={ - $LogPrint debug $0 ("No update for script '" . $ScriptVal->"name" . "'."); - :continue; - } + :local RequiredROS ([ $ParseKeyValueStore [ $Grep $SourceNew ("\23 requires RouterOS, ") ] ]->"version"); + :if ([ $RequiredRouterOS $0 [ $EitherOr $RequiredROS "0.0" ] false ] = false) do={ + $LogPrintOnce warning $0 ("The script '" . $ScriptVal->"name" . "' requires RouterOS " . \ + $RequiredROS . ", which is not met by your installation. Ignoring!"); + :continue; + } - :local SourceCRLF [ :tocrlf $SourceNew ]; - :if ($SourceNew = $ScriptVal->"source" || $SourceCRLF = $ScriptVal->"source") do={ - $LogPrint debug $0 ("Script '" . $ScriptVal->"name" . "' did not change."); - :continue; + :local RequiredDM [ $ParseKeyValueStore [ $Grep $SourceNew ("\23 requires device-mode, ") ] ]; + :local MissingDM ({}); + :foreach Feature,Value in=$RequiredDM do={ + :if ([ :typeof ($DeviceMode->$Feature) ] = "bool" && ($DeviceMode->$Feature) = false) do={ + :set MissingDM ($MissingDM, $Feature); } + } + :if ([ :len $MissingDM ] > 0) do={ + $LogPrintOnce warning $0 ("The script '" . $ScriptVal->"name" . "' requires disabled " . \ + "device-mode features (" . [ :tostr $MissingDM ] . "). Ignoring!"); + :continue; + } - :if ([ :pick $SourceNew 0 18 ] != "#!rsc by RouterOS\n") do={ - $LogPrint warning $0 ("Looks like new script '" . $ScriptVal->"name" . \ - "' is not valid (missing shebang). Ignoring!"); - :continue; - } + :if ([ $ValidateSyntax $SourceNew ] = false) do={ + $LogPrint warning $0 ("Syntax validation for script '" . $ScriptVal->"name" . "' failed! Ignoring!"); + :continue; + } - :local RequiredROS ([ $ParseKeyValueStore [ $Grep $SourceNew ("\23 requires RouterOS, ") ] ]->"version"); - :if ([ $RequiredRouterOS $0 [ $EitherOr $RequiredROS "0.0" ] false ] = false) do={ - $LogPrintOnce warning $0 ("The script '" . $ScriptVal->"name" . "' requires RouterOS " . \ - $RequiredROS . ", which is not met by your installation. Ignoring!"); - :continue; - } - - :local RequiredDM [ $ParseKeyValueStore [ $Grep $SourceNew ("\23 requires device-mode, ") ] ]; - :local MissingDM ({}); - :foreach Feature,Value in=$RequiredDM do={ - :if ([ :typeof ($DeviceMode->$Feature) ] = "bool" && ($DeviceMode->$Feature) = false) do={ - :set MissingDM ($MissingDM, $Feature); - } - } - :if ([ :len $MissingDM ] > 0) do={ - $LogPrintOnce warning $0 ("The script '" . $ScriptVal->"name" . "' requires disabled " . \ - "device-mode features (" . [ :tostr $MissingDM ] . "). Ignoring!"); - :continue; - } - - :if ([ $ValidateSyntax $SourceNew ] = false) do={ - $LogPrint warning $0 ("Syntax validation for script '" . $ScriptVal->"name" . "' failed! Ignoring!"); - :continue; - } - - $LogPrint info $0 ("Updating script: " . $ScriptVal->"name"); - /system/script/set owner=($ScriptVal->"name") \ - source=[ $IfThenElse ($ScriptUpdatesCRLF = true) $SourceCRLF $SourceNew ] $Script; - :if ($ScriptVal->"name" = "global-config" || \ - $ScriptVal->"name" = "global-functions" || \ - $ScriptVal->"name" ~ ("^(global-functions\\.d|mod)/.")) do={ - :set ReloadGlobal true; - } + $LogPrint info $0 ("Updating script: " . $ScriptVal->"name"); + /system/script/set owner=($ScriptVal->"name") \ + source=[ $IfThenElse ($ScriptUpdatesCRLF = true) $SourceCRLF $SourceNew ] $Script; + :if ($ScriptVal->"name" = "global-config" || \ + $ScriptVal->"name" = "global-functions" || \ + $ScriptVal->"name" ~ ("^(global-functions\\.d|mod)/.")) do={ + :set ReloadGlobal true; + } } :if ($ReloadGlobal = true) do={ From fe5f28ea6cd0d4236052f4000603599714b499b5 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Thu, 22 Jan 2026 10:52:47 +0100 Subject: [PATCH 06/14] netwatch-dns: use :continue in loop --- netwatch-dns.rsc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/netwatch-dns.rsc