From mboxrd@z Thu Jan  1 00:00:00 1970
From: Bernhard Bitsch <bbitsch@ipfire.org>
To: development@lists.ipfire.org
Subject:
 Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
Date: Thu, 06 Feb 2025 20:35:45 +0100
Message-ID: <f9e02320-5327-43e5-8755-f00acb6b4b28@ipfire.org>
In-Reply-To: <20250206163522.2363178-1-jon.murphy@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0209691955325930092=="
List-Id: <development.lists.ipfire.org>

--===============0209691955325930092==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Tested-by: Bernhard Bitsch <bbitsch(a)ipfire.org>

I am one of the first testers of this concept and addon.
Thx Jon for bringing up this topic and doing the work to make it running.

Some comments about this functionality:
- From time to time there are discussions about DNS filters like PiHole=20
in the community. It is a bit complicated to define the data path of DNS=20
requests going entirely through the PiHole device.
- One solution would be to integrate the filter into IPFire. Don't know=20
about the effort to do this.
- The RPZ mechanism is integrated in unbound, our standard DNS 'server'.=20
Unbound is built with RPZ support, yet.
- The lists for RPZ filtering are auto-updated using SOA records.
- The 'Hagezi lists' ( link in Jon's wiki article ) seem to be well=20
maintained and updated daily. It is necessary to examine these by a=20
greater amount of IPFire users. Especially we should determine the=20
amount of extra memory usage for the lists.
- Jon extends the functionality by local allow and block lists. It isn't=20
clear enough, yet, how these can effective integrated in the RPZ=20
mechanism. Is it sufficient to 'reload' the unbound configuration or is=20
it necessary to 'restart' unbound.



Am 06.02.2025 um 17:35 schrieb Jon Murphy:
> What is it?
> Response Policy Zone (RPZ) is a mechanism to define local policies in a
> standardized way and load those policies from external sources.
> Bottom line: RPZ allows admins to easily block access to websites via DNS l=
ookup.
>=20
> RPZ can block websites via categories.  Examples include: fake websites, an=
noying
> pop-up ads, newly registered domains, DoH bypass sites, bad "host" services,
> maliscious top level domains (e.g., *.zip, *.mov), piracy, gambling, pornog=
raphy,
> and more.  RPZ lists come from various RPZ providers and their available
> catagories.
>=20
> This RPZ add-on enables the RPZ functionality by adding a couple lines in a
> configuration file.  This add-on simply adds configuration files and adds
> scripts (config, metrics and sleep) to make RPZ easier for the admin to use.
>=20
> The RPZ scripts include additional languages: German, Spanish, French, Turk=
ish,
> and Italian.
>=20
> RPZ itself was release in 2010 and has been part of the IPFire build since =
~2015.
>=20
> Why is it needed?  What is its value?
>=20
>   - The RPZ concept places this filtering into IPFire, our internet access
> gateway, which is (should be) solely used as DNS source of the internal net=
work.
>=20
>   - As most sites use HTTPS it makes it difficult to filter traffic with URL
> Filter without also properly configuring conventional (non-transparent)
> mode on the proxy.  RPZ is a nice replacement for the URL Filter.
>=20
>   - No need to install and maintain an additional device like PiHole or AdB=
lock
> browser extensions on multiple user devices.
>=20
>   - This is an additional layer of protection for users. Less worry someone=
 will
> click on something that gets them into trouble. And, saying this with empha=
sis,
> the ability to do it in one place!
>=20
>   - Blocked sites save on unneeded traffic and can lessen the threat of mal=
ware
> in advertisements
>=20
>   - Logging allows the admin to see the site blocked and take actions
>=20
>   - RPZ will be used at the home, home-office (work from home), schools,
> ministerial, and at the office.  Device counts are small (2-6) to medium (~=
80)
> to mediam-large (200+).
>=20
>   - RPZ can block ads, popups, phishing, scammers, spyware, malware, annoyi=
ng
> popups, NSFW links, DOH servers, and the usual internet trash.
>=20
> ------------------------------
>=20
> Change Log for RPZ add-on
>=20
> rpz-1.0.0-18 on 2025-02-05
>   - Build for approval & release as IPFire add-on
>=20
> ---
>=20
> rpz-beta-0.1.18-18.ipfire on 2025-02-01
> rpz.cgi:
>   - new feature: added a mod key to force a unbound restart
>=20
> rpz-config and rpz-make:
>   - new feature: added action for unbound restart `rpz-config unbound-resta=
rt`
>=20
> rpz-metrics:
>   - simple reformatting
>   - rename far right column from "last update" to "last download"
>=20
> ---
>=20
> rpz-beta-0.1.17-17.ipfire on 2024-12-09
> rpz-make
>   - bug fix: corrected validation regex for wildcards like: `*.domain.com`
>=20
> ---
>=20
> rpz-beta-0.1.16-16.ipfire on 2024-11-18
> rpz-make
>   - new feature: updated validation regex
>   - bug fix: moved validation to beginning of process.  Now we validate bef=
ore
> creating config files.
>=20
> rpz.cgi:
>   - new feature: use CSS color variables of the main ipfire theme
>   - bug fix: empty zonefile remarks were stored as =E2=80=9Cundef=E2=80=9D =
and caused a warning
>   - bug fix: HTML textarea removes the first empty line in a custom list
>   - thank you Leo!
>=20
> ---
>=20
> rpz-beta-0.1.15-15.ipfire on 2024-11-04
> rpz.cgi:
>   - new feature: added new language file for Turkish (thank you Peppe)
>=20
> rpz-make
>   - bug fix: corrected empty allow/block list issue.  An empty allow/block =
list
> will now remove contents of allow/block.rpz files and remove unneeded
> allow/block.conf file.  (thank you iptom)
>=20
> ---
>=20
> rpz-beta-0.1.14-14.ipfire on  2024-10-29
> rpz-config:
>   - bug fix: correct missing rpz extension. `rpz-config list` displayed URL
> incorrectly (thank you Bernhard)
>=20
> rpz.cgi:
>   - bug fix: remove extra `"` in language files (thank you Bernhard)
>   - new feature: slightly dim "apply" button when not enabled
>=20
> ---
>=20
> rpz-beta-0.1.13-13.ipfire on 2024-10-27
>   - skipped
>=20
> ---
>=20
> rpz-beta-0.1.12-12.ipfire on 2024-10-21
> rpz.cgi:
>   - new feature: added new language file for French  (thank you gw-ipfire)
>=20
> ---
>=20
> rpz-beta-0.1.11-11.ipfire on 2024-10-18
> rpz.cgi:
> - new feature: added new language file for Italian (thank you umberto)
> - new feature: added new language file for Spanish (thank you Roberto)
>=20
> ---
>=20
> rpz-beta-0.1.10-10.ipfire on 2024-10-15
> rpz-make:
>   - bug fix: corrected validation error for a custom list entry (thank you =
siosios)
>     - e.g., `*.cloudflare-dns.com`
>=20
> install.sh:
>   - bug fix: add chown to correct user created files
>=20
> update.sh:
>   - bug fix: add chown to correct user created files (thank you siosios)
>=20
> ---
>=20
> rpz-beta-0.1.9-9.ipfire on 2024-10-08
> rpz.cgi:
>   - new feature: added new language file for German (thank you Leo)
>   - bug fix: add missing "rpz exitcode 110"
>   - bug fix: corrected missing RPZ menu item at menu > IPFire
>=20
> ---
>=20
> rpz-beta-0.1.8-8.ipfire on 2024-10-04
>   - skipped
>=20
> ---
>=20
> rpz-beta-0.1.7-7.ipfire on 2024-10-03
> All:
>   - new feature: includes beta version numbers for pakfire package,
> instead of only `rpz-1.0.0-1.ipfire`, for each release.
>=20
> rpz.cgi:
>   - new feature: added new WebGUI at `rpz.cgi`
>      - a BIG thank you to Leo Hofmann for all of his work creating the webg=
ui!!
>   - bug fix: corrected missing RPZ menu item at menu > IPFire
>=20
> rpz-make:
>   - new feature: validate entries in allowlist and blocklist
>   - new feature: add "no-reload" option for WebGUI
>=20
> rpz-metrics:
>   - new feature: info can be sorted by name, by hit count, by line count, by
> "enabled" list or all lists
>=20
> backups:
>   - bug fix: include all files in `/var/ipfire/dns/rpz` directory in backup
>=20
> update.sh:
>   - bug fix: corrected ownership for `/var/ipfire/dns/rpz` directory during=
 an
> update
>=20
> Build:
>   - bug fix: `block.rpz.conf` and `block.rpz` from build.  Files to be crea=
ted
> by `rpz-make`
>=20
> WebGUI and German language file
> Contribution-by: Leo-Andres Hofmann <hofmann(a)leo-andres.de>
>=20
> Spanish language file
> Contribution-by: Roberto Pe=C3=B1a
>=20
> Italian language file
> Contribution-by: Umberto Parma
>=20
> French language file
> Contribution-by: gw-ipfire
>=20
> Turkish language file
> Contribution-by: Peppe Tech
>=20
> Contribution-by: Bernhard Bitsch <bbitsch(a)ipfire.org>
> Contribution-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
> Signed-off-by: Jon Murphy <jon.murphy(a)ipfire.org
> ---
>   config/backup/includes/rpz                 |   4 +
>   config/cfgroot/manualpages                 |   1 +
>   config/menu/EX-rpz.menu                    |   6 +
>   config/rootfiles/common/configroot         |   1 +
>   config/rootfiles/common/web-user-interface |   1 +
>   config/rootfiles/packages/rpz              |  20 +
>   config/rpz/00-rpz.conf                     |  10 +
>   config/rpz/rpz-config                      | 130 +++
>   config/rpz/rpz-functions                   |  85 ++
>   config/rpz/rpz-make                        | 203 +++++
>   config/rpz/rpz-metrics                     | 170 ++++
>   config/rpz/rpz-sleep                       |  58 ++
>   config/rpz/rpz.de.pl                       |  30 +
>   config/rpz/rpz.en.pl                       |  30 +
>   config/rpz/rpz.es.pl                       |  30 +
>   config/rpz/rpz.fr.pl                       |  30 +
>   config/rpz/rpz.it.pl                       |  30 +
>   config/rpz/rpz.tr.pl                       |  30 +
>   html/cgi-bin/rpz.cgi                       | 923 +++++++++++++++++++++
>   lfs/rpz                                    |  96 +++
>   make.sh                                    |   3 +-
>   src/paks/rpz/install.sh                    |  36 +
>   src/paks/rpz/uninstall.sh                  |  38 +
>   src/paks/rpz/update.sh                     |  52 ++
>   24 files changed, 2016 insertions(+), 1 deletion(-)
>   create mode 100644 config/backup/includes/rpz
>   create mode 100644 config/menu/EX-rpz.menu
>   create mode 100644 config/rootfiles/packages/rpz
>   create mode 100644 config/rpz/00-rpz.conf
>   create mode 100644 config/rpz/rpz-config
>   create mode 100644 config/rpz/rpz-functions
>   create mode 100644 config/rpz/rpz-make
>   create mode 100755 config/rpz/rpz-metrics
>   create mode 100755 config/rpz/rpz-sleep
>   create mode 100644 config/rpz/rpz.de.pl
>   create mode 100644 config/rpz/rpz.en.pl
>   create mode 100644 config/rpz/rpz.es.pl
>   create mode 100644 config/rpz/rpz.fr.pl
>   create mode 100644 config/rpz/rpz.it.pl
>   create mode 100644 config/rpz/rpz.tr.pl
>   create mode 100644 html/cgi-bin/rpz.cgi
>   create mode 100644 lfs/rpz
>   create mode 100644 src/paks/rpz/install.sh
>   create mode 100644 src/paks/rpz/uninstall.sh
>   create mode 100644 src/paks/rpz/update.sh
>=20
> diff --git a/config/backup/includes/rpz b/config/backup/includes/rpz
> new file mode 100644
> index 000000000..36513e494
> --- /dev/null
> +++ b/config/backup/includes/rpz
> @@ -0,0 +1,4 @@
> +/var/ipfire/dns/rpz/*
> +/etc/unbound/zonefiles/allow.rpz
> +/etc/unbound/zonefiles/block.rpz
> +/etc/unbound/local.d/*rpz.conf
> diff --git a/config/cfgroot/manualpages b/config/cfgroot/manualpages
> index 1f7e01efc..d3a48c633 100644
> --- a/config/cfgroot/manualpages
> +++ b/config/cfgroot/manualpages
> @@ -70,6 +70,7 @@ pakfire.cgi=3Dconfiguration/ipfire/pakfire
>   wlanap.cgi=3Daddons/wireless
>   tor.cgi=3Daddons/tor
>   samba.cgi=3Daddons/samba
> +rpz.cgi=3Daddons/rpz
>  =20
>   #	Logs menu
>   logs.cgi/summary.dat=3Dconfiguration/logs/summary
> diff --git a/config/menu/EX-rpz.menu b/config/menu/EX-rpz.menu
> new file mode 100644
> index 000000000..2f4daf410
> --- /dev/null
> +++ b/config/menu/EX-rpz.menu
> @@ -0,0 +1,6 @@
> +$subipfire->{'20.rpz'} =3D {
> +    'caption' =3D> $Lang::tr{'rpz'},
> +    'uri' =3D> '/cgi-bin/rpz.cgi',
> +    'title' =3D> "RPZ",
> +    'enabled' =3D> 1,
> +};
> diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/c=
onfigroot
> index 9839eee45..b30d6aae4 100644
> --- a/config/rootfiles/common/configroot
> +++ b/config/rootfiles/common/configroot
> @@ -120,6 +120,7 @@ var/ipfire/menu.d/70-log.menu
>   #var/ipfire/menu.d/EX-apcupsd.menu
>   #var/ipfire/menu.d/EX-guardian.menu
>   #var/ipfire/menu.d/EX-mympd.menu
> +#var/ipfire/menu.d/EX-rpz.menu
>   #var/ipfire/menu.d/EX-samba.menu
>   #var/ipfire/menu.d/EX-tor.menu
>   #var/ipfire/menu.d/EX-transmission.menu
> diff --git a/config/rootfiles/common/web-user-interface b/config/rootfiles/=
common/web-user-interface
> index 816241dae..e00464076 100644
> --- a/config/rootfiles/common/web-user-interface
> +++ b/config/rootfiles/common/web-user-interface
> @@ -69,6 +69,7 @@ srv/web/ipfire/cgi-bin/proxy.cgi
>   srv/web/ipfire/cgi-bin/qos.cgi
>   srv/web/ipfire/cgi-bin/remote.cgi
>   srv/web/ipfire/cgi-bin/routing.cgi
> +#srv/web/ipfire/cgi-bin/rpz.cgi
>   #srv/web/ipfire/cgi-bin/samba.cgi
>   srv/web/ipfire/cgi-bin/services.cgi
>   srv/web/ipfire/cgi-bin/shutdown.cgi
