Merge 361933b2c0 into 4869d74edf

... and drop the racy code querying dns cache. 😁

doc/fw-addr-lists.md

@@ -56,8 +56,12 @@ available in my repository and downloaded automatically. Import it manually
 (menu `/certificate/`) if missing.
 
 Create firewall rules to process the packets that are related to addresses
-from address-lists. This rejects the packets from and to ip addresses listed
-in address-list `block`.
+from address-lists.
+
+### IPv4 rules
+
+This rejects the packets from and to IPv4 addresses listed in
+address-list `block`.
 
     /ip/firewall/filter/add chain=input src-address-list=block action=reject reject-with=icmp-admin-prohibited;
     /ip/firewall/filter/add chain=forward src-address-list=block action=reject reject-with=icmp-admin-prohibited;
@@ -85,6 +89,33 @@ Alternatively handle the packets in firewall's raw section if you prefer:
 > ⚠️ **Warning**: Just again... The order of firewall rules is important. Make
 > sure they actually take effect as expected!
 
+### IPv6 rules
+
+These are the same rules, but for IPv6. 
+
+Reject packets in address-list `block`:
+
+    /ipv6/firewall/filter/add chain=input src-address-list=block action=reject reject-with=icmp-admin-prohibited;
+    /ipv6/firewall/filter/add chain=forward src-address-list=block action=reject reject-with=icmp-admin-prohibited;
+    /ipv6/firewall/filter/add chain=forward dst-address-list=block action=reject reject-with=icmp-admin-prohibited;
+    /ipv6/firewall/filter/add chain=output dst-address-list=block action=reject reject-with=icmp-admin-prohibited;
+
+Allow packets in address-list `allow`:
+
+    /ipv6/firewall/filter/add chain=input src-address-list=allow action=accept;
+    /ipv6/firewall/filter/add chain=forward src-address-list=allow action=accept;
+    /ipv6/firewall/filter/add chain=forward dst-address-list=allow action=accept;
+    /ipv6/firewall/filter/add chain=output dst-address-list=allow action=accept;
+
+Drop packets in firewall's raw section:
+
+    /ipv6/firewall/raw/add chain=prerouting src-address-list=block action=drop;
+    /ipv6/firewall/raw/add chain=prerouting dst-address-list=block action=drop;
+    /ipv6/firewall/raw/add chain=output dst-address-list=block action=drop;
+
+> ⚠️ **Warning**: Just again... The order of firewall rules is important. Make
+> sure they actually take effect as expected!
+
 ---
 [⬅️ Go back to main README](../README.md)  
 [⬆️ Go back to top](#top)

doc/netwatch-notify.md

@@ -83,9 +83,9 @@ with a resolvable name:
 
     /tool/netwatch/add comment="notify, name=example.com, resolve=example.com";
 
-But be warned: Dynamic updates will probably cause issues if the name has
-more than one record in dns - a high rate of configuration changes (and flash
-writes) at least.
+This supports multiple A or AAAA records for a name just fine, even a CNAME
+to those. An update happens only if no more record with the configured host
+address is found.
 
 ### No notification on host down
 

fw-addr-lists.rsc

@@ -24,7 +24,7 @@
 :global WaitFullyConnected;
 
 :local FindDelim do={
-  :local ValidChars "0123456789./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-";
+  :local ValidChars "0123456789.:/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-";
   :for I from=0 to=[ :len $1 ] do={
     :if ([ :typeof [ :find $ValidChars [ :pick ($1 . " ") $I ] ] ] != "num") do={
       :return $I;
@@ -38,10 +38,11 @@ $WaitFullyConnected;
 :local ListComment ("managed by " . $0);
 
 :foreach FwListName,FwList in=$FwAddrLists do={
-  :local Addresses ({});
   :local CntAdd 0;
   :local CntRenew 0;
   :local CntRemove 0;
+  :local IPv4Addresses ({});
+  :local IPv6Addresses ({});
   :local Failure false;
 
   :foreach List in=$FwList do={
@@ -85,7 +86,11 @@ $WaitFullyConnected;
       :local Address ([ :pick $Line 0 [ $FindDelim $Line ] ] . ($List->"cidr"));
       :if ($Address ~ "^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}(/[0-9]{1,2})?\$" || \
            $Address ~ "^[\\.a-zA-Z0-9-]+\\.[a-zA-Z]{2,}\$") do={
-        :set ($Addresses->$Address) $TimeOut;
+        :set ($IPv4Addresses->$Address) $TimeOut;
+      }
+      :if ($Address ~ "^[0-9a-zA-Z]*:[0-9a-zA-Z:\\.]+(/[0-9]{1,3})?\$" || \
+           $Address ~ "^[\\.a-zA-Z0-9-]+\\.[a-zA-Z]{2,}\$") do={
+        :set ($IPv6Addresses->$Address) $TimeOut;
       }
       :set Data [ :pick $Data ([ :len $Line ] + 1) [ :len $Data ] ];
     }
@@ -93,28 +98,55 @@ $WaitFullyConnected;
 
