Skynet Skynet v8 - Router Firewall & Security Enhancements

[SG2088]

@Adamm Thanks so much for all the work you do and this great release! I did not mean anything harsh by my previous comment on 'testing before a production release'. I was just 'surprised' when the update happened although I had auto-updates disabled. All is good now.
BTW, I have been using skynet for years! I know some people say it may be 'overkill', but I to me, it does not hurt performance and it adds another layer, where to me, it may in fact prevent dns dos (argumentative). I do not catch many outbound blocks, but when I have, it is well worth it. I also only use active block lists, with a conservative approach to block the real bad guys with minimizing false-positives. These include spamhaus, feodo, dshield, ponmocup (although no longer maintained) and stamparm ip level 5.

 

[JB_1366]

I guess this is the heart of the problem. The wan interface name is part of the Skynet rules, and yours seems to start as eth0 then change to wan0. Never seen that before.

I'm guessing?? because I'm translating packets via router & not the ONT, router is using Residential Gateway mode, hence wan0?

Dec 31 18:01:13 kernel: IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
Dec 31 18:01:13 kernel: netdev path : wan0 -> eth0
Dec 31 18:01:13 kernel: BCMVLAN : eth0 mode was set to RG
Dec 31 18:01:13 kernel: IPv6: ADDRCONF(NETDEV_UP): wan0: link is not ready
Dec 31 18:01:13 kernel: VLAN Rule Table : eth0, Rx, nbrOfTags 1, default DROP

@Adamm, do you see a workaround?

 

[swejuggalo]

When Diversion updates the blocklists I regularly see this on the AX88U (auto sent to my mail).
"Waiting for Skynet to finish task...
Error: Unable to refresh Skynet to whitelist domains in shared-Diversion-whitelist.
Restart Skynet manually to immediately include the new whitelisted domains."
But I am not getting errors on a BE88U.
AX88U have sightly less scripts, but otherwise very similarly configured, so it feels like the differance is the the different firmware.
Don't think I ever seen this on older Skynet (v7).

Recently I was also forced to reinstall Skynet due to a failed update on the AX88U, but no problems on BE88U.
Anything I should try? I can try to collect more data on the problem if this seems to be a rarity.
If I didn't have the mail setup I probably would not notice it... So there could be many more that has it but not knowing about it.

 

[JB_1366]

I'm guessing?? because I'm translating packets via router & not the ONT, router is using Residential Gateway mode, hence wan0?

Dec 31 18:01:13 kernel: IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
Dec 31 18:01:13 kernel: netdev path : wan0 -> eth0
Dec 31 18:01:13 kernel: BCMVLAN : eth0 mode was set to RG
Dec 31 18:01:13 kernel: IPv6: ADDRCONF(NETDEV_UP): wan0: link is not ready
Dec 31 18:01:13 kernel: VLAN Rule Table : eth0, Rx, nbrOfTags 1, default DROP

@Adamm, do you see a workaround?

after installing Unbound, my problem with skynet on reboot disappeared. Im assuming skynet restarts an extra time to fix problem, as thats what i had to do manually

Thanks @Adamm for all your hard work..any timeline on ipv6 support?

 

[Twiglets]

@Adamm

A request for a change/addition to the banner of Skynet.
Now that you can change the size of the log file it would be useful to display the current size of the log file in the banner.

Assuming the Log size = 12.532M of 20.000M (62.66%)

╔═════════════════════ System ══════════════════════════════════════════════════════════════════════════════╗
║ Router Model         │ RT-AX86U_PRO                                                                       ║
║ Skynet Version       │ v8.0.9 (05/01/2026)                                                                ║
║ └── Hash             │ 50789653b274e6efcc8c3b8edfab4cfc                                                   ║
║ Install Dir          │ /tmp/mnt/RT-AX86UPro/skynet                                                        ║
║ FW Version           │ ASUSWRT-Merlin v102.5_0 (Kernel 4.19.183) (Aug 3 2025)                             ║
║ iptables             │ iptables v1.4.15                                                                   ║
║ ipset                │ ipset v7.6, protocol version: 7                                                    ║
║ Public IP            │ xxx.xxx.xxx.xxx                                                                    ║
║ WAN Info             │ ppp0 - pppoe                                                                       ║
║ Banned Countries     │ ad ae af ag ai al am ao aq ar as aw ax az ba bb bd bf bg bh bi bj bl bm bn bo bq + ║
║ Custom Filter URL    │ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx                                                ║
║ Log File Size        │ 12.532M of 20.000M (62.66%)                                                        ║
╚══════════════════════╧════════════════════════════════════════════════════════════════════════════════════╝

Many Thanks.

