From: Dirk Brenken Date: Thu, 12 Mar 2026 19:39:02 +0000 (+0100) Subject: adblock: update 4.5.2‑4 X-Git-Url: http://git.99rst.org/?a=commitdiff_plain;h=2657120d5f203e3f1d993b77dcc6aca2a7722411;p=openwrt-packages.git adblock: update 4.5.2‑4 * optimized the awk for the Top10 statistics in the DNS Report, removed the faulty caching (reported in the forum) * minor improvement in the f_switch function * readme update Signed-off-by: Dirk Brenken --- diff --git a/net/adblock/Makefile b/net/adblock/Makefile index afd53f4b5..f59490b1b 100644 --- a/net/adblock/Makefile +++ b/net/adblock/Makefile @@ -7,7 +7,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=adblock PKG_VERSION:=4.5.2 -PKG_RELEASE:=3 +PKG_RELEASE:=4 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Dirk Brenken diff --git a/net/adblock/files/README.md b/net/adblock/files/README.md index bdbf89ef8..fc86008e8 100644 --- a/net/adblock/files/README.md +++ b/net/adblock/files/README.md @@ -1,10 +1,12 @@ -# DNS based ad/abuse domain blocking +# DNS based ad/abuse domain blocking ## Description -A lot of people already use adblocker plugins within their desktop browsers, but what if you are using your (smart) phone, tablet, watch or any other (wlan) gadget!? Getting rid of annoying ads, trackers and other abuse sites (like facebook) is simple: block them with your router. When the DNS server on your router receives DNS requests, you will sort out queries that ask for the resource records of ad servers and return a simple 'NXDOMAIN'. This is nothing but **N**on-e**X**istent Internet or Intranet domain name, if domain name is unable to resolved using the DNS server, a condition called the 'NXDOMAIN' occurred. +A lot of people already use adblocker plugins within their desktop browsers, but what if you are using your (smart) phone, tablet, watch or any other (wlan) gadget!? Getting rid of annoying ads, trackers and other abuse sites (like facebook) is simple: block them with your router. + +When the DNS server on your router receives DNS requests, you will sort out queries that ask for the resource records of ad servers and return a simple 'NXDOMAIN'. This is nothing but **N**on-e**X**istent Internet or Intranet domain name, if a domain name cannot be resolved using the DNS server, a condition called the 'NXDOMAIN' occurred. ## Main Features @@ -86,17 +88,17 @@ A lot of people already use adblocker plugins within their desktop browsers, but ## Prerequisites -* **[OpenWrt](https://openwrt.org)**, latest stable release 24.x or a development snapshot +* **[OpenWrt](https://openwrt.org)**, latest stable release or a development snapshot * A usual setup with a working DNS backend * A download utility with SSL support: 'wget', 'uclient-fetch' with one of the 'libustream-*' ssl libraries or 'curl' is required * A certificate store such as 'ca-bundle' or 'ca-certificates', as adblock checks the validity of the SSL certificates of all download sites by default * For E-Mail notifications you need to install and setup the additional 'msmtp' package * For DNS reporting you need to install the additional package 'tcpdump-mini' or 'tcpdump' -**Please note:** +**Please note:** * Devices with less than 128MB of RAM are **_not_** supported * For performance reasons, adblock depends on gnu sort and gawk -* Before update from former adblock releases please make a backup of your local allow- and blocklists. In the latest adblock 4.4.x these lists have been renamed to '/etc/adblock/adblock.allowlist' and '/etc/adblock/adblock.blocklist'. There is no automatic content transition to the new files. +* Before update from former adblock releases please make a backup of your local allow- and blocklists. In the latest adblock these lists have been renamed to '/etc/adblock/adblock.allowlist' and '/etc/adblock/adblock.blocklist'. There is no automatic content transition to the new files. * The uci configuration of adblock is automatically migrated during package installation via the uci-defaults mechanism using a housekeeping script @@ -105,7 +107,7 @@ A lot of people already use adblocker plugins within their desktop browsers, but * Install the LuCI companion package 'luci-app-adblock' which also installs the main 'adblock' package as a dependency * Enable the adblock system service (System -> Startup) and enable adblock itself (adblock -> General Settings) * It's strongly recommended to use the LuCI frontend to easily configure all aspects of adblock, the application is located in LuCI under the 'Services' menu -* It is also strongly recommended to configure a ‘Startup Trigger Interface’ to ensure automatic adblock startup on WAN-ifup events during boot or reboot of your router +* It's also strongly recommended to configure a ‘Startup Trigger Interface’ to ensure automatic adblock startup on WAN-ifup events during boot or reboot of your router ## Adblock CLI interface @@ -200,13 +202,13 @@ Available commands: ## Examples -**Change the DNS backend to 'unbound':** +**Change the DNS backend to 'unbound':** No further configuration is needed, adblock deposits the final blocklist 'adb_list.overall' in '/var/lib/unbound' by default. To preserve the DNS cache after adblock processing please install the additional package 'unbound-control'. -**Change the DNS backend to 'bind':** +**Change the DNS backend to 'bind':** Adblock deposits the final blocklist 'adb_list.overall' in '/var/lib/bind' by default. -To preserve the DNS cache after adblock processing please install the additional package 'bind-rdnc'. +To preserve the DNS cache after adblock processing please install the additional package 'bind-rndc'. To use the blocklist please modify '/etc/bind/named.conf': ``` @@ -222,42 +224,41 @@ and at the end of the file add: }; ``` -**Change the DNS backend to 'kresd':** +**Change the DNS backend to 'kresd':** Adblock deposits the final blocklist 'adb_list.overall' in '/tmp/kresd', no further configuration needed. -**Change the DNS backend to 'smartdns':** +**Change the DNS backend to 'smartdns':** No further configuration is needed, adblock deposits the final blocklist 'adb_list.overall' in '/tmp/smartdns' by default. -**Service status output:** +**Service status output:** In LuCI you'll see the realtime status in the 'Runtime' section on the overview page. To get the status in the CLI, just call _/etc/init.d/adblock status_ or _/etc/init.d/adblock status\_service_: -``` -~# /etc/init.d/adblock status +```sh +root@blackhole:~# /etc/init.d/adblock status ::: adblock runtime information + adblock_status : enabled - + frontend_ver : 4.5.2-r1 - + backend_ver : 4.5.2-r1 - + blocked_domains : 753 951 + + frontend_ver : 4.5.2-r4 + + backend_ver : 4.5.2-r4 + + blocked_domains : 888 135 + active_feeds : 1hosts, adguard, adguard_tracking, bitcoin, certpl, doh_blocklist, hagezi, ipfire_dbl, phishing_army, smarttv_tracking, stevenblack, winspy - + dns_backend : unbound (1.24.2-r1), /mnt/data/adblock/backup, 297.66 MB + + dns_backend : unbound (1.24.2-r1), /mnt/data/adblock/backup, 346.57 MB + run_ifaces : trigger: wan, report: br-lan - + run_information : base: /mnt/data/adblock, dns: /var/lib/unbound, backup: /mnt/data/adblock/backup, report: /mnt/data/adblock/report, error: /mnt/data/adblock/adb_error.log - + run_flags : shift: ✔, custom feed: ✘, ext. DNS (std/prot/remote/bridge): ✘/✔/✔/✔, force: ✔, flush: ✘, tld: ✔, search: ✘, report: ✔, mail: ✔, jail: ✘ - + last_run : mode: restart, 2026-03-01T06:20:27+01:00, duration: 0m 24s, 1342.71 MB available - + system_info : cores: 4, fetch: curl, Bananapi BPI-R3, mediatek/filogic, OpenWrt SNAPSHOT (r33197-cf4cd07777) + + run_information : base: /mnt/data/adblock, dns: /var/lib/unbound, backup: /mnt/data/adblock/backup, report: /mnt/data/adblock/report, error: /dev/null + + run_flags : shift: ✔, custom feed: ✘, ext. DNS (std/prot/remote/bridge): ✘/✔/✔/✔, force: ✔, flush: ✘, tld: ✔, search: ✘, report: ✔, mail: ✔, jail: ✘, debug: ✘ + + last_run : mode: reload, 2026-03-12T19:08:41+01:00, duration: 0m 57s, 1337.01 MB available + + system_info : cores: 4, fetch: curl, Bananapi BPI-R3, mediatek/filogic, OpenWrt SNAPSHOT (r33360-ab0872a734) ``` - -## Best practise and tweaks + +## Best practice and tweaks **Recommendation for low memory systems** -adblock uses RAM by design and avoids writing to flash. On devices with 128–256 MB RAM, you can reduce memory pressure with the following optimizations: - -* use external storage: point 'adb_basedir', 'adb_backupdir' and 'adb_reportdir' to an USB drive or SSD -* limit CPU processing to one core: set 'adb_cores' to '1' to reduce peak memory usage during feed processing -* enable blocklist shifting: activate 'adb_dnsshift' to