From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4b20RL354Bz32pF for ; Tue, 20 May 2025 16:30:54 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4b20RG3qP8z2xMK for ; Tue, 20 May 2025 16:30:50 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4b20RD3XLwzlL; Tue, 20 May 2025 16:30:48 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1747758649; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=a/wtfOF7gtYF9wytccCHpxZ3WcOApgw2mHadmUmU1qU=; b=cxUCWo/E9XqGHDc3x/r3aMa2SzsGF3v+EVeVHgPF/u+uMthrJm3D2OKrNLCcVp/gdu3ekn JWt48VCo1rRza4Dg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1747758649; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=a/wtfOF7gtYF9wytccCHpxZ3WcOApgw2mHadmUmU1qU=; b=nTJdUO/UiU/lqsIireo8upcRi96ftBbkMGdhcm8AihHCouBMnFdDVbbp7LY6ZX7++H7oiM wuS5VmB18ZtrYmrg6l4efwRvHpwDrwaRH089uoSBy5e0BiVVFmmYVIJQsVBMuCI2Y1fJ8u rrKeomy2z/8jmAypg1B3d871q/emAsqFlvSHBM8M8FVQ9MEwohNa8WxxMPBhNPZxakuQZD 7GyeXpm/D6VWVaCNbsZhcvUq24S8n18HLW810XB3+TklchLC/HoYiuWD0CDqwtiry66/Xp MRiyao0paAJ1B8fwFvmsMTaGcJg3RbnU297wYHLjs/v9DZ2/z1D6IvvBTi+3wQ== From: "Jon Murphy" To: "Michael Tremer" Subject: Re[2]: [PATCH] RPZ: update code to include WEBGUI and additional languages Cc: "Bernhard Bitsch" , "IPFire: Development-List" Date: Tue, 20 May 2025 16:30:45 +0000 Message-Id: In-Reply-To: References: <20250206163522.2363178-1-jon.murphy@ipfire.org> <8b594873-86ca-46b9-bb4b-94fd6b0239b1@ipfire.org> <9A0DBDA4-75B0-40D2-AE06-78D9BA5EE7D3@ipfire.org> <89101199-33D1-40AC-8CCE-DD97583129F2@ipfire.org> <8703C3D8-C30C-4A56-9F30-7B90BB1E3027@ipfire.org> <502fa002-d6da-45d6-9b3e-d4130e59f50a@ipfire.org> <64617942-44E2-4E7B-A8AB-D5C22F94F68B@ipfire.org> <8D5093D0-A699-4C4E-AEA3-185AD323EF67@ipfire.org> <9221F825-15BB-484C-A921-118C7F3266AC@ipfire.org> Reply-To: "Jon Murphy" Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: quoted-printable Michael, Were you able to debug RPZ and get Unbound to download `.rpz` files? Jon ------ Original Message ------ >From "Michael Tremer" To "Jon Murphy" Cc "Bernhard Bitsch" ; "IPFire: Development-List"=20 Date 3/24/2025 9:43:37=E2=80=AFAM Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional=20 languages >Yes, I don=E2=80=99t need any debugging of this... > >> On 24 Mar 2025, at 14:42, Jon Murphy wrote: >> >> Is there a: >> >> server: >> module-config: "respip validator iterator" >> >> In your RPZ set-up? >> >> >> ------ Original Message ------ >> From "Michael Tremer" >> To "Jon Murphy" >> Cc "Bernhard Bitsch" ; "IPFire: Development-List" <= development@lists.ipfire.org> >> Date 3/24/2025 9:40:15=E2=80=AFAM >> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional l= anguages >> >>> Because it is not doing it on my system... >>> >>>> On 24 Mar 2025, at 14:38, Jon Murphy wrote: >>>> >>>> Actually it did. >>>> >>>> Why do you think Unbound did not? >>>> >>>> >>>> ------ Original Message ------ >>>> From "Michael Tremer" >>>> To "Jon Murphy" >>>> Cc "Bernhard Bitsch" ; "IPFire: Development-List" = >>>> Date 3/24/2025 9:36:53=E2=80=AFAM >>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional = languages >>>> >>>>> Unbound did not put those there... >>>>> >>>>>> On 24 Mar 2025, at 14:33, Jon Murphy wrote: >>>>>> >>>>>> >>>>>> >>>>>> And where are these stored? >>>>>> >>>>>> In `/etc/unbound/zonefiles`: >>>>>> >>>>>> >>>>>> [root@ipfire ~] # ls -al /etc/unbound/zonefiles >>>>>> total 20664 >>>>>> drwxr-xr-x 2 nobody nobody 4096 Mar 24 04:40 . >>>>>> drwxr-xr-x 4 root root 4096 Mar 19 16:24 .. >>>>>> -rw-r--r-- 1 nobody nobody 3999087 Mar 23 15:11 adhocSB.rpz >>>>>> -rw-r--r-- 1 nobody nobody 1411 Mar 23 14:23 allow.rpz >>>>>> -rw-r--r-- 1 nobody nobody 25355 Mar 24 04:40 AmazonTrkrHZ.rpz >>>>>> -rw-r--r-- 1 nobody nobody 7241 Mar 24 04:40 AppleTrkrHZ.rpz >>>>>> -rw-r--r-- 1 nobody nobody 178 Mar 23 14:23 block.rpz >>>>>> -rw-r--r-- 1 nobody nobody 78496 Mar 24 04:40 DOHblockHZ.rpz >>>>>> -rw-r--r-- 1 nobody nobody 16983551 Mar 24 04:40 MxProPlusHZ.rpz >>>>>> -rw-r--r-- 1 nobody nobody 2893 Mar 24 04:40 tldHZ.rpz >>>>>> -rw-r--r-- 1 nobody nobody 29419 Mar 24 04:40 WinTrkrHZ.rpz >>>>>> [root@ipfire ~] # >>>>>> >>>>>> >>>>>> >>>>>> ------ Original Message ------ >>>>>> From "Michael Tremer" >>>>>> To "Bernhard Bitsch" >>>>>> Cc development@lists.ipfire.org >>>>>> Date 3/24/2025 9:25:40=E2=80=AFAM >>>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and addition= al languages >>>>>> >>>>>>> Hello, >>>>>>> >>>>>>>> >>>>>>>> On 24 Mar 2025, at 13:33, Bernhard Bitsch wr= ote: >>>>>>>> Am 24.03.2025 um 11:17 schrieb Michael Tremer: >>>>>>>>> >>>>>>>>> >>>>>>>>> Hello Jon, >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On 24 Mar 2025, at 00:00, Jon Murphy wr= ote: >>>>>>>>>> Michael, >>>>>>>>>> FYI - I was wrong Unbound RPZ is _not_ watching the serial num= ber, it is watching the "refresh", the number after the serial number. >>>>>>>>> >>>>>>>>> Refresh just tells the client how often to check for an update. >>>>>>>>> If that is actually being set by the list publisher, then we hav= e another problem here, because they could put some insanely low value ther= e and we would then DDoS their infrastructure. I think we should keep it li= ke we have it in other places that we control how often we want to check or = pull for updates. >>>>>>>>> >>>>>>>> You are right. But an extra update process wastes additional pro= cessor time. The update mechanism of unbound does the check for update ( ho= wever it is realized ) nevertheless. >>>>>>> >>>>>>> Yes, doing more things needs resources. But we are not seriously= considering whether an IPFire system has enough resources to perform the do= wnload of a text file, or are we? >>>>>>> >>>>>>>> >>>>>>>>>> I understand that you don=E2=80=99t speak C, but you got the in= formation from somewhere. Documentation maybe? Since that is out of date ve= ry often I like to consult the code. >>>>>>>>>> From testing. Downloading rpz files using rpz unbound, and watc= hing what happens. If the rpz file is setup for "once per day" refresh, the= n it only downloads one time. >>>>>>>>>> However that won=E2=80=99t solve our problem . . . and havin= g no cache. >>>>>>>>>> In `/etc/unbound/tuning.conf` there is `rrset-cache-size: 128m`= . Are you referring to a different cache. >>>>>>>>> >>>>>>>>> Naturally unbound is loading the zone into its memory which we g= enerally call cache. >>>>>>>>> When I say cache I am thinking about persistent data storage acr= oss multiple restarts of Unbound. If I am downloading 100 MiB of RPZ lists= (which is presumably still on the lower end) and I reboot my firewall, I do = not want to download the same data again. We can only ever download a list = *once* unless we are 100% certain that it has changed. Then we can downloa= d it once again. >>>>>>>> >>>>>>>> The RPZ lists are stored in files in persistent storage. Unbound = creates the internal cache from these. >>>>>>> >>>>>>> And where are these stored? >>>>>>> >>>>>>>> >>>>>>>>>> Maybe we need to implement