 

[K3r1m0]

Hi,
I have Skynet 8.0.9 installed.
Everything works flawlessly and I am a satisfied user.
In the chart layout in the GUI, it gets darker every time I hover the mouse over it. I don't know if that's how it should be or if I may be remembering wrong that it got brighter when hovering.
Thanks for a great addon!

 

[Viktor Jaep]

Hi,
I have Skynet 8.0.9 installed.
Everything works flawlessly and I am a satisfied user.
In the chart layout in the GUI, it gets darker every time I hover the mouse over it. I don't know if that's how it should be or if I may be remembering wrong that it got brighter when hovering.
Thanks for a great addon!

LOL that's one of the craziest things I've ever seen! Must be a feature, not a bug!

 

[EmeraldDeer]

I am seeing the same thing, but with uiDivStats rather than Skynet.

The Brave browser F12 Console errors are:

user8.asp:51
Uncaught ReferenceError: comma is not defined
    at n.label (user8.asp:51:4481)
    at chart.js:7:93178
    at Object.each (chart.js:7:27348)
    at n.getBody (chart.js:7:93060)
    at n.update (chart.js:7:94641)
    at n.handleEvent (chart.js:7:100802)
    at tn.eventHandler (chart.js:7:111285)
    at n (chart.js:7:110528)
    at Se.<computed> (chart.js:7:87040)

chart.js:7
Uncaught TypeError: Cannot read properties of undefined (reading 'length')
    at n.drawBody (chart.js:7:98438)
    at n.draw (chart.js:7:100363)
    at tn._drawTooltip (chart.js:7:108823)
    at tn.draw (chart.js:7:107805)
    at tn.render (chart.js:7:107370)
    at Object.callback (chart.js:7:27212)
    at Object.advance (chart.js:7:39167)
    at Object.startDigest (chart.js:7:38918)
    at chart.js:7:38871

The code from which it throws:

                            tooltips: {
                                callbacks: {
                                    title: function(t, e) {
                                        return e.labels[t[0].index]
                                    },
                                    label: function(t, e) {
                                        return comma(e.datasets[t.datasetIndex].data[t.index])
                                    }
                                },
                                mode: "point",
                                position: "cursor",
                                intersect: !0
                            },

Here is the similar code from Skynet:

                tooltips: {
                    callbacks: {
                        title: function(tooltipItem, data) {
                            return data.labels[tooltipItem[0].index];
                        },
                        label: function(tooltipItem, data) {
                            return comma(data.datasets[tooltipItem.datasetIndex].data[tooltipItem.index]);
                        }
                    },
                    mode: 'point',
                    position: 'cursor',
                    intersect: true
                },

 

[EmeraldDeer]

As a side note, I no longer have mouse over menus under General and Advanced Settings in index.asp

 

[Ripshod]

Those with issues, have you updated amtm?

 

[EmeraldDeer]

Those with issues, have you updated amtm?

Yes, to amtm 6.2

 

[dave14305]

The code from which it throws:

The comma errors are due to the removal of the Tomato files on recent firmwares. An alternate JavaScript function needs to be found or just removed (it’s only a cosmetic feature to insert commas into larger numbers). Everyone should probably just rewrite with toLocaleString().

webui: remove legacy Tomato files that are no longer used by our firm… · RMerl/asuswrt-merlin.ng@e547f8e

…ware The ROG UI still has the old TrafficMonitor pages - 3004.388 devices will need to be taken care of (hopefully from upstream)

github.com

asuswrt-merlin.ng/release/src/router/www/tmmenu.js at 4090acdc79f6bbece1daa91d347287a3c96af31a · RMerl/asuswrt-merlin.ng

Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng

github.com

 

[Twiglets]

@Adamm

A request for a change/addition to the banner of Skynet.
Now that you can change the size of the log file it would be useful to display the current size of the log file in the banner.