store the blocklist in the backup directory on a USB stick and only create a symlink in RAM. -* Firewall DNS redirection: use nftables based DNS routing to external filtered DNS serves and only use a minimal set of local blocklists +adblock keeps all working data in RAM to avoid unnecessary flash wear. On devices with only 128–256 MB RAM, you can reduce memory pressure with the following optimizations: +* Use external storage: Set adb_basedir, adb_backupdir and adb_reportdir to a USB drive or SSD to offload temporary and persistent data +* Limit CPU parallelism: Set adb_cores=1 to reduce peak memory usage during feed processing +* Enable blocklist shifting: Activate adb_dnsshift to store the generated blocklist on external storage and keep only a symlink in RAM +* Use firewall‑based DNS redirection: Route DNS queries via nftables to external filtered DNS resolvers and keep only a minimal local blocklist active **Sensible choice of blocklists** The following feeds are just my personal recommendation as an initial setup: @@ -268,9 +269,7 @@ Please note: don't just blindly activate too many feeds at once, sooner or later **DNS reporting, enable the GeoIP Map** adblock includes a powerful reporting tool on the DNS Report tab which shows the latest DNS statistics generated by tcpdump. To get the latest statistics always press the "Refresh" button. -In addition to a tabular overview adblock reporting includes a GeoIP map in a modal popup window/iframe that shows the geolocation of your own uplink addresses (in green) and the locations of blocked domains in red. To enable the GeoIP Map set the following option in "Advanced Report Settings" config tab: - - * set 'adb_map' to '1' to include the external components listed below and activate the GeoIP map +In addition to a tabular overview adblock reporting includes a GeoIP map in a modal popup window/iframe that shows the geolocation of your own uplink addresses (in green) and the locations of blocked domains in red. To enable the GeoIP Map set the following option in "Advanced Report Settings" config tab: set 'adb_map' to '1' to include the external components listed below and activate the GeoIP map. To make this work, adblock uses the following external components: * [Leaflet](https://leafletjs.com/) is a lightweight open-source JavaScript library for interactive maps @@ -285,20 +284,20 @@ The test runs entirely in the browser and does not require additional configurat **Firewall‑Based DNS Control** adblock provides several advanced firewall‑integrated features that allow you to enforce DNS policies directly at the network layer. These mechanisms operate independently of the local DNS resolver and ensure that DNS traffic follows your filtering rules, even when clients attempt to bypass them. -* unfiltered external DNS Routing: routes DNS queries from selected devices or interfaces to an external unfiltered DNS resolver -* filtered external DNS Routing: routes DNS queries from selected devices or interfaces to an external filtered DNS resolver -* force DNS: blocks or redirects all external DNS traffic to ensure that clients use the local resolver +* Unfiltered external DNS Routing: routes DNS queries from selected devices or interfaces to an external unfiltered DNS resolver +* Filtered external DNS Routing: routes DNS queries from selected devices or interfaces to an external filtered DNS resolver +* Force DNS: blocks or redirects all external DNS traffic to ensure that clients use the local resolver The DNS routing allows you to apply external DNS (unfiltered and/or filtered) to specific devices or entire network segments. DNS queries from these targets are transparently redirected to a chosen external resolver (IPv4 and/or IPv6): * MAC‑based targeting for individual devices * Interface/VLAN targeting for entire segments -* separate IPv4/IPv6 resolver selection -* transparent DNS redirection without client‑side configuration +* Separate IPv4/IPv6 resolver selection +* Transparent DNS redirection without client‑side configuration This mode is ideal for guest networks, IoT devices, or environments where certain clients require stricter/lesser DNS filtering. force DNS ensures that all DNS traffic on your network by specific devices or entire network segments is processed by the local resolver. Any attempt to use external