fix(adblock): resolve race condition on rapid DNS domain changes by gsanchietti · Pull Request #1663 · NethServer/nethsecurity

gsanchietti · 2026-05-13T09:48:14Z

Summary

Store whitelist/blacklist in UCI instead of direct file writes. When multiple rapid API calls add/edit/delete domains, changes are staged to UCI (no restart). The init.d script reads UCI during start/reload and writes physical files.

procd's reload trigger (5s debounce) coalesces rapid UCI commits into a single reload_service call. Using reload (not restart) prevents file clearing that caused 'running with 0 blocked domains' broken state.

Related issue

#1572

How to test

ssh root@192.168.100.215
Add multiple domains rapidly: api-cli ns.threatshield dns-add-allowed --data '{"address":"test1.com","description":""}' &
Check UCI staged (should show all entries): api-cli ns.threatshield dns-list-allowed
Apply from UI (or uci commit && reload_config from shell)
Wait 5-6s for procd reload
Verify whitelist file written and adblock status shows enabled (not broken 'running/0')

Files changed

ns.threatshield: dns_get_local_list() reads from UCI; dns_write_local_list() writes to UCI + save
adblock.init: f_write_local_lists() writes UCI lists to physical files during start/reload
99_adblock_migrate_lists.sh: one-time migration of existing files to UCI (new)
Makefile: install migration script

For the sake of god, avoid to loose the history at every reboot

Sync the local adblock fork to upstream 4.5.5-3 while keeping the NethSecurity-specific ts-dns hooks, bypass migration, and nft bypass rules intact. Assisted-by: Copilot:gpt-5.4

Normalize dns bypass values from UCI and restart adblock after dns settings, blocklist, and bypass API changes so nft rules follow the requested state immediately. Assisted-by: Copilot:gpt-5.4

Changes: - add a new `nft-reload` action inside adbblock.sh - trigger reload when the configuration has been updated - call nft-reload on reload The above changes will recreated the nft chain when the bypass configuration has been changed.

Store Threat Shield DNS local allow and block list edits in UCI so rapid API calls no longer rewrite adblock files or restart the service immediately. Write the physical adblock list files during the next reload, add a one-shot migration for existing list files, and document the staged workflow for the affected API methods. Refs NethServer#1572 Assisted-by: Copilot:gpt-5.4

gsanchietti · 2026-05-15T06:54:20Z

Closing this draft so the same issue1572 branch can be reopened against adblock-update.

gsanchietti self-assigned this May 13, 2026

Tbaile and others added 29 commits May 14, 2026 15:28

build: openwrt 25.12.1

9b8c00e

chore: updated build container

a32a362

build(ppp): upstream patched the package

5d98f3d

build: openwrt 25.12.2

e299a93

build(netifyd): updated binaries

f039ea5

fix: updated syntax due to python update

964c6ee

chore: updated checkmk version

345e97b

build: added suffix support

c3502f5

updated variable generation

090ede7

chore: updated python semver package

399719f

fixed release path

4a789df

feat: added victoria-metrics package

62d8b77

feat: added victoria-logs

a7f68cb

feat: added telegraf package

bd98338

fix: updated spdx

d0f94c0

feat: compiling packages

41fe021

fix: accidentally overwrote telegraf config

bf316b2

fix: addressed deprecation warnings and removed not useful comments

4e94508

fix: adjusted config for sensors and ethtool

a89406a

chore: updated monitoring tools

80581e6

chore: downgraded version to keep compatibility with go

1e06291

chore: added skill to update packages

64761cf

ci: fixed versioning for image build

64bb62e

chore: removed ipcalc fork

7a5eca2

chore: removed jinja2 fork

2c37ad3

build: updated signing method for APKs (NethServer#1659)

f351c76

build: compiling avahi mdns (NethServer#1657)

2f6487d

build: updated debian version and openwrt version

9c20b7e

chore: move back history to persistend dir

1f60266

For the sake of god, avoid to loose the history at every reboot

Tbaile and others added 6 commits May 14, 2026 15:29

updated openwrt package update script

50f9c6c

chore: updated adblock

5e50fbe

build(adblock): update adblock package

7195fd0

Sync the local adblock fork to upstream 4.5.5-3 while keeping the NethSecurity-specific ts-dns hooks, bypass migration, and nft bypass rules intact. Assisted-by: Copilot:gpt-5.4

fix(threatshield): apply dns changes live

2e81cbd

Normalize dns bypass values from UCI and restart adblock after dns settings, blocklist, and bypass API changes so nft rules follow the requested state immediately. Assisted-by: Copilot:gpt-5.4

fix(adblock): reload nft rules

dc7da95

Changes: - add a new `nft-reload` action inside adbblock.sh - trigger reload when the configuration has been updated - call nft-reload on reload The above changes will recreated the nft chain when the bypass configuration has been changed.

gsanchietti force-pushed the issue1572 branch from 51a6162 to af4bdea Compare May 15, 2026 06:53

gsanchietti closed this May 15, 2026

This was referenced May 15, 2026

fix(adblock): resolve race condition on rapid DNS domain changes #1673

Merged

chore: adblock update #1653

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(adblock): resolve race condition on rapid DNS domain changes#1663

fix(adblock): resolve race condition on rapid DNS domain changes#1663
gsanchietti wants to merge 35 commits into
NethServer:mainfrom
gsanchietti:issue1572

gsanchietti commented May 13, 2026

Uh oh!

gsanchietti commented May 15, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

gsanchietti commented May 13, 2026

Summary

Related issue

How to test

Files changed

Uh oh!

gsanchietti commented May 15, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants