From mboxrd@z Thu Jan  1 00:00:00 1970
From: jon <jon.murphy@ipfire.org>
To: development@lists.ipfire.org
Subject:
 Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
Date: Sat, 08 Feb 2025 12:41:14 -0600
Message-ID: <ED243073-E39A-47BA-BBF0-728A13C439BF@ipfire.org>
In-Reply-To: <A0568469-68D8-4C26-9154-E9961F4AAA60@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7051854566217718399=="
List-Id: <development.lists.ipfire.org>

--===============7051854566217718399==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Michael,

> I think I have covered this all at lengths before that this project has bee=
n started as a separate effort

Yes, this has been a separate effort (a very public separate effort).  Yes, a=
s you pointed this out early on with the "proof-of-concept" and then my reque=
st for people to help test RPZ.  Nothing was hidden. =20

This was done because you (and maybe others) did not have the time and I want=
ed to help and because I needed assistance with RPZ.  I tried my best to do t=
his without bothering you.



> and as far as I am aware none of the other team members has been involved. =
This has not been discussed either on this list, on our calls.

You were aware many steps along the way.  See your email on July 28, 2024, Au=
gust 15, 2024, September 30, 2024, December 23, 2024, and January 16.  My att=
empts to get the team involved were met with "things are busy" and sometimes =
silence.  (Yes, I get it, people are busy.)

You and Adolf, Leo, Erik and Bernhard have been aware since the beginning.  Y=
ou mention you were aware of the "proof-of-concept".  If you include those be=
ginning posts, since Sep 2023.



> This has not been discussed . . . on our calls.=20

On the July 28th you stated:
"We have talked about RPZ many times on the monthly call since the URL filter=
 feature is falling more and more out of fashion. I think there is also many =
posts about this on the forum."

Please don=E2=80=99t insult me again by stating "you know what I mean".

And it has been discussed but not documented in the Monthly Meeting notes.



>  Instead there has been a separate conversation on the forum with the occas=
ional dip here to the list. But that was not a regular two-way conversation. =


Regular conversation on the Dev Mailing list is many times met with silence. =
 I get it, people are busy. =20

And regular two-way conversation doesn=E2=80=99t happen on the list.  At leas=
t not with me.  I=E2=80=99d be happy to point out the posts that were met wit=
h silence. =20
Again, I get it, people are busy. =20

But the "dip here to the list" were my attempts to get a conversation started=
.  As I said, many time met with silence.

The only place I was not met with silence was on the Community.  You have a g=
reat group of people in the Community.  It is a shame you don=E2=80=99t want =
to have others help.  It would reduce your workload.



>  Therefore, what am I supposed to do with this email?

To me it is beyond obvious=E2=80=A6 =20

  If it isn=E2=80=99t what you want, then guide me with how to do this the co=
rrect way.  And be specific.  I am trying to help.  I am trying to make thing=
s better. I am trying to do things the right way.



> I don=E2=80=99t want to merge code that I don=E2=80=99t agree with.

I asked multiple times if you "agreed with the concept" and again, met with s=
ilence. Yes I get it, people are busy.=20



>  So many fundamental things that I have been raising have either not been d=
iscussed or outright dismissed.

You mentioned this a in the past, but for some reason you do not disclose wha=
t I dismissed.  Why do you continue to make this harder, wouldn=E2=80=99t it =
not be easier to tell me what I have dismissed?

I have sent multiple emails trying to answer your concerns and comments.  On =
July 28, Aug 14, Aug 22, Aug 23, Sep 30, etc.

I=E2=80=99ve gone through all of the questions you asked and I cannot find a =
"dismissed" item.



> I don=E2=80=99t want to merge code that has no future inside IPFire as ther=
e is no constructive conversation with the maintainers of it.

The maintainers of Unbound and/or RPZ? =20

The maintainers of Hagezi list, the threatfox list, the urlhaus list, etc.?

What else?  The maintainers or the RPZ scripts?  That is me.  Let=E2=80=99s t=
alk!


See, this is where it gets confusing.  There are hundreds of open source pack=
ages as part of IPFire.  Pick the last five years of items added to the IPFir=
e build.  You're telling me you have "constructive conversation with the main=
tainers" of all of the added packages?

Pick the IP Blocklists list (i.e., 3CORESEC, ABUSECH, DSHIELD, SPAMHAUS, etc.=
)  or the Suricata lists (i.e., Emergingthreats.net, Abuse.ch, etc.).  So you=
=E2=80=99ve have "constructive conversation with the maintainers"?



> Having been trying for a long time to make you aware of this, nothing of th=
is should come as a surprise.

Ha!  Yes a surprise.  In the beginning you seemed interested as IPFire needed=
 a replacement for URL Filter.  You asked good questions about the lists pick=
ed, asked for the value to the users, etc.  And I answered the best I could.

You even asked: =E2=80=9CWhy is this realised as an add-on and not part of th=
e core system?=E2=80=9D from your Jul 28, 2024 email.

And on January 16, 2025 I wrote a message looking for help.  And you were kin=
d to respond quickly.  So in three weeks time, since the kind response, somet=
hing has changed.  You went from supportive to "this".

So yes, I am surprised.


> Please consider if that can be changed and if there is a path forward with =
this.

Be more specific, what has to change?  What exactly did I dismiss?


Jon



> On Feb 6, 2025, at 2:13=E2=80=AFPM, Michael Tremer <michael.tremer(a)ipfire=
.org> wrote:
>=20
> Hello Jon,
>=20
> Well, here we are again with another patch regarding this feature.
>=20
> I cannot quite see from your email what the question is, but if this is a r=
equest to have this merged into IPFire, I am once again sorry to disappoint y=
ou.
>=20
> I think I have covered this all at lengths before that this project has bee=
n started as a separate effort and as far as I am aware none of the other tea=
m members has been involved. This has not been discussed either on this list,=
 on our calls. Instead there has been a separate conversation on the forum wi=
th the occasional dip here to the list. But that was not a regular two-way co=
nversation. Therefore, what am I supposed to do with this email?
>=20
> I don=E2=80=99t want to merge code that I don=E2=80=99t agree with. So many=
 fundamental things that I have been raising have either not been discussed o=
r outright dismissed.
>=20
> I don=E2=80=99t want to merge code that has no future inside IPFire as ther=
e is no constructive conversation with the maintainers of it.
>=20
> Having been trying for a long time to make you aware of this, nothing of th=
is should come as a surprise.
>=20
> Please consider if that can be changed and if there is a path forward with =
this.
>=20
> All the best,
> -Michael
>=20
>> On 6 Feb 2025, at 16:35, Jon Murphy <jon.murphy(a)ipfire.org> wrote:
>>=20
>> What is it?
>> Response Policy Zone (RPZ) is a mechanism to define local policies in a
>> standardized way and load those policies from external sources.
>> Bottom line: RPZ allows admins to easily block access to websites via DNS =
lookup.
>>=20
>> RPZ can block websites via categories.  Examples include: fake websites, a=
nnoying
>> pop-up ads, newly registered domains, DoH bypass sites, bad "host" service=
s,
>> maliscious top level domains (e.g., *.zip, *.mov), piracy, gambling, porno=
graphy,
>> and more.  RPZ lists come from various RPZ providers and their available
>> catagories.
>>=20
>> This RPZ add-on enables the RPZ functionality by adding a couple lines in a
>> configuration file.  This add-on simply adds configuration files and adds
>> scripts (config, metrics and sleep) to make RPZ easier for the admin to us=
e.
>>=20
>> The RPZ scripts include additional languages: German, Spanish, French, Tur=
kish,
>> and Italian.
>>=20
>> RPZ itself was release in 2010 and has been part of the IPFire build since=
 ~2015.
>>=20
>> Why is it needed?  What is its value?
>>=20
>> - The RPZ concept places this filtering into IPFire, our internet access
>> gateway, which is (should be) solely used as DNS source of the internal ne=
twork.
>>=20
>> - As most sites use HTTPS it makes it difficult to filter traffic with URL
>> Filter without also properly configuring conventional (non-transparent)
>> mode on the proxy.  RPZ is a nice replacement for the URL Filter.
>>=20
>> - No need to install and maintain an additional device like PiHole or AdBl=
ock
>> browser extensions on multiple user devices.
>>=20
>> - This is an additional layer of protection for users. Less worry someone =
will
>> click on something that gets them into trouble. And, saying this with emph=
asis,
>> the ability to do it in one place!
>>=20
>> - Blocked sites save on unneeded traffic and can lessen the threat of malw=
are
>> in advertisements
>>=20
>> - Logging allows the admin to see the site blocked and take actions
>>=20
>> - RPZ will be used at the home, home-office (work from home), schools,
>> ministerial, and at the office.  Device counts are small (2-6) to medium (=
~80)
>> to mediam-large (200+).
>>=20
>> - RPZ can block ads, popups, phishing, scammers, spyware, malware, annoying
>> popups, NSFW links, DOH servers, and the usual internet trash.
>>=20
>> ------------------------------
>>=20
>> Change Log for RPZ add-on
>>=20
>> rpz-1.0.0-18 on 2025-02-05
>> - Build for approval & release as IPFire add-on
>>=20
>> ---
>>=20
>> rpz-beta-0.1.18-18.ipfire on 2025-02-01
>> rpz.cgi:
>> - new feature: added a mod key to force a unbound restart
>>=20
>> rpz-config and rpz-make:
>> - new feature: added action for unbound restart `rpz-config unbound-restar=
t`
>>=20
>> rpz-metrics:
>> - simple reformatting
>> - rename far right column from "last update" to "last download"
>>=20
>> ---
>>=20
>> rpz-beta-0.1.17-17.ipfire on 2024-12-09
>> rpz-make
>> - bug fix: corrected validation regex for wildcards like: `*.domain.com`
>>=20
>> ---
>>=20
>> rpz-beta-0.1.16-16.ipfire on 2024-11-18
>> rpz-make
>> - new feature: updated validation regex
>> - bug fix: moved validation to beginning of process.  Now we validate befo=
re
>> creating config files.
>>=20
>> rpz.cgi:
>> - new feature: use CSS color variables of the main ipfire theme
>> - bug fix: empty zonefile remarks were stored as =E2=80=9Cundef=E2=80=9D a=
nd caused a warning
>> - bug fix: HTML textarea removes the first empty line in a custom list
>> - thank you Leo!
>>=20
>> ---
>>=20
>> rpz-beta-0.1.15-15.ipfire on 2024-11-04
>> rpz.cgi:
>> - new feature: added new language file for Turkish (thank you Peppe)
>>=20
>> rpz-make
>> - bug fix: corrected empty allow/block list issue.  An empty allow/block l=
ist
>> will now remove contents of allow/block.rpz files and remove unneeded
>> allow/block.conf file.  (thank you iptom)
>>=20
>> ---
>>=20
>> rpz-beta-0.1.14-14.ipfire on  2024-10-29
>> rpz-config:
>> - bug fix: correct missing rpz extension. `rpz-config list` displayed URL
>> incorrectly (thank you Bernhard)
>>=20
>> rpz.cgi:
>> - bug fix: remove extra `"` in language files (thank you Bernhard)
>> - new feature: slightly dim "apply" button when not enabled
>>=20
>> ---
>>=20
>> rpz-beta-0.1.13-13.ipfire on 2024-10-27
>> - skipped
>>=20
>> ---
>>=20
>> rpz-beta-0.1.12-12.ipfire on 2024-10-21
>> rpz.cgi:
>> - new feature: added new language file for French  (thank you gw-ipfire)
>>=20
>> ---
>>=20
>> rpz-beta-0.1.11-11.ipfire on 2024-10-18
>> rpz.cgi:
>> - new feature: added new language file for Italian (thank you umberto)
>> - new feature: added new language file for Spanish (thank you Roberto)
>>=20
>> ---
>>=20
>> rpz-beta-0.1.10-10.ipfire on 2024-10-15
>> rpz-make:
>> - bug fix: corrected validation error for a custom list entry (thank you s=
iosios)
>>  - e.g., `*.cloudflare-dns.com`
>>=20
>> install.sh:
>> - bug fix: add chown to correct user created files
>>=20
>> update.sh:
>> - bug fix: add chown to correct user created files (thank you siosios)
>>=20
>> ---
>>=20
>> rpz-beta-0.1.9-9.ipfire on 2024-10-08
>> rpz.cgi:
>> - new feature: added new language file for German (thank you Leo)
>> - bug fix: add missing "rpz exitcode 110"
>> - bug fix: corrected missing RPZ menu item at menu > IPFire
>>=20
>> ---
>>=20
>> rpz-beta-0.1.8-8.ipfire on 2024-10-04
>> - skipped
>>=20
>> ---
>>=20
>> rpz-beta-0.1.7-7.ipfire on 2024-10-03
>> All:
>> - new feature: includes beta version numbers for pakfire package,
>> instead of only `rpz-1.0.0-1.ipfire`, for each release.
>>=20
>> rpz.cgi:
>> - new feature: added new WebGUI at `rpz.cgi`
>>   - a BIG thank you to Leo Hofmann for all of his work creating the webgui=
!!
>> - bug fix: corrected missing RPZ menu item at menu > IPFire
>>=20
>> rpz-make:
>> - new feature: validate entries in allowlist and blocklist
>> - new feature: add "no-reload" option for WebGUI
>>=20
>> rpz-metrics:
>> - new feature: info can be sorted by name, by hit count, by line count, by
>> "enabled" list or all lists
>>=20
>> backups:
>> - bug fix: include all files in `/var/ipfire/dns/rpz` directory in backup
>>=20
>> update.sh:
>> - bug fix: corrected ownership for `/var/ipfire/dns/rpz` directory during =
an
>> update
>>=20
>> Build:
>> - bug fix: `block.rpz.conf` and `block.rpz` from build.  Files to be creat=
ed
>> by `rpz-make`
>>=20
>> WebGUI and German language file
>> Contribution-by: Leo-Andres Hofmann <hofmann(a)leo-andres.de>
>>=20
>> Spanish language file
>> Contribution-by: Roberto Pe=C3=B1a
>>=20
>> Italian language file
>> Contribution-by: Umberto Parma
>>=20
>> French language file
>> Contribution-by: gw-ipfire
>>=20
>> Turkish language file
>> Contribution-by: Peppe Tech
>>=20
>> Contribution-by: Bernhard Bitsch <bbitsch(a)ipfire.org>
>> Contribution-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
>> Signed-off-by: Jon Murphy <jon.murphy(a)ipfire.org
>> ---
>> config/backup/includes/rpz                 |   4 +
>> config/cfgroot/manualpages                 |   1 +
>> config/menu/EX-rpz.menu                    |   6 +
>> config/rootfiles/common/configroot         |   1 +
>> config/rootfiles/common/web-user-interface |   1 +
>> config/rootfiles/packages/rpz              |  20 +
>> config/rpz/00-rpz.conf                     |  10 +
>> config/rpz/rpz-config                      | 130 +++
>> config/rpz/rpz-functions                   |  85 ++
>> config/rpz/rpz-make                        | 203 +++++
>> config/rpz/rpz-metrics                     | 170 ++++
>> config/rpz/rpz-sleep                       |  58 ++
>> config/rpz/rpz.de.pl                       |  30 +
>> config/rpz/rpz.en.pl                       |  30 +
>> config/rpz/rpz.es.pl                       |  30 +
>> config/rpz/rpz.fr.pl                       |  30 +
>> config/rpz/rpz.it.pl                       |  30 +
>> config/rpz/rpz.tr.pl                       |  30 +
>> html/cgi-bin/rpz.cgi                       | 923 +++++++++++++++++++++
>> lfs/rpz                                    |  96 +++
>> make.sh                                    |   3 +-
>> src/paks/rpz/install.sh                    |  36 +
>> src/paks/rpz/uninstall.sh                  |  38 +
>> src/paks/rpz/update.sh                     |  52 ++
>> 24 files changed, 2016 insertions(+), 1 deletion(-)
>> create mode 100644 config/backup/includes/rpz
>> create mode 100644 config/menu/EX-rpz.menu
>> create mode 100644 config/rootfiles/packages/rpz
>> create mode 100644 config/rpz/00-rpz.conf
>> create mode 100644 config/rpz/rpz-config
>> create mode 100644 config/rpz/rpz-functions
>> create mode 100644 config/rpz/rpz-make
>> create mode 100755 config/rpz/rpz-metrics
>> create mode 100755 config/rpz/rpz-sleep
>> create mode 100644 config/rpz/rpz.de.pl
>> create mode 100644 config/rpz/rpz.en.pl
>> create mode 100644 config/rpz/rpz.es.pl
>> create mode 100644 config/rpz/rpz.fr.pl
>> create mode 100644 config/rpz/rpz.it.pl
>> create mode 100644 config/rpz/rpz.tr.pl
>> create mode 100644 html/cgi-bin/rpz.cgi
>> create mode 100644 lfs/rpz
>> create mode 100644 src/paks/rpz/install.sh
>> create mode 100644 src/paks/rpz/uninstall.sh
>> create mode 100644 src/paks/rpz/update.sh
>>=20
>> diff --git a/config/backup/includes/rpz b/config/backup/includes/rpz
>> new file mode 100644
>> index 000000000..36513e494
>> --- /dev/null
>> +++ b/config/backup/includes/rpz
>> @@ -0,0 +1,4 @@
>> +/var/ipfire/dns/rpz/*
>> +/etc/unbound/zonefiles/allow.rpz
>> +/etc/unbound/zonefiles/block.rpz
>> +/etc/unbound/local.d/*rpz.conf
>> diff --git a/config/cfgroot/manualpages b/config/cfgroot/manualpages
>> index 1f7e01efc..d3a48c633 100644
>> --- a/config/cfgroot/manualpages
>> +++ b/config/cfgroot/manualpages
>> @@ -70,6 +70,7 @@ pakfire.cgi=3Dconfiguration/ipfire/pakfire
>> wlanap.cgi=3Daddons/wireless
>> tor.cgi=3Daddons/tor
>> samba.cgi=3Daddons/samba
>> +rpz.cgi=3Daddons/rpz
>>=20
>> # Logs menu
>> logs.cgi/summary.dat=3Dconfiguration/logs/summary
>> diff --git a/config/menu/EX-rpz.menu b/config/menu/EX-rpz.menu
>> new file mode 100644
>> index 000000000..2f4daf410
>> --- /dev/null
>> +++ b/config/menu/EX-rpz.menu
>> @@ -0,0 +1,6 @@
>> +$subipfire->{'20.rpz'} =3D {
>> +    'caption' =3D> $Lang::tr{'rpz'},
>> +    'uri' =3D> '/cgi-bin/rpz.cgi',
>> +    'title' =3D> "RPZ",
>> +    'enabled' =3D> 1,
>> +};
>> diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/=
configroot
>> index 9839eee45..b30d6aae4 100644
>> --- a/config/rootfiles/common/configroot
>> +++ b/config/rootfiles/common/configroot
>> @@ -120,6 +120,7 @@ var/ipfire/menu.d/70-log.menu
>> #var/ipfire/menu.d/EX-apcupsd.menu
>> #var/ipfire/menu.d/EX-guardian.menu
>> #var/ipfire/menu.d/EX-mympd.menu
>> +#var/ipfire/menu.d/EX-rpz.menu
>> #var/ipfire/menu.d/EX-samba.menu
>> #var/ipfire/menu.d/EX-tor.menu
>> #var/ipfire/menu.d/EX-transmission.menu
>> diff --git a/config/rootfiles/common/web-user-interface b/config/rootfiles=
/common/web-user-interface
>> index 816241dae..e00464076 100644
>> --- a/config/rootfiles/common/web-user-interface
>> +++ b/config/rootfiles/common/web-user-interface
>> @@ -69,6 +69,7 @@ srv/web/ipfire/cgi-bin/proxy.cgi
>> srv/web/ipfire/cgi-bin/qos.cgi
>> srv/web/ipfire/cgi-bin/remote.cgi
>> srv/web/ipfire/cgi-bin/routing.cgi
>> +#srv/web/ipfire/cgi-bin/rpz.cgi
>> #srv/web/ipfire/cgi-bin/samba.cgi
>> srv/web/ipfire/cgi-bin/services.cgi
>> srv/web/ipfire/cgi-bin/shutdown.cgi
>> diff --git a/config/rootfiles/packages/rpz b/config/rootfiles/packages/rpz
>> new file mode 100644
>> index 000000000..1c8663049
>> --- /dev/null
>> +++ b/config/rootfiles/packages/rpz
>> @@ -0,0 +1,20 @@
>> +etc/unbound/local.d/00-rpz.conf
>> +etc/unbound/zonefiles
>> +etc/unbound/zonefiles/allow.rpz
>> +usr/sbin/rpz-config
>> +usr/sbin/rpz-functions
>> +usr/sbin/rpz-make
>> +usr/sbin/rpz-metrics
>> +usr/sbin/rpz-sleep
>> +var/ipfire/addon-lang/rpz.de.pl
>> +var/ipfire/addon-lang/rpz.en.pl
>> +var/ipfire/addon-lang/rpz.es.pl
>> +var/ipfire/addon-lang/rpz.fr.pl
>> +var/ipfire/addon-lang/rpz.it.pl
>> +var/ipfire/addon-lang/rpz.tr.pl
>> +var/ipfire/backup/addons/includes/rpz
>> +var/ipfire/dns/rpz
>> +var/ipfire/dns/rpz/allowlist
>> +var/ipfire/dns/rpz/blocklist
>> +var/ipfire/menu.d/EX-rpz.menu
>> +srv/web/ipfire/cgi-bin/rpz.cgi
>> diff --git a/config/rpz/00-rpz.conf b/config/rpz/00-rpz.conf
>> new file mode 100644
>> index 000000000..f005a4f2e
>> --- /dev/null
>> +++ b/config/rpz/00-rpz.conf
>> @@ -0,0 +1,10 @@
>> +server:
>> +    module-config: "respip validator iterator"
>> +
>> +rpz:
