doc/mod/ssh-keys-import: reverse old and new

global-functions: $CertificateAvailable: drop the compatibility workaround...
... and make it depend in RouterOS 7.19 and its builtin certificates.
2026-03-05 21:49:36 +00:00 · 2025-10-22 19:06:28 +02:00 · 2025-10-22 19:06:28 +02:00 · 2025-10-22 19:06:28 +02:00 · 2025-10-22 19:05:38 +02:00 · 2025-10-19 19:55:12 +02:00
7 changed files with 88 additions and 22 deletions
--- a/INITIAL-COMMANDS.md
+++ b/INITIAL-COMMANDS.md
@ -4,7 +4,7 @@ Initial commands
 [![GitHub stars](https://img.shields.io/github/stars/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=red)](https://github.com/eworm-de/routeros-scripts/stargazers)
 [![GitHub forks](https://img.shields.io/github/forks/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=green)](https://github.com/eworm-de/routeros-scripts/network)
 [![GitHub watchers](https://img.shields.io/github/watchers/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=blue)](https://github.com/eworm-de/routeros-scripts/watchers)
-[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.15-yellow?style=flat)](https://mikrotik.com/download/changelogs/)
+[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.19-yellow?style=flat)](https://mikrotik.com/download/changelogs/)
 [![Telegram group @routeros_scripts](https://img.shields.io/badge/Telegram-%40routeros__scripts-%2326A5E4?logo=telegram&style=flat)](https://t.me/routeros_scripts)
 [![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=flat)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)

@ -22,8 +22,8 @@ Run the complete base installation:
      :local CertFileName "ISRG-Root-X2.pem";
      :local CertFingerprint "69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470";

-      :if (!(([ /certificate/settings/get ]->"builtin-trust-anchors") = "trusted" && \
-           [[ :parse (":return [ :len [ /certificate/builtin/find where common-name=\"" . $CertCommonName . "\" ] ]") ]] > 0)) do={
+      :if (!([ /certificate/settings/get builtin-trust-anchors ] = "trusted" && \
+             [ :len [ /certificate/builtin/find where common-name=$CertCommonName ] ] > 0)) do={
        :put "Importing certificate...";
        /tool/fetch ($BaseUrl . "certs/" . $CertFileName) dst-path=$CertFileName as-value;
        :delay 1s;
--- a/README.md
+++ b/README.md
@ -4,7 +4,7 @@ RouterOS Scripts
 [![GitHub stars](https://img.shields.io/github/stars/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=red)](https://github.com/eworm-de/routeros-scripts/stargazers)
 [![GitHub forks](https://img.shields.io/github/forks/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=green)](https://github.com/eworm-de/routeros-scripts/network)
 [![GitHub watchers](https://img.shields.io/github/watchers/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=blue)](https://github.com/eworm-de/routeros-scripts/watchers)
-[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.15-yellow?style=flat)](https://mikrotik.com/download/changelogs/)
+[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.19-yellow?style=flat)](https://mikrotik.com/download/changelogs/)
 [![Telegram group @routeros_scripts](https://img.shields.io/badge/Telegram-%40routeros__scripts-%2326A5E4?logo=telegram&style=flat)](https://t.me/routeros_scripts)
 [![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=flat)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)

--- a/doc/mod/ssh-keys-import.md
+++ b/doc/mod/ssh-keys-import.md
@ -38,7 +38,7 @@ import that key:
    $SSHKeysImport "ssh-rsa AAAAB3Nza...QYZk8= user" admin;

 The third part of the key (`user` in this example) is inherited as
-`key-owner` in RouterOS (or `info` starting with RouterOS 7.21beta2). Also
+`info` in RouterOS (or `key-owner` with RouterOS 7.19.x and before). Also
 the `MD5` fingerprint is recorded, this helps to audit and verify the
 available keys.

--- a/fw-addr-lists.rsc
+++ b/fw-addr-lists.rsc
@ -22,10 +22,12 @@
  :global EitherOr;
  :global FetchHuge;
  :global HumanReadableNum;
+  :global IfThenElse;
  :global LogPrint;
  :global LogPrintOnce;
  :global LogPrintVerbose;
-  :global MIN;
+  :global NetMask4;
+  :global NetMask6;
  :global ScriptLock;
  :global WaitFullyConnected;