both? >>>>>>>>>> Yes. There are very few AXFR list (I think only four were foun= d). And many more HTTPS rpz files. >>>>>>>>>> Jon >>>>>>>>>> ------ Original Message ------ >>>>>>>>>> From "Michael Tremer" >>>>>>>>>> To "Jon Murphy" >>>>>>>>>> Cc "IPFire: Development-List" >>>>>>>>>> Date 3/20/2025 11:26:43=E2=80=AFAM >>>>>>>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and addi= tional languages >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Hello Jon, >>>>>>>>>>> Please don=E2=80=99t forget to Cc the list... >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> On 19 Mar 2025, at 18:27, Jon Murphy = wrote: >>>>>>>>>>>> Michael, >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> Where in the code is this implemented? I cannot find anythi= ng like this: >>>>>>>>>>>> >>>>>>>>>>>> Keep in mind I am not a "C" person. Maybe in this section?: >>>>>>>>>>>> https://git.ipfire.org/?p=3Dthirdparty/unbound.git;a=3Dblob;f= =3Dservices/authzone.c;hb=3D30b9cb5f813003d0a2b1c2e678652396615b1b7d#l5875 >>>>>>>>>>> >>>>>>>>>>> This where the AXFR response is being handled when doing a DN= S zone transfer. This code is not being called when performing a HTTP downl= oad. >>>>>>>>>>> I understand that you don=E2=80=99t speak C, but you got the i= nformation from somewhere. Documentation maybe? Since that is out of date v= ery often I like to consult the code. >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> =E2=80=94 >>>>>>>>>>>> When I was just learning about RPZ I created a separate RPZ f= ile for testing. When I changed the SOA line with a new serial number, the= RPZ file download would happen in about 5 minutes. >>>>>>>>>>>> https://people.ipfire.org/~jon/sblack-adhoc.rpz >>>>>>>>>>> >>>>>>>>>>> It might well be that the file is not being reloaded if the d= ownload matches the content that unbound already has. That would of course= save some resources. >>>>>>>>>>> However that won=E2=80=99t solve our problem with redundant do= wnloads and having no cache. >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> That is how I found out the SOA line is watched for a serial = number change. >>>>>>>>>>>> I=E2=80=99ll reconfirm my findings. >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>>> The second reason is that we have a lot of firewalls out t= here. Not all of them will enable this feature and all of the lists, but ev= en if it is a good chunk, we will generate terabytes of traffic which put l= oad on the infrastructure and will cost money. It simply is not what we wan= t to do, regardless of self-hosting those lists and pulling them from somew= here else. >>>>>>>>>>>> >>>>>>>>>>>> So I understand, are you thinking of hosting RPZ AXFR (DNS z= one transfer) on IPFire infrastructure? >>>>>>>>>>> >>>>>>>>>>> No, I don=E2=80=99t think that we can generally do this. The= biggest problem is licensing as we cannot take anyones content and host it= ourselves. We would re-distribute those lists and that will only work with= permission of the publishers. I assume that would be too much work to actua= lly get some useful content out there. We might limit ourselves to only tho= se lists that are under a very permissive license. Nobody wants that. >>>>>>>>>>> From a technical point of view, DNS over TCP might not be very = nice in terms of forging the transfer and so we would need TLS as well=E2= =80=A6 It should work, but even if we would be able to encourage other peop= le to publish their lists I doubt they would implement DNS over TLS for aut= horitative DNS. That standard is in very early stages as well. >>>>>>>>>>> As far as I can see, those vendors who offer a list as a comme= rcial product are using DNS to distribute it (e.g. Spamhaus). Those people= who have made this all a hobby are throwing the lists onto GitHub and let t= hem handle the traffic. >>>>>>>>>>> Maybe we need to implement both? >>>>>>>>>>> -Michael >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Jon >>>>>>>>>>>> On 3/19/25 5:35 AM, Michael Tremer wrote: >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> Hello Jon, >>>>>>>>>>>>> Where in the code is this implemented? I cannot find anythin= g like this: >>>>>>>>>>>>> Unbound loads the entire file into memory and then starts pa= rsing it. The only special treatment there is is to check whether the first = line is a valid zone entry. It does not even have to be a SOA record. >>>>>>>>>>>>> https://git.ipfire.org/?p=3Dthirdparty/unbound.git;a=3Dblob;= f=3Dservices/authzone.c;hb=3D30b9cb5f813003d0a2b1c2e678652396615b1b7d#l1188 >>>>>>>>>>>>> I am also concerned that Unbound will not be able to support = an upstream proxy for any downloads. The caching situation is also unclear = for me, so I believe that we will be looking at writing a custom downloade= r that implements all these things. >>>>>>>>>>>>> -Michael >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> On 19 Mar 2025, at 02:58, Jon Murphy wrote: >>>>>>>>>>>>>> Michael, >>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> The emphasis is on the repeated downloads of the same lis= t. That is >>>>>>>>>>>>>> >>>>>>>>>>>>>> =E2=80=8B> what cannot happen. >>>>>>>>>>>>>> The Unbound RPZ code, as installed within IPFire, watches f= or a change >>>>>>>>>>>>>> =E2=80=8Bin the SOA line of each RPZ file. This is an examp= le of the first few >>>>>>>>>>>>>> =E2=80=8Blines for every RPZ file. >>>>>>>>>>>>>> $TTL 300 >>>>>>>>>>>>>> @ SOA localhost. root.localhost. 1742298960 43200 3600 8640= 0 300 >>>>>>>>>>>>>> NS localhost. >>>>>>>>>>>>>> ; >>>>>>>>>>>>>> ; Title: HaGeZi's Pop-Up Ads DNS Blocklist >>>>>>>>>>>>>> ; Description: Blocks annoying and malicious pop-up ads. >>>>>>>>>>>>>> If the SOA serial number changes (e.g. the 1742298960), the= n Unbound RPZ >>>>>>>>>>>>>> =E2=80=8Bcode does its thing and downloads. Otherwise there = is no download. >>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> So there has to be a way to ensure that we won=E2=80=99t= download a list again >>>>>>>>>>>>>> >>>>>>>>>>>>>> =E2=80=8B> unless it has actually changed. >>>>>>>>>>>>>> This should do what you want but I may be missing your poin= t. >>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> DNS has a builtin functionality called AXFR. It simply do= es the job >>>>>>>>>>>>>> >>>>>>>>>>>>>> =E2=80=8B> for you. I was just wondering whether that was= not being used. >>>>>>>>>>>>>> I need to read about AXFR/IXFR and learn a little more. >>>>>>>>>>>>>> Jon >>>>>>>>>>>>>> On 3/17/25 5:35 AM, Michael Tremer wrote: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Good Morning Jon, >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> On 16 Mar 2025, at 17:00, Jon Murphy wrote: >>>>>>>>>>>>>>>> Michael, >>>>>>>>>>>>>>>> I was reading through you response again an I want to und= erstand this post: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> I have also stated that we cannot download any lists ov= er HTTPS again and again and again. The implementation that we have here se= ems to exactly do that and therefore I think that my feedback has been dism= issed entirely. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> So if RPZ doesn't use HTTPS, what is it using? I am miss= ing a key point here. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> The emphasis is on the repeated downloads of the same lis= t. That is what cannot happen. >>>>>>>>>>>>>>> Although it might not affect a lot of people in our genera= l user-base, there are some that have a metered connection and will pay for = data by volume. Some of the lists I looked at are just under 20 MiB. There= fore we need to keep any traffic down to a minimum. The second reason is th= at we have a lot of firewalls out there. Not all of them will enable this f= eature and all of the lists, but even if it is a good chunk, we will genera= te terabytes of traffic which put load on the infrastructure and will cost= money. It simply is not what we want to do, regardless of self-hosting thos= e lists and pulling them from somewhere else. >>>>>>>>>>>>>>> So there has to be a way to ensure that we won=E2=80=99t d= ownload a list again unless it has actually changed. >>>>>>>>>>>>>>> DNS has a builtin functionality called AXFR. It simply doe= s the job for you. I was just wondering whether that was not being used. >>>>>>>>>>>>>>> HTTPS is an option because that is simply what we use else= where, but extra functionality will have to be built for it. >>>>>>>>>>>>>>> -Michael >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Jon >>>>>>>>>>>>>>>> On 2/13/25 3:34 PM, jon wrote: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Michael, >>>>>>>>>>>>>>>>> I=E2=80=99ve read through your comments a few times and= I ended up with many more questions. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> What I rather mean is that it has never been added as= a topic on the agenda and it has not been pitched by yourself. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> To me the efforts to get new code accepted seem to have = changed and it seemed easier in the past. In the past I made the Core Team = aware via the Dev Mailing List and wrote a simple two or three paragraphs= of "What is it? / What is the value? / Here is the code" >>>>>>>>>>>>>>>>> So in an effort to move forward: How exactly is somethin= g presented to the Core Team? >>>>>>>>>>>>>>>>> Is there an example of a recent effort that was presente= d that I can see as a sample? (This type of info can also be added to the W= iki) >>>>>>>>>>>>>>>>> I understand you want it this way, but I don=E2=80=99t k= now what exactly is needed. Please be specific. >>>>>>>>>>>>>>>>> Jon >>>>>>>>>>>>>>>>> PS - I am not ignoring your other comments, I am just tr= ying to move forward and keep things simple. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> On Feb 8, 2025, at 1:27=E2=80=AFPM, Michael Tremer wrote: >>>>>>>>>>>>>>>>>> Hello Jon, >>>>>>>>>>>>>>>>>> Thanks for your reply. And good that you are copying ev= eryone into this conversation. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> On 8 Feb 2025, at 18:41, jon = wrote: >>>>>>>>>>>>>>>>>>> Michael, >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> I think I have covered this all at lengths before th= at this project has been started as a separate effort >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Yes, this has been a separate effort (a very public s= eparate effort). Yes, as you pointed this out early on with the "proof-of-c= oncept" and then my request for people to help test RPZ. Nothing was hidden= . >>>>>>>>>>>>>>>>>>> This was done because you (and maybe others) did not h= ave the time and I wanted to help and because I needed assistance with RPZ. = I tried my best to do this without bothering you. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> I don=E2=80=99t that it is accurate that nobody wanted = to help on this. The list was always open - although not every email has b= een replied to swiftly it is also your responsibility to raise a question a= gain if it was missed. People here have open ears. >>>>>>>>>>>>>>>>>> It was also stated on this very list on in our document= ation that working on something without involving the core team is a risky= undertaking. Of course IPFire is free software and so everyone is free to f= ork if they wish to do so. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> and as far as I am aware none of the other team membe= rs has been involved. This has not been discussed either on this list, on o= ur calls. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> You were aware many steps along the way. See your ema= il on July 28, 2024, August 15, 2024, September 30, 2024, December 23, 2024= , and January 16. My attempts to get the team involved were met with "thing= s are busy" and sometimes silence. (Yes, I get it, people are busy.) >>>>>>>>>>>>>>>>>>> You and Adolf, Leo, Erik and Bernhard have been aware= since the beginning. You mention you were aware of the "proof-of-concept".= If you include those beginning posts, since Sep 2023. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Yes, I am aware of a proof-of-concept that I have been = running myself for a long time. I am also aware of the efforts that you ha= ve been taking. >>>>>>>>>>>>>>>>>> Yet I don=E2=80=99t think there has ever been any joint = effort, or am I seeing that wrong? >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> This has not been discussed . . . on our calls. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> On the July 28th you stated: >>>>>>>>>>>>>>>>>>> "We have talked about RPZ many times on the monthly ca= ll since the URL filter feature is falling more and more out of fashion. I= think there is also many posts about this on the forum." >>>>>>>>>>>>>>>>>>> Please don=E2=80=99t insult me again by stating "you k= now what I mean". >>>>>>>>>>>>>>>>>>> And it has been discussed but not documented in the Mo= nthly Meeting notes. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> I am not at all insulting you. I don=E2=80=99t want to = take this down to a personal level at all. This is a public mailing list a= nd people who read this don=E2=80=99t need to listen to an argument we are= having. They are here for the tech inside IPFire. >>>>>>>>>>>>>>>>>> When I wrote that it has not been discussed that does n= ot mean that we have not been touching on the topic. We have been talking a= bout lots of things on the calls, the weather, politics, how our pets are.= None of that makes it to the logs. What I rather mean is that it has never= been added as a topic on the agenda and it has not been pitched by yourself= . >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Instead there has been a separate conversation on the = forum with the occasional dip here to the list. But that was not a regular = two-way conversation. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Regular conversation on the Dev Mailing list is many= times met with silence. I get it, people are busy. >>>>>>>>>>>>>>>>>>> And regular two-way conversation doesn=E2=80=99t happe= n on the list. At least not with me. I=E2=80=99d be happy to point out the= posts that were met with silence. >>>>>>>>>>>>>>>>>>> Again, I get it, people are busy. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> And you think my emails are not being met with silence= ? This has nothing to do with this specific topic. This has something to do = with how occupied people are and how engaged they are on certain topics. N= ot everyone is involved in all the things and simply will ignore emails sim= ply based on their subject line. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> But the "dip here to the list" were my attempts to ge= t a conversation started. As I said, many time met with silence. >>>>>>>>>>>>>>>>>>> The only place I was not met with silence was on the C= ommunity. You have a great group of people in the Community. It is a shame= you don=E2=80=99t want to have others help. It would reduce your workload. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> You should stop making statements that are not true. W= ho doesn=E2=80=99t want anyone to help? >>>>>>>>>>>>>>>>>> Not having this conversation on a Saturday evening woul= d reduce my workload. At least it would free up time for something else. He= lping with the things that are already on the go would reduce the workload= of the entire team. Starting one thing at a time and finishing it is a lot= better to manage than starting a hundred things and not even finish one. I= can tell you that I already have a hundred things on the go. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Therefore, what am I supposed to do with this email? >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> To me it is beyond obvious=E2=80=A6 >>>>>>>>>>>>>>>>>>> If it isn=E2=80=99t what you want, then guide me with= how to do this the correct way. And be specific. I am trying to help. I am= trying to make things better. I am trying to do things the right way. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> To me it isn=E2=80=99t. This is yet another project th= at has been dumped to the list like so many before and later on everyone ha= s left to have the team deal with the rest. >>>>>>>>>>>>>>>>>> It is a huge patch set. You explained what the vision i= s, but that is about it. There is no chance this will continue if this disa= greement isn=E2=80=99t solved first. I didn=E2=80=99t even look at the code= . >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> I don=E2=80=99t want to merge code that I don=E2=80= =99t agree with. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> I asked multiple times if you "agreed with the concep= t" and again, met with silence. Yes I get it, people are busy. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Having support for RPZ? Yes, it was definitely on the= roadmap. That I agree with. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> So many fundamental things that I have been raising h= ave either not been discussed or outright dismissed. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> You mentioned this a in the past, but for some reason = you do not disclose what I dismissed. Why do you continue to make this har= der, wouldn=E2=80=99t it not be easier to tell me what I have dismissed? >>>>>>>>>>>>>>>>>>> I have sent multiple emails trying to answer your conc= erns and comments. On July 28, Aug 14, Aug 22, Aug 23, Sep 30, etc. >>>>>>>>>>>>>>>>>>> I=E2=80=99ve gone through all of the questions you ask= ed and I cannot find a "dismissed" item. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Maybe I need to be *more clear*. I feel humoured by th= is. >>>>>>>>>>>>>>>>>> It is late on a Saturday and I want my dinner soon, but = certainly I have stated that this should never be an add-on considering it = is supposed to replace URL Filter. We should never allow people to add the= ir own sources. I have also stated that we cannot download any lists over H= TTPS again and again and again. The implementation that we have here seems= to exactly do that and therefore I think that my feedback has been dismisse= d entirely. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> I don=E2=80=99t want to merge code that has no future = inside IPFire as there is no constructive conversation with the maintainer= s of it. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> The maintainers of Unbound and/or RPZ? >>>>>>>>>>>>>>>>>>> The maintainers of Hagezi list, the threatfox list, th= e urlhaus list, etc.? >>>>>>>>>>>>>>>>>>> What else? The maintainers or the RPZ scripts? That is = me. Let=E2=80=99s talk! >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> You. I don=E2=80=99t care much about the providers of= the lists. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> See, this is where it gets confusing. There are hundr= eds of open source packages as part of IPFire. Pick the last five years of= items added to the IPFire build. You're telling me you have "constructive c= onversation with the maintainers" of all of the added packages? >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> They publish their software and they don=E2=80=99t car= e whether I am pulling it or not. They publish it with the commitment to ma= intain it - sometimes for better and sometimes for worse. >>>>>>>>>>>>>>>>>> You care about me pulling your code and I don=E2=80=99t = know whether you would commit to maintain this. >>>>>>>>>>>>>>>>>> These two are very different cases. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Pick the IP Blocklists list (i.e., 3CORESEC, ABUSECH, = DSHIELD, SPAMHAUS, etc.) or the Suricata lists (i.e.,Emergingthreats.net <= http://emergingthreats.net/>,Abuse.ch , etc.). So you=E2= =80=99ve have "constructive conversation with the maintainers"? >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Yes, occasionally I have phone calls with a few of the= se providers. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Having been trying for a long time to make you aware= of this, nothing of this should come as a surprise. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Ha! Yes a surprise. In the beginning you seemed inter= ested as IPFire needed a replacement for URL Filter. You asked good questio= ns about the lists picked, asked for the value to the users, etc. And I ans= wered the best I could. >>>>>>>>>>>>>>>>>>> You even asked: =E2=80=9CWhy is this realised as an ad= d-on and not part of the core system?=E2=80=9D from your Jul 28, 2024 email= . >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Ah, so, why is the patch creating an add-on? Not that= I am saying that what I say is law, but it has not been challenged either.= If my input is being ignored, why should I put this to the top of my list o= f priorities? I am not disappointed about this, just trying to be very good = with my time. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> And on January 16, 2025 I wrote a message looking for = help. And you were kind to respond quickly. So in three weeks time, since= the kind response, something has changed. You went from supportive to "this= ". >>>>>>>>>>>>>>>>>>> So yes, I am surprised. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Well, maybe I should not have replied to that email. I= t was clear that you were on some path that was not right, but you were not = interested before in finding the right path from the beginning. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Please consider if that can be changed and if there i= s a path forward with this. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Be more specific, what has to change? What exactly di= d I dismiss? >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Dismissal is just my assumption. I don=E2=80=99t know= what you actually did with my feedback. I can only see the end product that = does not seem contain much of it. Repeatedly I have been pointing out that = we should think before we build. I am sure a lot of hours have now gone in= to some code that simply does not satisfy me. And I am not not talking abou= t the code itself, what it does is what I don=E2=80=99t think is right for= us. >>>>>>>>>>>>>>>>>> The process is very clear for me that we should first o= f all think whether we want a certain feature now. Then there should be a c= lear roadmap for everyone to follow; tasks can be split-up as we go and hop= efully then have something that is maintainable, interesting for our users= and even would do us proud. This is how this should work. >>>>>>>>>>>>>>>>>> So, what has to change? I don=E2=80=99t think with shou= ting at each other, throwing patches around and making me generally unhappy = is a good start. >>>>>>>>>>>>>>>>>> -Michael >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Jon >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> On Feb 6, 2025, at 2:13=E2=80=AFPM, Michael Tremer <= michael.tremer@ipfire.org> wrote: >>>>>>>>>>>>>>>>>>>> Hello Jon, >>>>>>>>>>>>>>>>>>>> Well, here we are again with another patch regarding= this feature. >>>>>>>>>>>>>>>>>>>> I cannot quite see from your email what the question= is, but if this is a request to have this merged into IPFire, I am once aga= in sorry to disappoint you. >>>>>>>>>>>>>>>>>>>> I think I have covered this all at lengths before tha= t this project has been started as a separate effort and as far as I am awa= re none of the other team members has been involved. This has not been disc= ussed either on this list, on our calls. Instead there has been a separate= conversation on the forum with the occasional dip here to the list. But tha= t was not a regular two-way conversation. Therefore, what am I supposed to= do with this email? >>>>>>>>>>>>>>>>>>>> I don=E2=80=99t want to merge code that I don=E2=80= =99t agree with. So many fundamental things that I have been raising have e= ither not been discussed or outright dismissed. >>>>>>>>>>>>>>>>>>>> I don=E2=80=99t want to merge code that has no future = inside IPFire as there is no constructive conversation with the maintainer= s of it. >>>>>>>>>>>>>>>>>>>> Having been trying for a long time to make you aware= of this, nothing of this should come as a surprise. >>>>>>>>>>>>>>>>>>>> Please consider if that can be changed and if there i= s a path forward with this. >>>>>>>>>>>>>>>>>>>> All the best, >>>>>>>>>>>>>>>>>>>> -Michael >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> On 6 Feb 2025, at 16:35, Jon Murphy wrote: >>>>>>>>>>>>>>>>>>>>> What is it? >>>>>>>>>>>>>>>>>>>>> Response Policy Zone (RPZ) is a mechanism to define= local policies in a >>>>>>>>>>>>>>>>>>>>> standardized way and load those policies from extern= al sources. >>>>>>>>>>>>>>>>>>>>> Bottom line: RPZ allows admins to easily block acces= s to websites via DNS lookup. >>>>>>>>>>>>>>>>>>>>> RPZ can block websites via categories. Examples incl= ude: fake websites, annoying >>>>>>>>>>>>>>>>>>>>> pop-up ads, newly registered domains, DoH bypass sit= es, bad "host" services, >>>>>>>>>>>>>>>>>>>>> maliscious top level domains (e.g., *.zip, *.mov), p= iracy, gambling, pornography, >>>>>>>>>>>>>>>>>>>>> and more. RPZ lists come from various RPZ providers= and their available >>>>>>>>>>>>>>>>>>>>> catagories. >>>>>>>>>>>>>>>>>>>>> This RPZ add-on enables the RPZ functionality by add= ing a couple lines in a >>>>>>>>>>>>>>>>>>>>> configuration file. This add-on simply adds configur= ation files and adds >>>>>>>>>>>>>>>>>>>>> scripts (config, metrics and sleep) to make RPZ easi= er for the admin to use. >>>>>>>>>>>>>>>>>>>>> The RPZ scripts include additional languages: German= , Spanish, French, Turkish, >>>>>>>>>>>>>>>>>>>>> and Italian. >>>>>>>>>>>>>>>>>>>>> RPZ itself was release in 2010 and has been part of= the IPFire build since ~2015. >>>>>>>>>>>>>>>>>>>>> Why is it needed? What is its value? >>>>>>>>>>>>>>>>>>>>> - The RPZ concept places this filtering into IPFire, = our internet access >>>>>>>>>>>>>>>>>>>>> gateway, which is (should be) solely used as DNS sou= rce of the internal network. >>>>>>>>>>>>>>>>>>>>> - As most sites use HTTPS it makes it difficult to f= ilter traffic with URL >>>>>>>>>>>>>>>>>>>>> Filter without also properly configuring conventiona= l (non-transparent) >>>>>>>>>>>>>>>>>>>>> mode on the proxy. RPZ is a nice replacement for the = URL Filter. >>>>>>>>>>>>>>>>>>>>> - No need to install and maintain an additional devi= ce like PiHole or AdBlock >>>>>>>>>>>>>>>>>>>>> browser extensions on multiple user devices. >>>>>>>>>>>>>>>>>>>>> - This is an additional layer of protection for user= s. Less worry someone will >>>>>>>>>>>>>>>>>>>>> click on something that gets them into trouble. And, = saying this with emphasis, >>>>>>>>>>>>>>>>>>>>> the ability to do it in one place! >>>>>>>>>>>>>>>>>>>>> - Blocked sites save on unneeded traffic and can les= sen the threat of malware >>>>>>>>>>>>>>>>>>>>> in advertisements >>>>>>>>>>>>>>>>>>>>> - Logging allows the admin to see the site blocked a= nd take actions >>>>>>>>>>>>>>>>>>>>> - RPZ will be used at the home, home-office (work fr= om home), schools, >>>>>>>>>>>>>>>>>>>>> ministerial, and at the office. Device counts are sm= all (2-6) to medium (~80) >>>>>>>>>>>>>>>>>>>>> to mediam-large (200+). >>>>>>>>>>>>>>>>>>>>> - RPZ can block ads, popups, phishing, scammers, spy= ware, malware, annoying >>>>>>>>>>>>>>>>>>>>> popups, NSFW links, DOH servers, and the usual inter= net trash. >>>>>>>>>>>>>>>>>>>>> ------------------------------ >>>>>>>>>>>>>>>>>>>>> Change Log for RPZ add-on >>>>>>>>>>>>>>>>>>>>> rpz-1.0.0-18 on 2025-02-05 >>>>>>>>>>>>>>>>>>>>> - Build for approval & release as IPFire add-on >>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.18-18.ipfire on 2025-02-01 >>>>>>>>>>>>>>>>>>>>> rpz.cgi: >>>>>>>>>>>>>>>>>>>>> - new feature: added a mod key to force a unbound re= start >>>>>>>>>>>>>>>>>>>>> rpz-config and rpz-make: >>>>>>>>>>>>>>>>>>>>> - new feature: added action for unbound restart `rpz= -config unbound-restart` >>>>>>>>>>>>>>>>>>>>> rpz-metrics: >>>>>>>>>>>>>>>>>>>>> - simple reformatting >>>>>>>>>>>>>>>>>>>>> - rename far right column from "last update" to "las= t download" >>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.17-17.ipfire on 2024-12-09 >>>>>>>>>>>>>>>>>>>>> rpz-make >>>>>>>>>>>>>>>>>>>>> - bug fix: corrected validation regex for wildcards= like: `*.domain.com` >>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.16-16.ipfire on 2024-11-18 >>>>>>>>>>>>>>>>>>>>> rpz-make >>>>>>>>>>>>>>>>>>>>> - new feature: updated validation regex >>>>>>>>>>>>>>>>>>>>> - bug fix: moved validation to beginning of process. = Now we validate before >>>>>>>>>>>>>>>>>>>>> creating config files. >>>>>>>>>>>>>>>>>>>>> rpz.cgi: >>>>>>>>>>>>>>>>>>>>> - new feature: use CSS color variables of the main i= pfire theme >>>>>>>>>>>>>>>>>>>>> - bug fix: empty zonefile remarks were stored as =E2= =80=9Cundef=E2=80=9D and caused a warning >>>>>>>>>>>>>>>>>>>>> - bug fix: HTML textarea removes the first empty lin= e in a custom list >>>>>>>>>>>>>>>>>>>>> - thank you Leo! >>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.15-15.ipfire on 2024-11-04 >>>>>>>>>>>>>>>>>>>>> rpz.cgi: >>>>>>>>>>>>>>>>>>>>> - new feature: added new language file for Turkish (= thank you Peppe) >>>>>>>>>>>>>>>>>>>>> rpz-make >>>>>>>>>>>>>>>>>>>>> - bug fix: corrected empty allow/block list issue. A= n empty allow/block list >>>>>>>>>>>>>>>>>>>>> will now remove contents of allow/block.rpz files an= d remove unneeded >>>>>>>>>>>>>>>>>>>>> allow/block.conf file. (thank you iptom) >>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.14-14.ipfire on 2024-10-29 >>>>>>>>>>>>>>>>>>>>> rpz-config: >>>>>>>>>>>>>>>>>>>>> - bug fix: correct missing rpz extension. `rpz-confi= g list` displayed URL >>>>>>>>>>>>>>>>>>>>> incorrectly (thank you Bernhard) >>>>>>>>>>>>>>>>>>>>> rpz.cgi: >>>>>>>>>>>>>>>>>>>>> - bug fix: remove extra `"` in language files (thank = you Bernhard) >>>>>>>>>>>>>>>>>>>>> - new feature: slightly dim "apply" button when not= enabled >>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.13-13.ipfire on 2024-10-27 >>>>>>>>>>>>>>>>>>>>> - skipped >>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.12-12.ipfire on 2024-10-21 >>>>>>>>>>>>>>>>>>>>> rpz.cgi: >>>>>>>>>>>>>>>>>>>>> - new feature: added new language file for French (t= hank you gw-ipfire) >>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.11-11.ipfire on 2024-10-18 >>>>>>>>>>>>>>>>>>>>> rpz.cgi: >>>>>>>>>>>>>>>>>>>>> - new feature: added new language file for Italian (= thank you umberto) >>>>>>>>>>>>>>>>>>>>> - new feature: added new language file for Spanish (= thank you Roberto) >>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.10-10.ipfire on 2024-10-15 >>>>>>>>>>>>>>>>>>>>> rpz-make: >>>>>>>>>>>>>>>>>>>>> - bug fix: corrected validation error for a custom l= ist entry (thank you siosios) >>>>>>>>>>>>>>>>>>>>> - e.g., `*.cloudflare-dns.com` >>>>>>>>>>>>>>>>>>>>> install.sh: >>>>>>>>>>>>>>>>>>>>> - bug fix: add chown to correct user created files >>>>>>>>>>>>>>>>>>>>> update.sh: >>>>>>>>>>>>>>>>>>>>> - bug fix: add chown to correct user created files (= thank you siosios) >>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.9-9.ipfire on 2024-10-08 >>>>>>>>>>>>>>>>>>>>> rpz.cgi: >>>>>>>>>>>>>>>>>>>>> - new feature: added new language file for German (t= hank you Leo) >>>>>>>>>>>>>>>>>>>>> - bug fix: add missing "rpz exitcode 110" >>>>>>>>>>>>>>>>>>>>> - bug fix: corrected missing RPZ menu item at menu > = IPFire >>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.8-8.ipfire on 2024-10-04 >>>>>>>>>>>>>>>>>>>>> - skipped >>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.7-7.ipfire on 2024-10-03 >>>>>>>>>>>>>>>>>>>>> All: >>>>>>>>>>>>>>>>>>>>> - new feature: includes beta version numbers for pak= fire package, >>>>>>>>>>>>>>>>>>>>> instead of only `rpz-1.0.0-1.ipfire`, for each relea= se. >>>>>>>>>>>>>>>>>>>>> rpz.cgi: >>>>>>>>>>>>>>>>>>>>> - new feature: added new WebGUI at `rpz.cgi` >>>>>>>>>>>>>>>>>>>>> - a BIG thank you to Leo Hofmann for all of his work = creating the webgui!! >>>>>>>>>>>>>>>>>>>>> - bug fix: corrected missing RPZ menu item at menu > = IPFire >>>>>>>>>>>>>>>>>>>>> rpz-make: >>>>>>>>>>>>>>>>>>>>> - new feature: validate entries in allowlist and blo= cklist >>>>>>>>>>>>>>>>>>>>> - new feature: add "no-reload" option for WebGUI >>>>>>>>>>>>>>>>>>>>> rpz-metrics: >>>>>>>>>>>>>>>>>>>>> - new feature: info can be sorted by name, by hit co= unt, by line count, by >>>>>>>>>>>>>>>>>>>>> "enabled" list or all lists >>>>>>>>>>>>>>>>>>>>> backups: >>>>>>>>>>>>>>>>>>>>> - bug fix: include all files in `/var/ipfire/dns/rpz= ` directory in backup >>>>>>>>>>>>>>>>>>>>> update.sh: >>>>>>>>>>>>>>>>>>>>> - bug fix: corrected ownership for `/var/ipfire/dns/= rpz` directory during an >>>>>>>>>>>>>>>>>>>>> update >>>>>>>>>>>>>>>>>>>>> Build: >>>>>>>>>>>>>>>>>>>>> - bug fix: `block.rpz.conf` and `block.rpz` from bui= ld. Files to be created >>>>>>>>>>>>>>>>>>>>> by `rpz-make` >>>>>>>>>>>>>>>>>>>>> WebGUI and German language file >>>>>>>>>>>>>>>>>>>>> Contribution-by: Leo-Andres Hofmann >>>>>>>>>>>>>>>>>>>>> Spanish language file >>>>>>>>>>>>>>>>>>>>> Contribution-by: Roberto Pe=C3=B1a >>>>>>>>>>>>>>>>>>>>> Italian language file >>>>>>>>>>>>>>>>>>>>> Contribution-by: Umberto Parma >>>>>>>>>>>>>>>>>>>>> French language file >>>>>>>>>>>>>>>>>>>>> Contribution-by: gw-ipfire >>>>>>>>>>>>>>>>>>>>> Turkish language file >>>>>>>>>>>>>>>>>>>>> Contribution-by: Peppe Tech >>>>>>>>>>>>>>>>>>>>> Contribution-by: Bernhard Bitsch >>>>>>>>>>>>>>>>>>>>> Contribution-by: Erik Kapfer >>>>>>>>>>>>>>>>>>>>> Signed-off-by: Jon Murphy >>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>> config/backup/includes/rpz | 4 + >>>>>>>>>>>>>>>>>>>>> config/cfgroot/manualpages | 1 + >>>>>>>>>>>>>>>>>>>>> config/menu/EX-rpz.menu | 6 + >>>>>>>>>>>>>>>>>>>>> config/rootfiles/common/configroot | 1 + >>>>>>>>>>>>>>>>>>>>> config/rootfiles/common/web-user-interface | 1 + >>>>>>>>>>>>>>>>>>>>> config/rootfiles/packages/rpz | 20 + >>>>>>>>>>>>>>>>>>>>> config/rpz/00-rpz.conf | 10 + >>>>>>>>>>>>>>>>>>>>> config/rpz/rpz-config | 130 +++ >>>>>>>>>>>>>>>>>>>>> config/rpz/rpz-functions | 85 ++ >>>>>>>>>>>>>>>>>>>>> config/rpz/rpz-make | 203 +++++ >>>>>>>>>>>>>>>>>>>>> config/rpz/rpz-metrics | 170 ++++ >>>>>>>>>>>>>>>>>>>>> config/rpz/rpz-sleep | 58 ++ >>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.de.pl | 30 + >>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.en.pl | 30 + >>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.es.pl | 30 + >>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.fr.pl | 30 + >>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.it.pl | 30 + >>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.tr.pl | 30 + >>>>>>>>>>>>>>>>>>>>> html/cgi-bin/rpz.cgi | 923 +++++++++++++++++++++ >>>>>>>>>>>>>>>>>>>>> lfs/rpz | 96 +++ >>>>>>>>>>>>>>>>>>>>> make.sh | 3 +- >>>>>>>>>>>>>>>>>>>>> src/paks/rpz/install.sh | 36 + >>>>>>>>>>>>>>>>>>>>> src/paks/rpz/uninstall.sh | 38 + >>>>>>>>>>>>>>>>>>>>> src/paks/rpz/update.sh | 52 ++ >>>>>>>>>>>>>>>>>>>>> 24 files changed, 2016 insertions(+), 1 deletion(-) >>>>>>>>>>>>>>>>>>>>> create mode 100644 config/backup/includes/rpz >>>>>>>>>>>>>>>>>>>>> create mode 100644 config/menu/EX-rpz.menu >>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rootfiles/packages/rpz >>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/00-rpz.conf >>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz-config >>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz-functions >>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz-make >>>>>>>>>>>>>>>>>>>>> create mode 100755 config/rpz/rpz-metrics >>>>>>>>>>>>>>>>>>>>> create mode 100755 config/rpz/rpz-sleep >>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz.de.pl >>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz.en.pl >>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz.es.pl >>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz.fr.pl >>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz.it.pl >>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz.tr.pl >>>>>>>>>>>>>>>>>>>>> create mode 100644 html/cgi-bin/rpz.cgi >>>>>>>>>>>>>>>>>>>>> create mode 100644 lfs/rpz >>>>>>>>>>>>>>>>>>>>> create mode 100644 src/paks/rpz/install.sh >>>>>>>>>>>>>>>>>>>>> create mode 100644 src/paks/rpz/uninstall.sh >>>>>>>>>>>>>>>>>>>>> create mode 100644 src/paks/rpz/update.sh >>>>>>>>>>>>>>>>>>>>> diff --git a/config/backup/includes/rpz b/config/bac= kup/includes/rpz >>>>>>>>>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>>>>>>>>> index 000000000..36513e494 >>>>>>>>>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>>>>>>>>> +++ b/config/backup/includes/rpz >>>>>>>>>>>>>>>>>>>>> @@ -0,0 +1,4 @@ >>>>>>>>>>>>>>>>>>>>> +/var/ipfire/dns/rpz/* >>>>>>>>>>>>>>>>>>>>> +/etc/unbound/zonefiles/allow.rpz >>>>>>>>>>>>>>>>>>>>> +/etc/unbound/zonefiles/block.rpz >>>>>>>>>>>>>>>>>>>>> +/etc/unbound/local.d/*rpz.conf >>>>>>>>>>>>>>>>>>>>> diff --git a/config/cfgroot/manualpages b/config/cfg= root/manualpages >>>>>>>>>>>>>>>>>>>>> index 1f7e01efc..d3a48c633 100644 >>>>>>>>>>>>>>>>>>>>> --- a/config/cfgroot/manualpages >>>>>>>>>>>>>>>>>>>>> +++ b/config/cfgroot/manualpages >>>>>>>>>>>>>>>>>>>>> @@ -70,6 +70,7 @@ pakfire.cgi=3Dconfiguration/ipfire= /pakfire >>>>>>>>>>>>>>>>>>>>> wlanap.cgi=3Daddons/wireless >>>>>>>>>>>>>>>>>>>>> tor.cgi=3Daddons/tor >>>>>>>>>>>>>>>>>>>>> samba.cgi=3Daddons/samba >>>>>>>>>>>>>>>>>>>>> +rpz.cgi=3Daddons/rpz >>>>>>>>>>>>>>>>>>>>> # Logs menu >>>>>>>>>>>>>>>>>>>>> logs.cgi/summary.dat=3Dconfiguration/logs/summary >>>>>>>>>>>>>>>>>>>>> diff --git a/config/menu/EX-rpz.menu b/config/menu/E= X-rpz.menu >>>>>>>>>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>>>>>>>>> index 000000000..2f4daf410 >>>>>>>>>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>>>>>>>>> +++ b/config/menu/EX-rpz.menu >>>>>>>>>>>>>>>>>>>>> @@ -0,0 +1,6 @@ >>>>>>>>>>>>>>>>>>>>> +$subipfire->{'20.rpz'} =3D { >>>>>>>>>>>>>>>>>>>>> + 'caption' =3D> $Lang::tr{'rpz'}, >>>>>>>>>>>>>>>>>>>>> + 'uri' =3D> '/cgi-bin/rpz.cgi', >>>>>>>>>>>>>>>>>>>>> + 'title' =3D> "RPZ", >>>>>>>>>>>>>>>>>>>>> + 'enabled' =3D> 1, >>>>>>>>>>>>>>>>>>>>> +}; >>>>>>>>>>>>>>>>>>>>> diff --git a/config/rootfiles/common/configroot b/co= nfig/rootfiles/common/configroot >>>>>>>>>>>>>>>>>>>>> index 9839eee45..b30d6aae4 100644 >>>>>>>>>>>>>>>>>>>>> --- a/config/rootfiles/common/configroot >>>>>>>>>>>>>>>>>>>>> +++ b/config/rootfiles/common/configroot >>>>>>>>>>>>>>>>>>>>> @@ -120,6 +120,7 @@ var/ipfire/menu.d/70-log.menu >>>>>>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-apcupsd.menu >>>>>>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-guardian.menu >>>>>>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-mympd.menu >>>>>>>>>>>>>>>>>>>>> +#var/ipfire/menu.d/EX-rpz.menu >>>>>>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-samba.menu >>>>>>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-tor.menu >>>>>>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-transmission.menu >>>>>>>>>>>>>>>>>>>>> diff --git a/config/rootfiles/common/web-user-interf= ace b/config/rootfiles/common/web-user-interface >>>>>>>>>>>>>>>>>>>>> index 816241dae..e00464076 100644 >>>>>>>>>>>>>>>>>>>>> --- a/config/rootfiles/common/web-user-interface >>>>>>>>>>>>>>>>>>>>> +++ b/config/rootfiles/common/web-user-interface >>>>>>>>>>>>>>>>>>>>> @@ -69,6 +69,7 @@ srv/web/ipfire/cgi-bin/proxy.cgi >>>>>>>>>>>>>>>>>>>>> srv/web/ipfire/cgi-bin/qos.cgi >>>>>>>>>>>>>>>>>>>>> srv/web/ipfire/cgi-bin/remote.cgi >>>>>>>>>>>>>>>>>>>>> srv/web/ipfire/cgi-bin/routing.cgi >>>>>>>>>>>>>>>>>>>>> +#srv/web/ipfire/cgi-bin/rpz.cgi >>>>>>>>>>>>>>>>>>>>> #srv/web/ipfire/cgi-bin/samba.cgi >>>>>>>>>>>>>>>>>>>>> srv/web/ipfire/cgi-bin/services.cgi >>>>>>>>>>>>>>>>>>>>> srv/web/ipfire/cgi-bin/shutdown.cgi >>>>>>>>>>>>>>>>>>>>> diff --git a/config/rootfiles/packages/rpz b/config/= rootfiles/packages/rpz >>>>>>>>>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>>>>>>>>> index 000000000..1c8663049 >>>>>>>>>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>>>>>>>>> +++ b/config/rootfiles/packages/rpz >>>>>>>>>>>>>>>>>>>>> @@ -0,0 +1,20 @@ >>>>>>>>>>>>>>>>>>>>> +etc/unbound/local.d/00-rpz.conf >>>>>>>>>>>>>>>>>>>>> +etc/unbound/zonefiles >>>>>>>>>>>>>>>>>>>>> +etc/unbound/zonefiles/allow.rpz >>>>>>>>>>>>>>>>>>>>> +usr/sbin/rpz-config >>>>>>>>>>>>>>>>>>>>> +usr/sbin/rpz-functions >>>>>>>>>>>>>>>>>>>>> +usr/sbin/rpz-make >>>>>>>>>>>>>>>>>>>>> +usr/sbin/rpz-metrics >>>>>>>>>>>>>>>>>>>>> +usr/sbin/rpz-sleep >>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.de.pl >>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.en.pl >>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.es.pl >>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.fr.pl >>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.it.pl >>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.tr.pl >>>>>>>>>>>>>>>>>>>>> +var/ipfire/backup/addons/includes/rpz >>>>>>>>>>>>>>>>>>>>> +var/ipfire/dns/rpz >>>>>>>>>>>>>>>>>>>>> +var/ipfire/dns/rpz/allowlist >>>>>>>>>>>>>>>>>>>>> +var/ipfire/dns/rpz/blocklist >>>>>>>>>>>>>>>>>>>>> +var/ipfire/menu.d/EX-rpz.menu >>>>>>>>>>>>>>>>>>>>> +srv/web/ipfire/cgi-bin/rpz.cgi >>>>>>>>>>>>>>>>>>>>> diff --git a/config/rpz/00-rpz.conf b/config/rpz/00-= rpz.conf >>>>>>>>>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>>>>>>>>> index 000000000..f005a4f2e >>>>>>>>>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>>>>>>>>> +++ b/config/rpz/00-rpz.conf >>>>>>>>>>>>>>>>>>>>> @@ -0,0 +1,10 @@ >>>>>>>>>>>>>>>>>>>>> +server: >>>>>>>>>>>>>>>>>>>>> + module-config: "respip validator iterator" >>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>> +rpz: >>>>>>>>>>>>>>>>>>>>> + name: allow.rpz >>>>>>>>>>>>>>>>>>>>> + zonefile: /etc/unbound/zonefiles/allow.rpz >>>>>>>>>>>>>>>>>>>>> + rpz-action-override: passthru >>>>>>>>>>>>>>>>>>>>> + rpz-log: yes >>>>>>>>>>>>>>>>>>>>> + rpz-log-name: allow >>>>>>>>>>>>>>>>>>>>> + rpz-signal-nxdomain-ra: yes >>>>>>>>>>>>>>>>>>>>> diff --git a/config/rpz/rpz-config b/config/rpz/rpz-= config >>>>>>>>>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>>>>>>>>> index 000000000..c72d50f9b >>>>>>>>>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>>>>>>>>> +++ b/config/rpz/rpz-config >>>>>>>>>>>>>>>>>>>>> @@ -0,0 +1,130 @@ >>>>>>>>>>>>>>>>>>>>> +#!