> diff --git a/config/rootfiles/packages/rpz b/config/rootfiles/packages/rpz
> new file mode 100644
> index 000000000..1c8663049
> --- /dev/null
> +++ b/config/rootfiles/packages/rpz
> @@ -0,0 +1,20 @@
> +etc/unbound/local.d/00-rpz.conf
> +etc/unbound/zonefiles
> +etc/unbound/zonefiles/allow.rpz
> +usr/sbin/rpz-config
> +usr/sbin/rpz-functions
> +usr/sbin/rpz-make
> +usr/sbin/rpz-metrics
> +usr/sbin/rpz-sleep
> +var/ipfire/addon-lang/rpz.de.pl
> +var/ipfire/addon-lang/rpz.en.pl
> +var/ipfire/addon-lang/rpz.es.pl
> +var/ipfire/addon-lang/rpz.fr.pl
> +var/ipfire/addon-lang/rpz.it.pl
> +var/ipfire/addon-lang/rpz.tr.pl
> +var/ipfire/backup/addons/includes/rpz
> +var/ipfire/dns/rpz
> +var/ipfire/dns/rpz/allowlist
> +var/ipfire/dns/rpz/blocklist
> +var/ipfire/menu.d/EX-rpz.menu
> +srv/web/ipfire/cgi-bin/rpz.cgi
> diff --git a/config/rpz/00-rpz.conf b/config/rpz/00-rpz.conf
> new file mode 100644
> index 000000000..f005a4f2e
> --- /dev/null
> +++ b/config/rpz/00-rpz.conf
> @@ -0,0 +1,10 @@
> +server:
> +    module-config: "respip validator iterator"
> +
> +rpz:
> +    name:                    allow.rpz
> +    zonefile:                /etc/unbound/zonefiles/allow.rpz
> +    rpz-action-override:     passthru
> +    rpz-log:                 yes
> +    rpz-log-name:            allow
> +    rpz-signal-nxdomain-ra:  yes
> diff --git a/config/rpz/rpz-config b/config/rpz/rpz-config
> new file mode 100644
> index 000000000..c72d50f9b
> --- /dev/null
> +++ b/config/rpz/rpz-config
> @@ -0,0 +1,130 @@
> +#!/bin/bash
> +##########################################################################=
#####
> +#                                                                         =
    #
> +#  IPFire.org - A linux based firewall                                    =
    #
> +#  Copyright (C) 2024-2025  IPFire Team  <info(a)ipfire.org>              =
      #
> +#                                                                         =
    #
> +#  This program is free software: you can redistribute it and/or modify   =
    #
> +#  it under the terms of the GNU General Public License as published by   =
    #
> +#  the Free Software Foundation, either version 3 of the License, or      =
    #
> +#  (at your option) any later version.                                    =
    #
> +#                                                                         =
    #
> +#  This program is distributed in the hope that it will be useful,        =
    #
> +#  but WITHOUT ANY WARRANTY; without even the implied warranty of         =
    #
> +#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          =
    #
> +#  GNU General Public License for more details.                           =
    #
> +#                                                                         =
    #
> +#  You should have received a copy of the GNU General Public License      =
    #
> +#  along with this program.  If not, see <http://www.gnu.org/licenses/>.  =
    #
> +#                                                                         =
    #
> +##########################################################################=
#####
> +
> +version=3D"2025-01-11 - v44"
> +
> +###############     Functions     ###############
> +
> +source /usr/sbin/rpz-functions
> +
> +###############       Main        ###############
> +
> +tagName=3D"unbound"
> +
> +rpzAction=3D"${1}"                    #  input RPZ action
> +rpzName=3D"${2}"                      #  input RPZ name
> +rpzURL=3D"${3}"                       #  input RPZ URL
> +rpzOption1=3D"${4}"                   #  input RPZ option #1
> +rpzOption2=3D"${5}"                   #  input RPZ option #2
> +
> +rpzConfig=3D"/etc/unbound/local.d/${rpzName}.rpz.conf"    #  output zone c=
onf file
> +rpzFile=3D"/etc/unbound/zonefiles/${rpzName}.rpz"         #  output for RP=
Z file
> +
> +rpzLog=3D"yes"                        #  log default is yes
> +ucReload=3D"yes"                      #  reload default is yes
> +
> +while [[ $# -gt 0 ]] ; do
> +    case "$1" in
> +        --no-log )      rpzLog=3D"no"   ;;
> +        --no-reload )   ucReload=3D"no" ; checkConf=3D"no" ;;
> +    esac
> +    shift       # Shift after checking all the cases to get next option
> +done
> +
> +case "${rpzAction}" in
> +    #  add new rpz list
> +    add )
> +        check_name "${rpzName}"             #  is this a valid name?
> +        #  does this config already exist?  If yes, then exit
> +        if [[ -f "${rpzConfig}" ]] ; then
> +            msg_log "error: rpz: duplicate - ${rpzConfig} already exists. =
exit"
> +            exit 104
> +        fi
> +
> +        #  is this a valid URL?
> +        regex=3D'^https://[-[:alnum:]\+&@#/%?=3D~_|!:,.;]*[-[:alnum:]\+&@#=
/%=3D~_|]'
> +        if ! [[ "${rpzURL}" =3D~ $regex ]] ; then
> +            msg_log "error: rpz: the URL is not valid: \"${rpzURL}\". exit=
."
> +            exit 105
> +        fi
> +
> +        #  create the zone config file
> +        {
> +        echo "rpz:"
> +        echo "    name:                   ${rpzName}.rpz"
> +        echo "    zonefile:               ${rpzFile}"
> +        echo "    url:                    ${rpzURL}"
> +        echo "    rpz-action-override:    nxdomain"
> +        echo "    rpz-log:                ${rpzLog}"
> +        echo "    rpz-log-name:           ${rpzName}"
> +        echo "    rpz-signal-nxdomain-ra: yes"
> +        } > "${rpzConfig}"
> +
> +        #  set-up zonefile
> +        #    create an empty rpz file if it does not exist
> +        if [[ ! -f "${rpzFile}" ]] ; then
> +            touch "${rpzFile}"
> +            #  unbound requires these settings for rpz files
> +            set_permissions "${rpzFile}" "${rpzConfig}"
> +        fi
> +        ;;
> +
> +    #  trash config file & rpz file
> +    remove )
> +        if ! [[ -f "${rpzConfig}" ]] ; then
> +            msg_log "error: rpz: cannot remove ${rpzConfig}, does not exis=
t. exit"
> +            exit 106
> +        fi
> +
> +        msg_log "info: rpz: remove config file & rpz file \"${rpzName}\""
> +        rm "${rpzConfig}"
> +        rm "${rpzFile}"
> +        ;;
> +
> +    reload )
> +        check_unbound_conf "${checkConf}"
> +        ;;
> +
> +    list )
> +        awk -F':' '/^\s*name:/{ gsub(/[[:blank:]]|\.rpz/, "",$2) ; NAME=3D=
$2 } \
> +            /^\s*url:/{ gsub(/[[:blank:]]/, "") ; print NAME"=3D"$2":"$3} =
'  \
> +            /etc/unbound/local.d/*rpz.conf
> +        exit
> +        ;;
> +
> +    unbound-restart )
> +        check_unbound_conf "${checkConf}"
> +        unbound_restart
> +        exit
> +        ;;
> +
> +    * )
> +        msg_log "error: rpz: missing or incorrect parameter"
> +        printf "Usage:   $(basename "$0") <ACTION> <NAME> <URL> <OPTION> <=
OPTION>\n"
> +        printf "Version: ${version}\n"
> +        exit 108
> +        ;;
> +
> +esac
> +
> +unbound_control_reload "${ucReload}"
> +
> +exit
> diff --git a/config/rpz/rpz-functions b/config/rpz/rpz-functions
> new file mode 100644
> index 000000000..ace1d2690
> --- /dev/null
> +++ b/config/rpz/rpz-functions
> @@ -0,0 +1,85 @@
> +#!/bin/bash
> +##########################################################################=
#####
> +#                                                                         =
    #
> +#  IPFire.org - A linux based firewall                                    =
    #
> +#  Copyright (C) 2024  IPFire Team  <info(a)ipfire.org>                   =
      #
> +#                                                                         =
    #
> +#  This program is free software: you can redistribute it and/or modify   =
    #
> +#  it under the terms of the GNU General Public License as published by   =
    #
> +#  the Free Software Foundation, either version 3 of the License, or      =
    #
> +#  (at your option) any later version.                                    =
    #
> +#                                                                         =
    #
> +#  This program is distributed in the hope that it will be useful,        =
    #
> +#  but WITHOUT ANY WARRANTY; without even the implied warranty of         =
    #
> +#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          =
    #
> +#  GNU General Public License for more details.                           =
    #
> +#                                                                         =
    #
> +#  You should have received a copy of the GNU General Public License      =
    #
> +#  along with this program.  If not, see <http://www.gnu.org/licenses/>.  =
    #
> +#                                                                         =
    #
> +##########################################################################=
#####
> +
> +version=3D"2024-12-10 - v02"
> +
> +###############     Functions     ###############
> +
> +msg_log () {
> +    logger --tag "${tagName}" "$*"
> +    if tty --silent ; then
> +        echo "${tagName}:" "$*"
> +    fi
> +}
> +
> +#  check for a valid name
> +check_name () {
> +    local theName=3D"${1}"
> +
> +    regex=3D'^[a-zA-Z0-9_]+$'             # no dash or plus, alpha numeric=
 only
> +    regex1=3D'^(allow|block)$'            # allow and block are reserved N=
AMEs
> +    if [[ ! "${theName}" =3D~ $regex ]] || [[ "${theName}" =3D~ $regex1 ]]=
 ; then
> +        msg_log "error: rpz: the NAME is not valid: \"${theName}\". exit."
> +        exit 101
> +    fi
> +}
> +
> +set_permissions () {
> +    chown nobody:nobody "$@"
> +    chmod 644 "$@"
> +}
> +
> +check_unbound_conf () {
> +    local thecheckConf=3D"${1:-yes}"      #   check config default is yes
> +
> +    #  check the above config files
> +    if [[ "${thecheckConf}" =3D=3D yes ]] ; then
> +        msg_log "info: rpz: check for errors with \"unbound-checkconf\""
> +
> +        if ! unbound-checkconf ; then
> +            msg_log "error: rpz: unbound-checkconf found invalid configura=
tion."
> +            msg_log \
> +              "error: rpz: In Terminal run the command \"unbound-checkconf=
\" for more information. exit."
> +            exit 102
> +        fi
> +    fi
> +}
> +
> +unbound_control_reload () {
> +    local theReload=3D"${1:-yes}"     #   reload default is yes
> +
> +    if [[ "${theReload}" =3D=3D yes ]] ; then
> +        #  reload due to the changes
> +        msg_log  "info: rpz: run \"unbound-control reload\""
> +
> +        if ! unbound-control reload ; then
> +            msg_log "error: rpz: unbound-control reload. exit."
> +            exit 109
> +        fi
> +    fi
> +}
> +
> +unbound_restart () {
> +    #  restart due to the changes
> +    msg_log  "info: rpz: run \"unbound restart\""
> +
> +    /usr/local/bin/unboundctrl restart
> +}
> diff --git a/config/rpz/rpz-make b/config/rpz/rpz-make
> new file mode 100644
> index 000000000..927d55170
> --- /dev/null
> +++ b/config/rpz/rpz-make
> @@ -0,0 +1,203 @@
> +#!/bin/bash
> +##########################################################################=
#####
> +#                                                                         =
    #
> +#  IPFire.org - A linux based firewall                                    =
    #
> +#  Copyright (C) 2024-2025  IPFire Team  <info(a)ipfire.org>              =
      #
> +#                                                                         =
    #
> +#  This program is free software: you can redistribute it and/or modify   =
    #
> +#  it under the terms of the GNU General Public License as published by   =
    #
> +#  the Free Software Foundation, either version 3 of the License, or      =
    #
> +#  (at your option) any later version.                                    =
    #
> +#                                                                         =
    #
> +#  This program is distributed in the hope that it will be useful,        =
    #
> +#  but WITHOUT ANY WARRANTY; without even the implied warranty of         =
    #
> +#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          =
    #
> +#  GNU General Public License for more details.                           =
    #
> +#                                                                         =
    #
> +#  You should have received a copy of the GNU General Public License      =
    #
> +#  along with this program.  If not, see <http://www.gnu.org/licenses/>.  =
    #
> +#                                                                         =
    #
> +##########################################################################=
#####
> +
> +version=3D"2025-01-11 - v14"
> +
> +###############     Functions     ###############
> +
> +source /usr/sbin/rpz-functions
> +
> +#   create the config file for allow
> +make_allow_config () {
> +    local theLog=3D"${1:-yes}"                            #  log default ON
> +    local theConfig=3D"/etc/unbound/local.d/00-rpz.conf"  #  output zone c=
onf file
> +    local theList=3D"/var/ipfire/dns/rpz/allowlist"       #  input custom =
list of domains
> +
> +    msg_log "info: rpz: make config file \"00-rpz.conf\""
> +
> +    echo "server:
> +    module-config: \"respip validator iterator\"" > "${theConfig}"
> +
> +    #  does allow list exist?
