From 1a2432a07646fb53148b5977526c7cb0effd0590 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Tue, 7 Oct 2025 16:02:53 +0200
Subject: [PATCH 1/3] mod/ssh-keys-import: handle new parameter

With RouterOS 7.21beta2 the user SSH keys "key-owner" field was renamed to "info".
---
 doc/mod/ssh-keys-import.md | 5 +++--
 mod/ssh-keys-import.rsc | 3 ++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/doc/mod/ssh-keys-import.md b/doc/mod/ssh-keys-import.md
index 344f4bc2..49276d04 100644
--- a/doc/mod/ssh-keys-import.md
+++ b/doc/mod/ssh-keys-import.md
@@ -38,8 +38,9 @@ import that key: $SSHKeysImport "ssh-rsa AAAAB3Nza...QYZk8= user" admin;
 The third part of the key (`user` in this example) is inherited as
-`key-owner` in RouterOS. Also the `MD5` fingerprint is recorded, this helps
-to audit and verify the available keys.
+`key-owner` in RouterOS (or `info` starting with RouterOS 7.21beta2). Also
+the `MD5` fingerprint is recorded, this helps to audit and verify the
+available keys.
 > ℹ️️ **Info**: Use `ssh-keygen` to show a fingerprint of an existing public
 > key file: `ssh-keygen -l -E md5 -f ~/.ssh/id_ed25519.pub`
diff --git a/mod/ssh-keys-import.rsc b/mod/ssh-keys-import.rsc
index dd32fd6b..c8cff266 100644
--- a/mod/ssh-keys-import.rsc
+++ b/mod/ssh-keys-import.rsc
@@ -40,7 +40,8 @@
 :local FingerPrintMD5 [ :convert from=base64 transform=md5 to=hex ($KeyVal->1) ];
- :if ([ :len [ /user/ssh-keys/find where user=$User key-owner~("\\bmd5=" . $FingerPrintMD5 . "\\b") ] ] > 0) do={
+ :if ([ :len [ /user/ssh-keys/find where user=$User \
+ (key-owner~("\\bmd5=" . $FingerPrintMD5 . "\\b") or info~("\\bmd5=" . $FingerPrintMD5 . "\\b")) ] ] > 0) do={
 $LogPrint warning $0 ("The ssh public key (MD5:" . $FingerPrintMD5 . \
 ") is already available for user '" . $User . "'.");
 :return false;
From 51edcfc92e8dd44b1e7faf44daf06a8f046926e3 Mon Sep 17 00:00:00 2001
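Review bot: The `find where` clause on the added continuation line names both `key-owner` and `info` unconditionally, while the commit message says only one of the two exists on a given RouterOS release (renamed in 7.21beta2). Whether `find` tolerates an unknown property name in a `where` expression is not visible here; if it raises rather than matching nothing, the duplicate check would fail on every release instead of only on the side that lacks the field, so this deserves a run on both an older and a 7.21beta2 device or a version-gated query. At minimum a comment on the line, `# key-owner was renamed to info in RouterOS 7.21beta2; match either field`, would record why both names appear. The enclosing function and the `:if` body both continue outside the hunk.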
From: Christian Hesse
Date: Wed, 8 Oct 2025 16:02:20 +0200
Subject: [PATCH 2/3] fw-addr-lists: do not use IPv6 net addresses smaller /64

This should reduce the number of addresses in list, and also fix addresses with host part set (like 2001:470:1:fb5::2a0/64, which should be 2001:470:1:fb5::/64 really).
---
 fw-addr-lists.rsc | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/fw-addr-lists.rsc b/fw-addr-lists.rsc
index d56d40f0..d7c4e8b2 100644
--- a/fw-addr-lists.rsc
+++ b/fw-addr-lists.rsc
@@ -25,6 +25,7 @@
 :global LogPrint;
 :global LogPrintOnce;
 :global LogPrintVerbose;
+ :global MIN;
 :global ScriptLock;
 :global WaitFullyConnected;
@@ -120,9 +121,14 @@
 :error true;
 }
 :if ($Address ~ "^[0-9a-zA-Z]*:[0-9a-zA-Z:\\.]+(/[0-9]{1,3})?\$") do={
- :if ([ :typeof [ :find $Address "/" ] ] = "nil") do={
- :set Address ($Address . "/128");
+ :local Net $Address;
+ :local Cidr 64;
+ :local Slash [ :find $Address "/" ];
+ :if ([ :typeof $Slash ] = "num") do={
+ :set Net [ :toip6 [ :pick $Address 0 $Slash ] ]
+ :set Cidr [ $MIN [ :pick $Address $Slash [ :len $Address ] ] 64 ];
 }
+ :set Address (([ :toip6 $Net ] & ffff:ffff:ffff:ffff::) . "/" . $Cidr);
 :set ($IPv6Addresses->$Branch->$Address) $TimeOut;
 :error true;
 }
From e0e50ed01f05e8dc7b55d12ce43c387eaeb7e867 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Wed, 8 Oct 2025 16:23:15 +0200
Subject: [PATCH 3/3] fw-addr-lists: calculate branch after post-processing
---
 fw-addr-lists.rsc | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/fw-addr-lists.rsc b/fw-addr-lists.rsc
index d7c4e8b2..962305e2 100644
--- a/fw-addr-lists.rsc
+++ b/fw-addr-lists.rsc
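Review bot: `:pick $Address $Slash [ :len $Address ]` on the new `:set Cidr` line starts at the index `:find` returned for the slash, so the substring handed to `$MIN` still carries the leading `/` (the text `/128` rather than the number 128); unless `$MIN`, defined elsewhere, coerces that string, the comparison with 64 is not made on the prefix length and the rebuilt `$Address` ends with whatever `$MIN` returns. The start index should skip the separator: `:set Cidr [ $MIN [ :pick $Address ($Slash + 1) [ :len $Address ] ] 64 ];`. Two smaller points on the same lines: the new `:set Net` line is the only statement in the block without a trailing `;`, and the `& ffff:ffff:ffff:ffff::` mask always clears exactly the bits below /64, so for an input shorter than /64 the bits between the prefix and /64 stay as supplied, which means the commit's goal of dropping host parts only holds for /64 and longer. Because these entries feed firewall address lists, a mis-parsed prefix length changes what the list matches, so it is worth pinning with inputs such as `2001:db8::1/128`, `2001:db8::1` and `2001:db8:1:2::/48` (constructed examples) and checking the resulting entries. The enclosing `:do` block starts and ends outside the hunk.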
@@ -112,11 +112,12 @@
 :set Address ([ :pick $Line 0 [ $FindDelim $Line ] ] . ($List->"cidr"));
 }
 :do {
- :local Branch [ $GetBranch $Address ];
+ :local Branch;
 :if ($Address ~ "^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}(/[0-9]{1,2})?\$") do={
 :if ($Address ~ "/32\$") do={
 :set Address [ :pick $Address 0 ([ :len $Address ] - 3) ];
 }
+ :set Branch [ $GetBranch $Address ];
 :set ($IPv4Addresses->$Branch->$Address) $TimeOut;
 :error true;
 }
@@ -129,10 +130,12 @@
 :set Cidr [ $MIN [ :pick $Address $Slash [ :len $Address ] ] 64 ];
 }
 :set Address (([ :toip6 $Net ] & ffff:ffff:ffff:ffff::) . "/" . $Cidr);
+ :set Branch [ $GetBranch $Address ];
 :set ($IPv6Addresses->$Branch->$Address) $TimeOut;
 :error true;
 }
 :if ($Address ~ "^[\\.a-zA-Z0-9-]+\\.[a-zA-Z]{2,}\$") do={
+ :set Branch [ $GetBranch $Address ];
 :set ($IPv4Addresses->$Branch->$Address) $TimeOut;
 :set ($IPv6Addresses->$Branch->$Address) $TimeOut;
 :error true;
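Review bot: `:local Branch;` on the new side is assigned only inside the three `:if` bodies that each end in `:error true`, so for an address matching none of the patterns `$Branch` is now nil where it previously held `[ $GetBranch $Address ]`; if the code after the last `:if` (outside both hunks of this patch) reads `$Branch`, for instance in a log message about unparseable entries, that path needs checking. A one-line comment at the declaration would make the intent explicit: `# assigned in each branch below, after the address has been normalized`. The same shape applies to the second hunk of this patch, which assigns `$Branch` after the IPv6 normalization and in the hostname branch. The enclosing `:do` block opens inside the first hunk but closes outside the view.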