b/netwatch-dns.rsc index e57bb74a..2a728f62 100644 --- a/netwatch-dns.rsc +++ b/netwatch-dns.rsc @@ -121,9 +121,9 @@ } do={ $LogPrint warning $ScriptName ("Request to DoH server " . ($DohServer->"doh-url") . \ " failed: " . $Err); + :continue; } - :if ($Data != false) do={ :if ([ :typeof [ :find $Data "doh-check-OK" ] ] = "num") do={ /ip/dns/set use-doh-server=($DohServer->"doh-url") verify-doh-cert=yes; :if ([ /certificate/settings/get crl-use ] = true) do={ @@ -136,7 +136,6 @@ $LogPrint warning $ScriptName ("Received unexpected response from DoH server: " . \ ($DohServer->"doh-url")); } - } } } do={ :global ExitOnError; $ExitOnError [ :jobname ] $Err; From db880aea768c00f35128dcfe7bfdf55b4d5ce7cb Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Thu, 22 Jan 2026 10:56:45 +0100 Subject: [PATCH 07/14] netwatch-dns: fix indention --- netwatch-dns.rsc | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/netwatch-dns.rsc b/netwatch-dns.rsc index 2a728f62..df2c987b 100644 --- a/netwatch-dns.rsc +++ b/netwatch-dns.rsc @@ -124,18 +124,18 @@ :continue; } - :if ([ :typeof [ :find $Data "doh-check-OK" ] ] = "num") do={ - /ip/dns/set use-doh-server=($DohServer->"doh-url") verify-doh-cert=yes; - :if ([ /certificate/settings/get crl-use ] = true) do={ - $LogPrintOnce warning $ScriptName ("Configured to use CRL, that can cause severe issue!"); - } - /ip/dns/cache/flush; - $LogPrint info $ScriptName ("Setting DoH server: " . ($DohServer->"doh-url")); - :exit; - } else={ - $LogPrint warning $ScriptName ("Received unexpected response from DoH server: " . \ - ($DohServer->"doh-url")); + :if ([ :typeof [ :find $Data "doh-check-OK" ] ] = "num") do={ + /ip/dns/set use-doh-server=($DohServer->"doh-url") verify-doh-cert=yes; + :if ([ /certificate/settings/get crl-use ] = true) do={ + $LogPrintOnce warning $ScriptName ("Configured to use CRL, that can cause severe issue!"); } + /ip/dns/cache/flush; + $LogPrint info $ScriptName ("Setting DoH server: " . ($DohServer->"doh-url")); + :exit; + } else={ + $LogPrint warning $ScriptName ("Received unexpected response from DoH server: " . \ + ($DohServer->"doh-url")); + } } } do={ :global ExitOnError; $ExitOnError [ :jobname ] $Err; From 2e2f3c4b1aaf9e5530588de9b1400146501a8d2f Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Thu, 22 Jan 2026 10:54:21 +0100 Subject: [PATCH 08/14] netwatch-dns: use :continue in loop --- netwatch-dns.rsc | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/netwatch-dns.rsc b/netwatch-dns.rsc index df2c987b..7f2f791f 100644 --- a/netwatch-dns.rsc +++ b/netwatch-dns.rsc @@ -124,7 +124,12 @@ :continue; } - :if ([ :typeof [ :find $Data "doh-check-OK" ] ] = "num") do={ + :if ([ :typeof [ :find $Data "doh-check-OK" ] ] != "num") do={ + $LogPrint warning $ScriptName ("Received unexpected response from DoH server: " . \ + ($DohServer->"doh-url")); + :continue; + } + /ip/dns/set use-doh-server=($DohServer->"doh-url") verify-doh-cert=yes; :if ([ /certificate/settings/get crl-use ] = true) do={ $LogPrintOnce warning $ScriptName ("Configured to use CRL, that can cause severe issue!"); @@ -132,10 +137,6 @@ /ip/dns/cache/flush; $LogPrint info $ScriptName ("Setting DoH server: " . ($DohServer->"doh-url")); :exit; - } else={ - $LogPrint warning $ScriptName ("Received unexpected response from DoH server: " . \ - ($DohServer->"doh-url")); - } } } do={ :global ExitOnError; $ExitOnError [ :jobname ] $Err; From 99cf486b8e5db99ac16377abb8992cb3f68a32e6 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Thu, 22 Jan 2026 10:58:31 +0100 Subject: [PATCH 09/14] netwatch-dns: fix indention --- netwatch-dns.rsc | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/netwatch-dns.rsc b/netwatch-dns.rsc index 