   :foreach Entry in=[ /ip/firewall/address-list/find where list=$FwListName comment=$ListComment ] do={
     :local Address [ /ip/firewall/address-list/get $Entry address ];
-    :if ([ :typeof ($Addresses->$Address) ] = "time") do={
-      $LogPrintExit2 debug $0 ("Renewing for " . ($Addresses->$Address) . ": " . $Address) false;
-      /ip/firewall/address-list/set $Entry timeout=($Addresses->$Address);
-      :set ($Addresses->$Address);
+    :if ([ :typeof ($IPv4Addresses->$Address) ] = "time") do={
+      $LogPrintExit2 debug $0 ("Renewing IPv4 address for " . ($IPv4Addresses->$Address) . ": " . $Address) false;
+      /ip/firewall/address-list/set $Entry timeout=($IPv4Addresses->$Address);
+      :set ($IPv4Addresses->$Address);
       :set CntRenew ($CntRenew + 1);
     } else={
       :if ($Failure = false) do={
-        $LogPrintExit2 debug $0 ("Removing: " . $Address) false;
+        $LogPrintExit2 debug $0 ("Removing IPv4 address: " . $Address) false;
         /ip/firewall/address-list/remove $Entry;
         :set CntRemove ($CntRemove + 1);
       }
     }
   }
 
-  :foreach Address,Ignore in=$Addresses do={
-    $LogPrintExit2 debug $0 ("Adding for " . ($Addresses->$Address) . ": " . $Address) false;
+  :foreach Entry in=[ /ipv6/firewall/address-list/find where list=$FwListName comment=$ListComment ] do={
+    :local Address [ /ipv6/firewall/address-list/get $Entry address ];
+    :if ([ :typeof ($IPv6Addresses->$Address) ] = "time") do={
+      $LogPrintExit2 debug $0 ("Renewing IPv6 address for " . ($IPv6Addresses->$Address) . ": " . $Address) false;
+      /ipv6/firewall/address-list/set $Entry timeout=($IPv6Addresses->$Address);
+      :set ($IPv6Addresses->$Address);
+      :set CntRenew ($CntRenew + 1);
+    } else={
+      :if ($Failure = false) do={
+        $LogPrintExit2 debug $0 ("Removing: " . $Address) false;
+        /ipv6/firewall/address-list/remove $Entry;
+        :set CntRemove ($CntRemove + 1);
+      }
+    }
+  }
+
+  :foreach Address,Timeout in=$IPv4Addresses do={
+    $LogPrintExit2 debug $0 ("Adding IPv4 address for " . $Timeout . ": " . $Address) false;
     :do {
-      /ip/firewall/address-list/add list=$FwListName comment=$ListComment address=$Address timeout=($Addresses->$Address);
-      :set ($Addresses->$Address);
+      /ip/firewall/address-list/add list=$FwListName comment=$ListComment address=$Address timeout=$Timeout;
+      :set ($IPv4Addresses->$Address);
       :set CntAdd ($CntAdd + 1);
     } on-error={
-      $LogPrintExit2 warning $0 ("Failed to add address " . $Address . " to list '" . $FwListName . "'.") false;
+      $LogPrintExit2 warning $0 ("Failed to add IPv4 address " . $Address . " to list '" . $FwListName . "'.") false;
+    }
+  }
+
+  :foreach Address,Timeout in=$IPv6Addresses do={
+    $LogPrintExit2 debug $0 ("Adding IPv6 address for " . $Timeout . ": " . $Address) false;
+    :do {
+      /ipv6/firewall/address-list/add list=$FwListName comment=$ListComment address=$Address timeout=$Timeout;
+      :set ($IPv6Addresses->$Address);
+      :set CntAdd ($CntAdd + 1);
+    } on-error={
+      $LogPrintExit2 warning $0 ("Failed to add IPv6 address " . $Address . " to list '" . $FwListName . "'.") false;
     }
   }
 

global-functions.rsc

@@ -12,7 +12,7 @@
 :local 0 [ :jobname ];
 
