From 5ffa85f8bfb5ed11c3f3886e3b8cd7b5346b6efa Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Tue, 7 Oct 2025 16:02:53 +0200 Subject: [PATCH 1/7] mod/ssh-keys-import: handle new parameter With RouterOS 7.21beta2 the user SSH keys "key-owner" field was renamed to "info". Either of both is displayed in red by syntax highlighting, but it works anyway. --- doc/mod/ssh-keys-import.md | 5 +++-- mod/ssh-keys-import.rsc | 4 +++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/doc/mod/ssh-keys-import.md b/doc/mod/ssh-keys-import.md index 344f4bc2..49276d04 100644 --- a/doc/mod/ssh-keys-import.md +++ b/doc/mod/ssh-keys-import.md @@ -38,8 +38,9 @@ import that key: $SSHKeysImport "ssh-rsa AAAAB3Nza...QYZk8= user" admin; The third part of the key (`user` in this example) is inherited as -`key-owner` in RouterOS. Also the `MD5` fingerprint is recorded, this helps -to audit and verify the available keys. +`key-owner` in RouterOS (or `info` starting with RouterOS 7.21beta2). Also +the `MD5` fingerprint is recorded, this helps to audit and verify the +available keys. > â„šī¸ī¸ **Info**: Use `ssh-keygen` to show a fingerprint of an existing public > key file: `ssh-keygen -l -E md5 -f ~/.ssh/id_ed25519.pub` diff --git a/mod/ssh-keys-import.rsc b/mod/ssh-keys-import.rsc index dd32fd6b..8bea64ee 100644 --- a/mod/ssh-keys-import.rsc +++ b/mod/ssh-keys-import.rsc @@ -40,7 +40,9 @@ :local FingerPrintMD5 [ :convert from=base64 transform=md5 to=hex ($KeyVal->1) ]; - :if ([ :len [ /user/ssh-keys/find where user=$User key-owner~("\\bmd5=" . $FingerPrintMD5 . "\\b") ] ] > 0) do={ + :local RegEx ("\\bmd5=" . $FingerPrintMD5 . "\\b"); + :if ([ :len [ /user/ssh-keys/find where user=$User \ + (key-owner~$RegEx or info~$RegEx) ] ] > 0) do={ $LogPrint warning $0 ("The ssh public key (MD5:" . $FingerPrintMD5 . \ ") is already available for user '" . $User . "'."); :return false; From 9ceed0926a749c51ebc050d80cd33100ecdbcc5a Mon Sep 17 00:00:00 2001 
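Review bot: The new filter `(key-owner~$RegEx or info~$RegEx)` in mod/ssh-keys-import.rsc has no comment explaining why two property names are queried. The commit message says one of them is always flagged by syntax highlighting, so a later cleanup could drop the one that looks wrong and silently disable duplicate detection on some releases. I would add above `:local RegEx`: `# "key-owner" was renamed to "info" in RouterOS 7.21beta2; query both on purpose`. The check only finds keys whose owner/info text still carries the `md5=` marker, and that field appears to be free text, so this is duplicate detection rather than an integrity control. The enclosing function starts and ends outside the hunk, and the import call that writes the field is not visible here; it presumably needs the same version handling.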
From: Christian Hesse Date: Wed, 8 Oct 2025 16:02:20 +0200 Subject: [PATCH 2/7] fw-addr-lists: do not use IPv6 net addresses smaller /64 This should reduce the number of addresses in list by aggregating them, and also fix addresses with host part set (like 2001:470:1:fb5::2a0/64, which should be 2001:470:1:fb5::/64 really). The latter caused new warnings with RouterOS 7.21beta2. --- fw-addr-lists.rsc | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/fw-addr-lists.rsc b/fw-addr-lists.rsc index d56d40f0..2b5fd0cf 100644 --- a/fw-addr-lists.rsc +++ b/fw-addr-lists.rsc @@ -25,6 +25,7 @@ :global LogPrint; :global LogPrintOnce; :global LogPrintVerbose; + :global MIN; :global ScriptLock; :global WaitFullyConnected; @@ -120,9 +121,14 @@ :error true; } :if ($Address ~ "^[0-9a-zA-Z]*:[0-9a-zA-Z:\\.]+(/[0-9]{1,3})?\$") do={ - :if ([ :typeof [ :find $Address "/" ] ] = "nil") do={ - :set Address ($Address . "/128"); + :local Net $Address; + :local Cidr 64; + :local Slash [ :find $Address "/" ]; + :if ([ :typeof $Slash ] = "num") do={ + :set Net [ :toip6 [ :pick $Address 0 $Slash ] ] + :set Cidr [ $MIN [ :pick $Address ($Slash + 1) [ :len $Address ] ] 64 ]; } + :set Address (([ :toip6 $Net ] & ffff:ffff:ffff:ffff::) . "/" . $Cidr); :set ($IPv6Addresses->$Branch->$Address) $TimeOut; :error true; } From 35b556f0b20f79e2beb5d99c25159b3255124833 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Wed, 8 Oct 2025 16:23:15 +0200 Subject: [PATCH 3/7] fw-addr-lists: calculate branch after post-processing... MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ... as branch will likely change, and we want to avoid duplicates. 😉 --- fw-addr-lists.rsc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fw-addr-lists.rsc b/fw-addr-lists.rsc index 2b5fd0cf..cd136f95 100644 --- a/fw-addr-lists.rsc +++ b/fw-addr-lists.rsc 
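Review bot: The mask in `:set Address (([ :toip6 $Net ] & ffff:ffff:ffff:ffff::) . "/" . $Cidr);` is fixed at 64 bits while `$Cidr` can be smaller, so a prefix shorter than /64 that has bits set between its length and bit 64 is still stored with its host part set, which is the case the commit message says triggers warnings. The mask should be derived from `$Cidr`, or the limit documented with `# mask is /64 only; prefixes shorter than /64 are stored as given in the list`. Separately, every single address and every prefix longer than /64 is now widened to a whole /64; these lists presumably feed firewall rules, so that broadens whatever action the rule takes and deserves a sentence in the script's documentation. `:set Net [ :toip6 [ :pick $Address 0 $Slash ] ]` also lacks the trailing `;` used on the neighbouring lines. The surrounding `:do { ... }` block begins and ends outside the hunk.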
@@ -112,11 +112,12 @@ :set Address ([ :pick $Line 0 [ $FindDelim $Line ] ] . ($List->"cidr")); } :do { - :local Branch [ $GetBranch $Address ]; + :local Branch; :if ($Address ~ "^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}(/[0-9]{1,2})?\$") do={ :if ($Address ~ "/32\$") do={ :set Address [ :pick $Address 0 ([ :len $Address ] - 3) ]; } + :set Branch [ $GetBranch $Address ]; :set ($IPv4Addresses->$Branch->$Address) $TimeOut; :error true; } @@ -129,10 +130,12 @@ :set Cidr [ $MIN [ :pick $Address ($Slash + 1) [ :len $Address ] ] 64 ]; } :set Address (([ :toip6 $Net ] & ffff:ffff:ffff:ffff::) . "/" . $Cidr); + :set Branch [ $GetBranch $Address ]; :set ($IPv6Addresses->$Branch->$Address) $TimeOut; :error true; } :if ($Address ~ "^[\\.a-zA-Z0-9-]+\\.[a-zA-Z]{2,}\$") do={ + :set Branch [ $GetBranch $Address ]; :set ($IPv4Addresses->$Branch->$Address) $TimeOut; :set ($IPv6Addresses->$Branch->$Address) $TimeOut; :error true; From c81618b57166cbc066aa476a31a32cee421314a8 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Thu, 9 Oct 2025 09:22:39 +0200 Subject: [PATCH 4/7] log-forward: always use memo symbol... ... and add warning sign on top. --- log-forward.rsc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/log-forward.rsc b/log-forward.rsc index be7eff7b..3d7d0547 100644 --- a/log-forward.rsc +++ b/log-forward.rsc @@ -95,7 +95,7 @@ :set LogForwardRateLimit ($LogForwardRateLimit + 10); $SendNotification2 ({ origin=$ScriptName; \ - subject=([ $SymbolForNotification [ $IfThenElse ($Warning = true) "warning-sign" "memo" ] ] . \ + subject=([ $SymbolForNotification ("memo" . [ $IfThenElse ($Warning = true) ",warning-sign" ]) ] . \ "Log Forwarding"); \ message=("The log on " . $Identity . " contains " . [ $IfThenElse ($Count = 1) "this message" \ ("these " . $Count . " messages") ] . " after " . [ /system/resource/get uptime ] . " uptime." . \ From 3488c9b9af4071e6fdc074c089eb8e3aebbdb7c8 Mon Sep 17 00:00:00 2001 
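Review bot: In the IPv4 branch of the -112,11 hunk `$GetBranch` now runs after post-processing, but the only post-processing visible there is stripping `/32`. A prefix written with host bits set is still used verbatim as the key, so the duplicate avoidance this commit aims for is less complete than in the IPv6 branch, which masks the address before `$GetBranch` is called. If that is intentional, a comment such as `# IPv4 prefixes are taken as given in the list, only /32 is normalised` above `:set Branch [ $GetBranch $Address ];` would make it explicit. The `:do { ... }` block continues outside both hunks of this patch.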
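Review bot: `[ $IfThenElse ($Warning = true) ",warning-sign" ]` in log-forward.rsc is called without an else value, so the subject depends on the helper returning something that concatenates cleanly onto `"memo"`. The other `$IfThenElse` call in the same hunk passes both branches. `$IfThenElse` is defined outside this diff, so its two-argument behaviour cannot be confirmed from here; passing the empty string explicitly removes the dependency: `[ $IfThenElse ($Warning = true) ",warning-sign" "" ]`.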
From: Christian Hesse Date: Sat, 7 Jun 2025 22:38:55 +0200 Subject: [PATCH 5/7] INITIAL-COMMANDS: drop the compatibility workaround... ... and make it depend in RouterOS 7.19 and its builtin certificates. --- INITIAL-COMMANDS.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/INITIAL-COMMANDS.md b/INITIAL-COMMANDS.md index 40f609b9..2df29e0c 100644 --- a/INITIAL-COMMANDS.md +++ b/INITIAL-COMMANDS.md @@ -4,7 +4,7 @@ Initial commands [![GitHub stars](https://img.shields.io/github/stars/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=red)](https://github.com/eworm-de/routeros-scripts/stargazers) [![GitHub forks](https://img.shields.io/github/forks/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=green)](https://github.com/eworm-de/routeros-scripts/network) [![GitHub watchers](https://img.shields.io/github/watchers/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=blue)](https://github.com/eworm-de/routeros-scripts/watchers) -[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.15-yellow?style=flat)](https://mikrotik.com/download/changelogs/) +[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.19-yellow?style=flat)](https://mikrotik.com/download/changelogs/) [![Telegram group @routeros_scripts](https://img.shields.io/badge/Telegram-%40routeros__scripts-%2326A5E4?logo=telegram&style=flat)](https://t.me/routeros_scripts) [![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=flat)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J) 
@@ -22,8 +22,8 @@ Run the complete base installation: :local CertFileName "ISRG-Root-X2.pem"; :local CertFingerprint "69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470"; - :if (!(([ /certificate/settings/get ]->"builtin-trust-anchors") = "trusted" && \ - [[ :parse (":return [ :len [ /certificate/builtin/find where common-name=\"" . $CertCommonName . "\" ] ]") ]] > 0)) do={ + :if (!([ /certificate/settings/get builtin-trust-anchors ] = "trusted" && \ + [ :len [ /certificate/builtin/find where common-name=$CertCommonName ] ] > 0)) do={ :put "Importing certificate..."; /tool/fetch ($BaseUrl . "certs/" . $CertFileName) dst-path=$CertFileName as-value; :delay 1s; From da466a46807faf4296ec20f306ae91543a5cea15 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Sat, 7 Jun 2025 22:41:29 +0200 Subject: [PATCH 6/7] global-functions: $CertificateAvailable: drop the compatibility workaround... ... and make it depend in RouterOS 7.19 and its builtin certificates. --- README.md | 2 +- global-functions.rsc | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 243e1fc5..50cc270c 100644 --- a/README.md +++ b/README.md 
@@ -4,7 +4,7 @@ RouterOS Scripts [![GitHub stars](https://img.shields.io/github/stars/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=red)](https://github.com/eworm-de/routeros-scripts/stargazers) [![GitHub forks](https://img.shields.io/github/forks/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=green)](https://github.com/eworm-de/routeros-scripts/network) [![GitHub watchers](https://img.shields.io/github/watchers/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=blue)](https://github.com/eworm-de/routeros-scripts/watchers) -[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.15-yellow?style=flat)](https://mikrotik.com/download/changelogs/) +[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.19-yellow?style=flat)](https://mikrotik.com/download/changelogs/) [![Telegram group @routeros_scripts](https://img.shields.io/badge/Telegram-%40routeros__scripts-%2326A5E4?logo=telegram&style=flat)](https://t.me/routeros_scripts) [![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=flat)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J) diff --git a/global-functions.rsc b/global-functions.rsc index 98bc306c..33b3902d 100644 --- a/global-functions.rsc +++ b/global-functions.rsc @@ -4,7 +4,7 @@ # Michael Gisbers # https://rsc.eworm.de/COPYING.md # -# requires RouterOS, version=7.15 +# requires RouterOS, version=7.19 # requires device-mode, fetch, scheduler # # global functions @@ -121,8 +121,8 @@ :return false; } - :if (([ /certificate/settings/get ]->"builtin-trust-anchors") = "trusted" && \ - [[ :parse (":return [ :len [ /certificate/builtin/find where common-name=\"" . $CommonName . "\" ] ]") ]] > 0) do={ + :if ([ /certificate/settings/get builtin-trust-anchors ] = "trusted" && \ + [ :len [ /certificate/builtin/find where common-name=$CommonName ] ] > 0) do={ :return true; } 
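Review bot: With the `:parse` wrapper removed in the -121,8 hunk of global-functions.rsc, `/certificate/builtin/find` is now part of the script text itself, so on a RouterOS older than 7.19 the failure would presumably occur when the file is loaded rather than inside this one check. Only the header comment is bumped in this diff, and whether a version gate runs before load is not visible here. The early `:return true` also accepts a certificate on a `common-name` match alone once `builtin-trust-anchors` is `trusted`, with no use of a pinned value like the `$CertFingerprint` that INITIAL-COMMANDS.md declares for the imported file. That is reasonable for the firmware's own store but should be stated, for example above the `:if`: `# built-in trust anchors (RouterOS 7.19+): matched by common-name only, trust comes from the firmware store`. The function body starts and ends outside the hunk; patch 5 makes the same change in INITIAL-COMMANDS.md.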
From 4b30806c07d3dce5546d4188de09dd1bb26303a9 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Fri, 10 Oct 2025 09:11:27 +0200 Subject: [PATCH 7/7] doc/mod/ssh-keys-import: reverse old and new --- doc/mod/ssh-keys-import.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/mod/ssh-keys-import.md b/doc/mod/ssh-keys-import.md index 49276d04..1273de81 100644 --- a/doc/mod/ssh-keys-import.md +++ b/doc/mod/ssh-keys-import.md @@ -38,7 +38,7 @@ import that key: $SSHKeysImport "ssh-rsa AAAAB3Nza...QYZk8= user" admin; The third part of the key (`user` in this example) is inherited as -`key-owner` in RouterOS (or `info` starting with RouterOS 7.21beta2). Also +`info` in RouterOS (or `key-owner` with RouterOS 7.19.x and before). Also the `MD5` fingerprint is recorded, this helps to audit and verify the available keys.