DNS servers is blocked or redirected. -* blocks external DNS on port 53 and redirects DNS queries to the local resolver when appropriate -* also prevents DNS bypassing by clients with hardcoded DNS settings on other ports, e.g. on port 853 +* Blocks external DNS on port 53 and redirects DNS queries to the local resolver when appropriate +* Also prevents DNS bypassing by clients with hardcoded DNS settings on other ports, e.g. on port 853 This mode guarantees that adblock’s filtering pipeline is always applied. adblock's firewall rules are based on nftables in a separate isolated nftables table (inet adblock) and chains (prerouting), with MAC addresses stored in a nftables set. The configuration is carried out centrally in LuCI on the ‘Firewall Settings’ tab in adblock. @@ -307,18 +306,18 @@ adblock's firewall rules are based on nftables in a separate isolated nftables t This additional firewall feature lets selected client devices temporarily bypass local DNS blocking and use an external, unfiltered DNS resolver. It is designed for situations where a device needs short‑term access to content normally blocked by the adblock rules. A lightweight CGI endpoint handles the workflow: -* the client opens the URL, e.g. https://\cgi-bin/adblock (preferably transferred via QR code shown in LuCI) -* the script automatically detects the device’s MAC address -* if the MAC is authorized, the script displays the current status: - * not in the nftables set → option to request a temporary allow (“Renew”) - * already active → shows remaining timeout -* when renewing, the CGI adds the MAC to an nftables Set with a per‑entry timeout +* The client opens the URL, e.g. https://\cgi-bin/adblock (preferably transferred via QR code shown in LuCI) +* The script automatically detects the device’s MAC address +* If the MAC is authorized, the script displays the current status: + * Not in the nftables set → option to request a temporary allow (“Renew”) + * Already active → shows remaining timeout +* When renewing, the CGI adds the MAC to an nftables Set with a per‑entry timeout The CGI interface is mobile‑friendly and includes a LuCI‑style loading spinner during the renew process, giving immediate visual feedback while the nftables entry is created. All operations are atomic and safe even when multiple devices renew access in parallel. **Temporary DNS Bridging (Zero‑Downtime during DNS Restarts)** Adblock can optionally enable a temporary DNS bridging mode to avoid DNS downtime during DNS backend restarts. -When this feature is enabled, all DNS queries from LAN clients are briefly redirected to an external fallback resolver until the local DNS backend becomes available again. This ensures that DNS resolution continues to work seamlessly for all clients, even while adblock reloads blocklists or restarts the DNS service. Just set the options 'adb_nftbridging', 'adb_bridgednsv4' and 'adb_bridgednsv6' accordingly. +When this feature is enabled, all DNS queries from LAN clients are briefly redirected to an external fallback resolver until the local DNS backend becomes available again. This ensures that DNS resolution continues to work seamlessly for all clients, even while adblock reloads blocklists or restarts the DNS service. Just set the options 'adb_nftbridge', 'adb_bridgednsv4' and 'adb_bridgednsv6' accordingly. **Jail mode (allowlist-only):** Enforces a strict allowlist‑only DNS policy in which only domains listed in the allowlist file are resolved, while every other query is rejected. This mode is intended for highly restrictive environments and depends on a carefully maintained allowlist, typically managed manually. @@ -348,19 +347,19 @@ Finally enable E-Mail support, add a valid E-Mail receiver address in LuCI and s For a regular, automatic update of the used feeds or other regular adblock tasks set up a cron job. In LuCI you find the cron settings under 'System' => 'Scheduled Tasks'. On the command line the cron file is located at '/etc/crontabs/root': Example 1 -``` +```sh # update the adblock feeds every morning at 4 o'clock 00 04 * * * /etc/init.d/adblock reload ``` Example 2 -``` +```sh # update the adblock feeds every hour 0 */1 * * * /etc/init.d/adblock reload ``` Example 3 -``` +```sh # send an adblock E-Mail report every morning at 3 o'clock 00 03 * * * /etc/init.d/adblock