From: "Jon Murphy" To: "Michael Tremer" Subject: Re[2]: [PATCH] RPZ: update code to include WEBGUI and additional languages Cc: "Bernhard Bitsch" , "IPFire: Development-List" Date: Thu, 22 May 2025 15:42:54 +0000 Message-Id: In-Reply-To: References: <20250206163522.2363178-1-jon.murphy@ipfire.org> <8b594873-86ca-46b9-bb4b-94fd6b0239b1@ipfire.org> <9A0DBDA4-75B0-40D2-AE06-78D9BA5EE7D3@ipfire.org> <89101199-33D1-40AC-8CCE-DD97583129F2@ipfire.org> <8703C3D8-C30C-4A56-9F30-7B90BB1E3027@ipfire.org> <502fa002-d6da-45d6-9b3e-d4130e59f50a@ipfire.org> <64617942-44E2-4E7B-A8AB-D5C22F94F68B@ipfire.org> <8D5093D0-A699-4C4E-AEA3-185AD323EF67@ipfire.org> <9221F825-15BB-484C-A921-118C7F3266AC@ipfire.org> Reply-To: "Jon Murphy" Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: quoted-printable Now I am curious! What is your use-case? Tell me more... ------ Original Message ------ >From "Michael Tremer" To "Jon Murphy" Cc "Bernhard Bitsch" ; "IPFire: Development-List"=20 Date 5/22/2025 10:40:38=E2=80=AFAM Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional=20 languages >Hello Jon, > >I have not been spending on time on this at all since we talked last. > >I don=E2=80=99t need Unbound to download any files for my use-case either. > >-Michael > >> On 20 May 2025, at 17:30, Jon Murphy wrote: >> >> Michael, >> >> Were you able to debug RPZ and get Unbound to download `.rpz` files? >> >> >> Jon >> >> >> >> ------ Original Message ------ >> From "Michael Tremer" >> To "Jon Murphy" >> Cc "Bernhard Bitsch" ; "IPFire: Development-List" <= development@lists.ipfire.org> >> Date 3/24/2025 9:43:37=E2=80=AFAM >> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional l= anguages >> >>> Yes, I don=E2=80=99t need any debugging of this... 
>>> >>>> On 24 Mar 2025, at 14:42, Jon Murphy wrote: >>>> >>>> Is there a: >>>> >>>> server: >>>> module-config: "respip validator iterator" >>>> >>>> In your RPZ set-up? >>>> >>>> >>>> ------ Original Message ------ >>>> From "Michael Tremer" >>>> To "Jon Murphy" >>>> Cc "Bernhard Bitsch" ; "IPFire: Development-List" = >>>> Date 3/24/2025 9:40:15=E2=80=AFAM >>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional = languages >>>> >>>>> Because it is not doing it on my system... >>>>> >>>>>> On 24 Mar 2025, at 14:38, Jon Murphy wrote: >>>>>> >>>>>> Actually it did. >>>>>> >>>>>> Why do you think Unbound did not? >>>>>> >>>>>> >>>>>> ------ Original Message ------ >>>>>> From "Michael Tremer" >>>>>> To "Jon Murphy" >>>>>> Cc "Bernhard Bitsch" ; "IPFire: Development-Lis= t" >>>>>> Date 3/24/2025 9:36:53=E2=80=AFAM >>>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and addition= al languages >>>>>> >>>>>>> Unbound did not put those there... >>>>>>> >>>>>>>> On 24 Mar 2025, at 14:33, Jon Murphy wrot= e: >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> And where are these stored? >>>>>>>> >>>>>>>> In `/etc/unbound/zonefiles`: >>>>>>>> >>>>>>>> >>>>>>>> [root@ipfire ~] # ls -al /etc/unbound/zonefiles >>>>>>>> total 20664 >>>>>>>> drwxr-xr-x 2 nobody nobody 4096 Mar 24 04:40 . >>>>>>>> drwxr-xr-x 4 root root 4096 Mar 19 16:24 .. 
>>>>>>>> -rw-r--r-- 1 nobody nobody 3999087 Mar 23 15:11 adhocSB.rpz >>>>>>>> -rw-r--r-- 1 nobody nobody 1411 Mar 23 14:23 allow.rpz >>>>>>>> -rw-r--r-- 1 nobody nobody 25355 Mar 24 04:40 AmazonTrkrHZ.rpz >>>>>>>> -rw-r--r-- 1 nobody nobody 7241 Mar 24 04:40 AppleTrkrHZ.rpz >>>>>>>> -rw-r--r-- 1 nobody nobody 178 Mar 23 14:23 block.rpz >>>>>>>> -rw-r--r-- 1 nobody nobody 78496 Mar 24 04:40 DOHblockHZ.rpz >>>>>>>> -rw-r--r-- 1 nobody nobody 16983551 Mar 24 04:40 MxProPlusHZ.rpz >>>>>>>> -rw-r--r-- 1 nobody nobody 2893 Mar 24 04:40 tldHZ.rpz >>>>>>>> -rw-r--r-- 1 nobody nobody 29419 Mar 24 04:40 WinTrkrHZ.rpz >>>>>>>> [root@ipfire ~] # >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> ------ Original Message ------ >>>>>>>> From "Michael Tremer" >>>>>>>> To "Bernhard Bitsch" >>>>>>>> Cc development@lists.ipfire.org >>>>>>>> Date 3/24/2025 9:25:40=E2=80=AFAM >>>>>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additi= onal languages >>>>>>>> >>>>>>>>> Hello, >>>>>>>>> >>>>>>>>>> >>>>>>>>>> On 24 Mar 2025, at 13:33, Bernhard Bitsch = wrote: >>>>>>>>>> Am 24.03.2025 um 11:17 schrieb Michael Tremer: >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Hello Jon, >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> On 24 Mar 2025, at 00:00, Jon Murphy = wrote: >>>>>>>>>>>> Michael, >>>>>>>>>>>> FYI - I was wrong Unbound RPZ is _not_ watching the serial n= umber, it is watching the "refresh", the number after the serial number. >>>>>>>>>>> >>>>>>>>>>> Refresh just tells the client how often to check for an update= . >>>>>>>>>>> If that is actually being set by the list publisher, then we h= ave another problem here, because they could put some insanely low value th= ere and we would then DDoS their infrastructure. I think we should keep it= like we have it in other places that we control how often we want to check= or pull for updates. >>>>>>>>>>> >>>>>>>>>> You are right. But an extra update process wastes additional p= rocessor time. 
The update mechanism of unbound does the check for update (= however it is realized ) nevertheless. >>>>>>>>> >>>>>>>>> Yes, doing more things needs resources. But we are not seriousl= y considering whether an IPFire system has enough resources to perform the= download of a text file, or are we? >>>>>>>>> >>>>>>>>>> >>>>>>>>>>>> I understand that you don=E2=80=99t speak C, but you got the= information from somewhere. Documentation maybe? Since that is out of date= very often I like to consult the code. >>>>>>>>>>>> From testing. Downloading rpz files using rpz unbound, and wa= tching what happens. If the rpz file is setup for "once per day" refresh, t= hen it only downloads one time. >>>>>>>>>>>> However that won=E2=80=99t solve our problem . . . and hav= ing no cache. >>>>>>>>>>>> In `/etc/unbound/tuning.conf` there is `rrset-cache-size: 128= m`. Are you referring to a different cache. >>>>>>>>>>> >>>>>>>>>>> Naturally unbound is loading the zone into its memory which we = generally call cache. >>>>>>>>>>> When I say cache I am thinking about persistent data storage a= cross multiple restarts of Unbound. If I am downloading 100 MiB of RPZ list= s (which is presumably still on the lower end) and I reboot my firewall, I= do not want to download the same data again. We can only ever download a li= st *once* unless we are 100% certain that it has changed. Then we can downl= oad it once again. >>>>>>>>>> >>>>>>>>>> The RPZ lists are stored in files in persistent storage. Unbou= nd creates the internal cache from these. >>>>>>>>> >>>>>>>>> And where are these stored? >>>>>>>>> >>>>>>>>>> >>>>>>>>>>>> Maybe we need to implement both? >>>>>>>>>>>> Yes. There are very few AXFR list (I think only four were fo= und). And many more HTTPS rpz files. 
>>>>>>>>>>>> Jon >>>>>>>>>>>> ------ Original Message ------ >>>>>>>>>>>> From "Michael Tremer" >>>>>>>>>>>> To "Jon Murphy" >>>>>>>>>>>> Cc "IPFire: Development-List" >>>>>>>>>>>> Date 3/20/2025 11:26:43=E2=80=AFAM >>>>>>>>>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and ad= ditional languages >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> Hello Jon, >>>>>>>>>>>>> Please don=E2=80=99t forget to Cc the list... >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> On 19 Mar 2025, at 18:27, Jon Murphy wrote: >>>>>>>>>>>>>> Michael, >>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Where in the code is this implemented? I cannot find anyt= hing like this: >>>>>>>>>>>>>> >>>>>>>>>>>>>> Keep in mind I am not a "C" person. Maybe in this section?= : >>>>>>>>>>>>>> https://git.ipfire.org/?p=3Dthirdparty/unbound.git;a=3Dblob= ;f=3Dservices/authzone.c;hb=3D30b9cb5f813003d0a2b1c2e678652396615b1b7d#l587= 5 >>>>>>>>>>>>> >>>>>>>>>>>>> This where the AXFR response is being handled when doing a= DNS zone transfer. This code is not being called when performing a HTTP dow= nload. >>>>>>>>>>>>> I understand that you don=E2=80=99t speak C, but you got the = information from somewhere. Documentation maybe? Since that is out of date = very often I like to consult the code. >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> =E2=80=94 >>>>>>>>>>>>>> When I was just learning about RPZ I created a separate RPZ = file for testing. When I changed the SOA line with a new serial number, th= e RPZ file download would happen in about 5 minutes. >>>>>>>>>>>>>> https://people.ipfire.org/~jon/sblack-adhoc.rpz >>>>>>>>>>>>> >>>>>>>>>>>>> It might well be that the file is not being reloaded if the = download matches the content that unbound already has. That would of cours= e save some resources. >>>>>>>>>>>>> However that won=E2=80=99t solve our problem with redundant= downloads and having no cache. 
>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> That is how I found out the SOA line is watched for a seri= al number change. >>>>>>>>>>>>>> I=E2=80=99ll reconfirm my findings. >>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> The second reason is that we have a lot of firewalls out = there. Not all of them will enable this feature and all of the lists, but= even if it is a good chunk, we will generate terabytes of traffic which put = load on the infrastructure and will cost money. It simply is not what we w= ant to do, regardless of self-hosting those lists and pulling them from som= ewhere else. >>>>>>>>>>>>>> >>>>>>>>>>>>>> So I understand, are you thinking of hosting RPZ AXFR (DNS = zone transfer) on IPFire infrastructure? >>>>>>>>>>>>> >>>>>>>>>>>>> No, I don=E2=80=99t think that we can generally do this. Th= e biggest problem is licensing as we cannot take anyones content and host i= t ourselves. We would re-distribute those lists and that will only work wit= h permission of the publishers. I assume that would be too much work to act= ually get some useful content out there. We might limit ourselves to only t= hose lists that are under a very permissive license. Nobody wants that. >>>>>>>>>>>>> From a technical point of view, DNS over TCP might not be ve= ry nice in terms of forging the transfer and so we would need TLS as well= =E2=80=A6 It should work, but even if we would be able to encourage other p= eople to publish their lists I doubt they would implement DNS over TLS for= authoritative DNS. That standard is in very early stages as well. >>>>>>>>>>>>> As far as I can see, those vendors who offer a list as a com= mercial product are using DNS to distribute it (e.g. Spamhaus). Those peopl= e who have made this all a hobby are throwing the lists onto GitHub and let = them handle the traffic. >>>>>>>>>>>>> Maybe we need to implement both? 
>>>>>>>>>>>>> -Michael >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> Jon >>>>>>>>>>>>>> On 3/19/25 5:35 AM, Michael Tremer wrote: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Hello Jon, >>>>>>>>>>>>>>> Where in the code is this implemented? I cannot find anyth= ing like this: >>>>>>>>>>>>>>> Unbound loads the entire file into memory and then starts= parsing it. The only special treatment there is is to check whether the fir= st line is a valid zone entry. It does not even have to be a SOA record. >>>>>>>>>>>>>>> https://git.ipfire.org/?p=3Dthirdparty/unbound.git;a=3Dblo= b;f=3Dservices/authzone.c;hb=3D30b9cb5f813003d0a2b1c2e678652396615b1b7d#l11= 88 >>>>>>>>>>>>>>> I am also concerned that Unbound will not be able to suppo= rt an upstream proxy for any downloads. The caching situation is also uncle= ar for me, so I believe that we will be looking at writing a custom downloa= der that implements all these things. >>>>>>>>>>>>>>> -Michael >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> On 19 Mar 2025, at 02:58, Jon Murphy wrote: >>>>>>>>>>>>>>>> Michael, >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> The emphasis is on the repeated downloads of the same l= ist. That is >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> =E2=80=8B> what cannot happen. >>>>>>>>>>>>>>>> The Unbound RPZ code, as installed within IPFire, watches = for a change >>>>>>>>>>>>>>>> =E2=80=8Bin the SOA line of each RPZ file. This is an exa= mple of the first few >>>>>>>>>>>>>>>> =E2=80=8Blines for every RPZ file. >>>>>>>>>>>>>>>> $TTL 300 >>>>>>>>>>>>>>>> @ SOA localhost. root.localhost. 1742298960 43200 3600 86= 400 300 >>>>>>>>>>>>>>>> NS localhost. >>>>>>>>>>>>>>>> ; >>>>>>>>>>>>>>>> ; Title: HaGeZi's Pop-Up Ads DNS Blocklist >>>>>>>>>>>>>>>> ; Description: Blocks annoying and malicious pop-up ads. >>>>>>>>>>>>>>>> If the SOA serial number changes (e.g. the 1742298960), t= hen Unbound RPZ >>>>>>>>>>>>>>>> =E2=80=8Bcode does its thing and downloads. Otherwise the= re is no download. 
>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> So there has to be a way to ensure that we won=E2=80=99= t download a list again >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> =E2=80=8B> unless it has actually changed. >>>>>>>>>>>>>>>> This should do what you want but I may be missing your po= int. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> DNS has a builtin functionality called AXFR. It simply= does the job >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> =E2=80=8B> for you. I was just wondering whether that wa= s not being used. >>>>>>>>>>>>>>>> I need to read about AXFR/IXFR and learn a little more. >>>>>>>>>>>>>>>> Jon >>>>>>>>>>>>>>>> On 3/17/25 5:35 AM, Michael Tremer wrote: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Good Morning Jon, >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> On 16 Mar 2025, at 17:00, Jon Murphy wrote: >>>>>>>>>>>>>>>>>> Michael, >>>>>>>>>>>>>>>>>> I was reading through you response again an I want to u= nderstand this post: >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> I have also stated that we cannot download any lists= over HTTPS again and again and again. The implementation that we have here= seems to exactly do that and therefore I think that my feedback has been di= smissed entirely. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> So if RPZ doesn't use HTTPS, what is it using? I am mi= ssing a key point here. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> The emphasis is on the repeated downloads of the same l= ist. That is what cannot happen. >>>>>>>>>>>>>>>>> Although it might not affect a lot of people in our gene= ral user-base, there are some that have a metered connection and will pay f= or data by volume. Some of the lists I looked at are just under 20 MiB. The= refore we need to keep any traffic down to a minimum. The second reason is= that we have a lot of firewalls out there. 
Not all of them will enable this = feature and all of the lists, but even if it is a good chunk, we will gene= rate terabytes of traffic which put load on the infrastructure and will cos= t money. It simply is not what we want to do, regardless of self-hosting th= ose lists and pulling them from somewhere else. >>>>>>>>>>>>>>>>> So there has to be a way to ensure that we won=E2=80=99t = download a list again unless it has actually changed. >>>>>>>>>>>>>>>>> DNS has a builtin functionality called AXFR. It simply d= oes the job for you. I was just wondering whether that was not being used. >>>>>>>>>>>>>>>>> HTTPS is an option because that is simply what we use el= sewhere, but extra functionality will have to be built for it. >>>>>>>>>>>>>>>>> -Michael >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Jon >>>>>>>>>>>>>>>>>> On 2/13/25 3:34 PM, jon wrote: >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Michael, >>>>>>>>>>>>>>>>>>> I=E2=80=99ve read through your comments a few times an= d I ended up with many more questions. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> What I rather mean is that it has never been added a= s a topic on the agenda and it has not been pitched by yourself. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> To me the efforts to get new code accepted seem to ha= ve changed and it seemed easier in the past. In the past I made the Core Te= am aware via the Dev Mailing List and wrote a simple two or three paragraph= s of "What is it? / What is the value? / Here is the code" >>>>>>>>>>>>>>>>>>> So in an effort to move forward: How exactly is someth= ing presented to the Core Team? >>>>>>>>>>>>>>>>>>> Is there an example of a recent effort that was presen= ted that I can see as a sample? (This type of info can also be added to the = Wiki) >>>>>>>>>>>>>>>>>>> I understand you want it this way, but I don=E2=80=99t = know what exactly is needed. Please be specific. 
>>>>>>>>>>>>>>>>>>> Jon >>>>>>>>>>>>>>>>>>> PS - I am not ignoring your other comments, I am just= trying to move forward and keep things simple. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> On Feb 8, 2025, at 1:27=E2=80=AFPM, Michael Tremer <= michael.tremer@ipfire.org> wrote: >>>>>>>>>>>>>>>>>>>> Hello Jon, >>>>>>>>>>>>>>>>>>>> Thanks for your reply. And good that you are copying= everyone into this conversation. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> On 8 Feb 2025, at 18:41, jon wrote: >>>>>>>>>>>>>>>>>>>>> Michael, >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> I think I have covered this all at lengths before= that this project has been started as a separate effort >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Yes, this has been a separate effort (a very public = separate effort). Yes, as you pointed this out early on with the "proof-of= -concept" and then my request for people to help test RPZ. Nothing was hidd= en. >>>>>>>>>>>>>>>>>>>>> This was done because you (and maybe others) did not = have the time and I wanted to help and because I needed assistance with RP= Z. I tried my best to do this without bothering you. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> I don=E2=80=99t that it is accurate that nobody want= ed to help on this. The list was always open - although not every email has = been replied to swiftly it is also your responsibility to raise a question = again if it was missed. People here have open ears. >>>>>>>>>>>>>>>>>>>> It was also stated on this very list on in our docume= ntation that working on something without involving the core team is a risk= y undertaking. Of course IPFire is free software and so everyone is free to = fork if they wish to do so. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> and as far as I am aware none of the other team mem= bers has been involved. 
This has not been discussed either on this list, on = our calls. >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> You were aware many steps along the way. See your e= mail on July 28, 2024, August 15, 2024, September 30, 2024, December 23, 20= 24, and January 16. My attempts to get the team involved were met with "thi= ngs are busy" and sometimes silence. (Yes, I get it, people are busy.) >>>>>>>>>>>>>>>>>>>>> You and Adolf, Leo, Erik and Bernhard have been awar= e since the beginning. You mention you were aware of the "proof-of-concept"= . If you include those beginning posts, since Sep 2023. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Yes, I am aware of a proof-of-concept that I have be= en running myself for a long time. I am also aware of the efforts that you= have been taking. >>>>>>>>>>>>>>>>>>>> Yet I don=E2=80=99t think there has ever been any joi= nt effort, or am I seeing that wrong? >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> This has not been discussed . . . on our calls. >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> On the July 28th you stated: >>>>>>>>>>>>>>>>>>>>> "We have talked about RPZ many times on the monthly= call since the URL filter feature is falling more and more out of fashion.= I think there is also many posts about this on the forum." >>>>>>>>>>>>>>>>>>>>> Please don=E2=80=99t insult me again by stating "you = know what I mean". >>>>>>>>>>>>>>>>>>>>> And it has been discussed but not documented in the= Monthly Meeting notes. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> I am not at all insulting you. I don=E2=80=99t want= to take this down to a personal level at all. This is a public mailing list = and people who read this don=E2=80=99t need to listen to an argument we ar= e having. They are here for the tech inside IPFire. >>>>>>>>>>>>>>>>>>>> When I wrote that it has not been discussed that does = not mean that we have not been touching on the topic. 
We have been talking = about lots of things on the calls, the weather, politics, how our pets are= . None of that makes it to the logs. What I rather mean is that it has neve= r been added as a topic on the agenda and it has not been pitched by yourse= lf. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> Instead there has been a separate conversation on t= he forum with the occasional dip here to the list. But that was not a regul= ar two-way conversation. >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Regular conversation on the Dev Mailing list is man= y times met with silence. I get it, people are busy. >>>>>>>>>>>>>>>>>>>>> And regular two-way conversation doesn=E2=80=99t hap= pen on the list. At least not with me. I=E2=80=99d be happy to point out th= e posts that were met with silence. >>>>>>>>>>>>>>>>>>>>> Again, I get it, people are busy. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> And you think my emails are not being met with silen= ce? This has nothing to do with this specific topic. This has something to= do with how occupied people are and how engaged they are on certain topics. = Not everyone is involved in all the things and simply will ignore emails s= imply based on their subject line. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> But the "dip here to the list" were my attempts to= get a conversation started. As I said, many time met with silence. >>>>>>>>>>>>>>>>>>>>> The only place I was not met with silence was on the = Community. You have a great group of people in the Community. It is a sham= e you don=E2=80=99t want to have others help. It would reduce your workload= . >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> You should stop making statements that are not true. = Who doesn=E2=80=99t want anyone to help? >>>>>>>>>>>>>>>>>>>> Not having this conversation on a Saturday evening wo= uld reduce my workload. 
At least it would free up time for something else.= Helping with the things that are already on the go would reduce the workloa= d of the entire team. Starting one thing at a time and finishing it is a lo= t better to manage than starting a hundred things and not even finish one.= I can tell you that I already have a hundred things on the go. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> Therefore, what am I supposed to do with this email= ? >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> To me it is beyond obvious=E2=80=A6 >>>>>>>>>>>>>>>>>>>>> If it isn=E2=80=99t what you want, then guide me wit= h how to do this the correct way. And be specific. I am trying to help. I a= m trying to make things better. I am trying to do things the right way. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> To me it isn=E2=80=99t. This is yet another project= that has been dumped to the list like so many before and later on everyone= has left to have the team deal with the rest. >>>>>>>>>>>>>>>>>>>> It is a huge patch set. You explained what the vision = is, but that is about it. There is no chance this will continue if this di= sagreement isn=E2=80=99t solved first. I didn=E2=80=99t even look at the co= de. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> I don=E2=80=99t want to merge code that I don=E2=80= =99t agree with. >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> I asked multiple times if you "agreed with the conc= ept" and again, met with silence. Yes I get it, people are busy. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Having support for RPZ? Yes, it was definitely on th= e roadmap. That I agree with. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> So many fundamental things that I have been raising = have either not been discussed or outright dismissed. 
>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> You mentioned this a in the past, but for some reas= on you do not disclose what I dismissed. Why do you continue to make this h= arder, wouldn=E2=80=99t it not be easier to tell me what I have dismissed? >>>>>>>>>>>>>>>>>>>>> I have sent multiple emails trying to answer your co= ncerns and comments. On July 28, Aug 14, Aug 22, Aug 23, Sep 30, etc. >>>>>>>>>>>>>>>>>>>>> I=E2=80=99ve gone through all of the questions you a= sked and I cannot find a "dismissed" item. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Maybe I need to be *more clear*. I feel humoured by= this. >>>>>>>>>>>>>>>>>>>> It is late on a Saturday and I want my dinner soon, b= ut certainly I have stated that this should never be an add-on considering= it is supposed to replace URL Filter. We should never allow people to add t= heir own sources. I have also stated that we cannot download any lists over = HTTPS again and again and again. The implementation that we have here seem= s to exactly do that and therefore I think that my feedback has been dismis= sed entirely. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> I don=E2=80=99t want to merge code that has no futu= re inside IPFire as there is no constructive conversation with the maintain= ers of it. >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> The maintainers of Unbound and/or RPZ? >>>>>>>>>>>>>>>>>>>>> The maintainers of Hagezi list, the threatfox list,= the urlhaus list, etc.? >>>>>>>>>>>>>>>>>>>>> What else? The maintainers or the RPZ scripts? That= is me. Let=E2=80=99s talk! >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> You. I don=E2=80=99t care much about the providers o= f the lists. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> See, this is where it gets confusing. There are hun= dreds of open source packages as part of IPFire. Pick the last five years o= f items added to the IPFire build. 
You're telling me you have "constructive = conversation with the maintainers" of all of the added packages? >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> They publish their software and they don=E2=80=99t c= are whether I am pulling it or not. They publish it with the commitment to= maintain it - sometimes for better and sometimes for worse. >>>>>>>>>>>>>>>>>>>> You care about me pulling your code and I don=E2=80= =99t know whether you would commit to maintain this. >>>>>>>>>>>>>>>>>>>> These two are very different cases. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Pick the IP Blocklists list (i.e., 3CORESEC, ABUSEC= H, DSHIELD, SPAMHAUS, etc.) or the Suricata lists (i.e.,Emergingthreats.net = ,Abuse.ch , etc.). So you= =E2=80=99ve have "constructive conversation with the maintainers"? >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Yes, occasionally I have phone calls with a few of t= hese providers. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> Having been trying for a long time to make you awar= e of this, nothing of this should come as a surprise. >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Ha! Yes a surprise. In the beginning you seemed int= erested as IPFire needed a replacement for URL Filter. You asked good quest= ions about the lists picked, asked for the value to the users, etc. And I a= nswered the best I could. >>>>>>>>>>>>>>>>>>>>> You even asked: =E2=80=9CWhy is this realised as an= add-on and not part of the core system?=E2=80=9D from your Jul 28, 2024 ema= il. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Ah, so, why is the patch creating an add-on? Not tha= t I am saying that what I say is law, but it has not been challenged either= . If my input is being ignored, why should I put this to the top of my list = of priorities? I am not disappointed about this, just trying to be very go= od with my time. 
>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> And on January 16, 2025 I wrote a message looking f= or help. And you were kind to respond quickly. So in three weeks time, sinc= e the kind response, something has changed. You went from supportive to "th= is". >>>>>>>>>>>>>>>>>>>>> So yes, I am surprised. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Well, maybe I should not have replied to that email. = It was clear that you were on some path that was not right, but you were n= ot interested before in finding the right path from the beginning. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> Please consider if that can be changed and if there = is a path forward with this. >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Be more specific, what has to change? What exactly= did I dismiss? >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Dismissal is just my assumption. I don=E2=80=99t kno= w what you actually did with my feedback. I can only see the end product th= at does not seem contain much of it. Repeatedly I have been pointing out th= at we should think before we build. I am sure a lot of hours have now gone= into some code that simply does not satisfy me. And I am not not talking ab= out the code itself, what it does is what I don=E2=80=99t think is right fo= r us. >>>>>>>>>>>>>>>>>>>> The process is very clear for me that we should first = of all think whether we want a certain feature now. Then there should be a = clear roadmap for everyone to follow; tasks can be split-up as we go and h= opefully then have something that is maintainable, interesting for our user= s and even would do us proud. This is how this should work. >>>>>>>>>>>>>>>>>>>> So, what has to change? I don=E2=80=99t think with sh= outing at each other, throwing patches around and making me generally unhap= py is a good start. 
>>>>>>>>>>>>>>>>>>>> -Michael
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On Feb 6, 2025, at 2:13 PM, Michael Tremer wrote:
>>>>>>>>>>>>>>>>>>>>>> Hello Jon,
>>>>>>>>>>>>>>>>>>>>>> Well, here we are again with another patch regarding this feature.
>>>>>>>>>>>>>>>>>>>>>> I cannot quite see from your email what the question is, but if this is a request to have this merged into IPFire, I am once again sorry to disappoint you.
>>>>>>>>>>>>>>>>>>>>>> I think I have covered this all at length before that this project has been started as a separate effort and as far as I am aware none of the other team members has been involved. This has not been discussed either on this list or on our calls. Instead there has been a separate conversation on the forum with the occasional dip here to the list. But that was not a regular two-way conversation. Therefore, what am I supposed to do with this email?
>>>>>>>>>>>>>>>>>>>>>> I don't want to merge code that I don't agree with. So many fundamental things that I have been raising have either not been discussed or outright dismissed.
>>>>>>>>>>>>>>>>>>>>>> I don't want to merge code that has no future inside IPFire as there is no constructive conversation with the maintainers of it.
>>>>>>>>>>>>>>>>>>>>>> Having been trying for a long time to make you aware of this, nothing of this should come as a surprise.
>>>>>>>>>>>>>>>>>>>>>> Please consider if that can be changed and if there is a path forward with this.
>>>>>>>>>>>>>>>>>>>>>> All the best,
>>>>>>>>>>>>>>>>>>>>>> -Michael
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> On 6 Feb 2025, at 16:35, Jon Murphy wrote:
>>>>>>>>>>>>>>>>>>>>>>> What is it?
>>>>>>>>>>>>>>>>>>>>>>> Response Policy Zone (RPZ) is a mechanism to define local policies in a
>>>>>>>>>>>>>>>>>>>>>>> standardized way and load those policies from external sources.
>>>>>>>>>>>>>>>>>>>>>>> Bottom line: RPZ allows admins to easily block access to websites via DNS lookup.
>>>>>>>>>>>>>>>>>>>>>>> RPZ can block websites via categories. Examples include: fake websites, annoying
>>>>>>>>>>>>>>>>>>>>>>> pop-up ads, newly registered domains, DoH bypass sites, bad "host" services,
>>>>>>>>>>>>>>>>>>>>>>> malicious top level domains (e.g., *.zip, *.mov), piracy, gambling, pornography,
>>>>>>>>>>>>>>>>>>>>>>> and more. RPZ lists come from various RPZ providers and their available
>>>>>>>>>>>>>>>>>>>>>>> categories.
>>>>>>>>>>>>>>>>>>>>>>> This RPZ add-on enables the RPZ functionality by adding a couple lines in a
>>>>>>>>>>>>>>>>>>>>>>> configuration file. This add-on simply adds configuration files and adds
>>>>>>>>>>>>>>>>>>>>>>> scripts (config, metrics and sleep) to make RPZ easier for the admin to use.
>>>>>>>>>>>>>>>>>>>>>>> The RPZ scripts include additional languages: German, Spanish, French, Turkish,
>>>>>>>>>>>>>>>>>>>>>>> and Italian.
>>>>>>>>>>>>>>>>>>>>>>> RPZ itself was released in 2010 and has been part of the IPFire build since ~2015.
>>>>>>>>>>>>>>>>>>>>>>> Why is it needed? What is its value?
>>>>>>>>>>>>>>>>>>>>>>> - The RPZ concept places this filtering into IPFire, our internet access
>>>>>>>>>>>>>>>>>>>>>>> gateway, which is (should be) solely used as DNS source of the internal network.
>>>>>>>>>>>>>>>>>>>>>>> - As most sites use HTTPS it makes it difficult to filter traffic with URL
>>>>>>>>>>>>>>>>>>>>>>> Filter without also properly configuring conventional (non-transparent)
>>>>>>>>>>>>>>>>>>>>>>> mode on the proxy. RPZ is a nice replacement for the URL Filter.
>>>>>>>>>>>>>>>>>>>>>>> - No need to install and maintain an additional device like PiHole or AdBlock
>>>>>>>>>>>>>>>>>>>>>>> browser extensions on multiple user devices.
>>>>>>>>>>>>>>>>>>>>>>> - This is an additional layer of protection for users. Less worry someone will
>>>>>>>>>>>>>>>>>>>>>>> click on something that gets them into trouble. And, saying this with emphasis,
>>>>>>>>>>>>>>>>>>>>>>> the ability to do it in one place!
>>>>>>>>>>>>>>>>>>>>>>> - Blocked sites save on unneeded traffic and can lessen the threat of malware
>>>>>>>>>>>>>>>>>>>>>>> in advertisements
>>>>>>>>>>>>>>>>>>>>>>> - Logging allows the admin to see the site blocked and take actions
>>>>>>>>>>>>>>>>>>>>>>> - RPZ will be used at the home, home-office (work from home), schools,
>>>>>>>>>>>>>>>>>>>>>>> ministerial, and at the office. Device counts are small (2-6) to medium (~80)
>>>>>>>>>>>>>>>>>>>>>>> to medium-large (200+).
>>>>>>>>>>>>>>>>>>>>>>> - RPZ can block ads, popups, phishing, scammers, spyware, malware, annoying
>>>>>>>>>>>>>>>>>>>>>>> popups, NSFW links, DOH servers, and the usual internet trash.
>>>>>>>>>>>>>>>>>>>>>>> ------------------------------
>>>>>>>>>>>>>>>>>>>>>>> Change Log for RPZ add-on
>>>>>>>>>>>>>>>>>>>>>>> rpz-1.0.0-18 on 2025-02-05
>>>>>>>>>>>>>>>>>>>>>>> - Build for approval & release as IPFire add-on
>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.18-18.ipfire on 2025-02-01
>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi:
>>>>>>>>>>>>>>>>>>>>>>> - new feature: added a mod key to force an unbound restart
>>>>>>>>>>>>>>>>>>>>>>> rpz-config and rpz-make:
>>>>>>>>>>>>>>>>>>>>>>> - new feature: added action for unbound restart `rpz-config unbound-restart`
>>>>>>>>>>>>>>>>>>>>>>> rpz-metrics:
>>>>>>>>>>>>>>>>>>>>>>> - simple reformatting
>>>>>>>>>>>>>>>>>>>>>>> - rename far right column from "last update" to "last download"
>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.17-17.ipfire on 2024-12-09
>>>>>>>>>>>>>>>>>>>>>>> rpz-make
>>>>>>>>>>>>>>>>>>>>>>> - bug fix: corrected validation regex for wildcards like: `*.domain.com`
>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.16-16.ipfire on 2024-11-18
>>>>>>>>>>>>>>>>>>>>>>> rpz-make
>>>>>>>>>>>>>>>>>>>>>>> - new feature: updated validation regex
>>>>>>>>>>>>>>>>>>>>>>> - bug fix: moved validation to beginning of process. Now we validate before
>>>>>>>>>>>>>>>>>>>>>>> creating config files.
>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi:
>>>>>>>>>>>>>>>>>>>>>>> - new feature: use CSS color variables of the main ipfire theme
>>>>>>>>>>>>>>>>>>>>>>> - bug fix: empty zonefile remarks were stored as "undef" and caused a warning
>>>>>>>>>>>>>>>>>>>>>>> - bug fix: HTML textarea removes the first empty line in a custom list
>>>>>>>>>>>>>>>>>>>>>>> - thank you Leo!
>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.15-15.ipfire on 2024-11-04
>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi:
>>>>>>>>>>>>>>>>>>>>>>> - new feature: added new language file for Turkish (thank you Peppe)
>>>>>>>>>>>>>>>>>>>>>>> rpz-make
>>>>>>>>>>>>>>>>>>>>>>> - bug fix: corrected empty allow/block list issue. An empty allow/block list
>>>>>>>>>>>>>>>>>>>>>>> will now remove contents of allow/block.rpz files and remove unneeded
>>>>>>>>>>>>>>>>>>>>>>> allow/block.conf file. (thank you iptom)
>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.14-14.ipfire on 2024-10-29
>>>>>>>>>>>>>>>>>>>>>>> rpz-config:
>>>>>>>>>>>>>>>>>>>>>>> - bug fix: correct missing rpz extension. `rpz-config list` displayed URL
>>>>>>>>>>>>>>>>>>>>>>> incorrectly (thank you Bernhard)
>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi:
>>>>>>>>>>>>>>>>>>>>>>> - bug fix: remove extra `"` in language files (thank you Bernhard)
>>>>>>>>>>>>>>>>>>>>>>> - new feature: slightly dim "apply" button when not enabled
>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.13-13.ipfire on 2024-10-27
>>>>>>>>>>>>>>>>>>>>>>> - skipped
>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.12-12.ipfire on 2024-10-21
>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi:
>>>>>>>>>>>>>>>>>>>>>>> - new feature: added new language file for French (thank you gw-ipfire)
>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.11-11.ipfire on 2024-10-18
>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi:
>>>>>>>>>>>>>>>>>>>>>>> - new feature: added new language file for Italian (thank you umberto)
>>>>>>>>>>>>>>>>>>>>>>> - new feature: added new language file for Spanish (thank you Roberto)
>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.10-10.ipfire on 2024-10-15
>>>>>>>>>>>>>>>>>>>>>>> rpz-make:
>>>>>>>>>>>>>>>>>>>>>>> - bug fix: corrected validation error for a custom list entry (thank you siosios)
>>>>>>>>>>>>>>>>>>>>>>> - e.g., `*.cloudflare-dns.com`
>>>>>>>>>>>>>>>>>>>>>>> install.sh:
>>>>>>>>>>>>>>>>>>>>>>> - bug fix: add chown to correct user created files
>>>>>>>>>>>>>>>>>>>>>>> update.sh:
>>>>>>>>>>>>>>>>>>>>>>> - bug fix: add chown to correct user created files (thank you siosios)
>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.9-9.ipfire on 2024-10-08
>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi:
>>>>>>>>>>>>>>>>>>>>>>> - new feature: added new language file for German (thank you Leo)
>>>>>>>>>>>>>>>>>>>>>>> - bug fix: add missing "rpz exitcode 110"
>>>>>>>>>>>>>>>>>>>>>>> - bug fix: corrected missing RPZ menu item at menu > IPFire
>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.8-8.ipfire on 2024-10-04
>>>>>>>>>>>>>>>>>>>>>>> - skipped
>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.7-7.ipfire on 2024-10-03
>>>>>>>>>>>>>>>>>>>>>>> All:
>>>>>>>>>>>>>>>>>>>>>>> - new feature: includes beta version numbers for pakfire package,
>>>>>>>>>>>>>>>>>>>>>>> instead of only `rpz-1.0.0-1.ipfire`, for each release.
>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi:
>>>>>>>>>>>>>>>>>>>>>>> - new feature: added new WebGUI at `rpz.cgi`
>>>>>>>>>>>>>>>>>>>>>>> - a BIG thank you to Leo Hofmann for all of his work creating the webgui!!
>>>>>>>>>>>>>>>>>>>>>>> - bug fix: corrected missing RPZ menu item at menu > IPFire
>>>>>>>>>>>>>>>>>>>>>>> rpz-make:
>>>>>>>>>>>>>>>>>>>>>>> - new feature: validate entries in allowlist and blocklist
>>>>>>>>>>>>>>>>>>>>>>> - new feature: add "no-reload" option for WebGUI
>>>>>>>>>>>>>>>>>>>>>>> rpz-metrics:
>>>>>>>>>>>>>>>>>>>>>>> - new feature: info can be sorted by name, by hit count, by line count, by
>>>>>>>>>>>>>>>>>>>>>>> "enabled" list or all lists
>>>>>>>>>>>>>>>>>>>>>>> backups:
>>>>>>>>>>>>>>>>>>>>>>> - bug fix: include all files in `/var/ipfire/dns/rpz` directory in backup
>>>>>>>>>>>>>>>>>>>>>>> update.sh:
>>>>>>>>>>>>>>>>>>>>>>> - bug fix: corrected ownership for `/var/ipfire/dns/rpz` directory during an
>>>>>>>>>>>>>>>>>>>>>>> update
>>>>>>>>>>>>>>>>>>>>>>> Build:
>>>>>>>>>>>>>>>>>>>>>>> - bug fix: `block.rpz.conf` and `block.rpz` from build. Files to be created
>>>>>>>>>>>>>>>>>>>>>>> by `rpz-make`
>>>>>>>>>>>>>>>>>>>>>>> WebGUI and German language file
>>>>>>>>>>>>>>>>>>>>>>> Contribution-by: Leo-Andres Hofmann
>>>>>>>>>>>>>>>>>>>>>>> Spanish language file
>>>>>>>>>>>>>>>>>>>>>>> Contribution-by: Roberto Peña
>>>>>>>>>>>>>>>>>>>>>>> Italian language file
>>>>>>>>>>>>>>>>>>>>>>> Contribution-by: Umberto Parma
>>>>>>>>>>>>>>>>>>>>>>> French language file
>>>>>>>>>>>>>>>>>>>>>>> Contribution-by: gw-ipfire
>>>>>>>>>>>>>>>>>>>>>>> Turkish language file
>>>>>>>>>>>>>>>>>>>>>>> Contribution-by: Peppe Tech
>>>>>>>>>>>>>>>>>>>>>>> Contribution-by: Bernhard Bitsch
>>>>>>>>>>>>>>>>>>>>>>> Contribution-by: Erik Kapfer
>>>>>>>>>>>>>>>>>>>>>>>
Signed-off-by: Jon Murphy >>>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>>>> config/backup/includes/rpz | 4 + >>>>>>>>>>>>>>>>>>>>>>> config/cfgroot/manualpages | 1 + >>>>>>>>>>>>>>>>>>>>>>> config/menu/EX-rpz.menu | 6 + >>>>>>>>>>>>>>>>>>>>>>> config/rootfiles/common/configroot | 1 + >>>>>>>>>>>>>>>>>>>>>>> config/rootfiles/common/web-user-interface | 1 + >>>>>>>>>>>>>>>>>>>>>>> config/rootfiles/packages/rpz | 20 + >>>>>>>>>>>>>>>>>>>>>>> config/rpz/00-rpz.conf | 10 + >>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz-config | 130 +++ >>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz-functions | 85 ++ >>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz-make | 203 +++++ >>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz-metrics | 170 ++++ >>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz-sleep | 58 ++ >>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.de.pl | 30 + >>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.en.pl | 30 + >>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.es.pl | 30 + >>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.fr.pl | 30 + >>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.it.pl | 30 + >>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.tr.pl | 30 + >>>>>>>>>>>>>>>>>>>>>>> html/cgi-bin/rpz.cgi | 923 +++++++++++++++++++++ >>>>>>>>>>>>>>>>>>>>>>> lfs/rpz | 96 +++ >>>>>>>>>>>>>>>>>>>>>>> make.sh | 3 +- >>>>>>>>>>>>>>>>>>>>>>> src/paks/rpz/install.sh | 36 + >>>>>>>>>>>>>>>>>>>>>>> src/paks/rpz/uninstall.sh | 38 + >>>>>>>>>>>>>>>>>>>>>>> src/paks/rpz/update.sh | 52 ++ >>>>>>>>>>>>>>>>>>>>>>> 24 files changed, 2016 insertions(+), 1 deletion(-= ) >>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/backup/includes/rpz >>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/menu/EX-rpz.menu >>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rootfiles/packages/rpz >>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/00-rpz.conf >>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz-config >>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz-functions >>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz-make >>>>>>>>>>>>>>>>>>>>>>> create mode 100755 
config/rpz/rpz-metrics >>>>>>>>>>>>>>>>>>>>>>> create mode 100755 config/rpz/rpz-sleep >>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz.de.pl >>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz.en.pl >>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz.es.pl >>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz.fr.pl >>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz.it.pl >>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz.tr.pl >>>>>>>>>>>>>>>>>>>>>>> create mode 100644 html/cgi-bin/rpz.cgi >>>>>>>>>>>>>>>>>>>>>>> create mode 100644 lfs/rpz >>>>>>>>>>>>>>>>>>>>>>> create mode 100644 src/paks/rpz/install.sh >>>>>>>>>>>>>>>>>>>>>>> create mode 100644 src/paks/rpz/uninstall.sh >>>>>>>>>>>>>>>>>>>>>>> create mode 100644 src/paks/rpz/update.sh >>>>>>>>>>>>>>>>>>>>>>> diff --git a/config/backup/includes/rpz b/config/b= ackup/includes/rpz >>>>>>>>>>>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>>>>>>>>>>> index 000000000..36513e494 >>>>>>>>>>>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>>>>>>>>>>> +++ b/config/backup/includes/rpz >>>>>>>>>>>>>>>>>>>>>>> @@ -0,0 +1,4 @@ >>>>>>>>>>>>>>>>>>>>>>> +/var/ipfire/dns/rpz/* >>>>>>>>>>>>>>>>>>>>>>> +/etc/unbound/zonefiles/allow.rpz >>>>>>>>>>>>>>>>>>>>>>> +/etc/unbound/zonefiles/block.rpz >>>>>>>>>>>>>>>>>>>>>>> +/etc/unbound/local.d/*rpz.conf >>>>>>>>>>>>>>>>>>>>>>> diff --git a/config/cfgroot/manualpages b/config/c= fgroot/manualpages >>>>>>>>>>>>>>>>>>>>>>> index 1f7e01efc..d3a48c633 100644 >>>>>>>>>>>>>>>>>>>>>>> --- a/config/cfgroot/manualpages >>>>>>>>>>>>>>>>>>>>>>> +++ b/config/cfgroot/manualpages >>>>>>>>>>>>>>>>>>>>>>> 
@@ -70,6 +70,7 @@ pakfire.cgi=3Dconfiguration/ipfi= re/pakfire >>>>>>>>>>>>>>>>>>>>>>> wlanap.cgi=3Daddons/wireless >>>>>>>>>>>>>>>>>>>>>>> tor.cgi=3Daddons/tor >>>>>>>>>>>>>>>>>>>>>>> samba.cgi=3Daddons/samba >>>>>>>>>>>>>>>>>>>>>>> +rpz.cgi=3Daddons/rpz >>>>>>>>>>>>>>>>>>>>>>> # Logs menu >>>>>>>>>>>>>>>>>>>>>>> logs.cgi/summary.dat=3Dconfiguration/logs/summary >>>>>>>>>>>>>>>>>>>>>>> diff --git a/config/menu/EX-rpz.menu b/config/menu= /EX-rpz.menu >>>>>>>>>>>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>>>>>>>>>>> index 000000000..2f4daf410 >>>>>>>>>>>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>>>>>>>>>>> +++ b/config/menu/EX-rpz.menu >>>>>>>>>>>>>>>>>>>>>>> @@ -0,0 +1,6 @@ >>>>>>>>>>>>>>>>>>>>>>> +$subipfire->{'20.rpz'} =3D { >>>>>>>>>>>>>>>>>>>>>>> + 'caption' =3D> $Lang::tr{'rpz'}, >>>>>>>>>>>>>>>>>>>>>>> + 'uri' =3D> '/cgi-bin/rpz.cgi', >>>>>>>>>>>>>>>>>>>>>>> + 'title' =3D> "RPZ", >>>>>>>>>>>>>>>>>>>>>>> + 'enabled' =3D> 1, >>>>>>>>>>>>>>>>>>>>>>> +}; >>>>>>>>>>>>>>>>>>>>>>> diff --git a/config/rootfiles/common/configroot b/= config/rootfiles/common/configroot >>>>>>>>>>>>>>>>>>>>>>> index 9839eee45..b30d6aae4 100644 >>>>>>>>>>>>>>>>>>>>>>> --- a/config/rootfiles/common/configroot >>>>>>>>>>>>>>>>>>>>>>> +++ b/config/rootfiles/common/configroot >>>>>>>>>>>>>>>>>>>>>>> @@ -120,6 +120,7 @@ var/ipfire/menu.d/70-log.menu >>>>>>>>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-apcupsd.menu >>>>>>>>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-guardian.menu >>>>>>>>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-mympd.menu >>>>>>>>>>>>>>>>>>>>>>> +#var/ipfire/menu.d/EX-rpz.menu >>>>>>>>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-samba.menu >>>>>>>>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-tor.menu >>>>>>>>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-transmission.menu >>>>>>>>>>>>>>>>>>>>>>> diff --git a/config/rootfiles/common/web-user-inte= rface b/config/rootfiles/common/web-user-interface >>>>>>>>>>>>>>>>>>>>>>> index 816241dae..e00464076 100644 >>>>>>>>>>>>>>>>>>>>>>> 
--- a/config/rootfiles/common/web-user-interface >>>>>>>>>>>>>>>>>>>>>>> +++ b/config/rootfiles/common/web-user-interface >>>>>>>>>>>>>>>>>>>>>>> @@ -69,6 +69,7 @@ srv/web/ipfire/cgi-bin/proxy.cgi >>>>>>>>>>>>>>>>>>>>>>> srv/web/ipfire/cgi-bin/qos.cgi >>>>>>>>>>>>>>>>>>>>>>> srv/web/ipfire/cgi-bin/remote.cgi >>>>>>>>>>>>>>>>>>>>>>> srv/web/ipfire/cgi-bin/routing.cgi >>>>>>>>>>>>>>>>>>>>>>> +#srv/web/ipfire/cgi-bin/rpz.cgi >>>>>>>>>>>>>>>>>>>>>>> #srv/web/ipfire/cgi-bin/samba.cgi >>>>>>>>>>>>>>>>>>>>>>> srv/web/ipfire/cgi-bin/services.cgi >>>>>>>>>>>>>>>>>>>>>>> srv/web/ipfire/cgi-bin/shutdown.cgi >>>>>>>>>>>>>>>>>>>>>>> diff --git a/config/rootfiles/packages/rpz b/confi= g/rootfiles/packages/rpz >>>>>>>>>>>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>>>>>>>>>>> index 000000000..1c8663049 >>>>>>>>>>>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>>>>>>>>>>> +++ b/config/rootfiles/packages/rpz >>>>>>>>>>>>>>>>>>>>>>> 
@@ -0,0 +1,20 @@ >>>>>>>>>>>>>>>>>>>>>>> +etc/unbound/local.d/00-rpz.conf >>>>>>>>>>>>>>>>>>>>>>> +etc/unbound/zonefiles >>>>>>>>>>>>>>>>>>>>>>> +etc/unbound/zonefiles/allow.rpz >>>>>>>>>>>>>>>>>>>>>>> +usr/sbin/rpz-config >>>>>>>>>>>>>>>>>>>>>>> +usr/sbin/rpz-functions >>>>>>>>>>>>>>>>>>>>>>> +usr/sbin/rpz-make >>>>>>>>>>>>>>>>>>>>>>> +usr/sbin/rpz-metrics >>>>>>>>>>>>>>>>>>>>>>> +usr/sbin/rpz-sleep >>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.de.pl >>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.en.pl >>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.es.pl >>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.fr.pl >>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.it.pl >>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.tr.pl >>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/backup/addons/includes/rpz >>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/dns/rpz >>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/dns/rpz/allowlist >>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/dns/rpz/blocklist >>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/menu.d/EX-rpz.menu >>>>>>>>>>>>>>>>>>>>>>> +srv/web/ipfire/cgi-bin/rpz.cgi >>>>>>>>>>>>>>>>>>>>>>> diff --git a/config/rpz/00-rpz.conf b/config/rpz/0= 0-rpz.conf >>>>>>>>>>>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>>>>>>>>>>> index 000000000..f005a4f2e >>>>>>>>>>>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>>>>>>>>>>> +++ b/config/rpz/00-rpz.conf >>>>>>>>>>>>>>>>>>>>>>> @@ -0,0 +1,10 @@ >>>>>>>>>>>>>>>>>>>>>>> +server: >>>>>>>>>>>>>>>>>>>>>>> + module-config: "respip validator iterator" >>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>> +rpz: >>>>>>>>>>>>>>>>>>>>>>> + name: allow.rpz >>>>>>>>>>>>>>>>>>>>>>> + zonefile: /etc/unbound/zonefiles/allow.rpz >>>>>>>>>>>>>>>>>>>>>>> + rpz-action-override: passthru >>>>>>>>>>>>>>>>>>>>>>> + rpz-log: yes >>>>>>>>>>>>>>>>>>>>>>> + rpz-log-name: allow >>>>>>>>>>>>>>>>>>>>>>> + rpz-signal-nxdomain-ra: yes >>>>>>>>>>>>>>>>>>>>>>> 
diff --git a/config/rpz/rpz-config b/config/rpz/rp= z-config >>>>>>>>>>>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>>>>>>>>>>> index 000000000..c72d50f9b >>>>>>>>>>>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>>>>>>>>>>> +++ b/config/rpz/rpz-config >>>>>>>>>>>>>>>>>>>>>>> 
@@ -0,0 +1,130 @@ >>>>>>>>>>>>>>>>>>>>>>> +#!/bin/bash >>>>>>>>>>>>>>>>>>>>>>> +#################################################= ############################## >>>>>>>>>>>>>>>>>>>>>>> +# # >>>>>>>>>>>>>>>>>>>>>>> +# IPFire.org - A linux based firewall # >>>>>>>>>>>>>>>>>>>>>>> +# Copyright (C) 2024-2025 IPFire Team # >>>>>>>>>>>>>>>>>>>>>>> +# # >>>>>>>>>>>>>>>>>>>>>>> +# This program is free software: you can redistri= bute it and/or modify # >>>>>>>>>>>>>>>>>>>>>>> +# it under the terms of the GNU General Public Li= cense as published by # >>>>>>>>>>>>>>>>>>>>>>> +# the Free Software Foundation, either version 3= of the License, or # >>>>>>>>>>>>>>>>>>>>>>> +# (at your option) any later version. # >>>>>>>>>>>>>>>>>>>>>>> +# # >>>>>>>>>>>>>>>>>>>>>>> +# This program is distributed in the hope that it = will be useful, # >>>>>>>>>>>>>>>>>>>>>>> +# but WITHOUT ANY WARRANTY; without even the impl= ied warranty of # >>>>>>>>>>>>>>>>>>>>>>> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PUR= POSE. See the # >>>>>>>>>>>>>>>>>>>>>>> +# GNU General Public License for more details. # >>>>>>>>>>>>>>>>>>>>>>> +# # >>>>>>>>>>>>>>>>>>>>>>> +# You should have received a copy of the GNU Gene= ral Public License # >>>>>>>>>>>>>>>>>>>>>>> +# along with this program. If not, see . 
# >>>>>>>>>>>>>>>>>>>>>>> +# # >>>>>>>>>>>>>>>>>>>>>>> +#################################################= ############################## >>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>> +version=3D"2025-01-11 - v44" >>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>> +############### Functions ############### >>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>> +source /usr/sbin/rpz-functions >>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>> +############### Main ############### >>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>> +tagName=3D"unbound" >>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>> +rpzAction=3D"${1}" # input RPZ action >>>>>>>>>>>>>>>>>>>>>>> +rpzName=3D"${2}" # input RPZ name >>>>>>>>>>>>>>>>>>>>>>> +rpzURL=3D"${3}" # input RPZ URL >>>>>>>>>>>>>>>>>>>>>>> +rpzOption1=3D"${4}" # input RPZ option #1 >>>>>>>>>>>>>>>>>>>>>>> +rpzOption2=3D"${5}" # input RPZ option #2 >>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>> +rpzConfig=3D"/etc/unbound/local.d/${rpzName}.rpz.= conf" # output zone conf file >>>>>>>>>>>>>>>>>>>>>>> +rpzFile=3D"/etc/unbound/zonefiles/${rpzName}.rpz" = # output for RPZ file >>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>> +rpzLog=3D"yes" # log default is yes >>>>>>>>>>>>>>>>>>>>>>> +ucReload=3D"yes" # reload default is yes >>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>> +while [[ $# -gt 0 ]] ; do >>>>>>>>>>>>>>>>>>>>>>> + case "$1" in >>>>>>>>>>>>>>>>>>>>>>> + --no-log ) rpzLog=3D"no" ;; >>>>>>>>>>>>>>>>>>>>>>> + --no-reload ) ucReload=3D"no" ; checkConf=3D"no" = ;; >>>>>>>>>>>>>>>>>>>>>>> + esac >>>>>>>>>>>>>>>>>>>>>>> + shift # Shift after checking all the cases to ge= t next option >>>>>>>>>>>>>>>>>>>>>>> +done >>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>> +case "${rpzAction}" in >>>>>>>>>>>>>>>>>>>>>>> + # add new rpz list >>>>>>>>>>>>>>>>>>>>>>> + add ) >>>>>>>>>>>>>>>>>>>>>>> + check_name "${rpzName}" # is this a valid name? >>>>>>>>>>>>>>>>>>>>>>> + # does this config already exist? 
If yes, then e= xit >>>>>>>>>>>>>>>>>>>>>>> + if [[ -f "${rpzConfig}" ]] ; then >>>>>>>>>>>>>>>>>>>>>>> + msg_log "error: rpz: duplicate - ${rpzConfig} al= ready exists. exit" >>>>>>>>>>>>>>>>>>>>>>> + exit 104 >>>>>>>>>>>>>>>>>>>>>>> + fi >>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>> + # is this a valid URL? >>>>>>>>>>>>>>>>>>>>>>> + regex=3D'^https://[-[:alnum:]\+&@#/%?=3D~_|!:,.;= ]*[-[:alnum:]\+&@#/%=3D~_|]' >>>>>>>>>>>>>>>>>>>>>>> + if ! [[ "${rpzURL}" =3D~ $regex ]] ; then >>>>>>>>>>>>>>>>>>>>>>> + msg_log "error: rpz: the URL is not valid: \"${r= pzURL}\". exit." >>>>>>>>>>>>>>>>>>>>>>> + exit 105 >>>>>>>>>>>>>>>>>>>>>>> + fi >>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>> + # create the zone config file >>>>>>>>>>>>>>>>>>>>>>> + { >>>>>>>>>>>>>>>>>>>>>>> + echo "rpz:" >>>>>>>>>>>>>>>>>>>>>>> + echo " name: ${rpzName}.rpz" >>>>>>>>>>>>>>>>>>>>>>> + echo " zonefile: ${rpzFile}" >>>>>>>>>>>>>>>>>>>>>>> + echo " url: ${rpzURL}" >>>>>>>>>>>>>>>>>>>>>>> + echo " rpz-action-override: nxdomain" >>>>>>>>>>>>>>>>>>>>>>> + echo " rpz-log: ${rpzLog}" >>>>>>>>>>>>>>>>>>>>>>> + echo " rpz-log-name: ${rpzName}" >>>>>>>>>>>>>>>>>>>>>>> + echo " rpz-signal-nxdomain-ra: yes" >>>>>>>>>>>>>>>>>>>>>>> + } > "${rpzConfig}" >>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>> + # set-up zonefile >>>>>>>>>>>>>>>>>>>>>>> + # create an empty rpz file if it does not exist >>>>>>>>>>>>>>>>>>>>>>> + if [[ ! -f "${rpzFile}" ]] ; then >>>>>>>>>>>>>>>>>>>>>>> + touch "${rpzFile}" >>>>>>>>>>>>>>>>>>>>>>> + # unbound requires these settings for rpz files >>>>>>>>>>>>>>>>>>>>>>> + set_permissions "${rpzFile}" "${rpzConfig}" >>>>>>>>>>>>>>>>>>>>>>> + fi >>>>>>>>>>>>>>>>>>>>>>> + ;; >>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>> + # trash config file & rpz file >>>>>>>>>>>>>>>>>>>>>>> + remove ) >>>>>>>>>>>>>>>>>>>>>>> + if ! [[ -f "${rpzConfig}" ]] ; then >>>>>>>>>>>>>>>>>>>>>>> + msg_log "error: rpz: cannot remove ${rpzConfig}, = does not exist. 
exit" >>>>>>>>>>>>>>>>>>>>>>> + exit 106 >>>>>>>>>>>>>>>>>>>>>>> + fi >>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>> + msg_log "info: rpz: remove config file & rpz fil= e \"${rpzName}\"" >>>>>>>>>>>>>>>>>>>>>>> + rm "${rpzConfig}" >>>>>>>>>>>>>>>>>>>>>>> + rm "${rpzFile}" >>>>>>>>>>>>>>>>>>>>>>> + ;; >>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>> + reload ) >>>>>>>>>>>>>>>>>>>>>>> + check_unbound_conf "${checkConf}" >>>>>>>>>>>>>>>>>>>>>>> + ;; >>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>> + list ) >>>>>>>>>>>>>>>>>>>>>>> + awk -F':' '/^\s*name:/{ gsub(/[[:blank:]]|\.rpz/= , "",$2) ; NAME=3D$2 } \ >>>>>>>>>>>>>>>>>>>>>>> + /^\s*url:/{ gsub(/[[:blank:]]/, "") ; print NAME= "=3D"$2":"$3} ' \ >>>>>>>>>>>>>>>>>>>>>>> + /etc/unbound/local.d/*rpz.conf >>>>>>>>>>>>>>>>>>>>>>> + exit >>>>>>>>>>>>>>>>>>>>>>> + ;; >>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>> + unbound-restart ) >>>>>>>>>>>>>>>>>>>>>>> + check_unbound_conf "${checkConf}" >>>>>>>>>>>>>>>>>>>>>>> + unbound_restart >>>>>>>>>>>>>>>>>>>>>>> + exit >>>>>>>>>>>>>>>>>>>>>>> + ;; >>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>> + * ) >>>>>>>>>>>>>>>>>>>>>>> + msg_log "error: rpz: missing or incorrect parame= ter" >>>>>>>>>>>>>>>>>>>>>>> + printf "Usage: $(basename "$0") =
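Review bot: the URL check in the `add` branch of rpz-config is anchored only at the start (`regex='^https://...'`, no closing `$`), so any argument with a valid-looking prefix passes and the whole unchecked string is then written into the zone config by `echo " url: ${rpzURL}"`. A value with a trailing newline or extra text would land in `${rpzName}.rpz.conf` as further unbound directives. Append `$` to the pattern and reject whitespace and quote characters explicitly before the write; the exit codes 104/105/106 used here should also be listed in a comment or the usage text so rpz.cgi can map them.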
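Review bot: the `remove` branch builds `rpzConfig` and `rpzFile` from `${rpzName}` without the `check_name "${rpzName}"` call that `add` performs, so the two `rm` calls run on an unvalidated name; call `check_name` first, as in `add`. `rm "${rpzFile}"` also prints an error and leaves a non-zero status when the zonefile is already gone, so `rm -f` is the safer form for both files.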
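Review bot: in the `list` action `awk -F':'` splits the `url:` line on every colon and prints only `$2":"$3`, so a URL with a port (for example `https://host:8443/path`) is cut off after the host. Strip the key instead of re-joining fields, e.g. `/^\s*url:/{ sub(/^[^:]*:[[:blank:]]*/, ""); print NAME "=" $0 }`, which keeps the rest of the line intact.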
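Review bot: `checkConf` is only assigned inside the `--no-reload` case of the option loop, so on the default path `check_unbound_conf "${checkConf}"` in `reload` and `unbound-restart` receives an empty string. Declare it with its intended default next to `rpzLog="yes"` and `ucReload="yes"` so the behaviour of the call site is explicit rather than relying on an unset variable.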
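Review bot: `module-config: "respip validator iterator"` in 00-rpz.conf is a global `server:` setting that replaces whatever module list the base unbound.conf configures, so any other module IPFire enables there would be dropped silently once this file is included from local.d; please confirm the base value and note in the file header why the override is needed. The same file carries the allow zone (`rpz-action-override: passthru`) while rpz-config writes each blocklist to `${rpzName}.rpz.conf`; unbound evaluates RPZ zones in configuration order with the first match winning, so allow-before-block precedence depends on `00-` sorting before every list name in local.d. That ordering deserves a comment, and `check_name` should reject names that would sort ahead of it.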
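Review bot: the diffstat creates config/rpz/rpz-config, rpz-functions and rpz-make with mode 100644 but rpz-metrics and rpz-sleep with 100755, even though the rootfile installs all five under usr/sbin/. Either mark every script executable in git or none of them and let lfs/rpz set the mode consistently at install time.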