7f2f791f..11134dd5 100644 --- a/netwatch-dns.rsc +++ b/netwatch-dns.rsc @@ -130,13 +130,13 @@ :continue; } - /ip/dns/set use-doh-server=($DohServer->"doh-url") verify-doh-cert=yes; - :if ([ /certificate/settings/get crl-use ] = true) do={ - $LogPrintOnce warning $ScriptName ("Configured to use CRL, that can cause severe issue!"); - } - /ip/dns/cache/flush; - $LogPrint info $ScriptName ("Setting DoH server: " . ($DohServer->"doh-url")); - :exit; + /ip/dns/set use-doh-server=($DohServer->"doh-url") verify-doh-cert=yes; + :if ([ /certificate/settings/get crl-use ] = true) do={ + $LogPrintOnce warning $ScriptName ("Configured to use CRL, that can cause severe issue!"); + } + /ip/dns/cache/flush; + $LogPrint info $ScriptName ("Setting DoH server: " . ($DohServer->"doh-url")); + :exit; } } do={ :global ExitOnError; $ExitOnError [ :jobname ] $Err; From 3b73af9559c1eb371bef3a68a0d87409752a1637 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Thu, 22 Jan 2026 10:28:50 +0100 Subject: [PATCH 10/14] telegram-chat: use :break in loop --- telegram-chat.rsc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/telegram-chat.rsc b/telegram-chat.rsc index cd790051..86114e0a 100644 --- a/telegram-chat.rsc +++ b/telegram-chat.rsc @@ -68,12 +68,12 @@ :local Data false; :for I from=1 to=4 do={ - :if ($Data = false) do={ :onerror Err { :set Data ([ /tool/fetch check-certificate=yes-without-crl output=user \ ("https://api.telegram.org/bot" . $TelegramTokenId . "/getUpdates?offset=" . \ $TelegramChatOffset->0 . "&allowed_updates=%5B%22message%22%5D") as-value ]->"data"); :set TelegramRandomDelay [ $MAX 0 ($TelegramRandomDelay - 1) ]; + :break; } do={ :if ($I < 4) do={ $LogPrint debug $ScriptName ("Fetch failed, " . $I . ". try: " . $Err); @@ -81,7 +81,6 @@ :delay (($I * $I) . "s"); } } - } } :if ($Data = false) do={ From 9f005a16a15e8e88fea1556898229e8a7ad19cef Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Thu, 15 Jan 2026 09:28:38 +0100 Subject: [PATCH 11/14] telegram-chat: use :continue in loop --- telegram-chat.rsc | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/telegram-chat.rsc b/telegram-chat.rsc index 0daa0714..cd790051 100644 --- a/telegram-chat.rsc +++ b/telegram-chat.rsc @@ -115,7 +115,6 @@ } :if ($Trusted = true) do={ - :local Done false; :if ($Command = "?") do={ $LogPrint info $ScriptName ("Sending notice for update " . $UpdateID . "."); $SendTelegram2 ({ origin=$ScriptName; chatid=($Chat->"id"); silent=true; \ @@ -123,9 +122,9 @@ subject=([ $SymbolForNotification "speech-balloon" ] . "Telegram Chat"); \ message=([ $IfThenElse ([ :len ($From->"first_name") ] > 0) ("Hello " . ($From->"first_name") . "!\n\n") ] . \ "Online" . [ $IfThenElse $TelegramChatActive " (and active!)" ] . ", awaiting your commands!") }); - :set Done true; + :continue; } - :if ($Done = false && [ :pick $Command 0 1 ] = "!") do={ + :if ([ :pick $Command 0 1 ] = "!") do={ :if ($Command ~ ("^! *(" . [ $EscapeForRegEx $Identity ] . "|@" . $TelegramChatGroups . ")\$")) do={ :set TelegramChatActive true; } else={ @@ -133,9 +132,9 @@ } $LogPrint info $ScriptName ("Now " . [ $IfThenElse $TelegramChatActive "active" "passive" ] . \ " from update " . $UpdateID . "!"); - :set Done true; + :continue; } - :if ($Done = false && ($IsMyReply = 1 || ($IsAnyReply = false && \ + :if (($IsMyReply = 1 || ($IsAnyReply = false && \ $TelegramChatActive = true)) && [ :len $Command ] > 0) do={ :if ([ $ValidateSyntax $Command ] = true) do={ :local State ""; From b1e4e895857612edaba6a76834eeb5c96b8891cc Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Thu, 22 Jan 2026 10:29:31 +0100 Subject: [PATCH 12/14] telegram-chat: fix indention --- telegram-chat.rsc | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/telegram-chat.rsc