 # expected configuration version
-:global ExpectedConfigVersion 118;
+:global ExpectedConfigVersion 119;
 
 # global variables not to be changed by user
 :global GlobalFunctionsReady false;

mod/dns-adblock

@@ -0,0 +1,124 @@
+#!rsc by RouterOS
+
+:global UpdateAdblock;
+:global HelpAdblock;
+:global ShowAdblockHost;
+:global AddAdblockHost;
+:global RemoveAdblockHost;
+
+:global RunAdblockHost do={
+ # store hostlist as script
+ :if ([:len [/system script find where name=adblockhostlist]] = 0) do={
+  /system script add name=adblockhostlist source=":global AdblockHost"
+ }
+ :if ($1 = "update") do={
+  :global NewAdblockHost;
+  /system script set [find where name=adblockhostlist] source=(":global AdblockHost $NewAdblockHost");
+ }
+ /system script run adblockhostlist
+}
+
+:set $HelpAdblock do={
+ :local HelpAdblockList {\
+  "\$UpdateAdblock - Update static DNS entries";\
+  "\$ShowAdblockHost - Show current sources";\
+  "\$AddAdblockHost [URL] - Add new sources, eg: https://adaway.org/hosts.txt";\
+  "\$RemoveAdblockHost [Number] - Remove specified source, eg: 0"\
+ }
+ :foreach x in=$HelpAdblockList do={
+  :put $x
+ }
+}
+
+:set $ShowAdblockHost do={
+ :global AdblockHost;
+ :if ([:len $AdblockHost] = 0) do={
+  :error "No source found"
+ }
+ :foreach x,y in=$AdblockHost do={
+  :put ("$x  $y")
+ }
+}
+
+:set $AddAdblockHost do={
+ :if ([:len $1] < 1) do={
+  :error "No URL specified!"
+ }
+ :global AdblockHost;
+ :global RunAdblockHost;
+ :global NewAdblockHost;
+ :local CurAdblockHost;
+ :if ([:len $AdblockHost] != 0) do={
+  :foreach x in=$AdblockHost do={
+   :set CurAdblockHost ("$CurAdblockHost\"$x\";")
+  }
+  :set NewAdblockHost ("{$CurAdblockHost\"$1\"}")
+ } else={
+  :set NewAdblockHost "{\"$1\"}"
+ }
+ $RunAdblockHost "update"
+ :put ("Added new source: $1")
+}
+
+:set $RemoveAdblockHost do={
+ :if ([:len $1] < 1) do={
+  :error "No number specified!"
+ }
+ :global AdblockHost;
+ :global RunAdblockHost;
+ :global NewAdblockHost;
+ :local CurAdblockHost;
+ :if ([:len $AdblockHost] = 0) do={
+  :error "No source found"
+ }
+ :foreach x,y in=$AdblockHost do={
+  :if ($x != $1) do={
+   :set CurAdblockHost ("$CurAdblockHost\"$y\";")
+  } else={
+   :put ("Removed source: $y")
+  }
+ }
+ :if ([:len $AdblockHost] <= 1) do={
+  :set AdblockHost ""
+  :set NewAdblockHost ""
+ } else={
+  :set NewAdblockHost ("{$CurAdblockHost}")
+ }
+ $RunAdblockHost "update"
+}
+
+:set $UpdateAdblock do={
+ :global AdblockHost;
+ :if ([:len $AdblockHost] = 0) do={
+  :error "Add source first!"
+ }
+ :local AdblockHostList;
+ :foreach x in=$AdblockHost do={
+  :set AdblockHostList ("$AdblockHostList$x,")
+ }
+ :set $AdblockHostList [:pick $AdblockHostList 0 ([:len $AdblockHostList]-1)]
+ # https://github.com/tarampampam/mikrotik-hosts-parser
+ :local parserVer "4.4.0";
+ :local adblockLimit "5000";
+ :local redirectTo "127.0.0.1";
+ :local excludedHost "localhost,localhost.localdomain,broadcasthost,local,ip6-localhost,ip6-loopback,ip6-localnet,ip6-mcastprefix,ip6-allnodes,ip6-allrouters,ip6-allhosts";
+ :local hostScriptUrl ("https://stopad.cgood.ru/script/source\?format=routeros&version=$parserVer&redirect_to=$redirectTo&limit=$adblockLimit&sources_urls=$AdblockHostList&excluded_hosts=$excludedHost");
+ :local scriptName "stop_ad.script";
+ do {
+  /tool fetch check-certificate=no mode=https url=$hostScriptUrl dst-path=$scriptName
+  :delay 3s;
+ } on-error={
+  :error "Fetch source failed"
+ }
+ :if ([:find [/file get $scriptName contents] "Script generation failed"]) do={
+  :error "Invalid/unsupported source"
+ } else={
+  /ip dns static remove [/ip dns static find comment=ADBlock]
+  /import file-name=$scriptName
+  /file remove $scriptName
+  :put "Static DNS entries updated successfully"
+ }
+}
+
+# Initialize adblockhostlist
+$RunAdblockHost

