Script: Adblock - not so lean

Discussion in 'Tomato Firmware' started by jerrm, Mar 13, 2016.

  1. jorzuniga

    jorzuniga New Member Member

    Hi

    I have a problem with my installation: when I install on jffs I don't have a problem, but when I install on /cifs2/adblock it shows this error

    /$ export PREFIX=/cifs2/
    /$ wget -O - http://goo.gl/GfA7cQ | sh
    Connecting to goo.gl (64.233.190.138:80)
    Connecting to tomato-adblock.weebly.com (199.34.228.53:80)
    adblock-install: installing binaries and scripts to /cifs2/, config to /cifs2//adblock.ini
    Connecting to tomato-adblock.weebly.com (199.34.228.54:80)
    adblock.sh
    adblockweb.sh
    adblock.changelog
    adblock.ini.default
    adblock.ini.readme
    pixelserv/arm/
    pixelserv/arm/LICENSE
    pixelserv/arm/README.md
    pixelserv/arm/pixelserv.tomatoware.performance.dynamic
    pixelserv/arm/pixelserv.tomatoware.performance.static
    pixelserv/arm/VERSION
    pixelserv/mips/
    pixelserv/mips/LICENSE
    pixelserv/mips/README.md
    pixelserv/mips/pixelserv.tomatoware.performance.dynamic
    pixelserv/mips/pixelserv.tomatoware.performance.static
    pixelserv/mips/VERSION
    pixelserv/mipsK24/
    pixelserv/mipsK24/LICENSE
    pixelserv/mipsK24/README.md
    pixelserv/mipsK24/pixelserv.mips.performance.dynamic
    pixelserv/mipsK24/pixelserv.mips.performance.static
    adblock-install: installing /cifs2//adblock.changelog
    adblock-install: installing /cifs2//adblock.ini.readme
    adblock-install: installing /cifs2//adblock.ini.default
    adblock-install: installing /cifs2//adblock.sh
    adblock-install: installing /cifs2//adblockweb.sh
    adblock-install: installing /cifs2//pixelserv.tomatoware.performance.static
    adblock-install: creating 'pixelserv' link for /cifs2//pixelserv.tomatoware.performance.static
    could not create link, attempting copy instead
    adblock-install: installing default config file /cifs2//adblock.ini
     
  2. HunterZ

    HunterZ Network Guru Member

    I don't see an error, just a warning. I'm not sure that cifs mounts support symbolic links.
     
  3. jerrm

    jerrm Network Guru Member

    Not an error, assuming /cifs2 is really a CIFS mount. CIFS does not support links, so the install should be copying /cifs2/pixelserv.tomatoware.performance.static to /cifs2/pixelserv
     
    HunterZ likes this.
  4. jorzuniga

    jorzuniga New Member Member

    Hi, thanks for answering my question... that is my problem, pixelserv... when I put it in the WAN Up script it doesn't start.

    Please help me!!
    PS: with jffs it works fine!! But when I download the source file my jffs is full and doesn't have much space, and that is the reason I need CIFS.

    Regards from Chile
     

    Attached Files: 01.jpg, 02.jpg, 03.jpg
    Last edited: Jun 22, 2016
  5. Malakai

    Malakai Networkin' Nut Member

    Isn't there a problem with the PREFIX export part?
    Code:
    /$ export PREFIX=/cifs2/
    You have a / at the end so for all the adblock-install parts you have /cifs2//
    Code:
    adblock-install: installing /cifs2//adblock.changelog
    adblock-install: installing /cifs2//adblock.ini.readme
    adblock-install: installing /cifs2//adblock.ini.default
    adblock-install: installing /cifs2//adblock.sh
    adblock-install: installing /cifs2//adblockweb.sh
    adblock-install: installing /cifs2//pixelserv.tomatoware.performance.static
    I think it would be best to have:
    Code:
    /$ export PREFIX=/cifs2
    Don't know if the warning comes from this but it would be better to not have a double /
     
  6. jorzuniga

    jorzuniga New Member Member

    Thanks for helping me... but it still doesn't work

    /$ export PREFIX=/cifs2
    /$ wget -O - http://goo.gl/GfA7cQ | sh
    Connecting to goo.gl (64.233.190.101:80)
    Connecting to tomato-adblock.weebly.com (199.34.228.54:80)
    adblock-install: installing binaries and scripts to /cifs2, config to /cifs2/adblock.ini
    Connecting to tomato-adblock.weebly.com (199.34.228.53:80)
    adblock.sh
    adblockweb.sh
    adblock.changelog
    adblock.ini.default
    adblock.ini.readme
    pixelserv/arm/
    pixelserv/arm/LICENSE
    pixelserv/arm/README.md
    pixelserv/arm/pixelserv.tomatoware.performance.dynamic
    pixelserv/arm/pixelserv.tomatoware.performance.static
    pixelserv/arm/VERSION
    pixelserv/mips/
    pixelserv/mips/LICENSE
    pixelserv/mips/README.md
    pixelserv/mips/pixelserv.tomatoware.performance.dynamic
    pixelserv/mips/pixelserv.tomatoware.performance.static
    pixelserv/mips/VERSION
    pixelserv/mipsK24/
    pixelserv/mipsK24/LICENSE
    pixelserv/mipsK24/README.md
    pixelserv/mipsK24/pixelserv.mips.performance.dynamic
    pixelserv/mipsK24/pixelserv.mips.performance.static
    adblock-install: installing /cifs2/adblock.changelog
    adblock-install: installing /cifs2/adblock.ini.readme
    adblock-install: installing /cifs2/adblock.ini.default
    adblock-install: installing /cifs2/adblock.sh
    adblock-install: installing /cifs2/adblockweb.sh
    adblock-install: installing /cifs2/pixelserv.tomatoware.performance.static
    adblock-install: creating 'pixelserv' link for /cifs2/pixelserv.tomatoware.performance.static
    could not create link, attempting copy instead
    adblock-install: installing default config file /cifs2/adblock.ini
     
  7. HunterZ

    HunterZ Network Guru Member

    @jorzuniga It looks like you haven't set up an adblock.ini for your particular configuration.
     
  8. jorzuniga

    jorzuniga New Member Member

    Thanks @HunterZ, I will try it and write here later
     
  9. jorzuniga

    jorzuniga New Member Member

    I configured adblock.ini but it doesn't work.. if I use jffs it works fine!! :/ (my hard drive has an ext3 partition)
     
  10. HunterZ

    HunterZ Network Guru Member

    Anything helpful in your system logs?
     
  11. jorzuniga

    jorzuniga New Member Member

    That's what it shows me!!.... but it works!!! But I just realized it doesn't show the Adblock menu in Tomato, I have to enter the direct address!!.... do you know why?


    Jun 23 00:42:18 unknown user.notice ADBLOCK[1356]: Running as /cifs2/adblock.sh cron
    Jun 23 00:42:19 unknown daemon.info udhcpc[1435]: Sending renew...
    Jun 23 00:42:19 unknown daemon.info udhcpc[1435]: Lease of 192.168.0.7 obtained, lease time 86400
    Jun 23 00:42:19 unknown user.notice ADBLOCK[1356]: Using config file /cifs2/adblock.ini
    Jun 23 00:42:19 unknown user.notice ADBLOCK[1356]: Ignoring extra config file /cifs2/adblock.ini
    Jun 23 00:42:19 unknown user.notice ADBLOCK[1356]: Requested list mode is OPTIMIZE
    Jun 23 00:42:19 unknown daemon.warn dnsmasq[682]: possible DNS-rebind attack detected: adblock.is.loaded
    Jun 23 00:42:20 unknown daemon.warn dnsmasq[682]: possible DNS-rebind attack detected: optimize.mode.is.loaded
    Jun 23 00:42:20 unknown user.notice ADBLOCK[1356]: Creating web link /www/user/adblock.sh
    Jun 23 00:42:20 unknown user.notice ADBLOCK[1356]: Web interface should be available at http://192.168.1.1/user/adblock.sh
    Jun 23 00:42:21 unknown user.notice ADBLOCK[1356]: Adding tomato menu item
    Jun 23 00:42:21 unknown user.notice ADBLOCK[1356]: Config or script has changed - rebuilding list
    Jun 23 00:42:21 unknown user.notice ADBLOCK[1356]: Download starting
    Jun 23 00:42:21 unknown cron.err crond[810]: time disparity of 24444281 minutes detected
    Jun 23 00:42:22 unknown user.notice ADBLOCK[1356]: Downloading: http://winhelp2002.mvps.org/hosts.txt
    Jun 23 00:42:25 unknown user.notice ADBLOCK[1356]: Downloading: http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&mimetype=plaintext
    Jun 23 00:42:26 unknown user.notice ADBLOCK[1356]: Completed: http://winhelp2002.mvps.org/hosts.txt
    Jun 23 00:42:28 unknown user.notice ADBLOCK[1356]: Completed: http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&mimetype=plaintext
    Jun 23 00:42:28 unknown user.notice ADBLOCK[1356]: Downloaded
    Jun 23 00:42:28 unknown user.notice ADBLOCK[1356]: Generating /cifs2/adblock/blocklist - OPTIMIZE mode
     
  12. reimer

    reimer Addicted to LI Member

    Looks like hosts-file.net has started using https. Noticed the number of blocked hosts dropped by half after an update.

    Went ahead and installed entware + openssl-util and everything is back to normal
     
  13. meazz1

    meazz1 LI Guru Member

    I just noticed it too. Did the entware+openssl-util work along with this adblocker script? How did you achieve this?
     
  14. HunterZ

    HunterZ Network Guru Member

    I have entware-ng with the openssl packages, and for me it seems to see the HTTP redirect code and try the reported URL automatically.
     
  15. reimer

    reimer Addicted to LI Member

    I followed this guide on installing entware to a usb drive.
    https://github.com/Entware-ng/Entware-ng/wiki/Install-on-the-TomatoUSB

    then install the openssl-util package
    "opkg openssl-util"

    reinstall the adblock script and you're good to go
     
  16. tmr250z

    tmr250z Network Guru Member

    It seems to work initially if I load adblock manually i.e., executing "/opt/bin/adblock.sh cron" from Tomato's Tools->System Commands or from the command line, or by running "force" from the adblock web interface. But if I reboot the router and let adblock load from the wanup script, the hosts-file.net download fails. I have this in my wanup script:

    Code:
    nslookup adblock.is.loaded || /opt/bin/adblock.sh cron &

    Anyone else experience this?
     
    Last edited: Jun 26, 2016
  17. koitsu

    koitsu Network Guru Member

    "Doesn't work" is vague, but odds are it relates to $PATH usage. Please try:
    Code:
    nslookup adblock.is.loaded || /opt/bin/adblock.sh cron > /tmp/adblock.cron.log 2>&1 &
    ...reboot, then see what /tmp/adblock.cron.log contains. This should shed light on what the actual error is when downloading from that host. As hinted, I have a feeling PATH isn't including /opt so the wrong wget/whatever binary is being run. I simply don't know, hence why to do the above. :D
     
  18. tmr250z

    tmr250z Network Guru Member

    Alright, this is what it contains:

    Code:
    ADBLOCK[979]: Running as /opt/bin/adblock.sh cron
    ADBLOCK[979]: Using config file /opt/bin/adblock.ini
    ADBLOCK[979]: Requested list mode is OPTIMIZE
    ADBLOCK[979]: Creating web link /www/user/adblock.sh
    ADBLOCK[979]: Web interface should be available at http://10.0.0.1/user/adblock.sh
    ADBLOCK[979]: Adding tomato menu item
    ADBLOCK[979]: Download starting
    ADBLOCK[979]: Unchanged: http://www.malwaredomainlist.com/hostslist/hosts.txt (Last-Modified: Mon, 27 Jun 2016 00:24:34 GMT)
    ADBLOCK[979]: Unchanged: http://winhelp2002.mvps.org/hosts.txt (Last-Modified: Thu, 23 Jun 2016 16:31:31 GMT)
    ADBLOCK[979]: Downloading: https://hosts-file.net/ad_servers.txt
    Connecting to hosts-file.net (107.22.171.143:443)
    ADBLOCK[979]: Unchanged: http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&mimetype=plaintext (Last-Modified: Fri, 17 Jun 2016 12:57:43 GMT)
    ADBLOCK[979]: Unchanged: http://adaway.org/hosts.txt (Last-Modified: Tue, 25 Aug 2015 22:42:21 GMT)
    wget: error getting response: Connection reset by peer
    ADBLOCK[979]: Failed: https://hosts-file.net/ad_servers.txt
    ADBLOCK[979]: Filters unchanged
    ADBLOCK[979]: Setting up 10.0.0.254 netmask 255.255.255.0 on br0:adblk
    ADBLOCK[979]: Setting up pixelserv on 10.0.0.254
    ADBLOCK[979]: pixelserv[1380]: /opt/bin/pixelserv version: V35.HZ13 compiled: Oct  6 2015 22:35:24 options: 10.0.0.254
    ADBLOCK[979]: Writing File /etc/dnsmasq.custom
    ADBLOCK[979]: CONF file /etc/dnsmasq.custom changed
    ADBLOCK[979]: Restarting dnsmasq
    ADBLOCK[979]: ....
    ADBLOCK[979]: Done.
    ADBLOCK[979]: Exiting /opt/bin/adblock.sh 0
    
     
  19. koitsu

    koitsu Network Guru Member

    Okay, I see several things wrong with this script, specifically with regards to things using HTTPS:

    First, it implements a HEAD request in a very broken way. Line numbers are on the left:

    Code:
    589         local host=$(echo $1 | awk -F"/" '{print $3}')
    590         local path=$(echo $1 | awk -F"/" '{print substr($0, index($0,$4))}')
    591         local lastmod=$(echo -e "HEAD /$path HTTP/1.1\r\nHost: $host\r\n\r\n" | nc -w30 $host 80 | tr -d '\r' | grep "Last-Modified")
    
    nc (netcat) is used to connect on TCP port 80, and that port is hard-coded, regardless of what the URL is. For HTTPS URLs (usually TCP port 443), this will unconditionally/always fail, forcing a download every single time. This problem would happen as well for sites which use a non-port-80 TCP port (ex. http://blah.com:1234/something).

    Because Tomato does not come with curl by default (which can make this whole process easier, if not downright flawless), the script will need to be modified to parse/comprehend URI -- specifically http vs. https. Adding support for explicit port numbers (see above ex.) would have to be done too, if someone wanted to be thorough about it.

    However, URI parsing will not necessarily fix the problem. Which leads me to the next issue.

    The "connection reset by peer" message happens when wget is called. The script simply calls it as a raw command -- i.e. it is susceptible to whatever $PATH is currently in effect when the script is run:

    Code:
    613                 if wget  $1 -O - $wget_opts ; then
    
    Note #1: This code is also very broken if special characters are used in the URL, especially ampersand; it really should have double quotes around the $1. This is super, SUPER dangerous as it stands!

    Note #2: The argument order here is completely wrong. Someone seems to think you can just append arguments to a command line and it'll work; this person is very, very mistaken (I cannot stress this enough. Grr!!!). To solve both this and #1, the command should really read:

    Code:
    613                if wget -O - $wget_opts "$1" ; then
    
    We can verify that the stock Tomato/Busybox wget is being called easily enough:

    Code:
    root@gw:/tmp/home/root# /usr/bin/wget https://hosts-file.net/ad_servers.txt
    Connecting to hosts-file.net (107.22.171.143:443)
    wget: error getting response: Connection reset by peer
    
    The "connection reset by peer" error comes from the fact that the SSL ciphers mandated/required by whoever runs hosts-file.net do not work with the ones that Busybox wget supports. This shouldn't come as a surprise, given that SSL support in Tomato/Busybox is precarious at best.

    If you were to use the Entware-ng wget, you'd find it works:

    Code:
    root@gw:/tmp/home/root# /opt/bin/wget https://hosts-file.net/ad_servers.txt
    --2016-06-26 23:15:15--  https://hosts-file.net/ad_servers.txt
    Resolving hosts-file.net... 107.22.171.143
    Connecting to hosts-file.net|107.22.171.143|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1824280 (1.7M) [text/plain]
    ...
    
    When a script runs from the Administration -> Scripts section, it does not take into account PATH (i.e. PATH does not contain /opt-related paths). In fact, it can't do this reliably -- ever! It would create a catch-22 or infinite recursion loop issue: /opt needs to be mounted before this script can be run successfully, but it's in WAN Up, which could technically happen even before "tasting" (to find filesystems, mount them, etc.) has happened. There's no real way to block/wait indefinitely for that to happen. In fact, most *IX systems (Linux and FreeBSD especially) behave like this as well -- PATH inside of init scripts run at boot-up tend to be different than if run from the command-line, etc...

    The way you usually solve this reliably is by calling the adblock bits in an autorun script that's on your USB flash drive, not using WAN Up. An autorun script on the USB flash drive will automatically run when the filesystem is mounted. You'd then also have to modify the script to either a) use /opt/bin/wget instead of just wget, or b) do something like export PATH="/opt/usr/sbin:/opt/sbin:/opt/bin:/usr/local/sbin:/usr/sbin:/usr/bin:/sbin:/bin" near the very top of the script. I would suggest starting with just calling /opt/bin/wget (vs. using PATH) because changing PATH means other programs that might conflict (Tomato/Busybox base vs. Entware) could break. (Busybox does not necessarily implement all the same flags and usage syntaxes as common GNU utilities)

    If someone reads this post and says "whatever koitsu, you can just use /opt/bin/wget and the problem is solved... see, I unplugged my WAN and then plugged it back in and it worked!", then they aren't thinking about the problem from a reboot perspective (their /opt is certainly already mounted, so of course it'll work). If you want to implement it like that, then great, go right ahead: you'll find it "might" work on boot (sometimes), and when it doesn't, you'll be forced to go manually run the command from the CLI (which WILL work because /opt will be available by then, or should be). :p

    For implementing autorun properly (esp. solving the issue of if clicking Save or Mount in parts of the Tomato GUI causing multiple /opt bindable mounts to be made), you can Google site:linksysinfo.org autorun koitsu and find me talking about all this, as well as people implementing autorun scripts to do things appropriately.

    If you've already implemented an autorun script yourself, then awesome -- just add nslookup adblock.is.loaded || /opt/bin/adblock.sh cron & to your autorun script and you should be good to go. (I would suggest using the > some.log 2>&1 methodology to troubleshoot it at the beginning to make sure everything works).
     
    ruggerof and Tuurbo like this.
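    The post above lists three defects in the script's download path: a HEAD probe hard-wired to port 80, a wget call with the URL unquoted and in the wrong argument position, and reliance on whatever PATH is in effect. The script below is an added example, not code from the adblock script or from koitsu, showing what a scheme-aware version of those pieces looks like in Busybox-compatible sh: a URL parser that understands http vs. https and explicit ports, a Last-Modified probe that uses nc for http and openssl s_client (as jerrm suggests further down) for https, and a wget call with the options before a quoted URL. It assumes nc, openssl and wget resolve via PATH; the WGET and WGET_OPTS variables are this example's own, so set WGET=/opt/bin/wget to force the Entware binary.

```shell
#!/bin/sh
# Added example; not code from the adblock script or from koitsu's post.
# Assumptions: nc, openssl and wget resolve via PATH (set WGET=/opt/bin/wget
# for the Entware binary); WGET_OPTS is optional extra wget options.

# url_parse URL
#   Sets URL_SCHEME, URL_HOST, URL_PORT, URL_PATH and prints them on one line.
#   Returns 1 for anything other than an http:// or https:// URL.
url_parse() {
    local rest hostport
    case $1 in
        http://*)  URL_SCHEME=http;  URL_PORT=80  ;;
        https://*) URL_SCHEME=https; URL_PORT=443 ;;
        *) return 1 ;;
    esac
    rest=${1#*://}
    hostport=${rest%%/*}
    case $rest in
        */*) URL_PATH=/${rest#*/} ;;   # query strings such as ?a=1&b=2 stay intact
        *)   URL_PATH=/ ;;
    esac
    URL_HOST=${hostport%%:*}
    case $hostport in
        *:*) URL_PORT=${hostport##*:} ;;   # explicit port, e.g. http://blah.com:1234/x
    esac
    [ -n "$URL_HOST" ] || return 1
    printf '%s %s %s %s\n' "$URL_SCHEME" "$URL_HOST" "$URL_PORT" "$URL_PATH"
}

# head_request URL -> the raw HTTP/1.1 HEAD request for that URL's host and path
head_request() {
    url_parse "$1" >/dev/null || return 1
    printf 'HEAD %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$URL_PATH" "$URL_HOST"
}

# last_modified URL -> the Last-Modified header, fetched over the transport the
# scheme calls for (plain nc for http, TLS via openssl s_client for https).
# Needs network access, so it is not exercised by the checks below.
last_modified() {
    url_parse "$1" >/dev/null || return 1
    if [ "$URL_SCHEME" = https ]; then
        head_request "$1" | openssl s_client -quiet -connect "$URL_HOST:$URL_PORT" -servername "$URL_HOST" 2>/dev/null
    else
        head_request "$1" | nc -w30 "$URL_HOST" "$URL_PORT"
    fi | tr -d '\r' | grep -i '^Last-Modified:'
}

# fetch_list URL -> streams the list to stdout.  Options first, the URL last
# and quoted, so an '&' in a query string is part of the URL rather than a
# shell operator.
fetch_list() {
    "${WGET:-wget}" -O - $WGET_OPTS "$1"
}
```

Running url_parse on the URLs quoted in this thread gives "https hosts-file.net 443 /ad_servers.txt" and "http blah.com 1234 /something"; the yoyo.org list URL keeps its full query string as the path. The probe still only works where the router's TLS stack can negotiate with the remote side, which is the separate cipher problem the post describes.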
  20. jerrm

    jerrm Network Guru Member

    @tmr250z, what version of Tomato?

    As has been mentioned multiple times, the script does not support https. That said, it should be mostly functional on Shibby ARM 130+ or any relatively recent Tomato version if a full wget is installed (or openssl-util for MIPS 130+). The file date check code will not work, and any lists will be downloaded with each execution (the date check has always been a hack around busybox wget). For https, we would need to use s_client for the head request. ARM could support this, MIPS cannot without opt/ent/tomato-ware.

    @koitsu's mount availability discussion is technically accurate, but rather academic. In practice, over 4+ years or so and dozens of installs, USB thumb drives are mounted at wanup. A slow to spin up physical drive might be a different story, but I have not seen that to be the case. Of course the next update could break the behavior (along with anything else). In any event it is not relevant to @tmr250z. The script is run from /opt/bin, so obviously the drive is mounted. That said, I don't like wanup or autorun scripts and start everything from init.

    The PATH is a concern. Wanup includes /opt in the path, but it is at the end of the path, not the beginning. If using 3rd party packages, the path needs to be tweaked appropriately. I doubt I will ever modify the script for this; it is simple enough to add the line to wanup prior to calling the script. Another option would be to tweak the path or alias the command in the config file, but be warned I HATE the executable config. I've left it that way for backward compatibility, but it could change.

    I use @shibby20's builds up to 132. I can't speak directly to @Toastman's. If there is an issue with @shibby20's 133+ or @Toastman's builds I will attempt to address them, but someone else will need to do the testing.
     
    Last edited: Jun 27, 2016
  21. tmr250z

    tmr250z Network Guru Member

    @jerrm: I'm using Shibby v132, specifically tomato-K26USB-1.28.RT-N5x-MIPSR2-132-VPN-64K on an Asus RT-N66U, so yeah it's MIPS. I don't need MultiWAN so I decided to stick with that version.

    I'm aware that adblock doesn't support https, so I am using entware-ng+wget as a work-around. It seemed to work fine at first until I had to reboot my router and discovered this reboot issue.

    Edit: @jerrm Just noticed that when adblock runs the update scheduled by the cron job, https download fails then, too. So there's that as well.


    @koitsu: You're a great help as always. I will definitely try what you suggested. Thank you.
     
    Last edited: Jun 27, 2016
  22. koitsu

    koitsu Network Guru Member

    While falling asleep last night, something else occurred to me: more is required than just "dumping this into an autorun script". The autorun script will need to essentially wait for the Internet connection to become usable (i.e. router reboots, USB filesystem is mounted quickly but before the WAN connection has come up -- the script will fail because it'll be trying to access the Internet before it's available).

    I solved this problem by writing a small Entware init.d/rc.unslung script that patiently and safely waits for ntpc (which Tomato does by default) to finish. I named it /opt/etc/init.d/S00netwait (the "Sxxxx" naming convention is important!), with subsequent startup scripts that rely on the Internet being named something after that (i.e. S01adblock would be a good choice) so that they run "in sequential order". This is how classic init scripts work, and how Entware runs its init scripts (see /opt/etc/init.d/rc.unslung -- it's very short/easy to understand).

    In my autorun script (called /opt/mount.autorun), I do this (note that you'd need to change myusbflashlabelname to whatever your USB flash drive's label is -- I simply don't know it!):

    Code:
    #!/bin/sh
    #
    # automount script for USB flash drives
    #
    # Details about automount scripts:
    # http://www.linksysinfo.org/index.php?threads/status-logs-dont-update-correctly.69614/#post-240957
    # http://www.linksysinfo.org/index.php?threads/how-can-i-run-transimission-after-mounting-hdd.70573/#post-252990
    
    # Ensure that only one /opt bindable mount exists.  Repeated /opt mounts can happen (Linux will
    # allow this!) if clicking "Mount" or "Save" in some parts of the Tomato GUI.
    
    if /bin/grep -q /opt /proc/mounts
    then
      /bin/umount /opt
    
      if [ $? -ne 0 ]
      then
        echo "umount failed, script not continuing"
        exit 1
      fi
    fi
    
    /bin/mount -o bindable /tmp/mnt/myusbflashlabelname /opt
    
    #
    # If using Entware, do some stuff.  Otherwise don't bother.
    #
    if [ -e /opt/etc/init.d ]; then
      #
      # Launch daemons we have installed per Entware.
      #
      if [ -f /opt/etc/init.d/rc.unslung ]; then
        /opt/etc/init.d/rc.unslung start
      fi
    fi
    
    And here's S00netwait:

    Code:
    #!/bin/sh
    
    # Copyright (C) 2013-2016 Jeremy Chadwick. All rights reserved.
    #
    # Redistribution and use in source and binary forms, with or without
    # modification, are permitted provided that the following conditions
    # are met:
    #
    # 1. Redistributions of source code must retain the above copyright
    #    notice, this list of conditions and the following disclaimer.
    # 2. Redistributions in binary form must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer in the
    #    documentation and/or other materials provided with the distribution.
    #
    # THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS ``AS IS'' AND
    # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
    # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
    # ARE DISCLAIMED.  IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
    # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
    # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
    # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
    # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
    # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
    # SUCH DAMAGE.
    
    # Waits for ntpc/ntpdate to properly sync time before starting up any
    # daemons past this point.  The way it works is by repeatedly calling
    # /bin/date +%Y and seeing if the year returned is later than 1970.
    # Most routers do not have battery-backed RTCs, so their clocks always
    # start from the epoch (December 31st 1969).  A year later than 1970
    # (i.e. 1971 or later) would indicate ntpc has finished.
    #
    # This is helpful for daemons which are time-sensitive, such as
    # BIND/named, where a clock that is extremely skewed can cause errors
    # like: checkhints: unable to get root NS rrset from cache: not found
    #
    # TODO: Implement stop/start/restart/reconfigure/check/kill argument
    # support, per rc.unslung.  Right now this just runs blindly every
    # time.  stop/reconfigure/check/kill should be no-ops, start/restart
    # should actually do something.
    #
    NAME="netwait[$$]"
    INTERVAL=3
    MAXCOUNT=10
    
    checkdate() {
      local year=$(/bin/date +%Y)
      if [ $year -gt 1970 ]
      then
        return 0
      fi
      return 1
    }
    
    # First thing we do is check the current date.  If the year is
    # already compliant, then don't call logger or anything else; just
    # exit cleanly immediately.
    
    if checkdate; then
      exit 0
    fi
    
    # Otherwise use a loop to check things repeatedly and bail out if
    # things look good -- or bail out at the very end with a nastygram
    # indicating we're not responsible if daemons misbehave past this
    # point.  :-)
    
    i=1
    while [ $i -le $MAXCOUNT ]
    do
      logger -t $NAME "Waiting for ntpc (attempt ${i}/${MAXCOUNT})"
      sleep $INTERVAL
    
      if checkdate; then
        logger -t $NAME "Clock synced; good to go!"
        exit 0
      fi
      i=$((i+1))
    done
    
    logger -t $NAME "Clock remains unsynced; continuing anyway"
    exit 1
    
    
    After that, all of this magically happens on USB filesystem mount. You'll see stuff in the log (e.g. /var/log/messages) as well (I use logger in S00netwait for that exact reason).
     
  23. tmr250z

    tmr250z Network Guru Member

    OK, I'll add those, thanks!
     
  24. jerrm

    jerrm Network Guru Member

    Easiest option is to add
    Code:
    PATH="/opt/sbin:/opt/bin:$PATH"
    at the top of WANUP. No need to modify the adblock script.
     
    dowden likes this.
  25. tmr250z

    tmr250z Network Guru Member

    Adding that to the top of WAN Up fixes the reboot issue (as long as /opt/bin/adblock.sh cron is in WAN Up too), but https download still fails during a scheduled update.

    But adding that to the top of the adblock script, or making either one of the modifications koitsu suggested earlier, i.e. modifying the script to use /opt/bin/wget instead of wget, or adding export PATH="/opt/usr/sbin:/opt/sbin:/opt/bin:/usr/local/sbin:/usr/sbin:/usr/bin:/sbin:/bin" to the top of the script, fixes both issues.
     
  26. Frequenzy

    Frequenzy Networkin' Nut Member

    @jerrm
    I know the script is for Tomato only, but is there a way to use it under Merlin fw? Thanks.
     
  27. vdantoni

    vdantoni Network Newbie Member

    Adblock has been integrated into shibby tomato v137, so you may want to try that route...
     
  28. jerrm

    jerrm Network Guru Member

    Last I looked, Merlin has enough hooks to make it work, but had some hurdles. Unless things have changed, the admin http server binds to all IPs, so either pixelserv or the admin http server would need to be run on an alternate port. An iptables redirect could be used to redirect traffic appropriately based on the target IP. dnsmasq.custom does not exist under Merlin, but there is an analog, don't remember the name. No idea about the web UI.
     
    Last edited: Jun 29, 2016
  29. Jorge Benavides

    Jorge Benavides Connected Client Member

    Quick question, then. I was recommended to use v132 because QoS was not working on higher versions.
    Can someone tell me if v137 (including adblock) has fixed QoS?

    Thanks in advance.
     
  30. my_bey

    my_bey Serious Server Member

    Before upgrading my firmware to v137, I uninstalled adblock. I found the new firmware integrated adblock under the advanced option. Now, I am wondering what the URL is to monitor what is blocked and white listed.
    In v136 or below, the URL I used was https://192.168.2.1/user/adblock.sh
     
  31. vdantoni

    vdantoni Network Newbie Member

    You may want to ask those questions/requests on the Shibby's Tomato thread, so this one won't be hijacked.
     
  32. Michael Malone

    Michael Malone Network Newbie Member

    I am running Tomato Firmware 1.28.0000 MIPSR2-137 K26 Max on my Linksys E1200 v2.0 with the new Adblock feature. It doesn't have pixelserv and I can't download the 2 SSL https block lists which appear as options. Not with this router, anyway. I don't know how good it is?
     
  33. phuklok1

    phuklok1 Network Guru Member

    Agreed. I played with the built in option, but I'm sticking with this stand alone script. Not only for pixelserv, but because it is far more configurable.
     
  34. dowden

    dowden Reformed Router Member

    After setting up wget from optware, I get an error downloading from hosts-file:

    Unable to locally verify the issuer's authority.
    To connect to .. insecurely, use `--no-check-certificate'.


    The solution is to modify adblock.sh:

    # additional options for wget
    wget_opts="--no-check-certificate"

    I can't put this in adblock.ini

    I also see lastmod* files are not generated for sources downloaded from https.
    So it always downloads all https sources without checking lastmod.
     
    Last edited: Jul 3, 2016
  35. Malakai

    Malakai Networkin' Nut Member

    I think you can also install the ca-certificates from optware so that wget can check the certificate (not sure but I think it is available only for ARM).
     
  36. Michael Malone

    Michael Malone Network Newbie Member

    I gave up on the newly included MIPSR2-137 firmware adblock and appreciate the tip that hosts-file.net is now using https --so it's off my list (can't use SSL downloads with my Linksys e1200v2). SSL Not supported in curl. I have a curl binary that's supposed to work and allow SSL downloads if I add it to the router, but I'm not sure how to implement that?
     
  37. HunterZ

    HunterZ Network Guru Member

    Why is it that if I put "mlofficial.no-ip.biz" in the whitelist, it still gets redirected to pixelserv?

    Is there something I need to set in adblock.ini to let me whitelist subdomains?
     
  38. leandroong

    leandroong LI Guru Member

    As an alternative for adblock implementation, you can use unbound with libevent, which is much easier to implement. I have been using this for almost 2 yrs now and have had no more worries.
     
  39. meazz1

    meazz1 LI Guru Member

    Can you briefly write how you did that? I tried to google it but could not understand much.
     
  40. leandroong

    leandroong LI Guru Member

    I got the concept here, https://www.bentasker.co.uk/documentation/linux/279-unbound-adding-custom-dns-records

    1. unbound.conf (add)
    include: /opt/etc/unbound/local-blocking-data.conf

    2. sample contents of local-blocking-data.conf
    Code:
           local-data: "000dom.revenuedirect.com A 127.0.0.8"
           local-data: "00119922.com A 127.0.0.8"
           local-data: "005.free-counter.co.uk A 127.0.0.8"
           local-data: "006.free-adult-counters.x-xtra.com A 127.0.0.8"
           local-data: "006.free-counter.co.uk A 127.0.0.8"
    ....
    3. prefer cronjob for data update.

    4. make sure your unbound compiled with libevent, for speed.
     
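    As an added example (my own, not from the thread and not unbound's tooling), this POSIX sh function turns a hosts-format blocklist into the local-data lines shown above, using the 127.0.0.8 sink address from the post; the sample hosts text is constructed.

```shell
#!/bin/sh
# Added example (not from the thread, not unbound's own tooling): convert a
# hosts-format blocklist into unbound local-data lines like the ones above.

# hosts_to_unbound [SINK_IP]  (reads a hosts file on stdin)
# Emits one  local-data: "<host> A <sink>"  line per unique hostname.
# Skips comments, blank lines, CRLF endings and the localhost entries every
# hosts file carries, and ignores names that are not usable hostnames.
hosts_to_unbound() {
    sink="${1:-127.0.0.8}"          # 127.0.0.8 is the sink used in the post
    tr -d '\r' | sed 's/#.*//' | awk -v sink="$sink" '
        # only hosts lines that point a name at a sink/loopback address
        NF >= 2 && $1 ~ /^(0\.0\.0\.0|127\.0\.0\.1|::1)$/ {
            for (i = 2; i <= NF; i++) {
                h = tolower($i)
                if (h == "localhost" || h == "localhost.localdomain" || h == "broadcasthost")
                    continue
                if (h !~ /^[a-z0-9]([a-z0-9._-]*[a-z0-9])?$/)
                    continue               # not a usable hostname
                if (!(h in seen)) {        # de-duplicate across sources
                    seen[h] = 1
                    printf "local-data: \"%s A %s\"\n", h, sink
                }
            }
        }'
}

# Constructed sample in hosts-file format: mixed case, comments, duplicates,
# a CRLF-terminated line as found in Windows-produced lists, an invalid name.
SAMPLE_HOSTS=$(printf '%s\n' \
    '# constructed sample' \
    '127.0.0.1 localhost' \
    '0.0.0.0 ads.example.com    # trailing comment' \
    '0.0.0.0 ADS.example.com tracker.example.net' \
    "$(printf '0.0.0.0 win.example.org\r')" \
    '0.0.0.0 not_a/host')

# count_rules: number of local-data lines produced for the sample (3)
count_rules() {
    printf '%s\n' "$SAMPLE_HOSTS" | hosts_to_unbound 127.0.0.8 | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_HOSTS" | hosts_to_unbound 127.0.0.8
```

    Write the output to the include file named in step 1 and run unbound-checkconf before reloading.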
  41. Michael Malone

    Michael Malone Network Newbie Member

    I get random SSL Error 107.
    Can I white-list some domains to fix the problem?

    SSL connection error
    Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.

    Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
     
  42. gsdstream

    gsdstream New Member Member

    Is there a way to make this work only for one specific bridge? e.g. use the adblock script for br2 but not br0,br1. Alternatively a way to make it work on 192.168.3.0/24 but not any other IPs.
     
  43. jerrm

    jerrm Network Guru Member

    Not via the script, but it can be achieved. The clients that don't want adblock could point their DNS to something other than the router. Dnsmasq directives could be used to assign an alternate DNS server to no-block LANs. Iptables could be used to redirect the requests. A second dnsmasq instance could be run.
     
  44. Michael Malone

    Michael Malone Network Newbie Member

    I got tired of entering Google CAPTCHAs and heard the fix was to use Google's Public DNS (8.8.8.8/8.8.4.4) instead of ISP. Is this all that needs to be done to keep it working with the adblock script?

    Dnsmasq
    Custom configuration

    ----

    no-resolv
    strict-order
    server=8.8.8.8
    server=8.8.4.4
     
  45. jerrm

    jerrm Network Guru Member

    Should be OK, but I'm not 100% sure how no-resolv interacts with the resolv-file directive used by Tomato.

    It can be done in the GUI though without custom config entries. Under "Basic->Network-Static DNS" enter the google dns addresses and make sure "Advanced->DHCP/DNS->Use received DNS with user-entered DNS" is NOT checked.
     
  46. koitsu

    koitsu Network Guru Member

    I can answer that one by reviewing the dnsmasq code: src/dnsmasq.c, lines 779 to 786. Rephrased into English:

    If the DNS capability in dnsmasq is enabled[1] AND the no-resolv feature[2] is set, then check the following:

    * If resolv-file is used[3], then warn the user that because they used resolv-file alongside no-resolv that the resolv-file line(s) are ignored (and they really are ignored (daemon->resolv_files = NULL))
    * If no servers are defined[4], then warn the user that there are no upstream servers configured

    [1]: As long as port != 0 (setting port=0 disables DNS capability in dnsmasq, i.e. DHCP server only)
    [2]: Either no-resolv set in the config file, or the -R or --no-resolv command line flags
    [3]: Either resolv-file set in the config file (one or more times), or the -r or --resolv-file command line flags
    [4]: Either server set in the config file (one or more times), or the -S or --server command line flags

    So, the example @Michael Malone gave should work (because there are server=XXX lines provided), however it will result in a syslog entry that says "warning: ignoring resolv-file flag because no-resolv is set".

    To solve all of this, you can just simply put 8.8.8.8 and 8.8.4.4 in Basic -> Network -> Static DNS and not have to touch anything under Dnsmasq Custom Configuration. What happens then: /etc/resolv.conf and /etc/resolv.dnsmasq both contain the IP addresses you entered into the Static DNS field.

    You can still use strict-order if you want (that's up to the user).

    If people want to know why both /etc/resolv.conf and /etc/resolv.dnsmasq are updated (rather than just the latter), I can explain that. But this is absolutely correct behaviour.
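    An added example (my own, not dnsmasq's code) that reimplements the four checks listed above as a small sh lint over a dnsmasq config file; the sample config is constructed from @Michael Malone's snippet plus the resolv-file line assumed to come from Tomato's generated config.

```shell
#!/bin/sh
# Added example, not dnsmasq's own code: a lint that mirrors the startup
# checks described above (src/dnsmasq.c lines 779-786 as koitsu read them)
# for the config-file forms of the directives. Command-line flags (-R, -r,
# -S) are not covered.

# check_dnsmasq_upstream CONFIG_FILE
# Prints the warnings dnsmasq would log. Returns 0 when an upstream source
# exists (or DNS is disabled), 1 when no-resolv is set but no server= exists.
check_dnsmasq_upstream() {
    conf="$1"
    # drop comments, blank lines and surrounding whitespace so the counts
    # below see bare directives only
    cleaned=$(sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d' "$conf")

    # [1] DNS is enabled unless port=0 (last port= line wins)
    port=$(printf '%s\n' "$cleaned" | sed -n 's/^port=//p' | tail -n 1)
    # [2] no-resolv, [3] resolv-file, [4] server (grep -c prints 0 on no match)
    noresolv=$(printf '%s\n' "$cleaned" | grep -c '^no-resolv$' || true)
    resolvfiles=$(printf '%s\n' "$cleaned" | grep -c '^resolv-file=' || true)
    servers=$(printf '%s\n' "$cleaned" | grep -c '^server=' || true)

    if [ "${port:-53}" = "0" ]; then
        echo "info: port=0, DNS disabled, upstream checks do not apply"
        return 0
    fi
    if [ "$noresolv" -gt 0 ]; then
        if [ "$resolvfiles" -gt 0 ]; then
            echo "warning: ignoring resolv-file flag because no-resolv is set"
        fi
        if [ "$servers" -eq 0 ]; then
            echo "warning: no upstream servers configured"
            return 1
        fi
    fi
    # without no-resolv, dnsmasq falls back to /etc/resolv.conf or resolv-file
    return 0
}

# Constructed sample: the custom-configuration snippet from the post, plus
# the resolv-file line assumed to come from Tomato's generated config.
write_sample_conf() {
    cat > "$1" <<'EOF'
resolv-file=/etc/resolv.dnsmasq
# --- custom configuration ---
no-resolv
strict-order
server=8.8.8.8
server=8.8.4.4
EOF
}

tmp=$(mktemp)
write_sample_conf "$tmp"
check_dnsmasq_upstream "$tmp"; echo "exit status: $?"
rm -f "$tmp"
```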
     
  47. ambiance

    ambiance Networkin' Nut Member

    I've recently noticed the 'wget: error getting response: Connection reset by peer' issue on one secure site. It seems to only affect Adaway which used to work and isn't a big deal as it's pretty much redundant. Hosts-file, Yoyo and Malwaredomainlist seem to work fine. R7000 on 137 for what it's worth and I'm in no need of a fix.

    Code:
    ADBLOCK[24114]: Running as /mnt/RALLY2/adblock/adblock.sh
    ADBLOCK[24114]: Using config file /mnt/RALLY2/adblock/adblock.ini
    ADBLOCK[24114]: Requested list mode is OPTIMIZE
    ADBLOCK[24114]: Creating web link /www/user/adblock.sh
    ADBLOCK[24114]: Web interface should be available at http://192.168.1.1/user/adblock.sh
    ADBLOCK[24114]: Config or script has changed - rebuilding list
    ADBLOCK[24114]: Download starting
    ADBLOCK[24114]: Downloading: https://adaway.org/hosts.txt
    Connecting to adaway.org (104.24.105.89:443)
    ADBLOCK[24114]: Downloading: https://hosts-file.net/ad_servers.txt
    Connecting to hosts-file.net (107.22.171.143:443)
    wget: error getting response: Connection reset by peer
    ADBLOCK[24114]: Downloading: https://hosts-file.net/hphosts-partial.txt
    ADBLOCK[24114]: Failed: https://adaway.org/hosts.txt
    Connecting to hosts-file.net (107.22.171.143:443)
    ADBLOCK[24114]: Downloading: https://www.malwaredomainlist.com/hostslist/hosts.txt
    ADBLOCK[24114]: Downloading: http://winhelp2002.mvps.org/hosts.txt
    Connecting to www.malwaredomainlist.com (143.215.130.61:443)
    ADBLOCK[24114]: Downloading: https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext
    Connecting to winhelp2002.mvps.org (216.155.126.40:80)
    Connecting to pgl.yoyo.org (213.230.210.230:443)
    ADBLOCK[24114]: Downloading: http://sysctl.org/cameleon/hosts
    Connecting to sysctl.org (213.186.34.12:80)
    ADBLOCK[24114]: Downloading: http://someonewhocares.org/hosts/
    Connecting to someonewhocares.org (209.97.222.140:80)
    -                    100% |********************************| 38280   0:00:00 ETA
    ADBLOCK[24114]: Completed: https://www.malwaredomainlist.com/hostslist/hosts.txt
    -                    100% |********************************|   364k  0:00:00 ETA
    ADBLOCK[24114]: Completed: http://someonewhocares.org/hosts/
    -                    100% |********************************| 63404   0:00:00 ETA
    ADBLOCK[24114]: Completed: https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext
    -                    100% |********************************|   490k  0:00:00 ETA
    ADBLOCK[24114]: Completed: http://winhelp2002.mvps.org/hosts.txt
    -                    100% |********************************|   543k  0:00:00 ETA
    -                     15% |****                            | 98653   0:00:05 ETAADBLOCK[24114]: Completed: https://hosts-file.net/hphosts-partial.txt
    -                    100% |********************************|  1781k  0:00:00 ETA
    ADBLOCK[24114]: Completed: https://hosts-file.net/ad_servers.txt
    -                    100% |********************************|   640k  0:00:00 ETA
    ADBLOCK[24114]: Completed: http://sysctl.org/cameleon/hosts
    ADBLOCK[24114]: Downloaded
    ADBLOCK[24114]: Generating /mnt/RALLY2/adblock/blocklist - OPTIMIZE mode
    ADBLOCK[24114]: Blocklist generated - 18 seconds
    ADBLOCK[24114]: 44247 unique hosts to block
    ADBLOCK[24114]: Setting up 192.168.1.254 netmask 255.255.255.0 on br0:adblk
    ADBLOCK[24114]: Setting up pixelserv on 192.168.1.254
    ADBLOCK[24114]: pixelserv[24702]: /mnt/RALLY2/adblock/pixelserv version: V35.HZ13 compiled: Nov  8 2015 23:33:28 options: 192.168.1.254
    ADBLOCK[24114]: Writing File /etc/dnsmasq.custom
    ADBLOCK[24114]: CONF file /etc/dnsmasq.custom changed
    ADBLOCK[24114]: Restarting dnsmasq
    ADBLOCK[24114]: .....
    ADBLOCK[24114]: Done.
    ADBLOCK[24114]: Exiting /mnt/RALLY2/adblock/adblock.sh 0
     
  48. leandroong

    leandroong LI Guru Member

    use wget http://adaway.org/hosts.txt
     
  49. ambiance

    ambiance Networkin' Nut Member

    @leandroong I've tried that, but it just redirects to the secure link with the same result.
     
  50. leandroong

    leandroong LI Guru Member

    Well, I can see the data when pasting from the Firefox browser.
    Note: I'm using unbound to manage my adblock.
    Note2: both http and https display data in the browser.
     
  51. ambiance

    ambiance Networkin' Nut Member

    Yeah, that's what I used to cross reference. If it were an issue, I'd try my hand with optware.
     
  52. koitsu

    koitsu Network Guru Member

    @ambiance @leandroong The problem with https://adaway.org/hosts.txt is almost certainly that the Tomato base system OpenSSL doesn't play well with CloudFlare (adaway.org uses them). CloudFlare has very anal settings for SSL cipher negotiation, parameter requirements, as well as mandatory TLS extensions that need to be present (for example: they require server_name (a.k.a. SNI)). This is definitive information, but speculative in the sense that I can't actually provide hard evidence for it yet. Why's that?

    I've apparently opened a Pandora's box that is very, very uncomfortable. To analyse the situation, I obviously have to capture packets. But when using Busybox wget along with tcpdump (Entware-ng), the Busybox wget traffic is not picked up by tcpdump. Even using the pseudo-interface any (to capture traffic from all interfaces) doesn't catch it. Use of promiscuous mode changes nothing (shouldn't be relevant though, as the WAN interface has an IP and there is no bridging), nor does disabling the tcpdump packet-matching code optimiser (-O). However: switch to Entware-ng wget (i.e. GNU wget) and the packets show up in the capture. The issue is 100% reproducible. So, I started digging even more into this mess, and believe I can explain why this is happening. But first:

    I'll add that with Busybox wget, despite the above, I would not reliably get a TCP RST ("Connection reset by peer") from the remote end (and there was no file downloaded either). It didn't matter which IP I got back either (adaway.org has RR A records of 104.24.104.89 and 104.24.105.89): Proof of that (bolded lines):

    root@gw:/tmp/home/root# /usr/bin/wget https://adaway.org/hosts.txt
    Connecting to adaway.org (104.24.104.89:443)
    wget: error getting response: Connection reset by peer
    root@gw:/tmp/home/root# /usr/bin/wget https://adaway.org/hosts.txt
    Connecting to adaway.org (104.24.104.89:443)
    wget: error getting response: Connection reset by peer

    root@gw:/tmp/home/root# /usr/bin/wget https://adaway.org/hosts.txt
    Connecting to adaway.org (104.24.104.89:443)

    root@gw:/tmp/home/root# /usr/bin/wget https://adaway.org/hosts.txt
    Connecting to adaway.org (104.24.104.89:443)
    wget: error getting response: Connection reset by peer
    root@gw:/tmp/home/root# /usr/bin/wget https://adaway.org/hosts.txt
    Connecting to adaway.org (104.24.104.89:443)
    wget: error getting response: Connection reset by peer
    root@gw:/tmp/home/root# /usr/bin/wget https://adaway.org/hosts.txt
    Connecting to adaway.org (104.24.104.89:443)
    wget: error getting response: Connection reset by peer

    root@gw:/tmp/home/root# /usr/bin/wget https://adaway.org/hosts.txt
    Connecting to adaway.org (104.24.105.89:443)
    root@gw:/tmp/home/root# /usr/bin/wget https://adaway.org/hosts.txt
    Connecting to adaway.org (104.24.105.89:443)

    root@gw:/tmp/home/root# /usr/bin/wget https://adaway.org/hosts.txt
    Connecting to adaway.org (104.24.104.89:443)
    wget: error getting response: Connection reset by peer

    Guess what else behaves this way? EVERYTHING!

    root@gw:/tmp/home/root# /usr/bin/wget https://www.google.com/
    Connecting to www.google.com (172.217.4.164:443)
    wget: error getting response: Connection reset by peer
    root@gw:/tmp/home/root# /usr/bin/wget https://www.microsoft.com/
    Connecting to www.microsoft.com (23.210.250.189:443)
    wget: error getting response: Connection reset by peer
    root@gw:/tmp/home/root# /usr/bin/wget https://lists.freedesktop.org/archives/systemd-devel/2014-April/018601.html
    Connecting to lists.freedesktop.org (131.252.210.177:443)
    wget: error getting response: Connection reset by peer

    So, upon reviewing the "high-quality" code in Busybox wget (Tomato uses Busybox v1.23.2), I found the way it works is like this: it literally does a fork/exec of the command openssl s_client -quiet -connect <hostname> followed by binding file descriptors between that forked process and wget/Busybox to read/write the plaintext I/O. There's no SNI support in that version of OpenSSL, so that would explain why CloudFlare rejects it. Newer OpenSSL's s_client subcommand supports the argument -servername <string> that includes the SNI header in the TLS extension list.

    So I decided to reproduce that behaviour... except:

    Code:
    root@gw:/tmp/home/root# /usr/sbin/openssl s_client
    openssl:Error: 's_client' is an invalid command.
    
    Standard commands
    enc            req            rsa            x509
    
    Cipher commands (see the `enc' command for more details)
    aes-128-cbc    aes-128-ecb    aes-192-cbc    aes-192-ecb    aes-256-cbc
    aes-256-ecb    bf-cbc         bf-ecb
    
    I thought we solved this problem in Tomato already, re: the OpenSSL configuration needing to include support for the s_client subcommand? Why has it been removed? :| @Toastman

    In other words: I wasn't seeing HTTPS packets because there were none being generated because openssl s_client doesn't even work.

    I've said this time and time again, but Busybox is really quite awful. (Also, their website has been bizarrely broken for at least 48 hours now -- I don't even want to know) I wish we could get off of OpenSSL in the base system and switch to WolfSSL (intended for embedded architectures -- it's literally 20x smaller than OpenSSL) and use GNU wget and other tools alongside that. Or even MatrixSSL or PolarSSL/mbed TLS or libressl-portable (which is OpenSSL with all the garbage removed). Busybox is just so utterly horrid. Sigh. I also love it when I see commits like this in Busybox (note the commit comment): it's almost like they know how wonky all their own stuff is. (I still think that commit is horrid though -- it disables shared libraries and forces you to embed the entire wolfssl library into every binary that's built. And that ssl_helper thing is just... I'm shivering with fear over what could go wrong there)

    Footnote: you can't use GNU wget with an IP address with https. If you do so, the SNI header in the SSL/TLSv1.2 "client hello" packet is omitted; CloudFlare rejects this with a cute TLS alert/error ("level = fatal, description = internal error (code 80)"), followed by clean socket closure.
     
  53. ambiance

    ambiance Networkin' Nut Member

    @koitsu That's mostly Greek to me, but if it uses significantly less resources and has less dubious code then why not? Would it be a massive undertaking to integrate?
     
  54. koitsu

    koitsu Network Guru Member

    I've updated my post to reflect the situation. Summary that's easier to understand:

    The root cause is that openssl s_client is no longer a working command in Tomato. Busybox wget relies on the openssl s_client command for HTTPS to work.

    I wasn't seeing packets in tcpdump for any HTTPS traffic because there weren't any packets being generated -- the openssl s_client command failed to run.

    As a result, the Busybox wget "error getting response" message is 100% misleading (here's the code -- it comes from the ), making users think it's a server problem or the socket being closed abruptly when in fact it's because of how Busybox wget behaves.

    The "Connection reset by peer" message is actually coming from the very deeply-wrapped read() system call, and the message specifically through the perror global or strerror() (I don't know which but it doesn't matter). read() can return ECONNRESET, which is "Connection reset by peer". You have to look into libbb ("lib Busybox") and how this works to work it out.

    It's easier to prove all this via strace. This should act as further proof of the root cause. Ignore the ioctl() errors (these are ridiculously normal on Linux and esp. under Busybox, and they have no bearing on the problem):

    Code:
    root@gw:/tmp/home/root# strace -s 256 -o strace.out -f /usr/bin/wget https://lists.freedesktop.org/archives/systemd-devel/2014-April
    /018601.html
    Connecting to lists.freedesktop.org (131.252.210.177:443)
    wget: error getting response: Connection reset by peer
    
    root@gw:/tmp/home/root# cat strace.out
    4054  execve("/usr/bin/wget", ["/usr/bin/wget", "https://lists.freedesktop.org/archives/systemd-devel/2014-April/018601.html"], [/* 14 vars */]) = 0
    
    {snipping for brevity}
    
    4054  write(2, "Connecting to ", 14)    = 14
    4054  write(2, "lists.freedesktop.org", 21) = 21
    4054  write(2, " (", 2)                 = 2
    4054  write(2, "131.252.210.177:443", 19) = 19
    4054  write(2, ")\n", 2)                = 2
    4054  socketpair(PF_LOCAL, SOCK_STREAM, 0, [3, 4]) = 0
    4054  ioctl(2147483647, TCGETS, 0x7fedfa00) = -1 EBADF (Bad file descriptor)
    4054  fork()                            = 4055
    4054  close(4)                          = 0
    4054  fcntl(3, F_GETFL)                 = 0x2 (flags O_RDWR)
    4054  ioctl(3, TCGETS, 0x7fedfab0)      = -1 EINVAL (Invalid argument)
    4054  write(3, "GET /archives/systemd-devel/2014-April/018601.html HTTP/1.1\r\nHost: lists.freedesktop.org\r\nUser-Agent: Wget\r\nConnection: close\r\n\r\n", 129 <unfinished ...>
    4055  close(3 <unfinished ...>
    4054  <... write resumed> )             = 129
    4055  <... close resumed> )             = 0
    4054  read(3,  <unfinished ...>
    4055  dup2(4, 0)                        = 0
    4055  close(4)                          = 0
    4055  dup2(0, 1)                        = 1
    4055  dup2(2, 3)                        = 3
    4055  close(2)                          = 0
    4055  open("/dev/null", O_RDWR|O_LARGEFILE) = 2
    4055  execve("/opt/usr/sbin/openssl", ["openssl", "s_client", "-quiet", "-connect", "lists.freedesktop.org:443"], [/* 14 vars */]) = -1 ENOENT (No such file or directory)
    4055  execve("/opt/sbin/openssl", ["openssl", "s_client", "-quiet", "-connect", "lists.freedesktop.org:443"], [/* 14 vars */]) = -1 ENOENT (No such file or directory)
    4055  execve("/opt/bin/openssl", ["openssl", "s_client", "-quiet", "-connect", "lists.freedesktop.org:443"], [/* 14 vars */]) = -1 ENOENT (No such file or directory)
    4055  execve("/usr/local/sbin/openssl", ["openssl", "s_client", "-quiet", "-connect", "lists.freedesktop.org:443"], [/* 14 vars */]) = -1 ENOENT (No such file or directory)
    4055  execve("/usr/sbin/openssl", ["openssl", "s_client", "-quiet", "-connect", "lists.freedesktop.org:443"], [/* 14 vars */]) = 0
    
    {snipping for brevity}
    
    4055  write(2, "openssl:Error: 's_client' is an invalid command.\n", 49) = 49
    4055  write(2, "\nStandard commands", 18) = 18
    4055  write(2, "\n", 1)                 = 1
    4055  write(2, "enc            ", 15)   = 15
    4055  write(2, "req            ", 15)   = 15
    4055  write(2, "rsa            ", 15)   = 15
    4055  write(2, "x509           ", 15)   = 15
    4055  write(2, "\n", 1)                 = 1
    4055  write(2, "\nCipher commands (see the `enc' command for more details)\n", 58) = 58
    4055  write(2, "aes-128-cbc    ", 15)   = 15
    4055  write(2, "aes-128-ecb    ", 15)   = 15
    4055  write(2, "aes-192-cbc    ", 15)   = 15
    4055  write(2, "aes-192-ecb    ", 15)   = 15
    4055  write(2, "aes-256-cbc    ", 15)   = 15
    4055  write(2, "\n", 1)                 = 1
    4055  write(2, "aes-256-ecb    ", 15)   = 15
    4055  write(2, "bf-cbc         ", 15)   = 15
    4055  write(2, "bf-ecb         ", 15)   = 15
    4055  write(2, "\n\n", 2)               = 2
    4055  exit(0)                           = ?
    4054  <... read resumed> 0x4cf210, 4096) = -1 ECONNRESET (Connection reset by peer)
    4054  ioctl(2147483647, TCGETS, 0x7fedf998) = -1 EBADF (Bad file descriptor)
    4054  brk(0x4d3000)                     = 0x4d3000
    4054  write(2, "wget: error getting response: Connection reset by peer\n", 55) = 55
    4054  exit(1)                           = ?
    
    So if we fix this (restoring openssl s_client), it'll improve things for a lot of HTTPS sites, and that's good. However, it won't fix the problem for all sites, because Busybox wget doesn't support sending TLS SNI (which things like CloudFlare and lots of other places require/mandate).

    That's because Busybox wget doesn't pass the -servername XXX flag to openssl s_client. The -servername argument was introduced as of OpenSSL 1.0.0.

    TomatoUSB currently uses OpenSSL 1.0.2g, so it's supported, but Busybox (even latest master) doesn't have the brains to include the flag. (And "when" to use the flag is somewhat dependent upon the situation -- specifically when using a hostname-based value. For example, Busybox wget of https://1.2.3.4/blah should not use -servername 1.2.3.4 -- but https://ilikesnakes.com/blah should use -servername ilikesnakes.com).
     
  55. koitsu

    koitsu Network Guru Member

    Oh, and while I'm here, this is pretty cute too -- you can blame the OpenSSL folks for this. An unknown subcommand still results in openssl returning an exit code of 0, so Busybox can't even rely on exit code value to determine if the openssl sub-command (even slightly) failed in some way:

    Code:
    root@gw:/tmp# openssl s_client
    openssl:Error: 's_client' is an invalid command.
    
    Standard commands
    enc            req            rsa            x509
    
    Cipher commands (see the `enc' command for more details)
    aes-128-cbc    aes-128-ecb    aes-192-cbc    aes-192-ecb    aes-256-cbc
    aes-256-ecb    bf-cbc         bf-ecb
    
    root@gw:/tmp# echo $?
    0
    
    TL;DR -- When actually tracking down problems, in this day and age, this is exactly what I've come to expect: a cascading amount of mistakes, failures, bad software design, and all sorts of other nonsense along the way. And people wonder why I'm trying to get out of the tech industry...
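    An added example (my own, not code from Busybox wget or OpenSSL) for the two points in the posts above: building the s_client invocation with -servername only when the target is a hostname, and classifying s_client's output text, since the exit status stays 0 for an unknown subcommand. The sample output is constructed from what the thread shows; probe_https only runs if you call it.

```shell
#!/bin/sh
# Added example, not code from Busybox wget or OpenSSL. It shows the two fixes
# the analysis above calls for: pass -servername only when the target is a
# hostname (an IP literal gets no SNI), and judge success from s_client's own
# output, because its exit status is 0 even when s_client is not built in.

# is_ipv4_literal HOST: true for a dotted-quad address such as 1.2.3.4
is_ipv4_literal() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# s_client_args HOST [PORT]: print the argument list for 'openssl s_client'.
# Hostnames get -servername (TLS SNI), IPv4 literals do not; IPv6 is not handled.
s_client_args() {
    host="$1"; port="${2:-443}"
    if is_ipv4_literal "$host"; then
        printf 's_client -quiet -connect %s:%s\n' "$host" "$port"
    else
        printf 's_client -quiet -connect %s:%s -servername %s\n' "$host" "$port" "$host"
    fi
}

# classify_s_client_output: read s_client's combined stdout/stderr on stdin
# and print a verdict. Return codes: 3 = openssl has no s_client subcommand,
# 2 = the server sent a TLS alert (what a missing SNI produces at CloudFlare),
# 1 = TCP-level failure, 0 = nothing recognisably wrong in the output.
classify_s_client_output() {
    out=$(cat)
    case "$out" in
        *"'s_client' is an invalid command"*)      echo no_s_client;    return 3 ;;
        *"alert internal error"*|*"alert handshake failure"*)
                                                   echo tls_alert;      return 2 ;;
        *"connect:errno"*|*"Connection refused"*)  echo connect_failed; return 1 ;;
        *)                                         echo other;          return 0 ;;
    esac
}

# probe_https HOST [PORT]: run the real openssl binary the way Busybox wget
# does, but with the corrected arguments, and classify what came back.
probe_https() {
    # word splitting of the printed argument list is intended here
    openssl $(s_client_args "$1" "${2:-443}") </dev/null 2>&1 | classify_s_client_output
}

# Constructed sample: the output the thread shows from Tomato's openssl build.
TOMATO_OPENSSL_OUTPUT="openssl:Error: 's_client' is an invalid command.

Standard commands
enc            req            rsa            x509"

s_client_args adaway.org 443
printf '%s\n' "$TOMATO_OPENSSL_OUTPUT" | classify_s_client_output
```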
     
  56. koitsu

    koitsu Network Guru Member

  57. HorseCalledHorse

    HorseCalledHorse LI Guru Member

    ^ That explains why I can't add this anti-adblock list:

    Code:
    ADBLOCK[4485]: Downloading: https://raw.github.com/reek/anti-adblock-killer/master/anti-adblock-killer-filters.txt
    Connecting to raw.github.com (151.101.100.133:80)
    wget: not an http or ftp url: https://raw.github.com/reek/anti-adblock-killer/master/anti-adblock-killer-filters.txt
    ADBLOCK[4485]: Failed: https://raw.github.com/reek/anti-adblock-killer/master/anti-adblock-killer-filters.txt
     
  58. damionhh

    damionhh Networkin' Nut Member

    I found this script online to block Tor exit nodes from accessing my router:

    Code:
    # create a new set for individual IP addresses
    ipset -N tor iphash
    # YOUR_IP must be set to the address the exit-node list is queried for
    : "${YOUR_IP:?set YOUR_IP to your WAN address first}"
    # get a list of Tor exit nodes that can access $YOUR_IP, skip the comments and read line by line
    # (the URL is quoted so the shell does not treat '?' as a glob pattern)
    wget -q "https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=$YOUR_IP" -O - | sed '/^#/d' | while read -r IP
    do
        # add each IP address to the new set, silencing the warnings for IPs that have already been added
        ipset -q -A tor "$IP"
    done
    # filter our new set in iptables
    iptables -A INPUT -m set --match-set tor src -j DROP

    There is something about it that won't work with the shell in Tomato and I have searched extensively to see if anyone has ported it to Tomato firmware. Any ideas from anyone how or if this could be integrated into the adblock firewall script (that I find very very useful. Thank you!)
     
  59. Beast

    Beast Network Guru Member

    ok

    Seems for some time now my adblock script (11/11/2015) release is no longer doing the auto updates??
    I have made NO changes to the default scheduled time. I used to see in the logs where it would check for updated files, but now nothing ever.

    How can I check to see if it is in the scheduler or is it a cron job? And if so how to check that out.

    Anyone else see this??
     
  60. ambiance

    ambiance Networkin' Nut Member

    Since updating to 138 I notice I'm getting an error message: adblock.sh: local: line 1056: not in a function. It still works fine, so I'm assuming it's minor.

    @Beast I've had issues with it and use scheduler on Tomato instead.
     
  61. meazz1

    meazz1 LI Guru Member

    SSH to router and run the following command
    cru l
     
  62. Beast

    Beast Network Guru Member

    This is the result, I'm not sure what that is telling me.

    Looks like two jobs: [1] syslogdmark = puts the -- MARK -- in the log every 2 hours.
    [2] ntpsync = checks the time every 4 hours.

    Don't see anything for adblock. ASSUMING I am reading this correctly.

    root@Beast-Net:/tmp/home/root# cru l

    0 */2 * * * logger -p syslog.info -- -- MARK -- #syslogdmark#
    21 20,0,4,8,12,16 * * * ntpsync --cron #ntpsync#
     
  63. koitsu

    koitsu Network Guru Member

    @Beast You're interpreting the cru l output correctly.
     
  64. Beast

    Beast Network Guru Member

    I'm learning, though it may be slow. So now how to figure out why the update schedule in adblock is no longer being added to the cron job list????

    I have even tried putting the update time in the "adblock.ini" file with same results.

    I have the script and support files on a USB stick and start adblock from the System Tool command box
    after a router reboot. I do wait a few minutes to start adblock to give the router time to be in a stable state.

    tmp/mnt/USBDRIVE/adblock/adblock.sh
     
  65. jerrm

    jerrm Network Guru Member

    Are you starting with the "cron" parameter?
     
  66. Beast

    Beast Network Guru Member

    I have only sources in the config.ini file and have made no changes to the default settings in the adblock.sh file it looks like this>

    # default cron schedule standard cru format
    schedule="10 02 * * *"
    cronid=adblock.update

    # minimum age of blocklist in hours before we re-build
    age2update=4

    Am I missing something???
     
  67. jerrm

    jerrm Network Guru Member

    Again, are you starting with the "cron" parameter? See Scheduling Updates in the first post. Adblock does not schedule itself unless told to.
     
  68. Beast

    Beast Network Guru Member

    Ok, face palm moment, vapor lock of brain. Sorry, when you said parameter my brain said setting. I remember now some time back one of Toastman's updates had a bug where it reported the flash size incorrectly, and when I installed the corrected version I also re-entered everything from scratch. And no, I did NOT add the cron parameter back.

    Duh.............

    root@Beast-Net:/tmp/home/root# cru l
    0 */2 * * * logger -p syslog.info -- -- MARK -- #syslogdmark#
    44 22,2,6,10,14,18 * * * ntpsync --cron #ntpsync#

    10 02 * * * /tmp/mnt/USBDRIVE/adblock/adblock.sh update #adblock.update#
     
  69. mmosoll

    mmosoll Networkin' Nut Member

    It's only an idea but maybe it'll be useful: I'm using a keepalive task every twenty minutes to check if internet connectivity is OK and reboot if it isn't. Some months ago I had a problem with adblock (not quite the same problem, the 'cron' parameter existed but the update job disappeared) and I added the following command line in my script (I found it in this forum):

    nslookup adblock.is.loaded || /tmp/mnt/.../ads/adblock.sh cron &
     
  70. Beast

    Beast Network Guru Member

    Thanks for the info, mine worked just fine until I forgot to add the cron & parameter back during a re-setup of my router. But if I see a problem I will also add that to the script.
     
  71. ambiance

    ambiance Networkin' Nut Member

    I don't know what it means, but the 'adblock.sh: local: line 1056: not in a function' points to 'fi'. Is anyone else receiving that error on update?
     
  72. koitsu

    koitsu Network Guru Member

    Some shells/interpreters print a line number that doesn't immediately correlate with the line number in an editor. There are several reasons for this, rather not go over all of them.

    The error in question is referring to the use of the term local to define a local variable -- that is, a variable whose scope is only available within that function itself (by default variables in shell scripts are global) -- while not being inside of a function. That should be pretty easy to track down given scope/context. Functions are declared like:
    Code:
    myfunc() {
      ...stuff...
    }
    
    And do not end with fi. So, possibly someone thought you could use local for local scope within an if/fi scope (you can't).
     
  73. jerrm

    jerrm Network Guru Member

    No one thought that. Doesn't mean there wasn't a cut/paste error somewhere. Very possible the Shibby 138 busybox update to 1.25 is picking up something the prior versions let slide. I'll try to load 138 somewhere soon and test.
     
  74. jerrm

    jerrm Network Guru Member

    I think @koitsu nailed it. Remove the "local" from line 1045. I have not tested under Shibby 138.
     
  75. tmr250z

    tmr250z Network Guru Member

    @jerrm Also under Shibby 138, I'm getting these two errors in the adblock web interface.

    1. When I try to save any changes to the config or the white/blacklists, I get an error saying changes weren't saved, when in fact they were saved despite the error message.

    2. With logging enabled, if I try to add any of the domains from the recently resolved hosts or recently blocked hosts lists by clicking on one of them, I get the error message pictured below, even though it does add it to either list.
     

    Attached Files: 1.png, 2.png
  76. jerrm

    jerrm Network Guru Member

    Yeah, my guess is it's the same core error. Code copied out of a function with a "local" intact.

    Remove the "local" from line 304 of adblockweb.sh.

    Please report back - I haven't tested any of this. Still need to load 138 on a box.
     
  77. tmr250z

    tmr250z Network Guru Member

    I noticed the "adblock.sh: local: line 1056: not in a function" error too, removing "local" from line 1045 in adblock.sh fixed it.

    Removing the "local" from line 304 in adblockweb.sh fixed both of the errors I reported.

    Thanks.
     
  78. koitsu

    koitsu Network Guru Member

    I'd need to see the code in question to know if simply removing local is the "proper thing" (obviously it doesn't work, but the question then becomes does the code in question really need a global variable or what). I trust your judgement on this one though. :)
     
  79. ambiance

    ambiance Networkin' Nut Member

    @jerrm I removed the entry and no more error message here as well.

    @koitsu

    Code:
    # write weblink
    if [ "$weblink" != "" ] &&  [ -x "$binprefix/$webscript" -o -x "$( which "$webscript" )" ]; then
        if ln -sf "$me" "$weblink" ; then
            local lanport=$(nvram get http_lanport)
            [ "$lanport" = 80 -o "$lanport" = "" ] && lanport="" || lanport=":$lanport"
            elog "Creating web link $weblink"
            elog "Web interface should be available at http://$(nvram get lan_ipaddr)$lanport/user/${weblink##*/}"
            echo "$weblink" >  $weblink.weblink
            addtomatolink
        else
            elog "ERROR - could not create web link $weblink"
        fi
    else
        elog "ERROR - Web Script $webscript not found or not executable!"
    fi
     
  80. koitsu

    koitsu Network Guru Member

    Thanks for the code block. I can see how/why someone wanted a local variable here, but yeah, removing local is the only way (without revamping lots of code) to do it. I tend to use unset when wanting a "locally scoped variable", even though it's not true local scoping, as I don't like to "pollute" (bit strong of a word here but you get the gist) variable space. An example:

    Code:
    # write weblink
    if [ "$weblink" != "" ] &&  [ -x "$binprefix/$webscript" -o -x "$( which "$webscript" )" ]; then
        if ln -sf "$me" "$weblink" ; then
            lanport=$(nvram get http_lanport)
            [ "$lanport" = 80 -o "$lanport" = "" ] && lanport="" || lanport=":$lanport"
            elog "Creating web link $weblink"
            elog "Web interface should be available at http://$(nvram get lan_ipaddr)$lanport/user/${weblink##*/}"
            echo "$weblink" >  $weblink.weblink
            addtomatolink
            unset lanport
        else
            elog "ERROR - could not create web link $weblink"
        fi
    else
        elog "ERROR - Web Script $webscript not found or not executable!"
    fi
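    The scoping point koitsu makes, shown as an added example (this is not code from adblock.sh or adblockweb.sh): the ":port" suffix logic from the snippet wrapped in a function, where "local" is legal; a probe that reports whether a fresh shell accepts "local" at top level (the error from the thread); and two variants of the same helper showing what a plain assignment leaves behind in the caller's scope versus assignment followed by "unset". Host and port values are constructed.

```shell
#!/bin/sh
# Added example, not from adblock.sh or adblockweb.sh: the ":port" suffix
# logic from the snippet above, placed in a function where "local" is allowed.

# Build the suffix appended to the LAN IP in the web-interface URL.
# Port 80 or an empty value gives "" (default port); anything else ":<port>".
lanport_suffix() {
    local lanport="$1"            # legal here: we are inside a function
    if [ "$lanport" = 80 ] || [ "$lanport" = "" ]; then
        printf '%s' ""
    else
        printf ':%s' "$lanport"
    fi
}

# Return 0 if a fresh shell accepts "local" outside any function, 1 if it
# refuses. bash, dash and busybox ash all refuse, which is the
# "local: not in a function" error reported in this thread.
local_at_top_level_works() {
    sh -c 'local probe=1' >/dev/null 2>&1
}

# Plain assignment inside a function is global: the caller still sees
# $lanport afterwards (this is what dropping "local" leaves you with).
url_with_leak() {
    lanport=$(lanport_suffix "$2")
    echo "http://$1$lanport/user/adblock.sh"
}

# koitsu's approach: same assignment, then "unset" so nothing leaks into
# the caller's variable space.
url_without_leak() {
    lanport=$(lanport_suffix "$2")
    echo "http://$1$lanport/user/adblock.sh"
    unset lanport
}
```

    Running url_with_leak then checking $lanport in the calling shell shows the leak; after url_without_leak the variable is gone again. Neither is true lexical scoping, which is why the function wrapper is the cleaner fix when the surrounding code can be restructured.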
    
     
  81. phuklok1

    phuklok1 Network Guru Member

    In both the latest Shibby 138 and Toastman 7510 builds, I am seeing an issue which causes random DNS lookups to fail when adblock is running. As an example in my setup, mozilla.org will now consistently not resolve. Not certain if this is a result of an interaction of adblock with some new change in dnsmasq or some other variable, but if I stop adblock, the random name resolution failures also stop. This setup worked perfectly in the last toastman release 7509.9 (also using dnsmasq 2.76) and shibby 137 and below. For sanity, I just reverted back to 7509.9 and there is no issue. Anyone else experiencing this?

    PS. this is an IPV4 only setup.

    Update: cleared setup and created a simplified test one, adding a feature at a time. It looks like the problem is something new happening in DNSSEC resulting in certain sites not resolving. A new mystery... LOL, but nothing to do with this thread.
     
    Last edited: Aug 15, 2016
  82. ruggerof

    ruggerof Network Guru Member

    Hi.

    I am getting the following error in the Adblock GUI page

    pixelserv info:

    ERROR: No response from pixelserv...
    pixelserv is not runnng on router for 192.168.1.254

    In the syslog:

    Code:
    Aug 16 02:21:24 rt-ac68u user.notice ADBLOCK[10975]: Setting up 192.168.1.254 netmask 255.255.255.0 on br0:adblk
    Aug 16 02:21:25 rt-ac68u user.notice ADBLOCK[10975]: Setting up pixelserv on 192.168.1.254
    Aug 16 02:21:25 rt-ac68u daemon.info pixelserv[11435]: /opt/adblock/pixelserv version: V35.HZ13 compiled: Nov  8 2015 23:33:28 options: 192.168.1.254
    Aug 16 02:21:25 rt-ac68u daemon.err pixelserv[11439]: Abort: Address already in use - :192.168.1.254:80
    Aug 16 02:21:25 rt-ac68u user.notice ADBLOCK[10975]: pixelserv[11435]: /opt/adblock/pixelserv version: V35.HZ13 compiled: Nov  8 2015 23:33:28 options: 192.168.1.254
    The address 192.168.1.254 is not in use but port 80 is (NGINX). How can I solve the problem?
     
  83. jerrm

    jerrm Network Guru Member

    You have to tell nginx to only listen on the primary IP.

    It may mean using a custom user config file, but try setting the GUI "Web Server->Nginx & PHP->Web Server Port" option to something other than 80, then add "listen 192.168.1.1:80;" to the "SERVER Section/Custom configuration" text box. That should only bind port 80 on the primary IP, but I haven't tested exactly how @shibby20 builds the config files.
     
  84. ruggerof

    ruggerof Network Guru Member

    In fact I am using NGINX and PHP from Entware-ng but I understood you. The problem is that 192.168.1.1:80 and 192.168.1.254:80 can't be separated. I can run either Pixelserv or NGINX but not both.

    Is it possible for Pixelserv to use other port than 80 / 443?
     
  85. jerrm

    jerrm Network Guru Member

    If you are running nginx from entware with your own config files, it should be as simple as changing the listen directive in the nginx config, instead of "listen 80;" it should be "listen 192.168.1.1:80;"

    Nginx should then bind ONLY to 192.168.1.1, leaving .254 free for pixelserv.
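    A check for the bind conflict behind the "Address already in use" line in the syslog above, as an added example that is neither adblock's nor nginx's own code: it reads netstat -tln output and reports whether a given IP:port is still free. A listener on the wildcard address (0.0.0.0 or ::) owns that port on every local address, including the br0 alias adblock adds for pixelserv, so "listen 80;" conflicts while "listen 192.168.1.1:80;" does not. The two netstat samples are constructed (the "before" state with nginx on 0.0.0.0:80 and Tomato's GUI on port 85, and the "after" state once nginx is pinned to the primary IP); on a router, feed the functions the real netstat -tln output instead.

```shell
#!/bin/sh
# Added example, not part of adblock or nginx: decide from "netstat -tln"
# output whether IP:port is still free for pixelserv.

# Constructed sample of the "before" state: nginx on the wildcard address,
# Tomato GUI moved to 85, dnsmasq on loopback. Real input: netstat -tln.
SAMPLE_BEFORE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:85          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN'

# Constructed "after" state, once nginx uses "listen 192.168.1.1:80;".
SAMPLE_AFTER='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.1:80          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:85          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN'

# Print the port of every TCP listener bound to a wildcard address (stdin).
# Such a listener blocks that port on every local IP, alias included.
wildcard_listeners() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
        n = split($4, a, ":")                          # port is the last ":" field
        addr = substr($4, 1, length($4) - length(a[n]) - 1)
        if (addr == "0.0.0.0" || addr == "::" || addr == "*") print a[n]
    }'
}

# Return 0 if $1:$2 can still be bound, 1 if a wildcard listener or an
# exact listener on that IP already holds the port (stdin = netstat -tln).
port_free_on_ip() {
    awk -v ip="$1" -v port="$2" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":")
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            if (a[n] == port && (addr == ip || addr == "0.0.0.0" || addr == "::" || addr == "*"))
                conflict = 1
        }
        END { exit (conflict ? 1 : 0) }'
}
```

    Usage on the router: netstat -tln | port_free_on_ip 192.168.1.254 80 before starting adblock, and netstat -tln | wildcard_listeners to see which services still grab every address.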
     
  86. leandroong

    leandroong LI Guru Member

    Why not change your tomato router web port from 80 to 81 or X
     
  87. ruggerof

    ruggerof Network Guru Member

    In fact as ports 80 and 443 are used by NGINX for me to access my stuff via reverse proxy the standard Tomato WebUI is already hooked up to port 85.

    In the end I have just managed to make it work, I just had to port forward from 80/443 to 192.168.1.1:80/443 and correctly open the firewall, now NGINX is listening to ports 80/443 of 192.168.1.1 and Pixelserv is listening to port 80 of 192.168.1.254.
     
  88. Beast

    Beast Network Guru Member

    Hey Jerrm could you show the code block in question to fix the black/white list save error in the adblock web interface. Line numbers don't match those listed with the editor I use.
    I think this is where I need to remove the "local", if so? do I need to remove both? And if this is not the right location please post the correct code block. Thanks

    Code:
    CONFchanged=0
    if [ -e "$CONF" ]; then
        local CONFmd51=$(md5sum "$CONF" 2>/dev/null)
        echo -n > "$CONF"
        local CONFmd52=$(md5sum "$CONF" 2>/dev/null)
        if [ "$CONFmd51" = "$CONFmd52" ]; then
            elog "CONF file $CONF unchanged"
        else
            CONFchanged=1
            elog "CONF file $CONF truncated"
        fi
    fi
     
  89. jerrm

    jerrm Network Guru Member

    Remove "local" from the following:

    In adblockweb.sh search for:
    Code:
    local file=""
    In adblock.sh search for:
    Code:
    local lanport=$(nvram get http_lanport)
     
  90. Nathaniel Cowles

    Nathaniel Cowles Networkin' Nut Member

    Hi there!

    Why does this happen?

    "ADBLOCK[4319]: Another instance found (/var/run/adblock.pid - 667), exiting!"

    I thought that everything is configured correctly, but it's happened occasionally for some time.

    What do I do to get Adblock running again? What should I change to avoid it happening? Thanks you.
     
  91. Filpos

    Filpos Reformed Router Member

    Adblock is running fine on my asus n12 with shibby and with whopping 60k hosts in the blacklist after I figured I could use cifs instead of jffs.
    But for some reason I still get ad videos in the beginning of youtube videos if I use a) firefox on my desktop pc b) youtube app in Android. For some reason I do not get ads in Chrome on my PC. Any idea why this would be happening and what could I do to correct this? Cleared FF cache. No help. Disabled all other addons etc.
    But if I use the adblock plus extension in FF, those pesky ads are gone.
    I've enabled DNS logs and pretty much the only youtube-related domains that are not directed to 192.168.1.254 (pixelserv?) are those xxxxxx.googlevideo.com ones.

    Edit: something wrong with FF and YT I suppose cos if I logout of YT, I don't get ads but if I sign in I get ads. Dunno about the android though...
     
    Last edited: Sep 20, 2016
  92. AndreDVJ

    AndreDVJ LI Guru Member

    1) In case adblock tries to run twice (i.e. kicked off by wanup script), you may see these messages in syslog. It's perfectly normal, and its concurrency control is working as designed, so it won't try to download blocklists, sort them through, have dnsmasq configured to send unwanted stuff to pixelserv's IP address, further dnsmasq restarts, etc. while the first script is running.

    2) Check if file /opt/etc/adblock/blocklist (or whatever location blocklist is saved) has content, and /etc/dnsmasq.conf has conf-file pointing to somewhere (i.e. the blocklist file). If it has, it should be working properly.
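    The single-instance guard AndreDVJ describes, as an added example rather than adblock's own code: a pid-file lock of the kind that logs "Another instance found (... - pid), exiting!" when a second copy starts while the first is still running. Two details matter for the "how do I get it running again" question: the file is created atomically with the shell's noclobber option so two starts cannot both win, and a pid file whose process no longer exists (a crash, a reboot with /var/run on persistent storage) is treated as stale and replaced instead of blocking every later run. PIDFILE defaults to a path of my choosing; adblock's own is /var/run/adblock.pid.

```shell
#!/bin/sh
# Added example, not adblock's own code: pid-file based single-instance
# lock with stale-file recovery. PIDFILE is an assumed path.
PIDFILE="${PIDFILE:-/tmp/adblock-example.pid}"

# Return 0 when this process may proceed (it now owns the pid file),
# 1 when another live instance holds it.
acquire_instance_lock() {
    local old
    # Atomic create: with noclobber set, ">" fails if the file already exists,
    # so two scripts starting at the same moment cannot both succeed.
    if ( set -C; echo "$$" > "$PIDFILE" ) 2>/dev/null; then
        return 0
    fi
    old=$(cat "$PIDFILE" 2>/dev/null)
    case "$old" in
        *[!0-9]*|'') ;;                       # not a pid at all: stale
        *) if kill -0 "$old" 2>/dev/null; then
               echo "Another instance found ($PIDFILE - $old), exiting!" >&2
               return 1
           fi ;;
    esac
    # Owner is gone: remove the stale file and try the atomic create once more
    # (a competing starter may win this race, in which case we return 1).
    echo "Stale pid file ($PIDFILE - ${old:-empty}), replacing" >&2
    rm -f "$PIDFILE"
    ( set -C; echo "$$" > "$PIDFILE" ) 2>/dev/null
}

# Remove the pid file, but only if it still belongs to this process.
release_instance_lock() {
    if [ "$(cat "$PIDFILE" 2>/dev/null)" = "$$" ]; then
        rm -f "$PIDFILE"
    fi
    return 0
}
```

    A script using it would call acquire_instance_lock || exit 0 right after parsing its arguments and release_instance_lock from a trap on EXIT. If the message appears and no adblock process is actually running, the pid file is stale; this version clears it on the next run, whereas a plain check would need the file removed by hand.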
     
  93. ambiance

    ambiance Networkin' Nut Member

    @Filpos If you're running Adblock Plus then make sure Allow Acceptable Ads is unchecked.
     
  94. mswells

    mswells New Member Member

    Adblock shows its running when I issue the following command: nslookup adblock.is.loaded || /opt/bin/adblock.sh cron &

    I am not seeing the AdBlock Menu option in the left pane in Tomato. How do I get the Adblock Menu to appear in Tomato?
    I installed using automated script to my /jffs/adblock in my RT-N66U Shibby Tomato router.
     
  95. Filpos

    Filpos Reformed Router Member

    Type: /jffs/adblock/adblock.sh cron, in the Tools; System Commands.
    And you should see following lines:
    "Creating web link /www/user/adblock.sh
    Web interface should be available at http://xxx.xxx.xxx.xxx/user/adblock.sh
    Adding tomato menu item"

    @ambiance: Well I would not run the ABP but now i kinda have to cos it is the only thing blocking those pesky youtube ads in the beginning of videos. Tomato's AB seems to block everything else just fine.
     
  96. ambiance

    ambiance Networkin' Nut Member

    @Filpos I still use it to clean up the blocked elements on websites. I've recently been using uBlock Origin instead, but haven't had issues with either.
     
  97. AtTheAsylum

    AtTheAsylum LI Guru Member

    If anyone is interested, I got pixelserv-tls working on Shibby Tomato Firmware 1.28.0000 -138 K26ARM USB AIO-64K on my Asus RT-AC68U. Involves using command line and ssh'ing into your router, so skip it if you're not comfortable with that :)

    This allows pixelserv to also respond to requests for adverts on port 443 (ie: encrypted TLS/HTTPS).

    0. Stop the current install of adblock.
    1. Download pixelserv-tls from https://github.com/kvic-z/pixelserv-tls/releases/tag/V35.HZ12.Kh and unzip.
    2. Copy "pixelserv.arm.performance.static" into your adblock install directory (/tmp/mnt/sda2/adblock in my case).
    3. Delete the "pixelserv" symlink in your adblock install directory:
    rm pixelserv
    4. Recreate the symlink to pixelserv-tls:
    ln -s pixelserv.arm.performance.static pixelserv
    5. Create a directory to cache the TLS certificates needed and collected by pixelserv-tls (/tmp/mnt/sda2/adblock/cache in my case) and cd into it:
    mkdir cache; cd cache
    6. Generate a Root CA certificate. Needed for TLS/HTTPS. You will need a Mac/Linux for this or a way to run 'openssl' on Windows:
    openssl genrsa -out ca.key 1024
    openssl req -key ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca.crt -subj "/CN=Pixelserv CA"
    7. Copy ca.key and ca.crt generated in step 6 into your cache directory.
    8. Edit adblock.sh and change the line:
    PIXEL_OPTS=""
    to:
    PIXEL_OPTS="-z /tmp/mnt/sda2/adblock/cache -u root"
    Take note of the -z parameter and make sure it points to the cache directory created in step 5.
    9. Edit adblockweb.sh and change the line:
    pixmsg="$(wget -q -t 1 -T 5 -O - "http://$redirip/servstats" 2>/dev/null || echo error)"
    to:
    pixmsg="$(wget -q -t 1 -T 5 -O - "http://$redirip/servstats.txt" 2>/dev/null || echo error)"
    10. (Optional - fixes a bug in the original code) In adblock.sh change the line:
    local lanport=$(nvram get http_lanport)
    to:
    lanport=$(nvram get http_lanport)
    11. Restart adblock.

    It's complicated but it works, mostly. There seems to be an issue when editing the adblock config from within the web UI. When saving it reports an error even though there are none. Will keep working on this bit :)
     
    Last edited: Oct 24, 2016
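    Steps 5 to 7 above as one script, added here as an example and not part of pixelserv-tls or adblock: it creates the ca.key/ca.crt pair pixelserv-tls expects in its cache directory and then verifies the result before the key is deployed. It differs from the post's commands in two ways that I'd recommend: a 2048-bit key instead of 1024 (1024-bit RSA is deprecated by NIST and rejected by current browsers, which defeats the point of importing the CA), and the private key is written under umask 077 so only root can read it. Since this CA can sign a certificate for any name, the cache directory is the most sensitive file on the router once it exists. CACHE_DIR is an assumed path matching the post's example.

```shell
#!/bin/sh
# Added example, not pixelserv-tls's own tooling: generate and verify the
# root CA that pixelserv-tls reads from its "-z" cache directory.
CACHE_DIR="${CACHE_DIR:-/tmp/mnt/sda2/adblock/cache}"   # assumed path

# Create ca.key (2048-bit RSA, mode 0600) and ca.crt in $1 (default CACHE_DIR).
# Returns 0 on success, 1 if any step fails.
make_pixelserv_ca() {
    local dir="${1:-$CACHE_DIR}"
    mkdir -p "$dir" || return 1
    # umask in a subshell so the restrictive mode does not leak to the caller
    ( umask 077; openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null ) || return 1
    openssl req -key "$dir/ca.key" -new -x509 -days 3650 -sha256 \
        -extensions v3_ca -subj "/CN=Pixelserv CA" -out "$dir/ca.crt" 2>/dev/null
}

# Return 0 if $1/ca.crt is a CA certificate (basicConstraints CA:TRUE) whose
# public key matches $1/ca.key. pixelserv-tls needs both properties to mint
# the per-site certificates clients will accept after importing ca.crt.
verify_pixelserv_ca() {
    local dir="${1:-$CACHE_DIR}" cert_mod key_mod
    openssl x509 -in "$dir/ca.crt" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || return 1
    cert_mod=$(openssl x509 -in "$dir/ca.crt" -noout -modulus 2>/dev/null)
    key_mod=$(openssl rsa -in "$dir/ca.key" -noout -modulus 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}
```

    Run make_pixelserv_ca on the machine with openssl, copy the two files into the -z directory on the router, and run verify_pixelserv_ca there before restarting adblock; a mismatched or non-CA pair is the usual reason pixelserv-tls serves nothing on 443.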
  98. Frequenzy

    Frequenzy Networkin' Nut Member

    doesn't the latest hunter pixelserv already block ads on port 443?
     
  99. AtTheAsylum

    AtTheAsylum LI Guru Member

    You know - I think it does :)

    Looking at it though, I couldn't figure out how to add a certificate? I also like pixelserv-tls's stats page in that it reports on the number of https connections.
     
  100. jerrm

    jerrm Network Guru Member

    pixelserv handles https by returning an error code during the certificate negotiation phase to hopefully quickly and cleanly keep the client from retrying.

    pixelserv-tls generates spoofed certificates for requested sites so that it can deliver the dummy data - 1px gif, null txt, etc - to the client. To get the best, no security warning results from clients, clients should have the generated pixelserv-tls ca imported.
     