From babad56cc62246fa8cd481915431206e766af3de Mon Sep 17 00:00:00 2001 From: Dirk Brenken Date: Mon, 22 Feb 2016 20:57:40 +0100 Subject: [PATCH] adblock: 0.80.1 * fix ip6tables reject types * simplified firewall ruleset for IPv4/IPv6 * fix memory detection (swap was always 0) * fix dnsmasq restart after partial restore * ad hotplug support, adblock will be started when wan interface comes up * change adblock init script accordingly, do nothing on 'boot' * optimize wget parameters for faster download results (in case of an error) * added CC installation notes to readme * removed needless external online check * removed needless optional parms 'adb_maxtime', 'adb_maxloop', 'adb_probeipv4' and 'adb_probeipv6' Signed-off-by: Dirk Brenken --- net/adblock/Makefile | 5 +- net/adblock/files/README.md | 14 ++-- net/adblock/files/adblock-helper.sh | 102 +++++++++------------------- net/adblock/files/adblock-update.sh | 12 ++-- net/adblock/files/adblock.hotplug | 19 ++++++ net/adblock/files/adblock.init | 5 ++ 6 files changed, 74 insertions(+), 83 deletions(-) create mode 100644 net/adblock/files/adblock.hotplug diff --git a/net/adblock/Makefile b/net/adblock/Makefile index b882e9b7d..84b775179 100644 --- a/net/adblock/Makefile +++ b/net/adblock/Makefile @@ -7,7 +7,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=adblock -PKG_VERSION:=0.80.0 +PKG_VERSION:=0.80.1 PKG_RELEASE:=1 PKG_LICENSE:=GPL-3.0+ PKG_MAINTAINER:=Dirk Brenken @@ -49,6 +49,9 @@ define Package/$(PKG_NAME)/install $(INSTALL_BIN) ./files/adblock-update.sh $(1)/usr/bin/ $(INSTALL_DATA) ./files/adblock-helper.sh $(1)/usr/bin/ + $(INSTALL_DIR) $(1)/etc/hotplug.d/iface + $(INSTALL_BIN) ./files/adblock.hotplug $(1)/etc/hotplug.d/iface/99-adblock + $(INSTALL_DIR) $(1)/etc/init.d $(INSTALL_BIN) ./files/adblock.init $(1)/etc/init.d/adblock diff --git a/net/adblock/files/README.md b/net/adblock/files/README.md index 00b40ff9f..88a58ef2b 100644 --- a/net/adblock/files/README.md +++ b/net/adblock/files/README.md 
@@ -51,6 +51,7 @@ When the dns server on your router receives dns requests, you will sort out quer * status & error logging to stdout and syslog * use of dynamic uhttpd instance as adblock pixel server * openwrt init system support (start/stop/restart/reload) +* hotplug support, adblock start will be triggered by wan 'ifup' event * optional features (disabled by default): * adblock list backup/restore * debug logging to separate file @@ -62,8 +63,8 @@ When the dns server on your router receives dns requests, you will sort out quer * optional: 'kmod-ipt-nat6' for IPv6 support * the above dependencies and requirements will be checked during package installation & script runtime -## Usage -* install the adblock package (*opkg install adblock*) +## Installation & Usage +* install the adblock package (*opkg update & opkg install adblock*) * start the adblock service with */etc/init.d/adblock start* and check *logread -e "adblock"* for adblock related information * optional: enable/disable your required adblock list sources in */etc/config/adblock* - 'adaway', 'disconnect' and 'yoyo' are enabled by default * optional: maintain the adblock service in luci under 'System => Startup' 
@@ -73,6 +74,11 @@ For easy management of the various blocklist sources and and the adblock options Please install the package 'luci-app-adblock'. Then you will find the application in LuCI located under 'Services' menu. Thanks to Hannu Nyman for this great adblock LuCI frontend! +## CC installation notes +* currently the adblock package is *not* part of the CC package repository +* download the latest adblock package *adblock_x.xx.x-1_all.ipk* from a DD snapshot [package directory](https://downloads.openwrt.org/snapshots/trunk/ar71xx/generic/packages/packages) +* manual transfer the package to your router and install the opkg package as usual + ## Tweaks * there is no need to enable all blacklist sites at once, for normal use one to three adblock list sources should be sufficient * if you really need to handle all blacklists at once add an usb stick or any other storage device to supersize your temp directory with a swap partition => see [openwrt wiki](https://wiki.openwrt.org/doc/uci/fstab) for further details @@ -90,10 +96,6 @@ Thanks to Hannu Nyman for this great adblock LuCI frontend! * adb\_port => port of the adblock uhttpd instance (default: '65535') * adb\_nullipv4 => IPv4 blackhole ip address (default: '192.0.2.1') * adb\_nullipv6 => IPv6 blackhole ip address (default: '::ffff:c000:0201') - * adb\_probeipv4 => IPv4 address used for uplink online check (default: '8.8.8.8') - * adb\_probeipv6 => IPv6 address used for uplink online check (default: '2001:4860:4860::8888') - * adb\_maxtime => download timeout limit in seconds (default: '60') - * adb\_maxloop => startup timeout limit in seconds to wait for an active wan interface (default: '20') ## Background This adblock package is a dns/dnsmasq based adblock solution for openwrt. diff --git a/net/adblock/files/adblock-helper.sh b/net/adblock/files/adblock-helper.sh index 49f0542c1..faccc9640 100644 --- a/net/adblock/files/adblock-helper.sh +++ b/net/adblock/files/adblock-helper.sh 
@@ -86,10 +86,6 @@ f_envparse() adb_port="65535" adb_nullipv4="192.0.2.1" adb_nullipv6="::ffff:c000:0201" - adb_probeipv4="8.8.8.8" - adb_probeipv6="2001:4860:4860::8888" - adb_maxtime="60" - adb_maxloop="20" adb_blacklist="/etc/adblock/adblock.blacklist" adb_whitelist="/etc/adblock/adblock.whitelist" 
@@ -198,47 +194,23 @@ f_envparse() # get logical wan update interfaces (with default route) and their device names # - while [ $((adb_cnt)) -le $((adb_maxloop)) ] - do - network_find_wan adb_wanif4 2>/dev/null - network_find_wan6 adb_wanif6 2>/dev/null - if [ -z "${adb_wanif4}" ] && [ -z "${adb_wanif6}" ] - then - network_flush_cache - elif [ "${adb_wanif4}" = "${adb_lanif}" ] || [ "${adb_wanif6}" = "${adb_lanif}" ] - then - rc=125 - f_log "LAN only (${adb_lanif}) network, no valid IPv4/IPv6 wan update interface found" "${rc}" - f_exit - else - network_get_device adb_wandev4 "${adb_wanif4}" 2>/dev/null - network_get_device adb_wandev6 "${adb_wanif6}" 2>/dev/null - if [ -n "${adb_wandev4}" ] - then - rc="$(ping -q -4 -c1 -W1 -I${adb_wandev4} "${adb_probeipv4}" >/dev/null 2>&1; printf ${?})" - if [ $((rc)) -eq 0 ] - then - f_log "get active IPv4 wan update interface/device (${adb_wanif4}/${adb_wandev4})" - break - fi - elif [ -n "${adb_wandev6}" ] - then - rc="$(ping -q -6 -c1 -W1 -I${adb_wandev6} "${adb_probeipv6}" >/dev/null 2>&1; printf ${?})" - if [ $((rc)) -eq 0 ] - then - f_log "get active IPv6 wan update interface/device (${adb_wanif6}/${adb_wandev6})" - break - fi - fi - fi - if [ $((adb_cnt)) -ge $((adb_maxloop)) ] - then - rc=125 - f_log "no valid IPv4/IPv6 wan update interface found" "${rc}" - f_exit - fi - adb_cnt=$((adb_cnt + 1)) - done + network_find_wan adb_wanif4 2>/dev/null + network_find_wan6 adb_wanif6 2>/dev/null + if [ -z "${adb_wanif4}" ] && [ -z "${adb_wanif6}" ] + then + rc=125 + f_log "no valid IPv4/IPv6 wan update interface found" "${rc}" + f_exit + elif [ "${adb_wanif4}" = "${adb_lanif}" ] || [ "${adb_wanif6}" = "${adb_lanif}" ] + then + rc=125 + f_log "LAN only (${adb_lanif}) network, no valid IPv4/IPv6 wan update interface found" "${rc}" + f_exit + else + network_get_device adb_wandev4 "${adb_wanif4}" 2>/dev/null + network_get_device adb_wandev6 "${adb_wanif6}" 2>/dev/null + break + fi # get lan ip addresses # 
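Review bot: The `break` kept in the new `else` branch no longer sits inside a loop, because this hunk removes the surrounding `while … done`. Shells differ in how they handle a `break` with no enclosing loop (some ignore it, some warn, and some may apply it to a loop in the caller), so the line should simply be dropped. The branch also no longer checks that `network_get_device` returned anything; if `adb_wandev4` or `adb_wandev6` can come back empty, the later `! -i ${adb_wandev4}` firewall arguments would be malformed, so a guard such as `[ -z "${adb_wandev4}" ] && [ -z "${adb_wandev6}" ]` with the same `rc=125` exit seems worth keeping. f_envparse starts and ends outside the hunk.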
@@ -287,12 +259,11 @@ f_envcheck() # check ca-certificates package and set wget parms accordingly # + wget_parm="--no-config --quiet --tries=1 --no-cache --no-cookies --max-redirect=0 --dns-timeout=5 --connect-timeout=5 --read-timeout=5" check="$(printf "${pkg_list}" | grep "^ca-certificates -" 2>/dev/null)" if [ -z "${check}" ] then - wget_parm="--no-config --no-check-certificate --quiet --tries=1 --no-cache --no-cookies --max-redirect=0 --dns-timeout=5" - else - wget_parm="--no-config --quiet --tries=1 --no-cache --no-cookies --max-redirect=0 --dns-timeout=5" + wget_parm="${wget_parm} --no-check-certificate" fi # check adblock blacklist/whitelist configuration @@ -326,16 +297,15 @@ f_envcheck() f_exit fi - # check total and swap memory + # memory check # - mem_total="$(grep -F "MemTotal" "/proc/meminfo" 2>/dev/null | grep -o "[0-9]*" 2>/dev/null)" - mem_free="$(grep -F "MemFree" "/proc/meminfo" 2>/dev/null | grep -o "[0-9]*" 2>/dev/null)" - swap_total="$(grep -F "SwapTotal" "/proc/meminfo" 2>/dev/null | grep -o "[0-9]*" 2>/dev/null)" - if [ $((mem_total)) -le 64000 ] && [ $((swap_total)) -eq 0 ] + mem_total="$(awk '$1 ~ /^MemTotal/ {print $2}' "/proc/meminfo" 2>/dev/null)" + mem_free="$(awk '$1 ~ /^MemFree/ {print $2}' "/proc/meminfo" 2>/dev/null)" + mem_swap="$(awk '$1 ~ /^SwapTotal/ {print $2}' "/proc/meminfo" 2>/dev/null)" + if [ $((mem_total)) -le 64000 ] && [ $((mem_swap)) -eq 0 ] then adb_unique=0 - f_log "not enough memory, overall sort/unique processing will be disabled" - f_log "please consider adding an external swap device to supersize your temp directory (total: ${mem_total}, free: ${mem_free}, swap: ${mem_swap})" + f_log "not enough memory, overall sort processing will be disabled (total: ${mem_total}, free: ${mem_free}, swap: ${mem_swap})" fi # check backup configuration 
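Review bot: The fallback that appends `--no-check-certificate` to `wget_parm` disables TLS verification for every list download without telling the operator, and the downloaded content is what the DNS blocking is built from. An on-path party could then alter a list unnoticed, so the `then` branch should at least record the downgrade, for example `f_log "ca-certificates package not found, list sources will be downloaded without certificate verification"` placed after the assignment. A README line recommending installation of 'ca-certificates' would complement it. f_envcheck starts and ends outside the hunk.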
@@ -382,12 +352,8 @@ f_envcheck() f_firewall "IPv4" "nat" "A" "${adb_prechain_ipv4}" "adb-prerouting" "! -i ${adb_wandev4} -p tcp -d ${adb_nullipv4} -m multiport --dports 80,443 -j REDIRECT --to-ports ${adb_port}" f_firewall "IPv4" "nat" "A" "${adb_prechain_ipv4}" "adb-dns" "! -i ${adb_wandev4} -p udp --dport 53 -j REDIRECT" f_firewall "IPv4" "nat" "A" "${adb_prechain_ipv4}" "adb-dns" "! -i ${adb_wandev4} -p tcp --dport 53 -j REDIRECT" - f_firewall "IPv4" "filter" "A" "${adb_fwdchain_ipv4}" "adb-forward" "! -i ${adb_wandev4} -p udp -d ${adb_nullipv4} -j REJECT --reject-with icmp-port-unreachable" - f_firewall "IPv4" "filter" "A" "${adb_fwdchain_ipv4}" "adb-forward" "! -i ${adb_wandev4} -p tcp -d ${adb_nullipv4} -j REJECT --reject-with tcp-reset" - f_firewall "IPv4" "filter" "A" "${adb_fwdchain_ipv4}" "adb-forward" "! -i ${adb_wandev4} -d ${adb_nullipv4} -j REJECT --reject-with icmp-proto-unreachable" - f_firewall "IPv4" "filter" "A" "${adb_outchain_ipv4}" "adb-output" "! -i ${adb_wandev4} -p udp -d ${adb_nullipv4} -j REJECT --reject-with icmp-port-unreachable" - f_firewall "IPv4" "filter" "A" "${adb_outchain_ipv4}" "adb-output" "! -i ${adb_wandev4} -p tcp -d ${adb_nullipv4} -j REJECT --reject-with tcp-reset" - f_firewall "IPv4" "filter" "A" "${adb_outchain_ipv4}" "adb-output" "! -i ${adb_wandev4} -d ${adb_nullipv4} -j REJECT --reject-with icmp-proto-unreachable" + f_firewall "IPv4" "filter" "A" "${adb_fwdchain_ipv4}" "adb-forward" "! -i ${adb_wandev4} -d ${adb_nullipv4} -j REJECT --reject-with icmp-host-unreachable" + f_firewall "IPv4" "filter" "A" "${adb_outchain_ipv4}" "adb-output" "! -i ${adb_wandev4} -d ${adb_nullipv4} -j REJECT --reject-with icmp-host-unreachable" if [ "${fw_done}" = "true" ] then f_log "created volatile IPv4 firewall ruleset" 
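Review bot: With the `-p tcp … --reject-with tcp-reset` rules removed, TCP connections to `${adb_nullipv4}` on ports other than 80/443 are now refused with an ICMP host-unreachable instead of a RST. Clients that treat that ICMP code as a soft error may keep retrying until their own connect timeout rather than failing at once, which would show up as slow page loads on blocked hosts. Keeping one TCP rule ahead of the catch-all in the forward and output chains would preserve the fast failure, e.g. `"! -i ${adb_wandev4} -p tcp -d ${adb_nullipv4} -j REJECT --reject-with tcp-reset"`. The same applies to the IPv6 hunk that follows, where `tcp-reset` is also an accepted ip6tables reject type.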
@@ -402,12 +368,8 @@ f_envcheck() f_firewall "IPv6" "nat" "A" "${adb_prechain_ipv6}" "adb-prerouting" "! -i ${adb_wandev6} -p tcp -d ${adb_nullipv6} -m multiport --dports 80,443 -j REDIRECT --to-ports ${adb_port}" f_firewall "IPv6" "nat" "A" "${adb_prechain_ipv6}" "adb-dns" "! -i ${adb_wandev6} -p udp --dport 53 -j REDIRECT" f_firewall "IPv6" "nat" "A" "${adb_prechain_ipv6}" "adb-dns" "! -i ${adb_wandev6} -p tcp --dport 53 -j REDIRECT" - f_firewall "IPv6" "filter" "A" "${adb_fwdchain_ipv6}" "adb-forward" "! -i ${adb_wandev6} -p udp -d ${adb_nullipv6} -j REJECT --reject-with icmp-port-unreachable" - f_firewall "IPv6" "filter" "A" "${adb_fwdchain_ipv6}" "adb-forward" "! -i ${adb_wandev6} -p tcp -d ${adb_nullipv6} -j REJECT --reject-with tcp-reset" - f_firewall "IPv6" "filter" "A" "${adb_fwdchain_ipv6}" "adb-forward" "! -i ${adb_wandev6} -d ${adb_nullipv6} -j REJECT --reject-with icmp-proto-unreachable" - f_firewall "IPv6" "filter" "A" "${adb_outchain_ipv6}" "adb-output" "! -i ${adb_wandev6} -p udp -d ${adb_nullipv6} -j REJECT --reject-with icmp-port-unreachable" - f_firewall "IPv6" "filter" "A" "${adb_outchain_ipv6}" "adb-output" "! -i ${adb_wandev6} -p tcp -d ${adb_nullipv6} -j REJECT --reject-with tcp-reset" - f_firewall "IPv6" "filter" "A" "${adb_outchain_ipv6}" "adb-output" "! -i ${adb_wandev6} -d ${adb_nullipv6} -j REJECT --reject-with icmp-proto-unreachable" + f_firewall "IPv6" "filter" "A" "${adb_fwdchain_ipv6}" "adb-forward" "! -i ${adb_wandev6} -d ${adb_nullipv6} -j REJECT --reject-with icmp6-addr-unreachable" + f_firewall "IPv6" "filter" "A" "${adb_outchain_ipv6}" "adb-output" "! -i ${adb_wandev6} -d ${adb_nullipv6} -j REJECT --reject-with icmp6-addr-unreachable" if [ "${fw_done}" = "true" ] then f_log "created volatile IPv6 firewall ruleset" 
@@ -691,9 +653,9 @@ f_exit() fi if [ -n "${adb_wanif6}" ] then - ipv6_prerouting="$(${iptv6} -t nat -vnL | awk '$11 ~ /^adb-prerouting$/ {sum += $1} END {print sum}')" - ipv6_forward="$(${iptv6} -vnL | awk '$11 ~ /^adb-forward$/ {sum += $1} END {print sum}')" - ipv6_output="$(${iptv6} -vnL | awk '$11 ~ /^adb-output$/ {sum += $1} END {print sum}')" + ipv6_prerouting="$(${iptv6} -t nat -vnL | awk '$10 ~ /^adb-prerouting$/ {sum += $1} END {print sum}')" + ipv6_forward="$(${iptv6} -vnL | awk '$10 ~ /^adb-forward$/ {sum += $1} END {print sum}')" + ipv6_output="$(${iptv6} -vnL | awk '$10 ~ /^adb-output$/ {sum += $1} END {print sum}')" fi if [ -n "${adb_wanif4}" ] && [ -n "${adb_wanif6}" ] then diff --git a/net/adblock/files/adblock-update.sh b/net/adblock/files/adblock-update.sh index ed826dca2..2fec96d74 100755 --- a/net/adblock/files/adblock-update.sh +++ b/net/adblock/files/adblock-update.sh @@ -45,7 +45,7 @@ fi # get current directory, script- and openwrt version # adb_scriptdir="${0%/*}" -adb_scriptver="0.80.0" +adb_scriptver="0.80.1" openwrt_version="$(cat /etc/openwrt_version 2>/dev/null)" # source in adblock function library @@ -100,7 +100,7 @@ then # only process shallalist archive with updated timestamp, # extract and merge only domains of selected shallalist categories # - shalla_time="$(${adb_fetch} ${wget_parm} --timeout=5 --server-response --spider "${adb_arc_shalla}" 2>&1 | grep -F "Last-Modified: " 2>/dev/null | tr -d '\r' 2>/dev/null)" + shalla_time="$(${adb_fetch} ${wget_parm} --server-response --spider "${adb_arc_shalla}" 2>&1 | grep -F "Last-Modified: " 2>/dev/null | tr -d '\r' 2>/dev/null)" shalla_time="${shalla_time/*: /}" if [ -z "${shalla_time}" ] then 
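Review bot: The packet counters in f_exit are selected by a bare field number, and this hunk itself has to move it from `$11` to `$10`, so the three lines deserve a comment saying what the index depends on. Something like `# field 10 of 'ip6tables -vnL' output carries the adb-* rule tag; re-check this index whenever the rule layout changes` above the block would do. `END {print sum}` also prints an empty string when no rule matched; `END {print sum + 0}` yields a number in that case, which is safer if the value is used in arithmetic later (not visible in this hunk). f_exit starts and ends outside the hunk.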
@@ -109,7 +109,7 @@ then fi if [ -z "${list_time}" ] || [ "${list_time}" != "${shalla_time}" ] then - ${adb_fetch} ${wget_parm} --timeout="${adb_maxtime}" --output-document="${shalla_archive}" "${adb_arc_shalla}" 2>/dev/null + ${adb_fetch} ${wget_parm} --output-document="${shalla_archive}" "${adb_arc_shalla}" 2>/dev/null rc=${?} if [ $((rc)) -eq 0 ] then @@ -184,7 +184,7 @@ do then url_time="${shalla_time}" else - url_time="$(${adb_fetch} ${wget_parm} --timeout=5 --server-response --spider "${url}" 2>&1 | grep -F "Last-Modified: " 2>/dev/null | tr -d '\r' 2>/dev/null)" + url_time="$(${adb_fetch} ${wget_parm} --server-response --spider "${url}" 2>&1 | grep -F "Last-Modified: " 2>/dev/null | tr -d '\r' 2>/dev/null)" url_time="${url_time/*: /}" fi if [ -z "${url_time}" ] @@ -203,7 +203,7 @@ do tmp_domains="$(cat "${shalla_file}" 2>/dev/null)" rc=${?} else - tmp_domains="$(${adb_fetch} ${wget_parm} --timeout="${adb_maxtime}" --output-document=- "${url}" 2>/dev/null)" + tmp_domains="$(${adb_fetch} ${wget_parm} --output-document=- "${url}" 2>/dev/null)" rc=${?} fi else @@ -413,7 +413,7 @@ fi # restart dnsmasq with newly generated or deleted adblock lists, # check dnsmasq startup afterwards # -if [ -n "${adb_revsrclist}" ] || [ -n "${rm_done}" ] +if [ -n "${adb_revsrclist}" ] || [ -n "${rm_done}" ] || [ -n "${restore_done}" ] then /etc/init.d/dnsmasq restart >/dev/null 2>&1 sleep 2 diff --git a/net/adblock/files/adblock.hotplug b/net/adblock/files/adblock.hotplug new file mode 100644 index 000000000..050701b1e --- /dev/null +++ b/net/adblock/files/adblock.hotplug 
@@ -0,0 +1,19 @@ +#!/bin/sh +# + +if [ -f "/var/run/adblock.pid" ] || [ "${ACTION}" != "ifup" ] +then + exit 0 +fi + +. /lib/functions/network.sh +adb_pid="${$}" +adb_logger="/usr/bin/logger" +network_find_wan adb_wanif4 +network_find_wan6 adb_wanif6 + +if [ "${INTERFACE}" = "${adb_wanif4}" ] || [ "${INTERFACE}" = "${adb_wanif6}" ] +then + /etc/init.d/adblock start + "${adb_logger}" -t "adblock[${adb_pid}] info " "adblock service started due to '${ACTION}' of '${INTERFACE}' interface" +fi diff --git a/net/adblock/files/adblock.init b/net/adblock/files/adblock.init index 96e564437..2174fea60 100755 --- a/net/adblock/files/adblock.init +++ b/net/adblock/files/adblock.init @@ -23,6 +23,11 @@ then exit 255 fi +boot() +{ + return 0 +} + start() { eval "${adb_script}" ${bg_parm}
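Review bot: The guard at the top of the new hotplug script only tests that `/var/run/adblock.pid` exists, so a file left behind by an interrupted run would make every later `ifup` event exit without starting adblock; whether the update script always removes it is not visible here. Testing that the recorded process is still alive would avoid that, e.g. `kill -0 "$(cat /var/run/adblock.pid 2>/dev/null)" 2>/dev/null`, assuming the file holds a pid. The final comparison also succeeds when `INTERFACE` and both `adb_wanif*` values are empty, so `[ -n "${INTERFACE}" ]` belongs in that condition. The empty `#` header line could become a short comment stating that the script is installed as `/etc/hotplug.d/iface/99-adblock` and reacts only to a wan `ifup`.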