> +    if [[ -s "${theList}" ]] && grep -q . "${theList}" ; then
> +
> +    echo "rpz:
> +    name:                   allow.rpz
> +    zonefile:               /etc/unbound/zonefiles/allow.rpz
> +    rpz-action-override:    passthru
> +    rpz-log:                ${theLog}
> +    rpz-log-name:           allow
> +    rpz-signal-nxdomain-ra: yes" >> "${theConfig}"
> +
> +    fi
> +
> +    #  set-up zonefile - unbound requires these settings for rpz files
> +    set_permissions "${theConfig}"
> +}
> +
> +#   create the config file for block
> +make_block_config () {
> +    local theLog=3D"${1:-yes}"                                #  log defau=
lt ON
> +    local theConfig=3D"/etc/unbound/local.d/block.rpz.conf"   #  output zo=
ne conf file
> +    local theList=3D"/var/ipfire/dns/rpz/blocklist"           #  input cus=
tom list of domains
> +
> +    msg_log "info: rpz: make config file \"block.rpz.conf\""
> +
> +    #  does block list exist?
> +    if [[ -s "${theList}" ]] && grep -q . "${theList}" ; then
> +
> +    echo "rpz:
> +    name:                   block.rpz
> +    zonefile:               /etc/unbound/zonefiles/block.rpz
> +    rpz-action-override:    nxdomain
> +    rpz-log:                ${theLog}
> +    rpz-log-name:           block
> +    rpz-signal-nxdomain-ra: yes" > "${theConfig}"
> +
> +        #  set-up zonefile - unbound requires these settings for rpz files
> +        set_permissions "${theConfig}"
> +    else
> +        #   no - trash the config file
> +        rm --verbose /etc/unbound/local.d/block.rpz.conf
> +    fi
> +}
> +
> +#   create an RPZ file for allow or block
> +make_rpz_file () {
> +    local theName=3D"${1}"        #   allow or block
> +    local theAction=3D'.'         # the default is nxdomain or block
> +    local actionList
> +
> +    local theList=3D"/var/ipfire/dns/rpz/${theName}list"         #  input =
custom list of domains
> +    local theZonefile=3D"/etc/unbound/zonefiles/${theName}.rpz"  #  output=
 file for RPZ
> +
> +    #  does a list exist?
> +    if [[ -s "${theList}" ]] && grep -q . "${theList}" ; then
> +
> +        # for allow set to passthru
> +        [[ "${theName}" =3D=3D allow ]] && theAction=3D'rpz-passthru.'
> +
> +        #  drop any extra "blanks" and add "CNAME <RPZ action>." to each l=
ine
> +        actionList=3D$( awk '{$1=3D$1};1' "${theList}" |
> +            sed "/^[^;].*[[:alnum:]]/ s|$|  CNAME   ${theAction}|" )
> +
> +        msg_log "info: rpz: create zonefile for \"${theName}list\""
> +
> +echo "; Name:             ${theName} list
> +; Last modified:    $(date "+%Y-%m-%d at %H.%M.%S %Z")
> +;
> +;   domains with actions list
> +;
> +${actionList}" > "${theZonefile}"
> +
> +        #  set-up zonefile - unbound requires these settings for rpz files
> +        set_permissions "${theZonefile}"
> +        #  set-up allow/block list files
> +        set_permissions "${theList}"
> +    else
> +        msg_log "info: rpz: the ${theList} is empty."
> +
> +        rm --verbose "${theZonefile}"   # trash the RPZ file
> +    fi
> +}
> +
> +#   check if allow/block list is valid
> +validate_list () {
> +    local theName=3D"${1}"        #   allow or block
> +    local theList=3D"/var/ipfire/dns/rpz/${theName}list"  #  input custom =
list of domains
> +
> +	#   remove good:
> +	#    - properly formated domain names with or without leading wildcard
> +	#    - properly formated top level domain (TLD) names with wildcard
> +	#    - blank lines and comment lines
> +	#   remaining lines are considered "bad"
> +    bad_lines=3D$( sed --regexp-extended  \
> +        '/^(\*\.)?([a-zA-Z0-9](([a-zA-Z0-9\-]){0,61}[a-zA-Z0-9])?\.)+([a-z=
A-Z]{2,}|xn--[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])$/d ;
> +         /^(\*\.)([a-z]{2,61}|xn--[a-z0-9]{1,60})$/d ;
> +         /^$/d ; /^;/d' "${theList}" )
> +
> +    if [[ ! -z "${bad_lines}" ]] ; then
> +        msg_log "error: rpz: invalid line(s) in ${theList}."
> +        printf "%s\n" "bad line(s): ${bad_lines}"
> +        exit 110
> +    fi
> +}
> +
> +
> +###############       Main        ###############
> +
> +tagName=3D"unbound"
> +
> +rpzName=3D"${1}"                      #  input RPZ name
> +
> +rpzLog=3D"yes"                        #  log default is yes
> +ucReload=3D"yes"                      #  reload default is yes
> +
> +while [[ $# -gt 0 ]] ; do
> +    case "$1" in
> +        --no-log )      rpzLog=3D"no"   ;;
> +        --no-reload )   ucReload=3D"no" ;  checkConf=3D"no" ;;
> +    esac
> +    shift       # Shift after checking all the cases to get next option
> +done
> +
> +case "${rpzName}" in
> +    #  make a new allow or block rpz file
> +
> +    allow )
> +        validate_list 'allow'           #   is the allowlist valid?
> +        make_allow_config "${rpzLog}"
> +        make_rpz_file 'allow'
> +        ;;
> +
> +    allowblock )
> +        validate_list 'allow'           #   is the list valid?
> +        make_allow_config "${rpzLog}"
> +        make_rpz_file 'allow'
> +        ;&
> +
> +    block )
> +        validate_list 'block'           #   is the blocklist valid?
> +        make_block_config "${rpzLog}"
> +        make_rpz_file 'block'
> +        ;;
> +
> +    reload )
> +        check_unbound_conf "${checkConf}"
> +        ;;
> +
> +    unbound-restart )
> +        check_unbound_conf "${checkConf}"
> +		unbound_restart
> +		exit
> +        ;;
> +
> +    * )
> +        msg_log "error: rpz: missing or incorrect parameter"
> +        printf "Usage:   $(basename "$0") <NAME> <OPTION> <OPTION>\n"
> +        printf "Version: ${version}\n"
> +        exit 108
> +        ;;
> +esac
> +
> +unbound_control_reload "${ucReload}"
> +
> +exit
> diff --git a/config/rpz/rpz-metrics b/config/rpz/rpz-metrics
> new file mode 100755
> index 000000000..4d43e1629
> --- /dev/null
> +++ b/config/rpz/rpz-metrics
> @@ -0,0 +1,170 @@
> +#!/bin/bash
> +##########################################################################=
#####
> +#                                                                         =
    #
> +#  IPFire.org - A linux based firewall                                    =
    #
> +#  Copyright (C) 2024  IPFire Team  <info(a)ipfire.org>                   =
      #
> +#                                                                         =
    #
> +#  This program is free software: you can redistribute it and/or modify   =
    #
> +#  it under the terms of the GNU General Public License as published by   =
    #
> +#  the Free Software Foundation, either version 3 of the License, or      =
    #
> +#  (at your option) any later version.                                    =
    #
> +#                                                                         =
    #
> +#  This program is distributed in the hope that it will be useful,        =
    #
> +#  but WITHOUT ANY WARRANTY; without even the implied warranty of         =
    #
> +#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          =
    #
> +#  GNU General Public License for more details.                           =
    #
> +#                                                                         =
    #
> +#  You should have received a copy of the GNU General Public License      =
    #
> +#  along with this program.  If not, see <http://www.gnu.org/licenses/>.  =
    #
> +#                                                                         =
    #
> +##########################################################################=
#####
> +
> +version=3D"2025-01-20 - v25"
> +
> +###############       Main        ###############
> +
> +weeks=3D"2"                   #   default to two message logs
> +sortBy=3D"name"               #   default "by name"
> +rpzActive=3D"enabled"         #   default "enabled only"
> +
> +while [[ $# -gt 0 ]] ; do
> +    case "$1" in
> +        --by-names | --by-name | name )				sortBy=3D"name"   ;;
> +
> +        --by-hits | --by-hit | hits | hit )     	sortBy=3D"hit"    ;;
> +
> +        --by-lines | --by-line | lines | line )    	sortBy=3D"line"   ;;
> +
> +        --by-effect )								sortBy=3D"effect"   ;;
> +
> +        --enabled-only )            				rpzActive=3D"enabled" ;;
> +
> +        --active-all | --all | all )      			rpzActive=3D"all"     ;;
> +
> +        [0-9] | [0-9][0-9] )        				weeks=3D$1        ;;
> +    esac
> +    shift       # Shift after checking all the cases to get next option
> +done
> +
> +#  get the list of message logs for N weeks
> +messageLogs=3D$( find /var/log/messages* -type f | sort --version-sort |
> +    head -"${weeks}" )
> +
> +#  get the list of RPZ names & counts from the message log(s)
> +rpzNameCount=3D$( for logf in ${messageLogs} ; do
> +    zgrep --text --fixed-strings 'info: rpz: applied' "${logf}" |
> +      awk '$10 ~ /\[\w*]/ { print $10 }' ;
> +    done | sort | uniq --count )
> +
> +#  flip results and remove brackets `[` and `]`
> +rpzNameCount=3D$( echo "${rpzNameCount}" |
> +    awk '{ print $2, $1 }' |
> +    sed --regexp-extended 's|^\[(.*)\]|\1|' )
> +
> +#  grab only names
> +rpzNames=3D$( echo "${rpzNameCount}" | awk '{ print $1 }' )
> +
> +#  get list of RPZ files
> +rpzFileList=3D$( find /etc/unbound/zonefiles -type f -iname "*.rpz" )
> +
> +#  get basename of those files
> +rpzBaseNames=3D$( echo "${rpzFileList}" |
> +    sed 's|/etc/unbound/zonefiles/||g ; s|\.rpz||g ;' )
> +
> +#  add to rpzNames
> +rpzNames=3D"${rpzNames}"$'\n'"${rpzBaseNames}"
> +
> +#  drop duplicate names
> +rpzNames=3D$( echo "${rpzNames}" | sort --unique  )
> +
> +#  get line count for each RPZ
> +lineCount=3D$( echo "${rpzFileList}" | xargs wc -l )
> +
> +#  get comment line count and blank line count for each RPZ
> +commentCount=3D$( echo "${rpzFileList}" | xargs grep --count -e "^$" -e "^=
;" )
> +
> +#  get modified date each RPZ
> +modDateList=3D$( echo "${rpzFileList}" | xargs stat -c '%.10y  %n' )
> +
> +ucListAuthZones=3D$( unbound-control list_auth_zones )
> +
> +#  get width of RPZ names
> +pWidth=3D$( echo "${rpzNames}" | awk '{ print $1"   " }' | wc -L )
> +pFormat=3D"%-${pWidth}s %-8s %-8s %8s %12s %12s\n"
> +
> +#  print title line
> +printf "${pFormat}" "name" "hits" "active" "lines" " hits/line" "last down=
load"
> +printf -- "--------------"
> +
> +theResults=3D""
> +totalLines=3D0
> +totalHits=3D0
> +while read -r theName
> +do
> +    printf -- "--"        #   pretend progress bar
> +
> +    #  is this RPZ list active?