Assuming the Log size = 12.532M of 20.000M (62.66%)

╔═════════════════════ System ══════════════════════════════════════════════════════════════════════════════╗
║ Router Model         │ RT-AX86U_PRO                                                                       ║
║ Skynet Version       │ v8.0.9 (05/01/2026)                                                                ║
║ └── Hash             │ 50789653b274e6efcc8c3b8edfab4cfc                                                   ║
║ Install Dir          │ /tmp/mnt/RT-AX86UPro/skynet                                                        ║
║ FW Version           │ ASUSWRT-Merlin v102.5_0 (Kernel 4.19.183) (Aug 3 2025)                             ║
║ iptables             │ iptables v1.4.15                                                                   ║
║ ipset                │ ipset v7.6, protocol version: 7                                                    ║
║ Public IP            │ xxx.xxx.xxx.xxx                                                                    ║
║ WAN Info             │ ppp0 - pppoe                                                                       ║
║ Banned Countries     │ ad ae af ag ai al am ao aq ar as aw ax az ba bb bd bf bg bh bi bj bl bm bn bo bq + ║
║ Custom Filter URL    │ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx                                                ║
║ Log File Size        │ 12.532M of 20.000M (62.66%)                                                        ║
╚══════════════════════╧════════════════════════════════════════════════════════════════════════════════════╝

Many Thanks.

Found that you already displayed this info when displaying Option 13 Stats to screen.
Un-officially patched 'Firewall' to display the same lines in the initial banner !!!

╔═════════════════════ System ══════════════════════════════════════════════════════════════════════════════╗
║ Router Model         │ RT-AX86U_PRO                                                                       ║
║ Skynet Version       │ v8.0.9 (05/01/2026)                                                                ║
║ └── Hash             │ 4ca3f0839f286942d90834aa59a5bd15                                                   ║
║ Install Dir          │ /tmp/mnt/RT-AX86UPro/skynet                                                        ║
║ FW Version           │ ASUSWRT-Merlin v102.5_0 (Kernel 4.19.183) (Aug 3 2025)                             ║
║ iptables             │ iptables v1.4.15                                                                   ║
║ ipset                │ ipset v7.6, protocol version: 7                                                    ║
║ Public IP            │ xxx.xxx.xxx.xxx                                                                    ║
║ WAN Info             │ ppp0 - pppoe                                                                       ║
║ Banned Countries     │ ad ae af ag ai al am ao aq ar as aw ax az ba bb bd bf bg bh bi bj bl bm bn bo bq + ║
║ Skynet Log           │ /tmp/mnt/RT-AX86UPro/skynet/skynet.log                                             ║
║ └── Used/Total       │ 43.7M / 50MB                                                                       ║
║ Custom Filter URL    │ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx                                                  ║
╚══════════════════════╧════════════════════════════════════════════════════════════════════════════════════╝

 

[JimbobJay]

When Diversion updates the blocklists I regularly see this on the AX88U (auto sent to my mail).
"Waiting for Skynet to finish task...
Error: Unable to refresh Skynet to whitelist domains in shared-Diversion-whitelist.
Restart Skynet manually to immediately include the new whitelisted domains."
But I am not getting errors on a BE88U.
AX88U have sightly less scripts, but otherwise very similarly configured, so it feels like the differance is the the different firmware.
Don't think I ever seen this on older Skynet (v7).

Recently I was also forced to reinstall Skynet due to a failed update on the AX88U, but no problems on BE88U.
Anything I should try? I can try to collect more data on the problem if this seems to be a rarity.
If I didn't have the mail setup I probably would not notice it... So there could be many more that has it but not knowing about it.

I too am seeing this issue with v8 on my RT-AX86U_Pro.

This is a recent issue, since the update to v8. I am frequently getting emails from Diversion informing me that the automatic Blocking List Update has failed because it is stuck

Waiting for Skynet to finish task...
Waiting for Skynet to finish task...
Waiting for Skynet to finish task...

This issue occurs on a weekly basis (makes sense as Diversion auto-updating blocking list is weekly). But first starting to see it definitely correlates with the update to v8 of Skynet.

Not sure what exactly changed, but clearly something about Diversion compatibility has been broken since the v8 update.

 

[Twiglets]

I too am seeing this issue with v8 on my RT-AX86U_Pro.

This is a recent issue, since the update to v8. I am frequently getting emails from Diversion informing me that the automatic Blocking List Update has failed because it is stuck

Waiting for Skynet to finish task...
Waiting for Skynet to finish task...
Waiting for Skynet to finish task...