report mail ``` @@ -369,7 +368,7 @@ Example 3 The adblock blocklist feeds are stored in an external JSON file '/etc/adblock/adblock.feeds'. All custom changes should be stored in an external JSON file '/etc/adblock/adblock.custom.feeds' (empty by default). It's recommended to use the LuCI based Custom Feed Editor to make changes to this file. A valid JSON source object contains the following information, e.g.: -``` +```json [...] "stevenblack": { "url": "https://raw.githubusercontent.com/StevenBlack/hosts/master/", @@ -380,7 +379,7 @@ A valid JSON source object contains the following information, e.g.: [...] ``` -Add an unique feed name (no spaces, no special chars) and make the required changes: adapt at least the URL, check/change the rule, the size and the description for a new feed. +Add a unique feed name (no spaces, no special chars) and make the required changes: adapt at least the URL, check/change the rule, the size and the description for a new feed. The rule consist of max. 4 individual, space separated parameters: 1. type: always 'feed' (required) 2. prefix: an optional search term (a string literal, no regex) to identify valid domain list entries, e.g. '0.0.0.0' @@ -390,13 +389,13 @@ The rule consist of max. 4 individual, space separated parameters: **Enable debug mode** Adblock provides an optional debug mode that writes diagnostic information to the system log and captures internal error output in a dedicated error logfile - by default located in the adblock base directory as '/tmp/adb_error.log'. The log file is automatically cleared at the beginning of each run. Under normal conditions, all error messages are discarded to keep regular runs clean and silent. To enable debug mode, set the option 'adb_debug' to '1'. When enabled, the script produces significantly more log output to assist with troubleshooting. -## Support +## Support Please join the adblock discussion in this [forum thread](https://forum.openwrt.org/t/adblock-support-thread/507) or contact me by mail -## Removal +## Removal Stop all adblock related services with _/etc/init.d/adblock stop_ and remove the adblock package if necessary. -## Donations +## Donations You like this project - is there a way to donate? Generally speaking "No" - I have a well-paying full-time job and my OpenWrt projects are just a hobby of mine in my spare time. If you still insist to donate some bucks ... diff --git a/net/adblock/files/adblock.sh b/net/adblock/files/adblock.sh index 06d3ca773..b8a817b60 100755 --- a/net/adblock/files/adblock.sh +++ b/net/adblock/files/adblock.sh @@ -1239,8 +1239,9 @@ f_switch() { # resume via external DNS bridge # if [ "${adb_nftbridge}" = "1" ] && "${adb_nftcmd}" list chain inet adblock dns-bridge >/dev/null 2>&1; then - "${adb_nftcmd}" flush chain inet adblock dns-bridge 2>>"${adb_errorlog}" - [ "${?}" = "0" ] && done="nft" + if "${adb_nftcmd}" flush chain inet adblock dns-bridge 2>>"${adb_errorlog}"; then + done="nft" + fi f_count "final" "${adb_finaldir}/${adb_dnsfile}" # resume via local DNS @@ -1826,44 +1827,43 @@ f_report() { # "${adb_awkcmd}" ' { + if (NF < 7) { + next + } client = $3 - iface = $4 - qtype = $5 domain = $6 rc = $7 - # normalize domain - gsub(/[\.]+$/, "", domain) + + if (domain == "" || domain == "-") { + next + } + + sub(/[\.]+$/, "", domain) domain = tolower(domain) - # total client counter + clients[client]++ - # remember OK per domain if (rc == "OK") { - ok_domain[domain] = 1 - ok_rr[domain SUBSEP qtype] = 1 + ok_domain[domain]++ } - # remember NX per domain - if (rc == "NX") { + else if (rc == "NX") { nx_domain[domain]++ - nx_rr[domain SUBSEP qtype]++ } - # total queries per domain all_domain[domain]++ } - END { - # top clients - for (c in clients) - printf "%d %s\n", clients[c], c > "'"${top_tmpclients}"'" - # domains & blocked domains - for (d in all_domain) { - if (ok_domain[d]) { - printf "%d %s\n", all_domain[d], d > "'"${top_tmpdomains}"'" - continue + END { + for (c in clients) { + printf "%d %s\n", clients[c], c > "'"${top_tmpclients}"'" + } + for (d in all_domain) { + if (d in ok_domain) { + printf "%d %s\n", ok_domain[d], d > "'"${top_tmpdomains}"'" } - if (nx_domain[d]) { + if (d in nx_domain) { printf "%d %s\n", nx_domain[d], d > "'"${top_tmpblocked}"'" } } - }' "${report_srt}" + } + ' "${report_srt}" # build json top lists #