> +    theActive=3D"disabled"
> +    if grep --quiet "^${theName}\.rpz" <<< "${ucListAuthZones}"
> +    then
> +        theActive=3D"enabled"
> +    else
> +        [[ "${rpzActive}" =3D=3D enabled ]] && continue
> +    fi
> +
> +    #  get hit count
> +    theHits=3D"0"
> +    if output=3D$( grep "^${theName}\s" <<< "${rpzNameCount}" ) ; then
> +        theHits=3D$( echo "${output}" | awk '{ print $2 }' )
> +        totalHits=3D$(( totalHits + theHits ))
> +    fi
> +
> +    #  get line count
> +    theLines=3D"n/a"
> +    hitsPerLine=3D"0"
> +    if output=3D$( grep --fixed-strings "/${theName}.rpz" <<< "${lineCount=
}" ) ; then
> +        theLines=3D$( echo "${output}" | awk '{ print $1 }' )
> +        totalLines=3D$(( totalLines + theLines ))
> +
> +        if [[ "${theLines}" -gt 2 ]] ; then
> +            hitsPerLine=3D$(( 100 * theHits / theLines ))
> +        fi
> +    fi
> +
> +    #  get modification date
> +    theModDate=3D"n/a"
> +    if output=3D$( grep --fixed-strings "/${theName}.rpz" <<< "${modDateLi=
st}" ) ; then
> +        theModDate=3D$( echo "${output}" | awk '{ print $1 }' )
> +    fi
> +
> +    #  add to results list
> +    theResults+=3D"${theName} ${theHits} ${theActive} ${theLines} ${hitsPe=
rLine} ${theModDate}"$'\n'
> +
> +done <<< "${rpzNames}"
> +
> +case "${sortBy}" in
> +    #  sort by "active" then by "name"
> +    name) sortArg=3D(-k3,3r -k1,1)			;;
> +
> +    #  sort by "active" then by "hits" then by "name"
> +    hit)  sortArg=3D(-k3,3r -k2,2nr -k1,1)	;;
> +
> +    #  sort by "active" then by "lines" then by "name"
> +    line) sortArg=3D(-k3,3r -k4,4nr -k1,1)	;;
> +
> +    #  sort by "active" then by "effect" then by "name"
> +    effect) sortArg=3D(-k3,3r -k5,5nr -k1,1)	;;
> +esac
> +
> +printf -- "--------------\n"
> +#  remove blank lines, sort, print as columns
> +echo "${theResults}" |
> +    awk '!/^[[:space:]]*$/' |
> +    sort "${sortArg[@]}"    |
> +    awk --assign=3Dwidth=3D"${pWidth}" \
> +        '{ printf "%-*s %-8s %-8s %8s %10s %% %12s\n", width, $1, $2, $3, =
$4, $5, $6 }'
> +
> +printf "${pFormat}" "" "=3D=3D=3D=3D=3D=3D=3D" "" "=3D=3D=3D=3D=3D=3D=3D=
=3D" "" ""
> +printf "${pFormat}" "Totals -->" "${totalHits}" "" "${totalLines}" "" ""
> +
> +exit
> diff --git a/config/rpz/rpz-sleep b/config/rpz/rpz-sleep
> new file mode 100755
> index 000000000..dd3603599
> --- /dev/null
> +++ b/config/rpz/rpz-sleep
> @@ -0,0 +1,58 @@
> +#!/bin/bash
> +##########################################################################=
#####
> +#                                                                         =
    #
> +#  IPFire.org - A linux based firewall                                    =
    #
> +#  Copyright (C) 2024  IPFire Team  <info(a)ipfire.org>                   =
      #
> +#                                                                         =
    #
> +#  This program is free software: you can redistribute it and/or modify   =
    #
> +#  it under the terms of the GNU General Public License as published by   =
    #
> +#  the Free Software Foundation, either version 3 of the License, or      =
    #
> +#  (at your option) any later version.                                    =
    #
> +#                                                                         =
    #
> +#  This program is distributed in the hope that it will be useful,        =
    #
> +#  but WITHOUT ANY WARRANTY; without even the implied warranty of         =
    #
> +#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          =
    #
> +#  GNU General Public License for more details.                           =
    #
> +#                                                                         =
    #
> +#  You should have received a copy of the GNU General Public License      =
    #
> +#  along with this program.  If not, see <http://www.gnu.org/licenses/>.  =
    #
> +#                                                                         =
    #
> +##########################################################################=
#####
> +
> +version=3D"2024-08-16"        # v05
> +
> +###############     Functions     ###############
> +
> +#   send message to message log
> +msg_log () {
> +    logger --tag "${tagName}" "$*"
> +    if tty --silent ; then
> +        echo "${tagName}:" "$*"
> +    fi
> +}
> +
> +###############       Main        ###############
> +
> +tagName=3D"unbound"
> +
> +sleepTime=3D"${1:-5m}"            #  default to sleep for 5m (5 minutes)
> +
> +zoneList=3D$( unbound-control list_auth_zones | awk '{print $1}' )
> +
> +for zone in ${zoneList} ; do
> +    printf "disable ${zone}\t"
> +    unbound-control rpz_disable "${zone}"
> +done
> +
> +msg_log "info: rpz: disabled all zones for ${sleepTime}"
> +
> +sleep "${sleepTime}"
> +
> +for zone in ${zoneList} ; do
> +    printf "enable ${zone}\t"
> +    unbound-control rpz_enable "${zone}"
> +done
> +
> +msg_log "info: rpz: enabled all zones"
> +
> +exit
> diff --git a/config/rpz/rpz.de.pl b/config/rpz/rpz.de.pl
> new file mode 100644
> index 000000000..3770c6bb0
> --- /dev/null
> +++ b/config/rpz/rpz.de.pl
> @@ -0,0 +1,30 @@
> +#  Added for Response Policy Zone (RPZ) add-on
> +%tr =3D (%tr,
> +'rpz' =3D> 'Response Policy Zones (RPZ)',
> +'rpz apply' =3D> '=C3=9Cbernehmen',
> +'rpz cl allow enable' =3D> 'Benutzerdefinierte Allowlist aktivieren:',
> +'rpz cl allow info' =3D> 'Zugelassene Domains (eine pro Zeile)<br>Beispiel=
: domain.com, *.domain.com',
> +'rpz cl allow' =3D> 'Benutzerdefinierte Allowlist',
> +'rpz cl block enable' =3D> 'Benutzerdefinierte Blocklist aktivieren:',
> +'rpz cl block info' =3D> 'Gesperrte Domains (eine pro Zeile)<br>Beispiel: =
domain.com, *.domain.com',
> +'rpz cl block' =3D> 'Benutzerdefinierte Blocklist',
> +'rpz cl' =3D> 'Benutzerdefinierte Listen',
> +'rpz exitcode 101' =3D> 'Der Name enth=C3=A4lt unzul=C3=A4ssige Zeichen',
> +'rpz exitcode 102' =3D> 'unbound-checkconf hat eine fehlerhafte Konfigurat=
ion ermittelt. F=C3=BChren Sie das Kommando unbound-checkconf auf der Konsole=
 aus, um weitere Informationen zu erhalten.',
> +'rpz exitcode 103' =3D> 'Die benutzerdefinierte Allow-/Blocklist ist leer',
> +'rpz exitcode 104' =3D> 'Ein Eintrag mit identischem Namen existiert berei=
ts',
> +'rpz exitcode 105' =3D> 'Die URL ist ung=C3=BCltig',
> +'rpz exitcode 106' =3D> 'Eintrag kann nicht entfernt werden, der Name exis=
tiert nicht',
> +'rpz exitcode 107' =3D> 'Der Name ist ung=C3=BCltig - nur "allow" oder "bl=
ock" m=C3=B6glich',
> +'rpz exitcode 108' =3D> 'Fehlende oder inkorrekte Parameter',
> +'rpz exitcode 109' =3D> 'unbound-control reload ist fehlgeschlagen',
> +'rpz exitcode 110' =3D> 'Die benutzerdefinierte Allow-/Blocklist enth=C3=
=A4lt unzul=C3=A4ssige Eintr=C3=A4ge',
> +'rpz exitcode 201' =3D> 'Die Anmerkung enth=C3=A4lt unzul=C3=A4ssige Zeich=
en',
> +'rpz exitcode 202' =3D> 'Ung=C3=BCltiger Eintrag in der benutzerdefinierte=
n Allowlist, Zeile ',
> +'rpz exitcode 203' =3D> 'Ung=C3=BCltiger Eintrag in der benutzerdefinierte=
n Blocklist, Zeile ',
> +'rpz exitcode 204' =3D> 'Ausgew=C3=A4hlter Eintrag existiert nicht: ',
> +'rpz zf editor' =3D> 'Zonendatei-Eintrag bearbeiten',
> +'rpz zf imported' =3D> '(importiert aus rpz-config)',
> +'rpz zf remark info' =3D> 'Erlaubte Zeichen sind a-z, A-Z, 0-9 und Unterst=
riche',
> +'rpz zf' =3D> 'Zonendateien',
> +);
> diff --git a/config/rpz/rpz.en.pl b/config/rpz/rpz.en.pl
> new file mode 100644
> index 000000000..0720a8940
> --- /dev/null
> +++ b/config/rpz/rpz.en.pl
> @@ -0,0 +1,30 @@
> +#  Added for Response Policy Zone (RPZ) add-on
> +%tr =3D (%tr,
> +'rpz' =3D> 'Response Policy Zones (RPZ)',
> +'rpz apply' =3D> 'Apply',
> +'rpz cl allow enable' =3D> 'Enable custom allowlist:',
> +'rpz cl allow info' =3D> 'Allowed domains (one per line)<br>Example: domai=
n.com, *.domain.com',
> +'rpz cl allow' =3D> 'Custom allowlist',
> +'rpz cl block enable' =3D> 'Enable custom blocklist:',
> +'rpz cl block info' =3D> 'Blocked domains (one per line)<br>Example: domai=
n.com, *.domain.com',
> +'rpz cl block' =3D> 'Custom blocklist',
> +'rpz cl' =3D> 'Custom lists',
> +'rpz exitcode 101' =3D> 'the NAME is not valid',
> +'rpz exitcode 102' =3D> 'unbound-checkconf found invalid configuration. In=
 the Terminal run the command unbound-checkconf for more information',
> +'rpz exitcode 103' =3D> 'the allow/block list is empty',
> +'rpz exitcode 104' =3D> 'duplicate - NAME already exists',
> +'rpz exitcode 105' =3D> 'the URL is not valid',
> +'rpz exitcode 106' =3D> 'cannot remove the NAME does not exist',
> +'rpz exitcode 107' =3D> 'the NAME is not valid - "allow" or "block" only',
> +'rpz exitcode 108' =3D> 'missing or incorrect parameter',
> +'rpz exitcode 109' =3D> 'unbound-control reload failed',
> +'rpz exitcode 110' =3D> 'custom Allowlist/Blocklist contains invalid entri=
es',
> +'rpz exitcode 201' =3D> 'the REMARK is not valid',
> +'rpz exitcode 202' =3D> 'invalid entry in allowlist, line ',
> +'rpz exitcode 203' =3D> 'invalid entry in blocklist, line ',
> +'rpz exitcode 204' =3D> 'Selected entry does not exist: ',
> +'rpz zf editor' =3D> 'Edit zonefiles entry',
> +'rpz zf imported' =3D> '(imported from rpz-config)',
> +'rpz zf remark info' =3D> 'Valid characters are a-z, A-Z, 0-9 and undersco=
re.',
> +'rpz zf' =3D> 'Zonefiles',
> +);
> diff --git a/config/rpz/rpz.es.pl b/config/rpz/rpz.es.pl
> new file mode 100644
> index 000000000..98628e4aa
> --- /dev/null
> +++ b/config/rpz/rpz.es.pl
> @@ -0,0 +1,30 @@
> +#  Added for Response Policy Zone (RPZ) add-on
> +%tr =3D (%tr,
> +'rpz' =3D> 'Zonas de pol=C3=ADtica de respuesta (RPZ)',
> +'rpz apply' =3D> 'Aplicar',
> +'rpz cl allow enable' =3D> 'Habilitar la lista blanca personalizada:',
> +'rpz cl allow info' =3D> 'Dominio permitido (uno por l=C3=ADnea)<br>Ejempl=
o: domain.com, *.domain.com',
> +'rpz cl allow' =3D> 'Lista blanca personalizada',
> +'rpz cl block enable' =3D> 'Habilitar la lista negra personalizada:',
> +'rpz cl block info' =3D> 'Dominio bloqueado (uno por l=C3=ADnea)<br>Ejempl=
o: domain.com, *.domain.com',
> +'rpz cl block' =3D> 'Lista negra personalizada',
> +'rpz cl' =3D> 'Lista personalizada',
> +'rpz exitcode 101' =3D> 'El NOMBRE no es v=C3=A1lido',
> +'rpz exitcode 102' =3D> 'unbound-checkconf ha encontrado una configuraci=
=C3=B3n no v=C3=A1lida. Desde Terminal, ejecute el comando unbound-checkconf =
para mayor informaci=C3=B3n',
> +'rpz exitcode 103' =3D> 'La lista de permitidos/bloqueados est=C3=A1 vac=
=C3=ADa',
> +'rpz exitcode 104' =3D> 'duplicado - NOMBRE ya existe',
> +'rpz exitcode 105' =3D> 'la URL no es v=C3=A1lida',
> +'rpz exitcode 106' =3D> 'no es posible eliminar el NOMBRE que no existe',
> +'rpz exitcode 107' =3D> 'el NOMBRE no es v=C3=A1lido - s=C3=B3lo "permitir=
" o "bloquear"',
> +'rpz exitcode 108' =3D> 'par=C3=A1metro faltante o incorrecto',
> +'rpz exitcode 109' =3D> 'Error al recargar unbound-control',
> +'rpz exitcode 110' =3D> 'la Lista blanca/Lista negra personalizada contien=
e entradas no v=C3=A1lidas',
> +'rpz exitcode 201' =3D> 'el COMENTARIO no es v=C3=A1lido',
> +'rpz exitcode 202' =3D> 'entrada no v=C3=A1lida en la lista blanca, l=C3=
=ADnea ',
> +'rpz exitcode 203' =3D> 'entrada no v=C3=A1lida en la lista negra, l=C3=AD=
nea ',
> +'rpz exitcode 204' =3D> 'La entrada seleccionada no existe: ',
> +'rpz zf editor' =3D> 'Editar la entrada de archivos de zona',
> +'rpz zf imported' =3D> '(importado de rpz-config)',
> +'rpz zf remark info' =3D> 'Los caracteres v=C3=A1lidos son a-z, A-Z, 0-9 y=
 gui=C3=B3n bajo',
