[Release] Skynet - Router Firewall & Security Enhancements

Therion87

Regular Contributor
I get this error when trying to update banmalware.

Code:
[I] Downloading filter.list         | [1s]
[I] Refreshing Whitelists           | /jffs/scripts/firewall: line 5143: can't fork
/jffs/scripts/firewall: line 5143: can't fork
/jffs/scripts/firewall: line 5143: can't fork
[188s]
[I] Consolidating Blacklist         | [11s]
[I] Filtering IPv4 Addresses        | [5s]
[I] Filtering IPv4 Ranges           | [1s]
[I] Applying New Blacklist          | [10s]
[I] Refreshing AiProtect Bans       | [1s]
[I] Saving Changes                  | [5s]
 

dave14305

Part of the Furniture
Just run banmalware again or manually whitelist 1.1.1.1 to resolve the issue.
Since this would have affected anyone using Cloudflare for DoT in Merlin, perhaps an enhancement request would be to extract the DoT server IPs in Whitelist-Shared()? You'd need to read nvram dnspriv_rulelist if interested, and deal with the format.
 

Adamm

Part of the Furniture
I get this error when trying to update banmalware.

Code:
[I] Downloading filter.list         | [1s]
[I] Refreshing Whitelists           | /jffs/scripts/firewall: line 5143: can't fork
/jffs/scripts/firewall: line 5143: can't fork
/jffs/scripts/firewall: line 5143: can't fork
[188s]
[I] Consolidating Blacklist         | [11s]
[I] Filtering IPv4 Addresses        | [5s]
[I] Filtering IPv4 Ranges           | [1s]
[I] Applying New Blacklist          | [10s]
[I] Refreshing AiProtect Bans       | [1s]
[I] Saving Changes                  | [5s]
You can safely ignore this for now. I've tracked down the issue to the Whitelist_Shared () function being overwhelmed by large "shared-*-Whitelist" files. Unfortunately I have to catch a flight in the morning so the fix will have to wait a few days until I get back.

Background from the maintainer: https://gitlab.com/ZeroDot1/CoinBlockerLists/issues/53

Firehol.org isn't updated yet, will likely update overnight.
This is very disappointing, such popular lists should have a lot more checks in place to prevent 27,000 incorrect entries being pushed unnoticed. :rolleyes:

Hopefully this didn't affect too many Skynet users, I personally didn't notice as I have Cloudflare set as my DNS server so it was automatically whitelisted.

Since this would have affected anyone using Cloudflare for DoT in Merlin, perhaps an enhancement request would be to extract the DoT server IPs in Whitelist-Shared()? You'd need to read nvram dnspriv_rulelist if interested, and deal with the format.
Interesting idea, perhaps we can also grab the other unlisted servers too (we currently only whitelist the regular dns nvram values). I'll look into it when I get back
 

dave14305

Part of the Furniture
Interesting idea, perhaps we can also grab the other unlisted servers too (we currently only whitelist the regular dns nvram values). I'll look into it when I get back
I was playing with that nasty format and thanks to Stackoverflow.com, came up with
Code:
nvram get dnspriv_rulelist | sed '/\n/!s/[0-9.]\+/\n&\n/;/^\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}\n/P;D'
9.9.9.9
149.112.112.112
145.100.185.15
Or if you want all (I'd prefer only the selected DoT servers, especially if they're custom added in the GUI)
Code:
cat /rom/dot-servers.dat | sed '/\n/!s/[0-9.]\+/\n&\n/;/^\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}\n/P;D'
 

mongodb

Occasional Visitor
Came here to say that 1.1.1.1 was blocked but have seen other people flag that false-positive too. I've unbanned it for now and alls good again. Cheers.
 

Adamm

Part of the Furniture
I've pushed v6.9.0

Code:
Significantly optimize Domain_Lookup()
Add DNS-Over-TLS servers to Whitelist
Wait for lists to process during Whitelist_Shared () if over 150 entries to prevent fork errors on HND platform
The main goal of this release is to try to mitigate the (annoying!) "cannot fork" errors. This is quite a complex issue and to be honest doesn't make much sense on paper, I suspect it's tied to the HND platform at a lower level.

With that being said, I was finally able to reproduce the issue consistently by generating a large shared-*-whitelist file. It appears that once these files have a combined total of 200-300 lines the firmware can't handle the load of parallel processing. To mitigate this, if Skynet detects a combined list size of over 150 entries it will process the contents in batches and wait until everything has completed before moving on. If your list size is under this limit you should notice no difference and see slightly faster results due to the Domain_Lookup optimizations.

Skynet will now also whitelist your DoT servers by default (in addition to the regular DNS server values).


Feedback would be appreciated if you previously experienced these fork errors. @Therion87 @Ubimo
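The batching described in the release notes above, as an added example that is not Skynet's own code: a large list is processed in bounded batches of background jobs, and each batch is waited on before the next starts, so the number of concurrent processes on the router stays capped. The 150-entry threshold comes from the post; the batch size of 50, the hostname sample and the placeholder per-entry work are assumptions. Batch boundaries are taken with sed line ranges rather than the split applet.

```shell
#!/bin/sh
# Added example, not Skynet's own code: run per-entry work for a large list in
# bounded batches and wait for each batch before starting the next, so the
# number of concurrent processes stays capped. Batches are cut with sed line
# ranges, so nothing here depends on the busybox split applet.

THRESHOLD=150   # from the thread: at or below this many entries, one batch runs everything
BATCH=50        # assumption: concurrent jobs per batch; tune to the platform

# Constructed input: n placeholder hostnames, one per line.
make_sample_list() {
    awk -v n="$1" 'BEGIN { for (i = 1; i <= n; i++) printf "host%d.example\n", i }'
}

# Stand-in for the real per-entry work (Skynet resolves entries here); it only
# appends the entry to the results file so the run can be counted afterwards.
process_entry() {
    printf '%s\n' "$1" >> "$2"
}

# $1 = list file, $2 = results file. Prints the number of entries processed.
process_in_batches() {
    list=$1; out=$2
    total=$(wc -l < "$list" | tr -d ' ')
    : > "$out"
    if [ "$total" -le "$THRESHOLD" ]; then
        size=$total            # small list: a single batch, no behaviour change
    else
        size=$BATCH
    fi
    start=1
    while [ "$start" -le "$total" ]; do
        end=$((start + size - 1))
        for entry in $(sed -n "${start},${end}p" "$list"); do
            process_entry "$entry" "$out" &
        done
        wait                   # the next batch starts only when this one is fully done
        start=$((end + 1))
    done
    wc -l < "$out" | tr -d ' '
}

# Stand-alone run: 320 entries, so batching kicks in.
demo_list=$(mktemp); demo_results=$(mktemp)
make_sample_list 320 > "$demo_list"
echo "processed $(process_in_batches "$demo_list" "$demo_results") entries"
rm -f "$demo_list" "$demo_results"
```

The `wait` after each batch is what bounds the process count; without it the loop would fork one job per entry at once, which is the situation the "can't fork" errors point to.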
 

Therion87

Regular Contributor
I've pushed v6.9.0

Code:
Significantly optimize Domain_Lookup()
Add DNS-Over-TLS servers to Whitelist
Wait for lists to process during Whitelist_Shared () if over 150 entries to prevent fork errors on HND platform
The main goal of this release is to try to mitigate the (annoying!) "cannot fork" errors. This is quite a complex issue and to be honest doesn't make much sense on paper, I suspect it's tied to the HND platform at a lower level.

With that being said, I was finally able to reproduce the issue consistently by generating a large shared-*-whitelist file. It appears that once these files have a combined total of 200-300 lines the firmware can't handle the load of parallel processing. To mitigate this, if Skynet detects a combined list size of over 150 entries it will process the contents in batches and wait until everything has completed before moving on. If your list size is under this limit you should notice no difference and see slightly faster results due to the Domain_Lookup optimizations.

Skynet will now also whitelist your DoT servers by default (in addition to the regular DNS server values).


Feedback would be appreciated if you previously experienced these fork errors. @Therion87 @Ubimo
Thanks for the update @Adamm

I am currently getting this error after the update and running a ban malware update.

Code:
[i] Downloading filter.list         | [0s]
[i] Refreshing Whitelists           | /jffs/scripts/firewall: line 5162: split: not found
/jffs/scripts/firewall: line 5162: can't open *: no such file
[5s]
[i] Consolidating Blacklist         | [25s]
[i] Filtering IPv4 Addresses        | [5s]
[i] Filtering IPv4 Ranges           | [1s]
[i] Applying New Blacklist          | [10s]
[i] Refreshing AiProtect Bans       | [1s]
[i] Saving Changes                  | [5s]
I am using a hosted whitelist with Diversion, with under 200 entries. I only have one whitelist in Skynet and that is for 1.1.1.1

If there is anything else that I can pull that would help. Let me know.

UPDATE:

I get the error on the RT-AC88U. I maintain an RT-AC86U for a friend. Same setup and blocking lists. I do not get that error.

Thanks,
 

Adamm

Part of the Furniture
I am currently getting this error after the update and running a ban malware update.
Okay that's odd, I assumed built-in binaries were identical between models o_O

Mind posting the output of:

Code:
which split
ls /usr/bin
 

dave14305

Part of the Furniture
Skynet will now also whitelist your DoT servers by default (in addition to the regular DNS server values).
I'm not sure of your position on supporting John's fork equally, but is it palatable to add a check for the similar stubby_dns variable for the same DoT whitelisting (IPv4 only)?
Code:
nvram get stubby_dns
<Quad 9 Secure Primary>9.9.9.9>2620:fe::fe>853>dns.quad9.net>>>yes>yes<Quad 9 Secure Secondary>149.112.112.112>2620:fe::9>853>dns.quad9.net>>>yes>yes
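An added example (not from the thread or the Skynet project) that covers both the dnspriv_rulelist extraction dave14305 worked out earlier and the stubby_dns case above. Like the sed one-liner, it treats the record as a ">"-delimited string and does not depend on the exact field layout (the dnspriv_rulelist layout is not shown in the thread), but it goes one step further and rejects dotted quads with an octet above 255 before emitting whitelist entries. The stubby_dns sample value is the one quoted above; the ipset name, the `nvram` availability check and the fallback argument are assumptions.

```shell
#!/bin/sh
# Added example, not Skynet's own code: pull IPv4 addresses out of the
# ">"-delimited DoT server records stored in nvram (dnspriv_rulelist on
# Asuswrt-Merlin, stubby_dns on John's fork) and validate each octet before
# the address is trusted as a whitelist entry.

# Constructed sample: the stubby_dns value quoted in the thread.
SAMPLE_STUBBY='<Quad 9 Secure Primary>9.9.9.9>2620:fe::fe>853>dns.quad9.net>>>yes>yes<Quad 9 Secure Secondary>149.112.112.112>2620:fe::9>853>dns.quad9.net>>>yes>yes'

# Split the record on '<' and '>' so each field is on its own line, keep the
# fields shaped like dotted quads, reject any octet above 255, and drop
# duplicates while preserving order. Hostnames (dns.quad9.net), ports and
# IPv6 literals never match the four-numeric-field shape.
extract_ipv4() {
    tr '<>' '\n\n' | awk -F. '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
        $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 &&
        !seen[$0]++
    '
}

# Read the named nvram variable on the router; off-router (no nvram binary,
# which is the case when this example runs on a workstation) use $2 instead.
dot_server_ips() {
    if command -v nvram >/dev/null 2>&1; then
        value=$(nvram get "$1")
    else
        value=$2
    fi
    printf '%s\n' "$value" | extract_ipv4
}

# Emit "ipset add" commands for the whitelist set instead of running them, so
# the entries can be reviewed before they reach the firewall. The comment
# mirrors the "nvram: <variable>" tag seen in the thread's ipset listing.
whitelist_cmds() {
    # $1 = ipset name, $2 = nvram variable, $3 = fallback value
    dot_server_ips "$2" "$3" | awk -v set="$1" -v var="$2" \
        '{ printf "ipset add %s %s comment \"nvram: %s\"\n", set, $1, var }'
}

whitelist_cmds Skynet-Whitelist stubby_dns "$SAMPLE_STUBBY"
```

The octet check matters because the sed pattern `[0-9]\{1,3\}` accepts strings such as `300.1.1.1`; feeding those to `ipset add` fails noisily at best, so validating first keeps a malformed nvram value from aborting the whole whitelist refresh.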
 

Therion87

Regular Contributor
Okay that's odd, I assumed built-in binaries were identical between models o_O

Mind posting the output of:

Code:
which split
ls /usr/bin
Code:
[email protected]:/tmp/home/root# which split
[email protected]:/tmp/home/root# ls /usr/bin
[                        dos2unix                 logger                   scp                      tr
[[                       dropbearkey              lsusb                    sdparm                   traceroute
ad                       dropbearmulti            md5sum                   smbpasswd                traceroute6
afppasswd                du                       nano                     sort                     tty
awk                      env                      nc                       ssh                      uniconv
basename                 expr                     net-snmp-config          strings                  uniq
clear                    find                     net-snmp-create-v3-user  tail                     unix2dos
cmp                      flock                    nohup                    taskset                  unzip
crontab                  free                     nslookup                 tee                      uptime
cut                      ftpget                   printf                   telnet                   wc
dbclient                 ftpput                   pscan                    test                     which
dbd                      head                     readlink                 tftp                     xargs
diff                     killall                  renice                   time
dirname                  less                     rnano                    top
 

Adamm

Part of the Furniture
Code:
[email protected]:/tmp/home/root# which split
[email protected]:/tmp/home/root# ls /usr/bin
[                        dos2unix                 logger                   scp                      tr
[[                       dropbearkey              lsusb                    sdparm                   traceroute
ad                       dropbearmulti            md5sum                   smbpasswd                traceroute6
afppasswd                du                       nano                     sort                     tty
awk                      env                      nc                       ssh                      uniconv
basename                 expr                     net-snmp-config          strings                  uniq
clear                    find                     net-snmp-create-v3-user  tail                     unix2dos
cmp                      flock                    nohup                    taskset                  unzip
crontab                  free                     nslookup                 tee                      uptime
cut                      ftpget                   printf                   telnet                   wc
dbclient                 ftpput                   pscan                    test                     which
dbd                      head                     readlink                 tftp                     xargs
diff                     killall                  renice                   time
dirname                  less                     rnano                    top

Weird, @RMerlin any chance we can get split added (to non HND devices I assume) for consistency? Would be a huge help.

@Therion87 for the time being you can install the "coreutils-split" package from Entware, that will temporarily resolve the issue.
 

Therion87

Regular Contributor
Weird, @RMerlin any chance we can get split added (to non HND devices I assume) for consistency? Would be a huge help.

@Therion87 for the time being you can install the "coreutils-split" package from Entware, that will temporarily resolve the issue.
New outputs with split installed.

Code:
[email protected]:/tmp/home/root# which split
/opt/bin/split
[email protected]:/tmp/home/root# ls /usr/bin/
[                        dos2unix                 logger                   scp                      tr
[[                       dropbearkey              lsusb                    sdparm                   traceroute
ad                       dropbearmulti            md5sum                   smbpasswd                traceroute6
afppasswd                du                       nano                     sort                     tty
awk                      env                      nc                       ssh                      uniconv
basename                 expr                     net-snmp-config          strings                  uniq
clear                    find                     net-snmp-create-v3-user  tail                     unix2dos
cmp                      flock                    nohup                    taskset                  unzip
crontab                  free                     nslookup                 tee                      uptime
cut                      ftpget                   printf                   telnet                   wc
dbclient                 ftpput                   pscan                    test                     which
dbd                      head                     readlink                 tftp                     xargs
diff                     killall                  renice                   time
dirname                  less                     rnano                    top
[email protected]:/tmp/home/root#
The error is gone during a ban malware update.

Thanks for the help @Adamm
 

Adamm

Part of the Furniture
I'm not sure of your position on supporting John's fork equally, but is it palatable to add a check for the similar stubby_dns variable for the same DoT whitelisting (IPv4 only)?
Code:
nvram get stubby_dns
<Quad 9 Secure Primary>9.9.9.9>2620:fe::fe>853>dns.quad9.net>>>yes>yes<Quad 9 Secure Secondary>149.112.112.112>2620:fe::9>853>dns.quad9.net>>>yes>yes
I pushed a hotfix with support for John's fork.

The error is gone during a ban malware update.
Perfect. Once I hear back from Merlin I can act accordingly.
 

Twiglets

Senior Member
Many thanks for the latest Skynet!!!

'Fork' errors have gone!!! :)
 

dave14305

Part of the Furniture
I pushed a hotfix with support for John's fork.
Looking good! Thanks!
Code:
# ipset list Skynet-Whitelist | grep stubby
9.9.9.9 comment "nvram: stubby_dns"
149.112.112.112 comment "nvram: stubby_dns"
 

dave14305

Part of the Furniture
Another fork-related item for the backlog/wishlist:

When Enable DoS Protection is enabled (fw_dos_x=1), the Unload_IPTables misses the deletion of the logdrop rule because the format is slightly different on John's fork. Without DoS protection, it works fine.

Code:
-A logdrop -m state --state NEW -m limit --limit 4/sec -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
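An added example (not Skynet's own code) of the cleanup approach that avoids this class of miss: instead of deleting the logdrop LOG rule with a hard-coded option string, find it in `iptables-save` output by chain and log prefix and build the `-D` command from the saved line itself, so any extra options the fork appends (`--log-tcp-sequence --log-tcp-options --log-ip-options`) are carried along. The sample ruleset is constructed around the rule quoted above; the chain name and prefix arguments are assumptions.

```shell
#!/bin/sh
# Added example, not Skynet's own code: locate a chain's LOG rule in
# iptables-save output by chain name and log prefix, and derive the matching
# delete command from the saved line. Because the whole option string is copied
# from the live rule, a fork that appends extra LOG options is still matched.

# Constructed iptables-save excerpt; the logdrop LOG rule is the one quoted in
# the thread.
SAMPLE_RULES='-A INPUT -m state --state INVALID -j DROP
-A logdrop -m state --state NEW -m limit --limit 4/sec -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP'

# Read iptables-save lines on stdin; print an "iptables -D ..." command for each
# rule appended to chain $1 that jumps to LOG with log prefix $2. Matching on
# the "-j LOG --log-prefix" fragment ignores whatever options follow it.
log_rule_delete_cmds() {
    awk -v chain="$1" -v prefix="$2" '
        $1 == "-A" && $2 == chain &&
        index($0, "-j LOG --log-prefix \"" prefix "\"") {
            sub(/^-A /, "iptables -D ")
            print
        }'
}

# On a router (assumption: iptables-save on PATH) the live ruleset is the input:
#   iptables-save | log_rule_delete_cmds logdrop "DROP "
# Stand-alone run on the constructed sample:
printf '%s\n' "$SAMPLE_RULES" | log_rule_delete_cmds logdrop "DROP "
```

The function only prints the delete commands; review the output before executing it, since a too-broad chain or prefix argument would remove rules you meant to keep.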
 

RMerlin

Asuswrt-Merlin dev
Weird, @RMerlin any chance we can get split added (to non HND devices I assume) for consistency? Would be a huge help.
Busybox options are identical for all models, HND doesn't get different options.
 

Adamm

Part of the Furniture
Another fork-related item for the backlog/wishlist:

When Enable DoS Protection is enabled (fw_dos_x=1), the Unload_IPTables misses the deletion of the logdrop rule because the format is slightly different on John's fork. Without DoS protection, it works fine.

Code:
-A logdrop -m state --state NEW -m limit --limit 4/sec -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
https://github.com/Adamm00/IPSet_ASUS/commit/8b90b07a512029d14aa54ba147acc83a8345afe3

Busybox options are identical for all models, HND doesn't get different options.
Not sure how to explain it then; I assumed the config files were out of sync as Busybox has split included on my AX88U. As you can see from the output in this post, it isn't included on the RT-AC3100.

Code:
[email protected]:/usr/sbin# split --help
BusyBox v1.25.1 (2019-10-10 16:59:57 AEST) multi-call binary.

Usage: split [OPTIONS] [INPUT [PREFIX]]

    -b N[k|m]    Split by N (kilo|mega)bytes
    -l N        Split by N lines
    -a N        Use N letters as suffix
 

RMerlin

Asuswrt-Merlin dev
https://github.com/Adamm00/IPSet_ASUS/commit/8b90b07a512029d14aa54ba147acc83a8345afe3

Not sure how to explain it then; I assumed the config files were out of sync as Busybox has split included on my AX88U. As you can see from the output in this post, it isn't included on the RT-AC3100.

Code:
[email protected]:/usr/sbin# split --help
BusyBox v1.25.1 (2019-10-10 16:59:57 AEST) multi-call binary.

Usage: split [OPTIONS] [INPUT [PREFIX]]

    -b N[k|m]    Split by N (kilo|mega)bytes
    -l N        Split by N lines
    -a N        Use N letters as suffix
Don't know why it would be enabled then, the only instance in the source code that enables that applet is if the router is compiled with DSL_TCLINUX (i.e. for DSL modem/routers).
 
