Release [Fork] Asuswrt-Merlin 374 LTS release 45EC

[MON@H Rasta]

john9527, so how can I run scripts and avoid this timeout or how can I increase it?

 

[ColinTaylor]

john9527, so how can I run scripts and avoid this timeout or how can I increase it?

If your script is taking "several minutes" to run then it probably need to be redesigned or called from a different event. If that can't be done I suggest that you put all of those commands into a separate script (e.g. myscript.sh) and spawn it as a separate process:

# Run script now
/jffs/scripts/myscript.sh &

 

[MON@H Rasta]

ColinTaylor, i need SD Card to be mounted when my scripts run, this is why I chose post-mount. If I will run them separately I will need to check if the SD Card is mounted and sleep until it is. Can you suggest the way to do it, also I wonder can you tell me the way to check if the ip_set module is loaded?

Spoiler: hosts-update-script.sh

/jffs/scripts/hosts-update-script.sh - Pastebin.com

Pastebin.com is the number one paste tool since 2002. Pastebin is a website where you can store text online for a set period of time.

pastebin.com

Spoiler: init_ipset.sh

modprobe ip_set

modprobe ip_set_iphash

modprobe ip_set_nethash

modprobe ip_set_setlist



ipset --create unblock iphash

Spoiler: unblock_ipset.sh

#!/bin/sh



until ADDRS=$(dig +short google.com [USER=52002]@localhost[/USER]) && [ -n "$ADDRS" ] > /dev/null 2>&1; do sleep 5; done



while read line || [ -n "$line" ]; do



  [ -z "$line" ] && continue

  [ "${line:0:1}" = "#" ] && continue



  addr=$(echo $line | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')



  if [ ! -z "$addr" ]; then

    ipset --add unblock $addr

    continue

  fi

 

  dig +short $line [USER=52002]@localhost[/USER] | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | awk '{system("ipset --add unblock "$1)}'



done < /tmp/mnt/microsd/dnsmasq/unblock.txt

Spoiler: nat-start

#!/bin/sh



iptables -t nat -A PREROUTING -i br0 -p tcp -m set --set unblock dst -j REDIRECT --to-port 9141

 

[john9527]

john9527, so how can I run scripts and avoid this timeout or how can I increase it?

The timeout is hardcoded at 2 min so currently no way to change it.

Just a warning about trying to do large scale 'DNS Poisoning' with dnsmasq. if that's what your are trying to do (Not sure what you are doing in your hosts-update-script) It really wasn't designed with that in mind and can get bogged down. I remember someone was trying to add 600,000 entries and it crashed dnsmasq.

 

[ColinTaylor]

ColinTaylor, i need SD Card to be mounted when my scripts run, this is why I chose post-mount. If I will run them separately I will need to check if the SD Card is mounted and sleep until it is. Can you suggest the way to do it, also I wonder can you tell me the way to check if the ip_set module is loaded?

You can still run your scripts from post-mount, you just need to invoke it as a separate process as shown in my example.

 

[MON@H Rasta]

john9527, thanks for your warning. Updated my post with scripts. I have 264048 in my /tmp/mnt/microsd/dnsmasq/hosts.blocked and it seems to work just fine.

ColinTaylor, thanks, got it.

What about checking if the ip_set module is loaded, can you suggest me the way, please?
Also, I have a bunch of spam in log like:

Spoiler: log

Dec  8 03:03:00 dnsmasq[30532]: failed to update ipset unblock: File exists
Dec  8 03:03:00 dnsmasq[30532]: failed to update ipset unblock: File exists
Dec  8 03:03:00 dnsmasq[30532]: failed to update ipset unblock: File exists
Dec  8 03:03:00 dnsmasq[30532]: failed to update ipset unblock: File exists
Dec  8 03:03:00 dnsmasq[30532]: failed to update ipset unblock: File exists
Dec  8 03:03:00 dnsmasq[30532]: failed to update ipset unblock: File exists
Dec  8 03:03:01 dnsmasq[30532]: failed to update ipset unblock: File exists
Dec  8 03:03:01 dnsmasq[30532]: failed to update ipset unblock: File exists
Dec  8 03:03:01 dnsmasq[30532]: failed to update ipset unblock: File exists
Dec  8 03:03:01 dnsmasq[30532]: failed to update ipset unblock: File exists
Dec  8 03:03:01 dnsmasq[30532]: failed to update ipset unblock: File exists
Dec  8 03:03:01 dnsmasq[30532]: failed to update ipset unblock: File exists
Dec  8 03:03:01 dnsmasq[30532]: failed to update ipset unblock: File exists
Dec  8 03:03:01 dnsmasq[30532]: failed to update ipset unblock: File exists
Dec  8 03:03:01 dnsmasq[30532]: failed to update ipset unblock: File exists
Dec  8 03:03:01 dnsmasq[30532]: failed to update ipset unblock: File exists

This is due to command I use:

Spoiler: unblock_ipset.sh

#!/bin/sh



until ADDRS=$(dig +short google.com [USER=52002]@localhost[/USER]) && [ -n "$ADDRS" ] > /dev/null 2>&1; do sleep 5; done



while read line || [ -n "$line" ]; do



  [ -z "$line" ] && continue

  [ "${line:0:1}" = "#" ] && continue



  addr=$(echo $line | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')



  if [ ! -z "$addr" ]; then

    ipset --add unblock $addr

    continue

  fi



  dig +short $line [USER=52002]@localhost[/USER] | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | awk '{system("ipset --add unblock "$1)}'



done < /tmp/mnt/microsd/dnsmasq/unblock.txt

Can you suggest how to avoid this spam?