> +'rpz zf' =3D> 'Archivos de zona',
> +);
> diff --git a/config/rpz/rpz.fr.pl b/config/rpz/rpz.fr.pl
> new file mode 100644
> index 000000000..f35f3c2d0
> --- /dev/null
> +++ b/config/rpz/rpz.fr.pl
> @@ -0,0 +1,30 @@
> +#  Added for Response Policy Zone (RPZ) add-on
> +%tr =3D (%tr,
> +'rpz' =3D> 'Response Policy Zones (RPZ)',
> +'rpz apply' =3D> 'Appliquer',
> +'rpz cl allow enable' =3D> 'Activer la liste d\'autorisations personnalis=
=C3=A9e:',
> +'rpz cl allow info' =3D> 'Domaines autoris=C3=A9s (un par ligne)<br>Exampl=
e: domain.com, *.domain.com',
> +'rpz cl allow' =3D> 'Liste d\'autorisations personnalis=C3=A9e',
> +'rpz cl block enable' =3D> 'Activer la liste de blocage personnalis=C3=A9e=
:',
> +'rpz cl block info' =3D> 'Domaines bloqu=C3=A9s (un par ligne)<br>Example:=
 domain.com, *.domain.com',
> +'rpz cl block' =3D> 'liste de blocage personnalis=C3=A9',
> +'rpz cl' =3D> 'Listes personnalis=C3=A9es',
> +'rpz exitcode 101' =3D> 'le NOM n\'est pas valide',
> +'rpz exitcode 102' =3D> 'unbound-checkconf configuration non valide trouv=
=C3=A9e. Dans le terminal, ex=C3=A9cutez la commande unbound-checkconf pour p=
lus d\'informations',
> +'rpz exitcode 103' =3D> 'la liste autoriser/bloquer est vide',
> +'rpz exitcode 104' =3D> 'le NOM existe d=C3=A9j=C3=A0',
> +'rpz exitcode 105' =3D> 'L\'URL n\'est pas valide',
> +'rpz exitcode 106' =3D> 'impossible de supprimer le NOM n\'existe pas',
> +'rpz exitcode 107' =3D> 'le NOM n\'est pas valide - =C2=AB autoriser =C2=
=BB ou =C2=AB bloquer =C2=BB seulement',
> +'rpz exitcode 108' =3D> 'param=C3=A8tre manquant ou incorrect',
> +'rpz exitcode 109' =3D> 'unbound-control rechargement =C3=A9chou=C3=A9',
> +'rpz exitcode 110' =3D> 'la liste autoriser/bloquer contient des entr=C3=
=A9es non valides',
> +'rpz exitcode 201' =3D> 'la REMARQUE n\'est pas valable',
> +'rpz exitcode 202' =3D> 'entr=C3=A9e non valide dans la liste d\'autorisat=
ion, ligne ',
> +'rpz exitcode 203' =3D> 'entr=C3=A9e non valide dans la liste de blocs, li=
gne ',
> +'rpz exitcode 204' =3D> 'L\'entr=C3=A9e s=C3=A9lectionn=C3=A9e n\'existe p=
as: ',
> +'rpz zf editor' =3D> 'Modifier l\'entr=C3=A9e Fichiers Zone',
> +'rpz zf imported' =3D> '(import=C3=A9 de rpz-config)',
> +'rpz zf remark info' =3D> 'Les caract=C3=A8res valides sont a-z, A-Z, 0-9 =
et soulignement.',
> +'rpz zf' =3D> 'Fichiers Zone',
> +);
> diff --git a/config/rpz/rpz.it.pl b/config/rpz/rpz.it.pl
> new file mode 100644
> index 000000000..ee81605c9
> --- /dev/null
> +++ b/config/rpz/rpz.it.pl
> @@ -0,0 +1,30 @@
> +#  Added for Response Policy Zone (RPZ) add-on
> +%tr =3D (%tr,
> +'rpz' =3D> 'Response Policy Zones (RPZ)',
> +'rpz apply' =3D> 'Applica',
> +'rpz cl allow enable' =3D> 'Abilita la Whitelist personalizzata:',
> +'rpz cl allow info' =3D> 'Domini consentiti (uno per riga)<br>Esempio: dom=
ain.com, *.domain.com',
> +'rpz cl allow' =3D> 'Whitelist personalizzata',
> +'rpz cl block enable' =3D> 'Abilita la Blacklist personalizzata:',
> +'rpz cl block info' =3D> 'Domini bloccati (uno per riga)<br>Esempio: domai=
n.com, *.domain.com',
> +'rpz cl block' =3D> 'Blacklist personalizzata',
> +'rpz cl' =3D> 'Liste personalizzate',
> +'rpz exitcode 101' =3D> 'il NOME non =C3=A8 valido',
> +'rpz exitcode 102' =3D> 'unbound-checkconf ha trovato una configurazione n=
on valida. Dal Terminale esegui il comando unbound-checkconf per maggiori inf=
ormazioni',
> +'rpz exitcode 103' =3D> 'l\'elenco consentiti/bloccati =C3=A8 vuoto',
> +'rpz exitcode 104' =3D> 'duplicato - NAME esiste di gi=C3=A0',
> +'rpz exitcode 105' =3D> 'l\'URL non =C3=A8 valido',
> +'rpz exitcode 106' =3D> 'non =C3=A8 possibile rimuovere il NOME non esiste=
',
> +'rpz exitcode 107' =3D> 'il NOME non =C3=A8 valido - solo "consenti" o "bl=
occa"',
> +'rpz exitcode 108' =3D> 'parametro mancante o non corretto',
> +'rpz exitcode 109' =3D> 'ricaricamento del controllo non associato non riu=
scito',
> +'rpz exitcode 110' =3D> 'la Whitelist/Blacklist personalizzata contiene vo=
ci non valide',
> +'rpz exitcode 201' =3D> 'l"OSSERVAZIONE non =C3=A8 valida',
> +'rpz exitcode 202' =3D> 'voce non valida nella Whitelist, riga ',
> +'rpz exitcode 203' =3D> 'voce non valida nella Blacklist, riga ',
> +'rpz exitcode 204' =3D> 'La voce selezionata non esiste: ',
> +'rpz zf editor' =3D> 'Modifica la voce dei file di zona',
> +'rpz zf imported' =3D> '(importato da rpz-config)',
> +'rpz zf remark info' =3D> 'I caratteri validi sono a-z, A-Z, 0-9 e trattin=
o basso',
> +'rpz zf' =3D> 'Zonefiles',
> +);
> diff --git a/config/rpz/rpz.tr.pl b/config/rpz/rpz.tr.pl
> new file mode 100644
> index 000000000..00226e192
> --- /dev/null
> +++ b/config/rpz/rpz.tr.pl
> @@ -0,0 +1,30 @@
> +#  I=EF=BF=BDin eklendi Ayriyeten Response Policy Zone (RPZ)
> +%tr =3D (%tr,
> +'rpz' =3D> 'Response Policy Zones (RPZ)',
> +'rpz apply' =3D> 'Uygulamak',
> +'rpz cl allow enable' =3D> '=EF=BF=BDzel Etkinlestir allowlist:',
> +'rpz cl allow info' =3D> 'Izin verilmis domains (satir basina bir)<br>=EF=
=BF=BDrnegin: domain.com, *.domain.com',
> +'rpz cl allow' =3D> 'Etkinlestir allowlist',
> +'rpz cl block enable' =3D> '=EF=BF=BDzel Etkinlestir blocklist:',
> +'rpz cl block info' =3D> 'Engellenmis domains (satir basina bir)<br>=EF=BF=
=BDrnegin: domain.com, *.domain.com',
> +'rpz cl block' =3D> 'Engellenmis blocklist',
> +'rpz cl' =3D> 'Engellenmis lists',
> +'rpz exitcode 101' =3D> 'NAME ge=EF=BF=BDerli degil',
> +'rpz exitcode 102' =3D> 'unbound-checkconf ge=EF=BF=BDersiz yapilandirma b=
ulundu. Terminalde daha fazla bilgi i=EF=BF=BDin Unbound-checkConf komutunu =
=EF=BF=BDalistirin',
> +'rpz exitcode 103' =3D> 'allow/block liste bos',
> +'rpz exitcode 104' =3D> 'kopyalamak - NAME zaten var',
> +'rpz exitcode 105' =3D> 'URL ge=EF=BF=BDerli degil',
> +'rpz exitcode 106' =3D> '=EF=BF=BDikarilamiyor NAME yok',
> +'rpz exitcode 107' =3D> 'NAME ge=EF=BF=BDerli degil - "allow" veya "block"=
 yalniz',
> +'rpz exitcode 108' =3D> 'Parametre eksik veya yanlis',
> +'rpz exitcode 109' =3D> 'unbound-control basarisiz',
> +'rpz exitcode 110' =3D> 'Engellenmis Allowlist/Blocklist ge=EF=BF=BDersiz =
girisler i=EF=BF=BDerir',
> +'rpz exitcode 201' =3D> 'REMARK ge=EF=BF=BDerli degil',
> +'rpz exitcode 202' =3D> 'Ge=EF=BF=BDersiz giris allowlist, line ',
> +'rpz exitcode 203' =3D> 'Ge=EF=BF=BDersiz giris blocklist, line ',
> +'rpz exitcode 204' =3D> 'Se=EF=BF=BDilen giris yok: ',
> +'rpz zf editor' =3D> 'yazimlamak zonefiles giris',
> +'rpz zf imported' =3D> '(ithal edildi rpz-config)',
> +'rpz zf remark info' =3D> 'Ge=EF=BF=BDerli karakterler a-z, A-Z, 0-9ve alt=
=EF=BF=BDst.',
> +'rpz zf' =3D> 'Zonefiles',
> +);
> diff --git a/html/cgi-bin/rpz.cgi b/html/cgi-bin/rpz.cgi
> new file mode 100644
> index 000000000..a821c92ac
> --- /dev/null
> +++ b/html/cgi-bin/rpz.cgi
> @@ -0,0 +1,923 @@
> +#!/usr/bin/perl
> +##########################################################################=
#####
> +#                                                                         =
    #
> +# IPFire.org - A linux based firewall                                     =
    #
> +# Copyright (C) 2005-2024  IPFire Team  <info(a)ipfire.org>               =
      #
> +#                                                                         =
    #
> +# This program is free software: you can redistribute it and/or modify    =
    #
> +# it under the terms of the GNU General Public License as published by    =
    #
> +# the Free Software Foundation, either version 3 of the License, or       =
    #
> +# (at your option) any later version.                                     =
    #
> +#                                                                         =
    #
> +# This program is distributed in the hope that it will be useful,         =
    #
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of          =
    #
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the           =
    #
> +# GNU General Public License for more details.                            =
    #
> +#                                                                         =
    #
> +# You should have received a copy of the GNU General Public License       =
    #
> +# along with this program.  If not, see <http://www.gnu.org/licenses/>.   =
    #
> +#                                                                         =
    #
> +##########################################################################=
#####
> +
> +use strict;
> +use Scalar::Util qw(looks_like_number);
> +
> +# debugging
> +#use warnings;
> +#use CGI::Carp 'fatalsToBrowser';
> +#use Data::Dumper;
> +
> +require '/var/ipfire/general-functions.pl';
> +require "${General::swroot}/lang.pl";
> +require "${General::swroot}/header.pl";
> +
> +###--- Extra HTML ---###
> +my $extraHead =3D <<END
> +<style>
> +	/* alternating row background */
> +	.tbl tr:nth-child(2n+2) {
> +		background-color: var(--color-light-grey);
> +	}
> +	.tbl tr:nth-child(2n+3) {
> +		background-color: var(--color-grey);
> +	}
> +	/* text styles */
> +	.tbl th:not(:last-child) {
> +		text-align: left;
> +	}
> +	div.right {
> +		text-align: right;
> +		margin-top: 0.5em;
> +	}
> +	/* customlist input */
> +	textarea.domainlist {
> +		margin: 0.5em 0;
> +		resize: vertical;
> +		min-height: 10em;
> +		overflow: auto;
> +		white-space: pre;
> +	}
> +	button[type=3Dsubmit]:disabled {
> +		opacity: 0.6;
> +	}
> +</style>
> +END
> +;
> +###--- End of extra HTML ---###
> +
> +
> +### Settings ###
> +
> +# Request DNS service reload after configuration change
> +my $RPZ_RELOAD_FLAG =3D "${General::swroot}/dns/rpz/reload.flag";
> +
> +# Configuration file for all available zonefiles
> +# Format: index, name (unique), enabled (on/off), URL, remark
> +my $ZONEFILES_CONF =3D "${General::swroot}/dns/rpz/zonefiles.conf";
> +
> +# Configuration file for custom lists
> +# IDs: 0=3Dallowlist, 1=3Dblocklist, 2=3Doptions (allow/block enabled)
> +my $CUSTOMLISTS_CONF =3D "${General::swroot}/dns/rpz/customlists.conf";
> +
> +# Export custom lists to rpz-config
> +my $RPZ_ALLOWLIST =3D "${General::swroot}/dns/rpz/allowlist";
> +my $RPZ_BLOCKLIST =3D "${General::swroot}/dns/rpz/blocklist";
> +
> +
> +### Preparation ###
> +
> +# Create missing config files
> +unless(-f $ZONEFILES_CONF) { &General::system('touch', "$ZONEFILES_CONF");=
 }
> +unless(-f $CUSTOMLISTS_CONF) { &General::system('touch', "$CUSTOMLISTS_CON=
F"); }
> +
> +
> +## Global gui data
> +my $errormessage =3D "";
> +
> +## Global configuration data
> +my %zonefiles =3D ();
> +my %customlists =3D ();
> +&_zonefiles_load();
> +&_customlists_load();
> +
> +## Global CGI form data
> +my %cgiparams =3D ();
> +&Header::getcgihash(\%cgiparams);
> +
> +my $action =3D $cgiparams{'ACTION'} // 'NONE';
> +my $action_key =3D $cgiparams{'KEY'} // ''; # entry being edited, empty =
=3D none/new
> +
> +
> +###--- Process form actions ---###
> +
> +# Zonefiles action: Check whether the requested entry exists
> +if((substr($action, 0, 3) eq 'ZF_') && ($action_key)) {
> +	unless(defined $zonefiles{$action_key}) {
> +		$errormessage =3D &_rpz_error_tr(204, $action_key);
> +		$action =3D 'NONE';
> +	}
> +}
> +
> +## Perform actions
> +if($action eq 'ZF_SAVE') {				## Save new or modified zonefiles entry
> +	if(&_action_zf_save()) {
> +		$action =3D 'NONE'; # success, return to main page
> +		&_http_prg_redirect();
> +	} else {
> +		$action =3D 'ZF_EDIT'; # error occured, keep editing
> +	}
> +
> +} elsif($action eq 'ZF_TOGGLE') {		## Toggle on/off
> +	if(&_action_zf_toggle()) {
> +		$action =3D 'NONE';
