Releases: smkrv/mikrotik-domain-filter-script

v2.1.1 - Critical Bug Fixes & Review Hardening

11 Mar 23:26

Mikrotik Domain Filter Script v2.1.1

Critical bug fixes found during post-release code review of v2.1.0.

Critical Fixes

  • Standalone subdomains silently dropped -- domains classified as "other" (e.g., api.stripe.com without stripe.com in input) were excluded from DNS check
  • Classification order-dependent -- children processed before parents due to alphabetical sort, causing broken deduplication
  • trap_cleanup always exited with code 0 -- signal exit code was masked by log return value

Bug Fixes

  • check_updates_needed did not strip inline comments from source files (unlike load_lists)
  • update_gists ARG_MAX risk: file content passed as command-line argument instead of temp file
  • Whitelist silently ignored 5+ level domains and non-PSL 4-level domains
  • Per-signal traps (INT=130, TERM=143) guarantee correct exit codes on interruption
  • URL whitespace validation in load_lists and check_updates_needed
  • grep -F substring match replaced with awk field match in MD5 comparison
  • mv error check added for sorted domain registry
  • SC2155: local var=$() split into declaration and assignment
  • update_gists jq error handling with proper temp file cleanup on failure
  • Fixed CI: bats $output variable collision with bats builtin, test_helpers sed pattern
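The grep -F to awk change in the MD5 comparison, as an added example (not the project's code). The state-file layout of one "<md5> <url>" pair per line, the sample URLs and hashes, and all function names are assumptions made for illustration:

```shell
# Constructed state file: one "<md5> <url>" pair per line (assumed layout).
write_sample_state() {
    cat > "$1" <<'EOF'
11111111111111111111111111111111 https://lists.example/hosts.txt.old
22222222222222222222222222222222 https://lists.example/hosts.txt
EOF
}

# Substring lookup: grep -F matches every line that merely contains the URL,
# so the ".old" entry shadows the real one and the wrong hash is returned.
stored_md5_substring() {
    grep -F -- "$2" "$1" | head -n 1 | cut -d ' ' -f 1
}

# Field lookup: the URL must equal field 2 exactly. Passing it through
# ENVIRON avoids the backslash-escape processing that awk -v applies.
stored_md5_field() {
    LOOKUP_URL="$2" awk '$2 == ENVIRON["LOOKUP_URL"] { print $1; exit }' "$1"
}

# Change detection: true only when the stored hash for exactly this URL
# equals the hash of the freshly downloaded source.
source_unchanged() {
    [ "$(stored_md5_field "$1" "$2")" = "$3" ]
}
```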

Removed

  • Unreachable exit 1 after error() call
  • Unreachable else branch in check_updates_needed
  • Unused subdirectory creation in process_domains

Testing

  • Added bats tests for process_domains() classification (4 tests)
  • Added bats tests for apply_whitelist() 4+ level handling (4 tests)
  • Fixed existing extract_domains and validate_domain tests
  • All 25 bats tests passing
  • ShellCheck clean

Full Changelog

See CHANGELOG.md for complete details.

Full Changelog: v2.1.0...v2.1.1


Testing Environment:

  • Bash scripts validated on Ubuntu 22.04 and Debian 12
  • Mikrotik RouterOS script tested on ROS 6.17 Stable and ROS 7.20.6 Stable

Benchmarking:

Environment: Amazon Lightsail (512 MB RAM, 2 vCPUs, 20 GB SSD, Debian 12.8)
Processing: 86K domains + 12K whitelist + 2.7K special -> 1,970 unique (main) + 431 unique (special)
Performance: 24 min processing time, 42% peak CPU

Production Status:

  • This is a production-ready version, but please proceed with caution! 🚀

v2.1.0 - Security Hardening & Critical Bug Fixes

11 Mar 23:26

Mikrotik Domain Filter Script v2.1.0

Security hardening, critical bug fixes, and Linux-only simplification.

Breaking Changes

  • Dropped macOS support -- Linux only (Debian 10+, Ubuntu 20.04+)
  • Removed unused GNU parallel dependency; flock (util-linux) is now required
  • Replaced grep -P (PCRE) with grep -E (ERE) for broader Linux compatibility

Security

  • GITHUB_TOKEN no longer exposed in process list (uses temp header file with chmod 600)
  • .env numeric values validated to prevent curl argument injection; zero values rejected
  • GIST_ID format validated (hex, 20-32 chars) to prevent GitHub API path traversal
  • URL scheme validation enforces HTTPS-only; --proto '=https' on all curl calls
  • Lock file moved from world-writable /tmp to WORK_DIR/tmp (prevents symlink attacks)
  • File and directory permissions tightened from 755/644 to owner-only 700/600
  • .env file permissions warning when not restricted to 600/400
  • GitHub Actions actions/checkout pinned to commit SHA (v4.2.2)
  • RouterOS script: entry count limit (5000) to prevent memory exhaustion
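The input checks and token handling listed above, sketched as an added example (not the project's code). Function names, the `hdr.XXXXXX` template and the `Authorization: token` header form are assumptions; `curl -H @file` requires curl 7.55.0 or later:

```shell
# GIST_ID: hex only, 20-32 characters, so "/" or ".." can never reach
# the GitHub API path.
validate_gist_id() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -ge 20 ] && [ "${#1}" -le 32 ]
}

# Numeric .env values: digits only and non-zero, so a value such as
# "5 --output /tmp/x" is rejected before it is placed on a curl command line.
validate_positive_int() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# Source URLs: https scheme only, no embedded whitespace.
validate_https_url() {
    case "$1" in
        *[[:space:]]*) return 1 ;;
        https://?*)    return 0 ;;
        *)             return 1 ;;
    esac
}

# Write the token to an owner-only header file instead of passing
# -H "Authorization: ..." as an argument, which is visible in ps output.
make_auth_header_file() {
    hdr_file=$(mktemp "$2/hdr.XXXXXX") || return 1
    chmod 600 "$hdr_file"
    printf 'Authorization: token %s\n' "$1" > "$hdr_file"
    printf '%s\n' "$hdr_file"
}

# How the pieces combine (network call shown for context, not executed here):
#   hdr=$(make_auth_header_file "$GITHUB_TOKEN" "$WORK_DIR/tmp")
#   curl --proto '=https' -H "@$hdr" "https://api.github.com/gists/$GIST_ID_MAIN"
#   rm -f "$hdr"
```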

Bug Fixes

  • Critical: set -e + ((var++)) causing script abort when counter starts at 0
  • Critical: DNS validation using NS records instead of A records (subdomains were incorrectly rejected)
  • Replaced fragile grep-based JSON parsing with jq in DNS validation
  • grep -v exit code 1 no longer treated as error when whitelist filters all lines
  • Empty update_state.dat no longer causes arithmetic error on first run
  • extract_domains output now properly feeds into initial_filter (Clash-format domains no longer lost)
  • Whitelist regex patterns now escape dots to prevent false matches
  • Predictable temp file names replaced with mktemp XXXXXX
  • cleanup() path matching uses glob instead of regex (safe with special chars)
  • Double cleanup/release_lock on normal exit path removed
  • Duplicate error output to stderr removed
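Three of the fixes above (the `set -e` counter abort, `grep -v` exit status, and dot escaping in whitelist patterns) shown as an added example, not the project's code. Function names are hypothetical, and anchoring whitelist entries on a label boundary is an assumption about the intended matching:

```shell
# Under set -e, ((n++)) with n=0 evaluates to 0, which bash reports as exit
# status 1, so the script aborts on the first increment.
post_increment_survives() {
    bash -c 'set -e; n=0; ((n++)); echo survived' > /dev/null
}

# Arithmetic expansion in an assignment never yields a failing status.
safe_increment_survives() {
    bash -c 'set -e; n=0; n=$((n + 1)); [ "$n" -eq 1 ]'
}

# Build an ERE for one whitelist domain: dots escaped so "." cannot match
# an arbitrary character, anchored so only the domain and its subdomains match.
whitelist_regex() {
    escaped=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '(^|\\.)%s$' "$escaped"
}

# Filter stdin against one whitelist entry. grep -v exits 1 when every line
# was filtered out, which is a valid result; only status >= 2 is an error.
apply_whitelist_entry() {
    re=$(whitelist_regex "$1")
    rc=0
    grep -Ev -- "$re" || rc=$?
    [ "$rc" -le 1 ]
}
```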

Removed

  • Dead DNS_RATE_LIMIT configuration variable
  • Dead functions: handle_cache_error(), save_state(), handle_temp_file(), get_domain_type()
  • ~85 lines of dead code removed

Testing

  • Added bats-core unit tests for validate_domain() (11 tests) and extract_domains() (6 tests)
  • Tests integrated into CI/CD workflow (GitHub Actions)

Installation

git clone https://github.com/smkrv/mikrotik-domain-filter-script.git
cd mikrotik-domain-filter-script
make deps && make setup && make run

Full Changelog

See CHANGELOG.md for complete details.

Full Changelog: v2.0.0...v2.1.0


v2.0.0 - Major Refactoring & Repository Restructure

11 Mar 23:26

🚀 Mikrotik Domain Filter Script v2.0.0

Major refactoring release with improved architecture, security fixes, and better developer experience.

⚠️ Breaking Changes

  • Repository structure reorganized:
    • scripts/mikrotik-domain-filter-bash.sh → bin/mikrotik-domain-filter
    • scripts/*.example → config/*.example
    • scripts/dns-static-updater.rsc → routeros/dns-static-updater.rsc
    • assets/images/ → docs/images/
    • REQUIREMENTS.md → docs/REQUIREMENTS.md
  • License changed from CC BY-NC-SA 4.0 to MIT License

✨ New Features

  • Makefile with convenient commands:
    make setup     # Create work directory with configs
    make run       # Run the script
    make install   # System-wide installation
    make version   # Show version
    make bump-*    # Version management
  • Semantic Versioning via VERSION file
  • CHANGELOG.md for tracking changes
  • .editorconfig for consistent code style across editors
  • Configurable performance settings via environment variables:
    • MAX_PARALLEL_JOBS, DNS_TIMEOUT, DNS_MAX_RETRIES, CACHE_TTL_DAYS

🔧 Improvements

  • Improved parallel DNS checking with atomic file operations
  • Enhanced .env file loading with key validation (whitelist-based)
  • Better error messages and logging throughout
  • Cross-platform stat command support (Linux + macOS)
  • Improved source loading with inline comment handling
  • Public Suffix List handling with validation and fallback

🐛 Bug Fixes

  • Critical: Fixed incorrect path in release_lock() (/proc/$$fd/9 → /proc/$$/fd/9)
  • Critical: Fixed race condition in parallel DNS processing
  • Fixed double negation in check_required_files()
  • Replaced magic numbers with named constants
  • Resolved various ShellCheck warnings

📦 Installation

# Quick start
git clone https://github.com/smkrv/mikrotik-domain-filter-script.git
cd mikrotik-domain-filter-script
make deps && make setup && make run

# System-wide installation
sudo make install

📋 Full Changelog

See CHANGELOG.md for complete details.


v1.0.7

02 Sep 00:12

Version 1.0.7 Release Notes:

  • Make WORK_DIR auto-detectable based on script location
  • Add support for WORK_DIR environment variable override
  • Refactor main() function to eliminate code duplication
  • Replace eval usage with safer array-based command construction
  • Add command-line argument parsing (--help, --version)
  • Improve user experience with detailed help information
  • Enhance security by removing eval usage in cleanup function
  • Create unified process_domain_list() function for better maintainability

All changes maintain backward compatibility while significantly improving
code quality, security, and user experience.


Testing Environment:

  • Bash scripts validated on Ubuntu 22.04 and Debian 12
  • Mikrotik RouterOS script tested on ROS 6.17 Stable and ROS 7.17 Stable

Important Notes:

  • Before deploying to production, test thoroughly with a smaller dataset in your environment
  • Always maintain proper backups before making any changes
  • While the code is production-ready, you're using it at your own risk

Support Policy: Please note that this is a community project - the author doesn't provide individual support or consulting. Feel free to modify the code according to the license terms, but make sure to test your changes thoroughly.

⚠️ Remember: Test first, backup always, deploy confidently! 🛡️

Full Changelog: v1.0.6...v1.0.7

v1.0.6

02 Feb 23:51

Version 1.0.6 Release Notes:

Improvements:

  • Enhanced and upgraded filtration mechanisms

Full Changelog: v1.0.5...v1.0.6


v1.0.5

31 Jan 23:42

Version 1.0.5 Release Notes:

Improvements:

  • Enhanced MD5 source validation for more reliable change detection
  • Upgraded filtration mechanisms
  • Fixed ShellCheck errors

Full Changelog: v1.0.4...v1.0.5


v1.0.4

31 Jan 08:41

Version 1.0.4 Release Notes:

Improvements:

  • Improved Clash list filtering

Full Changelog: v1.0.3...v1.0.4


v1.0.3

31 Jan 00:24

Version 1.0.3 Release Notes:

Improvements:

  • Improved Clash list filtering
  • Improved domain processing
  • Improved whitelist handling
  • Enhanced MD5 source validation for more reliable change detection
  • Upgraded logging mechanisms

Full Changelog: v1.0.2...v1.0.3


v1.0.2

29 Jan 14:01

Version 1.0.2 Release Notes:

BREAKING CHANGES:

  • Removed external gist update scripts (update_gist.sh and update_gist_special.sh)
  • Added direct GitHub Gist API integration

Features:

  • Added built-in GitHub Gist update functionality
  • Added support for environment variables via .env file
  • Added new configuration options for GitHub Gist integration:
    • EXPORT_GISTS - enables/disables Gist updates (default: false)
    • GITHUB_TOKEN - GitHub Personal Access Token
    • GIST_ID_MAIN - Gist ID for main domain list
    • GIST_ID_SPECIAL - Gist ID for special domain list

Improvements:

  • Reduced dependencies by removing external scripts
  • Added proper error handling for Gist updates
  • Added detailed logging for Gist operations
  • Added support for both hardcoded and environment variables
  • Improved security by supporting .env file for sensitive data

Configuration:
Variables can be set either in .env file or as environment variables:

EXPORT_GISTS=true
GITHUB_TOKEN="your-github-token"
GIST_ID_MAIN="your-main-gist-id"
GIST_ID_SPECIAL="your-special-gist-id"

Technical details:

  • All changes comply with ShellCheck
  • Maintains existing code style and logging format
  • Added proper error handling and validation
  • Improved security by supporting environment variables
  • Added checks for required additional tools (jq)

Migration guide:

  1. Remove external update_gist.sh and update_gist_special.sh scripts
  2. Create .env file with required GitHub configuration
  3. Set EXPORT_GISTS=true to enable Gist updates
  4. Ensure curl and jq are installed

Full Changelog: v1.0.1...v1.0.2

v1.0.1

23 Jan 13:29

Version 1.0.1 Release Notes:

Major Changes:

1. process_domains() Function Improvements:

  • Enhanced domain processing logic
  • Fixed ShellCheck compliance issues
  • Added proper validation checks

2. File Handling Enhancement:

  • Added file existence checks in apply_whitelist() and load_lists() functions
  • Implemented proper error messages for missing files
  • Added script termination on critical errors

3. Error Handling Improvements:

  • Added comprehensive error messages
  • Implemented graceful exit on failures
  • Improved script reliability

4. Technical Improvements:

  • Added input validation
  • Enhanced error reporting
  • Fixed ShellCheck warnings
  • Improved code documentation

These changes make the script more robust and reliable by preventing errors
related to missing files and improving overall error handling.


Full Changelog: v1.0.0...v1.0.1