/bin/bash >>>>>>>>>>>>>>>>>>>>> +###################################################= ############################ >>>>>>>>>>>>>>>>>>>>> +# # >>>>>>>>>>>>>>>>>>>>> +# IPFire.org - A linux based firewall # >>>>>>>>>>>>>>>>>>>>> +# Copyright (C) 2024-2025 IPFire Team # >>>>>>>>>>>>>>>>>>>>> +# # >>>>>>>>>>>>>>>>>>>>> +# This program is free software: you can redistribu= te it and/or modify # >>>>>>>>>>>>>>>>>>>>> +# it under the terms of the GNU General Public Lice= nse as published by # >>>>>>>>>>>>>>>>>>>>> +# the Free Software Foundation, either version 3 of = the License, or # >>>>>>>>>>>>>>>>>>>>> +# (at your option) any later version. # >>>>>>>>>>>>>>>>>>>>> +# # >>>>>>>>>>>>>>>>>>>>> +# This program is distributed in the hope that it w= ill be useful, # >>>>>>>>>>>>>>>>>>>>> +# but WITHOUT ANY WARRANTY; without even the implie= d warranty of # >>>>>>>>>>>>>>>>>>>>> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPO= SE. See the # >>>>>>>>>>>>>>>>>>>>> +# GNU General Public License for more details. # >>>>>>>>>>>>>>>>>>>>> +# # >>>>>>>>>>>>>>>>>>>>> +# You should have received a copy of the GNU Genera= l Public License # >>>>>>>>>>>>>>>>>>>>> +# along with this program. If not, see . # >>>>>>>>>>>>>>>>>>>>> +# # >>>>>>>>>>>>>>>>>>>>> +###################################################= ############################ >>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>> +version=3D"2025-01-11 - v44" >>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>> +############### Functions ############### >>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>> +source /usr/sbin/rpz-functions >>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>> +############### Main ############### >>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>> +tagName=3D"unbound" >>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>> +rpzAction=3D"${1}" # input RPZ action >>>>>>>>>>>>>>>>>>>>> +rpzName=3D"${2}" # input RPZ name >>>>>>>>>>>>>>>>>>>>> +rpzURL=3D"${3}" # input RPZ URL >>>>>>>>>>>>>>>>>>>>> +rpzOption1=3D"${4}" # input RPZ option #1 >>>>>>>>>>>>>>>>>>>>> +rpzOption2=3D"${5}" # input RPZ option #2 >>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>> +rpzConfig=3D"/etc/unbound/local.d/${rpzName}.rpz.co= nf" # output zone conf file >>>>>>>>>>>>>>>>>>>>> +rpzFile=3D"/etc/unbound/zonefiles/${rpzName}.rpz" # = output for RPZ file >>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>> +rpzLog=3D"yes" # log default is yes >>>>>>>>>>>>>>>>>>>>> +ucReload=3D"yes" # reload default is yes >>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>> +while [[ $# -gt 0 ]] ; do >>>>>>>>>>>>>>>>>>>>> + case "$1" in >>>>>>>>>>>>>>>>>>>>> + --no-log ) rpzLog=3D"no" ;; >>>>>>>>>>>>>>>>>>>>> + --no-reload ) ucReload=3D"no" ; checkConf=3D"no" ;= ; >>>>>>>>>>>>>>>>>>>>> + esac >>>>>>>>>>>>>>>>>>>>> + shift # Shift after checking all the cases to get= next option >>>>>>>>>>>>>>>>>>>>> +done >>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>> +case "${rpzAction}" in >>>>>>>>>>>>>>>>>>>>> + # add new rpz list >>>>>>>>>>>>>>>>>>>>> + add ) >>>>>>>>>>>>>>>>>>>>> + check_name "${rpzName}" # is this a valid name? >>>>>>>>>>>>>>>>>>>>> + # does this config already exist? If yes, then exi= t >>>>>>>>>>>>>>>>>>>>> + if [[ -f "${rpzConfig}" ]] ; then >>>>>>>>>>>>>>>>>>>>> + msg_log "error: rpz: duplicate - ${rpzConfig} alre= ady exists. exit" >>>>>>>>>>>>>>>>>>>>> + exit 104 >>>>>>>>>>>>>>>>>>>>> + fi >>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>> + # is this a valid URL? >>>>>>>>>>>>>>>>>>>>> + regex=3D'^https://[-[:alnum:]\+&@#/%?=3D~_|!:,.;]*= [-[:alnum:]\+&@#/%=3D~_|]' >>>>>>>>>>>>>>>>>>>>> + if ! [[ "${rpzURL}" =3D~ $regex ]] ; then >>>>>>>>>>>>>>>>>>>>> + msg_log "error: rpz: the URL is not valid: \"${rpz= URL}\". exit." >>>>>>>>>>>>>>>>>>>>> + exit 105 >>>>>>>>>>>>>>>>>>>>> + fi >>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>> + # create the zone config file >>>>>>>>>>>>>>>>>>>>> + { >>>>>>>>>>>>>>>>>>>>> + echo "rpz:" >>>>>>>>>>>>>>>>>>>>> + echo " name: ${rpzName}.rpz" >>>>>>>>>>>>>>>>>>>>> + echo " zonefile: ${rpzFile}" >>>>>>>>>>>>>>>>>>>>> + echo " url: ${rpzURL}" >>>>>>>>>>>>>>>>>>>>> + echo " rpz-action-override: nxdomain" >>>>>>>>>>>>>>>>>>>>> + echo " rpz-log: ${rpzLog}" >>>>>>>>>>>>>>>>>>>>> + echo " rpz-log-name: ${rpzName}" >>>>>>>>>>>>>>>>>>>>> + echo " rpz-signal-nxdomain-ra: yes" >>>>>>>>>>>>>>>>>>>>> + } > "${rpzConfig}" >>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>> + # set-up zonefile >>>>>>>>>>>>>>>>>>>>> + # create an empty rpz file if it does not exist >>>>>>>>>>>>>>>>>>>>> + if [[ ! -f "${rpzFile}" ]] ; then >>>>>>>>>>>>>>>>>>>>> + touch "${rpzFile}" >>>>>>>>>>>>>>>>>>>>> + # unbound requires these settings for rpz files >>>>>>>>>>>>>>>>>>>>> + set_permissions "${rpzFile}" "${rpzConfig}" >>>>>>>>>>>>>>>>>>>>> + fi >>>>>>>>>>>>>>>>>>>>> + ;; >>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>> + # trash config file & rpz file >>>>>>>>>>>>>>>>>>>>> + remove ) >>>>>>>>>>>>>>>>>>>>> + if ! [[ -f "${rpzConfig}" ]] ; then >>>>>>>>>>>>>>>>>>>>> + msg_log "error: rpz: cannot remove ${rpzConfig}, d= oes not exist. exit" >>>>>>>>>>>>>>>>>>>>> + exit 106 >>>>>>>>>>>>>>>>>>>>> + fi >>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>> + msg_log "info: rpz: remove config file & rpz file= \"${rpzName}\"" >>>>>>>>>>>>>>>>>>>>> + rm "${rpzConfig}" >>>>>>>>>>>>>>>>>>>>> + rm "${rpzFile}" >>>>>>>>>>>>>>>>>>>>> + ;; >>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>> + reload ) >>>>>>>>>>>>>>>>>>>>> + check_unbound_conf "${checkConf}" >>>>>>>>>>>>>>>>>>>>> + ;; >>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>> + list ) >>>>>>>>>>>>>>>>>>>>> + awk -F':' '/^\s*name:/{ gsub(/[[:blank:]]|\.rpz/,= "",$2) ; NAME=3D$2 } \ >>>>>>>>>>>>>>>>>>>>> + /^\s*url:/{ gsub(/[[:blank:]]/, "") ; print NAME"= =3D"$2":"$3} ' \ >>>>>>>>>>>>>>>>>>>>> + /etc/unbound/local.d/*rpz.conf >>>>>>>>>>>>>>>>>>>>> + exit >>>>>>>>>>>>>>>>>>>>> + ;; >>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>> + unbound-restart ) >>>>>>>>>>>>>>>>>>>>> + check_unbound_conf "${checkConf}" >>>>>>>>>>>>>>>>>>>>> + unbound_restart >>>>>>>>>>>>>>>>>>>>> + exit >>>>>>>>>>>>>>>>>>>>> + ;; >>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>> + * ) >>>>>>>>>>>>>>>>>>>>> + msg_log "error: rpz: missing or incorrect paramete= r" >>>>>>>>>>>>>>>>>>>>> + printf "Usage: $(basename "$0")