From: jon
Message-Id: <02C0C954-80A6-4090-9056-EA114E8CB36B@ipfire.org>
Subject: Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
Date: Mon, 10 Mar 2025 12:47:58 -0500
In-Reply-To: <664b8eb1-7607-4d7c-ad0d-1f1e370dce4c@ipfire.org>
Cc: "IPFire: Development-List"
To: Adolf Belka
References: <20250206163522.2363178-1-jon.murphy@ipfire.org> <66701a67-cdf8-423b-ad4b-e9e44d598f1c@ipfire.org> <3BF29525-C9F4-4FD2-834D-FBE791E99E8C@ipfire.org> <664b8eb1-7607-4d7c-ad0d-1f1e370dce4c@ipfire.org>

Draft version: https://www.ipfire.org/docs/roadmap/rpz

> On Mar 2, 2025, at 4:51 AM, Adolf Belka wrote:
>
> Hi Jon,
>
> On 01/03/2025 23:22, jon wrote:
>> No thank you. I pass.
>
> Okay.
>
> You should definitely look at putting together an entry for the Roadmap as outlined by Michael. There is a template page you can use to put together an initial entry which can then be used for further discussions in the dev mailing list.
>
> Best regards,
>
> Adolf.
>
>> Jon
>>> On Mar 1, 2025, at 4:18 AM, Adolf Belka wrote:
>>>
>>> Hi Jon,
>>>
>>> Would you like to have this topic added to the agenda for the next Dev Conf Call scheduled for 10th March?
>>>
>>> The time of the conf call is 8:00 to 10:00pm Central European Time.
>>>
>>> Best regards,
>>>
>>> Adolf.
>>>
>>>
>>> On 14/02/2025 13:07, Michael Tremer wrote:
>>>> Hello Jon,
>>>>
>>>> It very much depends on the kind of contribution. A one-line patch obviously has fewer strings attached to it than a larger patch set like this.
>>>>
>>>> However, we have outlined the process in the wiki already, starting from here:
>>>>
>>>> https://www.ipfire.org/docs/devel/submit-patches
>>>>
>>>> This contains some useful pointers about the how (how do I actually make my changes happen, how do I build IPFire, etc), and at the bottom it contains a lot of information about the format the changes should be submitted; split into smaller chunks that are ideally as independent from each other so that they can be individually reviewed and merged. Usually a development process takes long time and we have already shipped parts of code that we will need for certain features that are not ready yet. This is a good practice to let code mature, especially when it is touching rather critical bits like the firewall and networking stacks.
>>>>
>>>> There are also some guidelines on how to write a good commit message and how to use Git tags:
>>>>
>>>> https://www.ipfire.org/docs/devel/git/commit-messages
>>>> https://www.ipfire.org/docs/devel/git/tags
>>>>
>>>> Then there is something about how to get in touch with the right person and legal stuff:
>>>>
>>>> https://www.ipfire.org/docs/devel/contact
>>>> https://www.ipfire.org/docs/legal/ipca
>>>>
>>>> Finally, we have a bit of an underused roadmap section on the wiki.
>>>> It would be nice if we could use that a little bit more because then it would be easier for everyone to keep track of progress on certain features; people could see what is being worked on and see if they can help development and testing and so on:
>>>>
>>>> https://www.ipfire.org/docs/roadmap
>>>>
>>>> There is a template on how to create new pages:
>>>>
>>>> https://www.ipfire.org/docs/roadmap/template
>>>>
>>>> And this is a good example of what this could look like:
>>>>
>>>> https://www.ipfire.org/docs/roadmap/openvpn-26
>>>>
>>>> All of these steps are coming *after* there has been some initial discussion about what actually has a chance to become part of the distribution. For that, we do not have any specific guidelines because it is not very trivial to write these things. There are just too many possibilities. In the past, there has also been very little need for this, but that does not mean that there have not been problems before.
>>>>
>>>> The reason why I am raising the bar this high here is simply that we have made mistakes in the past that we don’t want to repeat. We have learned a couple of lessons in a not very pleasant way and I under no circumstances would want to do this again. The objective is that we want to provide an excellent distribution. Although IPFire of course has its shortcomings here and there, it is a very stable distribution and we have a very good track record that I want to keep. This is what our users deserve.
>>>>
>>>> In the past, people have “dropped” their patches on this list (or sometimes elsewhere) and we were left with dealing with the entire integration only to find out later what problems there were hidden in the code. The original author(s) had no interest in fixing any of that because it worked just fine for them, and so why spend any time on the problems of somebody else?
>>>> Usually I am the fallback for this and I simply don’t want to be that. I have lots of my own projects inside IPFire that are moving at snail speed because fixing existing code usually takes priority over writing new code.
>>>>
>>>> Therefore we need a commitment to sort out these problems in the first place. It has to be proven that people actually *care* about the patches that they post here. I am not sure this needs writing down as this should be the same policy with almost any open source project. If you contribute a line, there is probably less maintenance required in the future, but if you contribute a large code base, then you will need to look after it for the foreseeable future. It is your feature and not mine after all.
>>>>
>>>> Then, what actually has a chance to make it into the distribution? Probably not a lot. IPFire has a very clear use case. There will not be any space for a desktop environment and running Chrome on it, we also don’t it to make coffee and cook me a dinner. We would currently only accept things that were actually maintainable by the current team in case a contributor moves on (see above), because we simply only have so much man power. We already have a large zoo of features that are very abandoned and we are potentially looking at getting rid of more things simply because we cannot support them properly. Time just doesn’t permit. Adding something large is therefore very difficult at the moment.
>>>>
>>>> I understand that in this specific case you have been trying to not involve the development team and I understand your motivation. But you cannot forget about how much time and effort a review process can take. Therefore we want to plan things well; we want to even split it; and we want to have a conversation in advance so that the roadmap is clear and the actual code review ideally only becomes a formality.
>>>>
>>>> All of this above has been for a general case. Please read through this and feel free to ask any questions if something isn’t clear.
>>>>
>>>> To move forward with this feature, we should start by planning a roadmap. We need to discuss what this project should cover and what it should not cover. I believe we don’t need to talk much about implementation details because you have figured out a lot of them; we need to find what feature we want to provide to our users. Are you up for that?
>>>>
>>>> Best,
>>>> -Michael
>>>>
>>>>> On 13 Feb 2025, at 21:34, jon wrote:
>>>>>
>>>>> Michael,
>>>>>
>>>>> I’ve read through your comments a few times and I ended up with many more questions.
>>>>>
>>>>>
>>>>>> What I rather mean is that it has never been added as a topic on the agenda and it has not been pitched by yourself.
>>>>>
>>>>> To me the efforts to get new code accepted seem to have changed and it seemed easier in the past. In the past I made the Core Team aware via the Dev Mailing List and wrote a simple two or three paragraphs of "What is it? / What is the value? / Here is the code"
>>>>>
>>>>>
>>>>> So in an effort to move forward: How exactly is something presented to the Core Team?
>>>>>
>>>>> Is there an example of a recent effort that was presented that I can see as a sample? (This type of info can also be added to the Wiki)
>>>>>
>>>>> I understand you want it this way, but I don’t know what exactly is needed. Please be specific.
>>>>>
>>>>>
>>>>> Jon
>>>>>
>>>>> PS - I am not ignoring your other comments, I am just trying to move forward and keep things simple.
>>>>>
>>>>>
>>>>>
>>>>>> On Feb 8, 2025, at 1:27 PM, Michael Tremer wrote:
>>>>>>
>>>>>> Hello Jon,
>>>>>>
>>>>>> Thanks for your reply. And good that you are copying everyone into this conversation.
>>>>>>
>>>>>>> On 8 Feb 2025, at 18:41, jon wrote:
>>>>>>>
>>>>>>> Michael,
>>>>>>>
>>>>>>>> I think I have covered this all at lengths before that this project has been started as a separate effort
>>>>>>> Yes, this has been a separate effort (a very public separate effort). Yes, as you pointed this out early on with the "proof-of-concept" and then my request for people to help test RPZ. Nothing was hidden.
>>>>>>>
>>>>>>> This was done because you (and maybe others) did not have the time and I wanted to help and because I needed assistance with RPZ. I tried my best to do this without bothering you.
>>>>>> I don’t that it is accurate that nobody wanted to help on this. The list was always open - although not every email has been replied to swiftly it is also your responsibility to raise a question again if it was missed. People here have open ears.
>>>>>>
>>>>>> It was also stated on this very list on in our documentation that working on something without involving the core team is a risky undertaking. Of course IPFire is free software and so everyone is free to fork if they wish to do so.
>>>>>>
>>>>>>>> and as far as I am aware none of the other team members has been involved. This has not been discussed either on this list, on our calls.
>>>>>>> You were aware many steps along the way. See your email on July 28, 2024, August 15, 2024, September 30, 2024, December 23, 2024, and January 16. My attempts to get the team involved were met with "things are busy" and sometimes silence. (Yes, I get it, people are busy.)
>>>>>>>
>>>>>>> You and Adolf, Leo, Erik and Bernhard have been aware since the beginning. You mention you were aware of the "proof-of-concept". If you include those beginning posts, since Sep 2023.
>>>>>> Yes, I am aware of a proof-of-concept that I have been running myself for a long time. I am also aware of the efforts that you have been taking.
>>>>>>
>>>>>> Yet I don’t think there has ever been any joint effort, or am I seeing that wrong?
>>>>>>
>>>>>>>> This has not been discussed . . . on our calls.
>>>>>>> On the July 28th you stated:
>>>>>>> "We have talked about RPZ many times on the monthly call since the URL filter feature is falling more and more out of fashion. I think there is also many posts about this on the forum."
>>>>>>>
>>>>>>> Please don’t insult me again by stating "you know what I mean".
>>>>>>>
>>>>>>> And it has been discussed but not documented in the Monthly Meeting notes.
>>>>>> I am not at all insulting you. I don’t want to take this down to a personal level at all. This is a public mailing list and people who read this don’t need to listen to an argument we are having. They are here for the tech inside IPFire.
>>>>>>
>>>>>> When I wrote that it has not been discussed that does not mean that we have not been touching on the topic. We have been talking about lots of things on the calls, the weather, politics, how our pets are. None of that makes it to the logs. What I rather mean is that it has never been added as a topic on the agenda and it has not been pitched by yourself.
>>>>>>
>>>>>>>> Instead there has been a separate conversation on the forum with the occasional dip here to the list. But that was not a regular two-way conversation.
>>>>>>> Regular conversation on the Dev Mailing list is many times met with silence. I get it, people are busy.
>>>>>>>
>>>>>>> And regular two-way conversation doesn’t happen on the list. At least not with me. I’d be happy to point out the posts that were met with silence.
>>>>>>> Again, I get it, people are busy.
>>>>>> And you think my emails are not being met with silence? This has nothing to do with this specific topic. This has something to do with how occupied people are and how engaged they are on certain topics.
>>>>>> Not everyone is involved in all the things and simply will ignore emails simply based on their subject line.
>>>>>>
>>>>>>> But the "dip here to the list" were my attempts to get a conversation started. As I said, many times met with silence.
>>>>>>>
>>>>>>> The only place I was not met with silence was on the Community. You have a great group of people in the Community. It is a shame you don’t want to have others help. It would reduce your workload.
>>>>>> You should stop making statements that are not true. Who doesn’t want anyone to help?
>>>>>>
>>>>>> Not having this conversation on a Saturday evening would reduce my workload. At least it would free up time for something else. Helping with the things that are already on the go would reduce the workload of the entire team. Starting one thing at a time and finishing it is a lot better to manage than starting a hundred things and not even finish one. I can tell you that I already have a hundred things on the go.
>>>>>>
>>>>>>>> Therefore, what am I supposed to do with this email?
>>>>>>> To me it is beyond obvious…
>>>>>>>
>>>>>>> If it isn’t what you want, then guide me with how to do this the correct way. And be specific. I am trying to help. I am trying to make things better. I am trying to do things the right way.
>>>>>> To me it isn’t. This is yet another project that has been dumped to the list like so many before and later on everyone has left to have the team deal with the rest.
>>>>>>
>>>>>> It is a huge patch set. You explained what the vision is, but that is about it. There is no chance this will continue if this disagreement isn’t solved first. I didn’t even look at the code.
>>>>>>
>>>>>>>> I don’t want to merge code that I don’t agree with.
>>>>>>> I asked multiple times if you "agreed with the concept" and again, met with silence. Yes I get it, people are busy.
>>>>>> Having support for RPZ? Yes, it was definitely on the roadmap. That I agree with.
>>>>>>
>>>>>>>> So many fundamental things that I have been raising have either not been discussed or outright dismissed.
>>>>>>> You mentioned this in the past, but for some reason you do not disclose what I dismissed. Why do you continue to make this harder, wouldn’t it not be easier to tell me what I have dismissed?
>>>>>>>
>>>>>>> I have sent multiple emails trying to answer your concerns and comments. On July 28, Aug 14, Aug 22, Aug 23, Sep 30, etc.
>>>>>>>
>>>>>>> I’ve gone through all of the questions you asked and I cannot find a "dismissed" item.
>>>>>> Maybe I need to be *more clear*. I feel humoured by this.
>>>>>>
>>>>>> It is late on a Saturday and I want my dinner soon, but certainly I have stated that this should never be an add-on considering it is supposed to replace URL Filter. We should never allow people to add their own sources. I have also stated that we cannot download any lists over HTTPS again and again and again. The implementation that we have here seems to exactly do that and therefore I think that my feedback has been dismissed entirely.
>>>>>>
>>>>>>>> I don’t want to merge code that has no future inside IPFire as there is no constructive conversation with the maintainers of it.
>>>>>>> The maintainers of Unbound and/or RPZ?
>>>>>>>
>>>>>>> The maintainers of Hagezi list, the threatfox list, the urlhaus list, etc.?
>>>>>>>
>>>>>>> What else? The maintainers or the RPZ scripts? That is me. Let’s talk!
>>>>>> You. I don’t care much about the providers of the lists.
>>>>>>
>>>>>>> See, this is where it gets confusing. There are hundreds of open source packages as part of IPFire. Pick the last five years of items added to the IPFire build. You're telling me you have "constructive conversation with the maintainers" of all of the added packages?
>>>>>> They publish their software and they don’t care whether I am pulling it or not. They publish it with the commitment to maintain it - sometimes for better and sometimes for worse.
>>>>>>
>>>>>> You care about me pulling your code and I don’t know whether you would commit to maintain this.
>>>>>>
>>>>>> These two are very different cases.
>>>>>>
>>>>>>> Pick the IP Blocklists list (i.e., 3CORESEC, ABUSECH, DSHIELD, SPAMHAUS, etc.) or the Suricata lists (i.e., Emergingthreats.net, Abuse.ch, etc.). So you’ve had "constructive conversation with the maintainers"?
>>>>>> Yes, occasionally I have phone calls with a few of these providers.
>>>>>>
>>>>>>>> Having been trying for a long time to make you aware of this, nothing of this should come as a surprise.
>>>>>>> Ha! Yes a surprise. In the beginning you seemed interested as IPFire needed a replacement for URL Filter. You asked good questions about the lists picked, asked for the value to the users, etc. And I answered the best I could.
>>>>>>>
>>>>>>> You even asked: “Why is this realised as an add-on and not part of the core system?” from your Jul 28, 2024 email.
>>>>>> Ah, so, why is the patch creating an add-on? Not that I am saying that what I say is law, but it has not been challenged either. If my input is being ignored, why should I put this to the top of my list of priorities? I am not disappointed about this, just trying to be very good with my time.
>>>>>>
>>>>>>> And on January 16, 2025 I wrote a message looking for help. And you were kind to respond quickly. So in three weeks time, since the kind response, something has changed. You went from supportive to "this".
>>>>>>>
>>>>>>> So yes, I am surprised.
>>>>>> Well, maybe I should not have replied to that email. It was clear that you were on some path that was not right, but you were not interested before in finding the right path from the beginning.
>>>>>>
>>>>>>>> Please consider if that can be changed and if there is a path forward with this.
>>>>>>> Be more specific, what has to change? What exactly did I dismiss?
>>>>>> Dismissal is just my assumption. I don’t know what you actually did with my feedback. I can only see the end product that does not seem to contain much of it. Repeatedly I have been pointing out that we should think before we build. I am sure a lot of hours have now gone into some code that simply does not satisfy me. And I am not not talking about the code itself, what it does is what I don’t think is right for us.
>>>>>>
>>>>>> The process is very clear for me that we should first of all think whether we want a certain feature now. Then there should be a clear roadmap for everyone to follow; tasks can be split-up as we go and hopefully then have something that is maintainable, interesting for our users and even would do us proud. This is how this should work.
>>>>>>
>>>>>> So, what has to change? I don’t think with shouting at each other, throwing patches around and making me generally unhappy is a good start.
>>>>>>
>>>>>> -Michael
>>>>>>
>>>>>>> Jon
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> On Feb 6, 2025, at 2:13 PM, Michael Tremer wrote:
>>>>>>>>
>>>>>>>> Hello Jon,
>>>>>>>>
>>>>>>>> Well, here we are again with another patch regarding this feature.
>>>>>>>>
>>>>>>>> I cannot quite see from your email what the question is, but if this is a request to have this merged into IPFire, I am once again sorry to disappoint you.
>>>>>>>>
>>>>>>>> I think I have covered this all at lengths before that this project has been started as a separate effort and as far as I am aware none of the other team members has been involved. This has not been discussed either on this list, on our calls. Instead there has been a separate conversation on the forum with the occasional dip here to the list.
>>>>>>>> But that was not a regular two-way conversation. Therefore, what am I supposed to do with this email?
>>>>>>>>
>>>>>>>> I don’t want to merge code that I don’t agree with. So many fundamental things that I have been raising have either not been discussed or outright dismissed.
>>>>>>>>
>>>>>>>> I don’t want to merge code that has no future inside IPFire as there is no constructive conversation with the maintainers of it.
>>>>>>>>
>>>>>>>> Having been trying for a long time to make you aware of this, nothing of this should come as a surprise.
>>>>>>>>
>>>>>>>> Please consider if that can be changed and if there is a path forward with this.
>>>>>>>>
>>>>>>>> All the best,
>>>>>>>> -Michael
>>>>>>>>
>>>>>>>>> On 6 Feb 2025, at 16:35, Jon Murphy wrote:
>>>>>>>>>
>>>>>>>>> What is it?
>>>>>>>>> Response Policy Zone (RPZ) is a mechanism to define local policies in a
>>>>>>>>> standardized way and load those policies from external sources.
>>>>>>>>> Bottom line: RPZ allows admins to easily block access to websites via DNS lookup.
>>>>>>>>>
>>>>>>>>> RPZ can block websites via categories. Examples include: fake websites, annoying
>>>>>>>>> pop-up ads, newly registered domains, DoH bypass sites, bad "host" services,
>>>>>>>>> malicious top level domains (e.g., *.zip, *.mov), piracy, gambling, pornography,
>>>>>>>>> and more. RPZ lists come from various RPZ providers and their available
>>>>>>>>> categories.
>>>>>>>>>
>>>>>>>>> This RPZ add-on enables the RPZ functionality by adding a couple lines in a
>>>>>>>>> configuration file. This add-on simply adds configuration files and adds
>>>>>>>>> scripts (config, metrics and sleep) to make RPZ easier for the admin to use.
>>>>>>>>>
>>>>>>>>> The RPZ scripts include additional languages: German, Spanish, French, Turkish,
>>>>>>>>> and Italian.
>>>>>>>>>
>>>>>>>>> RPZ itself was released in 2010 and has been part of the IPFire build since ~2015.
>>>>>>>>>
>>>>>>>>> Why is it needed? What is its value?
>>>>>>>>>
>>>>>>>>> - The RPZ concept places this filtering into IPFire, our internet access
>>>>>>>>> gateway, which is (should be) solely used as DNS source of the internal network.
>>>>>>>>>
>>>>>>>>> - As most sites use HTTPS it makes it difficult to filter traffic with URL
>>>>>>>>> Filter without also properly configuring conventional (non-transparent)
>>>>>>>>> mode on the proxy. RPZ is a nice replacement for the URL Filter.
>>>>>>>>>
>>>>>>>>> - No need to install and maintain an additional device like PiHole or AdBlock
>>>>>>>>> browser extensions on multiple user devices.
>>>>>>>>>
>>>>>>>>> - This is an additional layer of protection for users. Less worry someone will
>>>>>>>>> click on something that gets them into trouble. And, saying this with emphasis,
>>>>>>>>> the ability to do it in one place!
>>>>>>>>>
>>>>>>>>> - Blocked sites save on unneeded traffic and can lessen the threat of malware
>>>>>>>>> in advertisements
>>>>>>>>>
>>>>>>>>> - Logging allows the admin to see the site blocked and take actions
>>>>>>>>>
>>>>>>>>> - RPZ will be used at the home, home-office (work from home), schools,
>>>>>>>>> ministerial, and at the office. Device counts are small (2-6) to medium (~80)
>>>>>>>>> to medium-large (200+).
>>>>>>>>>
>>>>>>>>> - RPZ can block ads, popups, phishing, scammers, spyware, malware, annoying
>>>>>>>>> popups, NSFW links, DOH servers, and the usual internet trash.
>>>>>>>>>
>>>>>>>>> ------------------------------
>>>>>>>>>
>>>>>>>>> Change Log for RPZ add-on
>>>>>>>>>
>>>>>>>>> rpz-1.0.0-18 on 2025-02-05
>>>>>>>>> - Build for approval & release as IPFire add-on
>>>>>>>>>
>>>>>>>>> ---
>>>>>>>>>
>>>>>>>>> rpz-beta-0.1.18-18.ipfire on 2025-02-01
>>>>>>>>> rpz.cgi:
>>>>>>>>> - new feature: added a mod key to force an unbound restart
>>>>>>>>>
>>>>>>>>> rpz-config and rpz-make:
>>>>>>>>> - new feature: added action for unbound restart `rpz-config unbound-restart`
>>>>>>>>>
>>>>>>>>> rpz-metrics:
>>>>>>>>> - simple reformatting
>>>>>>>>> - rename far right column from "last update" to "last download"
>>>>>>>>>
>>>>>>>>> ---
>>>>>>>>>
>>>>>>>>> rpz-beta-0.1.17-17.ipfire on 2024-12-09
>>>>>>>>> rpz-make
>>>>>>>>> - bug fix: corrected validation regex for wildcards like: `*.domain.com`
>>>>>>>>>
>>>>>>>>> ---
>>>>>>>>>
>>>>>>>>> rpz-beta-0.1.16-16.ipfire on 2024-11-18
>>>>>>>>> rpz-make
>>>>>>>>> - new feature: updated validation regex
>>>>>>>>> - bug fix: moved validation to beginning of process. Now we validate before
>>>>>>>>> creating config files.
>>>>>>>>>
>>>>>>>>> rpz.cgi:
>>>>>>>>> - new feature: use CSS color variables of the main ipfire theme
>>>>>>>>> - bug fix: empty zonefile remarks were stored as “undef” and caused a warning
>>>>>>>>> - bug fix: HTML textarea removes the first empty line in a custom list
>>>>>>>>> - thank you Leo!
>>>>>>>>>
>>>>>>>>> ---
>>>>>>>>>
>>>>>>>>> rpz-beta-0.1.15-15.ipfire on 2024-11-04
>>>>>>>>> rpz.cgi:
>>>>>>>>> - new feature: added new language file for Turkish (thank you Peppe)
>>>>>>>>>
>>>>>>>>> rpz-make
>>>>>>>>> - bug fix: corrected empty allow/block list issue. An empty allow/block list
>>>>>>>>> will now remove contents of allow/block.rpz files and remove unneeded
>>>>>>>>> allow/block.conf file.
>>>>>>>>> (thank you iptom)
>>>>>>>>>
>>>>>>>>> ---
>>>>>>>>>
>>>>>>>>> rpz-beta-0.1.14-14.ipfire on 2024-10-29
>>>>>>>>> rpz-config:
>>>>>>>>> - bug fix: correct missing rpz extension. `rpz-config list` displayed URL
>>>>>>>>> incorrectly (thank you Bernhard)
>>>>>>>>>
>>>>>>>>> rpz.cgi:
>>>>>>>>> - bug fix: remove extra `"` in language files (thank you Bernhard)
>>>>>>>>> - new feature: slightly dim "apply" button when not enabled
>>>>>>>>>
>>>>>>>>> ---
>>>>>>>>>
>>>>>>>>> rpz-beta-0.1.13-13.ipfire on 2024-10-27
>>>>>>>>> - skipped
>>>>>>>>>
>>>>>>>>> ---
>>>>>>>>>
>>>>>>>>> rpz-beta-0.1.12-12.ipfire on 2024-10-21
>>>>>>>>> rpz.cgi:
>>>>>>>>> - new feature: added new language file for French (thank you gw-ipfire)
>>>>>>>>>
>>>>>>>>> ---
>>>>>>>>>
>>>>>>>>> rpz-beta-0.1.11-11.ipfire on 2024-10-18
>>>>>>>>> rpz.cgi:
>>>>>>>>> - new feature: added new language file for Italian (thank you umberto)
>>>>>>>>> - new feature: added new language file for Spanish (thank you Roberto)
>>>>>>>>>
>>>>>>>>> ---
>>>>>>>>>
>>>>>>>>> rpz-beta-0.1.10-10.ipfire on 2024-10-15
>>>>>>>>> rpz-make:
>>>>>>>>> - bug fix: corrected validation error for a custom list entry (thank you siosios)
>>>>>>>>> - e.g., `*.cloudflare-dns.com`
>>>>>>>>>
>>>>>>>>> install.sh:
>>>>>>>>> - bug fix: add chown to correct user created files
>>>>>>>>>
>>>>>>>>> update.sh:
>>>>>>>>> - bug fix: add chown to correct user created files (thank you siosios)
>>>>>>>>>
>>>>>>>>> ---
>>>>>>>>>
>>>>>>>>> rpz-beta-0.1.9-9.ipfire on 2024-10-08
>>>>>>>>> rpz.cgi:
>>>>>>>>> - new feature: added new language file for German (thank you Leo)
>>>>>>>>> - bug fix: add missing "rpz exitcode 110"
>>>>>>>>> - bug fix: corrected missing RPZ menu item at menu > IPFire
>>>>>>>>>
>>>>>>>>> ---
>>>>>>>>>
>>>>>>>>> rpz-beta-0.1.8-8.ipfire on 2024-10-04
>>>>>>>>> - skipped
>>>>>>>>>
>>>>>>>>> ---
>>>>>>>>>
>>>>>>>>> rpz-beta-0.1.7-7.ipfire on 2024-10-03
>>>>>>>>> All:
>>>>>>>>> - new feature: includes beta version numbers for pakfire package,
>>>>>>>>> instead of only `rpz-1.0.0-1.ipfire`, for each release.
>>>>>>>>>
>>>>>>>>> rpz.cgi:
>>>>>>>>> - new feature: added new WebGUI at `rpz.cgi`
>>>>>>>>> - a BIG thank you to Leo Hofmann for all of his work creating the webgui!!
>>>>>>>>> - bug fix: corrected missing RPZ menu item at menu > IPFire
>>>>>>>>>
>>>>>>>>> rpz-make:
>>>>>>>>> - new feature: validate entries in allowlist and blocklist
>>>>>>>>> - new feature: add "no-reload" option for WebGUI
>>>>>>>>>
>>>>>>>>> rpz-metrics:
>>>>>>>>> - new feature: info can be sorted by name, by hit count, by line count, by
>>>>>>>>> "enabled" list or all lists
>>>>>>>>>
>>>>>>>>> backups:
>>>>>>>>> - bug fix: include all files in `/var/ipfire/dns/rpz` directory in backup
>>>>>>>>>
>>>>>>>>> update.sh:
>>>>>>>>> - bug fix: corrected ownership for `/var/ipfire/dns/rpz` directory during an
>>>>>>>>> update
>>>>>>>>>
>>>>>>>>> Build:
>>>>>>>>> - bug fix: `block.rpz.conf` and `block.rpz` from build. Files to be created
>>>>>>>>> by `rpz-make`
>>>>>>>>>
>>>>>>>>> WebGUI and German language file
>>>>>>>>> Contribution-by: Leo-Andres Hofmann
>>>>>>>>>
>>>>>>>>> Spanish language file
>>>>>>>>> Contribution-by: Roberto Peña
>>>>>>>>>
>>>>>>>>> Italian language file
>>>>>>>>> Contribution-by: Umberto Parma
>>>>>>>>>
>>>>>>>>> French language file
>>>>>>>>> Contribution-by: gw-ipfire
>>>>>>>>>
>>>>>>>>> Turkish language file
>>>>>>>>> Contribution-by: Peppe Tech
>>>>>>>>>
>>>>>>>>> Contribution-by: Bernhard Bitsch
>>>>>>>>> Contribution-by: Erik Kapfer
>>>>>>>>> Signed-off-by: Jon Murphy
>>>>>>>> ---
>>>>>>>>> config/backup/includes/rpz | 4 +
>>>>>>>>> config/cfgroot/manualpages | 1 +
>>>>>>>>> config/menu/EX-rpz.menu | 6 +
>>>>>>>>> config/rootfiles/common/configroot | 1 +
>>>>>>>>> config/rootfiles/common/web-user-interface | 1 +
>>>>>>>>> config/rootfiles/packages/rpz | 20 +
>>>>>>>>> config/rpz/00-rpz.conf | 10 +
>>>>>>>>> config/rpz/rpz-config | 130 +++
>>>>>>>>> config/rpz/rpz-functions | 85 ++
>>>>>>>>> config/rpz/rpz-make | 203 +++++
>>>>>>>>> config/rpz/rpz-metrics | 170 ++++
>>>>>>>>> config/rpz/rpz-sleep | 58 ++
>>>>>>>>> config/rpz/rpz.de.pl | 30 +
>>>>>>>>> config/rpz/rpz.en.pl | 30 +
>>>>>>>>> config/rpz/rpz.es.pl | 30 +
>>>>>>>>> config/rpz/rpz.fr.pl | 30 +
>>>>>>>>> config/rpz/rpz.it.pl | 30 +
>>>>>>>>> config/rpz/rpz.tr.pl | 30 +
>>>>>>>>> html/cgi-bin/rpz.cgi | 923 +++++++++++++++++++++
>>>>>>>>> lfs/rpz | 96 +++
>>>>>>>>> make.sh | 3 +-
>>>>>>>>> src/paks/rpz/install.sh | 36 +
>>>>>>>>> src/paks/rpz/uninstall.sh | 38 +
>>>>>>>>> src/paks/rpz/update.sh | 52 ++
>>>>>>>>> 24 files changed, 2016 insertions(+), 1 deletion(-)
>>>>>>>>> create mode 100644 config/backup/includes/rpz
>>>>>>>>> create mode 100644 config/menu/EX-rpz.menu
>>>>>>>>> create mode 100644 config/rootfiles/packages/rpz
>>>>>>>>> create mode 100644 config/rpz/00-rpz.conf
>>>>>>>>> create mode 100644 config/rpz/rpz-config
>>>>>>>>> create mode 100644 config/rpz/rpz-functions
>>>>>>>>> create mode 100644 config/rpz/rpz-make
>>>>>>>>> create mode 100755 config/rpz/rpz-metrics
>>>>>>>>> create mode 100755 config/rpz/rpz-sleep
>>>>>>>>> create mode 100644 config/rpz/rpz.de.pl
>>>>>>>>> create mode 100644 config/rpz/rpz.en.pl
>>>>>>>>> create mode 100644 config/rpz/rpz.es.pl
>>>>>>>>> create mode 100644 config/rpz/rpz.fr.pl
>>>>>>>>> create mode 100644 config/rpz/rpz.it.pl
>>>>>>>>> create mode 100644 config/rpz/rpz.tr.pl
>>>>>>>>> create mode 100644 html/cgi-bin/rpz.cgi
>>>>>>>>> create mode 100644 lfs/rpz
>>>>>>>>> create mode
100644 src/paks/rpz/install.sh >>>>>>>>> create mode 100644 src/paks/rpz/uninstall.sh >>>>>>>>> create mode 100644 src/paks/rpz/update.sh >>>>>>>>>=20 >>>>>>>>> diff --git a/config/backup/includes/rpz = b/config/backup/includes/rpz >>>>>>>>> new file mode 100644 >>>>>>>>> index 000000000..36513e494 >>>>>>>>> --- /dev/null >>>>>>>>> +++ b/config/backup/includes/rpz >>>>>>>>> @@ -0,0 +1,4 @@ >>>>>>>>> +/var/ipfire/dns/rpz/* >>>>>>>>> +/etc/unbound/zonefiles/allow.rpz >>>>>>>>> +/etc/unbound/zonefiles/block.rpz >>>>>>>>> +/etc/unbound/local.d/*rpz.conf >>>>>>>>> diff --git a/config/cfgroot/manualpages = b/config/cfgroot/manualpages >>>>>>>>> index 1f7e01efc..d3a48c633 100644 >>>>>>>>> --- a/config/cfgroot/manualpages >>>>>>>>> +++ b/config/cfgroot/manualpages >>>>>>>>> @@ -70,6 +70,7 @@ pakfire.cgi=3Dconfiguration/ipfire/pakfire >>>>>>>>> wlanap.cgi=3Daddons/wireless >>>>>>>>> tor.cgi=3Daddons/tor >>>>>>>>> samba.cgi=3Daddons/samba >>>>>>>>> +rpz.cgi=3Daddons/rpz >>>>>>>>>=20 >>>>>>>>> # Logs menu >>>>>>>>> logs.cgi/summary.dat=3Dconfiguration/logs/summary >>>>>>>>> diff --git a/config/menu/EX-rpz.menu b/config/menu/EX-rpz.menu >>>>>>>>> new file mode 100644 >>>>>>>>> index 000000000..2f4daf410 >>>>>>>>> --- /dev/null >>>>>>>>> +++ b/config/menu/EX-rpz.menu >>>>>>>>> @@ -0,0 +1,6 @@ >>>>>>>>> +$subipfire->{'20.rpz'} =3D { >>>>>>>>> + 'caption' =3D> $Lang::tr{'rpz'}, >>>>>>>>> + 'uri' =3D> '/cgi-bin/rpz.cgi', >>>>>>>>> + 'title' =3D> "RPZ", >>>>>>>>> + 'enabled' =3D> 1, >>>>>>>>> +}; >>>>>>>>> diff --git a/config/rootfiles/common/configroot = b/config/rootfiles/common/configroot >>>>>>>>> index 9839eee45..b30d6aae4 100644 >>>>>>>>> --- a/config/rootfiles/common/configroot >>>>>>>>> +++ b/config/rootfiles/common/configroot 
>>>>>>>>> @@ -120,6 +120,7 @@ var/ipfire/menu.d/70-log.menu >>>>>>>>> #var/ipfire/menu.d/EX-apcupsd.menu >>>>>>>>> #var/ipfire/menu.d/EX-guardian.menu >>>>>>>>> #var/ipfire/menu.d/EX-mympd.menu >>>>>>>>> +#var/ipfire/menu.d/EX-rpz.menu >>>>>>>>> #var/ipfire/menu.d/EX-samba.menu >>>>>>>>> #var/ipfire/menu.d/EX-tor.menu >>>>>>>>> #var/ipfire/menu.d/EX-transmission.menu >>>>>>>>> diff --git a/config/rootfiles/common/web-user-interface = b/config/rootfiles/common/web-user-interface >>>>>>>>> index 816241dae..e00464076 100644 >>>>>>>>> --- a/config/rootfiles/common/web-user-interface >>>>>>>>> +++ b/config/rootfiles/common/web-user-interface >>>>>>>>> @@ -69,6 +69,7 @@ srv/web/ipfire/cgi-bin/proxy.cgi >>>>>>>>> srv/web/ipfire/cgi-bin/qos.cgi >>>>>>>>> srv/web/ipfire/cgi-bin/remote.cgi >>>>>>>>> srv/web/ipfire/cgi-bin/routing.cgi >>>>>>>>> +#srv/web/ipfire/cgi-bin/rpz.cgi >>>>>>>>> #srv/web/ipfire/cgi-bin/samba.cgi >>>>>>>>> srv/web/ipfire/cgi-bin/services.cgi >>>>>>>>> srv/web/ipfire/cgi-bin/shutdown.cgi >>>>>>>>> diff --git a/config/rootfiles/packages/rpz = b/config/rootfiles/packages/rpz >>>>>>>>> new file mode 100644 >>>>>>>>> index 000000000..1c8663049 >>>>>>>>> --- /dev/null >>>>>>>>> +++ b/config/rootfiles/packages/rpz 
>>>>>>>>> @@ -0,0 +1,20 @@ >>>>>>>>> +etc/unbound/local.d/00-rpz.conf >>>>>>>>> +etc/unbound/zonefiles >>>>>>>>> +etc/unbound/zonefiles/allow.rpz >>>>>>>>> +usr/sbin/rpz-config >>>>>>>>> +usr/sbin/rpz-functions >>>>>>>>> +usr/sbin/rpz-make >>>>>>>>> +usr/sbin/rpz-metrics >>>>>>>>> +usr/sbin/rpz-sleep >>>>>>>>> +var/ipfire/addon-lang/rpz.de.pl >>>>>>>>> +var/ipfire/addon-lang/rpz.en.pl >>>>>>>>> +var/ipfire/addon-lang/rpz.es.pl >>>>>>>>> +var/ipfire/addon-lang/rpz.fr.pl >>>>>>>>> +var/ipfire/addon-lang/rpz.it.pl >>>>>>>>> +var/ipfire/addon-lang/rpz.tr.pl >>>>>>>>> +var/ipfire/backup/addons/includes/rpz >>>>>>>>> +var/ipfire/dns/rpz >>>>>>>>> +var/ipfire/dns/rpz/allowlist >>>>>>>>> +var/ipfire/dns/rpz/blocklist >>>>>>>>> +var/ipfire/menu.d/EX-rpz.menu >>>>>>>>> +srv/web/ipfire/cgi-bin/rpz.cgi >>>>>>>>> diff --git a/config/rpz/00-rpz.conf b/config/rpz/00-rpz.conf >>>>>>>>> new file mode 100644 >>>>>>>>> index 000000000..f005a4f2e >>>>>>>>> --- /dev/null >>>>>>>>> +++ b/config/rpz/00-rpz.conf >>>>>>>>> @@ -0,0 +1,10 @@ >>>>>>>>> +server: >>>>>>>>> + module-config: "respip validator iterator" >>>>>>>>> + >>>>>>>>> +rpz: >>>>>>>>> + name: allow.rpz >>>>>>>>> + zonefile: /etc/unbound/zonefiles/allow.rpz >>>>>>>>> + rpz-action-override: passthru >>>>>>>>> + rpz-log: yes >>>>>>>>> + rpz-log-name: allow >>>>>>>>> + rpz-signal-nxdomain-ra: yes >>>>>>>>> diff --git a/config/rpz/rpz-config b/config/rpz/rpz-config >>>>>>>>> new file mode 100644 >>>>>>>>> index 000000000..c72d50f9b >>>>>>>>> --- /dev/null >>>>>>>>> +++ b/config/rpz/rpz-config 
>>>>>>>>> @@ -0,0 +1,130 @@ >>>>>>>>> +#!/bin/bash >>>>>>>>> = +#########################################################################= ###### >>>>>>>>> +# = # >>>>>>>>> +# IPFire.org - A linux based firewall = # >>>>>>>>> +# Copyright (C) 2024-2025 IPFire Team = # >>>>>>>>> +# = # >>>>>>>>> +# This program is free software: you can redistribute it = and/or modify # >>>>>>>>> +# it under the terms of the GNU General Public License as = published by # >>>>>>>>> +# the Free Software Foundation, either version 3 of the = License, or # >>>>>>>>> +# (at your option) any later version. = # >>>>>>>>> +# = # >>>>>>>>> +# This program is distributed in the hope that it will be = useful, # >>>>>>>>> +# but WITHOUT ANY WARRANTY; without even the implied = warranty of # >>>>>>>>> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See = the # >>>>>>>>> +# GNU General Public License for more details. = # >>>>>>>>> +# = # >>>>>>>>> +# You should have received a copy of the GNU General Public = License # >>>>>>>>> +# along with this program. If not, see = . 
# >>>>>>>>> +# = # >>>>>>>>> = +#########################################################################= ###### >>>>>>>>> + >>>>>>>>> +version=3D"2025-01-11 - v44" >>>>>>>>> + >>>>>>>>> +############### Functions ############### >>>>>>>>> + >>>>>>>>> +source /usr/sbin/rpz-functions >>>>>>>>> + >>>>>>>>> +############### Main ############### >>>>>>>>> + >>>>>>>>> +tagName=3D"unbound" >>>>>>>>> + >>>>>>>>> +rpzAction=3D"${1}" # input RPZ action >>>>>>>>> +rpzName=3D"${2}" # input RPZ name >>>>>>>>> +rpzURL=3D"${3}" # input RPZ URL >>>>>>>>> +rpzOption1=3D"${4}" # input RPZ option #1 >>>>>>>>> +rpzOption2=3D"${5}" # input RPZ option #2 >>>>>>>>> + >>>>>>>>> +rpzConfig=3D"/etc/unbound/local.d/${rpzName}.rpz.conf" # = output zone conf file >>>>>>>>> +rpzFile=3D"/etc/unbound/zonefiles/${rpzName}.rpz" # = output for RPZ file >>>>>>>>> + >>>>>>>>> +rpzLog=3D"yes" # log default is yes >>>>>>>>> +ucReload=3D"yes" # reload default is = yes >>>>>>>>> + >>>>>>>>> +while [[ $# -gt 0 ]] ; do >>>>>>>>> + case "$1" in >>>>>>>>> + --no-log ) rpzLog=3D"no" ;; >>>>>>>>> + --no-reload ) ucReload=3D"no" ; checkConf=3D"no" ;; >>>>>>>>> + esac >>>>>>>>> + shift # Shift after checking all the cases to get = next option >>>>>>>>> +done >>>>>>>>> + >>>>>>>>> +case "${rpzAction}" in >>>>>>>>> + # add new rpz list >>>>>>>>> + add ) >>>>>>>>> + check_name "${rpzName}" # is this a = valid name? >>>>>>>>> + # does this config already exist? If yes, then exit >>>>>>>>> + if [[ -f "${rpzConfig}" ]] ; then >>>>>>>>> + msg_log "error: rpz: duplicate - ${rpzConfig} = already exists. exit" >>>>>>>>> + exit 104 >>>>>>>>> + fi >>>>>>>>> + >>>>>>>>> + # is this a valid URL? >>>>>>>>> + = regex=3D'^https://[-[:alnum:]\+&@#/%?=3D~_|!:,.;]*[-[:alnum:]\+&@#/%=3D~_|= ]' >>>>>>>>> + if ! [[ "${rpzURL}" =3D~ $regex ]] ; then >>>>>>>>> + msg_log "error: rpz: the URL is not valid: = \"${rpzURL}\". exit." 
>>>>>>>>> + exit 105 >>>>>>>>> + fi >>>>>>>>> + >>>>>>>>> + # create the zone config file >>>>>>>>> + { >>>>>>>>> + echo "rpz:" >>>>>>>>> + echo " name: ${rpzName}.rpz" >>>>>>>>> + echo " zonefile: ${rpzFile}" >>>>>>>>> + echo " url: ${rpzURL}" >>>>>>>>> + echo " rpz-action-override: nxdomain" >>>>>>>>> + echo " rpz-log: ${rpzLog}" >>>>>>>>> + echo " rpz-log-name: ${rpzName}" >>>>>>>>> + echo " rpz-signal-nxdomain-ra: yes" >>>>>>>>> + } > "${rpzConfig}" >>>>>>>>> + >>>>>>>>> + # set-up zonefile >>>>>>>>> + # create an empty rpz file if it does not exist >>>>>>>>> + if [[ ! -f "${rpzFile}" ]] ; then >>>>>>>>> + touch "${rpzFile}" >>>>>>>>> + # unbound requires these settings for rpz files >>>>>>>>> + set_permissions "${rpzFile}" "${rpzConfig}" >>>>>>>>> + fi >>>>>>>>> + ;; >>>>>>>>> + >>>>>>>>> + # trash config file & rpz file >>>>>>>>> + remove ) >>>>>>>>> + if ! [[ -f "${rpzConfig}" ]] ; then >>>>>>>>> + msg_log "error: rpz: cannot remove ${rpzConfig}, = does not exist. exit" >>>>>>>>> + exit 106 >>>>>>>>> + fi >>>>>>>>> + >>>>>>>>> + msg_log "info: rpz: remove config file & rpz file = \"${rpzName}\"" >>>>>>>>> + rm "${rpzConfig}" >>>>>>>>> + rm "${rpzFile}" >>>>>>>>> + ;; >>>>>>>>> + >>>>>>>>> + reload ) >>>>>>>>> + check_unbound_conf "${checkConf}" >>>>>>>>> + ;; >>>>>>>>> + >>>>>>>>> + list ) >>>>>>>>> + awk -F':' '/^\s*name:/{ gsub(/[[:blank:]]|\.rpz/, = "",$2) ; NAME=3D$2 } \ >>>>>>>>> + /^\s*url:/{ gsub(/[[:blank:]]/, "") ; print = NAME"=3D"$2":"$3} ' \ >>>>>>>>> + /etc/unbound/local.d/*rpz.conf >>>>>>>>> + exit >>>>>>>>> + ;; >>>>>>>>> + >>>>>>>>> + unbound-restart ) >>>>>>>>> + check_unbound_conf "${checkConf}" >>>>>>>>> + unbound_restart >>>>>>>>> + exit >>>>>>>>> + ;; >>>>>>>>> + >>>>>>>>> + * ) >>>>>>>>> + msg_log "error: rpz: missing or incorrect parameter" >>>>>>>>> + printf "Usage: $(basename "$0") =
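Review bot: in config/rpz/rpz-config, `check_name "${rpzName}"` is called only in the `add` branch, while `remove` passes the same unvalidated `${rpzName}` into `rm "${rpzConfig}"` and `rm "${rpzFile}"`; both paths are built by interpolating the name, so validate it once before the `case` statement so every action that touches those paths gets the check. The URL regex in `add` has no trailing `$`, so it validates only a prefix of `${rpzURL}` and whatever follows is echoed as-is into the `url:` line of the generated conf; anchor the pattern at the end. In the lines shown, `checkConf` is assigned only inside the `--no-reload` case, so unless rpz-functions sets it, `reload` and `unbound-restart` call `check_unbound_conf` with an empty argument by default; give it an explicit default next to `rpzLog` and `ucReload`. Also in `add`, `set_permissions "${rpzFile}" "${rpzConfig}"` sits inside the `if [[ ! -f "${rpzFile}" ]]` block, so a newly written conf next to an already existing zonefile is never passed to it. The `list` awk splits on `:` and prints only `$2":"$3`, which drops everything after a port number in a URL that the `add` regex accepts.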