@ -114,8 +116,13 @@
        :do {
          :local Branch;
          :if ($Address ~ "^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}(/[0-9]{1,2})?\$") do={
-            :if ($Address ~ "/32\$") do={
-              :set Address [ :pick $Address 0 ([ :len $Address ] - 3) ];
+            :local Net $Address;
+            :local CIDR 32;
+            :local Slash [ :find $Address "/" ];
+            :if ([ :typeof $Slash ] = "num") do={
+              :set Net [ :toip [ :pick $Address 0 $Slash ] ]
+              :set CIDR [ :pick $Address ($Slash + 1) [ :len $Address ] ];
+              :set Address [ :tostr (([ :toip $Net ] & [ $NetMask4 $CIDR ]) . [ $IfThenElse ($CIDR < 32) ("/" . $CIDR) ]) ];
            }
            :set Branch [ $GetBranch $Address ];
            :set ($IPv4Addresses->$Branch->$Address) $TimeOut;
@ -123,13 +130,13 @@
          }
          :if ($Address ~ "^[0-9a-zA-Z]*:[0-9a-zA-Z:\\.]+(/[0-9]{1,3})?\$") do={
            :local Net $Address;
-            :local Cidr 64;
+            :local CIDR 128;
            :local Slash [ :find $Address "/" ];
            :if ([ :typeof $Slash ] = "num") do={
              :set Net [ :toip6 [ :pick $Address 0 $Slash ] ]
-              :set Cidr [ $MIN [ :pick $Address ($Slash + 1) [ :len $Address ] ] 64 ];
+              :set CIDR [ :pick $Address ($Slash + 1) [ :len $Address ] ];
            }
-            :set Address (([ :toip6 $Net ] & ffff:ffff:ffff:ffff::) . "/" . $Cidr);
+            :set Address (([ :toip6 $Net ] & [ $NetMask6 $CIDR ]) . "/" . $CIDR);
            :set Branch [ $GetBranch $Address ];
            :set ($IPv6Addresses->$Branch->$Address) $TimeOut;
            :error true;
--- a/global-functions.rsc
+++ b/global-functions.rsc
@ -4,7 +4,7 @@
 #                         Michael Gisbers <michael@gisbers.de>
 # https://rsc.eworm.de/COPYING.md
 #
-# requires RouterOS, version=7.15
+# requires RouterOS, version=7.19
 # requires device-mode, fetch, scheduler
 #
 # global functions
@ -61,6 +61,8 @@
 :global MAX;
 :global MIN;
 :global MkDir;
+:global NetMask4;
+:global NetMask6;
 :global NotificationFunctions;
 :global ParseDate;
 :global ParseKeyValueStore;
@ -121,8 +123,8 @@
    :return false;
  }

-  :if (([ /certificate/settings/get ]->"builtin-trust-anchors") = "trusted" && \
-       [[ :parse (":return [ :len [ /certificate/builtin/find where common-name=\"" . $CommonName . "\" ] ]") ]] > 0) do={
+  :if ([ /certificate/settings/get builtin-trust-anchors ] = "trusted" && \
+       [ :len [ /certificate/builtin/find where common-name=$CommonName ] ] > 0) do={
    :return true;
  }

@ -465,7 +467,7 @@
  :local Error  [ :tostr $3 ];

  :global IfThenElse;
-  :global LogPrint; 
+  :global LogPrint;

  :if ($ExitOK = "false") do={
    $LogPrint error $Name ([ $IfThenElse ([ :pick $Name 0 1 ] = "\$") \
@ -990,6 +992,43 @@
  :return true;
 }

+# return an IPv4 netmask for CIDR
+:set NetMask4 do={
+  :local CIDR [ :tonum $1 ];
+
+  :return ((255.255.255.255 << (32 - $CIDR)) & 255.255.255.255);
+}
+
+# return an IPv6 netmask for CIDR
+:set NetMask6 do={
+  :local FuncName $0;
+  :local CIDR [ :tostr $1 ];
+
+  :global IfThenElse;
+  :global MAX;
+  :global MIN;
+
+  :global NetMask6Cache;
+
+  :if ([ :typeof ($NetMask6Cache->$CIDR) ] = "ip6") do={
+    :return ($NetMask6Cache->$CIDR);
+  }
+
+  :if ([ :typeof $NetMask6Cache ] = "nothing") do={
+    :set NetMask6Cache ({});
+  }
+
+  :local Mask "";
+  :for I from=0 to=7 do={
+    :set Mask ($Mask . \
+      [ :convert from=num to=hex (0xffff - (0xffff >> [ :tonum [ $MIN [ $MAX ($CIDR - (16 * $I)) 0 ] 16 ] ])) ] . \
+      [ $IfThenElse ($I < 7) ":" ]);
+  }
+  :set Mask [ :toip6 $Mask ];
+  :set ($NetMask6Cache->$CIDR) $Mask;
+  :return $Mask;
+}
+
 # prepare NotificationFunctions array
 :if ([ :typeof $NotificationFunctions ] != "array") do={
  :set NotificationFunctions ({});
--- a/mod/ipcalc.rsc
+++ b/mod/ipcalc.rsc
@ -34,20 +34,34 @@
 # calculate and return netmask, network, min host, max host and broadcast
 :set IPCalcReturn do={
  :local Input [ :tostr $1 ];
-  :local Address [ :toip [ :pick $Input 0 [ :find $Input "/" ] ] ];
-  :local Bits [ :tonum [ :pick $Input ([ :find $Input "/" ] + 1) [ :len $Input ] ] ];
-  :local Mask ((255.255.255.255 << (32 - $Bits)) & 255.255.255.255);

