I'm not sure if this would be useful. What do you think about the possibility to run a script from a firewall event?

Lol, nice screen.

While this option doesn't explicitly exist, you can do it a couple ways that I can think of.

The thing to keep in mind is that often a filter rule doesn't just match one packet but who knows how many, and you need a way to make sure your script is only being run once and not many times within a few seconds.

1. Create a filter rule that logs a matching packet with a unique prefix. Have a scheduled script check for new log entries every X seconds that contain this prefix. Store the date/time stamp in the comment of the schedule as a way to check that this is a new log entry. If a new log entry is found, the script is run. The interval that you set on the schedule would determine how often the script could possibly be run.

2. Basically the same as above except the filter rule would create an address list entry with a timeout of X seconds. The scheduled script would check for this address list entry and run the script.

These are more like workarounds, but depending on what you're trying to do they could probably be tweaked.

first problem about this issue is that you make your router prone to DoS/DDoS attacks as a small amount of traffic with high enough packet rate could hog all the resources of the router.

more useful (but still dangerous) is to do remote logging and make some external box do the computation and adjust configuration of the router automatically depending on the information received by remote logging.

Thanks for your opinion on this, it was just a thought. At a single occasion, I needed the ability to immediately trigger a script.

at first glance this does like neat idea, similar to firewall filter rule where instead of IP address one could enter FQDN, and it would be resolved on request. But when looking deeper - it is huge resource hog even through DNS request is cheaper than running script on event.

+1
Dear MikroTik Support!
Please add the script run option to the firewall (Filter, NAT, Mangle, Raw,) actions!

I would not find it useful right now, but this would open up so much possibilities. +1 from me.

make your router prone to DoS/DDoS attacks

Not true if Mikrotik adds frequency option. E.g. "Do not run script if it already has run in the past X seconds".

Instead of being forced to use static ip address lists only, it would be "most excellent" if there was a built-in DNSBL control as a firewall action "drop DNS blacklist lookup" that could be used for example during new connections (ie connection state new)

It's completely different request. And there's a difference between some server using DNSBL to filter new connections (e.g. mailserver) and doing it with packets on router. The former has it easy, plenty of time, no rush. If it takes a second, no big deal, even more won't break things. Router needs much quicker decision what to do with packet.

Well yes, it should probably have had its own thread. Anyhow, I beg to differ regarding the latency as a local dnsbl call would only lag a few ms which is a very small (even tiny) cost compared to the functional value it would add.

I can already see all those people who would add ten slow external lists, apply the action to every single packet and then complain how it doesn't work. :) But of course that's not necessarily the argument against it, current RouterOS already has enough ways how to break something.

Maybe it's doable. Netfilter has some user-space queuing where other process can decide what to do with packet, and someone already tried to use that for DNSBL: https://github.com/zevenet/packetbl