* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 104323f5a4b8dc34e12b526b1def73fd49488488
@ 2026-01-09 11:53 Michael Tremer
From: Michael Tremer @ 2026-01-09 11:53 UTC (permalink / raw)
To: ipfire-scm
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via 104323f5a4b8dc34e12b526b1def73fd49488488 (commit)
via 9eb8751487d23dd354a105c28bdbbb0398fe6e85 (commit)
via db6ad2943bac730c16e185b3146134a52149d662 (commit)
via f0b43241a501f7c545e3cb15f6989e945c60b3e2 (commit)
from 415a10ae5647a8e2ce6fbb210dafda67a182c4bb (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 104323f5a4b8dc34e12b526b1def73fd49488488
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Jan 9 11:52:53 2026 +0000
core200: Ship ids-ruleset-sources
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 9eb8751487d23dd354a105c28bdbbb0398fe6e85
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Wed Jan 7 11:43:12 2026 +0000
suricata: Add IPFire DNSBL to the rule sources
Although this is not the primary use-case, there is a lot of value in
adding the DNSBL to Suricata for secondary filtering. Anything that is
trying to circumvent any local policy will be caught at the edge of the
network and therefore we will even be able to block access to any listed
domains when people are using a private resolver.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit db6ad2943bac730c16e185b3146134a52149d662
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Jan 9 11:51:47 2026 +0000
core200: Ship ids-functions.pl
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit f0b43241a501f7c545e3cb15f6989e945c60b3e2
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Wed Jan 7 11:37:18 2026 +0000
ids-functions.pl: Implement extracting any data from tarballs
Suricata rulesets are distributed as tarballs. Besides the rules, those
tarballs may contain additional data like datasets and so on. This data
was not extracted before.
For the IPFire DNSBL we are shipping any domains as a separate file
which is being parsed by Suricata as a dataset. Obviously these files
need to be extracted to be read by Suricata.
This patch extracts any data files in the first place and later copies
them into the rules directory.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/cfgroot/ids-functions.pl | 44 +++++++++++++++++++++-
config/rootfiles/core/200/filelists/files | 1 +
.../131 => core/200}/filelists/ids-ruleset-sources | 0
config/suricata/ruleset-sources | 9 +++++
4 files changed, 52 insertions(+), 2 deletions(-)
copy config/rootfiles/{oldcore/131 => core/200}/filelists/ids-ruleset-sources (100%)
Difference in files:
diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl
index 14212930e..bede5fca0 100644
--- a/config/cfgroot/ids-functions.pl
+++ b/config/cfgroot/ids-functions.pl
@@ -22,6 +22,8 @@
############################################################################
use strict;
+use File::Copy;
+use File::Spec;
package IDS;
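Review bot: the two new `use` lines sit above `package IDS;`, so File::Copy's default export of `copy` lands in `main::` rather than `IDS::`; the later call spells `File::Copy::copy` so it still works, but moving both `use` statements below `package IDS;` (or importing explicitly there with `use File::Copy qw(copy);`) would make the intent clear and avoid a surprise the next time someone writes a bare `copy(...)` in this package.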
@@ -391,7 +393,7 @@ sub extractruleset ($) {
my $destination;
# Splitt the packed file into chunks.
- my $file = fileparse($packed_file);
+ my ($file, $path) = fileparse($packed_file);
# Handle msg-id.map file.
if ("$file" eq "sid-msg.map") {
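Review bot: `fileparse` returns `./` as the directory part for members with no directory component and otherwise keeps whatever prefix the archive uses, so `$path` is `datasets/` only for archives built from explicit paths and `./datasets/` for archives created with `tar -c .`; the exact comparison later in this function will silently skip the latter layout. Normalising a leading `./` here (`$path =~ s{^\./}{};`) before the comparisons would cover both. The typo "Splitt" in the context comment above could be fixed while touching this line.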
@@ -447,6 +449,13 @@ sub extractruleset ($) {
# Set extract destination to temporaray rules_dir.
$destination = "$tmp_rules_directory/$rulesfilename";
+
+ # Extract any datasets in the datasets/ sub-directory
+ } elsif ($path eq "datasets/") {
+ $destination = "$tmp_rules_directory/$path/$file";
+
+ # Ensure the directory exists
+ mkdir("$tmp_rules_directory/$path") unless (-d "$tmp_rules_directory/$path");
} else {
# Skip all other files.
return;
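Review bot: `$file` is taken verbatim from the archive member name and is never validated: `fileparse("datasets/..")` yields `$file eq ".."`, and a directory entry `datasets/` yields an empty `$file`, so both reach the `$destination` assignment; suggest `return` for empty, `.` and `..` names before setting `$destination`. The `mkdir` return value is also unchecked, so a failed directory creation only surfaces as a later extraction error (`mkdir(...) or die ...` would match the error handling elsewhere in this file). Minor: `"$tmp_rules_directory/$path/$file"` produces a double slash because `$path` already ends in `/`. Note too that, unlike rules which are written under `$rulesfilename`, datasets keep their archive name, so two providers shipping `datasets/<same name>` will overwrite each other in the rules directory.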
@@ -514,6 +523,7 @@ sub process_ruleset(@) {
# Array to store the extracted rulefile from the temporary rules directory.
my @extracted_rulefiles;
+ my @extracted_datafiles;
# Get names of the extracted raw rulefiles.
opendir(DIR, $tmp_rules_directory) or die "Could not read from $tmp_rules_directory. $!\n";
@@ -522,7 +532,11 @@ sub process_ruleset(@) {
next if $file =~ /^\.\.?$/;
# Add file to the array of extracted files.
- push(@extracted_rulefiles, $file);
+ if ($file =~ m/\.rules$/) {
+ push(@extracted_rulefiles, $file);
+ } else {
+ push(@extracted_datafiles, $file),
+ }
}
# Close directory handle.
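Review bot: the trailing comma in `push(@extracted_datafiles, $file),` should be a semicolon; Perl accepts a trailing comma in a list so it parses, but it reads as a typo. The classification also treats every non-`.rules` entry in `$tmp_rules_directory` as a data file: if `sid-msg.map` (handled at the top of `extractruleset`, its destination is not visible in this diff) is staged in that directory, it will now be copied into `$rulespath` as well. A positive match on the `datasets` directory that `extractruleset` is allowed to create would be safer than a catch-all `else`.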
@@ -619,6 +633,32 @@ sub process_ruleset(@) {
close(TMP_RULEFILE);
}
}
+
+ # Copy all extracted data files
+ foreach my $datafile (@extracted_datafiles) {
+ my $src = File::Spec->catfile($tmp_rules_directory, $datafile);
+ my $dst = File::Spec->catfile($rulespath, $datafile);
+
+ # If we found a directory, we will descend into it
+ if (-d $src) {
+ # Find all files that need to be copied
+ opendir(DIR, $src);
+ while (my $file = readdir(DIR)) {
+ next if ($file eq "." || $file eq "..");
+
+ push(@extracted_datafiles, "$datafile/$file");
+ }
+ closedir(DIR);
+
+ # Create the destination
+ mkdir($dst) unless (-d $dst);
+
+ next;
+ }
+
+ # Copy the content
+ File::Copy::copy($src, $dst) or die "Failed to copy datafile $src -> $dst: $!\n";
+ }
}
#
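Review bot: the loop pushes onto `@extracted_datafiles` while `foreach` is iterating over that same array; perlsyn states that adding elements to the array being iterated "will get very confused", so the descent should use an explicit worklist (`while (defined(my $datafile = shift @queue))`) instead. In addition, `opendir(DIR, $src)` ignores its return value where the earlier `opendir` in this function dies on failure, the bareword `DIR` handle is shared with the outer loop and a lexical `my $dh` would be safer, `-d $src` follows symlinks so a symlink that made it into the staging directory is descended into, and nothing in this hunk removes datasets that a provider stops shipping, so stale files will accumulate under `$rulespath/datasets` unless cleanup happens elsewhere.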
diff --git a/config/rootfiles/core/200/filelists/files b/config/rootfiles/core/200/filelists/files
index d0eed9f2e..0dd177c9a 100644
--- a/config/rootfiles/core/200/filelists/files
+++ b/config/rootfiles/core/200/filelists/files
@@ -4,4 +4,5 @@ srv/web/ipfire/cgi-bin/dns.cgi
srv/web/ipfire/cgi-bin/ovpnmain.cgi
usr/local/bin/filesystem-cleanup
var/ipfire/backup/exclude
+var/ipfire/ids-functions.pl
var/ipfire/urlfilter/autoupdate/autoupdate.urls
diff --git a/config/rootfiles/core/200/filelists/ids-ruleset-sources b/config/rootfiles/core/200/filelists/ids-ruleset-sources
new file mode 120000
index 000000000..a226ada39
--- /dev/null
+++ b/config/rootfiles/core/200/filelists/ids-ruleset-sources
@@ -0,0 +1 @@
+../../../common/ids-ruleset-sources
\ No newline at end of file
diff --git a/config/suricata/ruleset-sources b/config/suricata/ruleset-sources
index b843d3e49..3ccb205a7 100644
--- a/config/suricata/ruleset-sources
+++ b/config/suricata/ruleset-sources
@@ -141,4 +141,13 @@ our %Providers = (
dl_url => "https://raw.githubusercontent.com/travisbgreen/hunting-rules/master/hunting.rules",
dl_type => "plain",
},
+
+ ipfire_dnsbl => {
+ summary => "IPFire DNSBL - Domain Blocklist",
+ website => "https://www.ipfire.org/dnsbl/",
+ tr_string => "ipfire dnsbl",
+ requires_subscription => "False",
+ dl_url => "https://dnsbl.ipfire.org/lists/suricata.tar.gz",
+ dl_type => "archive",
+ },
);
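Review bot: missing documentation: this is the first provider whose archive carries content other than rules, and the loader only picks up files that sit in a top-level `datasets/` directory inside the tarball, a layout contract introduced in `ids-functions.pl` in this same push. A comment on this entry, or on `%Providers`, stating that `dl_type => "archive"` sources may ship a `datasets/` directory next to their `.rules` files and that anything else is ignored would save the next provider a debugging round.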
hooks/post-receive
--
IPFire 2.x development tree
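Added example, written for this review and not part of the IPFire tree: it reimplements the two steps the commit message for f0b43241 describes (classify tarball members into rules and `datasets/`, then copy the staged tree into the rules directory) with member-name validation and an explicit worklist for the directory descent. The member names and the staged file content are constructed for the demonstration; `classify_member` and `copy_tree` are names chosen here, not functions of ids-functions.pl.

```perl
#!/usr/bin/perl
# Added illustration, not IPFire project code. Mirrors the two steps of the
# ids-functions.pl change (classify tarball members, then copy the staged
# tree into the rules directory) with the checks a reviewer would ask for.
use strict;
use warnings;
use File::Basename qw(fileparse);
use File::Copy qw(copy);
use File::Path qw(make_path);
use File::Spec;
use File::Temp qw(tempdir);

# Decide where an archive member belongs. Returns (kind, relative destination)
# or an empty list when the member must be skipped. Member names are untrusted:
# they come straight out of the downloaded tarball.
sub classify_member {
	my ($member) = @_;

	# Archives built with "tar -c ." prefix every member with "./".
	$member =~ s{^\./}{};

	# Never accept absolute names or any ".." component.
	return () if $member =~ m{^/};
	return () if grep { $_ eq ".." } split(m{/}, $member);

	my ($file, $path) = fileparse($member);
	$path = "" if $path eq "./";    # fileparse's "no directory" marker

	if ($path eq "" && $file =~ /\.rules$/) {
		return ("rule", $file);
	} elsif ($path eq "datasets/" && $file ne "" && $file ne ".") {
		# "datasets/" itself parses to an empty file name and is skipped
		return ("dataset", "datasets/$file");
	}
	return ();
}

# Copy every regular file below $src to the same relative place under $dst,
# descending into sub-directories through an explicit worklist instead of
# appending to the array a foreach is iterating (undefined behaviour in Perl).
sub copy_tree {
	my ($src, $dst) = @_;
	my @queue = ("");    # relative paths still to visit; "" is the root
	my @copied;

	while (defined(my $rel = shift @queue)) {
		my $from = $rel eq "" ? $src : File::Spec->catfile($src, $rel);
		my $to   = $rel eq "" ? $dst : File::Spec->catfile($dst, $rel);

		# Never follow symlinks that ended up in the staging tree.
		next if -l $from;

		if (-d $from) {
			make_path($to);
			opendir(my $dh, $from) or die "Cannot read $from: $!\n";
			for my $entry (readdir($dh)) {
				next if $entry eq "." || $entry eq "..";
				push(@queue, $rel eq "" ? $entry : "$rel/$entry");
			}
			closedir($dh);
		} elsif (-f $from) {
			copy($from, $to) or die "Failed to copy $from -> $to: $!\n";
			push(@copied, $rel);
		}
	}
	my @sorted = sort @copied;
	return @sorted;
}

# Constructed member names, as they might appear in a ruleset tarball.
my @members = (
	"emerging-dns.rules",
	"./emerging-malware.rules",
	"datasets/",
	"datasets/blocked-domains.lst",
	"./datasets/blocked-ips.lst",
	"datasets/../../etc/passwd",
	"/etc/shadow",
	"README",
);
for my $member (@members) {
	my ($kind, $dest) = classify_member($member);
	printf "%-32s %s\n", $member, $kind ? "$kind -> $dest" : "skipped";
}

# Stage one dataset in a temporary tree and copy it as process_ruleset would.
my $staging   = tempdir(CLEANUP => 1);
my $rulespath = tempdir(CLEANUP => 1);
make_path("$staging/datasets");
open(my $fh, ">", "$staging/datasets/blocked-domains.lst") or die "$!\n";
print $fh "example.test\n";    # constructed content
close($fh);
print "copied: ", join(", ", copy_tree($staging, $rulespath)), "\n";
```

Running it prints one line per constructed member showing whether it is accepted as a rule, accepted as a dataset, or skipped (the `..` and absolute names, the bare `datasets/` directory entry and `README` are skipped, while the `./`-prefixed names are accepted), followed by `copied: datasets/blocked-domains.lst`. The worklist keeps the recursion bounded by the staging tree and the `-l` test stops a planted symlink from being followed out of it.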