 

[ColinTaylor]

What about checking if the ip_set module is loaded, can you suggest me the way, please?

You could use the following code. It will return true if the module is loaded and false if it isn't.

lsmod | grep -qw ip_set

 

[john9527]

@MON@H Rasta
Just a quick question.....I see in post-mount that you are also running Diversion. Do you really need to be adding more?

 

[dave14305]

john9527, thanks for your warning. Updated my post with scripts. I have 264048 in my /tmp/mnt/microsd/dnsmasq/hosts.blocked and it seems to work just fine.

ColinTaylor, thanks, got it.

What about checking if the ip_set module is loaded, can you suggest me the way, please?
Also, I have a bunch of spam in log like:

Spoiler: log

Dec  8 03:03:00 dnsmasq[30532]: failed to update ipset unblock: File exists
Dec  8 03:03:00 dnsmasq[30532]: failed to update ipset unblock: File exists
Dec  8 03:03:00 dnsmasq[30532]: failed to update ipset unblock: File exists
Dec  8 03:03:00 dnsmasq[30532]: failed to update ipset unblock: File exists
Dec  8 03:03:00 dnsmasq[30532]: failed to update ipset unblock: File exists
Dec  8 03:03:00 dnsmasq[30532]: failed to update ipset unblock: File exists
Dec  8 03:03:01 dnsmasq[30532]: failed to update ipset unblock: File exists
Dec  8 03:03:01 dnsmasq[30532]: failed to update ipset unblock: File exists
Dec  8 03:03:01 dnsmasq[30532]: failed to update ipset unblock: File exists
Dec  8 03:03:01 dnsmasq[30532]: failed to update ipset unblock: File exists
Dec  8 03:03:01 dnsmasq[30532]: failed to update ipset unblock: File exists
Dec  8 03:03:01 dnsmasq[30532]: failed to update ipset unblock: File exists
Dec  8 03:03:01 dnsmasq[30532]: failed to update ipset unblock: File exists
Dec  8 03:03:01 dnsmasq[30532]: failed to update ipset unblock: File exists
Dec  8 03:03:01 dnsmasq[30532]: failed to update ipset unblock: File exists
Dec  8 03:03:01 dnsmasq[30532]: failed to update ipset unblock: File exists

This is due to command I use:

Spoiler: unblock_ipset.sh

#!/bin/sh



until ADDRS=$(dig +short google.com [USER=52002]@localhost[/USER]) && [ -n "$ADDRS" ] > /dev/null 2>&1; do sleep 5; done



while read line || [ -n "$line" ]; do



  [ -z "$line" ] && continue

  [ "${line:0:1}" = "#" ] && continue



  addr=$(echo $line | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')



  if [ ! -z "$addr" ]; then

    ipset --add unblock $addr

    continue

  fi



  dig +short $line [USER=52002]@localhost[/USER] | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | awk '{system("ipset --add unblock "$1)}'



done < /tmp/mnt/microsd/dnsmasq/unblock.txt

Can you suggest how to avoid this spam?

ipset has command line options to suppress errors like this. Is this available on your version?

-!      Ignore errors when creating or adding sets or
        elements that do exist or when deleting elements
        that don't exist.

 

[MON@H Rasta]

john9527, I don't run Diversion, only installed entware with amtm to have TOR onboard. Not using Diversion.

dave14305, I guess not. -q maybe?

Spoiler: ipset --help

RT-N66U:/jffs/scripts# ipset --help
ipset v4.5

Usage: ipset -N new-set settype [options]
       ipset -[XFLSH] [set] [options]
       ipset -[EW] from-set to-set
       ipset -[ADT] set IP
       ipset -R
       ipset -v
       ipset -h (print this help information)

Commands:
Either long or short options are allowed.
  --create  -N setname settype <options>
                    Create a new set
  --destroy -X [setname]
                    Destroy a set or all sets
  --flush   -F [setname]
                    Flush a set or all sets
  --rename  -E from-set to-set
                    Rename from-set to to-set
  --swap    -W from-set to-set
                    Swap the content of two existing sets
  --list    -L [setname] [options]
                    List the IPs in a set or all sets
  --save    -S [setname]
                    Save the set or all sets to stdout
  --restore -R [option]
                    Restores a saved state
  --add     -A setname IP
                    Add an IP to a set
  --del     -D setname IP
                    Deletes an IP from a set
  --test    -T setname IP
                    Tests if an IP exists in a set.
  --help    -H [settype]
                    Prints this help, and settype specific help
  --version -V
                    Prints version information

Options:
  --sorted     -s   Numeric sort of the IPs in -L
  --numeric    -n   Numeric output of addresses in a -L (default)
  --resolve    -r   Try to resolve addresses in a -L
  --quiet      -q   Suppress any output to stdout and stderr.