>> +    name:                    allow.rpz
>> +    zonefile:                /etc/unbound/zonefiles/allow.rpz
>> +    rpz-action-override:     passthru
>> +    rpz-log:                 yes
>> +    rpz-log-name:            allow
>> +    rpz-signal-nxdomain-ra:  yes
>> diff --git a/config/rpz/rpz-config b/config/rpz/rpz-config
>> new file mode 100644
>> index 000000000..c72d50f9b
>> --- /dev/null
>> +++ b/config/rpz/rpz-config
>> @@ -0,0 +1,130 @@
>> +#!/bin/bash
>> +#########################################################################=
######
>> +#                                                                        =
     #
>> +#  IPFire.org - A linux based firewall                                   =
     #
>> +#  Copyright (C) 2024-2025  IPFire Team  <info(a)ipfire.org>             =
       #
>> +#                                                                        =
     #
>> +#  This program is free software: you can redistribute it and/or modify  =
     #
>> +#  it under the terms of the GNU General Public License as published by  =
     #
>> +#  the Free Software Foundation, either version 3 of the License, or     =
     #
>> +#  (at your option) any later version.                                   =
     #
>> +#                                                                        =
     #
>> +#  This program is distributed in the hope that it will be useful,       =
     #
>> +#  but WITHOUT ANY WARRANTY; without even the implied warranty of        =
     #
>> +#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         =
     #
>> +#  GNU General Public License for more details.                          =
     #
>> +#                                                                        =
     #
>> +#  You should have received a copy of the GNU General Public License     =
     #
>> +#  along with this program.  If not, see <http://www.gnu.org/licenses/>. =
     #
>> +#                                                                        =
     #
>> +#########################################################################=
######
>> +
>> +version=3D"2025-01-11 - v44"
>> +
>> +###############     Functions     ###############
>> +
>> +source /usr/sbin/rpz-functions
>> +
>> +###############       Main        ###############
>> +
>> +tagName=3D"unbound"
>> +
>> +rpzAction=3D"${1}"                    #  input RPZ action
>> +rpzName=3D"${2}"                      #  input RPZ name
>> +rpzURL=3D"${3}"                       #  input RPZ URL
>> +rpzOption1=3D"${4}"                   #  input RPZ option #1
>> +rpzOption2=3D"${5}"                   #  input RPZ option #2
>> +
>> +rpzConfig=3D"/etc/unbound/local.d/${rpzName}.rpz.conf"    #  output zone =
conf file
>> +rpzFile=3D"/etc/unbound/zonefiles/${rpzName}.rpz"         #  output for R=
PZ file
>> +
>> +rpzLog=3D"yes"                        #  log default is yes
>> +ucReload=3D"yes"                      #  reload default is yes
>> +
>> +while [[ $# -gt 0 ]] ; do
>> +    case "$1" in
>> +        --no-log )      rpzLog=3D"no"   ;;
>> +        --no-reload )   ucReload=3D"no" ; checkConf=3D"no" ;;
>> +    esac
>> +    shift       # Shift after checking all the cases to get next option
>> +done
>> +
>> +case "${rpzAction}" in
>> +    #  add new rpz list
>> +    add )
>> +        check_name "${rpzName}"             #  is this a valid name?
>> +        #  does this config already exist?  If yes, then exit
>> +        if [[ -f "${rpzConfig}" ]] ; then
>> +            msg_log "error: rpz: duplicate - ${rpzConfig} already exists.=
 exit"
>> +            exit 104
>> +        fi
>> +
>> +        #  is this a valid URL?
>> +        regex=3D'^https://[-[:alnum:]\+&@#/%?=3D~_|!:,.;]*[-[:alnum:]\+&@=
#/%=3D~_|]'
>> +        if ! [[ "${rpzURL}" =3D~ $regex ]] ; then
>> +            msg_log "error: rpz: the URL is not valid: \"${rpzURL}\". exi=
t."
>> +            exit 105
>> +        fi
>> +
>> +        #  create the zone config file
>> +        {
>> +        echo "rpz:"
>> +        echo "    name:                   ${rpzName}.rpz"
>> +        echo "    zonefile:               ${rpzFile}"
>> +        echo "    url:                    ${rpzURL}"
>> +        echo "    rpz-action-override:    nxdomain"
>> +        echo "    rpz-log:                ${rpzLog}"
>> +        echo "    rpz-log-name:           ${rpzName}"
>> +        echo "    rpz-signal-nxdomain-ra: yes"
>> +        } > "${rpzConfig}"
>> +
>> +        #  set-up zonefile
>> +        #    create an empty rpz file if it does not exist
>> +        if [[ ! -f "${rpzFile}" ]] ; then
>> +            touch "${rpzFile}"
>> +            #  unbound requires these settings for rpz files
>> +            set_permissions "${rpzFile}" "${rpzConfig}"
>> +        fi
>> +        ;;
>> +
>> +    #  trash config file & rpz file
>> +    remove )
>> +        if ! [[ -f "${rpzConfig}" ]] ; then
>> +            msg_log "error: rpz: cannot remove ${rpzConfig}, does not exi=
st. exit"
>> +            exit 106
>> +        fi
>> +
>> +        msg_log "info: rpz: remove config file & rpz file \"${rpzName}\""
>> +        rm "${rpzConfig}"
>> +        rm "${rpzFile}"
>> +        ;;
>> +
>> +    reload )
>> +        check_unbound_conf "${checkConf}"
>> +        ;;
>> +
>> +    list )
>> +        awk -F':' '/^\s*name:/{ gsub(/[[:blank:]]|\.rpz/, "",$2) ; NAME=
=3D$2 } \
>> +            /^\s*url:/{ gsub(/[[:blank:]]/, "") ; print NAME"=3D"$2":"$3}=
 '  \
>> +            /etc/unbound/local.d/*rpz.conf
>> +        exit
>> +        ;;
>> +
>> +    unbound-restart )
>> +        check_unbound_conf "${checkConf}"
>> +        unbound_restart
>> +        exit
>> +        ;;
>> +
>> +    * )
>> +        msg_log "error: rpz: missing or incorrect parameter"
>> +        printf "Usage:   $(basename "$0") <ACTION> <NAME> <URL> <OPTION> =
<OPTION>\n"
>> +        printf "Version: ${version}\n"
>> +        exit 108
>> +        ;;
>> +
>> +esac
>> +
>> +unbound_control_reload "${ucReload}"
>> +
>> +exit
>> diff --git a/config/rpz/rpz-functions b/config/rpz/rpz-functions
>> new file mode 100644
>> index 000000000..ace1d2690
>> --- /dev/null
>> +++ b/config/rpz/rpz-functions
>> @@ -0,0 +1,85 @@
>> +#!/bin/bash
>> +#########################################################################=
######
>> +#                                                                        =
     #
>> +#  IPFire.org - A linux based firewall                                   =
     #
>> +#  Copyright (C) 2024  IPFire Team  <info(a)ipfire.org>                  =
       #
>> +#                                                                        =
     #
>> +#  This program is free software: you can redistribute it and/or modify  =
     #
>> +#  it under the terms of the GNU General Public License as published by  =
     #
>> +#  the Free Software Foundation, either version 3 of the License, or     =
     #
>> +#  (at your option) any later version.                                   =
     #
>> +#                                                                        =
     #
>> +#  This program is distributed in the hope that it will be useful,       =
     #
>> +#  but WITHOUT ANY WARRANTY; without even the implied warranty of        =
     #
>> +#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         =
     #
>> +#  GNU General Public License for more details.                          =
     #
>> +#                                                                        =
     #
>> +#  You should have received a copy of the GNU General Public License     =
     #
>> +#  along with this program.  If not, see <http://www.gnu.org/licenses/>. =
     #
>> +#                                                                        =
     #
>> +#########################################################################=
######
>> +
>> +version=3D"2024-12-10 - v02"
>> +
>> +###############     Functions     ###############
>> +
>> +msg_log () {
>> +    logger --tag "${tagName}" "$*"
>> +    if tty --silent ; then
>> +        echo "${tagName}:" "$*"
>> +    fi
>> +}
>> +
>> +#  check for a valid name
>> +check_name () {
>> +    local theName=3D"${1}"
>> +
>> +    regex=3D'^[a-zA-Z0-9_]+$'             # no dash or plus, alpha numeri=
c only
>> +    regex1=3D'^(allow|block)$'            # allow and block are reserved =
NAMEs
>> +    if [[ ! "${theName}" =3D~ $regex ]] || [[ "${theName}" =3D~ $regex1 ]=
] ; then
>> +        msg_log "error: rpz: the NAME is not valid: \"${theName}\". exit."
>> +        exit 101
>> +    fi
>> +}
>> +
>> +set_permissions () {
>> +    chown nobody:nobody "$@"
>> +    chmod 644 "$@"
>> +}
>> +
>> +check_unbound_conf () {
>> +    local thecheckConf=3D"${1:-yes}"      #   check config default is yes
>> +
>> +    #  check the above config files
>> +    if [[ "${thecheckConf}" =3D=3D yes ]] ; then
>> +        msg_log "info: rpz: check for errors with \"unbound-checkconf\""
>> +
>> +        if ! unbound-checkconf ; then
>> +            msg_log "error: rpz: unbound-checkconf found invalid configur=
ation."
>> +            msg_log \
>> +              "error: rpz: In Terminal run the command \"unbound-checkcon=
f\" for more information. exit."
>> +            exit 102
>> +        fi
>> +    fi
>> +}
>> +
>> +unbound_control_reload () {
>> +    local theReload=3D"${1:-yes}"     #   reload default is yes
>> +
>> +    if [[ "${theReload}" =3D=3D yes ]] ; then
>> +        #  reload due to the changes
>> +        msg_log  "info: rpz: run \"unbound-control reload\""
>> +
>> +        if ! unbound-control reload ; then
>> +            msg_log "error: rpz: unbound-control reload. exit."
>> +            exit 109
>> +        fi
>> +    fi
>> +}
>> +
>> +unbound_restart () {
>> +    #  restart due to the changes
>> +    msg_log  "info: rpz: run \"unbound restart\""
>> +
>> +    /usr/local/bin/unboundctrl restart
>> +}
>> diff --git a/config/rpz/rpz-make b/config/rpz/rpz-make
>> new file mode 100644
>> index 000000000..927d55170
>> --- /dev/null
>> +++ b/config/rpz/rpz-make
>> @@ -0,0 +1,203 @@
>> +#!/bin/bash
>> +#########################################################################=
######
>> +#                                                                        =
     #
>> +#  IPFire.org - A linux based firewall                                   =
     #
>> +#  Copyright (C) 2024-2025  IPFire Team  <info(a)ipfire.org>             =
       #
>> +#                                                                        =
     #
>> +#  This program is free software: you can redistribute it and/or modify  =
     #
>> +#  it under the terms of the GNU General Public License as published by  =
     #
>> +#  the Free Software Foundation, either version 3 of the License, or     =
     #
>> +#  (at your option) any later version.                                   =
     #
>> +#                                                                        =
     #
>> +#  This program is distributed in the hope that it will be useful,       =
     #
>> +#  but WITHOUT ANY WARRANTY; without even the implied warranty of        =
     #
>> +#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         =
     #
>> +#  GNU General Public License for more details.                          =
     #
>> +#                                                                        =
     #
>> +#  You should have received a copy of the GNU General Public License     =
     #
>> +#  along with this program.  If not, see <http://www.gnu.org/licenses/>. =
     #
>> +#                                                                        =
     #
>> +#########################################################################=
######
>> +
>> +version=3D"2025-01-11 - v14"
>> +
>> +###############     Functions     ###############
>> +
>> +source /usr/sbin/rpz-functions
>> +
>> +#   create the config file for allow
>> +make_allow_config () {
>> +    local theLog=3D"${1:-yes}"                            #  log default =
ON
>> +    local theConfig=3D"/etc/unbound/local.d/00-rpz.conf"  #  output zone =
conf file
>> +    local theList=3D"/var/ipfire/dns/rpz/allowlist"       #  input custom=
 list of domains
>> +
>> +    msg_log "info: rpz: make config file \"00-rpz.conf\""
>> +
>> +    echo "server:
>> +    module-config: \"respip validator iterator\"" > "${theConfig}"
>> +
>> +    #  does allow list exist?
>> +    if [[ -s "${theList}" ]] && grep -q . "${theList}" ; then
>> +
>> +    echo "rpz:
>> +    name:                   allow.rpz
>> +    zonefile:               /etc/unbound/zonefiles/allow.rpz
>> +    rpz-action-override:    passthru
>> +    rpz-log:                ${theLog}
>> +    rpz-log-name:           allow
>> +    rpz-signal-nxdomain-ra: yes" >> "${theConfig}"
>> +
>> +    fi
>> +
>> +    #  set-up zonefile - unbound requires these settings for rpz files
>> +    set_permissions "${theConfig}"
>> +}
>> +
>> +#   create the config file for block
>> +make_block_config () {
>> +    local theLog=3D"${1:-yes}"                                #  log defa=
ult ON
>> +    local theConfig=3D"/etc/unbound/local.d/block.rpz.conf"   #  output z=
one conf file
>> +    local theList=3D"/var/ipfire/dns/rpz/blocklist"           #  input cu=
stom list of domains
>> +
>> +    msg_log "info: rpz: make config file \"block.rpz.conf\""
>> +
>> +    #  does block list exist?
>> +    if [[ -s "${theList}" ]] && grep -q . "${theList}" ; then
>> +
>> +    echo "rpz:
>> +    name:                   block.rpz
>> +    zonefile:               /etc/unbound/zonefiles/block.rpz
>> +    rpz-action-override:    nxdomain
>> +    rpz-log:                ${theLog}
>> +    rpz-log-name:           block
>> +    rpz-signal-nxdomain-ra: yes" > "${theConfig}"
>> +
>> +        #  set-up zonefile - unbound requires these settings for rpz files
>> +        set_permissions "${theConfig}"
>> +    else
>> +        #   no - trash the config file
>> +        rm --verbose /etc/unbound/local.d/block.rpz.conf
>> +    fi
>> +}
>> +
>> +#   create an RPZ file for allow or block