> +		&_http_prg_redirect();
> +	}
> +
> +} elsif($action eq 'ZF_REMOVE') {		## Remove entry
> +	if(&_action_zf_remove()) {
> +		$action =3D 'NONE';
> +		&_http_prg_redirect();
> +	}
> +
> +} elsif($action eq 'CL_SAVE') {			## Save custom lists
> +	if(&_action_cl_save()) {
> +		$action =3D 'NONE';
> +		&_http_prg_redirect();
> +	}
> +
> +} elsif($action eq 'RPZ_RELOAD') {		## Reload dns configuration
> +	if(&_action_rpz_reload()) {
> +		$action =3D 'NONE';
> +		&_http_prg_redirect();
> +	}
> +
> +} elsif($action eq 'UNB_RESTART') {		## Restart unbound service
> +	if(&_action_unb_restart()) {
> +		$action =3D 'NONE';
> +		&_http_prg_redirect();
> +	}
> +
> +}
> +
> +
> +###--- Start GUI ---###
> +
> +## Start http output
> +&Header::showhttpheaders();
> +
> +# Start HTML
> +&Header::openpage($Lang::tr{'rpz'}, 1, $extraHead);
> +&Header::openbigbox('100%', 'left', '');
> +
> +# Show error messages
> +if($errormessage) {
> +	&_print_message($errormessage);
> +}
> +
> +# Handle zonefile add/edit mode
> +if($action eq "ZF_EDIT") {
> +	&_print_zonefile_editor();
> +
> +	# Finalize page and exit cleanly
> +	&Header::closebigbox();
> +	&Header::closepage();
> +	exit(0);
> +}
> +
> +# Show gui elements
> +&_print_zonefiles();
> +&_print_customlists();
> +&_print_gui_extras();
> +
> +&Header::closebigbox();
> +&Header::closepage();
> +
> +###--- End of GUI ---###
> +
> +
> +###--- Internal configuration file functions ---###
> +
> +# Load all available zonefiles from rpz-config and the internal configurat=
ion
> +sub _zonefiles_load {
> +	# Clean start
> +	%zonefiles =3D ();
> +
> +	# Source 1: Get the currently enabled zonefiles from rpz-config (expected=
 format [name]=3D[URL])
> +	my @enabled_files =3D &General::system_output('/usr/sbin/rpz-config', 'li=
st');
> +
> +	foreach my $row (@enabled_files) {
> +		chomp($row);
> +
> +		# Use regex instead of split() to skip non-matching lines
> +		next unless($row =3D~ /^(\w+)=3D(.+)$/);
> +		my ($name, $url) =3D ($1, $2);
> +
> +		# Unique names are already guaranteed by rpz-config
> +		if(&_rpz_validate_zonefile($name, $url, '', 0) =3D=3D 0) {
> +			# Populate global data hash, mark all found entries as enabled
> +			my %entry =3D ('enabled' =3D> 'on',
> +				'url' =3D> $url,
> +				'remark' =3D> $Lang::tr{'rpz zf imported'});
> +
> +			$zonefiles{$name} =3D \%entry;
> +		}
> +	}
> +
> +	# Source 2: Get additional data and disabled entries from configuration f=
ile
> +	my %configured_files =3D ();
> +	&General::readhasharray($ZONEFILES_CONF, \%configured_files);
> +
> +	foreach my $row (values (%configured_files)) {
> +		my ($name, $enabled, $url, $remark) =3D @$row;
> +		$remark //=3D "";
> +
> +		next unless($name);
> +
> +		# Check whether this row belongs to an entry already imported from rpz-c=
onfig
> +		if(defined $zonefiles{$name}) {
> +			# Existing entry, only merge additional data
> +			$zonefiles{$name}{'remark'} =3D $remark;
> +		} else {
> +			# Skip entry if it is marked as enabled but not found by rpz-config. It=
 was then deleted manually
> +			if($enabled ne 'on') {
> +				# Populate global data hash
> +				my %entry =3D ('enabled' =3D> 'off',
> +					'url' =3D> $url // "",
> +					'remark' =3D> $remark);
> +
> +				$zonefiles{$name} =3D \%entry;
> +			}
> +		}
> +	}
> +}
> +
> +# Save internal zonefiles configuration
> +sub _zonefiles_save_conf {
> +	my $index =3D 0;
> +	my %export =3D ();
> +
> +	# Loop trough all zonefiles and create "hasharray" type export
> +	foreach my $name (keys %zonefiles) {
> +		my @entry =3D ($name,
> +			$zonefiles{$name}{'enabled'},
> +			$zonefiles{$name}{'url'},
> +			$zonefiles{$name}{'remark'});
> +
> +		$export{$index++} =3D \@entry;
> +	}
> +
> +	&General::writehasharray($ZONEFILES_CONF, \%export);
> +}
> +
> +# Load custom lists from rpz-config and the internal configuration
> +sub _customlists_load {
> +	# Clean start
> +	%customlists =3D ();
> +
> +	# Load configuration file
> +	my %lists_conf =3D ();
> +	&General::readhasharray($CUSTOMLISTS_CONF, \%lists_conf);
> +
> +	# Get list options, enabled by default to start import
> +	$customlists{'allow'}{'enabled'} =3D $lists_conf{2}[0] // 'on';
> +	$customlists{'block'}{'enabled'} =3D $lists_conf{2}[1] // 'on';
> +
> +	# Import enabled list from rpz-config, otherwise retrieve stored or empty=
 list from configuration file
> +	if($customlists{'allow'}{'enabled'} eq 'on') {
> +		&_customlist_import('allow', $RPZ_ALLOWLIST);
> +	} else {
> +		$customlists{'allow'}{'list'} =3D $lists_conf{0} // [];
> +	}
> +	if($customlists{'block'}{'enabled'} eq 'on') {
> +		&_customlist_import('block', $RPZ_BLOCKLIST);
> +	} else {
> +		$customlists{'block'}{'list'} =3D $lists_conf{1} // [];
> +	}
> +}
> +
> +# Save internal custom lists configuration
> +sub _customlists_save_conf {
> +	my %export =3D ();
> +
> +	# Match IDs with import function
> +	$export{0} =3D $customlists{'allow'}{'list'};
> +	$export{1} =3D $customlists{'block'}{'list'};
> +	$export{2} =3D [$customlists{'allow'}{'enabled'}, $customlists{'block'}{'=
enabled'}];
> +
> +	&General::writehasharray($CUSTOMLISTS_CONF, \%export);
> +}
> +
> +# Import a custom list from plain file, returns empty list if file is miss=
ing
> +sub _customlist_import {
> +	my ($listname, $filename) =3D @_;
> +	my @list =3D ();
> +
> +	# File exists, load and check all lines
> +	if(-f $filename) {
> +		open(my $FH, '<', $filename) or die "Can't read $filename: $!";
> +		while(my $line =3D <$FH>) {
> +			chomp($line);
> +			push(@list, $line);
> +		}
> +		close($FH);
> +
> +		# Clean up imported data
> +		&_rpz_validate_customlist(\@list, 1);
> +	}
> +
> +	$customlists{$listname}{'list'} =3D \@list;
> +}
> +
> +# Export a custom list to plain file or clear file if list is disabled
> +sub _customlist_export {
> +	my ($listname, $filename) =3D @_;
> +	return unless(defined $customlists{$listname});
> +
> +	# Write enabled domain list to file, otherwise save empty file
> +	open(my $FH, '>', $filename) or die "Can't write $filename: $!";
> +
> +	if($customlists{$listname}{'enabled'} eq 'on') {
> +		foreach my $line (@{$customlists{$listname}{'list'}}) {
> +			print $FH "$line\n";
> +		}
> +	} else {
> +		print $FH "; Note: This list is currently disabled by $ENV{'SCRIPT_NAME'=
}\n";
> +	}
> +
> +	close($FH);
> +}
> +
> +
> +###--- Internal gui functions ---###
> +
> +# Show simple message box
> +sub _print_message {
> +	my ($message, $title) =3D @_;
> +	$title ||=3D $Lang::tr{'error messages'};
> +
> +	&Header::openbox('100%', 'left', $title);
> +	print "<span>$message</span>";
> +	&Header::closebox();
> +}
> +
> +# Show all zone files and related gui elements
> +sub _print_zonefiles {
> +	&Header::openbox('100%', 'left', $Lang::tr{'rpz zf'});
> +
> +	print <<END
> +<table class=3D"tbl" width=3D"100%">
> +	<tr>
> +		<th>$Lang::tr{'name'}</th>
> +		<th>URL</th>
> +		<th>$Lang::tr{'remark'}</th>
> +		<th colspan=3D"3">$Lang::tr{'action'}</th>
> +	</tr>
> +END
> +;
> +
> +	# Sort zonefiles by name and loop trough all entries
> +	foreach my $name (sort keys %zonefiles) {
> +
> +		# Toggle button label translation
> +		my $toggle_tr =3D ($zonefiles{$name}{'enabled'} eq 'on') ? $Lang::tr{'cl=
ick to disable'} : $Lang::tr{'click to enable'};
> +
> +		print <<END
> +	<tr>
> +		<td>$name</td>
> +		<td>$zonefiles{$name}{'url'}</td>
> +		<td>$zonefiles{$name}{'remark'}</td>
> +
> +		<td align=3D"center" width=3D"5%">
> +			<form method=3D"post" action=3D"$ENV{'SCRIPT_NAME'}">
> +				<input type=3D"hidden" name=3D"KEY" value=3D"$name">
> +				<input type=3D"hidden" name=3D"ACTION" value=3D"ZF_TOGGLE">
> +				<input type=3D"image" src=3D"/images/$zonefiles{$name}{'enabled'}.gif"=
 title=3D"$toggle_tr" alt=3D"$toggle_tr">
> +			</form>
> +		</td>
> +		<td align=3D"center" width=3D"5%">
> +			<form method=3D"post" action=3D"$ENV{'SCRIPT_NAME'}">
> +				<input type=3D"hidden" name=3D"KEY" value=3D"$name">
> +				<input type=3D"hidden" name=3D"ACTION" value=3D"ZF_EDIT">
> +				<input type=3D"image" src=3D"/images/edit.gif" title=3D"$Lang::tr{'edi=
t'}" alt=3D"$Lang::tr{'edit'}">
> +			</form>
> +		</td>
> +		<td align=3D"center" width=3D"5%">
> +			<form method=3D"post" action=3D"$ENV{'SCRIPT_NAME'}">
> +				<input type=3D"hidden" name=3D"KEY" value=3D"$name">
> +				<input type=3D"hidden" name=3D"ACTION" value=3D"ZF_REMOVE">
> +				<input type=3D"image" src=3D"/images/delete.gif" title=3D"$Lang::tr{'r=
emove'}" alt=3D"$Lang::tr{'remove'}">
> +			</form>
> +		</td>
> +	</tr>
> +END
> +;
> +	}
> +
> +	# Disable reload button if not needed
> +	my $reload_state =3D &_rpz_needs_reload() ? "" : " disabled";
> +
> +	print <<END
> +</table>
> +
> +<div class=3D"right">
> +	<form method=3D"post" action=3D"$ENV{'SCRIPT_NAME'}">
> +		<input type=3D"hidden" name=3D"KEY" value=3D"">
> +		<button type=3D"submit" name=3D"ACTION" value=3D"ZF_EDIT">$Lang::tr{'add=
'}</button>
> +		<button type=3D"submit" name=3D"ACTION" value=3D"RPZ_RELOAD" class=3D"co=
mmit"$reload_state>$Lang::tr{'rpz apply'}</button>
> +	</form>
> +</div>
> +END
> +;
> +
> +	&Header::closebox();
> +}
> +
> +# Show zonefiles entry editor
> +sub _print_zonefile_editor {
> +
> +	# Key specified: Edit existing entry
> +	if(($action_key) && (defined $zonefiles{$action_key})) {
> +		# Load data to be edited, but don't override already present values (all=
ows user to edit after error)
> +		$cgiparams{'ZF_NAME'} //=3D $action_key;
> +		$cgiparams{'ZF_URL'} //=3D $zonefiles{$action_key}{'url'};
> +		$cgiparams{'ZF_REMARK'} //=3D $zonefiles{$action_key}{'remark'};
> +	}
> +
> +	# Fallback to empty form
> +	$cgiparams{'ZF_NAME'} //=3D "";
> +	$cgiparams{'ZF_URL'} //=3D "";
> +	$cgiparams{'ZF_REMARK'} //=3D "";
> +
> +	&Header::openbox('100%', 'left', $Lang::tr{'rpz zf editor'});
> +
> +	print <<END
> +<form method=3D"post" action=3D"$ENV{'SCRIPT_NAME'}">
> +<input type=3D"hidden" name=3D"KEY" value=3D"$action_key">
> +<table width=3D"100%">
> +	<tr>
> +		<td width=3D"20%">$Lang::tr{'name'}:&nbsp;<img src=3D"/blob.gif" alt=3D"=
*"></td>
> +		<td><input type=3D"text" name=3D"ZF_NAME" value=3D"$cgiparams{'ZF_NAME'}=
" size=3D"40" maxlength=3D"32" title=3D"$Lang::tr{'rpz zf remark info'}" patt=
ern=3D"[a-zA-Z0-9_]{1,32}" required></td>
> +	</tr>
> +	<tr>
> +		<td width=3D"20%">URL:&nbsp;<img src=3D"/blob.gif" alt=3D"*"></td>
> +		<td><input type=3D"url" name=3D"ZF_URL" value=3D"$cgiparams{'ZF_URL'}" s=
ize=3D"40" maxlength=3D"128" required></td>
> +	</tr>
> +	<tr>
> +		<td width=3D"20%">$Lang::tr{'remark'}:</td>
> +		<td><input type=3D"text" name=3D"ZF_REMARK" value=3D"$cgiparams{'ZF_REMA=
RK'}" size=3D"40" maxlength=3D"32"></td>
> +	</tr>
> +	<tr>
> +		<td colspan=3D"2"><hr></td>
> +	</tr>
> +	<tr>
> +		<td width=3D"55%"><img src=3D"/blob.gif" alt=3D"*">&nbsp;$Lang::tr{'requ=
ired field'}</td>
> +		<td align=3D"right"><button type=3D"submit" name=3D"ACTION" value=3D"ZF_=
SAVE">$Lang::tr{'save'}</button></td>
> +	</tr>
> +</table>
> +</form>
> +
> +<div class=3D"right">
> +	<form method=3D"post" action=3D"$ENV{'SCRIPT_NAME'}">
> +		<button type=3D"submit" name=3D"ACTION" value=3D"NONE">$Lang::tr{'back'}=
</button>
> +	</form>
> +</div>
> +END
> +;
> +
> +	&Header::closebox();
> +}
> +
> +# Show custom allow/block files and related gui elements
> +sub _print_customlists {
> +
> +	# Load lists from config, unless they are currently being edited
> +	if($action ne 'CL_SAVE') {
> +		$cgiparams{'ALLOW_LIST'} =3D join("\n", @{$customlists{'allow'}{'list'}}=
);
> +		$cgiparams{'BLOCK_LIST'} =3D join("\n", @{$customlists{'block'}{'list'}}=