netwatch-notify.rsc

@@ -52,6 +52,24 @@
   :return ("Ran hook:\n" . $Hook);
 }
 
+:local ResolveExpected do={
+  :local Name     [ :tostr $1 ];
+  :local Expected [ :tostr $2 ];
+
+  :global GetRandom20CharAlNum;
+
+  :local FwAddrList ($0 . "-" . [ $GetRandom20CharAlNum ]);
+  /ip/firewall/address-list/add address=$Name list=$FwAddrList dynamic=yes timeout=1s;
+  /ipv6/firewall/address-list/add address=$Name list=$FwAddrList dynamic=yes timeout=1s;
+  :delay 20ms;
+  :if ([ :len [ /ip/firewall/address-list/find where list=$FwAddrList address=$Expected ] ] > 0 || \
+       [ :len [ /ipv6/firewall/address-list/find where list=$FwAddrList address=$Expected ] ] > 0) do={
+    :return true;
+  }
+
+  :return false;
+}
+
 $ScriptLock $0;
 
 :local ScriptFromTerminalCached [ $ScriptFromTerminal $0 ];
@@ -79,14 +97,16 @@ $ScriptLock $0;
       :if ([ $IsDNSResolving ] = true) do={
         :do {
           :local Resolve [ :resolve ($HostInfo->"resolve") ];
-          :if ($Resolve != $HostVal->"host" and \
-               [ :len [ /ip/dns/cache/find where name=($HostInfo->"resolve") data=[ :tostr ($HostVal->"host") ] ] ] = 0) do={
-             $LogPrintExit2 info $0 ("Name '" . $HostInfo->"resolve" . [ $IfThenElse \
-                 ($HostInfo->"resolve" != $HostInfo->"name") ("' for " . $Type . " '" . \
-                 $HostInfo->"name") "" ] . "' resolves to different address " . $Resolve . \
-                 ", updating.") false;
-            /tool/netwatch/set host=$Resolve $Host;
-            :set ($Metric->"resolve-failcnt") 0;
+          :if ($Resolve != $HostVal->"host") do={
+            :if ([ $ResolveExpected ($HostInfo->"resolve") ($HostVal->"host") ] = false) do={
+              $LogPrintExit2 info $0 ("Name '" . $HostInfo->"resolve" . [ $IfThenElse \
+                  ($HostInfo->"resolve" != $HostInfo->"name") ("' for " . $Type . " '" . \
+                  $HostInfo->"name") "" ] . "' resolves to different address " . $Resolve . \
+                  ", updating.") false;
+              /tool/netwatch/set host=$Resolve $Host;
+              :set ($Metric->"resolve-failcnt") 0;
+              :set ($HostVal->"status") "unknown";
+            }
           }
         } on-error={
           :set ($Metric->"resolve-failcnt") ($Metric->"resolve-failcnt" + 1);
@@ -125,7 +145,9 @@ $ScriptLock $0;
       :set ($Metric->"notified") false;
       :set ($Metric->"parent") ($HostInfo->"parent");
       :set ($Metric->"since");
-    } else={
+    }
+
+    :if ($HostVal->"status" = "down") do={
       :set ($Metric->"count-down") ($Metric->"count-down" + 1);
       :set ($Metric->"count-up") 0;
       :set ($Metric->"parent") ($HostInfo->"parent");
@@ -178,6 +200,7 @@ $ScriptLock $0;
         :set ($Metric->"notified") true;
       }
     }
+
     :set ($NetwatchNotify->$Name) {
       "count-down"=($Metric->"count-down");
       "count-up"=($Metric->"count-up");

news-and-changes.rsc

@@ -43,6 +43,7 @@
         [ $IfThenElse ($Resource->"total-hdd-space" < 16000000) ("Your " . $Resource->"board-name" . " is specifically affected! ") \
         [ $IfThenElse ($Resource->"free-hdd-space" > 4000000) ("(Your " . $Resource->"board-name" . " does not suffer this issue.) ") ] ] . \
         "Huge configuration and lots of scripts give an extra risk. Take care!");
+  119="Added support for IPv6 to script 'fw-addr-lists'.";
 };
 
 # Migration steps to be applied on script updates