>> +make_rpz_file () {
>> +    local theName=3D"${1}"        #   allow or block
>> +    local theAction=3D'.'         # the default is nxdomain or block
>> +    local actionList
>> +
>> +    local theList=3D"/var/ipfire/dns/rpz/${theName}list"         #  input=
 custom list of domains
>> +    local theZonefile=3D"/etc/unbound/zonefiles/${theName}.rpz"  #  outpu=
t file for RPZ
>> +
>> +    #  does a list exist?
>> +    if [[ -s "${theList}" ]] && grep -q . "${theList}" ; then
>> +
>> +        # for allow set to passthru
>> +        [[ "${theName}" =3D=3D allow ]] && theAction=3D'rpz-passthru.'
>> +
>> +        #  drop any extra "blanks" and add "CNAME <RPZ action>." to each =
line
>> +        actionList=3D$( awk '{$1=3D$1};1' "${theList}" |
>> +            sed "/^[^;].*[[:alnum:]]/ s|$|  CNAME   ${theAction}|" )
>> +
>> +        msg_log "info: rpz: create zonefile for \"${theName}list\""
>> +
>> +echo "; Name:             ${theName} list
>> +; Last modified:    $(date "+%Y-%m-%d at %H.%M.%S %Z")
>> +;
>> +;   domains with actions list
>> +;
>> +${actionList}" > "${theZonefile}"
>> +
>> +        #  set-up zonefile - unbound requires these settings for rpz files
>> +        set_permissions "${theZonefile}"
>> +        #  set-up allow/block list files
>> +        set_permissions "${theList}"
>> +    else
>> +        msg_log "info: rpz: the ${theList} is empty."
>> +
>> +        rm --verbose "${theZonefile}"   # trash the RPZ file
>> +    fi
>> +}
>> +
>> +#   check if allow/block list is valid
>> +validate_list () {
>> +    local theName=3D"${1}"        #   allow or block
>> +    local theList=3D"/var/ipfire/dns/rpz/${theName}list"  #  input custom=
 list of domains
>> +
>> + #   remove good:
>> + #    - properly formated domain names with or without leading wildcard
>> + #    - properly formated top level domain (TLD) names with wildcard
>> + #    - blank lines and comment lines
>> + #   remaining lines are considered "bad"
>> +    bad_lines=3D$( sed --regexp-extended  \
>> +        '/^(\*\.)?([a-zA-Z0-9](([a-zA-Z0-9\-]){0,61}[a-zA-Z0-9])?\.)+([a-=
zA-Z]{2,}|xn--[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])$/d ;
>> +         /^(\*\.)([a-z]{2,61}|xn--[a-z0-9]{1,60})$/d ;
>> +         /^$/d ; /^;/d' "${theList}" )
>> +
>> +    if [[ ! -z "${bad_lines}" ]] ; then
>> +        msg_log "error: rpz: invalid line(s) in ${theList}."
>> +        printf "%s\n" "bad line(s): ${bad_lines}"
>> +        exit 110
>> +    fi
>> +}
>> +
>> +
>> +###############       Main        ###############
>> +
>> +tagName=3D"unbound"
>> +
>> +rpzName=3D"${1}"                      #  input RPZ name
>> +
>> +rpzLog=3D"yes"                        #  log default is yes
>> +ucReload=3D"yes"                      #  reload default is yes
>> +
>> +while [[ $# -gt 0 ]] ; do
>> +    case "$1" in
>> +        --no-log )      rpzLog=3D"no"   ;;
>> +        --no-reload )   ucReload=3D"no" ;  checkConf=3D"no" ;;
>> +    esac
>> +    shift       # Shift after checking all the cases to get next option
>> +done
>> +
>> +case "${rpzName}" in
>> +    #  make a new allow or block rpz file
>> +
>> +    allow )
>> +        validate_list 'allow'           #   is the allowlist valid?
>> +        make_allow_config "${rpzLog}"
>> +        make_rpz_file 'allow'
>> +        ;;
>> +
>> +    allowblock )
>> +        validate_list 'allow'           #   is the list valid?
>> +        make_allow_config "${rpzLog}"
>> +        make_rpz_file 'allow'
>> +        ;&
>> +
>> +    block )
>> +        validate_list 'block'           #   is the blocklist valid?
>> +        make_block_config "${rpzLog}"
>> +        make_rpz_file 'block'
>> +        ;;
>> +
>> +    reload )
>> +        check_unbound_conf "${checkConf}"
>> +        ;;
>> +
>> +    unbound-restart )
>> +        check_unbound_conf "${checkConf}"
>> + unbound_restart
>> + exit
>> +        ;;
>> +
>> +    * )
>> +        msg_log "error: rpz: missing or incorrect parameter"
>> +        printf "Usage:   $(basename "$0") <NAME> <OPTION> <OPTION>\n"
>> +        printf "Version: ${version}\n"
>> +        exit 108
>> +        ;;
>> +esac
>> +
>> +unbound_control_reload "${ucReload}"
>> +
>> +exit
>> diff --git a/config/rpz/rpz-metrics b/config/rpz/rpz-metrics
>> new file mode 100755
>> index 000000000..4d43e1629
>> --- /dev/null
>> +++ b/config/rpz/rpz-metrics
>> @@ -0,0 +1,170 @@
>> +#!/bin/bash
>> +#########################################################################=
######
>> +#                                                                        =
     #
>> +#  IPFire.org - A linux based firewall                                   =
     #
>> +#  Copyright (C) 2024  IPFire Team  <info(a)ipfire.org>                  =
       #
>> +#                                                                        =
     #
>> +#  This program is free software: you can redistribute it and/or modify  =
     #
>> +#  it under the terms of the GNU General Public License as published by  =
     #
>> +#  the Free Software Foundation, either version 3 of the License, or     =
     #
>> +#  (at your option) any later version.                                   =
     #
>> +#                                                                        =
     #
>> +#  This program is distributed in the hope that it will be useful,       =
     #
>> +#  but WITHOUT ANY WARRANTY; without even the implied warranty of        =
     #
>> +#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         =
     #
>> +#  GNU General Public License for more details.                          =
     #
>> +#                                                                        =
     #
>> +#  You should have received a copy of the GNU General Public License     =
     #
>> +#  along with this program.  If not, see <http://www.gnu.org/licenses/>. =
     #
>> +#                                                                        =
     #
>> +#########################################################################=
######
>> +
>> +version=3D"2025-01-20 - v25"
>> +
>> +###############       Main        ###############
>> +
>> +weeks=3D"2"                   #   default to two message logs
>> +sortBy=3D"name"               #   default "by name"
>> +rpzActive=3D"enabled"         #   default "enabled only"
>> +
>> +while [[ $# -gt 0 ]] ; do
>> +    case "$1" in
>> +        --by-names | --by-name | name ) sortBy=3D"name"   ;;
>> +
>> +        --by-hits | --by-hit | hits | hit )      sortBy=3D"hit"    ;;
>> +
>> +        --by-lines | --by-line | lines | line )     sortBy=3D"line"   ;;
>> +
>> +        --by-effect ) sortBy=3D"effect"   ;;
>> +
>> +        --enabled-only )             rpzActive=3D"enabled" ;;
>> +
>> +        --active-all | --all | all )       rpzActive=3D"all"     ;;
>> +
>> +        [0-9] | [0-9][0-9] )         weeks=3D$1        ;;
>> +    esac
>> +    shift       # Shift after checking all the cases to get next option
>> +done
>> +
>> +#  get the list of message logs for N weeks
>> +messageLogs=3D$( find /var/log/messages* -type f | sort --version-sort |
>> +    head -"${weeks}" )
>> +
>> +#  get the list of RPZ names & counts from the message log(s)
>> +rpzNameCount=3D$( for logf in ${messageLogs} ; do
>> +    zgrep --text --fixed-strings 'info: rpz: applied' "${logf}" |
>> +      awk '$10 ~ /\[\w*]/ { print $10 }' ;
>> +    done | sort | uniq --count )
>> +
>> +#  flip results and remove brackets `[` and `]`
>> +rpzNameCount=3D$( echo "${rpzNameCount}" |
>> +    awk '{ print $2, $1 }' |
>> +    sed --regexp-extended 's|^\[(.*)\]|\1|' )
>> +
>> +#  grab only names
>> +rpzNames=3D$( echo "${rpzNameCount}" | awk '{ print $1 }' )
>> +
>> +#  get list of RPZ files
>> +rpzFileList=3D$( find /etc/unbound/zonefiles -type f -iname "*.rpz" )
>> +
>> +#  get basename of those files
>> +rpzBaseNames=3D$( echo "${rpzFileList}" |
>> +    sed 's|/etc/unbound/zonefiles/||g ; s|\.rpz||g ;' )
>> +
>> +#  add to rpzNames
>> +rpzNames=3D"${rpzNames}"$'\n'"${rpzBaseNames}"
>> +
>> +#  drop duplicate names
>> +rpzNames=3D$( echo "${rpzNames}" | sort --unique  )
>> +
>> +#  get line count for each RPZ
>> +lineCount=3D$( echo "${rpzFileList}" | xargs wc -l )
>> +
>> +#  get comment line count and blank line count for each RPZ
>> +commentCount=3D$( echo "${rpzFileList}" | xargs grep --count -e "^$" -e "=
^;" )
>> +
>> +#  get modified date each RPZ
>> +modDateList=3D$( echo "${rpzFileList}" | xargs stat -c '%.10y  %n' )
>> +
>> +ucListAuthZones=3D$( unbound-control list_auth_zones )
>> +
>> +#  get width of RPZ names
>> +pWidth=3D$( echo "${rpzNames}" | awk '{ print $1"   " }' | wc -L )
>> +pFormat=3D"%-${pWidth}s %-8s %-8s %8s %12s %12s\n"
>> +
>> +#  print title line
>> +printf "${pFormat}" "name" "hits" "active" "lines" " hits/line" "last dow=
nload"
>> +printf -- "--------------"
>> +
>> +theResults=3D""
>> +totalLines=3D0
>> +totalHits=3D0
>> +while read -r theName
>> +do
>> +    printf -- "--"        #   pretend progress bar
>> +
>> +    #  is this RPZ list active?
>> +    theActive=3D"disabled"
>> +    if grep --quiet "^${theName}\.rpz" <<< "${ucListAuthZones}"
>> +    then
>> +        theActive=3D"enabled"
>> +    else
>> +        [[ "${rpzActive}" =3D=3D enabled ]] && continue
>> +    fi
>> +
>> +    #  get hit count
>> +    theHits=3D"0"
>> +    if output=3D$( grep "^${theName}\s" <<< "${rpzNameCount}" ) ; then
>> +        theHits=3D$( echo "${output}" | awk '{ print $2 }' )
>> +        totalHits=3D$(( totalHits + theHits ))
>> +    fi
>> +
>> +    #  get line count
>> +    theLines=3D"n/a"
>> +    hitsPerLine=3D"0"
>> +    if output=3D$( grep --fixed-strings "/${theName}.rpz" <<< "${lineCoun=
t}" ) ; then
>> +        theLines=3D$( echo "${output}" | awk '{ print $1 }' )
>> +        totalLines=3D$(( totalLines + theLines ))
>> +
>> +        if [[ "${theLines}" -gt 2 ]] ; then
>> +            hitsPerLine=3D$(( 100 * theHits / theLines ))
>> +        fi
>> +    fi
>> +
>> +    #  get modification date
>> +    theModDate=3D"n/a"
>> +    if output=3D$( grep --fixed-strings "/${theName}.rpz" <<< "${modDateL=
ist}" ) ; then
>> +        theModDate=3D$( echo "${output}" | awk '{ print $1 }' )
>> +    fi
>> +
>> +    #  add to results list
>> +    theResults+=3D"${theName} ${theHits} ${theActive} ${theLines} ${hitsP=
erLine} ${theModDate}"$'\n'
>> +
>> +done <<< "${rpzNames}"
>> +
>> +case "${sortBy}" in
>> +    #  sort by "active" then by "name"
>> +    name) sortArg=3D(-k3,3r -k1,1) ;;
>> +
>> +    #  sort by "active" then by "hits" then by "name"
>> +    hit)  sortArg=3D(-k3,3r -k2,2nr -k1,1) ;;
>> +
>> +    #  sort by "active" then by "lines" then by "name"
>> +    line) sortArg=3D(-k3,3r -k4,4nr -k1,1) ;;
>> +
>> +    #  sort by "active" then by "effect" then by "name"
>> +    effect) sortArg=3D(-k3,3r -k5,5nr -k1,1) ;;
>> +esac
>> +
>> +printf -- "--------------\n"
>> +#  remove blank lines, sort, print as columns
>> +echo "${theResults}" |
>> +    awk '!/^[[:space:]]*$/' |
>> +    sort "${sortArg[@]}"    |
>> +    awk --assign=3Dwidth=3D"${pWidth}" \
>> +        '{ printf "%-*s %-8s %-8s %8s %10s %% %12s\n", width, $1, $2, $3,=
 $4, $5, $6 }'
>> +
>> +printf "${pFormat}" "" "=3D=3D=3D=3D=3D=3D=3D" "" "=3D=3D=3D=3D=3D=3D=3D=
=3D" "" ""
>> +printf "${pFormat}" "Totals -->" "${totalHits}" "" "${totalLines}" "" ""
>> +
>> +exit
>> diff --git a/config/rpz/rpz-sleep b/config/rpz/rpz-sleep
>> new file mode 100755
>> index 000000000..dd3603599
>> --- /dev/null
>> +++ b/config/rpz/rpz-sleep
>> @@ -0,0 +1,58 @@
>> +#!/bin/bash
>> +#########################################################################=
######
>> +#                                                                        =
     #
>> +#  IPFire.org - A linux based firewall                                   =
     #
>> +#  Copyright (C) 2024  IPFire Team  <info(a)ipfire.org>                  =
       #
>> +#                                                                        =
     #
>> +#  This program is free software: you can redistribute it and/or modify  =
     #
>> +#  it under the terms of the GNU General Public License as published by  =
     #
>> +#  the Free Software Foundation, either version 3 of the License, or     =
     #
>> +#  (at your option) any later version.                                   =
     #
>> +#                                                                        =
     #
>> +#  This program is distributed in the hope that it will be useful,       =
     #
>> +#  but WITHOUT ANY WARRANTY; without even the implied warranty of        =
     #
>> +#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         =
     #
>> +#  GNU General Public License for more details.                          =
     #
>> +#                                                                        =
     #
>> +#  You should have received a copy of the GNU General Public License     =
     #
>> +#  along with this program.  If not, see <http://www.gnu.org/licenses/>. =
     #
>> +#                                                                        =
     #
>> +#########################################################################=
######
>> +
>> +version=3D"2024-08-16"        # v05
>> +
>> +###############     Functions     ###############
>> +
>> +#   send message to message log
>> +msg_log () {
>> +    logger --tag "${tagName}" "$*"
>> +    if tty --silent ; then
>> +        echo "${tagName}:" "$*"
>> +    fi
>> +}
>> +
>> +###############       Main        ###############
>> +
>> +tagName=3D"unbound"
>> +
>> +sleepTime=3D"${1:-5m}"            #  default to sleep for 5m (5 minutes)
>> +
>> +zoneList=3D$( unbound-control list_auth_zones | awk '{print $1}' )
>> +
>> +for zone in ${zoneList} ; do
>> +    printf "disable ${zone}\t"
>> +    unbound-control rpz_disable "${zone}"
>> +done
>> +
>> +msg_log "info: rpz: disabled all zones for ${sleepTime}"
>> +
>> +sleep "${sleepTime}"
>> +
>> +for zone in ${zoneList} ; do
>> +    printf "enable ${zone}\t"
>> +    unbound-control rpz_enable "${zone}"
>> +done
