From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
From: Michael Tremer
Date: Thu, 20 Mar 2025 16:26:43 +0000
Cc: "IPFire: Development-List"
Message-Id: <89101199-33D1-40AC-8CCE-DD97583129F2@ipfire.org>
References: <20250206163522.2363178-1-jon.murphy@ipfire.org> <8b594873-86ca-46b9-bb4b-94fd6b0239b1@ipfire.org> <9A0DBDA4-75B0-40D2-AE06-78D9BA5EE7D3@ipfire.org>
To: Jon Murphy

Hello Jon,

Please don’t forget to Cc the list...

> On 19 Mar 2025, at 18:27, Jon Murphy wrote:
>
> Michael,
>
>> Where in the code is this implemented? I cannot find anything like this:
>
> Keep in mind I am not a "C" person. Maybe in this section?:
>
> https://git.ipfire.org/?p=thirdparty/unbound.git;a=blob;f=services/authzone.c;hb=30b9cb5f813003d0a2b1c2e678652396615b1b7d#l5875

This is where the AXFR response is being handled when doing a DNS zone transfer. This code is not being called when performing a HTTP download.

I understand that you don’t speak C, but you got the information from somewhere. Documentation maybe? Since that is out of date very often I like to consult the code.

> —
>
> When I was just learning about RPZ I created a separate RPZ file for testing. When I changed the SOA line with a new serial number, the RPZ file download would happen in about 5 minutes.
>
> https://people.ipfire.org/~jon/sblack-adhoc.rpz

It might well be that the file is not being reloaded if the download matches the content that unbound already has. That would of course save some resources.

However that won’t solve our problem with redundant downloads and having no cache.

> That is how I found out the SOA line is watched for a serial number change.
>
> I’ll reconfirm my findings.
>
>
>>>> The second reason is that we have a lot of firewalls out there.
>>>> Not all of them will enable this feature and all of the lists, but even if it is a good chunk, we will generate terabytes of traffic which put load on the infrastructure and will cost money. It simply is not what we want to do, regardless of self-hosting those lists and pulling them from somewhere else.
>
> So I understand, are you thinking of hosting RPZ AXFR (DNS zone transfer) on IPFire infrastructure?

No, I don’t think that we can generally do this. The biggest problem is licensing as we cannot take anyone's content and host it ourselves. We would re-distribute those lists and that will only work with permission of the publishers. I assume that would be too much work to actually get some useful content out there. We might limit ourselves to only those lists that are under a very permissive license. Nobody wants that.

From a technical point of view, DNS over TCP might not be very nice in terms of forging the transfer and so we would need TLS as well… It should work, but even if we would be able to encourage other people to publish their lists I doubt they would implement DNS over TLS for authoritative DNS. That standard is in very early stages as well.

As far as I can see, those vendors who offer a list as a commercial product are using DNS to distribute it (e.g. Spamhaus). Those people who have made this all a hobby are throwing the lists onto GitHub and let them handle the traffic.

Maybe we need to implement both?

-Michael

> Jon
>
>
>
> On 3/19/25 5:35 AM, Michael Tremer wrote:
>> Hello Jon,
>>
>> Where in the code is this implemented? I cannot find anything like this:
>>
>> Unbound loads the entire file into memory and then starts parsing it. The only special treatment there is is to check whether the first line is a valid zone entry. It does not even have to be a SOA record.
>>
>> https://git.ipfire.org/?p=thirdparty/unbound.git;a=blob;f=services/authzone.c;hb=30b9cb5f813003d0a2b1c2e678652396615b1b7d#l1188
>>
>> I am also concerned that Unbound will not be able to support an upstream proxy for any downloads. The caching situation is also unclear for me, so I believe that we will be looking at writing a custom downloader that implements all these things.
>>
>> -Michael
>>
>>> On 19 Mar 2025, at 02:58, Jon Murphy wrote:
>>>
>>> Michael,
>>>
>>>> The emphasis is on the repeated downloads of the same list. That is
>>>> what cannot happen.
>>>
>>> The Unbound RPZ code, as installed within IPFire, watches for a change
>>> in the SOA line of each RPZ file. This is an example of the first few
>>> lines for every RPZ file.
>>>
>>> $TTL 300
>>> @ SOA localhost. root.localhost. 1742298960 43200 3600 86400 300
>>> NS localhost.
>>> ;
>>> ; Title: HaGeZi's Pop-Up Ads DNS Blocklist
>>> ; Description: Blocks annoying and malicious pop-up ads.
>>>
>>> If the SOA serial number changes (e.g. the 1742298960), then Unbound RPZ
>>> code does its thing and downloads. Otherwise there is no download.
>>>
>>>> So there has to be a way to ensure that we won’t download a list again
>>>> unless it has actually changed.
>>>
>>> This should do what you want but I may be missing your point.
>>>
>>>> DNS has a builtin functionality called AXFR. It simply does the job
>>>> for you. I was just wondering whether that was not being used.
>>>
>>> I need to read about AXFR/IXFR and learn a little more.
>>>
>>> Jon
>>>
>>> On 3/17/25 5:35 AM, Michael Tremer wrote:
>>>> Good Morning Jon,
>>>>
>>>>> On 16 Mar 2025, at 17:00, Jon Murphy wrote:
>>>>>
>>>>> Michael,
>>>>>
>>>>> I was reading through your response again and I want to understand this post:
>>>>>
>>>>>> I have also stated that we cannot download any lists over HTTPS again and again and again. The implementation that we have here seems to exactly do that and therefore I think that my feedback has been dismissed entirely.
>>>>> So if RPZ doesn't use HTTPS, what is it using? I am missing a key point here.
>>>> The emphasis is on the repeated downloads of the same list. That is what cannot happen.
>>>>
>>>> Although it might not affect a lot of people in our general user-base, there are some that have a metered connection and will pay for data by volume. Some of the lists I looked at are just under 20 MiB. Therefore we need to keep any traffic down to a minimum. The second reason is that we have a lot of firewalls out there. Not all of them will enable this feature and all of the lists, but even if it is a good chunk, we will generate terabytes of traffic which put load on the infrastructure and will cost money. It simply is not what we want to do, regardless of self-hosting those lists and pulling them from somewhere else.
>>>>
>>>> So there has to be a way to ensure that we won’t download a list again unless it has actually changed.
>>>>
>>>> DNS has a builtin functionality called AXFR. It simply does the job for you. I was just wondering whether that was not being used.
>>>>
>>>> HTTPS is an option because that is simply what we use elsewhere, but extra functionality will have to be built for it.
>>>>
>>>> -Michael
>>>>
>>>>> Jon
>>>>>
>>>>>
>>>>> On 2/13/25 3:34 PM, jon wrote:
>>>>>> Michael,
>>>>>>
>>>>>> I’ve read through your comments a few times and I ended up with many more questions.
>>>>>>
>>>>>>
>>>>>>> What I rather mean is that it has never been added as a topic on the agenda and it has not been pitched by yourself.
>>>>>> To me the efforts to get new code accepted seem to have changed and it seemed easier in the past. In the past I made the Core Team aware via the Dev Mailing List and wrote a simple two or three paragraphs of "What is it? / What is the value? / Here is the code"
>>>>>>
>>>>>>
>>>>>> So in an effort to move forward: How exactly is something presented to the Core Team?
>>>>>>
>>>>>> Is there an example of a recent effort that was presented that I can see as a sample? (This type of info can also be added to the Wiki)
>>>>>>
>>>>>> I understand you want it this way, but I don’t know what exactly is needed. Please be specific.
>>>>>>
>>>>>>
>>>>>> Jon
>>>>>>
>>>>>> PS - I am not ignoring your other comments, I am just trying to move forward and keep things simple.
>>>>>>
>>>>>>
>>>>>>
>>>>>>> On Feb 8, 2025, at 1:27 PM, Michael Tremer wrote:
>>>>>>>
>>>>>>> Hello Jon,
>>>>>>>
>>>>>>> Thanks for your reply. And good that you are copying everyone into this conversation.
>>>>>>>
>>>>>>>> On 8 Feb 2025, at 18:41, jon wrote:
>>>>>>>>
>>>>>>>> Michael,
>>>>>>>>
>>>>>>>>> I think I have covered this all at lengths before that this project has been started as a separate effort
>>>>>>>> Yes, this has been a separate effort (a very public separate effort). Yes, as you pointed this out early on with the "proof-of-concept" and then my request for people to help test RPZ. Nothing was hidden.
>>>>>>>>
>>>>>>>> This was done because you (and maybe others) did not have the time and I wanted to help and because I needed assistance with RPZ. I tried my best to do this without bothering you.
>>>>>>> I don’t think that it is accurate that nobody wanted to help on this. The list was always open - although not every email has been replied to swiftly it is also your responsibility to raise a question again if it was missed. People here have open ears.
>>>>>>>
>>>>>>> It was also stated on this very list and in our documentation that working on something without involving the core team is a risky undertaking. Of course IPFire is free software and so everyone is free to fork if they wish to do so.
>>>>>>>
>>>>>>>>> and as far as I am aware none of the other team members has been involved. This has not been discussed either on this list, on our calls.
>>>>>>>> You were aware many steps along the way. See your email on July 28, 2024, August 15, 2024, September 30, 2024, December 23, 2024, and January 16. My attempts to get the team involved were met with "things are busy" and sometimes silence. (Yes, I get it, people are busy.)
>>>>>>>>
>>>>>>>> You and Adolf, Leo, Erik and Bernhard have been aware since the beginning. You mention you were aware of the "proof-of-concept". If you include those beginning posts, since Sep 2023.
>>>>>>> Yes, I am aware of a proof-of-concept that I have been running myself for a long time. I am also aware of the efforts that you have been taking.
>>>>>>>
>>>>>>> Yet I don’t think there has ever been any joint effort, or am I seeing that wrong?
>>>>>>>
>>>>>>>>> This has not been discussed . . . on our calls.
>>>>>>>> On the July 28th you stated:
>>>>>>>> "We have talked about RPZ many times on the monthly call since the URL filter feature is falling more and more out of fashion. I think there is also many posts about this on the forum."
>>>>>>>>
>>>>>>>> Please don’t insult me again by stating "you know what I mean".
>>>>>>>>
>>>>>>>> And it has been discussed but not documented in the Monthly Meeting notes.
>>>>>>> I am not at all insulting you. I don’t want to take this down to a personal level at all. This is a public mailing list and people who read this don’t need to listen to an argument we are having. They are here for the tech inside IPFire.
>>>>>>>
>>>>>>> When I wrote that it has not been discussed that does not mean that we have not been touching on the topic. We have been talking about lots of things on the calls, the weather, politics, how our pets are. None of that makes it to the logs. What I rather mean is that it has never been added as a topic on the agenda and it has not been pitched by yourself.
>>>>>>>
>>>>>>>>> Instead there has been a separate conversation on the forum with the occasional dip here to the list. But that was not a regular two-way conversation.
>>>>>>>> Regular conversation on the Dev Mailing list is many times met with silence. I get it, people are busy.
>>>>>>>>
>>>>>>>> And regular two-way conversation doesn’t happen on the list. At least not with me. I’d be happy to point out the posts that were met with silence.
>>>>>>>> Again, I get it, people are busy.
>>>>>>> And you think my emails are not being met with silence? This has nothing to do with this specific topic. This has something to do with how occupied people are and how engaged they are on certain topics. Not everyone is involved in all the things and simply will ignore emails simply based on their subject line.
>>>>>>>
>>>>>>>> But the "dip here to the list" were my attempts to get a conversation started. As I said, many times met with silence.
>>>>>>>>
>>>>>>>> The only place I was not met with silence was on the Community. You have a great group of people in the Community. It is a shame you don’t want to have others help. It would reduce your workload.
>>>>>>> You should stop making statements that are not true. Who doesn’t want anyone to help?
>>>>>>>
>>>>>>> Not having this conversation on a Saturday evening would reduce my workload. At least it would free up time for something else. Helping with the things that are already on the go would reduce the workload of the entire team. Starting one thing at a time and finishing it is a lot better to manage than starting a hundred things and not even finishing one. I can tell you that I already have a hundred things on the go.
>>>>>>>
>>>>>>>>> Therefore, what am I supposed to do with this email?
>>>>>>>> To me it is beyond obvious…
>>>>>>>>
>>>>>>>> If it isn’t what you want, then guide me with how to do this the correct way. And be specific. I am trying to help. I am trying to make things better. I am trying to do things the right way.
>>>>>>> To me it isn’t. This is yet another project that has been dumped to the list like so many before and later on everyone has left to have the team deal with the rest.
>>>>>>>
>>>>>>> It is a huge patch set. You explained what the vision is, but that is about it. There is no chance this will continue if this disagreement isn’t solved first. I didn’t even look at the code.
>>>>>>>
>>>>>>>>> I don’t want to merge code that I don’t agree with.
>>>>>>>> I asked multiple times if you "agreed with the concept" and again, met with silence. Yes I get it, people are busy.
>>>>>>> Having support for RPZ? Yes, it was definitely on the roadmap. That I agree with.
>>>>>>>
>>>>>>>>> So many fundamental things that I have been raising have either not been discussed or outright dismissed.
>>>>>>>> You mentioned this in the past, but for some reason you do not disclose what I dismissed. Why do you continue to make this harder, wouldn’t it be easier to tell me what I have dismissed?
>>>>>>>>
>>>>>>>> I have sent multiple emails trying to answer your concerns and comments. On July 28, Aug 14, Aug 22, Aug 23, Sep 30, etc.
>>>>>>>>
>>>>>>>> I’ve gone through all of the questions you asked and I cannot find a "dismissed" item.
>>>>>>> Maybe I need to be *more clear*. I feel humoured by this.
>>>>>>>
>>>>>>> It is late on a Saturday and I want my dinner soon, but certainly I have stated that this should never be an add-on considering it is supposed to replace URL Filter. We should never allow people to add their own sources. I have also stated that we cannot download any lists over HTTPS again and again and again. The implementation that we have here seems to exactly do that and therefore I think that my feedback has been dismissed entirely.
>>>>>>>
>>>>>>>>> I don’t want to merge code that has no future inside IPFire as there is no constructive conversation with the maintainers of it.
>>>>>>>> The maintainers of Unbound and/or RPZ?
>>>>>>>>
>>>>>>>> The maintainers of Hagezi list, the threatfox list, the urlhaus list, etc.?
>>>>>>>>
>>>>>>>> What else? The maintainers of the RPZ scripts? That is me. Let’s talk!
>>>>>>> You. I don’t care much about the providers of the lists.
>>>>>>>
>>>>>>>> See, this is where it gets confusing. There are hundreds of open source packages as part of IPFire. Pick the last five years of items added to the IPFire build. You're telling me you have "constructive conversation with the maintainers" of all of the added packages?
>>>>>>> They publish their software and they don’t care whether I am pulling it or not. They publish it with the commitment to maintain it - sometimes for better and sometimes for worse.
>>>>>>>
>>>>>>> You care about me pulling your code and I don’t know whether you would commit to maintain this.
>>>>>>>
>>>>>>> These two are very different cases.
>>>>>>>
>>>>>>>> Pick the IP Blocklists list (i.e., 3CORESEC, ABUSECH, DSHIELD, SPAMHAUS, etc.) or the Suricata lists (i.e., Emergingthreats.net, Abuse.ch, etc.). So you’ve had "constructive conversation with the maintainers"?
>>>>>>> Yes, occasionally I have phone calls with a few of these providers.
>>>>>>>
>>>>>>>>> Having been trying for a long time to make you aware of this, nothing of this should come as a surprise.
>>>>>>>> Ha! Yes a surprise. In the beginning you seemed interested as IPFire needed a replacement for URL Filter. You asked good questions about the lists picked, asked for the value to the users, etc. And I answered the best I could.
>>>>>>>>
>>>>>>>> You even asked: “Why is this realised as an add-on and not part of the core system?” from your Jul 28, 2024 email.
>>>>>>> Ah, so, why is the patch creating an add-on? Not that I am saying that what I say is law, but it has not been challenged either. If my input is being ignored, why should I put this to the top of my list of priorities? I am not disappointed about this, just trying to be very good with my time.
>>>>>>>
>>>>>>>> And on January 16, 2025 I wrote a message looking for help. And you were kind to respond quickly. So in three weeks time, since the kind response, something has changed. You went from supportive to "this".
>>>>>>>>
>>>>>>>> So yes, I am surprised.
>>>>>>> Well, maybe I should not have replied to that email. It was clear that you were on some path that was not right, but you were not interested before in finding the right path from the beginning.
>>>>>>>
>>>>>>>>> Please consider if that can be changed and if there is a path forward with this.
>>>>>>>> Be more specific, what has to change? What exactly did I dismiss?
>>>>>>> Dismissal is just my assumption. I don’t know what you actually did with my feedback. I can only see the end product that does not seem to contain much of it. Repeatedly I have been pointing out that we should think before we build. I am sure a lot of hours have now gone into some code that simply does not satisfy me. And I am not talking about the code itself, what it does is what I don’t think is right for us.
>>>>>>>
>>>>>>> The process is very clear for me that we should first of all think whether we want a certain feature now. Then there should be a clear roadmap for everyone to follow; tasks can be split-up as we go and hopefully then have something that is maintainable, interesting for our users and even would do us proud. This is how this should work.
>>>>>>>
>>>>>>> So, what has to change? I don’t think with shouting at each other, throwing patches around and making me generally unhappy is a good start.
>>>>>>>
>>>>>>> -Michael
>>>>>>>
>>>>>>>> Jon
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>> On Feb 6, 2025, at 2:13 PM, Michael Tremer wrote:
>>>>>>>>>
>>>>>>>>> Hello Jon,
>>>>>>>>>
>>>>>>>>> Well, here we are again with another patch regarding this feature.
>>>>>>>>>
>>>>>>>>> I cannot quite see from your email what the question is, but if this is a request to have this merged into IPFire, I am once again sorry to disappoint you.
>>>>>>>>>
>>>>>>>>> I think I have covered this all at lengths before that this project has been started as a separate effort and as far as I am aware none of the other team members has been involved. This has not been discussed either on this list, on our calls. Instead there has been a separate conversation on the forum with the occasional dip here to the list. But that was not a regular two-way conversation. Therefore, what am I supposed to do with this email?
>>>>>>>>>
>>>>>>>>> I don’t want to merge code that I don’t agree with. So many fundamental things that I have been raising have either not been discussed or outright dismissed.
>>>>>>>>>
>>>>>>>>> I don’t want to merge code that has no future inside IPFire as there is no constructive conversation with the maintainers of it.
>>>>>>>>>
>>>>>>>>> Having been trying for a long time to make you aware of this, nothing of this should come as a surprise.
>>>>>>>>>
>>>>>>>>> Please consider if that can be changed and if there is a path forward with this.
>>>>>>>>>
>>>>>>>>> All the best,
>>>>>>>>> -Michael
>>>>>>>>>
>>>>>>>>>> On 6 Feb 2025, at 16:35, Jon Murphy wrote:
>>>>>>>>>>
>>>>>>>>>> What is it?
>>>>>>>>>> Response Policy Zone (RPZ) is a mechanism to define local policies in a
>>>>>>>>>> standardized way and load those policies from external sources.
>>>>>>>>>> Bottom line: RPZ allows admins to easily block access to websites via DNS lookup.
>>>>>>>>>>
>>>>>>>>>> RPZ can block websites via categories. Examples include: fake websites, annoying
>>>>>>>>>> pop-up ads, newly registered domains, DoH bypass sites, bad "host" services,
>>>>>>>>>> malicious top level domains (e.g., *.zip, *.mov), piracy, gambling, pornography,
>>>>>>>>>> and more. RPZ lists come from various RPZ providers and their available
>>>>>>>>>> categories.
>>>>>>>>>>
>>>>>>>>>> This RPZ add-on enables the RPZ functionality by adding a couple lines in a
>>>>>>>>>> configuration file. This add-on simply adds configuration files and adds
>>>>>>>>>> scripts (config, metrics and sleep) to make RPZ easier for the admin to use.
>>>>>>>>>>
>>>>>>>>>> The RPZ scripts include additional languages: German, Spanish, French, Turkish,
>>>>>>>>>> and Italian.
>>>>>>>>>>
>>>>>>>>>> RPZ itself was released in 2010 and has been part of the IPFire build since ~2015.
>>>>>>>>>>
>>>>>>>>>> Why is it needed? What is its value?
>>>>>>>>>>
>>>>>>>>>> - The RPZ concept places this filtering into IPFire, our internet access
>>>>>>>>>> gateway, which is (should be) solely used as DNS source of the internal network.
>>>>>>>>>>
>>>>>>>>>> - As most sites use HTTPS it makes it difficult to filter traffic with URL
>>>>>>>>>> Filter without also properly configuring conventional (non-transparent)
>>>>>>>>>> mode on the proxy. RPZ is a nice replacement for the URL Filter.
>>>>>>>>>>
>>>>>>>>>> - No need to install and maintain an additional device like PiHole or AdBlock
>>>>>>>>>> browser extensions on multiple user devices.
>>>>>>>>>>
>>>>>>>>>> - This is an additional layer of protection for users. Less worry someone will
>>>>>>>>>> click on something that gets them into trouble. And, saying this with emphasis,
>>>>>>>>>> the ability to do it in one place!
>>>>>>>>>>
>>>>>>>>>> - Blocked sites save on unneeded traffic and can lessen the threat of malware
>>>>>>>>>> in advertisements
>>>>>>>>>>
>>>>>>>>>> - Logging allows the admin to see the site blocked and take actions
>>>>>>>>>>
>>>>>>>>>> - RPZ will be used at the home, home-office (work from home), schools,
>>>>>>>>>> ministerial, and at the office. Device counts are small (2-6) to medium (~80)
>>>>>>>>>> to medium-large (200+).
>>>>>>>>>>
>>>>>>>>>> - RPZ can block ads, popups, phishing, scammers, spyware, malware, annoying
>>>>>>>>>> popups, NSFW links, DOH servers, and the usual internet trash.
>>>>>>>>>>
>>>>>>>>>> ------------------------------
>>>>>>>>>>
>>>>>>>>>> Change Log for RPZ add-on
>>>>>>>>>>
>>>>>>>>>> rpz-1.0.0-18 on 2025-02-05
>>>>>>>>>> - Build for approval & release as IPFire add-on
>>>>>>>>>>
>>>>>>>>>> ---
>>>>>>>>>>
>>>>>>>>>> rpz-beta-0.1.18-18.ipfire on 2025-02-01
>>>>>>>>>> rpz.cgi:
>>>>>>>>>> - new feature: added a mod key to force an unbound restart
>>>>>>>>>>
>>>>>>>>>> rpz-config and rpz-make:
>>>>>>>>>> - new feature: added action for unbound restart `rpz-config unbound-restart`
>>>>>>>>>>
>>>>>>>>>> rpz-metrics:
>>>>>>>>>> - simple reformatting
>>>>>>>>>> - rename far right column from "last update" to "last download"
>>>>>>>>>>
>>>>>>>>>> ---
>>>>>>>>>>
>>>>>>>>>> rpz-beta-0.1.17-17.ipfire on 2024-12-09
>>>>>>>>>> rpz-make
>>>>>>>>>> - bug fix: corrected validation regex for wildcards like: `*.domain.com`
>>>>>>>>>>
>>>>>>>>>> ---
>>>>>>>>>>
>>>>>>>>>> rpz-beta-0.1.16-16.ipfire on 2024-11-18
>>>>>>>>>> rpz-make
>>>>>>>>>> - new feature: updated validation regex
>>>>>>>>>> - bug fix: moved validation to beginning of process. Now we validate before
>>>>>>>>>> creating config files.
>>>>>>>>>>
>>>>>>>>>> rpz.cgi:
>>>>>>>>>> - new feature: use CSS color variables of the main ipfire theme
>>>>>>>>>> - bug fix: empty zonefile remarks were stored as “undef” and caused a warning
>>>>>>>>>> - bug fix: HTML textarea removes the first empty line in a custom list
>>>>>>>>>> - thank you Leo!
>>>>>>>>>>
>>>>>>>>>> ---
>>>>>>>>>>
>>>>>>>>>> rpz-beta-0.1.15-15.ipfire on 2024-11-04
>>>>>>>>>> rpz.cgi:
>>>>>>>>>> - new feature: added new language file for Turkish (thank you Peppe)
>>>>>>>>>>
>>>>>>>>>> rpz-make
>>>>>>>>>> - bug fix: corrected empty allow/block list issue. An empty allow/block list
>>>>>>>>>> will now remove contents of allow/block.rpz files and remove unneeded
>>>>>>>>>> allow/block.conf file. (thank you iptom)
>>>>>>>>>>
>>>>>>>>>> ---
>>>>>>>>>>
>>>>>>>>>> rpz-beta-0.1.14-14.ipfire on 2024-10-29
>>>>>>>>>> rpz-config:
>>>>>>>>>> - bug fix: correct missing rpz extension. `rpz-config list` displayed URL
>>>>>>>>>> incorrectly (thank you Bernhard)
>>>>>>>>>>
>>>>>>>>>> rpz.cgi:
>>>>>>>>>> - bug fix: remove extra `"` in language files (thank you Bernhard)
>>>>>>>>>> - new feature: slightly dim "apply" button when not enabled
>>>>>>>>>>
>>>>>>>>>> ---
>>>>>>>>>>
>>>>>>>>>> rpz-beta-0.1.13-13.ipfire on 2024-10-27
>>>>>>>>>> - skipped
>>>>>>>>>>
>>>>>>>>>> ---
>>>>>>>>>>
>>>>>>>>>> rpz-beta-0.1.12-12.ipfire on 2024-10-21
>>>>>>>>>> rpz.cgi:
>>>>>>>>>> - new feature: added new language file for French (thank you gw-ipfire)
>>>>>>>>>>
>>>>>>>>>> ---
>>>>>>>>>>
>>>>>>>>>> rpz-beta-0.1.11-11.ipfire on 2024-10-18
>>>>>>>>>> rpz.cgi:
>>>>>>>>>> - new feature: added new language file for Italian (thank you umberto)
>>>>>>>>>> - new feature: added new language file for Spanish (thank you Roberto)
>>>>>>>>>>
>>>>>>>>>> ---
>>>>>>>>>>
>>>>>>>>>> rpz-beta-0.1.10-10.ipfire on 2024-10-15
>>>>>>>>>> rpz-make:
>>>>>>>>>> - bug fix: corrected validation error for a custom list entry (thank you siosios)
>>>>>>>>>> - e.g., `*.cloudflare-dns.com`
>>>>>>>>>>
>>>>>>>>>> install.sh:
>>>>>>>>>> - bug fix: add chown to correct user created files
>>>>>>>>>>
>>>>>>>>>> update.sh:
>>>>>>>>>> - bug fix: add chown to correct user created files (thank you siosios)
>>>>>>>>>>
>>>>>>>>>> ---
>>>>>>>>>>
>>>>>>>>>> rpz-beta-0.1.9-9.ipfire on 2024-10-08
>>>>>>>>>> rpz.cgi:
>>>>>>>>>> - new feature: added new language file for German (thank you Leo)
>>>>>>>>>> - bug fix: add missing "rpz exitcode 110"
>>>>>>>>>> - bug fix: corrected missing RPZ menu item at menu > IPFire
>>>>>>>>>>
>>>>>>>>>> ---
>>>>>>>>>>
>>>>>>>>>> rpz-beta-0.1.8-8.ipfire on 2024-10-04
>>>>>>>>>> - skipped
>>>>>>>>>>
>>>>>>>>>> ---
>>>>>>>>>>
>>>>>>>>>> rpz-beta-0.1.7-7.ipfire on 2024-10-03
>>>>>>>>>> All:
>>>>>>>>>> - new feature: includes beta version numbers for pakfire package,
>>>>>>>>>> instead of only `rpz-1.0.0-1.ipfire`, for each release.
>>>>>>>>>>
>>>>>>>>>> rpz.cgi:
>>>>>>>>>> - new feature: added new WebGUI at `rpz.cgi`
>>>>>>>>>> - a BIG thank you to Leo Hofmann for all of his work creating the webgui!!
>>>>>>>>>> - bug fix: corrected missing RPZ menu item at menu > IPFire
>>>>>>>>>>
>>>>>>>>>> rpz-make:
>>>>>>>>>> - new feature: validate entries in allowlist and blocklist
>>>>>>>>>> - new feature: add "no-reload" option for WebGUI
>>>>>>>>>>
>>>>>>>>>> rpz-metrics:
>>>>>>>>>> - new feature: info can be sorted by name, by hit count, by line count, by
>>>>>>>>>> "enabled" list or all lists
>>>>>>>>>>
>>>>>>>>>> backups:
>>>>>>>>>> - bug fix: include all files in `/var/ipfire/dns/rpz` directory in backup
>>>>>>>>>>
>>>>>>>>>> update.sh:
>>>>>>>>>> - bug fix: corrected ownership for `/var/ipfire/dns/rpz` directory during an
>>>>>>>>>> update
>>>>>>>>>>
>>>>>>>>>> Build:
>>>>>>>>>> - bug fix: `block.rpz.conf` and `block.rpz` from build. Files to be created
>>>>>>>>>> by `rpz-make`
>>>>>>>>>>
>>>>>>>>>> WebGUI and German language file
>>>>>>>>>> Contribution-by: Leo-Andres Hofmann
>>>>>>>>>>
>>>>>>>>>> Spanish language file
>>>>>>>>>> Contribution-by: Roberto Peña
>>>>>>>>>>
>>>>>>>>>> Italian language file
>>>>>>>>>> Contribution-by: Umberto Parma
>>>>>>>>>>
>>>>>>>>>> French language file
>>>>>>>>>> Contribution-by: gw-ipfire
>>>>>>>>>>
>>>>>>>>>> Turkish language file
>>>>>>>>>> Contribution-by: Peppe Tech
>>>>>>>>>>
>>>>>>>>>> Contribution-by: Bernhard Bitsch
>>>>>>>>>> Contribution-by: Erik Kapfer
>>>>>>>>>> Signed-off-by: Jon Murphy >>>>>>>>> --- >>>>>>>>>> config/backup/includes/rpz | 4 + >>>>>>>>>> config/cfgroot/manualpages | 1 + >>>>>>>>>> config/menu/EX-rpz.menu | 6 + >>>>>>>>>> config/rootfiles/common/configroot | 1 + >>>>>>>>>> config/rootfiles/common/web-user-interface | 1 + >>>>>>>>>> config/rootfiles/packages/rpz | 20 + >>>>>>>>>> config/rpz/00-rpz.conf | 10 + >>>>>>>>>> config/rpz/rpz-config | 130 +++ >>>>>>>>>> config/rpz/rpz-functions | 85 ++ >>>>>>>>>> config/rpz/rpz-make | 203 +++++ >>>>>>>>>> config/rpz/rpz-metrics | 170 ++++ >>>>>>>>>> config/rpz/rpz-sleep | 58 ++ >>>>>>>>>> config/rpz/rpz.de.pl | 30 + >>>>>>>>>> config/rpz/rpz.en.pl | 30 + >>>>>>>>>> config/rpz/rpz.es.pl | 30 + >>>>>>>>>> config/rpz/rpz.fr.pl | 30 + >>>>>>>>>> config/rpz/rpz.it.pl | 30 + >>>>>>>>>> config/rpz/rpz.tr.pl | 30 + >>>>>>>>>> html/cgi-bin/rpz.cgi | 923 = +++++++++++++++++++++ >>>>>>>>>> lfs/rpz | 96 +++ >>>>>>>>>> make.sh | 3 +- >>>>>>>>>> src/paks/rpz/install.sh | 36 + >>>>>>>>>> src/paks/rpz/uninstall.sh | 38 + >>>>>>>>>> src/paks/rpz/update.sh | 52 ++ >>>>>>>>>> 24 files changed, 2016 insertions(+), 1 deletion(-) >>>>>>>>>> create mode 100644 config/backup/includes/rpz >>>>>>>>>> create mode 100644 config/menu/EX-rpz.menu >>>>>>>>>> create mode 100644 config/rootfiles/packages/rpz >>>>>>>>>> create mode 100644 config/rpz/00-rpz.conf >>>>>>>>>> create mode 100644 config/rpz/rpz-config >>>>>>>>>> create mode 100644 config/rpz/rpz-functions >>>>>>>>>> create mode 100644 config/rpz/rpz-make >>>>>>>>>> create mode 100755 config/rpz/rpz-metrics >>>>>>>>>> create mode 100755 config/rpz/rpz-sleep >>>>>>>>>> create mode 100644 config/rpz/rpz.de.pl >>>>>>>>>> create mode 100644 config/rpz/rpz.en.pl >>>>>>>>>> create mode 100644 config/rpz/rpz.es.pl >>>>>>>>>> create mode 100644 config/rpz/rpz.fr.pl >>>>>>>>>> create mode 100644 config/rpz/rpz.it.pl >>>>>>>>>> create mode 100644 config/rpz/rpz.tr.pl >>>>>>>>>> create mode 100644 html/cgi-bin/rpz.cgi >>>>>>>>>> create 
mode 100644 lfs/rpz >>>>>>>>>> create mode 100644 src/paks/rpz/install.sh >>>>>>>>>> create mode 100644 src/paks/rpz/uninstall.sh >>>>>>>>>> create mode 100644 src/paks/rpz/update.sh >>>>>>>>>>=20 >>>>>>>>>> diff --git a/config/backup/includes/rpz = b/config/backup/includes/rpz >>>>>>>>>> new file mode 100644 >>>>>>>>>> index 000000000..36513e494 >>>>>>>>>> --- /dev/null >>>>>>>>>> +++ b/config/backup/includes/rpz >>>>>>>>>> @@ -0,0 +1,4 @@ >>>>>>>>>> +/var/ipfire/dns/rpz/* >>>>>>>>>> +/etc/unbound/zonefiles/allow.rpz >>>>>>>>>> +/etc/unbound/zonefiles/block.rpz >>>>>>>>>> +/etc/unbound/local.d/*rpz.conf >>>>>>>>>> diff --git a/config/cfgroot/manualpages = b/config/cfgroot/manualpages >>>>>>>>>> index 1f7e01efc..d3a48c633 100644 >>>>>>>>>> --- a/config/cfgroot/manualpages >>>>>>>>>> +++ b/config/cfgroot/manualpages >>>>>>>>>> @@ -70,6 +70,7 @@ pakfire.cgi=3Dconfiguration/ipfire/pakfire >>>>>>>>>> wlanap.cgi=3Daddons/wireless >>>>>>>>>> tor.cgi=3Daddons/tor >>>>>>>>>> samba.cgi=3Daddons/samba >>>>>>>>>> +rpz.cgi=3Daddons/rpz >>>>>>>>>>=20 >>>>>>>>>> # Logs menu >>>>>>>>>> logs.cgi/summary.dat=3Dconfiguration/logs/summary >>>>>>>>>> diff --git a/config/menu/EX-rpz.menu = b/config/menu/EX-rpz.menu >>>>>>>>>> new file mode 100644 >>>>>>>>>> index 000000000..2f4daf410 >>>>>>>>>> --- /dev/null >>>>>>>>>> +++ b/config/menu/EX-rpz.menu >>>>>>>>>> @@ -0,0 +1,6 @@ >>>>>>>>>> +$subipfire->{'20.rpz'} =3D { >>>>>>>>>> + 'caption' =3D> $Lang::tr{'rpz'}, >>>>>>>>>> + 'uri' =3D> '/cgi-bin/rpz.cgi', >>>>>>>>>> + 'title' =3D> "RPZ", >>>>>>>>>> + 'enabled' =3D> 1, >>>>>>>>>> +}; >>>>>>>>>> diff --git a/config/rootfiles/common/configroot = b/config/rootfiles/common/configroot >>>>>>>>>> index 9839eee45..b30d6aae4 100644 >>>>>>>>>> --- a/config/rootfiles/common/configroot >>>>>>>>>> +++ b/config/rootfiles/common/configroot 
>>>>>>>>>> @@ -120,6 +120,7 @@ var/ipfire/menu.d/70-log.menu >>>>>>>>>> #var/ipfire/menu.d/EX-apcupsd.menu >>>>>>>>>> #var/ipfire/menu.d/EX-guardian.menu >>>>>>>>>> #var/ipfire/menu.d/EX-mympd.menu >>>>>>>>>> +#var/ipfire/menu.d/EX-rpz.menu >>>>>>>>>> #var/ipfire/menu.d/EX-samba.menu >>>>>>>>>> #var/ipfire/menu.d/EX-tor.menu >>>>>>>>>> #var/ipfire/menu.d/EX-transmission.menu >>>>>>>>>> diff --git a/config/rootfiles/common/web-user-interface = b/config/rootfiles/common/web-user-interface >>>>>>>>>> index 816241dae..e00464076 100644 >>>>>>>>>> --- a/config/rootfiles/common/web-user-interface >>>>>>>>>> +++ b/config/rootfiles/common/web-user-interface >>>>>>>>>> @@ -69,6 +69,7 @@ srv/web/ipfire/cgi-bin/proxy.cgi >>>>>>>>>> srv/web/ipfire/cgi-bin/qos.cgi >>>>>>>>>> srv/web/ipfire/cgi-bin/remote.cgi >>>>>>>>>> srv/web/ipfire/cgi-bin/routing.cgi >>>>>>>>>> +#srv/web/ipfire/cgi-bin/rpz.cgi >>>>>>>>>> #srv/web/ipfire/cgi-bin/samba.cgi >>>>>>>>>> srv/web/ipfire/cgi-bin/services.cgi >>>>>>>>>> srv/web/ipfire/cgi-bin/shutdown.cgi >>>>>>>>>> diff --git a/config/rootfiles/packages/rpz = b/config/rootfiles/packages/rpz >>>>>>>>>> new file mode 100644 >>>>>>>>>> index 000000000..1c8663049 >>>>>>>>>> --- /dev/null >>>>>>>>>> +++ b/config/rootfiles/packages/rpz 
>>>>>>>>>> @@ -0,0 +1,20 @@ >>>>>>>>>> +etc/unbound/local.d/00-rpz.conf >>>>>>>>>> +etc/unbound/zonefiles >>>>>>>>>> +etc/unbound/zonefiles/allow.rpz >>>>>>>>>> +usr/sbin/rpz-config >>>>>>>>>> +usr/sbin/rpz-functions >>>>>>>>>> +usr/sbin/rpz-make >>>>>>>>>> +usr/sbin/rpz-metrics >>>>>>>>>> +usr/sbin/rpz-sleep >>>>>>>>>> +var/ipfire/addon-lang/rpz.de.pl >>>>>>>>>> +var/ipfire/addon-lang/rpz.en.pl >>>>>>>>>> +var/ipfire/addon-lang/rpz.es.pl >>>>>>>>>> +var/ipfire/addon-lang/rpz.fr.pl >>>>>>>>>> +var/ipfire/addon-lang/rpz.it.pl >>>>>>>>>> +var/ipfire/addon-lang/rpz.tr.pl >>>>>>>>>> +var/ipfire/backup/addons/includes/rpz >>>>>>>>>> +var/ipfire/dns/rpz >>>>>>>>>> +var/ipfire/dns/rpz/allowlist >>>>>>>>>> +var/ipfire/dns/rpz/blocklist >>>>>>>>>> +var/ipfire/menu.d/EX-rpz.menu >>>>>>>>>> +srv/web/ipfire/cgi-bin/rpz.cgi >>>>>>>>>> diff --git a/config/rpz/00-rpz.conf b/config/rpz/00-rpz.conf >>>>>>>>>> new file mode 100644 >>>>>>>>>> index 000000000..f005a4f2e >>>>>>>>>> --- /dev/null >>>>>>>>>> +++ b/config/rpz/00-rpz.conf >>>>>>>>>> @@ -0,0 +1,10 @@ >>>>>>>>>> +server: >>>>>>>>>> + module-config: "respip validator iterator" >>>>>>>>>> + >>>>>>>>>> +rpz: >>>>>>>>>> + name: allow.rpz >>>>>>>>>> + zonefile: = /etc/unbound/zonefiles/allow.rpz >>>>>>>>>> + rpz-action-override: passthru >>>>>>>>>> + rpz-log: yes >>>>>>>>>> + rpz-log-name: allow >>>>>>>>>> + rpz-signal-nxdomain-ra: yes >>>>>>>>>> diff --git a/config/rpz/rpz-config b/config/rpz/rpz-config >>>>>>>>>> new file mode 100644 >>>>>>>>>> index 000000000..c72d50f9b >>>>>>>>>> --- /dev/null >>>>>>>>>> +++ b/config/rpz/rpz-config 
>>>>>>>>>> @@ -0,0 +1,130 @@ >>>>>>>>>> +#!/bin/bash >>>>>>>>>> = +#########################################################################= ###### >>>>>>>>>> +# = # >>>>>>>>>> +# IPFire.org - A linux based firewall = # >>>>>>>>>> +# Copyright (C) 2024-2025 IPFire Team = # >>>>>>>>>> +# = # >>>>>>>>>> +# This program is free software: you can redistribute it = and/or modify # >>>>>>>>>> +# it under the terms of the GNU General Public License as = published by # >>>>>>>>>> +# the Free Software Foundation, either version 3 of the = License, or # >>>>>>>>>> +# (at your option) any later version. = # >>>>>>>>>> +# = # >>>>>>>>>> +# This program is distributed in the hope that it will be = useful, # >>>>>>>>>> +# but WITHOUT ANY WARRANTY; without even the implied = warranty of # >>>>>>>>>> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See = the # >>>>>>>>>> +# GNU General Public License for more details. = # >>>>>>>>>> +# = # >>>>>>>>>> +# You should have received a copy of the GNU General Public = License # >>>>>>>>>> +# along with this program. If not, see = . 
# >>>>>>>>>> +# = # >>>>>>>>>> = +#########################################################################= ###### >>>>>>>>>> + >>>>>>>>>> +version=3D"2025-01-11 - v44" >>>>>>>>>> + >>>>>>>>>> +############### Functions ############### >>>>>>>>>> + >>>>>>>>>> +source /usr/sbin/rpz-functions >>>>>>>>>> + >>>>>>>>>> +############### Main ############### >>>>>>>>>> + >>>>>>>>>> +tagName=3D"unbound" >>>>>>>>>> + >>>>>>>>>> +rpzAction=3D"${1}" # input RPZ action >>>>>>>>>> +rpzName=3D"${2}" # input RPZ name >>>>>>>>>> +rpzURL=3D"${3}" # input RPZ URL >>>>>>>>>> +rpzOption1=3D"${4}" # input RPZ option #1 >>>>>>>>>> +rpzOption2=3D"${5}" # input RPZ option #2 >>>>>>>>>> + >>>>>>>>>> +rpzConfig=3D"/etc/unbound/local.d/${rpzName}.rpz.conf" # = output zone conf file >>>>>>>>>> +rpzFile=3D"/etc/unbound/zonefiles/${rpzName}.rpz" # = output for RPZ file >>>>>>>>>> + >>>>>>>>>> +rpzLog=3D"yes" # log default is yes >>>>>>>>>> +ucReload=3D"yes" # reload default is = yes >>>>>>>>>> + >>>>>>>>>> +while [[ $# -gt 0 ]] ; do >>>>>>>>>> + case "$1" in >>>>>>>>>> + --no-log ) rpzLog=3D"no" ;; >>>>>>>>>> + --no-reload ) ucReload=3D"no" ; checkConf=3D"no" = ;; >>>>>>>>>> + esac >>>>>>>>>> + shift # Shift after checking all the cases to get = next option >>>>>>>>>> +done >>>>>>>>>> + >>>>>>>>>> +case "${rpzAction}" in >>>>>>>>>> + # add new rpz list >>>>>>>>>> + add ) >>>>>>>>>> + check_name "${rpzName}" # is this a = valid name? >>>>>>>>>> + # does this config already exist? If yes, then = exit >>>>>>>>>> + if [[ -f "${rpzConfig}" ]] ; then >>>>>>>>>> + msg_log "error: rpz: duplicate - ${rpzConfig} = already exists. exit" >>>>>>>>>> + exit 104 >>>>>>>>>> + fi >>>>>>>>>> + >>>>>>>>>> + # is this a valid URL? >>>>>>>>>> + = regex=3D'^https://[-[:alnum:]\+&@#/%?=3D~_|!:,.;]*[-[:alnum:]\+&@#/%=3D~_|= ]' >>>>>>>>>> + if ! [[ "${rpzURL}" =3D~ $regex ]] ; then >>>>>>>>>> + msg_log "error: rpz: the URL is not valid: = \"${rpzURL}\". exit." 
>>>>>>>>>> + exit 105 >>>>>>>>>> + fi >>>>>>>>>> + >>>>>>>>>> + # create the zone config file >>>>>>>>>> + { >>>>>>>>>> + echo "rpz:" >>>>>>>>>> + echo " name: ${rpzName}.rpz" >>>>>>>>>> + echo " zonefile: ${rpzFile}" >>>>>>>>>> + echo " url: ${rpzURL}" >>>>>>>>>> + echo " rpz-action-override: nxdomain" >>>>>>>>>> + echo " rpz-log: ${rpzLog}" >>>>>>>>>> + echo " rpz-log-name: ${rpzName}" >>>>>>>>>> + echo " rpz-signal-nxdomain-ra: yes" >>>>>>>>>> + } > "${rpzConfig}" >>>>>>>>>> + >>>>>>>>>> + # set-up zonefile >>>>>>>>>> + # create an empty rpz file if it does not exist >>>>>>>>>> + if [[ ! -f "${rpzFile}" ]] ; then >>>>>>>>>> + touch "${rpzFile}" >>>>>>>>>> + # unbound requires these settings for rpz files >>>>>>>>>> + set_permissions "${rpzFile}" "${rpzConfig}" >>>>>>>>>> + fi >>>>>>>>>> + ;; >>>>>>>>>> + >>>>>>>>>> + # trash config file & rpz file >>>>>>>>>> + remove ) >>>>>>>>>> + if ! [[ -f "${rpzConfig}" ]] ; then >>>>>>>>>> + msg_log "error: rpz: cannot remove ${rpzConfig}, = does not exist. exit" >>>>>>>>>> + exit 106 >>>>>>>>>> + fi >>>>>>>>>> + >>>>>>>>>> + msg_log "info: rpz: remove config file & rpz file = \"${rpzName}\"" >>>>>>>>>> + rm "${rpzConfig}" >>>>>>>>>> + rm "${rpzFile}" >>>>>>>>>> + ;; >>>>>>>>>> + >>>>>>>>>> + reload ) >>>>>>>>>> + check_unbound_conf "${checkConf}" >>>>>>>>>> + ;; >>>>>>>>>> + >>>>>>>>>> + list ) >>>>>>>>>> + awk -F':' '/^\s*name:/{ gsub(/[[:blank:]]|\.rpz/, = "",$2) ; NAME=3D$2 } \ >>>>>>>>>> + /^\s*url:/{ gsub(/[[:blank:]]/, "") ; print = NAME"=3D"$2":"$3} ' \ >>>>>>>>>> + /etc/unbound/local.d/*rpz.conf >>>>>>>>>> + exit >>>>>>>>>> + ;; >>>>>>>>>> + >>>>>>>>>> + unbound-restart ) >>>>>>>>>> + check_unbound_conf "${checkConf}" >>>>>>>>>> + unbound_restart >>>>>>>>>> + exit >>>>>>>>>> + ;; >>>>>>>>>> + >>>>>>>>>> + * ) >>>>>>>>>> + msg_log "error: rpz: missing or incorrect parameter" >>>>>>>>>> + printf "Usage: $(basename "$0") =
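Review bot: in the config/backup/includes/rpz hunk, the zonefile entries cover only `/etc/unbound/zonefiles/allow.rpz` and `block.rpz`, while the `*rpz.conf` entry also backs up every per-list config that `rpz-config add` writes, each of which points at its own `/etc/unbound/zonefiles/${rpzName}.rpz`. After a restore those configs reference zonefiles that are not in the backup; if that is intentional because unbound re-fetches them from `url:`, a comment in the include file saying so would help, otherwise `/etc/unbound/zonefiles/*.rpz` keeps the backup consistent with the restored configs.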
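Review bot: in the config/rpz/00-rpz.conf hunk, `module-config: "respip validator iterator"` is set from a local.d include; unbound treats module-config as a single-valued option where the later definition overrides, so if the main unbound.conf also sets it (for example without `validator` when DNSSEC is off) the two will silently disagree and this one wins. The allow zone with `rpz-action-override: passthru` also depends on `00-` sorting ahead of every `${rpzName}.rpz.conf` in the include glob, since unbound applies RPZ zones in configuration order and the first matching zone decides; `check_name` is not in this patch hunk, so it is worth confirming it rejects names that would sort before `00-`.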
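Review bot: in the config/rpz/rpz-config hunk, `check_name "${rpzName}"` is only called in the `add` branch, but `rpzConfig` and `rpzFile` are built from `${rpzName}` before the case statement and the `remove` branch then runs `rm` on both without any validation, so a name containing `/` or `..` components reaches the filesystem unchecked; call `check_name` once before the `case` (or in `remove` as well) and use `rm -f "${rpzFile}"` since the zonefile may legitimately be absent. Three smaller points: the URL `regex` is anchored with `^` only, so anything after a valid prefix (quotes, whitespace, a newline) passes and is echoed verbatim into `${rpzConfig}`, which a trailing `$` anchor would prevent; `set_permissions "${rpzFile}" "${rpzConfig}"` sits inside `if [[ ! -f "${rpzFile}" ]]`, so the freshly written config file never gets its permissions set when the zonefile already exists, and the call should move outside that `if`; and in `list`, `awk -F':'` with `print NAME"="$2":"$3` drops everything after the third colon-separated field, truncating a URL with a port such as `https://host:8443/path`, so strip the `url:` prefix with `sub()` and print `$0` instead. The file is also added as mode 100644 while rpz-metrics and rpz-sleep are 100755; fine if the lfs sets the execute bit on install, otherwise it should match.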