 

[ColinTaylor]

dave14305, I guess not. -q maybe?

@MON@H Rasta Have you always had these messages or is this something new since installing the current firmware release?

 

[MON@H Rasta]

ColinTaylor, they were always there. Just decided to ask, 'coz I posting here anyways
I tested -q flag and that spam is still there. I think I need to test if the IP is in the IP_SET already before adding.
I have modified the script like this, but not sure how to modify in that awk part. Can you please help me guys

Spoiler: unblock_ipset.sh

#!/bin/sh

logger "unblock_ipset.sh: start"

until ADDRS=$(dig +short google.com @localhost) && [ -n "$ADDRS" ] > /dev/null 2>&1; do sleep 5; done

while read line || [ -n "$line" ]; do

  [ -z "$line" ] && continue
  [ "${line:0:1}" = "#" ] && continue

  addr=$(echo $line | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')

  if [ ! -z "$addr" ]; then
    if [ ! ipset -T unblock $addr ]; then
      ipset -q --add unblock $addr
      continue
    fi
  fi

  dig +short $line @localhost | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | awk '{system("ipset -q --add unblock "$1)}'

done < /tmp/mnt/microsd/dnsmasq/unblock.txt

logger "unblock_ipset.sh: finish"

 

[ColinTaylor]

ColinTaylor, they were always there. Just decided to ask, 'coz I posting here anyways
I tested -q flag and that spam is still there. I think I need to test if the IP is in the IP_SET already before adding.
I have modified the script like this, but not sure how to modify in that awk part. Can you please help me guys

Spoiler: unblock_ipset.sh

#!/bin/sh

logger "unblock_ipset.sh: start"

until ADDRS=$(dig +short google.com @localhost) && [ -n "$ADDRS" ] > /dev/null 2>&1; do sleep 5; done

while read line || [ -n "$line" ]; do

  [ -z "$line" ] && continue
  [ "${line:0:1}" = "#" ] && continue

  addr=$(echo $line | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')

  if [ ! -z "$addr" ]; then
    if [ ! ipset -T unblock $addr ]; then
      ipset -q --add unblock $addr
      continue
    fi
  fi

  dig +short $line @localhost | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | awk '{system("ipset -q --add unblock "$1)}'

done < /tmp/mnt/microsd/dnsmasq/unblock.txt

logger "unblock_ipset.sh: finish"

I suggest you create a separate thread if you want help debugging your script as the problems don't appear the be specifically related to this thread (i.e. release 45EC).

 

[john9527]

@MON@H Rasta
If you want to give it a try.... 45EE is in the development folder.

nvram set blk_timeout=xxx (you can enter any value, but it will automatically be limited to a min of 120 or a max of 300 sec)
nvram commit

 

[MON@H Rasta]

@john9527, thanks, but it's not the problem anymore. My first script is running without problems whilst it takes more then 2 minutes and now I know how to run other scripts. I will create separate thread for question how to deal with IP_SET better.
Thanks to all you guys and sorry for off-topic.

 

[john9527]

Thanks to all you guys and sorry for off-topic.

Not a problem (it was only one line of code ). Wasn't sure how far you got with moving things (that's actually the better solution).

 

[Cromson]

Hi everyone and especially john9527!
This fork made my day and me finally the happy owner of a dedicated VPN-Router.

Merry Christmas everyone and take care!
Cromson

 

[L&LD]

@Cromson, that's great! Which router though?

 

[Cromson]

@Cromson, that's great! Which router though?

In my excitement, I forgot about the important stuff.

It's an Asus RT-AC66U Rev. A1 that i bought back in 2016 and it's really working well with Johns Fork and OpenVPN.

As the main server i use an AC86U and i bought it because the AC66U would occasionally got really slow when more devices were connected to it.

So i thought with the AC66U left i give Merlin and the OpenVPN a try again and finally it worked.
For the record... i live in Mainland China, so VPN is a must-have, but also get it to work on a Router like finding the needle in the haystack! But I found it...

Thanks again, great Forum with lots of useful information!!!

 

[R3S2a7i6]

Hi everyone and especially john9527,

Thank you for all the help and support so far and for keeping my Asus RT-AC66U Rev. A1 alive.

I am currently on "374.43_45ECj9527" and all seems to be working ok except for the print server which has stopped working. I reverted back to "374.43_44EAj9527" and the print server works fine.

Can someone kindly check and confirm whether the "print server" option on "374.43_45ECj9527" is working please?

With kind regards,