Description
When adding or removing domains in DNS Threat Shield (blocklist and allowlist), each operation is immediately applied and triggers a restart of the adblock service.
If multiple additions or deletions are performed in rapid sequence, the service may restart multiple times before previous executions complete. This can lead to a race condition where adblock ends up running without loading any lists, resulting in zero blocked domains and an inconsistent runtime state.
Steps to reproduce
- Go to Threat Shield DNS
- Open blocklist or allowlist management
- Add multiple domains quickly (one after another)
- Check adblock status
Expected result
Changes should be staged and applied only after user confirmation, ensuring a single controlled service restart.
Adblock should remain in a consistent "enabled" state with populated blocked domains.
Actual result
Each domain insertion triggers an immediate restart.
If multiple domains are added rapidly, a race condition may occur, resulting in adblock entering a broken state (adblock_status is running, blocked_domains are 0).
root@fw [P]:~# /etc/init.d/adblock status
::: adblock runtime information
+ adblock_status : running
+ adblock_version : 4.1.5
+ blocked_domains : 0
+ active_sources : malware_lvl2, yoroi_malware_level1, yoroi_malware_level2, yoroi_susp_level1, yoroi_susp_level2
+ dns_backend : dnsmasq (-), /tmp/dnsmasq.d
+ run_utils : download: /usr/libexec/wget-ssl, sort: /usr/libexec/sort-coreutils, awk: /usr/bin/gawk
+ run_ifaces : trigger: -, report: eth4
+ run_directories : base: /tmp, backup: /tmp/adblock-Backup, report: /tmp/adblock-Report, jail: /tmp
+ run_flags : backup: ✔, flush: ✘, force: ✔, search: ✘, re-dev+789942c16.20260306165641 v24.10.5
port: ✔, mail: ✘, jail: ✘
+ last_run : -
+ system : INTEL Corporation SHARKBAY, NethSecurity 8.7.1
Instead of the correct state:
root@fw [P]:~# /etc/init.d/adblock status
::: adblock runtime information
+ adblock_status : enabled
+ adblock_version : 4.1.5
+ blocked_domains : 811445
+ active_sources : malware_lvl2, yoroi_malware_level1, yoroi_malware_level2, yoroi_susp_level1, yoroi_susp_level2
+ dns_backend : dnsmasq (-), /tmp/dnsmasq.d
+ run_utils : download: /usr/libexec/wget-ssl, sort: /usr/libexec/sort-coreutils, awk: /usr/bin/gawk
+ run_ifaces : trigger: -, report: eth4
+ run_directories : base: /tmp, backup: /tmp/adblock-Backup, report: /tmp/adblock-Report, jail: /tmp
+ run_flags : backup: ✔, flush: ✘, force: ✔, search: ✘, report: ✔, mail: ✘, jail: ✘
+ last_run : restart, 0m 12s, 8071/4917/5603, 2026-03-17T13:12:29+01:00
+ system : INTEL Corporation SHARKBAY, NethSecurity 8.7.1
Components
NethSecurity 8.7.1
Description
When adding or removing domains in DNS Threat Shield (blocklist and allowlist), each operation is immediately applied and triggers a restart of the adblock service.
If multiple additions or deletions are performed in rapid sequence, the service may restart multiple times before previous executions complete. This can lead to a race condition where adblock ends up running without loading any lists, resulting in zero blocked domains and an inconsistent runtime state.
Steps to reproduce
Expected result
Changes should be staged and applied only after user confirmation, ensuring a single controlled service restart.
Adblock should remain in a consistent "enabled" state with populated blocked domains.
Actual result
Each domain insertion triggers an immediate restart.
If multiple domains are added rapidly, a race condition may occur, resulting in adblock entering a broken state (adblock_status is running, blocked_domains are 0).
Instead of the correct state:
Components
NethSecurity 8.7.1