>> +
>> +msg_log "info: rpz: enabled all zones"
>> +
>> +exit
>> diff --git a/config/rpz/rpz.de.pl b/config/rpz/rpz.de.pl
>> new file mode 100644
>> index 000000000..3770c6bb0
>> --- /dev/null
>> +++ b/config/rpz/rpz.de.pl
>> @@ -0,0 +1,30 @@
>> +#  Added for Response Policy Zone (RPZ) add-on
>> +%tr =3D (%tr,
>> +'rpz' =3D> 'Response Policy Zones (RPZ)',
>> +'rpz apply' =3D> '=C3=9Cbernehmen',
>> +'rpz cl allow enable' =3D> 'Benutzerdefinierte Allowlist aktivieren:',
>> +'rpz cl allow info' =3D> 'Zugelassene Domains (eine pro Zeile)<br>Beispie=
l: domain.com, *.domain.com',
>> +'rpz cl allow' =3D> 'Benutzerdefinierte Allowlist',
>> +'rpz cl block enable' =3D> 'Benutzerdefinierte Blocklist aktivieren:',
>> +'rpz cl block info' =3D> 'Gesperrte Domains (eine pro Zeile)<br>Beispiel:=
 domain.com, *.domain.com',
>> +'rpz cl block' =3D> 'Benutzerdefinierte Blocklist',
>> +'rpz cl' =3D> 'Benutzerdefinierte Listen',
>> +'rpz exitcode 101' =3D> 'Der Name enth=C3=A4lt unzul=C3=A4ssige Zeichen',
>> +'rpz exitcode 102' =3D> 'unbound-checkconf hat eine fehlerhafte Konfigura=
tion ermittelt. F=C3=BChren Sie das Kommando unbound-checkconf auf der Konsol=
e aus, um weitere Informationen zu erhalten.',
>> +'rpz exitcode 103' =3D> 'Die benutzerdefinierte Allow-/Blocklist ist leer=
',
>> +'rpz exitcode 104' =3D> 'Ein Eintrag mit identischem Namen existiert bere=
its',
>> +'rpz exitcode 105' =3D> 'Die URL ist ung=C3=BCltig',
>> +'rpz exitcode 106' =3D> 'Eintrag kann nicht entfernt werden, der Name exi=
stiert nicht',
>> +'rpz exitcode 107' =3D> 'Der Name ist ung=C3=BCltig - nur "allow" oder "b=
lock" m=C3=B6glich',
>> +'rpz exitcode 108' =3D> 'Fehlende oder inkorrekte Parameter',
>> +'rpz exitcode 109' =3D> 'unbound-control reload ist fehlgeschlagen',
>> +'rpz exitcode 110' =3D> 'Die benutzerdefinierte Allow-/Blocklist enth=C3=
=A4lt unzul=C3=A4ssige Eintr=C3=A4ge',
>> +'rpz exitcode 201' =3D> 'Die Anmerkung enth=C3=A4lt unzul=C3=A4ssige Zeic=
hen',
>> +'rpz exitcode 202' =3D> 'Ung=C3=BCltiger Eintrag in der benutzerdefiniert=
en Allowlist, Zeile ',
>> +'rpz exitcode 203' =3D> 'Ung=C3=BCltiger Eintrag in der benutzerdefiniert=
en Blocklist, Zeile ',
>> +'rpz exitcode 204' =3D> 'Ausgew=C3=A4hlter Eintrag existiert nicht: ',
>> +'rpz zf editor' =3D> 'Zonendatei-Eintrag bearbeiten',
>> +'rpz zf imported' =3D> '(importiert aus rpz-config)',
>> +'rpz zf remark info' =3D> 'Erlaubte Zeichen sind a-z, A-Z, 0-9 und Unters=
triche',
>> +'rpz zf' =3D> 'Zonendateien',
>> +);
>> diff --git a/config/rpz/rpz.en.pl b/config/rpz/rpz.en.pl
>> new file mode 100644
>> index 000000000..0720a8940
>> --- /dev/null
>> +++ b/config/rpz/rpz.en.pl
>> @@ -0,0 +1,30 @@
>> +#  Added for Response Policy Zone (RPZ) add-on
>> +%tr =3D (%tr,
>> +'rpz' =3D> 'Response Policy Zones (RPZ)',
>> +'rpz apply' =3D> 'Apply',
>> +'rpz cl allow enable' =3D> 'Enable custom allowlist:',
>> +'rpz cl allow info' =3D> 'Allowed domains (one per line)<br>Example: doma=
in.com, *.domain.com',
>> +'rpz cl allow' =3D> 'Custom allowlist',
>> +'rpz cl block enable' =3D> 'Enable custom blocklist:',
>> +'rpz cl block info' =3D> 'Blocked domains (one per line)<br>Example: doma=
in.com, *.domain.com',
>> +'rpz cl block' =3D> 'Custom blocklist',
>> +'rpz cl' =3D> 'Custom lists',
>> +'rpz exitcode 101' =3D> 'the NAME is not valid',
>> +'rpz exitcode 102' =3D> 'unbound-checkconf found invalid configuration. I=
n the Terminal run the command unbound-checkconf for more information',
>> +'rpz exitcode 103' =3D> 'the allow/block list is empty',
>> +'rpz exitcode 104' =3D> 'duplicate - NAME already exists',
>> +'rpz exitcode 105' =3D> 'the URL is not valid',
>> +'rpz exitcode 106' =3D> 'cannot remove the NAME does not exist',
>> +'rpz exitcode 107' =3D> 'the NAME is not valid - "allow" or "block" only',
>> +'rpz exitcode 108' =3D> 'missing or incorrect parameter',
>> +'rpz exitcode 109' =3D> 'unbound-control reload failed',
>> +'rpz exitcode 110' =3D> 'custom Allowlist/Blocklist contains invalid entr=
ies',
>> +'rpz exitcode 201' =3D> 'the REMARK is not valid',
>> +'rpz exitcode 202' =3D> 'invalid entry in allowlist, line ',
>> +'rpz exitcode 203' =3D> 'invalid entry in blocklist, line ',
>> +'rpz exitcode 204' =3D> 'Selected entry does not exist: ',
>> +'rpz zf editor' =3D> 'Edit zonefiles entry',
>> +'rpz zf imported' =3D> '(imported from rpz-config)',
>> +'rpz zf remark info' =3D> 'Valid characters are a-z, A-Z, 0-9 and undersc=
ore.',
>> +'rpz zf' =3D> 'Zonefiles',
>> +);
>> diff --git a/config/rpz/rpz.es.pl b/config/rpz/rpz.es.pl
>> new file mode 100644
>> index 000000000..98628e4aa
>> --- /dev/null
>> +++ b/config/rpz/rpz.es.pl
>> @@ -0,0 +1,30 @@
>> +#  Added for Response Policy Zone (RPZ) add-on
>> +%tr =3D (%tr,
>> +'rpz' =3D> 'Zonas de pol=C3=ADtica de respuesta (RPZ)',
>> +'rpz apply' =3D> 'Aplicar',
>> +'rpz cl allow enable' =3D> 'Habilitar la lista blanca personalizada:',
>> +'rpz cl allow info' =3D> 'Dominio permitido (uno por l=C3=ADnea)<br>Ejemp=
lo: domain.com, *.domain.com',
>> +'rpz cl allow' =3D> 'Lista blanca personalizada',
>> +'rpz cl block enable' =3D> 'Habilitar la lista negra personalizada:',
>> +'rpz cl block info' =3D> 'Dominio bloqueado (uno por l=C3=ADnea)<br>Ejemp=
lo: domain.com, *.domain.com',
>> +'rpz cl block' =3D> 'Lista negra personalizada',
>> +'rpz cl' =3D> 'Lista personalizada',
>> +'rpz exitcode 101' =3D> 'El NOMBRE no es v=C3=A1lido',
>> +'rpz exitcode 102' =3D> 'unbound-checkconf ha encontrado una configuraci=
=C3=B3n no v=C3=A1lida. Desde Terminal, ejecute el comando unbound-checkconf =
para mayor informaci=C3=B3n',
>> +'rpz exitcode 103' =3D> 'La lista de permitidos/bloqueados est=C3=A1 vac=
=C3=ADa',
>> +'rpz exitcode 104' =3D> 'duplicado - NOMBRE ya existe',
>> +'rpz exitcode 105' =3D> 'la URL no es v=C3=A1lida',
>> +'rpz exitcode 106' =3D> 'no es posible eliminar el NOMBRE que no existe',
>> +'rpz exitcode 107' =3D> 'el NOMBRE no es v=C3=A1lido - s=C3=B3lo "permiti=
r" o "bloquear"',
>> +'rpz exitcode 108' =3D> 'par=C3=A1metro faltante o incorrecto',
>> +'rpz exitcode 109' =3D> 'Error al recargar unbound-control',
>> +'rpz exitcode 110' =3D> 'la Lista blanca/Lista negra personalizada contie=
ne entradas no v=C3=A1lidas',
>> +'rpz exitcode 201' =3D> 'el COMENTARIO no es v=C3=A1lido',
>> +'rpz exitcode 202' =3D> 'entrada no v=C3=A1lida en la lista blanca, l=C3=
=ADnea ',
>> +'rpz exitcode 203' =3D> 'entrada no v=C3=A1lida en la lista negra, l=C3=
=ADnea ',
>> +'rpz exitcode 204' =3D> 'La entrada seleccionada no existe: ',
>> +'rpz zf editor' =3D> 'Editar la entrada de archivos de zona',
>> +'rpz zf imported' =3D> '(importado de rpz-config)',
>> +'rpz zf remark info' =3D> 'Los caracteres v=C3=A1lidos son a-z, A-Z, 0-9 =
y gui=C3=B3n bajo',
>> +'rpz zf' =3D> 'Archivos de zona',
>> +);
>> diff --git a/config/rpz/rpz.fr.pl b/config/rpz/rpz.fr.pl
>> new file mode 100644
>> index 000000000..f35f3c2d0
>> --- /dev/null
>> +++ b/config/rpz/rpz.fr.pl
>> @@ -0,0 +1,30 @@
>> +#  Added for Response Policy Zone (RPZ) add-on
>> +%tr =3D (%tr,
>> +'rpz' =3D> 'Response Policy Zones (RPZ)',
>> +'rpz apply' =3D> 'Appliquer',
>> +'rpz cl allow enable' =3D> 'Activer la liste d\'autorisations personnalis=
=C3=A9e:',
>> +'rpz cl allow info' =3D> 'Domaines autoris=C3=A9s (un par ligne)<br>Examp=
le: domain.com, *.domain.com',
>> +'rpz cl allow' =3D> 'Liste d\'autorisations personnalis=C3=A9e',
>> +'rpz cl block enable' =3D> 'Activer la liste de blocage personnalis=C3=A9=
e:',
>> +'rpz cl block info' =3D> 'Domaines bloqu=C3=A9s (un par ligne)<br>Example=
: domain.com, *.domain.com',
>> +'rpz cl block' =3D> 'liste de blocage personnalis=C3=A9',
>> +'rpz cl' =3D> 'Listes personnalis=C3=A9es',
>> +'rpz exitcode 101' =3D> 'le NOM n\'est pas valide',
>> +'rpz exitcode 102' =3D> 'unbound-checkconf configuration non valide trouv=
=C3=A9e. Dans le terminal, ex=C3=A9cutez la commande unbound-checkconf pour p=
lus d\'informations',
>> +'rpz exitcode 103' =3D> 'la liste autoriser/bloquer est vide',
>> +'rpz exitcode 104' =3D> 'le NOM existe d=C3=A9j=C3=A0',
>> +'rpz exitcode 105' =3D> 'L\'URL n\'est pas valide',
>> +'rpz exitcode 106' =3D> 'impossible de supprimer le NOM n\'existe pas',
>> +'rpz exitcode 107' =3D> 'le NOM n\'est pas valide - =C2=AB autoriser =C2=
=BB ou =C2=AB bloquer =C2=BB seulement',
>> +'rpz exitcode 108' =3D> 'param=C3=A8tre manquant ou incorrect',
>> +'rpz exitcode 109' =3D> 'unbound-control rechargement =C3=A9chou=C3=A9',
>> +'rpz exitcode 110' =3D> 'la liste autoriser/bloquer contient des entr=C3=
=A9es non valides',
>> +'rpz exitcode 201' =3D> 'la REMARQUE n\'est pas valable',
>> +'rpz exitcode 202' =3D> 'entr=C3=A9e non valide dans la liste d\'autorisa=
tion, ligne ',
>> +'rpz exitcode 203' =3D> 'entr=C3=A9e non valide dans la liste de blocs, l=
igne ',
>> +'rpz exitcode 204' =3D> 'L\'entr=C3=A9e s=C3=A9lectionn=C3=A9e n\'existe =
pas: ',
>> +'rpz zf editor' =3D> 'Modifier l\'entr=C3=A9e Fichiers Zone',
>> +'rpz zf imported' =3D> '(import=C3=A9 de rpz-config)',
>> +'rpz zf remark info' =3D> 'Les caract=C3=A8res valides sont a-z, A-Z, 0-9=
 et soulignement.',
>> +'rpz zf' =3D> 'Fichiers Zone',
>> +);
>> diff --git a/config/rpz/rpz.it.pl b/config/rpz/rpz.it.pl
>> new file mode 100644
>> index 000000000..ee81605c9
>> --- /dev/null
>> +++ b/config/rpz/rpz.it.pl
>> @@ -0,0 +1,30 @@
>> +#  Added for Response Policy Zone (RPZ) add-on
>> +%tr =3D (%tr,
>> +'rpz' =3D> 'Response Policy Zones (RPZ)',
>> +'rpz apply' =3D> 'Applica',
>> +'rpz cl allow enable' =3D> 'Abilita la Whitelist personalizzata:',
>> +'rpz cl allow info' =3D> 'Domini consentiti (uno per riga)<br>Esempio: do=
main.com, *.domain.com',
>> +'rpz cl allow' =3D> 'Whitelist personalizzata',
>> +'rpz cl block enable' =3D> 'Abilita la Blacklist personalizzata:',
>> +'rpz cl block info' =3D> 'Domini bloccati (uno per riga)<br>Esempio: doma=
in.com, *.domain.com',
>> +'rpz cl block' =3D> 'Blacklist personalizzata',
>> +'rpz cl' =3D> 'Liste personalizzate',
>> +'rpz exitcode 101' =3D> 'il NOME non =C3=A8 valido',
>> +'rpz exitcode 102' =3D> 'unbound-checkconf ha trovato una configurazione =
non valida. Dal Terminale esegui il comando unbound-checkconf per maggiori in=
formazioni',
>> +'rpz exitcode 103' =3D> 'l\'elenco consentiti/bloccati =C3=A8 vuoto',
>> +'rpz exitcode 104' =3D> 'duplicato - NAME esiste di gi=C3=A0',
>> +'rpz exitcode 105' =3D> 'l\'URL non =C3=A8 valido',
>> +'rpz exitcode 106' =3D> 'non =C3=A8 possibile rimuovere il NOME non esist=
e',
>> +'rpz exitcode 107' =3D> 'il NOME non =C3=A8 valido - solo "consenti" o "b=
locca"',
>> +'rpz exitcode 108' =3D> 'parametro mancante o non corretto',
>> +'rpz exitcode 109' =3D> 'ricaricamento del controllo non associato non ri=
uscito',
>> +'rpz exitcode 110' =3D> 'la Whitelist/Blacklist personalizzata contiene v=
oci non valide',
>> +'rpz exitcode 201' =3D> 'l"OSSERVAZIONE non =C3=A8 valida',
>> +'rpz exitcode 202' =3D> 'voce non valida nella Whitelist, riga ',
>> +'rpz exitcode 203' =3D> 'voce non valida nella Blacklist, riga ',
>> +'rpz exitcode 204' =3D> 'La voce selezionata non esiste: ',
>> +'rpz zf editor' =3D> 'Modifica la voce dei file di zona',
>> +'rpz zf imported' =3D> '(importato da rpz-config)',
>> +'rpz zf remark info' =3D> 'I caratteri validi sono a-z, A-Z, 0-9 e tratti=
no basso',
>> +'rpz zf' =3D> 'Zonefiles',
>> +);
>> diff --git a/config/rpz/rpz.tr.pl b/config/rpz/rpz.tr.pl
>> new file mode 100644
>> index 000000000..00226e192
>> --- /dev/null
>> +++ b/config/rpz/rpz.tr.pl
>> @@ -0,0 +1,30 @@
>> +#  I=EF=BF=BDin eklendi Ayriyeten Response Policy Zone (RPZ)
>> +%tr =3D (%tr,
>> +'rpz' =3D> 'Response Policy Zones (RPZ)',
>> +'rpz apply' =3D> 'Uygulamak',
>> +'rpz cl allow enable' =3D> '=EF=BF=BDzel Etkinlestir allowlist:',
>> +'rpz cl allow info' =3D> 'Izin verilmis domains (satir basina bir)<br>=EF=
=BF=BDrnegin: domain.com, *.domain.com',
>> +'rpz cl allow' =3D> 'Etkinlestir allowlist',
>> +'rpz cl block enable' =3D> '=EF=BF=BDzel Etkinlestir blocklist:',
>> +'rpz cl block info' =3D> 'Engellenmis domains (satir basina bir)<br>=EF=
=BF=BDrnegin: domain.com, *.domain.com',
>> +'rpz cl block' =3D> 'Engellenmis blocklist',
>> +'rpz cl' =3D> 'Engellenmis lists',
>> +'rpz exitcode 101' =3D> 'NAME ge=EF=BF=BDerli degil',
>> +'rpz exitcode 102' =3D> 'unbound-checkconf ge=EF=BF=BDersiz yapilandirma =
bulundu. Terminalde daha fazla bilgi i=EF=BF=BDin Unbound-checkConf komutunu =
=EF=BF=BDalistirin',
>> +'rpz exitcode 103' =3D> 'allow/block liste bos',
>> +'rpz exitcode 104' =3D> 'kopyalamak - NAME zaten var',
>> +'rpz exitcode 105' =3D> 'URL ge=EF=BF=BDerli degil',
>> +'rpz exitcode 106' =3D> '=EF=BF=BDikarilamiyor NAME yok',
>> +'rpz exitcode 107' =3D> 'NAME ge=EF=BF=BDerli degil - "allow" veya "block=
" yalniz',
>> +'rpz exitcode 108' =3D> 'Parametre eksik veya yanlis',
>> +'rpz exitcode 109' =3D> 'unbound-control basarisiz',
>> +'rpz exitcode 110' =3D> 'Engellenmis Allowlist/Blocklist ge=EF=BF=BDersiz=
 girisler i=EF=BF=BDerir',
>> +'rpz exitcode 201' =3D> 'REMARK ge=EF=BF=BDerli degil',
>> +'rpz exitcode 202' =3D> 'Ge=EF=BF=BDersiz giris allowlist, line ',
>> +'rpz exitcode 203' =3D> 'Ge=EF=BF=BDersiz giris blocklist, line ',
>> +'rpz exitcode 204' =3D> 'Se=EF=BF=BDilen giris yok: ',
>> +'rpz zf editor' =3D> 'yazimlamak zonefiles giris',
>> +'rpz zf imported' =3D> '(ithal edildi rpz-config)',
>> +'rpz zf remark info' =3D> 'Ge=EF=BF=BDerli karakterler a-z, A-Z, 0-9ve al=
t=EF=BF=BDst.',
>> +'rpz zf' =3D> 'Zonefiles',
>> +);
>> diff --git a/html/cgi-bin/rpz.cgi b/html/cgi-bin/rpz.cgi
>> new file mode 100644
>> index 000000000..a821c92ac
>> --- /dev/null
>> +++ b/html/cgi-bin/rpz.cgi
>> @@ -0,0 +1,923 @@
>> +#!/usr/bin/perl
>> +#########################################################################=
######
>> +#                                                                        =
     #
>> +# IPFire.org - A linux based firewall                                    =
     #
>> +# Copyright (C) 2005-2024  IPFire Team  <info(a)ipfire.org>              =
       #