);
> +
> +		$cgiparams{'ALLOW_ENABLED'} =3D ($customlists{'allow'}{'enabled'} eq 'on=
') ? 'on' : undef;
> +		$cgiparams{'BLOCK_ENABLED'} =3D ($customlists{'block'}{'enabled'} eq 'on=
') ? 'on' : undef;
> +	}
> +
> +	# Fallback to empty form
> +	$cgiparams{'ALLOW_LIST'} //=3D "";
> +	$cgiparams{'BLOCK_LIST'} //=3D "";
> +
> +	# HTML checkboxes, unchecked =3D no or undef value in POST data
> +	my %checked =3D ();
> +	$checked{'ALLOW_ENABLED'} =3D (defined $cgiparams{'ALLOW_ENABLED'}) ? " c=
hecked" : "";
> +	$checked{'BLOCK_ENABLED'} =3D (defined $cgiparams{'BLOCK_ENABLED'}) ? " c=
hecked" : "";
> +
> +	# Disable reload button if not needed
> +	my $reload_state =3D &_rpz_needs_reload() ? "" : " disabled";
> +
> +	&Header::openbox('100%', 'left', $Lang::tr{'rpz cl'});
> +
> +	print <<END
> +<form method=3D"post" action=3D"$ENV{'SCRIPT_NAME'}">
> +<table width=3D"100%">
> +	<tr>
> +		<td colspan=3D"2"><b>$Lang::tr{'rpz cl allow'}</b><br>$Lang::tr{'rpz cl =
allow info'}</td>
> +		<td colspan=3D"2"><b>$Lang::tr{'rpz cl block'}</b><br>$Lang::tr{'rpz cl =
block info'}</td>
> +	</tr>
> +	<tr>
> +		<td colspan=3D"2"><textarea name=3D"ALLOW_LIST" class=3D"domainlist" col=
s=3D"45">
> +$cgiparams{'ALLOW_LIST'}</textarea></td>
> +		<td colspan=3D"2"><textarea name=3D"BLOCK_LIST" class=3D"domainlist" col=
s=3D"45">
> +$cgiparams{'BLOCK_LIST'}</textarea></td>
> +	</tr>
> +	<tr>
> +		<td><label for=3D"allow_enabled">$Lang::tr{'rpz cl allow enable'}</label=
></td>
> +		<td width=3D"15%"><input type=3D"checkbox" name=3D"ALLOW_ENABLED" id=3D"=
allow_enabled"$checked{'ALLOW_ENABLED'}></td>
> +		<td><label for=3D"block_enabled">$Lang::tr{'rpz cl block enable'}</label=
></td>
> +		<td width=3D"15%"><input type=3D"checkbox" name=3D"BLOCK_ENABLED" id=3D"=
block_enabled"$checked{'BLOCK_ENABLED'}></td>
> +	</tr>
> +	<tr>
> +		<td colspan=3D"4"><hr></td>
> +	</tr>
> +	<tr>
> +		<td align=3D"right" colspan=3D"4">
> +			<button type=3D"submit" name=3D"ACTION" value=3D"CL_SAVE">$Lang::tr{'sa=
ve'}</button>
> +			<button type=3D"submit" name=3D"ACTION" value=3D"RPZ_RELOAD" class=3D"c=
ommit"$reload_state>$Lang::tr{'rpz apply'}</button>
> +		</td>
> +</table>
> +</form>
> +END
> +;
> +
> +	&Header::closebox();
> +}
> +
> +# Output javascript and extra gui elements
> +sub _print_gui_extras {
> +
> +	# Apply/Restart button modifier key handler
> +	if(&_rpz_needs_reload()) {
> +		print <<END
> +<script>
> +	// Commit modifier key handler
> +	(function(jq, document) {
> +		var keyEventsOn =3D false;	// Keyboard events attached
> +		var keyModify =3D false;		// Modifier key pressed
> +		var mouseHover =3D false;		// Mouse over commit button
> +		var btnModified =3D false;	// Button modified to "Restart"
> +
> +		// Document-level key events, enable only while cursor is over button
> +		function attachKeyEvents() {
> +			if(keyEventsOn) {
> +				return;
> +			}
> +			keyEventsOn =3D true;
> +
> +			jq(document).on("keydown.rpz", function(event) {
> +				if((!keyModify) && event.shiftKey) {
> +					keyModify =3D true;
> +					handleModify();
> +				}
> +			});
> +			jq(document).on("keyup.rpz", function(event) {
> +				if(keyModify && (!event.shiftKey)) {
> +					keyModify =3D false;
> +					handleModify();
> +				}
> +			});
> +		}
> +		function removeKeyEvents() {
> +			keyModify =3D false;
> +			if(keyEventsOn) {
> +				jq(document).off("keydown.rpz keyup.rpz");
> +				keyEventsOn =3D false;
> +			}
> +		}
> +
> +		// Attach mouse hover events to commit buttons
> +		function attachMouseEvents() {
> +			jq("button.commit").on("mouseenter", function(event) {
> +				if(!mouseHover) {
> +					mouseHover =3D true;
> +					attachKeyEvents();
> +					// Handle already pressed key
> +					keyModify =3D !!(event.shiftKey);
> +					handleModify();
> +				}
> +			});
> +
> +			// Cursor moved away: Disable key listener to minimize events
> +			jq("button.commit").on("mouseleave", function() {
> +				if(mouseHover) {
> +					mouseHover =3D false;
> +					removeKeyEvents();
> +					handleModify();
> +				}
> +			});
> +		}
> +
> +		// Modify commit button
> +		function handleModify() {
> +			let modify =3D mouseHover && keyModify;
> +			if(btnModified !=3D modify) {
> +				if(modify) {
> +					jq("button.commit").text("$Lang::tr{'restart'}").val("UNB_RESTART");
> +				} else {
> +					jq("button.commit").text("$Lang::tr{'rpz apply'}").val("RPZ_RELOAD");
> +				}
> +				btnModified =3D modify;
> +			}
> +		}
> +
> +		// jQuery DOM ready
> +		jq(function() {
> +			attachMouseEvents();
> +		});
> +	})(jQuery, document);
> +</script>
> +END
> +;
> +	} # End of modifier key handler
> +
> +}
> +
> +
> +###--- Internal action processing functions ---###
> +
> +# Toggle zonefile on/off
> +sub _action_zf_toggle {
> +	return unless(defined $zonefiles{$action_key});
> +
> +	my $result =3D 0;
> +	my $enabled =3D $zonefiles{$action_key}{'enabled'};
> +
> +	# Perform toggle action
> +	if($enabled eq 'on') {
> +		$enabled =3D 'off';
> +		$result =3D &General::system('/usr/sbin/rpz-config', 'remove', $action_k=
ey, '--no-reload');
> +	} else {
> +		$enabled =3D 'on';
> +		$result =3D &General::system('/usr/sbin/rpz-config', 'add', $action_key,=
 $zonefiles{$action_key}{'url'}, '--no-reload');
> +	}
> +
> +	# Check for errors, request service reload on success
> +	return unless &_rpz_check_result($result, 1);
> +
> +	# Save changes
> +	$zonefiles{$action_key}{'enabled'} =3D $enabled;
> +	&_zonefiles_save_conf();
> +
> +	return 1;
> +}
> +
> +# Remove zonefile
> +sub _action_zf_remove {
> +	return unless(defined $zonefiles{$action_key});
> +
> +	# Remove from rpz-config if currently active
> +	if($zonefiles{$action_key}{'enabled'} eq 'on') {
> +		my $result =3D &General::system('/usr/sbin/rpz-config', 'remove', $actio=
n_key, '--no-reload');
> +
> +		# Check for errors, request service reload on success
> +		return unless &_rpz_check_result($result, 1);
> +	}
> +
> +	# Remove from data hash and save changes
> +	delete $zonefiles{$action_key};
> +	&_zonefiles_save_conf();
> +
> +	# Clear action_key, as the entry is now removed entirely
> +	$action_key =3D "";
> +
> +	return 1;
> +}
> +
> +# Create or update zonefile entry
> +# Returns undef if gui needs to stay in editor mode
> +sub _action_zf_save {
> +	my $result =3D 0;
> +
> +	my $name =3D $cgiparams{'ZF_NAME'} // "";
> +	my $url =3D $cgiparams{'ZF_URL'} // "";
> +	my $remark =3D $cgiparams{'ZF_REMARK'} // "";
> +	my $enabled =3D 'on'; # Enable new entries by default
> +
> +	# Note on variables:
> +	# name =3D unique key, will be used to address the entry
> +	# action_key =3D name of the entry being edited, empty for new entry
> +
> +	# Only check for unique name if it changed
> +	# (this also checks new entries because the action_key is empty in this c=
ase)
> +	$result =3D &_rpz_validate_zonefile($name, $url, $remark, (lc($name) ne l=
c($action_key)));
> +	return unless &_rpz_check_result($result, 0);
> +
> +	# Edit existing entry: Determine what was changed
> +	if(($action_key) && (defined $zonefiles{$action_key})) {
> +		# Name und URL remain unchanged, only save remark and finish
> +		if(($name eq $action_key) && ($url eq $zonefiles{$action_key}{'url'})) {
> +			$zonefiles{$action_key}{'remark'} =3D $remark;
> +			&_zonefiles_save_conf();
> +
> +			return 1;
> +		}
> +
> +		# Entry was changed and needs to be recreated, preserve status
> +		$enabled =3D $zonefiles{$action_key}{'enabled'};
> +
> +		# Remove from rpz-config
> +		return unless &_action_zf_remove();
> +	}
> +
> +	# Add new entry to rpz-config
> +	if($enabled eq 'on') {
> +		$result =3D &General::system('/usr/sbin/rpz-config', 'add', $name, $url,=
 '--no-reload');
> +
> +		# Check for errors, request service reload on success
> +		return unless &_rpz_check_result($result, 1);
> +	}
> +
> +	# Add to global data hash and save changes
> +	my %entry =3D ('enabled' =3D> $enabled,
> +		'url' =3D> $url,
> +		'remark' =3D> $remark);
> +
> +	$zonefiles{$name} =3D \%entry;
> +	&_zonefiles_save_conf();
> +
> +	return 1;
> +}
> +
> +# Save custom lists
> +sub _action_cl_save {
> +	return unless((defined $cgiparams{'ALLOW_LIST'}) && (defined $cgiparams{'=
BLOCK_LIST'}));
> +
> +	my $result =3D 0;
> +
> +	my @allowlist =3D split(/\R/, $cgiparams{'ALLOW_LIST'});
> +	my @blocklist =3D split(/\R/, $cgiparams{'BLOCK_LIST'});
> +
> +	# Validate lists
> +	$result =3D &_rpz_validate_customlist(\@allowlist);
> +	if($result !=3D 0) {
> +		$errormessage =3D &_rpz_error_tr(202, $result);
> +		return;
> +	}
> +	$result =3D &_rpz_validate_customlist(\@blocklist);
> +	if($result !=3D 0) {
> +		$errormessage =3D &_rpz_error_tr(203, $result);
> +		return;
> +	}
> +
> +	# Add to global data hash and save changes
> +	$customlists{'allow'}{'list'} =3D \@allowlist;
> +	$customlists{'block'}{'list'} =3D \@blocklist;
> +	$customlists{'allow'}{'enabled'} =3D (defined $cgiparams{'ALLOW_ENABLED'}=
) ? 'on' : 'off';
> +	$customlists{'block'}{'enabled'} =3D (defined $cgiparams{'BLOCK_ENABLED'}=
) ? 'on' : 'off';
> +
> +	&_customlists_save_conf();
> +	&_customlist_export('allow', $RPZ_ALLOWLIST);
> +	&_customlist_export('block', $RPZ_BLOCKLIST);
> +
> +	# Make new lists, request service reload on success
> +	$result =3D &General::system('/usr/sbin/rpz-make', 'allowblock', '--no-re=
load');
> +	return unless &_rpz_check_result($result, 1);
> +
> +	return 1;
> +}
> +
> +# Trigger rpz-config reload
> +sub _action_rpz_reload {
> +	return 1 unless &_rpz_needs_reload();
> +
> +	# Immediately clear flag to prevent multiple reloads
> +	if(-f $RPZ_RELOAD_FLAG) {
> +		unlink($RPZ_RELOAD_FLAG) or die "Can't remove $RPZ_RELOAD_FLAG: $!";
> +	}
> +
> +	# Perform reload, recreate reload flag on error to enable retry
> +	my $result =3D &General::system('/usr/sbin/rpz-config', 'reload');
> +	if(not &_rpz_check_result($result, 0)) {
> +		&General::system('touch', "$RPZ_RELOAD_FLAG");
> +		return;
> +	}
> +
> +	return 1;
> +}
> +
> +# Trigger unbound restart
> +sub _action_unb_restart {
> +	return 1 unless &_rpz_needs_reload();
> +
> +	# Immediately clear flag to prevent multiple restarts
> +	if(-f $RPZ_RELOAD_FLAG) {
> +		unlink($RPZ_RELOAD_FLAG) or die "Can't remove $RPZ_RELOAD_FLAG: $!";
> +	}
> +
> +	# Perform restart, unboundctrl always exits zero
> +	&General::system('/usr/local/bin/unboundctrl', 'restart');
> +
> +	return 1;
> +}
> +
> +
> +###--- Internal rpz-config functions ---###
> +
> +# Translate rpz-config exitcodes and messages
> +# 100-199: rpz-config, 200-299: webgui
> +sub _rpz_error_tr {
> +	my ($error, $append) =3D @_;
> +	$append //=3D '';
> +
> +	# Translate numeric exit codes
> +	if(looks_like_number($error)) {
> +		if(defined $Lang::tr{"rpz exitcode $error"}) {
> +			$error =3D $Lang::tr{"rpz exitcode $error"};
> +		}
> +	}
> +
> +	return "RPZ $Lang::tr{'error'}: $error" . &Header::escape($append);
> +}
> +
> +# Check result of rpz-config system call, request reload on success
> +sub _rpz_check_result {
> +	my ($result, $request_reload) =3D @_;
> +	$request_reload //=3D 0;
> +
> +	# exitcode 0 =3D success
> +	if($result !=3D 0) {
> +		$errormessage =3D &_rpz_error_tr($result);
> +		return;
> +	}
> +
> +	# Set reload flag
> +	if($request_reload) {
> +		&General::system('touch', "$RPZ_RELOAD_FLAG");
> +	}
> +
> +	return 1;
> +}
> +
> +# Test whether reload flag is set
> +sub _rpz_needs_reload {
> +	return (-f $RPZ_RELOAD_FLAG);
> +}
> +
> +# Validate a zonefile entry, returns rpz-config exitcode on failure. Use _=
rpz_check_result to verify.