b/telegram-chat.rsc index 86114e0a..615008d5 100644 --- a/telegram-chat.rsc +++ b/telegram-chat.rsc @@ -68,19 +68,19 @@ :local Data false; :for I from=1 to=4 do={ - :onerror Err { - :set Data ([ /tool/fetch check-certificate=yes-without-crl output=user \ - ("https://api.telegram.org/bot" . $TelegramTokenId . "/getUpdates?offset=" . \ - $TelegramChatOffset->0 . "&allowed_updates=%5B%22message%22%5D") as-value ]->"data"); - :set TelegramRandomDelay [ $MAX 0 ($TelegramRandomDelay - 1) ]; - :break; - } do={ - :if ($I < 4) do={ - $LogPrint debug $ScriptName ("Fetch failed, " . $I . ". try: " . $Err); - :set TelegramRandomDelay [ $MIN 15 ($TelegramRandomDelay + 5) ]; - :delay (($I * $I) . "s"); - } + :onerror Err { + :set Data ([ /tool/fetch check-certificate=yes-without-crl output=user \ + ("https://api.telegram.org/bot" . $TelegramTokenId . "/getUpdates?offset=" . \ + $TelegramChatOffset->0 . "&allowed_updates=%5B%22message%22%5D") as-value ]->"data"); + :set TelegramRandomDelay [ $MAX 0 ($TelegramRandomDelay - 1) ]; + :break; + } do={ + :if ($I < 4) do={ + $LogPrint debug $ScriptName ("Fetch failed, " . $I . ". try: " . $Err); + :set TelegramRandomDelay [ $MIN 15 ($TelegramRandomDelay + 5) ]; + :delay (($I * $I) . "s"); } + } } :if ($Data = false) do={ From 3394f0a1409e9001bfa727fdab048c3df289fc86 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Wed, 21 Jan 2026 07:35:32 +0100 Subject: [PATCH 13/14] global-functions: $NetMask6: use shift operator... ... and drop the workaround. This requires RouterOS 7.22beta3. --- global-functions.rsc | 26 ++------------------------ 1 file changed, 2 insertions(+), 24 deletions(-) diff --git a/global-functions.rsc b/global-functions.rsc index 22579f90..e6638154 100644 --- a/global-functions.rsc +++ b/global-functions.rsc @@ -1014,31 +1014,9 @@ # return an IPv6 netmask for CIDR :set NetMask6 do={ - :local CIDR [ :tostr $1 ]; + :local CIDR [ :tonum $1 ]; - :global IfThenElse; - :global MAX; - :global MIN; - - :global NetMask6Cache; - - :if ([ :typeof ($NetMask6Cache->$CIDR) ] = "ip6") do={ - :return ($NetMask6Cache->$CIDR); - } - - :if ([ :typeof $NetMask6Cache ] = "nothing") do={ - :set NetMask6Cache ({}); - } - - :local Mask ""; - :for I from=0 to=7 do={ - :set Mask ($Mask . \ - [ :convert from=num to=hex (0xffff - (0xffff >> [ :tonum [ $MIN [ $MAX ($CIDR - (16 * $I)) 0 ] 16 ] ])) ] . \ - [ $IfThenElse ($I < 7) ":" ]); - } - :set Mask [ :toip6 $Mask ]; - :set ($NetMask6Cache->$CIDR) $Mask; - :return $Mask; + :return (((~::) << (128 - $CIDR)) & (~::)); } # prepare NotificationFunctions array From a853e172fa4542e20114fabef7bd02602ff852c8 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Thu, 22 Jan 2026 14:26:21 +0100 Subject: [PATCH 14/14] check-certificates: better error handling and reporting for downloads --- check-certificates.rsc | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/check-certificates.rsc b/check-certificates.rsc index fe8f6aff..1853905b 100644 --- a/check-certificates.rsc +++ b/check-certificates.rsc @@ -54,9 +54,17 @@ "' (file '" . $CertFileName . "')..."); :do { - /tool/fetch check-certificate=yes-without-crl http-header-field=({ [ $FetchUserAgentStr $ScriptName ] }) \ - ($CertRenewUrl . $CertFileName) dst-path=$CertFileName as-value; - $WaitForFile $CertFileName; + :onerror Err { + /tool/fetch check-certificate=yes-without-crl \ + http-header-field=({ [ $FetchUserAgentStr $ScriptName ] }) \ + ($CertRenewUrl . $CertFileName) dst-path=$CertFileName as-value; + } do={ + :if ($Err != "Fetch failed with status 404") do={ + $LogPrint warning $0 ("Failed fetching certificate: " . $Err); + } + :error false; + } + $WaitForFile $CertFileName; :local DecryptionFailed true; :foreach I,PassPhrase in=$CertRenewPass do={