>> +#                                                                        =
     #
>> +# This program is free software: you can redistribute it and/or modify   =
     #
>> +# it under the terms of the GNU General Public License as published by   =
     #
>> +# the Free Software Foundation, either version 3 of the License, or      =
     #
>> +# (at your option) any later version.                                    =
     #
>> +#                                                                        =
     #
>> +# This program is distributed in the hope that it will be useful,        =
     #
>> +# but WITHOUT ANY WARRANTY; without even the implied warranty of         =
     #
>> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          =
     #
>> +# GNU General Public License for more details.                           =
     #
>> +#                                                                        =
     #
>> +# You should have received a copy of the GNU General Public License      =
     #
>> +# along with this program.  If not, see <http://www.gnu.org/licenses/>.  =
     #
>> +#                                                                        =
     #
>> +#########################################################################=
######
>> +
>> +use strict;
>> +use Scalar::Util qw(looks_like_number);
>> +
>> +# debugging
>> +#use warnings;
>> +#use CGI::Carp 'fatalsToBrowser';
>> +#use Data::Dumper;
>> +
>> +require '/var/ipfire/general-functions.pl';
>> +require "${General::swroot}/lang.pl";
>> +require "${General::swroot}/header.pl";
>> +
>> +###--- Extra HTML ---###
>> +my $extraHead =3D <<END
>> +<style>
>> + /* alternating row background */
>> + .tbl tr:nth-child(2n+2) {
>> + background-color: var(--color-light-grey);
>> + }
>> + .tbl tr:nth-child(2n+3) {
>> + background-color: var(--color-grey);
>> + }
>> + /* text styles */
>> + .tbl th:not(:last-child) {
>> + text-align: left;
>> + }
>> + div.right {
>> + text-align: right;
>> + margin-top: 0.5em;
>> + }
>> + /* customlist input */
>> + textarea.domainlist {
>> + margin: 0.5em 0;
>> + resize: vertical;
>> + min-height: 10em;
>> + overflow: auto;
>> + white-space: pre;
>> + }
>> + button[type=3Dsubmit]:disabled {
>> + opacity: 0.6;
>> + }
>> +</style>
>> +END
>> +;
>> +###--- End of extra HTML ---###
>> +
>> +
>> +### Settings ###
>> +
>> +# Request DNS service reload after configuration change
>> +my $RPZ_RELOAD_FLAG =3D "${General::swroot}/dns/rpz/reload.flag";
>> +
>> +# Configuration file for all available zonefiles
>> +# Format: index, name (unique), enabled (on/off), URL, remark
>> +my $ZONEFILES_CONF =3D "${General::swroot}/dns/rpz/zonefiles.conf";
>> +
>> +# Configuration file for custom lists
>> +# IDs: 0=3Dallowlist, 1=3Dblocklist, 2=3Doptions (allow/block enabled)
>> +my $CUSTOMLISTS_CONF =3D "${General::swroot}/dns/rpz/customlists.conf";
>> +
>> +# Export custom lists to rpz-config
>> +my $RPZ_ALLOWLIST =3D "${General::swroot}/dns/rpz/allowlist";
>> +my $RPZ_BLOCKLIST =3D "${General::swroot}/dns/rpz/blocklist";
>> +
>> +
>> +### Preparation ###
>> +
>> +# Create missing config files
>> +unless(-f $ZONEFILES_CONF) { &General::system('touch', "$ZONEFILES_CONF")=
; }
>> +unless(-f $CUSTOMLISTS_CONF) { &General::system('touch', "$CUSTOMLISTS_CO=
NF"); }
>> +
>> +
>> +## Global gui data
>> +my $errormessage =3D "";
>> +
>> +## Global configuration data
>> +my %zonefiles =3D ();
>> +my %customlists =3D ();
>> +&_zonefiles_load();
>> +&_customlists_load();
>> +
>> +## Global CGI form data
>> +my %cgiparams =3D ();
>> +&Header::getcgihash(\%cgiparams);
>> +
>> +my $action =3D $cgiparams{'ACTION'} // 'NONE';
>> +my $action_key =3D $cgiparams{'KEY'} // ''; # entry being edited, empty =
=3D none/new
>> +
>> +
>> +###--- Process form actions ---###
>> +
>> +# Zonefiles action: Check whether the requested entry exists
>> +if((substr($action, 0, 3) eq 'ZF_') && ($action_key)) {
>> + unless(defined $zonefiles{$action_key}) {
>> + $errormessage =3D &_rpz_error_tr(204, $action_key);
>> + $action =3D 'NONE';
>> + }
>> +}
>> +
>> +## Perform actions
>> +if($action eq 'ZF_SAVE') { ## Save new or modified zonefiles entry
>> + if(&_action_zf_save()) {
>> + $action =3D 'NONE'; # success, return to main page
>> + &_http_prg_redirect();
>> + } else {
>> + $action =3D 'ZF_EDIT'; # error occured, keep editing
>> + }
>> +
>> +} elsif($action eq 'ZF_TOGGLE') { ## Toggle on/off
>> + if(&_action_zf_toggle()) {
>> + $action =3D 'NONE';
>> + &_http_prg_redirect();
>> + }
>> +
>> +} elsif($action eq 'ZF_REMOVE') { ## Remove entry
>> + if(&_action_zf_remove()) {
>> + $action =3D 'NONE';
>> + &_http_prg_redirect();
>> + }
>> +
>> +} elsif($action eq 'CL_SAVE') { ## Save custom lists
>> + if(&_action_cl_save()) {
>> + $action =3D 'NONE';
>> + &_http_prg_redirect();
>> + }
>> +
>> +} elsif($action eq 'RPZ_RELOAD') { ## Reload dns configuration
>> + if(&_action_rpz_reload()) {
>> + $action =3D 'NONE';
>> + &_http_prg_redirect();
>> + }
>> +
>> +} elsif($action eq 'UNB_RESTART') { ## Restart unbound service
>> + if(&_action_unb_restart()) {
>> + $action =3D 'NONE';
>> + &_http_prg_redirect();
>> + }
>> +
>> +}
>> +
>> +
>> +###--- Start GUI ---###
>> +
>> +## Start http output
>> +&Header::showhttpheaders();
>> +
>> +# Start HTML
>> +&Header::openpage($Lang::tr{'rpz'}, 1, $extraHead);
>> +&Header::openbigbox('100%', 'left', '');
>> +
>> +# Show error messages
>> +if($errormessage) {
>> + &_print_message($errormessage);
>> +}
>> +
>> +# Handle zonefile add/edit mode
>> +if($action eq "ZF_EDIT") {
>> + &_print_zonefile_editor();
>> +
>> + # Finalize page and exit cleanly
>> + &Header::closebigbox();
>> + &Header::closepage();
>> + exit(0);
>> +}
>> +
>> +# Show gui elements
>> +&_print_zonefiles();
>> +&_print_customlists();
>> +&_print_gui_extras();
>> +
>> +&Header::closebigbox();
>> +&Header::closepage();
>> +
>> +###--- End of GUI ---###
>> +
>> +
>> +###--- Internal configuration file functions ---###
>> +
>> +# Load all available zonefiles from rpz-config and the internal configura=
tion
>> +sub _zonefiles_load {
>> + # Clean start
>> + %zonefiles =3D ();
>> +
>> + # Source 1: Get the currently enabled zonefiles from rpz-config (expecte=
d format [name]=3D[URL])
>> + my @enabled_files =3D &General::system_output('/usr/sbin/rpz-config', 'l=
ist');
>> +
>> + foreach my $row (@enabled_files) {
>> + chomp($row);
>> +
>> + # Use regex instead of split() to skip non-matching lines
>> + next unless($row =3D~ /^(\w+)=3D(.+)$/);
>> + my ($name, $url) =3D ($1, $2);
>> +
>> + # Unique names are already guaranteed by rpz-config
>> + if(&_rpz_validate_zonefile($name, $url, '', 0) =3D=3D 0) {
>> + # Populate global data hash, mark all found entries as enabled
>> + my %entry =3D ('enabled' =3D> 'on',
>> + 'url' =3D> $url,
>> + 'remark' =3D> $Lang::tr{'rpz zf imported'});
>> +
>> + $zonefiles{$name} =3D \%entry;
>> + }
>> + }
>> +
>> + # Source 2: Get additional data and disabled entries from configuration =
file
>> + my %configured_files =3D ();
>> + &General::readhasharray($ZONEFILES_CONF, \%configured_files);
>> +
>> + foreach my $row (values (%configured_files)) {
>> + my ($name, $enabled, $url, $remark) =3D @$row;
>> + $remark //=3D "";
>> +
>> + next unless($name);
>> +
>> + # Check whether this row belongs to an entry already imported from rpz-c=
onfig
>> + if(defined $zonefiles{$name}) {
>> + # Existing entry, only merge additional data
>> + $zonefiles{$name}{'remark'} =3D $remark;
>> + } else {
>> + # Skip entry if it is marked as enabled but not found by rpz-config. It =
was then deleted manually
>> + if($enabled ne 'on') {
>> + # Populate global data hash
>> + my %entry =3D ('enabled' =3D> 'off',
>> + 'url' =3D> $url // "",
>> + 'remark' =3D> $remark);
>> +
>> + $zonefiles{$name} =3D \%entry;
>> + }
>> + }
>> + }
>> +}
>> +
>> +# Save internal zonefiles configuration
>> +sub _zonefiles_save_conf {
>> + my $index =3D 0;
>> + my %export =3D ();
>> +
>> + # Loop trough all zonefiles and create "hasharray" type export
>> + foreach my $name (keys %zonefiles) {
>> + my @entry =3D ($name,
>> + $zonefiles{$name}{'enabled'},
>> + $zonefiles{$name}{'url'},
>> + $zonefiles{$name}{'remark'});
>> +
>> + $export{$index++} =3D \@entry;
>> + }
>> +
>> + &General::writehasharray($ZONEFILES_CONF, \%export);
>> +}
>> +
>> +# Load custom lists from rpz-config and the internal configuration
>> +sub _customlists_load {
>> + # Clean start
>> + %customlists =3D ();
>> +
>> + # Load configuration file
>> + my %lists_conf =3D ();
>> + &General::readhasharray($CUSTOMLISTS_CONF, \%lists_conf);
>> +
>> + # Get list options, enabled by default to start import
>> + $customlists{'allow'}{'enabled'} =3D $lists_conf{2}[0] // 'on';
>> + $customlists{'block'}{'enabled'} =3D $lists_conf{2}[1] // 'on';
>> +
>> + # Import enabled list from rpz-config, otherwise retrieve stored or empt=
y list from configuration file
>> + if($customlists{'allow'}{'enabled'} eq 'on') {
>> + &_customlist_import('allow', $RPZ_ALLOWLIST);
>> + } else {
>> + $customlists{'allow'}{'list'} =3D $lists_conf{0} // [];
>> + }
>> + if($customlists{'block'}{'enabled'} eq 'on') {
>> + &_customlist_import('block', $RPZ_BLOCKLIST);
>> + } else {
>> + $customlists{'block'}{'list'} =3D $lists_conf{1} // [];
>> + }
>> +}
>> +
>> +# Save internal custom lists configuration
>> +sub _customlists_save_conf {
>> + my %export =3D ();
>> +
>> + # Match IDs with import function
>> + $export{0} =3D $customlists{'allow'}{'list'};
>> + $export{1} =3D $customlists{'block'}{'list'};
>> + $export{2} =3D [$customlists{'allow'}{'enabled'}, $customlists{'block'}{=
'enabled'}];
>> +
>> + &General::writehasharray($CUSTOMLISTS_CONF, \%export);
>> +}
>> +
>> +# Import a custom list from plain file, returns empty list if file is mis=
sing
>> +sub _customlist_import {
>> + my ($listname, $filename) =3D @_;
>> + my @list =3D ();
>> +
>> + # File exists, load and check all lines
>> + if(-f $filename) {
>> + open(my $FH, '<', $filename) or die "Can't read $filename: $!";
>> + while(my $line =3D <$FH>) {
>> + chomp($line);
>> + push(@list, $line);
>> + }
>> + close($FH);
>> +
>> + # Clean up imported data
>> + &_rpz_validate_customlist(\@list, 1);
>> + }
>> +
>> + $customlists{$listname}{'list'} =3D \@list;
>> +}
>> +
>> +# Export a custom list to plain file or clear file if list is disabled
>> +sub _customlist_export {
>> + my ($listname, $filename) =3D @_;
>> + return unless(defined $customlists{$listname});
>> +
>> + # Write enabled domain list to file, otherwise save empty file
>> + open(my $FH, '>', $filename) or die "Can't write $filename: $!";
>> +
>> + if($customlists{$listname}{'enabled'} eq 'on') {
>> + foreach my $line (@{$customlists{$listname}{'list'}}) {
>> + print $FH "$line\n";
>> + }
>> + } else {
>> + print $FH "; Note: This list is currently disabled by $ENV{'SCRIPT_NAME'=
}\n";
>> + }
>> +
>> + close($FH);
>> +}
>> +
>> +
>> +###--- Internal gui functions ---###
>> +
>> +# Show simple message box
>> +sub _print_message {
>> + my ($message, $title) =3D @_;
>> + $title ||=3D $Lang::tr{'error messages'};
>> +
>> + &Header::openbox('100%', 'left', $title);
>> + print "<span>$message</span>";
>> + &Header::closebox();
>> +}
>> +
>> +# Show all zone files and related gui elements
>> +sub _print_zonefiles {
>> + &Header::openbox('100%', 'left', $Lang::tr{'rpz zf'});
>> +
>> + print <<END
>> +<table class=3D"tbl" width=3D"100%">
>> + <tr>
>> + <th>$Lang::tr{'name'}</th>
>> + <th>URL</th>
>> + <th>$Lang::tr{'remark'}</th>
>> + <th colspan=3D"3">$Lang::tr{'action'}</th>
>> + </tr>
>> +END
>> +;
>> +
>> + # Sort zonefiles by name and loop trough all entries
>> + foreach my $name (sort keys %zonefiles) {
>> +
>> + # Toggle button label translation
>> + my $toggle_tr =3D ($zonefiles{$name}{'enabled'} eq 'on') ? $Lang::tr{'cl=
ick to disable'} : $Lang::tr{'click to enable'};
>> +
>> + print <<END
>> + <tr>
>> + <td>$name</td>
>> + <td>$zonefiles{$name}{'url'}</td>
>> + <td>$zonefiles{$name}{'remark'}</td>
>> +
>> + <td align=3D"center" width=3D"5%">
>> + <form method=3D"post" action=3D"$ENV{'SCRIPT_NAME'}">
>> + <input type=3D"hidden" name=3D"KEY" value=3D"$name">
>> + <input type=3D"hidden" name=3D"ACTION" value=3D"ZF_TOGGLE">
>> + <input type=3D"image" src=3D"/images/$zonefiles{$name}{'enabled'}.gif" t=
itle=3D"$toggle_tr" alt=3D"$toggle_tr">
>> + </form>
>> + </td>
>> + <td align=3D"center" width=3D"5%">
>> + <form method=3D"post" action=3D"$ENV{'SCRIPT_NAME'}">
>> + <input type=3D"hidden" name=3D"KEY" value=3D"$name">
>> + <input type=3D"hidden" name=3D"ACTION" value=3D"ZF_EDIT">
>> + <input type=3D"image" src=3D"/images/edit.gif" title=3D"$Lang::tr{'edit'=
}" alt=3D"$Lang::tr{'edit'}">
>> + </form>
>> + </td>
>> + <td align=3D"center" width=3D"5%">
>> + <form method=3D"post" action=3D"$ENV{'SCRIPT_NAME'}">
>> + <input type=3D"hidden" name=3D"KEY" value=3D"$name">
>> + <input type=3D"hidden" name=3D"ACTION" value=3D"ZF_REMOVE">
>> + <input type=3D"image" src=3D"/images/delete.gif" title=3D"$Lang::tr{'rem=
ove'}" alt=3D"$Lang::tr{'remove'}">
>> + </form>
>> + </td>
>> + </tr>
>> +END
>> +;
>> + }
>> +
>> + # Disable reload button if not needed
>> + my $reload_state =3D &_rpz_needs_reload() ? "" : " disabled";
>> +
>> + print <<END
>> +</table>
>> +
>> +<div class=3D"right">
>> + <form method=3D"post" action=3D"$ENV{'SCRIPT_NAME'}">
>> + <input type=3D"hidden" name=3D"KEY" value=3D"">
>> + <button type=3D"submit" name=3D"ACTION" value=3D"ZF_EDIT">$Lang::tr{'add=
'}</button>
>> + <button type=3D"submit" name=3D"ACTION" value=3D"RPZ_RELOAD" class=3D"co=
mmit"$reload_state>$Lang::tr{'rpz apply'}</button>
>> + </form>
>> +</div>
>> +END
>> +;
>> +
>> + &Header::closebox();
>> +}
>> +
>> +# Show zonefiles entry editor
>> +sub _print_zonefile_editor {
>> +
>> + # Key specified: Edit existing entry
>> + if(($action_key) && (defined $zonefiles{$action_key})) {
>> + # Load data to be edited, but don't override already present values (all=
ows user to edit after error)
>> + $cgiparams{'ZF_NAME'} //=3D $action_key;
>> + $cgiparams{'ZF_URL'} //=3D $zonefiles{$action_key}{'url'};
>> + $cgiparams{'ZF_REMARK'} //=3D $zonefiles{$action_key}{'remark'};
>> + }
>> +
>> + # Fallback to empty form
>> + $cgiparams{'ZF_NAME'} //=3D "";
>> + $cgiparams{'ZF_URL'} //=3D "";
>> + $cgiparams{'ZF_REMARK'} //=3D "";
>> +
>> + &Header::openbox('100%', 'left', $Lang::tr{'rpz zf editor'});
>> +
>> + print <<END
>> +<form method=3D"post" action=3D"$ENV{'SCRIPT_NAME'}">
>> +<input type=3D"hidden" name=3D"KEY" value=3D"$action_key">
>> +<table width=3D"100%">
>> + <tr>
>> + <td width=3D"20%">$Lang::tr{'name'}:&nbsp;<img src=3D"/blob.gif" alt=3D"=
*"></td>
>> + <td><input type=3D"text" name=3D"ZF_NAME" value=3D"$cgiparams{'ZF_NAME'}=
" size=3D"40" maxlength=3D"32" title=3D"$Lang::tr{'rpz zf remark info'}" patt=
ern=3D"[a-zA-Z0-9_]{1,32}" required></td>
>> + </tr>
>> + <tr>
>> + <td width=3D"20%">URL:&nbsp;<img src=3D"/blob.gif" alt=3D"*"></td>
>> + <td><input type=3D"url" name=3D"ZF_URL" value=3D"$cgiparams{'ZF_URL'}" s=
ize=3D"40" maxlength=3D"128" required></td>
>> + </tr>
>> + <tr>
>> + <td width=3D"20%">$Lang::tr{'remark'}:</td>
>> + <td><input type=3D"text" name=3D"ZF_REMARK" value=3D"$cgiparams{'ZF_REMA=
RK'}" size=3D"40" maxlength=3D"32"></td>
>> + </tr>
>> + <tr>
>> + <td colspan=3D"2"><hr></td>
>> + </tr>
>> + <tr>
>> + <td width=3D"55%"><img src=3D"/blob.gif" alt=3D"*">&nbsp;$Lang::tr{'requ=
ired field'}</td>
>> + <td align=3D"right"><button type=3D"submit" name=3D"ACTION" value=3D"ZF_=
SAVE">$Lang::tr{'save'}</button></td>
>> + </tr>
>> +</table>
>> +</form>
>> +
>> +<div class=3D"right">
>> + <form method=3D"post" action=3D"$ENV{'SCRIPT_NAME'}">
>> + <button type=3D"submit" name=3D"ACTION" value=3D"NONE">$Lang::tr{'back'}=
</button>
>> + </form>
>> +</div>
>> +END
>> +;
>> +
>> + &Header::closebox();
>> +}
>> +
>> +# Show custom allow/block files and related gui elements
>> +sub _print_customlists {
>> +
>> + # Load lists from config, unless they are currently being edited
>> + if($action ne 'CL_SAVE') {
>> + $cgiparams{'ALLOW_LIST'} =3D join("\n", @{$customlists{'allow'}{'list'}}=
);
>> + $cgiparams{'BLOCK_LIST'} =3D join("\n", @{$customlists{'block'}{'list'}}=
);
>> +
>> + $cgiparams{'ALLOW_ENABLED'} =3D ($customlists{'allow'}{'enabled'} eq 'on=
') ? 'on' : undef;
>> + $cgiparams{'BLOCK_ENABLED'} =3D ($customlists{'block'}{'enabled'} eq 'on=
') ? 'on' : undef;
>> + }
>> +
>> + # Fallback to empty form
>> + $cgiparams{'ALLOW_LIST'} //=3D "";
>> + $cgiparams{'BLOCK_LIST'} //=3D "";
>> +
>> + # HTML checkboxes, unchecked =3D no or undef value in POST data
>> + my %checked =3D ();
>> + $checked{'ALLOW_ENABLED'} =3D (defined $cgiparams{'ALLOW_ENABLED'}) ? " =
checked" : "";
>> + $checked{'BLOCK_ENABLED'} =3D (defined $cgiparams{'BLOCK_ENABLED'}) ? " =
checked" : "";
>> +
>> + # Disable reload button if not needed
>> + my $reload_state =3D &_rpz_needs_reload() ? "" : " disabled";
>> +
>> + &Header::openbox('100%', 'left', $Lang::tr{'rpz cl'});
>> +
>> + print <<END
>> +<form method=3D"post" action=3D"$ENV{'SCRIPT_NAME'}">
>> +<table width=3D"100%">
>> + <tr>
>> + <td colspan=3D"2"><b>$Lang::tr{'rpz cl allow'}</b><br>$Lang::tr{'rpz cl =
allow info'}</td>
>> + <td colspan=3D"2"><b>$Lang::tr{'rpz cl block'}</b><br>$Lang::tr{'rpz cl =
block info'}</td>
>> + </tr>
>> + <tr>
>> + <td colspan=3D"2"><textarea name=3D"ALLOW_LIST" class=3D"domainlist" col=
s=3D"45">
>> +$cgiparams{'ALLOW_LIST'}</textarea></td>
>> + <td colspan=3D"2"><textarea name=3D"BLOCK_LIST" class=3D"domainlist" col=
s=3D"45">
>> +$cgiparams{'BLOCK_LIST'}</textarea></td>
>> + </tr>
>> + <tr>
>> + <td><label for=3D"allow_enabled">$Lang::tr{'rpz cl allow enable'}</label=
></td>
>> + <td width=3D"15%"><input type=3D"checkbox" name=3D"ALLOW_ENABLED" id=3D"=
allow_enabled"$checked{'ALLOW_ENABLED'}></td>
>> + <td><label for=3D"block_enabled">$Lang::tr{'rpz cl block enable'}</label=
></td>
>> + <td width=3D"15%"><input type=3D"checkbox" name=3D"BLOCK_ENABLED" id=3D"=
block_enabled"$checked{'BLOCK_ENABLED'}></td>
>> + </tr>
>> + <tr>
>> + <td colspan=3D"4"><hr></td>
>> + </tr>
>> + <tr>
>> + <td align=3D"right" colspan=3D"4">
>> + <button type=3D"submit" name=3D"ACTION" value=3D"CL_SAVE">$Lang::tr{'sav=
e'}</button>
>> + <button type=3D"submit" name=3D"ACTION" value=3D"RPZ_RELOAD" class=3D"co=
mmit"$reload_state>$Lang::tr{'rpz apply'}</button>
>> + </td>
>> +</table>
>> +</form>
>> +END
>> +;
>> +
>> + &Header::closebox();
>> +}
>> +
>> +# Output javascript and extra gui elements
>> +sub _print_gui_extras {
>> +
>> + # Apply/Restart button modifier key handler
>> + if(&_rpz_needs_reload()) {
>> + print <<END
>> +<script>
>> + // Commit modifier key handler
>> + (function(jq, document) {
>> + var keyEventsOn =3D false; // Keyboard events attached
>> + var keyModify =3D false; // Modifier key pressed
>> + var mouseHover =3D false; // Mouse over commit button
>> + var btnModified =3D false; // Button modified to "Restart"
>> +
>> + // Document-level key events, enable only while cursor is over button
>> + function attachKeyEvents() {
>> + if(keyEventsOn) {
>> + return;
>> + }
>> + keyEventsOn =3D true;
>> +
>> + jq(document).on("keydown.rpz", function(event) {
>> + if((!keyModify) && event.shiftKey) {
>> + keyModify =3D true;
>> + handleModify();
>> + }
>> + });
>> + jq(document).on("keyup.rpz", function(event) {
>> + if(keyModify && (!event.shiftKey)) {
>> + keyModify =3D false;
>> + handleModify();
>> + }
>> + });
>> + }
>> + function removeKeyEvents() {
>> + keyModify =3D false;
>> + if(keyEventsOn) {
>> + jq(document).off("keydown.rpz keyup.rpz");
>> + keyEventsOn =3D false;
>> + }
>> + }
>> +
>> + // Attach mouse hover events to commit buttons
>> + function attachMouseEvents() {
>> + jq("button.commit").on("mouseenter", function(event) {
>> + if(!mouseHover) {
>> + mouseHover =3D true;
>> + attachKeyEvents();
>> + // Handle already pressed key
>> + keyModify =3D !!(event.shiftKey);
>> + handleModify();
>> + }
>> + });
>> +
>> + // Cursor moved away: Disable key listener to minimize events
>> + jq("button.commit").on("mouseleave", function() {
>> + if(mouseHover) {
>> + mouseHover =3D false;
>> + removeKeyEvents();
>> + handleModify();
>> + }
>> + });
>> + }
>> +
>> + // Modify commit button
>> + function handleModify() {
>> + let modify =3D mouseHover && keyModify;
>> + if(btnModified !=3D modify) {
>> + if(modify) {
>> + jq("button.commit").text("$Lang::tr{'restart'}").val("UNB_RESTART");
>> + } else {
>> + jq("button.commit").text("$Lang::tr{'rpz apply'}").val("RPZ_RELOAD");
>> + }
>> + btnModified =3D modify;
>> + }
>> + }
>> +
>> + // jQuery DOM ready
>> + jq(function() {
>> + attachMouseEvents();
>> + });
>> + })(jQuery, document);
>> +</script>
>> +END
>> +;
>> + } # End of modifier key handler
>> +
>> +}
>> +
>> +
>> +###--- Internal action processing functions ---###
>> +
>> +# Toggle zonefile on/off
>> +sub _action_zf_toggle {
>> + return unless(defined $zonefiles{$action_key});
>> +
>> + my $result =3D 0;
>> + my $enabled =3D $zonefiles{$action_key}{'enabled'};
>> +
>> + # Perform toggle action
>> + if($enabled eq 'on') {
>> + $enabled =3D 'off';
>> + $result =3D &General::system('/usr/sbin/rpz-config', 'remove', $action_k=
ey, '--no-reload');
>> + } else {
>> + $enabled =3D 'on';
>> + $result =3D &General::system('/usr/sbin/rpz-config', 'add', $action_key,=
 $zonefiles{$action_key}{'url'}, '--no-reload');
>> + }
>> +
>> + # Check for errors, request service reload on success
>> + return unless &_rpz_check_result($result, 1);
>> +
>> + # Save changes
>> + $zonefiles{$action_key}{'enabled'} =3D $enabled;
>> + &_zonefiles_save_conf();
>> +
>> + return 1;
>> +}
>> +
>> +# Remove zonefile
>> +sub _action_zf_remove {
>> + return unless(defined $zonefiles{$action_key});
>> +
>> + # Remove from rpz-config if currently active
>> + if($zonefiles{$action_key}{'enabled'} eq 'on') {
>> + my $result =3D &General::system('/usr/sbin/rpz-config', 'remove', $actio=
n_key, '--no-reload');
>> +
>> + # Check for errors, request service reload on success
>> + return unless &_rpz_check_result($result, 1);
>> + }
>> +
>> + # Remove from data hash and save changes
>> + delete $zonefiles{$action_key};
>> + &_zonefiles_save_conf();
>> +
>> + # Clear action_key, as the entry is now removed entirely
>> + $action_key =3D "";
>> +
>> + return 1;
>> +}
>> +
>> +# Create or update zonefile entry
>> +# Returns undef if gui needs to stay in editor mode
>> +sub _action_zf_save {
>> + my $result =3D 0;
>> +
>> + my $name =3D $cgiparams{'ZF_NAME'} // "";
>> + my $url =3D $cgiparams{'ZF_URL'} // "";
>> + my $remark =3D $cgiparams{'ZF_REMARK'} // "";
>> + my $enabled =3D 'on'; # Enable new entries by default
>> +
>> + # Note on variables:
>> + # name =3D unique key, will be used to address the entry
>> + # action_key =3D name of the entry being edited, empty for new entry
>> +
>> + # Only check for unique name if it changed
>> + # (this also checks new entries because the action_key is empty in this =
case)
>> + $result =3D &_rpz_validate_zonefile($name, $url, $remark, (lc($name) ne =
lc($action_key)));
>> + return unless &_rpz_check_result($result, 0);
>> +
>> + # Edit existing entry: Determine what was changed
>> + if(($action_key) && (defined $zonefiles{$action_key})) {
>> + # Name und URL remain unchanged, only save remark and finish
>> + if(($name eq $action_key) && ($url eq $zonefiles{$action_key}{'url'})) {
>> + $zonefiles{$action_key}{'remark'} =3D $remark;
>> + &_zonefiles_save_conf();
>> +
>> + return 1;
>> + }
>> +
>> + # Entry was changed and needs to be recreated, preserve status
>> + $enabled =3D $zonefiles{$action_key}{'enabled'};
>> +
>> + # Remove from rpz-config
>> + return unless &_action_zf_remove();
>> + }
>> +
>> + # Add new entry to rpz-config
>> + if($enabled eq 'on') {
>> + $result =3D &General::system('/usr/sbin/rpz-config', 'add', $name, $url,=
 '--no-reload');
>> +
>> + # Check for errors, request service reload on success
>> + return unless &_rpz_check_result($result, 1);
>> + }
>> +
>> + # Add to global data hash and save changes
>> + my %entry =3D ('enabled' =3D> $enabled,
>> + 'url' =3D> $url,
>> + 'remark' =3D> $remark);
>> +
>> + $zonefiles{$name} =3D \%entry;
>> + &_zonefiles_save_conf();
>> +
>> + return 1;
>> +}
>> +
>> +# Save custom lists
>> +sub _action_cl_save {
>> + return unless((defined $cgiparams{'ALLOW_LIST'}) && (defined $cgiparams{=
'BLOCK_LIST'}));
>> +
>> + my $result =3D 0;
>> +
>> + my @allowlist =3D split(/\R/, $cgiparams{'ALLOW_LIST'});
>> + my @blocklist =3D split(/\R/, $cgiparams{'BLOCK_LIST'});
>> +
>> + # Validate lists
>> + $result =3D &_rpz_validate_customlist(\@allowlist);
>> + if($result !=3D 0) {
>> + $errormessage =3D &_rpz_error_tr(202, $result);
>> + return;
>> + }
>> + $result =3D &_rpz_validate_customlist(\@blocklist);
>> + if($result !=3D 0) {
>> + $errormessage =3D &_rpz_error_tr(203, $result);
>> + return;
>> + }
>> +
>> + # Add to global data hash and save changes
>> + $customlists{'allow'}{'list'} =3D \@allowlist;
>> + $customlists{'block'}{'list'} =3D \@blocklist;
>> + $customlists{'allow'}{'enabled'} =3D (defined $cgiparams{'ALLOW_ENABLED'=
}) ? 'on' : 'off';
>> + $customlists{'block'}{'enabled'} =3D (defined $cgiparams{'BLOCK_ENABLED'=
}) ? 'on' : 'off';
>> +
>> + &_customlists_save_conf();
>> + &_customlist_export('allow', $RPZ_ALLOWLIST);
>> + &_customlist_export('block', $RPZ_BLOCKLIST);
>> +
>> + # Make new lists, request service reload on success
>> + $result =3D &General::system('/usr/sbin/rpz-make', 'allowblock', '--no-r=
eload');
>> + return unless &_rpz_check_result($result, 1);
>> +
>> + return 1;
>> +}
>> +
>> +# Trigger rpz-config reload
>> +sub _action_rpz_reload {
>> + return 1 unless &_rpz_needs_reload();
>> +
>> + # Immediately clear flag to prevent multiple reloads
>> + if(-f $RPZ_RELOAD_FLAG) {
>> + unlink($RPZ_RELOAD_FLAG) or die "Can't remove $RPZ_RELOAD_FLAG: $!";
>> + }
>> +
>> + # Perform reload, recreate reload flag on error to enable retry
>> + my $result =3D &General::system('/usr/sbin/rpz-config', 'reload');
>> + if(not &_rpz_check_result($result, 0)) {
>> + &General::system('touch', "$RPZ_RELOAD_FLAG");
>> + return;
>> + }
>> +
>> + return 1;
>> +}
>> +
>> +# Trigger unbound restart
>> +sub _action_unb_restart {
>> + return 1 unless &_rpz_needs_reload();
>> +
>> + # Immediately clear flag to prevent multiple restarts
>> + if(-f $RPZ_RELOAD_FLAG) {
>> + unlink($RPZ_RELOAD_FLAG) or die "Can't remove $RPZ_RELOAD_FLAG: $!";
>> + }
>> +
>> + # Perform restart, unboundctrl always exits zero
>> + &General::system('/usr/local/bin/unboundctrl', 'restart');
>> +
>> + return 1;
>> +}
>> +
>> +
>> +###--- Internal rpz-config functions ---###
>> +
>> +# Translate rpz-config exitcodes and messages
>> +# 100-199: rpz-config, 200-299: webgui
>> +sub _rpz_error_tr {
>> + my ($error, $append) =3D @_;
>> + $append //=3D '';
>> +
>> + # Translate numeric exit codes
>> + if(looks_like_number($error)) {
>> + if(defined $Lang::tr{"rpz exitcode $error"}) {
>> + $error =3D $Lang::tr{"rpz exitcode $error"};
>> + }
>> + }
>> +
>> + return "RPZ $Lang::tr{'error'}: $error" . &Header::escape($append);
>> +}
>> +
>> +# Check result of rpz-config system call, request reload on success
>> +sub _rpz_check_result {
>> + my ($result, $request_reload) =3D @_;
>> + $request_reload //=3D 0;
>> +
>> + # exitcode 0 =3D success
>> + if($result !=3D 0) {
>> + $errormessage =3D &_rpz_error_tr($result);
>> + return;
>> + }
>> +
>> + # Set reload flag
>> + if($request_reload) {
>> + &General::system('touch', "$RPZ_RELOAD_FLAG");
>> + }
>> +
>> + return 1;
>> +}
>> +
>> +# Test whether reload flag is set
>> +sub _rpz_needs_reload {
>> + return (-f $RPZ_RELOAD_FLAG);
>> +}
>> +
>> +# Validate a zonefile entry, returns rpz-config exitcode on failure. Use =
_rpz_check_result to verify.
>> +# unique =3D check for unique name
>> +sub _rpz_validate_zonefile {
>> + my ($name, $url, $remark, $unique) =3D @_;
>> + $unique //=3D 1;
>> +
