public inbox for ipfire-scm@lists.ipfire.org
* [git.ipfire.org] IPFire 2.x development tree branch, master, updated. d3b06186321fb4a1315bb0fa39645f12b97dfe43
@ 2026-04-09 10:13 Michael Tremer
From: Michael Tremer @ 2026-04-09 10:13 UTC (permalink / raw)
  To: ipfire-scm


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, master has been updated
       via  d3b06186321fb4a1315bb0fa39645f12b97dfe43 (commit)
       via  4b6370ca43c3df9303ae067bad26a1ee56046004 (commit)
       via  e3c11ae3436b578432df0058eee229f262791254 (commit)
      from  bb27cc32ea7251674b2b1c1ea0db2faf74747014 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit d3b06186321fb4a1315bb0fa39645f12b97dfe43
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Thu Apr 9 11:07:28 2026 +0100

    dnsbl.cgi: Add note that ACLs are optional
    
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 4b6370ca43c3df9303ae067bad26a1ee56046004
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Thu Apr 9 11:07:11 2026 +0100

    langs: de: Don't capitalize "ZURÜCK"
    
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit e3c11ae3436b578432df0058eee229f262791254
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Thu Apr 9 10:53:59 2026 +0100

    unbound: Fix defining access-control-tag:
    
    Multiple lines referring to the same network will overwrite any previous
    settings. Therefore we have to collect all tags and emit them in the
    end.
    
    Zones that should not have any restrictions won't have any tags assigned
    whatsoever.
    
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 doc/language_issues.en         |  1 +
 doc/language_issues.es         |  1 +
 doc/language_issues.fr         |  1 +
 doc/language_issues.it         |  1 +
 doc/language_issues.nl         |  1 +
 doc/language_issues.pl         |  1 +
 doc/language_issues.ru         |  1 +
 doc/language_issues.tr         |  1 +
 doc/language_issues.tw         |  1 +
 doc/language_issues.zh         |  1 +
 doc/language_missings          |  9 +++++
 html/cgi-bin/dnsbl.cgi         |  8 ++++
 langs/de/cgi-bin/de.pl         |  3 +-
 langs/en/cgi-bin/en.pl         |  1 +
 src/initscripts/system/unbound | 83 ++++++++++++++++++++++--------------------
 15 files changed, 73 insertions(+), 41 deletions(-)

Difference in files:
diff --git a/doc/language_issues.en b/doc/language_issues.en
index 70377df36..109dc0f39 100644
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -622,6 +622,7 @@ WARNING: untranslated string: dns title = Domain Name System
 WARNING: untranslated string: dns tls hostname = TLS Hostname
 WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigned DNS servers
 WARNING: untranslated string: dns use protocol for dns queries = Protocol for DNS queries
+WARNING: untranslated string: dnsbl acl explanation = By default, the blocking will apply to the entire network. You may configure only a few network zones, hosts or subnets where this category will be applied.
 WARNING: untranslated string: dnsbl dns firewall = DNS Firewall
 WARNING: untranslated string: dnsbl error domain specified twice = The domain cannot be allowed and blocked at the same time.
 WARNING: untranslated string: dnsforward = DNS Forwarding
diff --git a/doc/language_issues.es b/doc/language_issues.es
index d44baf3a0..0038f162f 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -1022,6 +1022,7 @@ WARNING: untranslated string: Captive ACTIVATE = unknown string
 WARNING: untranslated string: Captive clients = unknown string
 WARNING: untranslated string: ca name must only contain characters and spaces = unknown string
 WARNING: untranslated string: dns servers = DNS Servers
+WARNING: untranslated string: dnsbl acl explanation = By default, the blocking will apply to the entire network. You may configure only a few network zones, hosts or subnets where this category will be applied.
 WARNING: untranslated string: dnsbl dns firewall = DNS Firewall
 WARNING: untranslated string: dnsbl error domain specified twice = The domain cannot be allowed and blocked at the same time.
 WARNING: untranslated string: download report = Download Report
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index 142caa588..a00b1c646 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -1003,6 +1003,7 @@ WARNING: untranslated string: ca name must only contain characters and spaces =
 WARNING: untranslated string: configuration file = Configuration File
 WARNING: untranslated string: core notice 3 = available.
 WARNING: untranslated string: data transfer = Data Transfer
+WARNING: untranslated string: dnsbl acl explanation = By default, the blocking will apply to the entire network. You may configure only a few network zones, hosts or subnets where this category will be applied.
 WARNING: untranslated string: dnsbl dns firewall = DNS Firewall
 WARNING: untranslated string: dnsbl error domain specified twice = The domain cannot be allowed and blocked at the same time.
 WARNING: untranslated string: done = Done
diff --git a/doc/language_issues.it b/doc/language_issues.it
index ed649b021..fd5542e1f 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -1047,6 +1047,7 @@ WARNING: untranslated string: dns recursor mode = Recursor Mode
 WARNING: untranslated string: dns tls hostname = TLS Hostname
 WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigned DNS servers
 WARNING: untranslated string: dns use protocol for dns queries = Protocol for DNS queries
+WARNING: untranslated string: dnsbl acl explanation = By default, the blocking will apply to the entire network. You may configure only a few network zones, hosts or subnets where this category will be applied.
 WARNING: untranslated string: dnsbl dns firewall = DNS Firewall
 WARNING: untranslated string: dnsbl error domain specified twice = The domain cannot be allowed and blocked at the same time.
 WARNING: untranslated string: dnsforward dnssec disabled = DNSSEC Validation is disabled
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index 03f163ee7..94750b660 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -1046,6 +1046,7 @@ WARNING: untranslated string: dns recursor mode = Recursor Mode
 WARNING: untranslated string: dns tls hostname = TLS Hostname
 WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigned DNS servers
 WARNING: untranslated string: dns use protocol for dns queries = Protocol for DNS queries
+WARNING: untranslated string: dnsbl acl explanation = By default, the blocking will apply to the entire network. You may configure only a few network zones, hosts or subnets where this category will be applied.
 WARNING: untranslated string: dnsbl dns firewall = DNS Firewall
 WARNING: untranslated string: dnsbl error domain specified twice = The domain cannot be allowed and blocked at the same time.
 WARNING: untranslated string: dnsforward dnssec disabled = DNSSEC Validation is disabled
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index 6fbda032d..a0556cf95 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -1002,6 +1002,7 @@ WARNING: untranslated string: dns recursor mode = Recursor Mode
 WARNING: untranslated string: dns tls hostname = TLS Hostname
 WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigned DNS servers
 WARNING: untranslated string: dns use protocol for dns queries = Protocol for DNS queries
+WARNING: untranslated string: dnsbl acl explanation = By default, the blocking will apply to the entire network. You may configure only a few network zones, hosts or subnets where this category will be applied.
 WARNING: untranslated string: dnsbl dns firewall = DNS Firewall
 WARNING: untranslated string: dnsbl error domain specified twice = The domain cannot be allowed and blocked at the same time.
 WARNING: untranslated string: dnsforward = DNS Forwarding
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 261b917d9..6d233a776 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -1000,6 +1000,7 @@ WARNING: untranslated string: dns recursor mode = Recursor Mode
 WARNING: untranslated string: dns tls hostname = TLS Hostname
 WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigned DNS servers
 WARNING: untranslated string: dns use protocol for dns queries = Protocol for DNS queries
+WARNING: untranslated string: dnsbl acl explanation = By default, the blocking will apply to the entire network. You may configure only a few network zones, hosts or subnets where this category will be applied.
 WARNING: untranslated string: dnsbl dns firewall = DNS Firewall
 WARNING: untranslated string: dnsbl error domain specified twice = The domain cannot be allowed and blocked at the same time.
 WARNING: untranslated string: dnsforward = DNS Forwarding
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index 856be4dde..622d52bb5 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -1028,6 +1028,7 @@ WARNING: untranslated string: dns recursor mode = Recursor Mode
 WARNING: untranslated string: dns tls hostname = TLS Hostname
 WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigned DNS servers
 WARNING: untranslated string: dns use protocol for dns queries = Protocol for DNS queries
+WARNING: untranslated string: dnsbl acl explanation = By default, the blocking will apply to the entire network. You may configure only a few network zones, hosts or subnets where this category will be applied.
 WARNING: untranslated string: dnsbl dns firewall = DNS Firewall
 WARNING: untranslated string: dnsbl error domain specified twice = The domain cannot be allowed and blocked at the same time.
 WARNING: untranslated string: dnsforward dnssec disabled = DNSSEC Validation is disabled
diff --git a/doc/language_issues.tw b/doc/language_issues.tw
index c6299c27e..cf7d0163e 100644
--- a/doc/language_issues.tw
+++ b/doc/language_issues.tw
@@ -1030,6 +1030,7 @@ WARNING: untranslated string: Captive wrong type = Uploaded file has wrong filet
 WARNING: untranslated string: aliases default interface = - Default Interface -
 WARNING: untranslated string: ca name must only contain characters and spaces = unknown string
 WARNING: untranslated string: dns servers = DNS Servers
+WARNING: untranslated string: dnsbl acl explanation = By default, the blocking will apply to the entire network. You may configure only a few network zones, hosts or subnets where this category will be applied.
 WARNING: untranslated string: dnsbl dns firewall = DNS Firewall
 WARNING: untranslated string: dnsbl error domain specified twice = The domain cannot be allowed and blocked at the same time.
 WARNING: untranslated string: download report = Download Report
diff --git a/doc/language_issues.zh b/doc/language_issues.zh
index c6299c27e..cf7d0163e 100644
--- a/doc/language_issues.zh
+++ b/doc/language_issues.zh
@@ -1030,6 +1030,7 @@ WARNING: untranslated string: Captive wrong type = Uploaded file has wrong filet
 WARNING: untranslated string: aliases default interface = - Default Interface -
 WARNING: untranslated string: ca name must only contain characters and spaces = unknown string
 WARNING: untranslated string: dns servers = DNS Servers
+WARNING: untranslated string: dnsbl acl explanation = By default, the blocking will apply to the entire network. You may configure only a few network zones, hosts or subnets where this category will be applied.
 WARNING: untranslated string: dnsbl dns firewall = DNS Firewall
 WARNING: untranslated string: dnsbl error domain specified twice = The domain cannot be allowed and blocked at the same time.
 WARNING: untranslated string: download report = Download Report
diff --git a/doc/language_missings b/doc/language_missings
index 9fafee2d2..a505fdd5d 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -161,6 +161,7 @@
 < AES-256-GCM
 < CHACHA20-POLY1305
 < dnsbl acl
+< dnsbl acl explanation
 < dnsbl custom block and allow list
 < dnsbl custom source
 < dnsbl dns firewall
@@ -267,6 +268,7 @@
 < configuration file
 < data transfer
 < dnsbl acl
+< dnsbl acl explanation
 < dnsbl custom block and allow list
 < dnsbl custom source
 < dnsbl dns firewall
@@ -586,6 +588,7 @@
 < Disabled
 < disconnected
 < dnsbl acl
+< dnsbl acl explanation
 < dnsbl custom block and allow list
 < dnsbl custom source
 < dnsbl dns firewall
@@ -1286,6 +1289,7 @@
 < Disabled
 < disconnected
 < dnsbl acl
+< dnsbl acl explanation
 < dnsbl custom block and allow list
 < dnsbl custom source
 < dnsbl dns firewall
@@ -2051,6 +2055,7 @@
 < disconnected
 < dnat address
 < dnsbl acl
+< dnsbl acl explanation
 < dnsbl custom block and allow list
 < dnsbl custom source
 < dnsbl dns firewall
@@ -3224,6 +3229,7 @@
 < disk access
 < dnat address
 < dnsbl acl
+< dnsbl acl explanation
 < dnsbl custom block and allow list
 < dnsbl custom source
 < dnsbl dns firewall
@@ -4261,6 +4267,7 @@
 < Disabled
 < disconnected
 < dnsbl acl
+< dnsbl acl explanation
 < dnsbl custom block and allow list
 < dnsbl custom source
 < dnsbl dns firewall
@@ -4708,6 +4715,7 @@
 < Captive wrong type
 < CHACHA20-POLY1305
 < dnsbl acl
+< dnsbl acl explanation
 < dnsbl custom block and allow list
 < dnsbl custom source
 < dnsbl dns firewall
@@ -4822,6 +4830,7 @@
 < Captive wrong type
 < CHACHA20-POLY1305
 < dnsbl acl
+< dnsbl acl explanation
 < dnsbl custom block and allow list
 < dnsbl custom source
 < dnsbl dns firewall
diff --git a/html/cgi-bin/dnsbl.cgi b/html/cgi-bin/dnsbl.cgi
index 16e6dded2..9b4e8dcab 100644
--- a/html/cgi-bin/dnsbl.cgi
+++ b/html/cgi-bin/dnsbl.cgi
@@ -400,6 +400,14 @@ print <<END;
 				</td>
 			</tr>
 
+			<tr>
+				<td colspan="2">
+					<p>
+						$Lang::tr{'dnsbl acl explanation'}
+					</p>
+				</td>
+			</tr>
+
 			<tr>
 				<td>
 					$Lang::tr{"network zone"}
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 623ec4ef6..d7f8148f3 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -457,7 +457,7 @@
 'available' => 'verfügbar',
 'average' => 'Durchschnitt',
 'avoid dod' => 'Benutzen Sie diese Option nicht mit Dial on Demand! Wird hauptsächlich verwendet, wenn Ihr IPFire sich hinter einem Router befindet. Ihre ROTE IP muss sich innerhalb eines der drei reservierten Netzwerkbereiche befinden z.B. 10/8, 172.16/12, 192.168/16.',
-'back' => 'ZURÜCK',
+'back' => 'Zurück',
 'backup' => 'Datensicherung',
 'backup config floppy' => 'Backup-Konfiguration - Diskette',
 'backup configuration' => 'Backup-Konfiguration:',
@@ -859,6 +859,7 @@
 'dns use isp assigned nameservers' => 'Vom ISP zugewiesene DNS-Server verwenden',
 'dns use protocol for dns queries' => 'Für DNS-Anfragen zu verwendendes Protokoll',
 'dnsbl acl' => 'Zugriffskontrolle',
+'dnsbl acl explanation' => 'Standardmäßig wird die Blockierung auf das gesamte Netzwerk angewendet. Sie können optional nur bestimmte Netzwerkzonen, Hosts oder Subnetze konfigurieren, für die diese Kategorie gelten soll.',
 'dnsbl custom block and allow list' => 'Individuelle Block- und Freigabeliste',
 'dnsbl custom source' => 'Benutzerdefinierte Quelle',
 'dnsbl dns firewall' => 'DNS-Firewall',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 2c49106d1..1685a7032 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -908,6 +908,7 @@
 'dns use isp assigned nameservers' => 'Use ISP-assigned DNS servers',
 'dns use protocol for dns queries' => 'Protocol for DNS queries',
 'dnsbl acl' => 'Access Control',
+'dnsbl acl explanation' => 'By default, the blocking will apply to the entire network. You may configure only a few network zones, hosts or subnets where this category will be applied.',
 'dnsbl custom block and allow list' => 'Custom Block And Allow List',
 'dnsbl custom source' => 'Custom source',
 'dnsbl dns firewall' => 'DNS Firewall',
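Review bot: The added 'dnsbl acl explanation' string says "You may configure only a few network zones, hosts or subnets", which can be read as a limit on how many may be configured rather than as an optional restriction; the German string added in de.pl says "optional nur bestimmte". Suggest wording along the lines of "You may optionally restrict this category to specific network zones, hosts or subnets", so that the text matches the commit subject (ACLs are optional).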
diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound
index 7020cd7b6..cc658432a 100644
--- a/src/initscripts/system/unbound
+++ b/src/initscripts/system/unbound
@@ -233,8 +233,11 @@ write_dnsbl_zones() {
 		return 0
 	fi
 
+	# Collect all networks
+	local -A networks=()
+
 	while IFS=$'\t' read -r name zone primary; do
-		while IFS=$',' read -r _zone enabled comment enabled_zones custom_acl rest; do
+		while IFS=$',' read -r _zone enabled comment enabled_zones custom_acls rest; do
 			# Skip if we are looking at the wrong list
 			[ "${zone}" = "${_zone}" ] || continue
 
@@ -246,25 +249,45 @@ write_dnsbl_zones() {
 				return 1
 			fi
 
+			# Nothing more to do if there are no ACLs set
+			if [ -z "${enabled_zones}" -a -z "${custom_acls}" ]; then
+				continue
+			fi
+
 			# Limit to specific zones
 			if [ -n "${enabled_zones}" ]; then
 				IFS='|' read -r -a enabled_zones <<< "${enabled_zones}"
 
-				if ! write_dnsbl_acl "${zone}" "${enabled_zones[@]}"; then
+				if ! add_dnsbl_acl "${zone}" "${enabled_zones[@]}"; then
 					return 1
 				fi
 			fi
 
 			# Add any custom ACL
-			if [ -n "${custom_acl}" ]; then
-				IFS='|' read -r -a custom_acl <<< "${custom_acl}"
+			if [ -n "${custom_acls}" ]; then
+				IFS='|' read -r -a custom_acl <<< "${custom_acls}"
 
-				if ! write_dnsbl_custom_acl "${zone}" "${custom_acl[@]}"; then
-					return 1
-				fi
+				local custom_acl
+				for custom_acl in ${custom_acls[@]}; do
+					networks["${custom_acl}"]+=" ${zone}"
+				done
 			fi
 		done < /var/ipfire/dns/dnsbl
 	done <<< "$(jq -r '.[] | [.name, .zone, .primary] | @tsv' /var/ipfire/dns/dnsbl.json)"
+
+	# Emit all ACLs
+	if [ -n "${networks[*]}" ]; then
+		local network
+
+		echo "# Write the ACL"
+		echo "server:"
+
+		for network in "${!networks[@]}"; do
+			echo "	access-control-tag: ${network} \"${networks[${network}]:1}\""
+		done
+	fi
+
+	return 0
 }
 
 write_custom_zone() {
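Review bot: In the custom ACL branch the array produced by `read -r -a custom_acl <<< "${custom_acls}"` is never read: the loop iterates `${custom_acls[@]}`, which is still the unsplit scalar joined with `|`, so an entry listing more than one custom ACL ends up as a single key such as `a|b` in `networks` and is emitted as one `access-control-tag:` line with that string as the netblock. `local custom_acl` is also declared after the `read` that targets the same name. Suggest reading into a distinctly named array, declaring the loop variable before the read, and iterating the quoted array, for example `for acl in "${acls[@]}"`. The new `[ -z ... -a -z ... ]` test would be more robust written as two tests joined with `&&`.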
@@ -325,18 +348,22 @@ rpz:
 	rpz-log: yes
 	rpz-log-name: ${zone}
 
-	# Tags
-	tags: "${zone}"
-
 EOF
+
+	# If any ACLs are defined, add the tag
+	if [ -n "${enabled_zones}" -o -n "${custom_acls}" ]; then
+		echo "	# Tags"
+		echo "	tags: ${zone}"
+		echo
+	fi
+
+	return 0
 }
 
-write_dnsbl_acl() {
+add_dnsbl_acl() {
 	local tag="${1}"
 	shift
 
-	echo "server:"
-
 	local zone
 	for zone in $@; do
 		case "${zone}" in
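Review bot: The new `if [ -n "${enabled_zones}" -o -n "${custom_acls}" ]` after the heredoc tests variables that are not assigned anywhere in the lines shown for this function; they only carry a value when the `read` loop in write_dnsbl_zones is the caller, so the dependency is implicit. Suggest passing them as arguments or stating the dependency in a comment. The emitted `tags: ${zone}` also lost the quotes that the removed `tags: "${zone}"` had; keep the quoted form unless dropping it is intended. The same implicit coupling applies to add_dnsbl_acl, which now relies on the caller's `networks` array.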
@@ -380,34 +407,9 @@ write_dnsbl_acl() {
 				;;
 		esac
 
-		# Add the ACL tag
-		if [ -n "${network}" ]; then
-			echo "	access-control-tag: ${network} \"${tag}\""
-		fi
-	done
-
-	echo # empty line
-}
-
-write_dnsbl_custom_acl() {
-	local tag="${1}"
-	shift
-
-	# Do nothing if there are no hosts listed
-	if [ $# -eq 0 ]; then
-		return 0
-	fi
-
-	local acl
-
-	echo "server:"
-
-	# List all ACLs
-	for acl in $@; do
-		echo "	access-control-tag: ${acl} \"${tag}\""
+		# Append to the network slot
+		networks["${network}"]+=" ${tag}"
 	done
-
-	echo # empty line
 }
 
 write_dnsbl_conf() {
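Review bot: The new `networks["${network}"]+=" ${tag}"` at the end of the loop dropped the `[ -n "${network}" ]` guard that the removed code had around the emit. If a zone leaves `network` empty, this either trips bash's bad array subscript error or records the tag under an empty key, which would later be emitted as an `access-control-tag:` line without a netblock. Suggest keeping the guard around the append. The same tag can also be appended twice for one network when a zone and a custom ACL resolve to the same netblock, so consider skipping tags already present in the slot.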
@@ -429,6 +431,7 @@ rpz:
 	# Log all matches
 	rpz-log: yes
 	rpz-log-name: custom
+
 EOF
 		fi
 


hooks/post-receive
--
IPFire 2.x development tree