This issue occurs on a weekly basis (makes sense as Diversion auto-updating blocking list is weekly). But first starting to see it definitely correlates with the update to v8 of Skynet.

Not sure what exactly changed, but clearly something about Diversion compatibility has been broken since the v8 update.

You are misreading the messages.

The message:

"Waiting for Skynet to finish task...

Error: Unable to refresh Skynet to whitelist domains in shared-Diversion-whitelist.

means that Skynet is currently performing some processing, there is a lock file to prevent Diversion changing files that Skynet is using.
If Skynet is 'Busy' too long Diversion continues without completing the Skynet restart/update.
If you manually restart Skynet it will complete the update itself.
If you do nothing the next time Skynet restarts it will complete the update. [Cronjob exists to run 'banmalware' update once a day]
Nothing is 'Stuck' ... this is the way it is supposed to work !!!

 

[JimbobJay]

You are misreading the messages.

I don't believe that I am. I understood that that was what was happening, and nothing you wrote is new information for me.

means that Skynet is currently performing some processing, there is a lock file to prevent Diversion changing files that Skynet is using.
If Skynet is 'Busy' too long Diversion continues without completing the Skynet restart/update.

The point of my post, and I suspect @swejuggalo 's also, is that Skynet "currently performing some processing" and having the lock file in place seems to be a much more frequent occurrence since updating to Skynet v8. I never before had seen this message from Diversion, before updating to v8 of Skynet.

So my point is, what changed in v8 of Skynet that is causing it to be "performing some processing" and have the lock file in place (such that it is stopping other scripts performing their automatic tasks), so much more frequently than before?

If you manually restart Skynet it will complete the update itself.

What has changed, and why must I suddenly start performing this manual step to complete the update since updating to Skynet v8, when I never once had to do this on previous versions?

 

[dave14305]

I don't believe that I am. I understood that that was what was happening, and nothing you wrote is new information for me.


The point of my post, and I suspect @swejuggalo 's also, is that Skynet "currently performing some processing" and having the lock file in place seems to be a much more frequent occurrence since updating to Skynet v8. I never before had seen this message from Diversion, before updating to v8 of Skynet.

So my point is, what changed in v8 of Skynet that is causing it to be "performing some processing" and have the lock file in place (such that it is stopping other scripts performing their automatic tasks), so much more frequently than before?


What has changed, and why must I suddenly start performing this manual step to complete the update since updating to Skynet v8, when I never once had to do this on previous versions?

Skynet's lock file handling changed a lot in v8. Diversion only checks the presence of the lock file, not whether it's still valid or "active". I would speculate that Skynet isn't even running but somehow left behind a lockfile that ends up blocking Diversion from completing the whitelist refresh.

Instead of restarting Skynet, just try running the refresh manually and see if it completes or also complains of a lockfile. This is the command that Diversion is waiting to run:

/bin/sh /jffs/scripts/firewall whitelist refresh

 

[XxUnkn0wnxX]

@Adamm would it be possible to add CGNAT/double-NAT detection when it pulls the "Public IP" on the info screen, or wherever it is also displayed/used in.
like get it to query an external site like: "https://myip.dnsomatic.com/" for example for the real Public IP.

or just add a toggle for it in settings to pull from an external site vs what is provided by the router from nvram..
Kind of wish Merlin had an option for this built in TBH to show in the main page my real IP

 

[Adamm]

When Diversion updates the blocklists I regularly see this on the AX88U (auto sent to my mail).
"Waiting for Skynet to finish task...
Error: Unable to refresh Skynet to whitelist domains in shared-Diversion-whitelist.
Restart Skynet manually to immediately include the new whitelisted domains."
But I am not getting errors on a BE88U.
AX88U have sightly less scripts, but otherwise very similarly configured, so it feels like the differance is the the different firmware.
Don't think I ever seen this on older Skynet (v7).

Recently I was also forced to reinstall Skynet due to a failed update on the AX88U, but no problems on BE88U.
Anything I should try? I can try to collect more data on the problem if this seems to be a rarity.
If I didn't have the mail setup I probably would not notice it... So there could be many more that has it but not knowing about it.

I don't believe that I am. I understood that that was what was happening, and nothing you wrote is new information for me.


