From 5ffa85f8bfb5ed11c3f3886e3b8cd7b5346b6efa Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Tue, 7 Oct 2025 16:02:53 +0200 Subject: [PATCH 1/4] mod/ssh-keys-import: handle new parameter With RouterOS 7.21beta2 the user SSH keys "key-owner" field was renamed to "info". Either of both is displayed in red by syntax highlighting, but it works anyway. --- doc/mod/ssh-keys-import.md | 5 +++-- mod/ssh-keys-import.rsc | 4 +++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/doc/mod/ssh-keys-import.md b/doc/mod/ssh-keys-import.md index 344f4bc2..49276d04 100644 --- a/doc/mod/ssh-keys-import.md +++ b/doc/mod/ssh-keys-import.md @@ -38,8 +38,9 @@ import that key: $SSHKeysImport "ssh-rsa AAAAB3Nza...QYZk8= user" admin; The third part of the key (`user` in this example) is inherited as -`key-owner` in RouterOS. Also the `MD5` fingerprint is recorded, this helps -to audit and verify the available keys. +`key-owner` in RouterOS (or `info` starting with RouterOS 7.21beta2). Also +the `MD5` fingerprint is recorded, this helps to audit and verify the +available keys. > ℹī¸ī¸ **Info**: Use `ssh-keygen` to show a fingerprint of an existing public > key file: `ssh-keygen -l -E md5 -f ~/.ssh/id_ed25519.pub` diff --git a/mod/ssh-keys-import.rsc b/mod/ssh-keys-import.rsc index dd32fd6b..8bea64ee 100644 --- a/mod/ssh-keys-import.rsc +++ b/mod/ssh-keys-import.rsc @@ -40,7 +40,9 @@ :local FingerPrintMD5 [ :convert from=base64 transform=md5 to=hex ($KeyVal->1) ]; - :if ([ :len [ /user/ssh-keys/find where user=$User key-owner~("\\bmd5=" . $FingerPrintMD5 . "\\b") ] ] > 0) do={ + :local RegEx ("\\bmd5=" . $FingerPrintMD5 . "\\b"); + :if ([ :len [ /user/ssh-keys/find where user=$User \ + (key-owner~$RegEx or info~$RegEx) ] ] > 0) do={ $LogPrint warning $0 ("The ssh public key (MD5:" . $FingerPrintMD5 . \ ") is already available for user '" . $User . "'."); :return false; From 9ceed0926a749c51ebc050d80cd33100ecdbcc5a Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Wed, 8 Oct 2025 16:02:20 +0200 Subject: [PATCH 2/4] fw-addr-lists: do not use IPv6 net addresses smaller /64 This should reduce the number of addresses in list by aggregating them, and also fix addresses with host part set (like 2001:470:1:fb5::2a0/64, which should be 2001:470:1:fb5::/64 really). The latter caused new warnings with RouterOS 7.21beta2. --- fw-addr-lists.rsc | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/fw-addr-lists.rsc b/fw-addr-lists.rsc index d56d40f0..2b5fd0cf 100644 --- a/fw-addr-lists.rsc +++ b/fw-addr-lists.rsc @@ -25,6 +25,7 @@ :global LogPrint; :global LogPrintOnce; :global LogPrintVerbose; + :global MIN; :global ScriptLock; :global WaitFullyConnected; @@ -120,9 +121,14 @@ :error true; } :if ($Address ~ "^[0-9a-zA-Z]*:[0-9a-zA-Z:\\.]+(/[0-9]{1,3})?\$") do={ - :if ([ :typeof [ :find $Address "/" ] ] = "nil") do={ - :set Address ($Address . "/128"); + :local Net $Address; + :local Cidr 64; + :local Slash [ :find $Address "/" ]; + :if ([ :typeof $Slash ] = "num") do={ + :set Net [ :toip6 [ :pick $Address 0 $Slash ] ] + :set Cidr [ $MIN [ :pick $Address ($Slash + 1) [ :len $Address ] ] 64 ]; } + :set Address (([ :toip6 $Net ] & ffff:ffff:ffff:ffff::) . "/" . $Cidr); :set ($IPv6Addresses->$Branch->$Address) $TimeOut; :error true; } From 35b556f0b20f79e2beb5d99c25159b3255124833 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Wed, 8 Oct 2025 16:23:15 +0200 Subject: [PATCH 3/4] fw-addr-lists: calculate branch after post-processing... MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ... as branch will likely change, and we want to avoid duplicates. 😉 --- fw-addr-lists.rsc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fw-addr-lists.rsc b/fw-addr-lists.rsc index 2b5fd0cf..cd136f95 100644 --- a/fw-addr-lists.rsc +++ b/fw-addr-lists.rsc @@ -112,11 +112,12 @@ :set Address ([ :pick $Line 0 [ $FindDelim $Line ] ] . ($List->"cidr")); } :do { - :local Branch [ $GetBranch $Address ]; + :local Branch; :if ($Address ~ "^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}(/[0-9]{1,2})?\$") do={ :if ($Address ~ "/32\$") do={ :set Address [ :pick $Address 0 ([ :len $Address ] - 3) ]; } + :set Branch [ $GetBranch $Address ]; :set ($IPv4Addresses->$Branch->$Address) $TimeOut; :error true; } @@ -129,10 +130,12 @@ :set Cidr [ $MIN [ :pick $Address ($Slash + 1) [ :len $Address ] ] 64 ]; } :set Address (([ :toip6 $Net ] & ffff:ffff:ffff:ffff::) . "/" . $Cidr); + :set Branch [ $GetBranch $Address ]; :set ($IPv6Addresses->$Branch->$Address) $TimeOut; :error true; } :if ($Address ~ "^[\\.a-zA-Z0-9-]+\\.[a-zA-Z]{2,}\$") do={ + :set Branch [ $GetBranch $Address ]; :set ($IPv4Addresses->$Branch->$Address) $TimeOut; :set ($IPv6Addresses->$Branch->$Address) $TimeOut; :error true; From c81618b57166cbc066aa476a31a32cee421314a8 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Thu, 9 Oct 2025 09:22:39 +0200 Subject: [PATCH 4/4] log-forward: always use memo symbol... ... and add warning sign on top. --- log-forward.rsc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/log-forward.rsc b/log-forward.rsc index be7eff7b..3d7d0547 100644 --- a/log-forward.rsc +++ b/log-forward.rsc @@ -95,7 +95,7 @@ :set LogForwardRateLimit ($LogForwardRateLimit + 10); $SendNotification2 ({ origin=$ScriptName; \ - subject=([ $SymbolForNotification [ $IfThenElse ($Warning = true) "warning-sign" "memo" ] ] . \ + subject=([ $SymbolForNotification ("memo" . [ $IfThenElse ($Warning = true) ",warning-sign" ]) ] . \ "Log Forwarding"); \ message=("The log on " . $Identity . " contains " . [ $IfThenElse ($Count = 1) "this message" \ ("these " . $Count . " messages") ] . " after " . [ /system/resource/get uptime ] . " uptime." . \