Skynet - Router Firewall & Security Enhancements


I get this error when trying to update banmalware.

Code:
[I] Downloading filter.list         | [1s]
[I] Refreshing Whitelists           | /jffs/scripts/firewall: line 5143: can't fork
/jffs/scripts/firewall: line 5143: can't fork
/jffs/scripts/firewall: line 5143: can't fork
[188s]
[I] Consolidating Blacklist         | [11s]
[I] Filtering IPv4 Addresses        | [5s]
[I] Filtering IPv4 Ranges           | [1s]
[I] Applying New Blacklist          | [10s]
[I] Refreshing AiProtect Bans       | [1s]
[I] Saving Changes                  | [5s]
 
Just run banmalware again or manually whitelist 1.1.1.1 to resolve the issue.
Since this would have affected anyone using Cloudflare for DoT in Merlin, perhaps an enhancement request would be to extract the DoT server IPs in Whitelist-Shared()? You'd need to read nvram dnspriv_rulelist if interested, and deal with the format.
 
I get this error when trying to update banmalware.

Code:
[I] Downloading filter.list         | [1s]
[I] Refreshing Whitelists           | /jffs/scripts/firewall: line 5143: can't fork
/jffs/scripts/firewall: line 5143: can't fork
/jffs/scripts/firewall: line 5143: can't fork
[188s]
[I] Consolidating Blacklist         | [11s]
[I] Filtering IPv4 Addresses        | [5s]
[I] Filtering IPv4 Ranges           | [1s]
[I] Applying New Blacklist          | [10s]
[I] Refreshing AiProtect Bans       | [1s]
[I] Saving Changes                  | [5s]

You can safely ignore this for now. I've tracked down the issue to the Whitelist_Shared () function being overwhelmed by large "shared-*-Whitelist" files. Unfortunately I have to catch a flight in the morning so the fix will have to wait a few days until I get back.

Background from the maintainer: https://gitlab.com/ZeroDot1/CoinBlockerLists/issues/53

Firehol.org isn't updated yet, will likely update overnight.

This is very disappointing, such popular lists should have a lot more checks in place to prevent 27,000 incorrect entries being pushed unnoticed. :rolleyes:

Hopefully this didn't affect too many Skynet users, I personally didn't notice as I have cloudflare set as my dns server so it was automatically whitelisted.

Since this would have affected anyone using Cloudflare for DoT in Merlin, perhaps an enhancement request would be to extract the DoT server IPs in Whitelist-Shared()? You'd need to read nvram dnspriv_rulelist if interested, and deal with the format.

Interesting idea, perhaps we can also grab the other unlisted servers too (we currently only whitelist the regular dns nvram values). I'll look into it when I get back.
 
Interesting idea, perhaps we can also grab the other unlisted servers too (we currently only whitelist the regular dns nvram values). I'll look into it when I get back.
I was playing with that nasty format and thanks to Stackoverflow.com, came up with
Code:
nvram get dnspriv_rulelist | sed '/\n/!s/[0-9.]\+/\n&\n/;/^\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}\n/P;D'
9.9.9.9
149.112.112.112
145.100.185.15
Or if you want all (I'd prefer only the selected DoT servers, especially if they're custom added in the GUI)
Code:
cat /rom/dot-servers.dat | sed '/\n/!s/[0-9.]\+/\n&\n/;/^\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}\n/P;D'
 
Came here to say that 1.1.1.1 was blocked but have seen other people flag that false-positive too. I've unbanned it for now and all's good again. Cheers.
 
I've pushed v6.9.0

Code:
Significantly optimize Domain_Lookup()
Add DNS-Over-TLS servers to Whitelist
Wait for lists to process during Whitelist_Shared () if over 150 entries to prevent fork errors on HND platform

The main goal of this release is to try to mitigate the (annoying!) "cannot fork" errors. This is quite a complex issue and to be honest doesn't make much sense on paper; I suspect it's tied to the HND platform at a lower level.

With that being said, I was finally able to reproduce the issue consistently by generating a large shared-*-whitelist file; it appears once these files have a combined total of 200-300 lines the firmware can't handle the load of parallel processing. To mitigate this, if Skynet detects a combined list size of over 150 entries it will process the contents in batches and wait until everything has completed before moving on. If your list size is under this limit you should notice no difference and see slightly faster results due to the Domain_Lookup optimizations.

Skynet will now also whitelist your DOT servers by default (in addition to the regular DNS server values).


Feedback would be appreciated if you previously experienced these fork errors. @Therion87 @Ubimo
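To make the batching mitigation concrete, here is an added shell sketch of the "process in batches, then wait" idea. It is not Skynet's own code: the sample whitelist file and the lookup_entry() stand-in for Domain_Lookup() are constructed for the example, and the 150-entry threshold is passed in as a parameter. It slices the list with sed line ranges instead of split(1), so it also runs on a busybox without the split applet.

```shell
#!/bin/sh
# Added example, not Skynet's own code: a shell sketch of the "process in batches and
# wait" mitigation for the "can't fork" errors. Entries are sliced with sed line ranges
# rather than split(1), which matters on models whose busybox lacks the split applet.

# write_sample_list FILE: constructed stand-in for a shared-*-whitelist file (7 hosts)
write_sample_list() {
    printf 'a.example\nb.example\nc.example\nd.example\ne.example\nf.example\ng.example\n' > "$1"
}

# lookup_entry ENTRY OUTFILE: hypothetical per-entry job standing in for Domain_Lookup();
# a real version would resolve the host and add its addresses to the whitelist ipset.
lookup_entry() {
    printf 'resolved %s\n' "$1" >> "$2"
}

# batch_lookup LIST THRESHOLD BATCH OUTFILE
# If LIST has at most THRESHOLD lines, every lookup is started at once (the original
# behaviour). Otherwise the list is processed BATCH lines at a time, and each batch is
# waited on before the next starts, so no more than BATCH lookups run concurrently.
# Prints the number of batches that were run.
batch_lookup() {
    list="$1"; threshold="$2"; batch="$3"; out="$4"
    : > "$out"
    total=$(wc -l < "$list" | tr -d ' ')
    if [ "$total" -le "$threshold" ]; then
        batch="$total"
    fi
    start=1
    batches=0
    while [ "$start" -le "$total" ]; do
        end=$((start + batch - 1))
        # The braces keep 'wait' in the same subshell that forked the jobs, so it
        # really blocks until every lookup of this batch has exited.
        sed -n "${start},${end}p" "$list" | {
            while IFS= read -r entry; do
                lookup_entry "$entry" "$out" &
            done
            wait
        }
        batches=$((batches + 1))
        start=$((end + 1))
    done
    echo "$batches"
}

# Stand-alone run: 7 entries, threshold 5, batches of 3 -> prints 3
tmpdir=$(mktemp -d)
write_sample_list "$tmpdir/list"
batch_lookup "$tmpdir/list" 5 3 "$tmpdir/out"
```

With a threshold of 150 the sample list is processed in a single parallel burst; with a threshold of 5 the same seven entries go through three batches, and the output file ends up with all seven results either way.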
 
I've pushed v6.9.0

Code:
Significantly optimize Domain_Lookup()
Add DNS-Over-TLS servers to Whitelist
Wait for lists to process during Whitelist_Shared () if over 150 entries to prevent fork errors on HND platform

The main goal of this release is to try to mitigate the (annoying!) "cannot fork" errors. This is quite a complex issue and to be honest doesn't make much sense on paper; I suspect it's tied to the HND platform at a lower level.

With that being said, I was finally able to reproduce the issue consistently by generating a large shared-*-whitelist file; it appears once these files have a combined total of 200-300 lines the firmware can't handle the load of parallel processing. To mitigate this, if Skynet detects a combined list size of over 150 entries it will process the contents in batches and wait until everything has completed before moving on. If your list size is under this limit you should notice no difference and see slightly faster results due to the Domain_Lookup optimizations.

Skynet will now also whitelist your DOT servers by default (in addition to the regular DNS server values).


Feedback would be appreciated if you previously experienced these fork errors. @Therion87 @Ubimo

Thanks for the update @Adamm

I am currently getting this error after the update and running a ban malware update.

Code:
[i] Downloading filter.list         | [0s]
[i] Refreshing Whitelists           | /jffs/scripts/firewall: line 5162: split: not found
/jffs/scripts/firewall: line 5162: can't open *: no such file
[5s]
[i] Consolidating Blacklist         | [25s]
[i] Filtering IPv4 Addresses        | [5s]
[i] Filtering IPv4 Ranges           | [1s]
[i] Applying New Blacklist          | [10s]
[i] Refreshing AiProtect Bans       | [1s]
[i] Saving Changes                  | [5s]

I am using a hosted whitelist with Diversion, with under 200 entries. I only have one whitelist in Skynet and that is for 1.1.1.1

If there is anything else that I can pull that would help. Let me know.

UPDATE:

I get the error on the RT-AC88U. I maintain an RT-AC86U for a friend. Same setup and blocking lists. I do not get that error.

Thanks,
 
I am currently getting this error after the update and running a ban malware update.

Okay that's odd, I assumed built-in binaries were identical between models o_O

Mind posting the output of;

Code:
which split
ls /usr/bin
 
Skynet will now also whitelist your DOT servers by default (in addition to the regular DNS server values).
I'm not sure of your position on supporting John's fork equally, but is it palatable to add a check for the similar stubby_dns variable for the same DoT whitelisting (IPv4 only)?
Code:
nvram get stubby_dns
<Quad 9 Secure Primary>9.9.9.9>2620:fe::fe>853>dns.quad9.net>>>yes>yes<Quad 9 Secure Secondary>149.112.112.112>2620:fe::9>853>dns.quad9.net>>>yes>yes
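Both the dnspriv_rulelist sed trick posted earlier and this stubby_dns value are '<' and '>' delimited records, so one tokenizer covers both. The script below is an added example, not Skynet's code or anything from the fork: it runs on a constructed copy of the stubby_dns value quoted above, and on a router you would feed it "$(nvram get dnspriv_rulelist)" or "$(nvram get stubby_dns)" instead. Unlike the bare digits-and-dots regex, it also rejects octets above 255 and de-duplicates, so a mangled entry cannot land in the whitelist.

```shell
#!/bin/sh
# Added example (not Skynet's code). Merlin's dnspriv_rulelist and the stubby_dns value
# on John's fork are both '<' and '>' delimited records, so the same tokenizer pulls the
# IPv4 server addresses out of either. Constructed sample mirroring the quoted value:
SAMPLE_STUBBY_DNS='<Quad 9 Secure Primary>9.9.9.9>2620:fe::fe>853>dns.quad9.net>>>yes>yes<Quad 9 Secure Secondary>149.112.112.112>2620:fe::9>853>dns.quad9.net>>>yes>yes'

# extract_ipv4 VALUE
# Prints each distinct dotted-quad field in VALUE, one per line, in first-seen order.
# IPv6 addresses, ports and hostnames never match the dotted-quad pattern, and the awk
# filter drops anything with an octet above 255.
extract_ipv4() {
    printf '%s\n' "$1" \
    | tr '<>' '\n\n' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
    | awk -F. '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 && !seen[$0]++'
}

# dot_servers_from_nvram
# On the router this would be:  extract_ipv4 "$(nvram get dnspriv_rulelist)"  (Merlin)
# or                            extract_ipv4 "$(nvram get stubby_dns)"        (John's fork)
# Here it uses the constructed sample so the script is self-contained.
dot_servers_from_nvram() {
    extract_ipv4 "$SAMPLE_STUBBY_DNS"
}

dot_servers_from_nvram
```

The output for the sample is the two Quad9 IPv4 addresses, which is exactly what a whitelisting function would then add to its set; the IPv6 addresses are left for a separate IPv6-aware step, matching the "IPv4 only" scope of the request.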
 
Okay that's odd, I assumed built-in binaries were identical between models o_O

Mind posting the output of;

Code:
which split
ls /usr/bin

Code:
Therion87@RT-AC3100-8910:/tmp/home/root# which split
Therion87@RT-AC3100-8910:/tmp/home/root# ls /usr/bin
[                        dos2unix                 logger                   scp                      tr
[[                       dropbearkey              lsusb                    sdparm                   traceroute
ad                       dropbearmulti            md5sum                   smbpasswd                traceroute6
afppasswd                du                       nano                     sort                     tty
awk                      env                      nc                       ssh                      uniconv
basename                 expr                     net-snmp-config          strings                  uniq
clear                    find                     net-snmp-create-v3-user  tail                     unix2dos
cmp                      flock                    nohup                    taskset                  unzip
crontab                  free                     nslookup                 tee                      uptime
cut                      ftpget                   printf                   telnet                   wc
dbclient                 ftpput                   pscan                    test                     which
dbd                      head                     readlink                 tftp                     xargs
diff                     killall                  renice                   time
dirname                  less                     rnano                    top
 
Code:
Therion87@RT-AC3100-8910:/tmp/home/root# which split
Therion87@RT-AC3100-8910:/tmp/home/root# ls /usr/bin
[                        dos2unix                 logger                   scp                      tr
[[                       dropbearkey              lsusb                    sdparm                   traceroute
ad                       dropbearmulti            md5sum                   smbpasswd                traceroute6
afppasswd                du                       nano                     sort                     tty
awk                      env                      nc                       ssh                      uniconv
basename                 expr                     net-snmp-config          strings                  uniq
clear                    find                     net-snmp-create-v3-user  tail                     unix2dos
cmp                      flock                    nohup                    taskset                  unzip
crontab                  free                     nslookup                 tee                      uptime
cut                      ftpget                   printf                   telnet                   wc
dbclient                 ftpput                   pscan                    test                     which
dbd                      head                     readlink                 tftp                     xargs
diff                     killall                  renice                   time
dirname                  less                     rnano                    top


Weird, @RMerlin any chance we can get split added (to non HND devices I assume) for consistency? Would be a huge help.

@Therion87 for the time being you can install the "coreutils-split" package from entware, that will temporarily resolve the issue.
 
Weird, @RMerlin any chance we can get split added (to non HND devices I assume) for consistency? Would be a huge help.

@Therion87 for the time being you can install the "coreutils-split" package from entware, that will temporarily resolve the issue.

New outputs with split installed.

Code:
Therion87@RT-AC3100-8910:/tmp/home/root# which split
/opt/bin/split
Therion87@RT-AC3100-8910:/tmp/home/root# ls /usr/bin/
[                        dos2unix                 logger                   scp                      tr
[[                       dropbearkey              lsusb                    sdparm                   traceroute
ad                       dropbearmulti            md5sum                   smbpasswd                traceroute6
afppasswd                du                       nano                     sort                     tty
awk                      env                      nc                       ssh                      uniconv
basename                 expr                     net-snmp-config          strings                  uniq
clear                    find                     net-snmp-create-v3-user  tail                     unix2dos
cmp                      flock                    nohup                    taskset                  unzip
crontab                  free                     nslookup                 tee                      uptime
cut                      ftpget                   printf                   telnet                   wc
dbclient                 ftpput                   pscan                    test                     which
dbd                      head                     readlink                 tftp                     xargs
diff                     killall                  renice                   time
dirname                  less                     rnano                    top
Therion87@RT-AC3100-8910:/tmp/home/root#

The error is gone during a ban malware update.

Thanks for the help @Adamm
 
I'm not sure of your position on supporting John's fork equally, but is it palatable to add a check for the similar stubby_dns variable for the same DoT whitelisting (IPv4 only)?
Code:
nvram get stubby_dns
<Quad 9 Secure Primary>9.9.9.9>2620:fe::fe>853>dns.quad9.net>>>yes>yes<Quad 9 Secure Secondary>149.112.112.112>2620:fe::9>853>dns.quad9.net>>>yes>yes

I pushed a hotfix with support for John's fork.

The error is gone during a ban malware update.

Perfect. Once I hear back from Merlin I can act accordingly.
 
Many Thanks for latest Skynet !!!

'Fork' errors have gone !!! :)
 
Another fork-related item for the backlog/wishlist:

When Enable DoS Protection is enabled (fw_dos_x=1), the Unload_IPTables misses the deletion of the logdrop rule because the format is slightly different on John's fork. Without DoS protection, it works fine.

Code:
-A logdrop -m state --state NEW -m limit --limit 4/sec -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
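One way to make that deletion robust against rule-format differences between firmwares is to stop re-typing the rule and instead delete whatever LOG rule the kernel currently holds in the logdrop chain. The script below is an added example, not Skynet's code: it reads iptables-save style lines (a constructed sample here, including the fork's -m limit variant quoted above) and emits the matching iptables -D commands as a dry run.

```shell
#!/bin/sh
# Added example, not Skynet's code. Instead of re-specifying the logdrop LOG rule to
# delete it (which misses when a fork adds options such as the -m limit clause), read
# the rule exactly as iptables-save reports it and turn that line into the delete
# command. Constructed sample in the shape of iptables-save output; on a router the
# input would come from:  iptables-save -t filter
SAMPLE_SAVE='-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -m state --state NEW -m limit --limit 4/sec -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP'

# logdrop_delete_cmds  < iptables-save-output
# Emits one "iptables -D logdrop ..." command for every LOG rule in the logdrop chain
# that carries the "DROP " log prefix, whatever other match options it has. The final
# -j DROP rule is left alone.
logdrop_delete_cmds() {
    awk '/^-A logdrop / && /-j LOG / && /--log-prefix "DROP "/ {
        sub(/^-A /, "iptables -D ")
        print
    }'
}

# Dry run: print the commands rather than executing them. To apply on the router,
# pipe the output to sh, e.g.  iptables-save | logdrop_delete_cmds | sh
printf '%s\n' "$SAMPLE_SAVE" | logdrop_delete_cmds
```

Because the delete command is built from the live rule text, the same function works whether the firmware added the -m limit clause or not, and it is safe to run when no matching rule exists (it simply prints nothing).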
 
Weird, @RMerlin any chance we can get split added (to non HND devices I assume) for consistency? Would be a huge help.

Busybox options are identical for all models, HND doesn't get different options.
 
Another fork-related item for the backlog/wishlist:

When Enable DoS Protection is enabled (fw_dos_x=1), the Unload_IPTables misses the deletion of the logdrop rule because the format is slightly different on John's fork. Without DoS protection, it works fine.

Code:
-A logdrop -m state --state NEW -m limit --limit 4/sec -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options

https://github.com/Adamm00/IPSet_ASUS/commit/8b90b07a512029d14aa54ba147acc83a8345afe3

Busybox options are identical for all models, HND doesn't get different options.

Not sure how to explain it then, I assumed the config files were out of sync as Busybox has split included on my AX88U. As you can see from the output in this post, it isn't included on the RT-AC3100.

Code:
skynet@RT-AX88U-DC28:/usr/sbin# split --help
BusyBox v1.25.1 (2019-10-10 16:59:57 AEST) multi-call binary.

Usage: split [OPTIONS] [INPUT [PREFIX]]

    -b N[k|m]    Split by N (kilo|mega)bytes
    -l N        Split by N lines
    -a N        Use N letters as suffix
 
https://github.com/Adamm00/IPSet_ASUS/commit/8b90b07a512029d14aa54ba147acc83a8345afe3



Not sure how to explain it then, I assumed the config files were out of sync as Busybox has split included on my AX88U. As you can see from the output in this post, it isn't included on the RT-AC3100.

Code:
skynet@RT-AX88U-DC28:/usr/sbin# split --help
BusyBox v1.25.1 (2019-10-10 16:59:57 AEST) multi-call binary.

Usage: split [OPTIONS] [INPUT [PREFIX]]

    -b N[k|m]    Split by N (kilo|mega)bytes
    -l N        Split by N lines
    -a N        Use N letters as suffix

Don't know why it would be enabled then, the only instance in the source code that enables that applet is if the router is compiled with DSL_TCLINUX (i.e. for DSL modem/routers).
 
