From 1b8358b1abc7d91cbec9211edaf3f5a222b39973 Mon Sep 17 00:00:00 2001 From: Dirk Brenken Date: Wed, 3 Feb 2016 19:19:29 +0100 Subject: [PATCH] adblock: 0.60.1 - fix possible race condition during startup - fix duplicate logging during startup - fix wget parms to prevent partitial downloads - fix iptables rules to meet openwrt user chains - added a rule in output chain to reject local ad related requests as well - changed default IPv4/IPv6 blackhole ip address to fix routing issues with windows clients Signed-off-by: Dirk Brenken --- net/adblock/Makefile | 2 +- net/adblock/files/README.md | 12 +- net/adblock/files/adblock-helper.sh | 239 ++++++++++++++++------------ net/adblock/files/adblock-update.sh | 48 +++--- net/adblock/files/adblock.conf | 3 + 5 files changed, 180 insertions(+), 124 deletions(-) diff --git a/net/adblock/Makefile b/net/adblock/Makefile index 5199e9ae2..c7ded21e5 100644 --- a/net/adblock/Makefile +++ b/net/adblock/Makefile @@ -7,7 +7,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=adblock -PKG_VERSION:=0.60.0 +PKG_VERSION:=0.60.1 PKG_RELEASE:=1 PKG_LICENSE:=GPL-3.0+ PKG_MAINTAINER:=Dirk Brenken diff --git a/net/adblock/files/README.md b/net/adblock/files/README.md index 2a4ceba14..59f2d0269 100644 --- a/net/adblock/files/README.md +++ b/net/adblock/files/README.md @@ -42,7 +42,7 @@ When the dns server on your router receives dns requests, you will sort out quer * overall duplicate removal in separate adblock lists (will be automatically disabled on low memory systems) * adblock source list parsing by fast & flexible regex rulesets * additional white- and blacklist support for manual overrides -* quality checks during/after update of adblock lists to ensure a reliable dnsmasq service +* quality checks during & after update of adblock lists to ensure a reliable dnsmasq service * wan update check, to wait for an active wan uplink before update * basic adblock statistics via iptables packet counters * status & error logging to stdout and syslog 
@@ -53,9 +53,9 @@ When the dns server on your router receives dns requests, you will sort out quer ## Prerequisites * [openwrt](https://openwrt.org), tested with latest stable release (Chaos Calmer 15.05) and with current trunk (Designated Driver > r47025) -* required software packages: +* usual openwrt setup with 'iptables' & 'uhttpd', additional required software packages: * wget - * optional for IPv6 support: kmod-ipt-nat6 + * optional: 'kmod-ipt-nat6' for IPv6 support * the above dependencies and requirements will be checked during package installation & script runtime, please check console output or *logread -e "adblock"* for errors ## Usage @@ -70,7 +70,7 @@ When the dns server on your router receives dns requests, you will sort out quer * => see [openwrt wiki](https://wiki.openwrt.org/doc/uci/fstab) for further details * add static, personal domain white- or blacklist entries, one domain per line (wildcards & regex are not allowed!), by default both lists are located in */etc/adblock* * enable the backup/restore feature, to restore automatically the latest, stable backup of your adblock lists in case of any processing error -* enable the debug log feature for continuous logfile writing to monitor the adblock runs over a longer period +* enable the logging feature for continuous logfile writing to monitor the adblock runs over a longer period ## Distributed samples * all sample configuration files stored in */etc/adblock/samples* 
@@ -82,8 +82,8 @@ When the dns server on your router receives dns requests, you will sort out quer ## Background This adblock package is a dns/dnsmasq based adblock solution for openwrt. Queries to ad/abuse domains are never forwarded and always replied with a local IP address which may be IPv4 or IPv6. -For that purpose adblock uses an ip address from the old reserved [class 'E'](https://tools.ietf.org/html/rfc1700) subnet (254.0.0.1 / ::ffff:fe00:0001) by default. -Furthermore all ad/abuse queries will be filtered by ip(6)tables and redirected to internal adblock pixel server (in PREROUTING chain) or rejected (in FORWARD chain). +For that purpose adblock uses an ip address from the private 'TEST-NET-1' subnet (192.0.2.1 / ::ffff:c000:0201) by default. +Furthermore all ad/abuse queries will be filtered by ip(6)tables and redirected to internal adblock pixel server (in PREROUTING chain) or rejected (in FORWARD and OUTPUT chain). All iptables and uhttpd related adblock additions are non-destructive, no hard-coded changes in 'firewall.user', 'uhttpd' config or any other openwrt related config files. ## Removal diff --git a/net/adblock/files/adblock-helper.sh b/net/adblock/files/adblock-helper.sh index 1a6382633..5a98f0e01 100644 --- a/net/adblock/files/adblock-helper.sh +++ b/net/adblock/files/adblock-helper.sh @@ -47,19 +47,14 @@ f_envload() # f_envparse() { - # set the C locale, characters are single bytes, the charset is ASCII - # speeds up sort, grep etc. - # - LC_ALL=C - # set initial defaults, # may be overwritten by setting appropriate adblock config options in global section of /etc/config/adblock # adb_wanif="wan" adb_lanif="lan" adb_port="65535" - adb_nullipv4="254.0.0.1" - adb_nullipv6="::ffff:fe00:0001" + adb_nullipv4="192.0.2.1" + adb_nullipv6="::ffff:c000:0201" adb_maxtime="60" adb_maxloop="20" adb_blacklist="/etc/adblock/adblock.blacklist" 
@@ -136,14 +131,21 @@ f_envparse() # set more script defaults (can't be overwritten by adblock config options) # - adb_minspace="20000" - adb_unique="1" + adb_cnt=0 + adb_minspace=20000 + adb_unique=1 adb_tmpfile="$(mktemp -tu 2>/dev/null)" adb_tmpdir="$(mktemp -p /tmp -d 2>/dev/null)" adb_dnsdir="/tmp/dnsmasq.d" adb_dnsprefix="adb_list" - unset adb_srcfind - unset adb_revsrcfind + adb_prechain_ipv4="prerouting_rule" + adb_fwdchain_ipv4="forwarding_rule" + adb_outchain_ipv4="output_rule" + adb_prechain_ipv6="PREROUTING" + adb_fwdchain_ipv6="forwarding_rule" + adb_outchain_ipv6="output_rule" + unset adb_srclist + unset adb_revsrclist # set adblock source ruleset definitions # 
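Review bot: The unchanged line `adb_tmpfile="$(mktemp -tu 2>/dev/null)"` in this hunk only prints a name without creating the file. The path can therefore be claimed by another process between this point and first use, and a failing mktemp goes unnoticed because of `2>/dev/null`. Since the private directory is created on the next line anyway, consider swapping the two lines and creating the file inside it: `adb_tmpdir="$(mktemp -p /tmp -d 2>/dev/null)"` followed by `adb_tmpfile="$(mktemp -p "${adb_tmpdir}" 2>/dev/null)"`. How `adb_tmpfile` is consumed is outside this hunk, so confirm that nothing relies on it being absent or used only as a name prefix.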
@@ -164,21 +166,34 @@ f_envparse() rset_yoyo="${rset_start} | sed 's/,/\n/g' | ${rset_end}" rset_zeus="${rset_start} | ${rset_end}" - # get logical wan update interfaces + # get logical wan update interfaces (with default route) and their device names # - network_find_wan adb_wanif4 2>/dev/null - network_find_wan6 adb_wanif6 2>/dev/null - if [ "${adb_wanif4}" = "${adb_lanif}" ] || [ "${adb_wanif6}" = "${adb_lanif}" ] - then - rc=125 - f_log "LAN only (${adb_lanif}) network, no valid IPv4/IPv6 wan update interface found" "${rc}" - f_exit - elif [ -z "${adb_wanif4}" ] && [ -z "${adb_wanif6}" ] - then - rc=125 - f_log "no valid IPv4/IPv6 wan update interface found" "${rc}" - f_exit - fi + while [ $((adb_cnt)) -le $((adb_maxloop)) ] + do + network_find_wan adb_wanif4 2>/dev/null + network_find_wan6 adb_wanif6 2>/dev/null + if [ -z "${adb_wanif4}" ] && [ -z "${adb_wanif6}" ] + then + network_flush_cache + elif [ "${adb_wanif4}" = "${adb_lanif}" ] || [ "${adb_wanif6}" = "${adb_lanif}" ] + then + rc=125 + f_log "LAN only (${adb_lanif}) network, no valid IPv4/IPv6 wan update interface found" "${rc}" + f_exit + else + network_get_device adb_wandev4 "${adb_wanif4}" 2>/dev/null + network_get_device adb_wandev6 "${adb_wanif6}" 2>/dev/null + break + fi + if [ $((adb_cnt)) -ge $((adb_maxloop)) ] + then + rc=125 + f_log "no valid IPv4/IPv6 wan update interface found" "${rc}" + f_exit + fi + adb_cnt=$((adb_cnt + 1)) + sleep 1 + done # get lan ip addresses # @@ -203,6 +218,7 @@ f_envcheck() { # check general package dependencies # + f_depend "uhttpd" f_depend "wget" f_depend "iptables" f_depend "kmod-ipt-nat" 
@@ -231,9 +247,9 @@ f_envcheck() check="$(printf "${pkg_list}" | grep "^ca-certificates -" 2>/dev/null)" if [ -z "${check}" ] then - wget_parm="--no-config --no-check-certificate --quiet" + wget_parm="--no-config --no-check-certificate --quiet --tries=1 --no-cache --no-cookies --max-redirect=0" else - wget_parm="--no-config --quiet" + wget_parm="--no-config --quiet --tries=1 --no-cache --no-cookies --max-redirect=0" fi # check adblock blacklist/whitelist configuration @@ -254,10 +270,11 @@ f_envcheck() # if [ -n "${adb_tmpdir}" ] && [ -d "${adb_tmpdir}" ] then - f_space "${adb_tmpdir}" "please supersize your /tmp directory" + f_space "${adb_tmpdir}" if [ "${space_ok}" = "false" ] then rc=140 + f_log "not enough space in '${adb_tmpdir}', please supersize your temp directory" "${rc}" f_exit fi else @@ -274,19 +291,21 @@ f_envcheck() if [ $((mem_total)) -le 64000 ] && [ $((swap_total)) -eq 0 ] then adb_unique=0 - f_log "overall sort/unique processing will be disabled," - f_log "please consider adding an external swap device to supersize your /tmp directory (total: ${mem_total}, free: ${mem_free}, swap: ${mem_swap})" + f_log "not enough memory, overall sort/unique processing will be disabled" + f_log "please consider adding an external swap device to supersize your temp directory (total: ${mem_total}, free: ${mem_free}, swap: ${mem_swap})" fi # check backup configuration # if [ -n "${adb_backupdir}" ] && [ -d "${adb_backupdir}" ] then - f_space "${adb_backupdir}" "backup/restore will be disabled" + f_space "${adb_backupdir}" if [ "${space_ok}" = "false" ] then + f_log "backup/restore will be disabled" backup_ok="false" else + f_log "backup/restore will be enabled" backup_ok="true" fi else 
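Review bot: The fallback branch of the `ca-certificates` check still sets `--no-check-certificate` without logging anything. On such systems block lists fetched over https are accepted without server authentication, and the operator gets no hint of it. I would add `f_log "package 'ca-certificates' not found, ssl certificate checks will be disabled"` before that assignment. The new `--max-redirect=0` also makes any source that answers with a redirect fail outright, which is the safer behaviour but deserves a line in the README. f_envcheck continues outside this hunk.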
@@ -294,41 +313,45 @@ f_envcheck() f_log "backup/restore will be disabled" fi - # check debug log configuration + # check log configuration # adb_logdir="${adb_logfile%/*}" if [ -n "${adb_logdir}" ] && [ -d "${adb_logdir}" ] then - f_space "${adb_logdir}" "debug logging will be disabled" + f_space "${adb_logdir}" if [ "${space_ok}" = "false" ] then + f_log "not enough space in '${adb_logdir}', logging will be disabled" log_ok="false" else + f_log "logging will be enabled" log_ok="true" fi else log_ok="false" - f_log "debug logging will be disabled" + f_log "logging will be disabled" fi # check ipv4/iptables configuration # if [ -n "${adb_wanif4}" ] then - f_firewall "IPv4" "nat" "I" "PREROUTING" "adb-nat: tcp, port 80, DNAT" "-p tcp -d ${adb_nullipv4} --dport 80 -j DNAT --to-destination ${adb_ipv4}:${adb_port}" - f_firewall "IPv4" "nat" "A" "PREROUTING" "adb-dns: udp, port 53, DNAT" "-p udp --dport 53 -j DNAT --to-destination ${adb_ipv4}" - f_firewall "IPv4" "nat" "A" "PREROUTING" "adb-dns: tcp, port 53, DNAT" "-p tcp --dport 53 -j DNAT --to-destination ${adb_ipv4}" - f_firewall "IPv4" "filter" "I" "FORWARD" "adb-rej: all protocols, all ports, REJECT" "-d ${adb_nullipv4} -j REJECT" + f_firewall "IPv4" "nat" "A" "${adb_prechain_ipv4}" "adblock-pre" "-p tcp -d ${adb_nullipv4} --dport 80 -j REDIRECT --to-ports ${adb_port}" + f_firewall "IPv4" "nat" "A" "${adb_prechain_ipv4}" "adblock-dns" "-p udp --dport 53 -j REDIRECT" + f_firewall "IPv4" "nat" "A" "${adb_prechain_ipv4}" "adblock-dns" "-p tcp --dport 53 -j REDIRECT" + f_firewall "IPv4" "filter" "A" "${adb_fwdchain_ipv4}" "adblock-fwd" "-d ${adb_nullipv4} -j REJECT" + f_firewall "IPv4" "filter" "A" "${adb_outchain_ipv4}" "adblock-out" "-d ${adb_nullipv4} -j REJECT" fi # check ipv6/ip6tables configuration # if [ -n "${adb_wanif6}" ] then - f_firewall "IPv6" "nat" "I" "PREROUTING" "adb-nat: tcp, port 80, DNAT" "-p tcp -d ${adb_nullipv6} --dport 80 -j DNAT --to-destination [${adb_ipv6}]:${adb_port}" - f_firewall "IPv6" 
"nat" "A" "PREROUTING" "adb-dns: udp, port 53, DNAT" "-p udp --dport 53 -j DNAT --to-destination ${adb_ipv6}" - f_firewall "IPv6" "nat" "A" "PREROUTING" "adb-dns: tcp, port 53, DNAT" "-p tcp --dport 53 -j DNAT --to-destination ${adb_ipv6}" - f_firewall "IPv6" "filter" "I" "FORWARD" "adb-rej: all protocols, all ports, REJECT" "-d ${adb_nullipv6} -j REJECT" + f_firewall "IPv6" "nat" "A" "${adb_prechain_ipv6}" "adblock-pre" "-p tcp -d ${adb_nullipv6} --dport 80 -j REDIRECT --to-ports ${adb_port}" + f_firewall "IPv6" "nat" "A" "${adb_prechain_ipv6}" "adblock-dns" "-p udp --dport 53 -j REDIRECT" + f_firewall "IPv6" "nat" "A" "${adb_prechain_ipv6}" "adblock-dns" "-p tcp --dport 53 -j REDIRECT" + f_firewall "IPv6" "filter" "A" "${adb_fwdchain_ipv6}" "adblock-fwd" "-d ${adb_nullipv6} -j REJECT" + f_firewall "IPv6" "filter" "A" "${adb_outchain_ipv6}" "adblock-out" "-d ${adb_nullipv6} -j REJECT" fi # check volatile adblock uhttpd instance configuration @@ -374,19 +397,18 @@ f_envcheck() # wait for active wan update interface # - cnt=0 - while [ $((cnt)) -le $((adb_maxloop)) ] + while [ $((adb_cnt)) -le $((adb_maxloop)) ] do for interface in ${adb_wanif} do network_get_device adb_wandev "${interface}" 2>/dev/null if [ -z "${adb_wandev}" ] || [ ! -d "/sys/class/net/${adb_wandev}" ] then - if [ -n "${adb_wanif4}" ] + if [ -n "${adb_wandev4}" ] then - network_get_device adb_wandev "${adb_wanif4}" 2>/dev/null + adb_wandev="${adb_wandev4}" else - network_get_device adb_wandev "${adb_wanif6}" 2>/dev/null + adb_wandev="${adb_wandev6}" fi if [ -z "${adb_wandev}" ] || [ ! -d "/sys/class/net/${adb_wandev}" ] then 
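Review bot: The two `adblock-dns` rules (`-p udp --dport 53 -j REDIRECT` and its tcp twin) have no ingress-interface or destination match, so they match port-53 traffic arriving on any interface, not only on `${adb_lanif}`. REDIRECT rewrites the destination to the address of the incoming interface, so whether such queries then reach the local resolver depends on the INPUT policy, which is not visible here. Consider scoping the DNS and port-80 redirects with an `-i` match on the LAN device, resolved the same way the wan devices are resolved in f_envparse. The IPv6 variants go straight into `PREROUTING` while IPv4 uses the `prerouting_rule` user chain; a one-line comment explaining that asymmetry would help. The uhttpd setup that has to answer on `${adb_port}` lies outside this hunk.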
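Review bot: The wan wait loop now starts from whatever value `adb_cnt` was left at by the interface lookup loop in f_envparse, because `cnt=0` was removed without an `adb_cnt=0` taking its place. The effective wait is therefore `adb_maxloop` minus the iterations already spent, not the full `adb_maxloop`. If a shared budget is intended, say so in the comment above the loop (`# wait for active wan update interface, loop budget is shared with f_envparse`); otherwise reset the counter with `adb_cnt=0` before the `while`. The loop body continues past the end of this hunk.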
@@ -398,15 +420,15 @@ f_envcheck() check="$(cat /sys/class/net/${adb_wandev}/operstate 2>/dev/null)" if [ "${check}" = "up" ] then - f_log "get active wan update interface/device (${adb_wanif}/${adb_wandev}) after ${cnt} loops" + f_log "get active wan update interface/device (${adb_wanif}/${adb_wandev})" break 2 - elif [ $((cnt)) -eq $((adb_maxloop)) ] + elif [ $((adb_cnt)) -eq $((adb_maxloop)) ] then rc=145 - f_log "wan update interface/device not running (${adb_wanif}/${adb_wandev}) after ${cnt} loops" "${rc}" + f_log "wan update interface/device not running (${adb_wanif}/${adb_wandev})" "${rc}" f_restore fi - cnt=$((cnt + 1)) + adb_cnt=$((adb_cnt + 1)) sleep 1 done done @@ -415,7 +437,6 @@ f_envcheck() # if [ -n "${adb_ntpsrv}" ] then - cnt=0 unset ntp_pool for srv in ${adb_ntpsrv} do @@ -425,11 +446,9 @@ f_envcheck() rc=${?} if [ $((rc)) -eq 0 ] then - ntp_ok="true" f_log "get ntp time sync" else rc=0 - ntp_ok="false" f_log "ntp time sync failed" fi fi @@ -457,14 +476,13 @@ f_envcheck() # f_depend() { - local rc_func local package="${1}" check="$(printf "${pkg_list}" | grep "^${package} -" 2>/dev/null)" if [ -z "${check}" ] then - rc_func=150 - f_log "package '${package}' not found" "${rc_func}" + rc=150 + f_log "package '${package}' not found" "${rc}" f_exit fi } @@ -474,7 +492,6 @@ f_depend() # f_firewall() { - local rc_func local ipt local iptv4="/usr/sbin/iptables" local iptv6="/usr/sbin/ip6tables" 
@@ -496,16 +513,16 @@ f_firewall() # check whether iptables rule already applied and proceed accordingly # - rc_func="$("${ipt}" -w -t "${table}" -C "${chain}" -m comment --comment "${notes}" ${rules} >/dev/null 2>&1; printf ${?})" - if [ $((rc_func)) -ne 0 ] + rc="$("${ipt}" -w -t "${table}" -C "${chain}" -m comment --comment "${notes}" ${rules} >/dev/null 2>&1; printf ${?})" + if [ $((rc)) -ne 0 ] then "${ipt}" -w -t "${table}" -"${ctype}" "${chain}" -m comment --comment "${notes}" ${rules} >/dev/null 2>&1 - rc_func=${?} - if [ $((rc_func)) -eq 0 ] + rc=${?} + if [ $((rc)) -eq 0 ] then f_log "created volatile ${proto} firewall rule in '${chain}' chain (${notes})" else - f_log "failed to initialize volatile ${proto} firewall rule in '${chain}' chain (${notes})" "${rc_func}" + f_log "failed to initialize volatile ${proto} firewall rule in '${chain}' chain (${notes})" "${rc}" f_restore fi fi @@ -530,8 +547,12 @@ f_log() log_rc=", rc: ${log_rc}" log_msg="${log_msg}${log_rc}" fi - /usr/bin/logger -s -t "adblock[${pid}] ${class}" "${log_msg}" - if [ "${log_ok}" = "true" ] && [ "${ntp_ok}" = "true" ] + /usr/bin/logger -t "adblock[${pid}] ${class}" "${log_msg}" + if [ -t 1 ] + then + printf "%s\n" "adblock[${pid}] ${class}: ${log_msg}" + fi + if [ "${log_ok}" = "true" ] then printf "%s\n" "$(/bin/date "+%d.%m.%Y %H:%M:%S") adblock[${pid}] ${class}: ${log_msg}" >> "${adb_logfile}" fi @@ -543,9 +564,7 @@ f_log() # f_space() { - local rc_func local mp="${1}" - local notes="${2}" # check relevant mount points in a subshell # 
@@ -558,22 +577,23 @@ f_space() av_space="${available}" if [ $((av_space)) -eq 0 ] then - rc_func=155 - f_log "no space left on device/not mounted (${mp}), ${notes}" - exit ${rc_func} + rc=155 + f_log "no space left on device/not mounted (${mp})" + exit ${rc} elif [ $((av_space)) -lt $((adb_minspace)) ] then - rc_func=155 - f_log "not enough space left on device (${mp}), ${notes}" - exit ${rc_func} + rc=155 + f_log "not enough space left on device (${mp})" + exit ${rc} fi done # subshell return code handling, set space trigger accordingly # - rc_func=${?} - if [ $((rc_func)) -ne 0 ] + rc=${?} + if [ $((rc)) -ne 0 ] then + rc=0 space_ok="false" fi fi @@ -584,7 +604,6 @@ f_space() # f_restore() { - local rc_func local removal_done local restore_done @@ -592,11 +611,11 @@ f_restore() # if [ -n "${adb_revsrclist}" ] then - find "${adb_dnsdir}" -maxdepth 1 -type f \( ${adb_revsrcfind} \) -exec rm -f "{}" \; 2>/dev/null - rc_func=${?} - if [ $((rc_func)) -ne 0 ] + find "${adb_dnsdir}" -maxdepth 1 -type f \( ${adb_revsrclist} \) -exec rm -f "{}" \; 2>/dev/null + rc=${?} + if [ $((rc)) -ne 0 ] then - f_log "error during removal of bogus adblock lists" "${rc_func}" + f_log "error during removal of bogus adblock lists" "${rc}" f_exit else removal_done="true" @@ -612,10 +631,10 @@ f_restore() do filename="${file##*/}" cp -pf "${file}" "${adb_dnsdir}" 2>/dev/null - rc_func=${?} - if [ $((rc_func)) -ne 0 ] + rc=${?} + if [ $((rc)) -ne 0 ] then - f_log "error during restore of adblock list (${filename})" "${rc_func}" + f_log "error during restore of adblock list (${filename})" "${rc}" f_exit fi restore_done="true" 
@@ -635,10 +654,16 @@ f_restore() if [ -n "${dns_status}" ] then rc=0 + if [ -n "${adb_wanif4}" ] && [ -n "${adb_wanif6}" ] + then + adb_count="$(($(head -qn -4 "${adb_dnsdir}/${adb_dnsprefix}."* 2>/dev/null | wc -l) / 2))" + else + adb_count="$(head -qn -4 "${adb_dnsdir}/${adb_dnsprefix}."* 2>/dev/null | wc -l)" + fi + f_log "adblock lists with overall ${adb_count} domains loaded" else rc=160 f_log "dnsmasq restart failed, please check 'logread' output" "${rc}" - f_restore fi fi f_exit @@ -650,10 +675,14 @@ f_restore() # f_exit() { - local ipv4_nat - local ipv4_rej - local ipv6_nat - local ipv6_rej + local ipv4_prerouting + local ipv4_forward + local ipv4_output + local ipv6_prerouting + local ipv6_forward + local ipv6_output + local iptv4="/usr/sbin/iptables" + local iptv6="/usr/sbin/ip6tables" # delete temporary files & directories # 
@@ -670,23 +699,35 @@ f_exit() # if [ $((rc)) -eq 0 ] then + if [ -n "${adb_wanif4}" ] + then + ipv4_prerouting="$(${iptv4} -t nat -vnL | grep -F "adblock-pre" | grep -Eo "[0-9]+" | head -n1)" + ipv4_forward="$(${iptv4} -vnL | grep -F "adblock-fwd" | grep -Eo "[0-9]+" | head -n1)" + ipv4_output="$(${iptv4} -vnL | grep -F "adblock-out" | grep -Eo "[0-9]+" | head -n1)" + fi + if [ -n "${adb_wanif6}" ] + then + ipv6_prerouting="$(${iptv6} -t nat -vnL | grep -F "adblock-pre" | grep -Eo "[0-9]+" | head -n1)" + ipv6_forward="$(${iptv6} -vnL | grep -F "adblock-fwd" | grep -Eo "[0-9]+" | head -n1)" + ipv6_output="$(${iptv6} -vnL | grep -F "adblock-out" | grep -Eo "[0-9]+" | head -n1)" + fi if [ -n "${adb_wanif4}" ] && [ -n "${adb_wanif6}" ] then - ipv4_nat="$(iptables -t nat -vnL | grep -F "adb-nat" | grep -Eo "[0-9]+" | head -n1)" - ipv4_rej="$(iptables -vnL | grep -F "adb-rej" | grep -Eo "[0-9]+" | head -n1)" - ipv6_nat="$(ip6tables -t nat -vnL | grep -F "adb-nat" | grep -Eo "[0-9]+" | head -n1)" - ipv6_rej="$(ip6tables -vnL | grep -F "adb-rej" | grep -Eo "[0-9]+" | head -n1)" - f_log "adblock firewall statistics (IPv4/IPv6): ${ipv4_nat}/${ipv6_nat} packets redirected in PREROUTING chain, ${ipv4_rej}/${ipv6_rej} packets rejected in FORWARD chain" + f_log "adblock firewall statistics (IPv4/IPv6):" + f_log "${ipv4_prerouting}/${ipv6_prerouting} packets redirected in PREROUTING chain" + f_log "${ipv4_forward}/${ipv6_forward} packets rejected in FORWARD chain" + f_log "${ipv4_output}/${ipv6_output} packets rejected in OUTPUT chain" elif [ -n "${adb_wanif4}" ] then - ipv4_nat="$(iptables -t nat -vnL | grep -F "adb-nat" | grep -Eo "[0-9]+" | head -n1)" - ipv4_rej="$(iptables -vnL | grep -F "adb-rej" | grep -Eo "[0-9]+" | head -n1)" - f_log "adblock firewall statistics (IPv4): ${ipv4_nat} packets redirected in PREROUTING chain, ${ipv4_rej} packets rejected in FORWARD chain" + f_log "adblock firewall statistics (IPv4):" + f_log "${ipv4_prerouting} packets redirected in 
PREROUTING chain" + f_log "${ipv4_forward} packets rejected in FORWARD chain" + f_log "${ipv4_output} packets rejected in OUTPUT chain" elif [ -n "${adb_wanif6}" ] then - ipv6_nat="$(ip6tables -t nat -vnL | grep -F "adb-nat" | grep -Eo "[0-9]+" | head -n1)" - ipv6_rej="$(ip6tables -vnL | grep -F "adb-rej" | grep -Eo "[0-9]+" | head -n1)" - f_log "adblock firewall statistics (IPv6): ${ipv6_nat} packets redirected in PREROUTING chain, ${ipv6_rej} packets rejected in FORWARD chain" + f_log "${ipv6_prerouting} packets redirected in PREROUTING chain" + f_log "${ipv6_forward} packets rejected in FORWARD chain" + f_log "${ipv6_output} packets rejected in OUTPUT chain" fi f_log "domain adblock processing finished successfully (${adb_version}, ${openwrt_version}, $(/bin/date "+%d.%m.%Y %H:%M:%S"))" else diff --git a/net/adblock/files/adblock-update.sh b/net/adblock/files/adblock-update.sh index 90e78554b..bd425d73e 100755 --- a/net/adblock/files/adblock-update.sh +++ b/net/adblock/files/adblock-update.sh @@ -23,9 +23,14 @@ # environment # ############### +# set the C locale, characters are single bytes, the charset is ASCII +# speeds up things like sort, grep etc. +# +LC_ALL=C + # set script version # -adb_version="0.60.0" +adb_version="0.60.1" # get current pid, script directory and openwrt version # @@ -48,9 +53,9 @@ fi # main program # ################ -# call restore function on trap signals (HUP, INT, QUIT, BUS, SEGV, TERM) +# call exit function on trap signals (HUP, INT, QUIT, BUS, SEGV, TERM) # -trap "rc=255; f_log 'trap error' '${rc}'; f_restore" 1 2 3 10 11 15 +trap "rc=255; f_log 'error signal received/trapped' '${rc}'; f_exit" 1 2 3 10 11 15 # start logging # 
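Review bot: The IPv6-only branch lost its heading: the IPv4 and dual-stack branches first log `adblock firewall statistics (...)`, but the `elif [ -n "${adb_wanif6}" ]` branch goes straight to the three counter lines, so its log output cannot be told apart from an IPv4 run. Add `f_log "adblock firewall statistics (IPv6):"` as its first statement. The counter queries also call `${iptv4}`/`${iptv6}` without `-w`, while f_firewall uses `-w` on every call. A concurrent firewall reload can then leave the counters empty, and `2>/dev/null` or an empty-value fallback would keep the log lines well-formed. f_exit starts and ends outside this hunk.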
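Review bot: `LC_ALL=C` at the top of the script is a plain assignment, so `sort`, `grep` and the other child processes only see it if `LC_ALL` was already exported in the calling environment. Under cron or an init script that is usually not the case, and the locale then changes neither speed nor matching behaviour of the list parsing. Use `export LC_ALL=C` so the setting actually reaches the tools named in the comment.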
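Review bot: The trap string is double-quoted, so `'${rc}'` is expanded once when the trap is installed. The message therefore logs the value `rc` had at that moment, not the 255 assigned inside the handler. Single-quote the handler so expansion happens on signal delivery: `trap 'rc=255; f_log "error signal received/trapped" "${rc}"; f_exit' 1 2 3 10 11 15`. The handler now calls f_exit where it used to call f_restore, so an interrupted run may leave partly updated lists in `${adb_dnsdir}`; a short comment stating that this is intended would help, as f_exit's cleanup is only partly visible here.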
@@ -94,7 +99,7 @@ then fi if [ -z "${list_time}" ] || [ "${list_time}" != "${shalla_time}" ] then - wget ${wget_parm} --timeout="${adb_maxtime}" --tries=1 --output-document="${shalla_archive}" "${adb_arc_shalla}" 2>/dev/null + wget ${wget_parm} --timeout="${adb_maxtime}" --output-document="${shalla_archive}" "${adb_arc_shalla}" 2>/dev/null rc=${?} if [ $((rc)) -eq 0 ] then @@ -126,7 +131,7 @@ then rc=0 fi else - adb_srcfind="! -name ${adb_dnsprefix}.${src_name}" + adb_srclist="! -name ${adb_dnsprefix}.${src_name}" f_log " source archive doesn't change, no update required" fi fi @@ -152,11 +157,11 @@ do # prepare find statement with active adblock list sources # - if [ -z "${adb_srcfind}" ] + if [ -z "${adb_srclist}" ] then - adb_srcfind="! -name ${adb_dnsprefix}.${src_name}" + adb_srclist="! -name ${adb_dnsprefix}.${src_name}" else - adb_srcfind="${adb_srcfind} -a ! -name ${adb_dnsprefix}.${src_name}" + adb_srclist="${adb_srclist} -a ! -name ${adb_dnsprefix}.${src_name}" fi # only download adblock list with newer/updated timestamp @@ -187,7 +192,7 @@ do tmp_domains="$(cat "${shalla_file}" 2>/dev/null)" rc=${?} else - tmp_domains="$(wget ${wget_parm} --timeout="${adb_maxtime}" --tries=1 --output-document=- "${url}" 2>/dev/null)" + tmp_domains="$(wget ${wget_parm} --timeout="${adb_maxtime}" --output-document=- "${url}" 2>/dev/null)" rc=${?} fi else @@ -212,8 +217,8 @@ do f_log " empty source download finished" continue else - f_log " source download failed" rc=0 + f_log " source download failed" continue fi @@ -233,11 +238,11 @@ do # prepare find statement with revised adblock list sources # - if [ -z "${adb_revsrcfind}" ] + if [ -z "${adb_revsrclist}" ] then - adb_revsrcfind="-name ${adb_dnsprefix}.${src_name}" + adb_revsrclist="-name ${adb_dnsprefix}.${src_name}" else - adb_revsrcfind="${adb_revsrcfind} -o -name ${adb_dnsprefix}.${src_name}" + adb_revsrclist="${adb_revsrclist} -o -name ${adb_dnsprefix}.${src_name}" fi # write preliminary adblock list footer 
@@ -267,9 +272,9 @@ done # remove old adblock lists and their backups # -if [ -n "${adb_srcfind}" ] +if [ -n "${adb_srclist}" ] then - adb_rmfind="$(find "${adb_dnsdir}" -maxdepth 1 -type f -name "${adb_dnsprefix}.*" \( ${adb_srcfind} \) -print -exec rm -f "{}" \; 2>/dev/null)" + adb_rmfind="$(find "${adb_dnsdir}" -maxdepth 1 -type f -name "${adb_dnsprefix}.*" \( ${adb_srclist} \) -print -exec rm -f "{}" \; 2>/dev/null)" if [ $((rc)) -eq 0 ] && [ -n "${adb_rmfind}" ] then f_log "no longer used adblock lists removed" "${rc}" @@ -280,7 +285,7 @@ then fi if [ "${backup_ok}" = "true" ] then - find "${adb_backupdir}" -maxdepth 1 -type f -name "${adb_dnsprefix}.*" \( ${adb_srcfind} \) -exec rm -f "{}" \; 2>/dev/null + find "${adb_backupdir}" -maxdepth 1 -type f -name "${adb_dnsprefix}.*" \( ${adb_srclist} \) -exec rm -f "{}" \; 2>/dev/null if [ $((rc)) -ne 0 ] then f_log "error during removal of old backups" "${rc}" @@ -302,7 +307,7 @@ fi # if [ $((adb_unique)) -eq 1 ] then - if [ -n "${adb_revsrcfind}" ] + if [ -n "${adb_revsrclist}" ] then f_log "remove duplicates in separate adblock lists" @@ -352,10 +357,17 @@ else adb_count="$(head -qn -4 "${adb_dnsdir}/${adb_dnsprefix}."* 2>/dev/null | wc -l)" fi +# restore adblock lists if overall count is null (i.e. all downloads failed) +# +if [ "${backup_ok}" = "true" ] && [ $((adb_count)) -eq 0 ] +then + f_restore +fi + # restart dnsmasq with newly generated or deleted adblock lists, # check dnsmasq startup afterwards # -if [ -n "${adb_revsrcfind}" ] || [ -n "${adb_rmfind}" ] +if [ -n "${adb_revsrclist}" ] || [ -n "${adb_rmfind}" ] then /etc/init.d/dnsmasq restart >/dev/null 2>&1 sleep 2 diff --git a/net/adblock/files/adblock.conf b/net/adblock/files/adblock.conf index b4c91e563..f066bfca3 100644 --- a/net/adblock/files/adblock.conf +++ b/net/adblock/files/adblock.conf 
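Review bot: The new zero-count guard only acts when `backup_ok` is true, and it calls f_restore without logging why. With backups disabled and every download failed, the script appears to carry on to the dnsmasq restart with no block lists and still report success, although the surrounding code is only partly visible. I would log the condition in both cases, for example `f_log "no adblock domains found, all downloads failed"` before the `if`. The no-backup case should also get a non-zero `rc`, so that an empty filter set is not reported as a clean run.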
@@ -1,3 +1,6 @@ +# adblock configuration, for further information +# please see /etc/adblock/samples/adblock.conf.sample +# and /etc/adblock/README.md config adblock "global" option adb_blacklist "/etc/adblock/adblock.blacklist"