>> + unless($name =3D~ /^[a-zA-Z0-9_]{1,32}$/) {
>> + return 101;
>> + }
>> + unless($url =3D~ /^[\w+\.:;\/\\&@#%?=3D\-~|!]{1,128}$/) {
>> + return 105;
>> + }
>> + unless($remark =3D~ /^[\w \-()\.:;*\/\\?!&=3D]{0,32}$/) {
>> + return 201;
>> + }
>> +
>> + # Check against already existing names
>> + if($unique) {
>> + foreach my $existing (keys %zonefiles) {
>> + if(lc($name) eq lc($existing)) {
>> + return 104;
>> + }
>> + }
>> + }
>> +
>> + return 0;
>> +}
>> +
>> +# Validate a custom list, returns number of rejected line on failure. Che=
ck for non-zero results.
>> +# listref =3D array reference, cleanup =3D remove invalid entries instead=
 of returning an error
>> +sub _rpz_validate_customlist {
>> + my ($listref, $cleanup) =3D @_;
>> + $cleanup //=3D 0;
>> +
>> + foreach my $index (reverse 0..$#{$listref}) {
>> + my $row =3D @$listref[$index];
>> + next unless($row); # Skip/allow empty lines
>> +
>> + # Reject/remove everything besides wildcard domains and remarks
>> + if((not &General::validwildcarddomainname($row)) && (not $row =3D~ /^;[\=
w \-()\.:;*\/\\?!&=3D]*$/)) {
>> + unless($cleanup) {
>> + # +1 for user friendly line number and to ensure non-zero exitcode
>> + return $index + 1;
>> + }
>> +
>> + # Remove current row
>> + splice(@$listref, $index, 1);
>> + }
>> + }
>> +
>> + return 0;
>> +}
>> +
>> +
>> +###--- Internal misc functions ---###
>> +
>> +# Send HTTP 303 redirect headers for post/request/get pattern
>> +# (Must be sent before calling &Header::showhttpheaders())
>> +sub _http_prg_redirect {
>> + my $location =3D "https://$ENV{'SERVER_NAME'}:$ENV{'SERVER_PORT'}$ENV{'S=
CRIPT_NAME'}";
>> + print "Status: 303 See Other\n";
>> + print "Location: $location\n";
>> +}
>> diff --git a/lfs/rpz b/lfs/rpz
>> new file mode 100644
>> index 000000000..7ddbc38e5
>> --- /dev/null
>> +++ b/lfs/rpz
>> @@ -0,0 +1,96 @@
>> +#########################################################################=
######
>> +#                                                                        =
     #
>> +# IPFire.org - A linux based firewall                                    =
     #
>> +# Copyright (C) 2024  IPFire Team  <info(a)ipfire.org>                   =
       #
>> +#                                                                        =
     #
>> +# This program is free software: you can redistribute it and/or modify   =
     #
>> +# it under the terms of the GNU General Public License as published by   =
     #
>> +# the Free Software Foundation, either version 3 of the License, or      =
     #
>> +# (at your option) any later version.                                    =
     #
>> +#                                                                        =
     #
>> +# This program is distributed in the hope that it will be useful,        =
     #
>> +# but WITHOUT ANY WARRANTY; without even the implied warranty of         =
     #
>> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          =
     #
>> +# GNU General Public License for more details.                           =
     #
>> +#                                                                        =
     #
>> +# You should have received a copy of the GNU General Public License      =
     #
>> +# along with this program.  If not, see <http://www.gnu.org/licenses/>.  =
     #
>> +#                                                                        =
     #
>> +#########################################################################=
######
>> +
>> +#########################################################################=
######
>> +#  Definitions
>> +#########################################################################=
######
>> +
>> +include Config
>> +
>> +SUMMARY    =3D response policy zone - RPZ reputation system for unbound D=
NS
>> +
>> +VER        =3D 1.0.0
>> +
>> +THISAPP    =3D rpz-$(VER)
>> +DIR_APP    =3D $(DIR_SRC)/$(THISAPP)
>> +TARGET     =3D $(DIR_INFO)/$(THISAPP)
>> +
>> +PROG       =3D rpz
>> +PAK_VER    =3D 18
>> +
>> +DEPS       =3D
>> +
>> +SERVICES   =3D
>> +
>> +#########################################################################=
######
>> +# Top-level Rules
>> +#########################################################################=
######
>> +
>> +install : $(TARGET)
>> +
>> +check :
>> +
>> +download :
>> +
>> +b2 :
>> +
>> +dist:
>> + @$(PAK)
>> +
>> +#########################################################################=
######
>> +# Installation Details
>> +#########################################################################=
######
>> +
>> +$(TARGET) :
>> + @$(PREBUILD)
>> + @rm -rf $(DIR_APP)
>> +
>> + #  RPZ scripts
>> + install --verbose --mode=3D755 \
>> +  $(DIR_CONF)/rpz/{rpz-config,rpz-metrics,rpz-sleep,rpz-make,rpz-function=
s} \
>> +  --target-directory=3D/usr/sbin
>> +
>> + #  RPZ config files
>> + mkdir -pv /etc/unbound/local.d
>> + install --verbose --mode=3D644 --owner=3Dnobody --group=3Dnobody \
>> +  $(DIR_CONF)/rpz/00-rpz.conf \
>> +  --target-directory=3D/etc/unbound/local.d
>> + chown --verbose --recursive nobody:nobody /etc/unbound/local.d
>> +
>> + #  RPZ custom list files for allow and block
>> + mkdir -pv /var/ipfire/dns/rpz
>> + touch /var/ipfire/dns/rpz/{allowlist,blocklist}
>> + chown --verbose --recursive nobody:nobody /var/ipfire/dns/rpz
>> +
>> + #  RPZ zone files
>> + #   create empty RPZ config file to avoid a unbound config error
>> + mkdir -pv /etc/unbound/zonefiles
>> + touch /etc/unbound/zonefiles/allow.rpz
>> + chown --verbose --recursive nobody:nobody /etc/unbound/zonefiles
>> +
>> + # Install addon-specific language-files
>> + install --verbose --mode=3D004 $(DIR_CONF)/rpz/rpz.*.pl \
>> +  --target-directory=3D/var/ipfire/addon-lang
>> +
>> + # Install backup definition
>> + cp -vf $(DIR_CONF)/backup/includes/rpz /var/ipfire/backup/addons/include=
s/rpz
>> +
>> + @rm -rf $(DIR_APP)
>> + @$(POSTBUILD)
>> diff --git a/make.sh b/make.sh
>> index 827ea9e77..a77535b13 100755
>> --- a/make.sh
>> +++ b/make.sh
>> @@ -390,7 +390,7 @@ prepareenv() {
>> if [ "${free_space}" -lt "${required_space}" ]; then
>> # Add any consumed space
>> while read -r consumed_space path; do
>> - (( free_space +=3D consumed_space / 1024 / 1024 ))=20
>> + (( free_space +=3D consumed_space / 1024 / 1024 ))
>> done <<< "$(du --summarize --bytes "${BUILD_DIR}" "${IMAGES_DIR}" "${LOG_D=
IR}" 2>/dev/null)"
>> fi
>>=20
>> @@ -2087,6 +2087,7 @@ build_system() {
>> lfsmake2 btrfs-progs
>> lfsmake2 inotify-tools
>> lfsmake2 grub-btrfs
>> + lfsmake2 rpz
>>=20
>> lfsmake2 linux
>> lfsmake2 rtl8812au
>> diff --git a/src/paks/rpz/install.sh b/src/paks/rpz/install.sh
>> new file mode 100644
>> index 000000000..ef99bf742
>> --- /dev/null
>> +++ b/src/paks/rpz/install.sh
>> @@ -0,0 +1,36 @@
>> +#!/bin/bash
>> +#########################################################################=
######
>> +#                                                                        =
     #
>> +#  IPFire.org - A linux based firewall                                   =
     #
>> +#  Copyright (C) 2024  IPFire Team  <info(a)ipfire.org>                  =
       #
>> +#                                                                        =
     #
>> +#  This program is free software: you can redistribute it and/or modify  =
     #
>> +#  it under the terms of the GNU General Public License as published by  =
     #
>> +#  the Free Software Foundation, either version 3 of the License, or     =
     #
>> +#  (at your option) any later version.                                   =
     #
>> +#                                                                        =
     #
>> +#  This program is distributed in the hope that it will be useful,       =
     #
>> +#  but WITHOUT ANY WARRANTY; without even the implied warranty of        =
     #
>> +#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         =
     #
>> +#  GNU General Public License for more details.                          =
     #
>> +#                                                                        =
     #
>> +#  You should have received a copy of the GNU General Public License     =
     #
>> +#  along with this program.  If not, see <http://www.gnu.org/licenses/>. =
     #
>> +#                                                                        =
     #
>> +#########################################################################=
######
>> +#
>> +. /opt/pakfire/lib/functions.sh
>> +extract_files
>> +restore_backup ${NAME}
>> +
>> +# fix user created files
>> +chown --verbose --recursive nobody:nobody \
>> + /var/ipfire/dns/rpz    \
>> + /etc/unbound/zonefiles \
>> + /etc/unbound/local.d
>> +
>> +# Update Language cache
>> +/usr/local/bin/update-lang-cache
>> +
>> +#  restart unbound to load config file
>> +/etc/init.d/unbound restart
>> diff --git a/src/paks/rpz/uninstall.sh b/src/paks/rpz/uninstall.sh
>> new file mode 100644
>> index 000000000..e11427df3
>> --- /dev/null
>> +++ b/src/paks/rpz/uninstall.sh
>> @@ -0,0 +1,38 @@
>> +#!/bin/bash
>> +#########################################################################=
######
>> +#                                                                        =
     #
>> +#  IPFire.org - A linux based firewall                                   =
     #
>> +#  Copyright (C) 2024  IPFire Team  <info(a)ipfire.org>                  =
       #
>> +#                                                                        =
     #
>> +#  This program is free software: you can redistribute it and/or modify  =
     #
>> +#  it under the terms of the GNU General Public License as published by  =
     #
>> +#  the Free Software Foundation, either version 3 of the License, or     =
     #
>> +#  (at your option) any later version.                                   =
     #
>> +#                                                                        =
     #
>> +#  This program is distributed in the hope that it will be useful,       =
     #
>> +#  but WITHOUT ANY WARRANTY; without even the implied warranty of        =
     #
>> +#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         =
     #
>> +#  GNU General Public License for more details.                          =
     #
>> +#                                                                        =
     #
>> +#  You should have received a copy of the GNU General Public License     =
     #
>> +#  along with this program.  If not, see <http://www.gnu.org/licenses/>. =
     #
>> +#                                                                        =
     #
>> +#########################################################################=
######
>> +#
>> +. /opt/pakfire/lib/functions.sh
>> +
>> +#  stop unbound to delete RPZ conf file
>> +/etc/init.d/unbound stop
>> +
>> +make_backup ${NAME}
>> +remove_files
>> +
>> +#  delete rpz config files.  Otherwise unbound will throw error:
>> +#    "[1723428668] unbound-control[17117:0] error: connect: Connection re=
fused for 127.0.0.1 port 8953"
>> +/bin/rm --verbose --force /etc/unbound/local.d/*.rpz.conf
>> +
>> +# Update Language cache
>> +/usr/local/bin/update-lang-cache
>> +
>> +#  start unbound to load unbound config file
>> +/etc/init.d/unbound start
>> diff --git a/src/paks/rpz/update.sh b/src/paks/rpz/update.sh
>> new file mode 100644
>> index 000000000..9bc340bc6
>> --- /dev/null
>> +++ b/src/paks/rpz/update.sh
>> @@ -0,0 +1,52 @@
>> +#!/bin/bash
>> +#########################################################################=
######
>> +#                                                                        =
     #
>> +#  IPFire.org - A linux based firewall                                   =
     #
>> +#  Copyright (C) 2024  IPFire Team  <info(a)ipfire.org>                  =
       #
>> +#                                                                        =
     #
>> +#  This program is free software: you can redistribute it and/or modify  =
     #
>> +#  it under the terms of the GNU General Public License as published by  =
     #
>> +#  the Free Software Foundation, either version 3 of the License, or     =
     #
>> +#  (at your option) any later version.                                   =
     #
>> +#                                                                        =
     #
>> +#  This program is distributed in the hope that it will be useful,       =
     #
>> +#  but WITHOUT ANY WARRANTY; without even the implied warranty of        =
     #
>> +#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         =
     #
>> +#  GNU General Public License for more details.                          =
     #
>> +#                                                                        =
     #
>> +#  You should have received a copy of the GNU General Public License     =
     #
>> +#  along with this program.  If not, see <http://www.gnu.org/licenses/>. =
     #
>> +#                                                                        =
     #
>> +#########################################################################=
######
>> +#
>> +. /opt/pakfire/lib/functions.sh
>> +
>> +#  from update.sh
>> +extract_backup_includes
>> +
>> +#  stop unbound to delete RPZ conf file
>> +/etc/init.d/unbound stop
>> +
>> +#  from uninstall.sh
>> +make_backup ${NAME}
>> +remove_files
>> +
>> +#  delete rpz config files.  Otherwise unbound will throw error:
>> +#    "unbound-control[nn:0] error: connect: Connection refused for 127.0.=
0.1 port 8953"
>> +/bin/rm --verbose --force /etc/unbound/local.d/*.rpz.conf
>> +
>> +#  from install.sh
>> +extract_files
>> +restore_backup ${NAME}
>> +
>> +# fix user created files
>> +chown --verbose --recursive nobody:nobody \
>> + /var/ipfire/dns/rpz    \
>> + /etc/unbound/zonefiles \
>> + /etc/unbound/local.d
>> +
>> +# Update Language cache
>> +/usr/local/bin/update-lang-cache
>> +
>> +#  restart unbound to load config files
>> +/etc/init.d/unbound start
>> --=20
>> 2.39.5
>>=20
>=20

Jon


--=20
Jon Murphy
jon.murphy(a)ipfire.org





--===============7051854566217718399==--