diff --git a/INITIAL-COMMANDS.md b/INITIAL-COMMANDS.md index df64aa7e..e033b576 100644 --- a/INITIAL-COMMANDS.md +++ b/INITIAL-COMMANDS.md @@ -18,9 +18,9 @@ Run the complete base installation: { :local BaseUrl "https://rsc.eworm.de/main/"; - :local CertCommonName "ISRG Root X2"; - :local CertFileName "ISRG-Root-X2.pem"; - :local CertFingerprint "69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470"; + :local CertCommonName "Root YE"; + :local CertFileName "Root-YE.pem"; + :local CertFingerprint "e14ffcad5b0025731006caa43a121a22d8e9700f4fb9cf852f02a708aa5d5666"; :local CertSettings [ /certificate/settings/get ]; :if (!((($CertSettings->"builtin-trust-anchors") = "trusted" || \ diff --git a/README.d/01-download-certs.avif b/README.d/01-download-certs.avif index f2afeb54..e4d8755c 100644 Binary files a/README.d/01-download-certs.avif and b/README.d/01-download-certs.avif differ diff --git a/README.d/03-check-certs.avif b/README.d/03-check-certs.avif index 1f03ad2c..6610ac47 100644 Binary files a/README.d/03-check-certs.avif and b/README.d/03-check-certs.avif differ diff --git a/README.md b/README.md index f7143ddf..1d67b913 100644 --- a/README.md +++ b/README.md 
@@ -126,18 +126,18 @@ If you intend to download the scripts from a different location (for example from github.com) install the corresponding certificate chain. - /tool/fetch "https://rsc.eworm.de/main/certs/ISRG-Root-X2.pem" dst-path="isrg-root-x2.pem"; + /tool/fetch "https://rsc.eworm.de/main/certs/Root-YE.pem" dst-path="root-ye.pem"; ![screenshot: download certs](README.d/01-download-certs.avif) > ℹ️ **Info**: Note that the command above does *not* verify server > certificate, so if you want to be safe download with your workstations's > browser from CA's website and transfer the file to your MikroTik device: -> *Let's Encrypt* / *ISRG* [ISRG Root X2 ↗️](https://letsencrypt.org/certs/isrg-root-x2.pem) +> *Let's Encrypt* / *ISRG* [Root YE ↗️](https://letsencrypt.org/certs/gen-y/root-ye.pem) Then we import the certificate. - /certificate/import file-name="isrg-root-x2.pem" passphrase=""; + /certificate/import file-name="root-ye.pem" passphrase=""; Do not worry that the command is not shown - that happens because it contains a sensitive property, the passphrase. @@ -145,11 +145,11 @@ a sensitive property, the passphrase. ![screenshot: import certs](README.d/02-import-certs.avif) For basic verification we rename the certificate and print it by -fingerprint. Make sure exactly this one certificate ("*ISRG-Root-X2*") +fingerprint. Make sure exactly this one certificate ("*Root-YE*") is shown. - /certificate/set name="ISRG-Root-X2" [ find where common-name="ISRG Root X2" ]; - /certificate/print proplist=name,fingerprint where fingerprint="69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470"; + /certificate/set name="Root-YE" [ find where common-name="Root YE" ]; + /certificate/print proplist=name,fingerprint where fingerprint="e14ffcad5b0025731006caa43a121a22d8e9700f4fb9cf852f02a708aa5d5666"; ![screenshot: check certs](README.d/03-check-certs.avif) 
@@ -287,7 +287,6 @@ Available scripts * [Comment DHCP leases with info from access list](doc/dhcp-lease-comment.md) (`dhcp-lease-comment`) * [Create DNS records for DHCP leases](doc/dhcp-to-dns.md) (`dhcp-to-dns`) * [Run other scripts on IPv4 DHCP server lease](doc/dhcpv4-server-lease.md) (`dhcpv4-server-lease`) -* [Run other scripts on IPv6 DHCP client lease](doc/dhcpv6-client-lease.md) (`dhcpv6-client-lease`) * [Automatically upgrade firmware and reboot](doc/firmware-upgrade-reboot.md) (`firmware-upgrade-reboot`) * [Download, import and update firewall address-lists](doc/fw-addr-lists.md) (`fw-addr-lists`) * [Wait for global functions und modules](doc/global-wait.md) (`global-wait`) diff --git a/backup-email.rsc b/backup-email.rsc index 70b18c06..fcafff45 100644 --- a/backup-email.rsc +++ b/backup-email.rsc @@ -16,7 +16,6 @@ do={ :error ("Global config and/or functions not ready."); }; } delay=500ms max=50; :local ScriptName [ :jobname ]; - :global BackupFileNameDate; :global BackupPassword; :global BackupRandomDelay; :global BackupSendBinary; @@ -74,9 +73,7 @@ # filename based on identity :local DirName ("tmpfs/" . $ScriptName); - :local Clock [ /system/clock/get ]; - :local FileName [ $CleanName ($Identity . "." . $Domain . [ $IfThenElse \ - ($BackupFileNameDate = true) ("-" . $Clock->"date" . "-" . $Clock->"time") "" ] ) ]; + :local FileName [ $CleanName ($Identity . "." . $Domain) ]; :local FilePath ($DirName . "/" . $FileName); :local BackupFile "none"; :local ExportFile "none"; diff --git a/backup-upload.rsc b/backup-upload.rsc index b89d123d..bded570c 100644 --- a/backup-upload.rsc +++ b/backup-upload.rsc @@ -17,7 +17,6 @@ do={ :error ("Global config and/or functions not ready."); }; } delay=500ms max=50; :local ScriptName [ :jobname ]; - :global BackupFileNameDate; :global BackupPassword; :global BackupRandomDelay; :global BackupSendBinary; 
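Review bot: With the date suffix gone, `FileName` in backup-email.rsc (and the identical line in the backup-upload.rsc hunk that follows) is always just `$Identity . "." . $Domain`, so every run produces the same file names. For the upload case this presumably means each run overwrites the previous copy on the target. That leaves no older generation to fall back on if a backup is broken or was taken after an unwanted configuration change. If that is accepted, say so next to the line, e.g. `# fixed name: each run replaces the previous backup, keep history on the receiving end`. The surrounding block continues outside the hunk, so how `FilePath` is used later is not visible here.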
@@ -73,9 +72,7 @@ # filename based on identity :local DirName ("tmpfs/" . $ScriptName); - :local Clock [ /system/clock/get ]; - :local FileName [ $CleanName ($Identity . "." . $Domain . [ $IfThenElse \ - ($BackupFileNameDate = true) ("-" . $Clock->"date" . "-" . $Clock->"time") "" ] ) ]; + :local FileName [ $CleanName ($Identity . "." . $Domain) ]; :local FilePath ($DirName . "/" . $FileName); :local BackupFile "none"; :local ExportFile "none"; diff --git a/certs/Makefile b/certs/Makefile index 8b516e4d..c9a33798 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -12,12 +12,12 @@ DOMAINS_DUAL = \ cloudflare-dns.com/SSL-com-Root-Certification-Authority-ECC \ dns.google/GTS-Root-RX \ dns.quad9.net/DigiCert-Global-Root-G3 \ - git.eworm.de/ISRG-Root-X2 \ + git.eworm.de/Root-YE \ gitlab.com/USERTrust-RSA-Certification-Authority \ lists.blocklist.de/GTS-Root-R4 \ matrix.org/GTS-Root-R4 \ raw.githubusercontent.com/ISRG-Root-X1 \ - rsc.eworm.de/ISRG-Root-X2 \ + rsc.eworm.de/Root-YE \ upgrade.mikrotik.com/ISRG-Root-X1 DOMAINS_IPV4 = \ 1.1.1.1/SSL-com-Root-Certification-Authority-ECC \ diff --git a/contrib/telegram.md b/contrib/telegram.md index 192fd6cb..f84d6dc3 100644 --- a/contrib/telegram.md +++ b/contrib/telegram.md @@ -95,10 +95,6 @@ Notes /save dhcpv4-server-lease Run other scripts on IPv4 DHCP server lease with [dhcpv4-server-lease](https://rsc.eworm.de/doc/dhcpv4-server-lease.md). -#### dhcpv6-client-lease - - /save dhcpv6-client-lease Run other scripts on IPv6 DHCP client lease with [dhcpv6-client-lease](https://rsc.eworm.de/doc/dhcpv6-client-lease.md). - #### firmware-upgrade-reboot /save firmware-upgrade-reboot Automatically upgrade firmware and reboot with [firmware-upgrade-reboot](https://rsc.eworm.de/doc/firmware-upgrade-reboot.md). diff --git a/dhcpv6-client-lease.rsc b/dhcpv6-client-lease.rsc deleted file mode 100644 index d3c1b9aa..00000000 --- a/dhcpv6-client-lease.rsc +++ /dev/null 
@@ -1,63 +0,0 @@ -#!rsc by RouterOS -# RouterOS script: dhcpv6-client-lease -# Copyright (c) 2026 Christian Hesse -# https://rsc.eworm.de/COPYING.md -# -# requires RouterOS, version=7.19 -# -# run scripts on IPv6 DHCP client lease -# https://rsc.eworm.de/doc/dhcpv6-client-lease.md - -:local ExitOK false; -:onerror Err { - :global GlobalConfigReady; :global GlobalFunctionsReady; - :retry { :if ($GlobalConfigReady != true || $GlobalFunctionsReady != true) \ - do={ :error ("Global config and/or functions not ready."); }; } delay=500ms max=50; - :local ScriptName [ :jobname ]; - - :global Grep; - :global LogPrint; - :global ParseKeyValueStore; - :global ScriptLock; - - :if ([ $ScriptLock $ScriptName 10 ] = false) do={ - :set ExitOK true; - :error false; - } - - :if (([ :typeof $"na-address" ] = "nothing" || [ :typeof $"na-valid" ] = "nothing") && \ - ([ :typeof $"pd-prefix" ] = "nothing" || [ :typeof $"pd-valid" ] = "nothing")) do={ - $LogPrint error $ScriptName ("This script is supposed to run from ipv6 dhcp-client."); - :set ExitOK true; - :error false; - } - - :global DHCPv6ClientLeaseVars { - "na-address"=$"na-address"; - "na-valid"=$"na-valid"; - "pd-prefix"=$"pd-prefix"; - "pd-valid"=$"pd-valid"; - "options"=$"options" }; - - :local RunOrder ({}); - :foreach Script in=[ /system/script/find where source~("\n# provides: dhcpv6-client-lease\\b") ] do={ - :local ScriptVal [ /system/script/get $Script ]; - :local Store [ $ParseKeyValueStore [ $Grep ($ScriptVal->"source") ("\23 provides: dhcpv6-client-lease, ") ] ]; - - :set ($RunOrder->($Store->"order" . "-" . $ScriptVal->"name")) ($ScriptVal->"name"); - } - - :foreach Order,Script in=$RunOrder do={ - :onerror Err { - $LogPrint debug $ScriptName ("Running script with order " . $Order . ": " . $Script); - /system/script/run $Script; - } do={ - $LogPrint warning $ScriptName ("Running script '" . $Script . "' failed: " . 
$Err); - } - } - - :set DHCPv6ClientLeaseVars; -} do={ - :global DHCPv6ClientLeaseVars; :set DHCPv6ClientLeaseVars; - :global ExitError; $ExitError $ExitOK [ :jobname ] $Err; -} diff --git a/doc/backup-email.md b/doc/backup-email.md index e55a0d7b..cf334697 100644 --- a/doc/backup-email.md +++ b/doc/backup-email.md @@ -34,7 +34,6 @@ Configuration The configuration goes to `global-config-overlay`, these are the parameters: -* `BackupFileNameDate`: whether to add date & time in filenames * `BackupSendBinary`: whether to send binary backup * `BackupSendExport`: whether to send configuration export * `BackupSendGlobalConfig`: whether to send `global-config-overlay` diff --git a/doc/backup-upload.md b/doc/backup-upload.md index bbf5227b..221cb721 100644 --- a/doc/backup-upload.md +++ b/doc/backup-upload.md @@ -40,7 +40,6 @@ Configuration The configuration goes to `global-config-overlay`, these are the parameters: -* `BackupFileNameDate`: whether to add date & time in filenames * `BackupSendBinary`: whether to send binary backup * `BackupSendExport`: whether to send configuration export * `BackupSendGlobalConfig`: whether to send `global-config-overlay` diff --git a/doc/dhcpv6-client-lease.md b/doc/dhcpv6-client-lease.md deleted file mode 100644 index c126f2d4..00000000 --- a/doc/dhcpv6-client-lease.md +++ /dev/null 
@@ -1,65 +0,0 @@ -Run other scripts on IPv6 DHCP client lease -=========================================== - -[![GitHub stars](https://img.shields.io/github/stars/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=red)](https://github.com/eworm-de/routeros-scripts/stargazers) -[![GitHub forks](https://img.shields.io/github/forks/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=green)](https://github.com/eworm-de/routeros-scripts/network) -[![GitHub watchers](https://img.shields.io/github/watchers/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=blue)](https://github.com/eworm-de/routeros-scripts/watchers) -[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.19-yellow?style=flat)](https://mikrotik.com/download/changelogs/) -[![Telegram group @routeros_scripts](https://img.shields.io/badge/Telegram-%40routeros__scripts-%2326A5E4?logo=telegram&style=flat)](https://t.me/routeros_scripts) -[![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=flat)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J) - -[⬅️ Go back to main README](../README.md) - -> ℹ️ **Info**: This script can not be used on its own but requires the base -> installation. See [main README](../README.md) for details. - -Description ------------ - -This script is supposed to run from IPv6 DHCP client as lease script. On a -DHCP leasse it runs each script containing the following line, where `##` is -a decimal number for ordering: - - # provides: dhcpv6-client-lease, order=## - -The lease script is started with some variables injected, but these are not -available in child scripts. However this script makes these variables -available with a global variable. 
This code is required in child script: - - :global EitherOr; - - :global DHCPv6ClientLeaseVars; - - :local NaAddress [ $EitherOr $"na-address" ($DHCPv6ClientLeaseVars->"na-address") ]; - :local NaValid [ $EitherOr $"na-valid" ($DHCPv6ClientLeaseVars->"na-valid") ]; - :local PdPrefix [ $EitherOr $"pd-prefix" ($DHCPv6ClientLeaseVars->"pd-prefix") ]; - :local PdValid [ $EitherOr $"pd-valid" ($DHCPv6ClientLeaseVars->"pd-valid") ]; - :local Options [ $EitherOr $"options" ($DHCPv6ClientLeaseVars->"options") ]; - -The values are available under different name then, use `$PdPrefix` instead -of `$"pd-prefix"`, and so on. The resulting script supports both, being a -lease script itself or being run as child. - -Currently it runs if available, in order: - -* [ipv6-update](ipv6-update.md) - -Requirements and installation ------------------------------ - -Just install the script: - - $ScriptInstallUpdate dhcpv6-client-lease; - -... and add it as `lease-script` to your dhcp client: - - /ipv6/dhcp-client/set lease-script="dhcpv6-client-lease" [ find ]; - -See also --------- - -* [Update configuration on IPv6 prefix change](ipv6-update.md) - ---- -[⬅️ Go back to main README](../README.md) -[⬆️ Go back to top](#top) diff --git a/doc/ipv6-update.md b/doc/ipv6-update.md index fb42e931..a9561063 100644 --- a/doc/ipv6-update.md +++ b/doc/ipv6-update.md @@ -77,7 +77,6 @@ start with "`ipv6-pool-`" and actual pool name, followed by a comma, See also -------- -* [Run other scripts on IPv6 DHCP client lease](dhcpv6-client-lease.md) * [Run scripts on ppp connection](ppp-on-up.md) --- diff --git a/doc/mod/notification-email.md b/doc/mod/notification-email.md index cae7c94b..c45e917c 100644 --- a/doc/mod/notification-email.md +++ b/doc/mod/notification-email.md 
@@ -37,9 +37,7 @@ Also make sure the device has correct time configured, best is to set up the ntp client. Then edit `global-config-overlay`, add `EmailGeneralTo` with a valid -recipient address. Optionally add `EmailServerCertificate` and add the CA -certificate name if you have certificate verification enabled. Finally -reload the configuration. +recipient address. Finally reload the configuration. > ℹ️ **Info**: Copy relevant configuration from > [`global-config`](../../global-config.rsc) (the one without `-overlay`) to diff --git a/doc/mod/ssh-keys-import.md b/doc/mod/ssh-keys-import.md index c6530ec2..c2d3c951 100644 --- a/doc/mod/ssh-keys-import.md +++ b/doc/mod/ssh-keys-import.md @@ -4,7 +4,7 @@ Import ssh keys for public key authentication [![GitHub stars](https://img.shields.io/github/stars/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=red)](https://github.com/eworm-de/routeros-scripts/stargazers) [![GitHub forks](https://img.shields.io/github/forks/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=green)](https://github.com/eworm-de/routeros-scripts/network) [![GitHub watchers](https://img.shields.io/github/watchers/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=blue)](https://github.com/eworm-de/routeros-scripts/watchers) -[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.21-yellow?style=flat)](https://mikrotik.com/download/changelogs/) +[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.19-yellow?style=flat)](https://mikrotik.com/download/changelogs/) [![Telegram group @routeros_scripts](https://img.shields.io/badge/Telegram-%40routeros__scripts-%2326A5E4?logo=telegram&style=flat)](https://t.me/routeros_scripts) [![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=flat)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J) 
@@ -38,8 +38,9 @@ import that key: $SSHKeysImport "ssh-rsa AAAAB3Nza...QYZk8= user" admin; The third part of the key (`user` in this example) is inherited as -`info` in RouterOS. Also the `MD5` fingerprint is recorded, this helps -to audit and verify the available keys. +`info` in RouterOS (or `key-owner` with RouterOS 7.20.x and before). Also +the `MD5` fingerprint is recorded, this helps to audit and verify the +available keys. > ℹ️️ **Info**: Use `ssh-keygen` to show a fingerprint of an existing public > key file: `ssh-keygen -l -E md5 -f ~/.ssh/id_ed25519.pub` diff --git a/doc/ppp-on-up.md b/doc/ppp-on-up.md index add5308f..e92601a2 100644 --- a/doc/ppp-on-up.md +++ b/doc/ppp-on-up.md @@ -36,7 +36,6 @@ Just install the script: See also -------- -* [Run other scripts on IPv6 DHCP client lease](dhcpv6-client-lease.md) * [Update configuration on IPv6 prefix change](ipv6-update.md) * [Update tunnelbroker configuration](update-tunnelbroker.md) diff --git a/global-config.rsc b/global-config.rsc index 0bb572b5..1425764c 100644 --- a/global-config.rsc +++ b/global-config.rsc @@ -31,8 +31,6 @@ :global EmailGeneralCc ""; #:global EmailGeneralTo "mail@example.com"; #:global EmailGeneralCc "another@example.com,third@example.com"; -# Add the CA certificate name here for verification. -:global EmailServerCertificate ""; # You can send Telegram notifications. Register a bot # and add the token and chat ids here, then install the module: @@ -90,9 +88,7 @@ # Toggle this to disable color output in terminal/cli. :global TerminalColorOutput true; -# This defines whether to add date & time in filenames, what backups to generate, -# the password to use, and what random delay (between 0 and given seconds) to apply. -:global BackupFileNameDate false; +# This defines what backups to generate and what password to use. :global BackupSendBinary false; :global BackupSendExport true; :global BackupSendGlobalConfig true; 
diff --git a/global-functions.rsc b/global-functions.rsc index 30b0ccbc..e45d4363 100644 --- a/global-functions.rsc +++ b/global-functions.rsc @@ -15,7 +15,7 @@ # Git commit id & info, expected configuration version :global CommitId "unknown"; :global CommitInfo "unknown"; -:global ExpectedConfigVersion 143; +:global ExpectedConfigVersion 140; # global variables not to be changed by user :global GlobalFunctionsReady false; @@ -111,13 +111,11 @@ :local UseFor [ :tostr $2 ]; :global CertificateDownload; + :global EitherOr; :global LogPrint; :global ParseKeyValueStore; - :if ([ :len $UseFor ] = 0) do={ - $LogPrint warning $0 ("The intended use is undefined!"); - :set UseFor "undefined"; - } + :set UseFor [ $EitherOr $UseFor "undefined" ]; :if ([ /system/resource/get free-hdd-space ] < 8388608 && \ [ /certificate/settings/get crl-download ] = true && \ @@ -191,12 +189,7 @@ $LogPrint warning $0 ("Failed downloading certificate with CommonName '" . $CommonName . \ "' from repository! Trying fallback to mkcert.org..."); :do { - :local CertSettings [ /certificate/settings/get ]; - :if ([ :len [ /certificate/find where common-name="ISRG Root X1" ] ] = 0 && \ - !((($CertSettings->"builtin-trust-anchors") = "trusted" || \ - ($CertSettings->"builtin-trust-store") ~ "fetch" || \ - ($CertSettings->"builtin-trust-store") = "all") && \ - [ :len [ /certificate/builtin/find where common-name="ISRG Root X1" ] ] > 0)) do={ + :if ([ :len [ /certificate/find where common-name="ISRG Root X1" ] ] = 0) do={ $LogPrint error $0 ("Required certificate is not available."); :return false; } @@ -310,7 +303,7 @@ :for I from=0 to=([ :len $Input ] - 1) do={ :local Char [ :pick $Input $I ]; - :if ([ :typeof [ :find "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" $Char ] ] = "nil") do={ + :if ([ :typeof [ find "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" $Char ] ] = "nil") do={ :do { :if ([ :len $Return ] = 0) do={ :error true; 
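Review bot: The mkcert.org fallback in the `@@ -191` hunk now proceeds only when "ISRG Root X1" is present in `/certificate`. A device that trusts that root solely through the builtin trust store ends in `Required certificate is not available.` and returns false. That is the stricter direction, but INITIAL-COMMANDS.md in this same diff still consults `builtin-trust-anchors` from `/certificate/settings`, so the two places treat builtin anchors differently. Either restore the builtin check or state the intent above the `:if`, e.g. `# builtin trust anchors are intentionally not considered for the fallback`. The enclosing function starts and ends outside the hunk.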
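Review bot: In the character loop of the `@@ -310` hunk the new side spells the string search as bare `find` instead of the global command `:find`. Elsewhere in this diff bare `find` is the menu query (`[ find where prefix=$PdPrefix ]`), so the unprefixed form depends on the menu context the function is evaluated in. The result decides which characters are treated as safe, so a lookup that resolves differently would silently change how the input is rewritten. I would keep `:if ([ :typeof [ :find "ABC…789" $Char ] ] = "nil") do={`. The function itself begins and ends outside the hunk.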
@@ -812,15 +805,10 @@ # check if DNS is resolving :set IsDNSResolving do={ :do { - :local I 1; - :retry { - :set I ($I ^ 1); - :resolve ("low-ttl.eworm." . ({ "de"; "net" }->$I)); - } delay=50ms max=6; + :resolve "low-ttl.eworm.de"; } on-error={ :return false; } - :return true; } @@ -1205,12 +1193,10 @@ } :onerror Err { - /file/remove [ find where name=$DirName ]; + /file/remove $DirName; } do={ - :if (!($Err ~ "no such item")) do={ - $LogPrint error $0 ("Removing directory '" . $DirName . "' failed: " . $Err); - :return false; - } + $LogPrint error $0 ("Removing directory '" . $DirName . "' failed: " . $Err); + :return false; } :return true; } @@ -1236,12 +1222,10 @@ } :onerror Err { - /file/remove [ find where name=$FileName ]; + /file/remove $FileName; } do={ - :if (!($Err ~ "no such item")) do={ - $LogPrint error $0 ("Removing file '" . $FileName . "' failed: " . $Err); - :return false; - } + $LogPrint error $0 ("Removing file '" . $FileName . "' failed: " . $Err); + :return false; } :return true; } @@ -1301,8 +1285,7 @@ :global SymbolForNotification; :global ValidateSyntax; - :if ([ $CertificateAvailable "ISRG Root X2" "fetch" ] = false || \ - [ $CertificateAvailable "Root YE" "fetch" ] = false) do={ + :if ([ $CertificateAvailable "Root YE" "fetch" ] = false) do={ $LogPrint warning $0 ("Downloading certificate failed, trying without."); } diff --git a/ipv6-update.rsc b/ipv6-update.rsc index f93e2786..c87410cc 100644 --- a/ipv6-update.rsc +++ b/ipv6-update.rsc @@ -4,7 +4,6 @@ # https://rsc.eworm.de/COPYING.md # # requires RouterOS, version=7.19 -# provides: dhcpv6-client-lease, order=40 # # update firewall and dns settings on IPv6 prefix change # https://rsc.eworm.de/doc/ipv6-update.md 
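Review bot: `IsDNSResolving` now depends on a single lookup of `low-ttl.eworm.de` with no retry, so one dropped query or an outage of that zone reports DNS as not resolving. The DoH probe in the netwatch-dns.rsc hunk has the same shape, with the fixed name `doh-check.eworm.de` and at most three attempts. There, a problem with that one zone would presumably mark every configured DoH server as failing, depending on handling that is outside the hunk. If the single-name dependency is intended, document it at both places, e.g. `# probe name is fixed; an outage of that zone makes this check fail`. Otherwise keep a short `:retry` around the `:resolve`.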
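Review bot: `/file/remove $DirName` in the `@@ -1205` hunk now turns every error into an error log plus `:return false`, including the case where the entry has already disappeared by the time the remove runs. Whatever existence check precedes it is outside the hunk, so a concurrent cleanup of the same path would presumably be reported as a failure even though the desired end state is reached. The `/file/remove $FileName` hunk at `@@ -1236` has the same behaviour. If this is intended, a comment such as `# any error, including an already-missing entry, counts as failure` above each `:onerror` would document it.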
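Review bot: When `$CertificateAvailable "Root YE" "fetch"` fails in the `@@ -1301` hunk, the branch only logs `Downloading certificate failed, trying without.` and execution continues. The function declares `ValidateSyntax`, so it appears to be the routine that downloads and installs script source. The fetch that follows is outside the hunk, so it should be confirmed that it still runs with certificate checking enabled and fails when the chain cannot be validated, rather than accepting unverified content. If that holds, a comment on the branch would settle what "trying without" means, e.g. `# continue; the fetch below still verifies the server certificate`.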
@@ -16,19 +15,16 @@ do={ :error ("Global config and/or functions not ready."); }; } delay=500ms max=50; :local ScriptName [ :jobname ]; - :global EitherOr; :global LogPrint; :global ParseKeyValueStore; :global ScriptLock; - :global DHCPv6ClientLeaseVars; + :local NaAddress $"na-address"; + :local NaValid $"na-valid"; + :local PdPrefix $"pd-prefix"; + :local PdValid $"pd-valid"; - :local NaAddress [ $EitherOr $"na-address" ($DHCPv6ClientLeaseVars->"na-address") ]; - :local NaValid [ $EitherOr $"na-valid" ($DHCPv6ClientLeaseVars->"na-valid") ]; - :local PdPrefix [ $EitherOr $"pd-prefix" ($DHCPv6ClientLeaseVars->"pd-prefix") ]; - :local PdValid [ $EitherOr $"pd-valid" ($DHCPv6ClientLeaseVars->"pd-valid") ]; - - :if ([ $ScriptLock $ScriptName 10 ] = false) do={ + :if ([ $ScriptLock $ScriptName ] = false) do={ :set ExitOK true; :error false; } @@ -54,7 +50,7 @@ :local Pool [ /ipv6/pool/get [ find where prefix=$PdPrefix ] name ]; :if ([ :len [ /ipv6/firewall/address-list/find where comment=("ipv6-pool-" . $Pool) ] ] = 0) do={ /ipv6/firewall/address-list/add list=("ipv6-pool-" . $Pool) address=:: comment=("ipv6-pool-" . $Pool) dynamic=yes; - $LogPrint info $ScriptName ("Added dynamic ipv6 address list entry for ipv6-pool-" . $Pool); + $LogPrint warning $ScriptName ("Added dynamic ipv6 address list entry for ipv6-pool-" . $Pool); } :local AddrList [ /ipv6/firewall/address-list/find where comment=("ipv6-pool-" . $Pool) ]; :local OldPrefix [ /ipv6/firewall/address-list/get ($AddrList->0) address ]; diff --git a/mod/notification-email.rsc b/mod/notification-email.rsc index b6288821..b0ac77ac 100644 --- a/mod/notification-email.rsc +++ b/mod/notification-email.rsc @@ -37,9 +37,7 @@ # flush e-mail queue :set FlushEmailQueue do={ :onerror Err { :global EmailQueue; - :global EmailServerCertificate; - :global CertificateAvailable; :global EitherOr; :global EMailGenerateFrom; :global FileExists; 
@@ -92,14 +90,6 @@ :return false; } - :if (([ /tool/e-mail/get ]->"certificate-verification") ~ "^yes" && \ - [ :len $EmailServerCertificate ] > 0) do={ - :if ([ $CertificateAvailable $EmailServerCertificate "email" ] = false) do={ - $LogPrint warning $0 ("Downloading required certificate failed."); - :return false; - } - } - /system/scheduler/set interval=($QueueLen . "m") comment="Sending..." \ [ find where name="_FlushEmailQueue" ]; diff --git a/mod/ssh-keys-import.rsc b/mod/ssh-keys-import.rsc index ea8bf130..d1cc4fa3 100644 --- a/mod/ssh-keys-import.rsc +++ b/mod/ssh-keys-import.rsc @@ -3,7 +3,7 @@ # Copyright (c) 2020-2026 Christian Hesse # https://rsc.eworm.de/COPYING.md # -# requires RouterOS, version=7.21 +# requires RouterOS, version=7.19 # # import ssh keys for public key authentication # https://rsc.eworm.de/doc/mod/ssh-keys-import.md @@ -40,8 +40,9 @@ :local FingerPrintMD5 [ :convert from=base64 transform=md5 to=hex ($KeyVal->1) ]; + :local RegEx ("\\bmd5=" . $FingerPrintMD5 . "\\b"); :if ([ :len [ /user/ssh-keys/find where user=$User \ - info~("\\bmd5=" . $FingerPrintMD5 . "\\b") ] ] > 0) do={ + (key-owner~$RegEx or info~$RegEx) ] ] > 0) do={ $LogPrint warning $0 ("The ssh public key (MD5:" . $FingerPrintMD5 . \ ") is already available for user '" . $User . "'."); :return false; diff --git a/netwatch-dns.rsc b/netwatch-dns.rsc index 7c6a7b5b..9531d4ad 100644 --- a/netwatch-dns.rsc +++ b/netwatch-dns.rsc 
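Review bot: The duplicate check in mod/ssh-keys-import.rsc now filters on both `key-owner` and `info`, yet per the accompanying doc change only one of the two names exists on a given RouterOS release (`key-owner` up to 7.20.x, `info` afterwards). Whether `find where` tolerates a property the running version does not know is not visible here. If it raises, the function would stop before the key is compared or imported, so this needs a run on both sides of the rename. Separately, the match relies on an MD5 fingerprint, which is adequate for spotting accidental duplicates but should not be read as a strong key identity during audits. A comment such as `# MD5 is used for duplicate detection only` next to `FingerPrintMD5` would make that explicit. The function body continues outside the hunk.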
@@ -115,15 +115,13 @@ :local Data false; :onerror Err { - :local I 1; :retry { - :set I ($I ^ 1); :set Data ([ /tool/fetch check-certificate=yes-without-crl output=user \ http-header-field=({ "accept: application/dns-message" }) \ url=(($DohServer->"doh-url") . "?dns=" . [ :convert to=base64 ([ :rndstr length=2 ] . \ - "\01\00" . "\00\01" . "\00\00" . "\00\00" . "\00\00" . "\09doh-check\05eworm" . \ - ({ "\02de"; "\03net" }->$I) . "\00" . "\00\10" . "\00\01") ]) as-value ]->"data"); - } delay=500ms max=6; + "\01\00" . "\00\01" . "\00\00" . "\00\00" . "\00\00" . "\09doh-check\05eworm\02de\00" . \ + "\00\10" . "\00\01") ]) as-value ]->"data"); + } delay=1s max=3; } do={ $LogPrint warning $ScriptName ("Request to DoH server " . ($DohServer->"doh-url") . \ " failed: " . $Err); diff --git a/news-and-changes.rsc b/news-and-changes.rsc index ed60a6c2..48558deb 100644 --- a/news-and-changes.rsc +++ b/news-and-changes.rsc @@ -65,9 +65,6 @@ 138="RouterOS 7.19 is suffering an issue with certificate store. Fixing trust state for all certificates..."; 139="Certificate Authorities will reduce the leaf certificate validity times soon. Thus the defaults for renewal and warning in 'check-certificates' were decreased."; 140="The scripts 'lease-script' was renamed to 'dhcpv4-server-lease', configuration was updated automatically."; - 141="Introduced script 'dhcpv6-client-lease' to run several scripts on IPv6 DHCP client lease."; - 142="Added a setting for 'mod/notification-email' to check availability of certificate chain."; - 143="Made backup scripts 'backup-email' and 'backup-upload' support date & time in filenames."; }; # Migration steps to be applied on script updates