-  :local Return {
+  :global NetMask4;
+  :global NetMask6;
+
+  :local Address [ :pick $Input 0 [ :find $Input "/" ] ];
+  :local Bits [ :tonum [ :pick $Input ([ :find $Input "/" ] + 1) [ :len $Input ] ] ];
+  :local Mask;
+  :local One;
+  :if ([ :typeof [ :toip $Address ] ] = "ip") do={
+    :set Address [ :toip $Address ];
+    :set Mask [ $NetMask4 $Bits ];
+    :set One 0.0.0.1;
+  } else={
+    :set Address [ :toip6 $Address ];
+    :set Mask [ $NetMask6 $Bits ];
+    :set One ::1;
+  }
+
+  :local Return ({
    "address"=$Address;
    "netmask"=$Mask;
    "networkaddress"=($Address & $Mask);
    "networkbits"=$Bits;
    "network"=(($Address & $Mask) . "/" . $Bits);
-    "hostmin"=(($Address & $Mask) | 0.0.0.1);
-    "hostmax"=(($Address | ~$Mask) ^ 0.0.0.1);
+    "hostmin"=(($Address & $Mask) | $One);
+    "hostmax"=(($Address | ~$Mask) ^ $One);
    "broadcast"=($Address | ~$Mask);
-  }
+  });

  :return $Return;
 }
--- a/mod/notification-telegram.rsc
+++ b/mod/notification-telegram.rsc
@ -21,6 +21,7 @@
  :global TelegramQueue;
  :global TelegramMessageIDs;

+  :global CertificateAvailable;
  :global IsFullyConnected;
  :global LogPrint;

@ -29,6 +30,11 @@
    :return false;
  }

+  :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" ] = false) do={
+    $LogPrint warning $0 ("Downloading required certificate failed.");
+    :return false;
+  }
+
  :local AllDone true;
  :local QueueLen [ :len $TelegramQueue ];
Author	SHA1	Message	Date
Christian Hesse	6041f5cb5c	doc/mod/ssh-keys-import: reverse old and new	2025-10-22 19:06:28 +02:00
Christian Hesse	beafaf4bf5	global-functions: $CertificateAvailable: drop the compatibility workaround... ... and make it depend in RouterOS 7.19 and its builtin certificates.	2025-10-22 19:06:28 +02:00
Christian Hesse	10b0ee7e87	INITIAL-COMMANDS: drop the compatibility workaround... ... and make it depend in RouterOS 7.19 and its builtin certificates.	2025-10-22 19:06:28 +02:00
Christian Hesse	ea4b5553c2	Merge branch 'netmask6' into next This branch is a follow-up on `9ceed0926a` with clean solution. Read on for details... The data type `ip6-prefix` used to hold what it was named for - an IPv6 prefix: [user@mikrotik] > :put 2001:db8::dead:beef/32 2001:db8::/32 This changed with RouterOS 6.21beta2, which now allows that exact same data type to hold something like "address with prefix length attached": [user@mikrotik] > :put 2001:db8::dead:beef/32 2001:db8::dead:beef/32 My scripts (namely `fw-addr-lists`) relied on the old behaviour and broke. The commit mentioned above was just a quick workaround, with rough edges, and it could still fail. Sadly RouterOS does not support bit shifting on IPv6 data types, so a (completely) mathematical solution is out of scope. This branch implements a new and better workaround, see the first commit of branch (`6ad6f9aa08`) for details. I opened a support ticket / feature request on this topic, let's see what results it brings... https://help.mikrotik.com/servicedesk/servicedesk/customer/portal/1/SUP-201881	2025-10-22 19:05:38 +02:00
Christian Hesse	b80b872e55	mod/ipcalc: support IPv6 Well, some of these values do not make a lot of sense for IPv6... Something to be cleaned up later.	2025-10-19 19:55:12 +02:00
Christian Hesse	ea05b69f7c	fw-addr-lists: use $NetMask6	2025-10-19 19:55:12 +02:00
Christian Hesse	d7a6eb1d00	global-functions: $NetMask6: implement simple caching The calculation is quite complex for something that needs to be done frequently, for example by `fw-addr-lists`. The number of possible netmasks is limited, so let's cache the results that were calculated already.	2025-10-19 19:52:42 +02:00
Christian Hesse	6ad6f9aa08	global-functions: introduce $NetMask6 RouterOS does not support bit shifting on IPv6 data types, so we have to split the problem: * each 16 bit block is calculated separately, as number * the complete netmask is assembled in a loop, as string * the final string is casted to correct data type	2025-10-19 19:48:14 +02:00
Christian Hesse	c62f236251	Merge branch 'netmask4' into next	2025-10-19 19:26:51 +02:00
Christian Hesse	47309e5c03	fw-addr-lists: normalize IPv4 addresses	2025-10-16 15:43:43 +02:00
Christian Hesse	9fa11cb79a	mod/ipcalc: use $NetMask4	2025-10-16 13:03:54 +02:00
Christian Hesse	def540c965	global-functions: introduce $NetMask4	2025-10-16 10:47:19 +02:00
Christian Hesse	025b492783	global-functions: remove trailing space	2025-10-16 10:34:09 +02:00
Christian Hesse	6630d35eea	mod/notification-telegram: $FlushTelegramQueue: check for cert, again Chances are that messages have been queued before system was fully up or connected. Thus the certificate may be missing, and it should be checked again for on flush.	2025-10-13 12:06:01 +02:00