The point of my post, and I suspect @swejuggalo 's also, is that Skynet "currently performing some processing" and having the lock file in place seems to be a much more frequent occurrence since updating to Skynet v8. I never before had seen this message from Diversion, before updating to v8 of Skynet.

So my point is, what changed in v8 of Skynet that is causing it to be "performing some processing" and have the lock file in place (such that it is stopping other scripts performing their automatic tasks), so much more frequently than before?


What has changed, and why must I suddenly start performing this manual step to complete the update since updating to Skynet v8, when I never once had to do this on previous versions?

Diversion has a hard coded 20s timeout waiting for Skynet to refresh and bases its checks on the existence of a lock file, we have transitioned to a smarter locking system using flock so some minor adjustments will need to be made by @thelonelycoder in update-bl.div

        if [ -f "/jffs/scripts/firewall" ] && /opt/bin/grep -q "sh /jffs/scripts/firewall" /jffs/scripts/firewall-start 2> /dev/null; then
            printf "\\n refreshing Skynet to whitelist domains in shared-Diversion-whitelist\\n"

            if [ -f "/tmp/skynet.lock" ]; then
                printf "\\n Skynet lockfile detected\\n"
                i=20
                until [ "$i" -eq "0" ]; do
                    i=$(($i-1))
                    if [ -f "/tmp/skynet.lock" ]; then
                        printf " Waiting for Skynet to finish task...\\n"
                        sleep 4
                    else
                        i=0
                    fi
                done
                if [ -f "/tmp/skynet.lock" ]; then
                    msg="Unable to refresh Skynet to whitelist domains in shared-Diversion-whitelist.\\n Restart Skynet manually to immediately include the new whitelisted domains."
                    printf " Error: $msg\\n"
                    lastError="$lastError\\n $msg"
                    logger -t Diversion "Unable to refresh Skynet to whitelist domains in shared-Diversion-whitelist."
                fi
            fi
            if [ ! -f "/tmp/skynet.lock" ]; then
                /bin/sh /jffs/scripts/firewall whitelist refresh >/dev/null 2>&1
                printf " shared-Diversion-whitelist refreshed in Skynet\\n"
            fi
        fi

Check_Lock() {
    # Open FD 9 for locking
    exec 9<>"$LOCK_FILE"

    # Try non-blocking lock
    if ! flock -n 9; then
        locked_cmd=$(cut -d'|' -f1 "$LOCK_FILE" 2>/dev/null)
        locked_pid=$(cut -d'|' -f2 "$LOCK_FILE" 2>/dev/null)
        lock_timestamp=$(cut -d'|' -f3 "$LOCK_FILE" 2>/dev/null)
        current_time=$(date +%s)

        # Re-entrant lock handling
        if [ "$locked_pid" = "$$" ]; then
            return 0
        fi

        # If we have a non-empty PID and that process exists
        if [ -n "$locked_pid" ] && [ -d "/proc/$locked_pid" ]; then
            age=$(( current_time - lock_timestamp ))

            if [ "$age" -gt 1800 ] 2>/dev/null; then
                # Stale lock: kill and re-acquire
                if kill "$locked_pid" 2>/dev/null; then
                    Log info -s "Killed stale Skynet process (pid=$locked_pid) after $age seconds"
                fi
                : > "$LOCK_FILE"
                if ! flock -n 9; then
                    Log error -s "Lock acquisition failed after killing stale process - Exiting (pid=$locked_pid)"
                    echo; exit 1
                fi
            else
                # Active lock held by running process
                Log error -s "Lock File Detected ($locked_cmd) (pid=$locked_pid, runtime=${age}s) - Exiting"
                echo; exit 1
            fi
        else
            # We *know* flock says the file is locked, but the metadata is missing
            # or corrupt. That usually means another Skynet instance is in the
            # middle of writing the lock line. Safer to just bail.
            Log error -s "Lock file busy but metadata invalid (pid='$locked_pid') - another Skynet instance is running - Exiting"
            echo; exit 1
        fi
    fi

    # We now hold the lock — record this invocation
    : > "$LOCK_FILE"
    echo "$0 $*|$$|$(date +%s)" >&9
}

 

[joe scian]

Skynet: USB install directory not ready — sleeping 10s (1/10) - reinstalling gives same error - swap file is there on /tmp/mnt/LINUXCULBUR/ - any ideas?