> +# unique =3D check for unique name
> +sub _rpz_validate_zonefile {
> +	my ($name, $url, $remark, $unique) =3D @_;
> +	$unique //=3D 1;
> +
> +	unless($name =3D~ /^[a-zA-Z0-9_]{1,32}$/) {
> +		return 101;
> +	}
> +	unless($url =3D~ /^[\w+\.:;\/\\&@#%?=3D\-~|!]{1,128}$/) {
> +		return 105;
> +	}
> +	unless($remark =3D~ /^[\w \-()\.:;*\/\\?!&=3D]{0,32}$/) {
> +		return 201;
> +	}
> +
> +	# Check against already existing names
> +	if($unique) {
> +		foreach my $existing (keys %zonefiles) {
> +			if(lc($name) eq lc($existing)) {
> +				return 104;
> +			}
> +		}
> +	}
> +
> +	return 0;
> +}
> +
> +# Validate a custom list, returns number of rejected line on failure. Chec=
k for non-zero results.
> +# listref =3D array reference, cleanup =3D remove invalid entries instead =
of returning an error
> +sub _rpz_validate_customlist {
> +	my ($listref, $cleanup) =3D @_;
> +	$cleanup //=3D 0;
> +
> +	foreach my $index (reverse 0..$#{$listref}) {
> +		my $row =3D @$listref[$index];
> +		next unless($row); # Skip/allow empty lines
> +
> +		# Reject/remove everything besides wildcard domains and remarks
> +		if((not &General::validwildcarddomainname($row)) && (not $row =3D~ /^;[\=
w \-()\.:;*\/\\?!&=3D]*$/)) {
> +			unless($cleanup) {
> +				# +1 for user friendly line number and to ensure non-zero exitcode
> +				return $index + 1;
> +			}
> +
> +			# Remove current row
> +			splice(@$listref, $index, 1);
> +		}
> +	}
> +
> +	return 0;
> +}
> +
> +
> +###--- Internal misc functions ---###
> +
> +# Send HTTP 303 redirect headers for post/request/get pattern
> +# (Must be sent before calling &Header::showhttpheaders())
> +sub _http_prg_redirect {
> +	my $location =3D "https://$ENV{'SERVER_NAME'}:$ENV{'SERVER_PORT'}$ENV{'SC=
RIPT_NAME'}";
> +	print "Status: 303 See Other\n";
> +	print "Location: $location\n";
> +}
> diff --git a/lfs/rpz b/lfs/rpz
> new file mode 100644
> index 000000000..7ddbc38e5
> --- /dev/null
> +++ b/lfs/rpz
> @@ -0,0 +1,96 @@
> +##########################################################################=
#####
> +#                                                                         =
    #
> +# IPFire.org - A linux based firewall                                     =
    #
> +# Copyright (C) 2024  IPFire Team  <info(a)ipfire.org>                    =
      #
> +#                                                                         =
    #
> +# This program is free software: you can redistribute it and/or modify    =
    #
> +# it under the terms of the GNU General Public License as published by    =
    #
> +# the Free Software Foundation, either version 3 of the License, or       =
    #
> +# (at your option) any later version.                                     =
    #
> +#                                                                         =
    #
> +# This program is distributed in the hope that it will be useful,         =
    #
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of          =
    #
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the           =
    #
> +# GNU General Public License for more details.                            =
    #
> +#                                                                         =
    #
> +# You should have received a copy of the GNU General Public License       =
    #
> +# along with this program.  If not, see <http://www.gnu.org/licenses/>.   =
    #
> +#                                                                         =
    #
> +##########################################################################=
#####
> +
> +##########################################################################=
#####
> +#  Definitions
> +##########################################################################=
#####
> +
> +include Config
> +
> +SUMMARY    =3D response policy zone - RPZ reputation system for unbound DNS
> +
> +VER        =3D 1.0.0
> +
> +THISAPP    =3D rpz-$(VER)
> +DIR_APP    =3D $(DIR_SRC)/$(THISAPP)
> +TARGET     =3D $(DIR_INFO)/$(THISAPP)
> +
> +PROG       =3D rpz
> +PAK_VER    =3D 18
> +
> +DEPS       =3D
> +
> +SERVICES   =3D
> +
> +##########################################################################=
#####
> +# Top-level Rules
> +##########################################################################=
#####
> +
> +install : $(TARGET)
> +
> +check :
> +
> +download :
> +
> +b2 :
> +
> +dist:
> +	@$(PAK)
> +
> +##########################################################################=
#####
> +# Installation Details
> +##########################################################################=
#####
> +
> +$(TARGET) :
> +	@$(PREBUILD)
> +	@rm -rf $(DIR_APP)
> +
> +	#  RPZ scripts
> +	install --verbose --mode=3D755 \
> +	  $(DIR_CONF)/rpz/{rpz-config,rpz-metrics,rpz-sleep,rpz-make,rpz-function=
s} \
> +	  --target-directory=3D/usr/sbin
> +
> +	#  RPZ config files
> +	mkdir -pv /etc/unbound/local.d
> +	install --verbose --mode=3D644 --owner=3Dnobody --group=3Dnobody \
> +	  $(DIR_CONF)/rpz/00-rpz.conf \
> +	  --target-directory=3D/etc/unbound/local.d
> +	chown --verbose --recursive nobody:nobody /etc/unbound/local.d
> +
> +	#  RPZ custom list files for allow and block
> +	mkdir -pv /var/ipfire/dns/rpz
> +	touch /var/ipfire/dns/rpz/{allowlist,blocklist}
> +	chown --verbose --recursive nobody:nobody /var/ipfire/dns/rpz
> +
> +	#  RPZ zone files
> +	#   create empty RPZ config file to avoid a unbound config error
> +	mkdir -pv /etc/unbound/zonefiles
> +	touch /etc/unbound/zonefiles/allow.rpz
> +	chown --verbose --recursive nobody:nobody /etc/unbound/zonefiles
> +
> +	# Install addon-specific language-files
> +	install --verbose --mode=3D004 $(DIR_CONF)/rpz/rpz.*.pl \
> +	  --target-directory=3D/var/ipfire/addon-lang
> +
> +	# Install backup definition
> +	cp -vf $(DIR_CONF)/backup/includes/rpz /var/ipfire/backup/addons/includes=
/rpz
> +
> +	@rm -rf $(DIR_APP)
> +	@$(POSTBUILD)
> diff --git a/make.sh b/make.sh
> index 827ea9e77..a77535b13 100755
> --- a/make.sh
> +++ b/make.sh
> @@ -390,7 +390,7 @@ prepareenv() {
>   		if [ "${free_space}" -lt "${required_space}" ]; then
>   			# Add any consumed space
>   			while read -r consumed_space path; do
> -				(( free_space +=3D consumed_space / 1024 / 1024 ))
> +				(( free_space +=3D consumed_space / 1024 / 1024 ))
>   			done <<< "$(du --summarize --bytes "${BUILD_DIR}" "${IMAGES_DIR}" "${L=
OG_DIR}" 2>/dev/null)"
>   		fi
>  =20
> @@ -2087,6 +2087,7 @@ build_system() {
>   	lfsmake2 btrfs-progs
>   	lfsmake2 inotify-tools
>   	lfsmake2 grub-btrfs
> +	lfsmake2 rpz
>  =20
>   	lfsmake2 linux
>   	lfsmake2 rtl8812au
> diff --git a/src/paks/rpz/install.sh b/src/paks/rpz/install.sh
> new file mode 100644
> index 000000000..ef99bf742
> --- /dev/null
> +++ b/src/paks/rpz/install.sh
> @@ -0,0 +1,36 @@
> +#!/bin/bash
> +##########################################################################=
#####
> +#                                                                         =
    #
> +#  IPFire.org - A linux based firewall                                    =
    #
> +#  Copyright (C) 2024  IPFire Team  <info(a)ipfire.org>                   =
      #
> +#                                                                         =
    #
> +#  This program is free software: you can redistribute it and/or modify   =
    #
> +#  it under the terms of the GNU General Public License as published by   =
    #
> +#  the Free Software Foundation, either version 3 of the License, or      =
    #
> +#  (at your option) any later version.                                    =
    #
> +#                                                                         =
    #
> +#  This program is distributed in the hope that it will be useful,        =
    #
> +#  but WITHOUT ANY WARRANTY; without even the implied warranty of         =
    #
> +#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          =
    #
> +#  GNU General Public License for more details.                           =
    #
> +#                                                                         =
    #
> +#  You should have received a copy of the GNU General Public License      =
    #
> +#  along with this program.  If not, see <http://www.gnu.org/licenses/>.  =
    #
> +#                                                                         =
    #
> +##########################################################################=
#####
> +#
> +. /opt/pakfire/lib/functions.sh
> +extract_files
> +restore_backup ${NAME}
> +
> +#	fix user created files
> +chown --verbose --recursive nobody:nobody \
> +	/var/ipfire/dns/rpz    \
> +	/etc/unbound/zonefiles \
> +	/etc/unbound/local.d
> +
> +# Update Language cache
> +/usr/local/bin/update-lang-cache
> +
> +#  restart unbound to load config file
> +/etc/init.d/unbound restart
> diff --git a/src/paks/rpz/uninstall.sh b/src/paks/rpz/uninstall.sh
> new file mode 100644
> index 000000000..e11427df3
> --- /dev/null
> +++ b/src/paks/rpz/uninstall.sh
> @@ -0,0 +1,38 @@
> +#!/bin/bash
> +##########################################################################=
#####
> +#                                                                         =
    #
> +#  IPFire.org - A linux based firewall                                    =
    #
> +#  Copyright (C) 2024  IPFire Team  <info(a)ipfire.org>                   =
      #
> +#                                                                         =
    #
> +#  This program is free software: you can redistribute it and/or modify   =
    #
> +#  it under the terms of the GNU General Public License as published by   =
    #
> +#  the Free Software Foundation, either version 3 of the License, or      =
    #
> +#  (at your option) any later version.                                    =
    #
> +#                                                                         =
    #
> +#  This program is distributed in the hope that it will be useful,        =
    #
> +#  but WITHOUT ANY WARRANTY; without even the implied warranty of         =
    #
> +#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          =
    #
> +#  GNU General Public License for more details.                           =
    #
> +#                                                                         =
    #
> +#  You should have received a copy of the GNU General Public License      =
    #
> +#  along with this program.  If not, see <http://www.gnu.org/licenses/>.  =
    #
> +#                                                                         =
    #
> +##########################################################################=
#####
> +#
> +. /opt/pakfire/lib/functions.sh
> +
> +#  stop unbound to delete RPZ conf file
> +/etc/init.d/unbound stop
> +
> +make_backup ${NAME}
> +remove_files
> +
> +#  delete rpz config files.  Otherwise unbound will throw error:
> +#    "[1723428668] unbound-control[17117:0] error: connect: Connection ref=
used for 127.0.0.1 port 8953"
> +/bin/rm --verbose --force /etc/unbound/local.d/*.rpz.conf
> +
> +# Update Language cache
> +/usr/local/bin/update-lang-cache
> +
> +#  start unbound to load unbound config file
> +/etc/init.d/unbound start
> diff --git a/src/paks/rpz/update.sh b/src/paks/rpz/update.sh
> new file mode 100644
> index 000000000..9bc340bc6
> --- /dev/null
> +++ b/src/paks/rpz/update.sh
> @@ -0,0 +1,52 @@
> +#!/bin/bash
> +##########################################################################=
#####
> +#                                                                         =
    #
> +#  IPFire.org - A linux based firewall                                    =
    #
> +#  Copyright (C) 2024  IPFire Team  <info(a)ipfire.org>                   =
      #
> +#                                                                         =
    #
> +#  This program is free software: you can redistribute it and/or modify   =
    #
> +#  it under the terms of the GNU General Public License as published by   =
    #
> +#  the Free Software Foundation, either version 3 of the License, or      =
    #
> +#  (at your option) any later version.                                    =
    #
> +#                                                                         =
    #
> +#  This program is distributed in the hope that it will be useful,        =
    #
> +#  but WITHOUT ANY WARRANTY; without even the implied warranty of         =
    #
> +#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          =
    #
> +#  GNU General Public License for more details.                           =
    #
> +#                                                                         =
    #
> +#  You should have received a copy of the GNU General Public License      =
    #
> +#  along with this program.  If not, see <http://www.gnu.org/licenses/>.  =
    #
> +#                                                                         =
    #
> +##########################################################################=
#####
> +#
> +. /opt/pakfire/lib/functions.sh
> +
> +#  from update.sh
> +extract_backup_includes
> +
> +#  stop unbound to delete RPZ conf file
> +/etc/init.d/unbound stop
> +
> +#  from uninstall.sh
> +make_backup ${NAME}
> +remove_files
> +
> +#  delete rpz config files.  Otherwise unbound will throw error:
> +#    "unbound-control[nn:0] error: connect: Connection refused for 127.0.0=
.1 port 8953"
> +/bin/rm --verbose --force /etc/unbound/local.d/*.rpz.conf
> +
> +#  from install.sh
> +extract_files
> +restore_backup ${NAME}
> +
> +#	fix user created files
> +chown --verbose --recursive nobody:nobody \
> +	/var/ipfire/dns/rpz    \
> +	/etc/unbound/zonefiles \
> +	/etc/unbound/local.d
> +
> +# Update Language cache
> +/usr/local/bin/update-lang-cache
> +
> +#  restart unbound to load config files
> +/etc/init.d/unbound start


--===============0209691955325930092==--