Re: 20.xx: postpone LuCI HTTPS per default
Given that the first login via LuCI, on a fresh install, is without a password anyway, what if setting the initial password sets up letsencrypt also? Then, on letsencrypt's first successful cert install, https gets enabled as the default, the device requests that the user reboot to complete the setup, and their next session is forced to https.

I agree that https with self-signed certs is not good, especially on a first boot/install device.

Cheers
Derek

On 11/19/20 6:09 PM, Paul Spooren wrote:
> Hi,
>
> The current list of release goals for 20.xx states[0] that LuCI should use HTTPS per default. This works by creating on-device a self-signed certificate.
>
> Self-signed certificates result in warnings and may cause more harm than good; multiple discussions are found in the mail archive.
>
> As no clean solution seems in reach while 20.xx seems close, I'd like to suggest postponing HTTPS LuCI (`luci-ssl` vs `luci`) per default.
>
> This isn't a vote but a request for developer/user opinions.
>
> Sunshine,
> Paul
>
> [0]: https://openwrt.org/docs/guide-developer/releases/goals/20.xx

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] Ath10k driver fails to load on 18.06.1 and latest trunk
Having problems getting the ath10k/QCA988X for the Compex WLE600VX mini PCIe wifi card to load in the APU x86/x64 system. I've used the Compex 200 series card with good success, so wanted to try a more up to date card with the 600 series. I've tried 18.06.1 and the latest trunk but I get the same errors. Even with the errors the card seems to limp along and half work, but not in a usable way. Wondering if it's a bad card or whether the drivers are known to have issues with these cards.

Here are the system messages I get at boot.

Sun Jan 27 16:12:37 2019 kern.info kernel: [ 7.415352] ath10k_pci :01:00.0: pci irq msi oper_irq_mode 2 irq_mode 0 reset_mode 0
Sun Jan 27 16:12:37 2019 kern.warn kernel: [ 7.653890] ath10k_pci :01:00.0: Direct firmware load for ath10k/pre-cal-pci-:01:00.0.bin failed with error -2
Sun Jan 27 16:12:37 2019 kern.warn kernel: [ 7.664864] ath10k_pci :01:00.0: Falling back to user helper
Sun Jan 27 16:12:37 2019 kern.err kernel: [ 7.677730] firmware ath10k!pre-cal-pci-:01:00.0.bin: firmware_loading_store: map pages failed
Sun Jan 27 16:12:37 2019 kern.warn kernel: [ 7.687198] ath10k_pci :01:00.0: Direct firmware load for ath10k/cal-pci-:01:00.0.bin failed with error -2
Sun Jan 27 16:12:37 2019 kern.warn kernel: [ 7.698039] ath10k_pci :01:00.0: Falling back to user helper
Sun Jan 27 16:12:37 2019 kern.err kernel: [ 7.710433] firmware ath10k!cal-pci-:01:00.0.bin: firmware_loading_store: map pages failed
Sun Jan 27 16:12:37 2019 kern.warn kernel: [ 7.720756] ath10k_pci :01:00.0: Direct firmware load for ath10k/QCA988X/hw2.0/firmware-6.bin failed with error -2
Sun Jan 27 16:12:37 2019 kern.warn kernel: [ 7.731877] ath10k_pci :01:00.0: Falling back to user helper
Sun Jan 27 16:12:37 2019 kern.err kernel: [ 7.745497] firmware ath10k!QCA988X!hw2.0!firmware-6.bin: firmware_loading_store: map pages failed
Sun Jan 27 16:12:37 2019 kern.info kernel: [ 7.766983] ath10k_pci :01:00.0: qca988x hw2.0 target 0x4100016c chip_id 0x043222ff sub :
Sun Jan 27 16:12:37 2019 kern.info kernel: [ 7.776578] ath10k_pci :01:00.0: kconfig debug 0 debugfs 1 tracing 0 dfs 1 testmode 1
Sun Jan 27 16:12:37 2019 kern.info kernel: [ 7.787839] ath10k_pci :01:00.0: firmware ver 10.2.4-1.0-00041 api 5 features no-p2p,raw-mode,mfp,allows-mesh-bcast crc32 f43fa422
Sun Jan 27 16:12:37 2019 kern.warn kernel: [ 7.832906] ath10k_pci :01:00.0: Direct firmware load for ath10k/QCA988X/hw2.0/board-2.bin failed with error -2
Sun Jan 27 16:12:37 2019 kern.warn kernel: [ 7.843667] ath10k_pci :01:00.0: Falling back to user helper
Sun Jan 27 16:12:37 2019 kern.err kernel: [ 7.856609] firmware ath10k!QCA988X!hw2.0!board-2.bin: firmware_loading_store: map pages failed
Sun Jan 27 16:12:37 2019 kern.info kernel: [ 7.866578] ath10k_pci :01:00.0: board_file api 1 bmi_id N/A crc32 bebc7c08
Sun Jan 27 16:12:37 2019 kern.info kernel: [ 9.008780] ath10k_pci :01:00.0: htt-ver 2.1 wmi-op 5 htt-op 2 cal otp max-sta 128 raw 0 hwcrypto 1

Thanks
Derek
Re: [OpenWrt-Devel] [LEDE-DEV] Wifi-related kernel-oops on mt7621 after 4.14 update
On 04/12/2018 07:02 AM, John Crispin wrote:
> On 12/04/18 12:42, Kristian Evensen wrote:
>> Hello,
>>
>> I have recently updated some ramips mt7621 devices (ZBT WG3526) to the latest nightly. Almost everything seems to work fine, but using either wifi interface in client mode seems to trigger an oops. I see two different oops messages:
>>
>> Message 1:
>> [ 66.442802] CPU 1 Unable to handle kernel paging request at virtual address e9e9e0d5, epc == 8f3e060c, ra == 8ec86fac
>> [ 66.453460] Oops[#1]:
>> [ 66.455743] CPU: 1 PID: 3679 Comm: wifib Tainted: G W 4.14.32 #0
>> [ 66.462857] task: 8e223200 task.stack: 8e1b4000
>> [ 66.467374] $ 0 : 0001 7abc2e80 0020
>> [ 66.472612] $ 4 : 8ec48bc0 8e76dc20 e9e9dae0 8e1b5848
>> [ 66.477847] $ 8 : 8ec4902c 80452968 00ee4000 ff80
>> [ 66.483061] $12 : 80583f8c 0040 77f0f3c0
>> [ 66.488276] $16 : 8ec49560 8f578000 8e76d480 8ec48bc0
>> [ 66.493493] $20 : 0002 8e1b5cb8 0008
>> [ 66.498711] $24 : 77e74ff0
>> [ 66.503937] $28 : 8e1b4000 8e1b5780 8ec86fac
>> [ 66.509153] Hi :
>> [ 66.512020] Lo : 0068
>> [ 66.514913] epc : 8f3e060c 0x8f3e060c
>> [ 66.518866] ra : 8ec86fac sta_set_sinfo+0xcc/0xbb0 [mac80211]
>> [ 66.524843] Status: 11007c03 KERNEL EXL IE
>> [ 66.529015] Cause : 4088 (ExcCode 02)
>> [ 66.533005] BadVA : e9e9e0d5
>> [ 66.535869] PrId : 0001992f (MIPS 1004Kc)
>> [ 66.539941] Modules linked in: rt2800pci rt2800mmio rt2800lib qcserial ppp_async option usb_wwan rt2x00pci rt2x00mmio rt2x00lib rndis_host qmi_wwan ppp_generic nf_nat_pptp nf_conntrack_pptp nf_conntrack_ipv6p
>> [ 66.610889] nf_nat_snmp_basic nf_nat_sip nf_nat_redirect nf_nat_proto_gre nf_nat_masquerade_ipv4 nf_nat_irc nf_conntrack_ipv4 nf_nat_ipv4 nf_nat_h323 nf_nat_ftp nf_nat_amanda nf_nat nf_log_ipv4 nf_flow_tablt
>> [ 66.681822] ip_set_hash_netiface ip_set_hash_netport ip_set_hash_netnet ip_set_hash_net ip_set_hash_netportnet ip_set_hash_mac ip_set_hash_ipportnet ip_set_hash_ipportip ip_set_hash_ipport ip_set_hash_ipmarm
>> [ 66.753184] ohci_hcd ehci_platform sd_mod scsi_mod ehci_hcd gpio_button_hotplug usbcore nls_base usb_common mii
>> [ 66.763357] Process wifib (pid: 3679, threadinfo=8e1b4000, task=8e223200, tls=77f10ec0)
>> [ 66.771321] Stack : 8e1b5848 8f578000
>> [ 66.779654] 8e76d480 8ec48bc0 8f578130 0002 8e1b5cb8 0008 8ec86fac
>> [ 66.787987] 0100 8e134628 0007 8e1b5b98 8e134628 8e1b5b90 8ec49014
>> [ 66.796325] 8e76d000 fffe 0002 8e1b5cb8 8ec9e338 8ec315ac
>> [ 66.804661] 01d2 8058 8e134628 8e068840 8ec1fb28
>> [ 66.812996] ...
>> [ 66.815446] Call Trace:
>> [ 66.817894] [<8f3e060c>] 0x8f3e060c
>> [ 66.821370] Code: 000630c0 02063021 94f40002 <90d205f5> 00e0b025 1682 3253 2414001f 96d50004
>> [ 66.831098]
>> [ 66.833187] ---[ end trace 8c8a003de3eabcd8 ]---
>> [ 66.841897] Kernel panic - not syncing: Fatal exception
>> [ 66.849317] Rebooting in 3 seconds..
>>
>> Message 2:
>> [ 132.613293] CPU 0 Unable to handle kernel paging request at virtual address ea9160d5, epc == 8f2c060c, ra == 8ec86fac
>> [ 132.623927] Oops[#1]:
>> [ 132.626199] CPU: 0 PID: 41 Comm: kworker/u8:3 Tainted: G W 4.14.32 #0
>> [ 132.633882] Workqueue: phy0 ieee80211_ibss_leave [mac80211]
>> [ 132.639431] task: 8fd48c80 task.stack: 8fd94000
>> [ 132.643933] $ 0 : 0001 7ac52e80 0020
>> [ 132.649141] $ 4 : 8f2d0bc0 8e04dc20 ea915ae0 8f122400
>> [ 132.654350] $ 8 : 80452970 8fc02b00 0005376b
>> [ 132.659558] $12 : 12d8 001c
>> [ 132.664766] $16 : 8f2d1560 8f58a000 8e04d480 8f2d0bc0
>> [ 132.669973] $20 : 0001 8f2d1014
>> [ 132.675181] $24 : 3b9aca00
>> [ 132.680390] $28 : 8fd94000 8fd95c88 8ece1618 8ec86fac
>> [ 132.685605] Hi : 07d0
>> [ 132.688473] Lo : 0bb8
>> [ 132.691357] epc : 8f2c060c 0x8f2c060c
>> [ 132.695235] ra : 8ec86fac sta_set_sinfo+0xcc/0xbb0 [mac80211]
>> [ 132.701212] Status: 11008403 KERNEL EXL IE
>> [ 132.705391] Cause : 4088 (ExcCode 02)
>> [ 132.709380] BadVA : ea9160d5
>> [ 132.712247] PrId : 0001992f (MIPS 1004Kc)
>> [ 132.716320] Modules linked in: rt2800pci rt2800mmio rt2800lib qcserial ppp_async option usb_wwan rt2x00pci rt2x00mmio rt2x00lib rndis_host qmi_wwan ppp_generic nf_nat_pptp nf_conntrack_pptp nf_conntrack_ipv6p
>> [ 132.787381] nf_nat_snmp_basic nf_nat_sip nf_nat_redirect nf_nat_proto_gre nf_nat_masquerade_ipv4 nf_nat_irc nf_conntrack_ipv4 nf_nat_ipv4 nf_nat_h323 nf_nat_ftp nf_nat_amanda nf_nat nf_log_ipv4 nf_flow_tablt
>> [ 132.858369] ip_set_hash_netiface ip_set_hash_netport ip_set_hash_netnet ip_set_hash_net ip_set_hash_netportnet ip_set_hash_mac ip_set_hash_ipportnet ip_set_hash_ipportip ip_set_hash_ipport ip_set_hash_ipmarm
>> [ 132.929808] ohci_hcd ehci_platform sd_mod scsi_mod ehci_hcd gpio_button_hotplug usbcore nls_base
[OpenWrt-Devel] kernel NULL pointer issue in latest master branch with rt2800usb rt2800lib rt2x00usb rt2x00lib
Running the latest development branch on my bpi-r1 system for the past few weeks and find that the system is crashing about every 36 hours. It seems that it crashes when it's under a little CPU load or multiple processes are actually doing work. I run e2guardian and squid on my router. When this crash happens it seems that CPU load is still low, in the 10 - 20% range.

I just switched to this branch vs the 17.01.x series about 2 weeks ago in an effort to help test the new version before it is released. At that time the B53 switch drivers were not being loaded; seems some difference in the 4.9 and 4.14 versions of the kernel. This patch was created and fixed the switch issue.
https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=b7b14fd64e09b523b2da6a9db6d7ff300964b955

I use a Ralink RT chipset 5592 because the onboard 8291cu chip & drivers are junk. The Ralink card has worked great for years on the 17.x and prior kernel versions.

crash dump
[45729.124237] Unable to handle kernel NULL pointer deref8
[45729.132661] pgd = edc4ad00
[45729.135502] [0028] *pgd=6e733003, *pmd=7fc26003
[45729.140895] Internal error: Oops: 207 [#1] PREEMPT SMP ARM
[45729.146387] Modules linked in: rt2800usb rt2800lib rt2x00usb rt2x00lib pppoet
[45729.217382] ip_set_bitmap_ipmac ip_set_bitmap_ip ip_set nfnetlink ip6t_REJEm
[45729.235828] CPU: 0 PID: 4028 Comm: e2guardian Not tainted 4.14.25 #0
[45729.242172] Hardware name: Allwinner sun7i (A20) Family
[45729.247391] task: edf71500 task.stack: edf7c000
[45729.251928] PC is at tcp_push+0x44/0xfc
[45729.255761] LR is at 0xed34eb34
[45729.258899] pc : [] lr : [] psr: 4013
[45729.265156] sp : edf7de00 ip : ed416780 fp : ed34eb34
[45729.270373] r10: ed416780 r9 : a9b0 r8 :
[45729.275591] r7 : da53 r6 : ed34ea40 r5 : r4 : ffe0
[45729.282108] r3 : 0001 r2 : 05a8 r1 : r0 : ed34ea40
[45729.288628] Flags: nZcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
[45729.295754] Control: 30c5387d Table: 6dc4ad00 DAC: fffd
[45729.301493] Process e2guardian (pid: 4028, stack limit = 0xedf7c210)
[45729.307838] Stack: (0xedf7de00 to 0xedf7e000)
[45729.312195] de00: ffe0 da53 ed34ea40 da53 edf7dedc da53 ed414

A few relevant portions of the kernel boot log
Linux 4.14.27 #0 SMP PREEMPT Wed Mar 21 22:24:09 2018 armv7l GNU/x
[ 2.307730] usb 1-1: New USB device found, idVendor=148f, idProduct=5572
[ 2.314578] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 2.321805] usb 1-1: Product: 802.11 n WLAN
[ 2.326064] usb 1-1: Manufacturer: Ralink
[ 2.330131] usb 1-1: SerialNumber: 1.0
[ 9.630858] usb 1-1: reset high-speed USB device number 2 using ehci-platform
[ 9.840191] ieee80211 phy0: rt2x00_set_rt: Info - RT chipset 5592, rev 0222 detected
[ 9.876184] ieee80211 phy0: rt2x00_set_rf: Info - RF chipset 000f detected
[ 9.884937] ieee80211 phy0: Selected rate control algorithm 'minstrel_ht'
[ 9.888448] usbcore: registered new interface driver rt2800usb
[ 9.894671] kmodloader: done loading kernel modules from /etc/modules.d/*
[ 14.337032] ieee80211 phy0: rt2x00lib_request_firmware: Info - Loading firmware file 'rt2870.bin'
[ 14.350912] ieee80211 phy0: rt2x00lib_request_firmware: Info - Firmware detected - version: 0.36

Any advice on fixing this issue?

Thanks
Derek
[OpenWrt-Devel] Possible to define a tab for each TypedSection in a luci web-app?
I'm developing a web app for a configuration file with multiple sections. In the web app I would like a new tab for each TypedSection I define. For all the other luci web-apps I've seen, there are only multiple tabs within one TypedSection.

When I define a tab under each of the TypedSections now, it places the tab outline around the title, but all the other tabs are listed below on the same page and do not create sub-pages.

Thanks
Derek
[OpenWrt-Devel] trunk for the sunxi platform has a few inconsistencies
I'm running the latest LEDE snapshot on the sunxi platform. The 4.4 kernel is a nice upgrade. While using the image I've noticed a few inconsistencies.

The WAN LED is missing on this platform, which could be because this uses a USB wifi adapter. I see from the wiki page that the WAN LEDs seem to be created by default on other platforms and are not an extra package.

ls -l /sys/class/leds/
lrwxrwxrwx 1 root root 0 Jan 1 1970 lamobo_r1:green:usr -> ../../devices/platform/leds/leds/lamobo_r1:green:usr
lrwxrwxrwx 1 root root 0 Feb 28 02:03 rt2800usb-phy0::assoc -> ../../devices/platform/soc@01c0/1c14000.usb/usb1/1-1/1-1:1.0/leds/rt2800usb-phy0::assoc
lrwxrwxrwx 1 root root 0 Feb 28 02:03 rt2800usb-phy0::quality -> ../../devices/platform/soc@01c0/1c14000.usb/usb1/1-1/1-1:1.0/leds/rt2800usb-phy0::quality
lrwxrwxrwx 1 root root 0 Feb 28 02:03 rt2800usb-phy0::radio -> ../../devices/platform/soc@01c0/1c14000.usb/usb1/1-1/1-1:1.0/leds/rt2800usb-phy0::radio

Secondly, I know that procd has had lots more development for this release. I'm finding that the procd triggers for config file changes don't seem to work consistently. These triggers worked on CC 15.05.1. Are the procd rc.buttons working consistently?

Sample relevant code section:

#!/bin/sh /etc/rc.common
#
START=95
USE_PROCD=1
...
...

My customapp has service_triggers():

service_triggers() {
    procd_open_trigger
    procd_add_reload_trigger "mycustomapp"
    procd_close_trigger
}

Changing /etc/config/mycustomapp doesn't trigger a reload or restart of /etc/init.d/mycustomapp.

Any advice much appreciated.

Cheers
Derek
[OpenWrt-Devel] Is there a way to list all registered procd service triggers?
When trying to debug startup scripts it's useful to see if the service triggers are properly registered.

cheers
Derek
Re: [OpenWrt-Devel] Slow DNSMasq with > 100,000 entries in additional addresses file
Quick report - So I didn't test pihole per se, but used that method of storing the blacklist in the hosts file for dnsmasq to use. Dnsmasq must use a different storage method for its hosts file. I loaded 850439 entries in the hosts file and restarted dnsmasq. It uses half as much memory as when loaded as a conf-file like adblock does. And it's super fast, with virtually non-existent CPU usage. DNS lookups perform just like they should. Though the hosts file is now returning an IP address I specified for the blocked hosts - would have been nice to do the nxdomain. Think this will work for my needs; I can put a second IP address on the router and run pixelserv on it or something like that.

Cheers
Derek

On 12/29/2016 11:11 AM, Dave Taht wrote:
> On Thu, Dec 29, 2016 at 8:09 AM, TheWerthFam <thewerth...@gmail.com> wrote:
>> Right now I'd rather not customize the code. There are two directions I'm going to try first. Give unbound a try to serve DNS, keeping Dnsmasq for DHCP. If that doesn't work, try converting the list to a hosts file pointing to a local pixelsrv address. There are some other blog posts that indicate that the hosts file can handle a lot more entries. Like https://github.com/pi-hole/pi-hole Maybe just run pi-hole on openwrt.
>
> Well, I've had a bit of fun feeding large blocklists into cmph. Using the "chd" algorithm, it creates an index file from a 24MB blocklist into a 800K one. (but you still need the original data and a secondary index)
>
> I also fiddled a bit with bloom filters, which strike me as apropos. It seems feasible to establish a large dataset of read-only data with a fast index (that can be discarded in low memory situations, rather than swapped out)
>
> I'll take a look at pi-hole...
>
>> Cheers
>> Derek
>>
>> On 12/28/2016 02:21 PM, Dave Taht wrote:
>>> On Tue, Dec 27, 2016 at 11:03 PM, TheWerthFam <thewerth...@gmail.com> wrote:
>>>> Thanks for the feedback, I'll look into NFQUEUE. I'm forcing the use of my dns by iptables. I'm also using a transparent squid and e2guardian to filter content. I like the idea of the dns based blacklist to add some filtering capabilities since I don't want to try and filter https type sites. I know no solution is perfect.
>>>
>>> I've been thinking about this, and given the large amount of active data in a very small memory space have been thinking that another approach would be more fruitful. Convert the giant table into a "minimally perfect hash", and mmap it into memory read-only, so it can be discarded under memory pressure, unlike ipset, squid, or dnsmasq based approaches.
>>>
>>>> Cheers
>>>> Derek
>>>>
>>>> On 12/27/2016 01:53 PM, philipp_s...@redfish-solutions.com wrote:
>>>>> On Dec 26, 2016, at 10:32 AM, TheWerthFam <thewerth...@gmail.com> wrote:
>>>>>> Using the adblock set of scripts to block malware and porn sites. The porn sites list is 800,000 entries, about 10x the number of sites adblock normally uses. With the full list of malware and porn domains loaded, dnsmasq takes 115M of memory and normally sits around 50% CPU usage with moderate browsing usage. CPU and RAM usage isn't really a problem other than lookups are slow now. Platform is cc 15.05.1 r49389 on banana pi r1.
>>>>>>
>>>>>> The adblock script takes the different lists, creates files in /tmp/dnsmasq.d/ with entries looking like
>>>>>> local=/domainnottogoto.com/
>>>>>> one entry per line. The goal is to return NXDOMAIN for entries in the lists. Lists are sorted and with unique entries.
>>>>>>
>>>>>> I've tried increasing the cachesize to 10,000 but that made no change. Tried neg-ttl=3600 with default negative caching enabled with no change. Are there dnsmasq settings that will improve the performance? Or should it be configured differently to achieve this goal? Perhaps unbound would be better suited?
>>>>>>
>>>>>> Cheers
>>>>>> Derek
>>>>>
>>>>> Not to rain on your parade, but the obvious defeat of this solution would be to point to an external website which does DNS lookups for you, and then edit the URL to have an IP address in place of the host name.
>>>>>
>>>>> I would use netfilter's NFQUEUE and make a user-space decision based on packet-destination (since it seems you're filtering outbound traffic requests). After all, it's not the NAME you don't want to talk to... it's the HOST that bears that NAME.
>>>>>
>>>>> -Philip
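The read-only, mmap-able blocklist index Dave proposes in the quoted exchange, as an added example that is not code from the thread or from cmph: a sorted array of truncated SHA-256 domain hashes stands in for a real minimal perfect hash, the file is mapped read-only so the kernel can drop and re-read its pages instead of swapping them, and `is_blocked` mirrors the `local=/domain/` behaviour of covering subdomains. The `build_index`, `BlockList` and `demo` names and the four-entry sample list are constructed for this example.

```python
import hashlib
import mmap
import os
import tempfile

HASH_WIDTH = 8  # bytes of SHA-256 kept per entry; 8 is ample for ~1M names


def domain_key(name: str) -> bytes:
    # Normalise the way a resolver would: lowercase, no trailing dot.
    name = name.strip().lower().rstrip(".")
    return hashlib.sha256(name.encode("utf-8")).digest()[:HASH_WIDTH]


def build_index(domains, path: str) -> int:
    """Write the sorted, de-duplicated hash array to `path`; return entry count."""
    keys = {domain_key(d) for d in domains if d.strip() and not d.startswith("#")}
    with open(path, "wb") as fh:
        fh.write(b"".join(sorted(keys)))
    return len(keys)


class BlockList:
    """Lookups against the on-disk index without copying it into the heap."""

    def __init__(self, path: str):
        self._fh = open(path, "rb")
        size = os.fstat(self._fh.fileno()).st_size
        # ACCESS_READ gives clean, file-backed pages: under memory pressure the
        # kernel can simply drop them and re-read the file, instead of swapping.
        self._mm = mmap.mmap(self._fh.fileno(), size, access=mmap.ACCESS_READ) if size else None
        self._count = size // HASH_WIDTH

    def _has_key(self, key: bytes) -> bool:
        # Binary search over fixed-width records straight out of the mapping.
        lo, hi = 0, self._count
        while lo < hi:
            mid = (lo + hi) // 2
            cur = self._mm[mid * HASH_WIDTH:(mid + 1) * HASH_WIDTH]
            if cur < key:
                lo = mid + 1
            elif cur > key:
                hi = mid
            else:
                return True
        return False

    def is_blocked(self, name: str) -> bool:
        # Like dnsmasq's local=/domain/, a listed domain also covers every
        # subdomain, so walk from the full name up to (not including) the TLD.
        # A truncated-hash collision can only over-block, never let a listed name through.
        if self._mm is None:
            return False
        labels = name.strip().lower().rstrip(".").split(".")
        return any(self._has_key(domain_key(".".join(labels[i:])))
                   for i in range(len(labels) - 1))

    @property
    def size_bytes(self) -> int:
        return self._count * HASH_WIDTH

    def close(self) -> None:
        if self._mm is not None:
            self._mm.close()
        self._fh.close()


def demo() -> dict:
    # Constructed sample list standing in for the ~850k-entry adblock feed.
    sample = ["domainnottogoto.com", "tracker.example.net", "# comment", "Ads.Example.org."]
    path = os.path.join(tempfile.mkdtemp(), "blocklist.idx")
    count = build_index(sample, path)
    bl = BlockList(path)
    probes = ("www.domainnottogoto.com", "ads.example.org", "example.org", "openwrt.org")
    result = {
        "entries": count,
        "index_bytes": bl.size_bytes,
        "blocked": [n for n in probes if bl.is_blocked(n)],
        # 850439 entries * 8 bytes: what the report's hosts-file count would take here
        "projected_mb_for_850439": round(850439 * HASH_WIDTH / 1e6, 1),
    }
    bl.close()
    return result
```

Unlike a true minimal perfect hash, this index still needs one binary search (about 20 probes for 850k entries), but every probe touches only file-backed pages, which is the property the thread is after.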
Re: [OpenWrt-Devel] Slow DNSMasq with > 100,000 entries in additional addresses file
Right now I'd rather not customize the code. There are two directions I'm going to try first. Give unbound a try to serve DNS, keeping Dnsmasq for DHCP. If that doesn't work, try converting the list to a hosts file pointing to a local pixelsrv address. There are some other blog posts that indicate that the hosts file can handle a lot more entries. Like https://github.com/pi-hole/pi-hole Maybe just run pi-hole on openwrt.

Cheers
Derek

On 12/28/2016 02:21 PM, Dave Taht wrote:
> On Tue, Dec 27, 2016 at 11:03 PM, TheWerthFam <thewerth...@gmail.com> wrote:
>> Thanks for the feedback, I'll look into NFQUEUE. I'm forcing the use of my dns by iptables. I'm also using a transparent squid and e2guardian to filter content. I like the idea of the dns based blacklist to add some filtering capabilities since I don't want to try and filter https type sites. I know no solution is perfect.
>
> I've been thinking about this, and given the large amount of active data in a very small memory space have been thinking that another approach would be more fruitful. Convert the giant table into a "minimally perfect hash", and mmap it into memory read-only, so it can be discarded under memory pressure, unlike ipset, squid, or dnsmasq based approaches.
>
>> Cheers
>> Derek
>>
>> On 12/27/2016 01:53 PM, philipp_s...@redfish-solutions.com wrote:
>>> On Dec 26, 2016, at 10:32 AM, TheWerthFam <thewerth...@gmail.com> wrote:
>>>> Using the adblock set of scripts to block malware and porn sites. The porn sites list is 800,000 entries, about 10x the number of sites adblock normally uses. With the full list of malware and porn domains loaded, dnsmasq takes 115M of memory and normally sits around 50% CPU usage with moderate browsing usage. CPU and RAM usage isn't really a problem other than lookups are slow now. Platform is cc 15.05.1 r49389 on banana pi r1.
>>>>
>>>> The adblock script takes the different lists, creates files in /tmp/dnsmasq.d/ with entries looking like
>>>> local=/domainnottogoto.com/
>>>> one entry per line. The goal is to return NXDOMAIN for entries in the lists. Lists are sorted and with unique entries.
>>>>
>>>> I've tried increasing the cachesize to 10,000 but that made no change. Tried neg-ttl=3600 with default negative caching enabled with no change. Are there dnsmasq settings that will improve the performance? Or should it be configured differently to achieve this goal? Perhaps unbound would be better suited?
>>>>
>>>> Cheers
>>>> Derek
>>>
>>> Not to rain on your parade, but the obvious defeat of this solution would be to point to an external website which does DNS lookups for you, and then edit the URL to have an IP address in place of the host name.
>>>
>>> I would use netfilter's NFQUEUE and make a user-space decision based on packet-destination (since it seems you're filtering outbound traffic requests). After all, it's not the NAME you don't want to talk to... it's the HOST that bears that NAME.
>>>
>>> -Philip
Re: [OpenWrt-Devel] Slow DNSMasq with > 100,000 entries in additional addresses file
Thanks for the feedback, I'll look into NFQUEUE. I'm forcing the use of my dns by iptables. I'm also using a transparent squid and e2guardian to filter content. I like the idea of the dns based blacklist to add some filtering capabilities since I don't want to try and filter https type sites. I know no solution is perfect.

Cheers
Derek

On 12/27/2016 01:53 PM, philipp_s...@redfish-solutions.com wrote:
> On Dec 26, 2016, at 10:32 AM, TheWerthFam <thewerth...@gmail.com> wrote:
>> Using the adblock set of scripts to block malware and porn sites. The porn sites list is 800,000 entries, about 10x the number of sites adblock normally uses. With the full list of malware and porn domains loaded, dnsmasq takes 115M of memory and normally sits around 50% CPU usage with moderate browsing usage. CPU and RAM usage isn't really a problem other than lookups are slow now. Platform is cc 15.05.1 r49389 on banana pi r1.
>>
>> The adblock script takes the different lists, creates files in /tmp/dnsmasq.d/ with entries looking like
>> local=/domainnottogoto.com/
>> one entry per line. The goal is to return NXDOMAIN for entries in the lists. Lists are sorted and with unique entries.
>>
>> I've tried increasing the cachesize to 10,000 but that made no change. Tried neg-ttl=3600 with default negative caching enabled with no change. Are there dnsmasq settings that will improve the performance? Or should it be configured differently to achieve this goal? Perhaps unbound would be better suited?
>>
>> Cheers
>> Derek
>
> Not to rain on your parade, but the obvious defeat of this solution would be to point to an external website which does DNS lookups for you, and then edit the URL to have an IP address in place of the host name.
>
> I would use netfilter's NFQUEUE and make a user-space decision based on packet-destination (since it seems you're filtering outbound traffic requests). After all, it's not the NAME you don't want to talk to... it's the HOST that bears that NAME.
>
> -Philip
Re: [OpenWrt-Devel] Slow DNSMasq with > 100,000 entries in additional addresses file
Problem with this method is that it misses lots of HTTPS based sites. I do already run squid though. Am I wrong that it will not proxy https sites unless you use a MITM type setup?

Thanks

On 12/26/2016 08:47 PM, Lucian Cristian wrote:
> On 26.12.2016 19:32, TheWerthFam wrote:
>> Using the adblock set of scripts to block malware and porn sites. The porn sites list is 800,000 entries, about 10x the number of sites adblock normally uses. With the full list of malware and porn domains loaded, dnsmasq takes 115M of memory and normally sits around 50% CPU usage with moderate browsing usage. CPU and RAM usage isn't really a problem other than lookups are slow now. Platform is cc 15.05.1 r49389 on banana pi r1.
>>
>> The adblock script takes the different lists, creates files in /tmp/dnsmasq.d/ with entries looking like
>> local=/domainnottogoto.com/
>> one entry per line. The goal is to return NXDOMAIN for entries in the lists. Lists are sorted and with unique entries.
>>
>> I've tried increasing the cachesize to 10,000 but that made no change. Tried neg-ttl=3600 with default negative caching enabled with no change. Are there dnsmasq settings that will improve the performance? Or should it be configured differently to achieve this goal? Perhaps unbound would be better suited?
>>
>> Cheers
>> Derek
>
> use squid and squidguard
>
> regards
[OpenWrt-Devel] Slow DNSMasq with > 100,000 entries in additional addresses file
Using the adblock set of scripts to block malware and porn sites. The porn sites list is 800,000 entries, about 10x the number of sites adblock normally uses. With the full list of malware and porn domains loaded, dnsmasq takes 115M of memory and normally sits around 50% CPU usage with moderate browsing usage. CPU and RAM usage isn't really a problem other than lookups are slow now. Platform is cc 15.05.1 r49389 on banana pi r1.

The adblock script takes the different lists, creates files in /tmp/dnsmasq.d/ with entries looking like
local=/domainnottogoto.com/
one entry per line. The goal is to return NXDOMAIN for entries in the lists. Lists are sorted and with unique entries.

I've tried increasing the cachesize to 10,000 but that made no change. Tried neg-ttl=3600 with default negative caching enabled with no change. Are there dnsmasq settings that will improve the performance? Or should it be configured differently to achieve this goal? Perhaps unbound would be better suited?

Cheers
Derek