* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 1d8aa123c62be27eb2022a40d16c1acbb5acb0f4
@ 2026-06-01 10:44 Michael Tremer
From: Michael Tremer @ 2026-06-01 10:44 UTC (permalink / raw)
  To: ipfire-scm

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  1d8aa123c62be27eb2022a40d16c1acbb5acb0f4 (commit)
       via  23b5db334bacc6c3ec9ae55e67e142b4319c074e (commit)
       via  964500b0bb3df815a93f25b8618e8abf2a1f6d66 (commit)
       via  d4c3e2c78eb48c3d01435cb66673bf081edac2e7 (commit)
       via  7c9ed3a4f6910055d58899ddfbb10357180fced1 (commit)
      from  0ab11cbb2954f17f9fd9c02aef7b31a04450598a (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 1d8aa123c62be27eb2022a40d16c1acbb5acb0f4
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Mon Jun 1 11:43:30 2026 +0100

    knot resolver: Respond to queries from source port < 1024
    
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 23b5db334bacc6c3ec9ae55e67e142b4319c074e
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Mon Jun 1 11:39:19 2026 +0100

    knot resolver: Automatically reload the custom RPZ
    
    This is required as the policy loader is unaware of the custom RPZ rules
    in the workers. Therefore they have to reload any configuration changes
    themselves.
    
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 964500b0bb3df815a93f25b8618e8abf2a1f6d66
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Mon Jun 1 11:32:12 2026 +0100

    knot resolver: Remove ruledb-based custom RPZ code
    
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit d4c3e2c78eb48c3d01435cb66673bf081edac2e7
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Mon Jun 1 11:30:36 2026 +0100

    knot resolver: Load custom RPZs using the legacy engine
    
    The new ruledb engine does not support the PASS action which is why we
    will have to load this as a custom action into the workers. The extra
    overhead of this is minimal.
    
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 7c9ed3a4f6910055d58899ddfbb10357180fced1
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Mon Jun 1 10:56:28 2026 +0100

    knot resolver: Load the custom RPZ block list
    
    Fixes: #14000 - kresd: Implement custom block list
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/knot-resolver/config.lua  | 95 ++++++++++++++++++++++++++++++++++++++++
 config/knot-resolver/config.yaml |  6 +++
 2 files changed, 101 insertions(+)

Difference in files:
diff --git a/config/knot-resolver/config.lua b/config/knot-resolver/config.lua
index 8786d8ff0..d563ed7f8 100644
--- a/config/knot-resolver/config.lua
+++ b/config/knot-resolver/config.lua
@@ -21,8 +21,10 @@
 local config = {}
 
 -- Load required Lua modules
+local bit = require("bit")
 local csv = require("csv")
 local ffi = require("ffi")
+local notify = require("cqueues.notify")
 
 -- Get access to the C interface
 local C = ffi.C
@@ -48,6 +50,37 @@ function config.load_settings(path)
 	return settings
 end
 
+--- Helper function which will call a function if a given file has been changed
+local function call_on_change(paths, callback)
+	for i, path in ipairs(paths) do
+		-- Split the path into parent directory and filename
+		local dir, file = string.match(path, "(.*)/([^/]+)")
+
+		-- If we could not split the path (e.g. because it doesn't contain a /)
+		-- we will assume the file is in the current working directory
+		if not dir and not file then
+			dir = "."
+			file = path
+		end
+
+		-- Create a new watcher for the directory
+		local watcher = notify.opendir(dir)
+
+		-- Wake up when the file has changed
+		watcher:add(file, bit.bxor(notify.CREATE, notify.MODIFY))
+
+		-- Register a function that will call the callback on any changes
+		worker.coroutine(function()
+			for _, name in watcher:changes() do
+				callback()
+			end
+		end)
+	end
+
+	-- Call the callback immediately to initialize the configuration
+	callback()
+end
+
 local function netmask_to_prefix(netmask)
 	-- Return nil on empty input
 	if not netmask then
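Review bot: `bit.bxor(notify.CREATE, notify.MODIFY)` on the `watcher:add` line combines event flags with exclusive-or, which only yields the intended mask because the two flags happen to share no bits; `bit.bor(notify.CREATE, notify.MODIFY)` is the operator that says what is meant. The `callback()` call inside the `worker.coroutine` loop is also unprotected: an error raised by the callback (for example on a malformed line of the watched file) unwinds the coroutine, the loop over `watcher:changes()` never resumes, and later edits are silently ignored until the process restarts. Wrapping it as `local ok, err = pcall(callback)` followed by `if not ok then print(err) end` (or the log helper this config already uses elsewhere) keeps the watcher alive across a bad reload. The unused loop index `i` in `for i, path in ipairs(paths)` should be `_`.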
@@ -489,4 +522,66 @@ function config.load_rpzs()
 	end
 end
 
+local __policy_pass = {}
+local __policy_deny = {}
+
+function config.load_rpz_workaround()
+	call_on_change({ "/var/ipfire/dns/custom_domains" }, function()
+		local names_pass = {}
+		local names_deny = {}
+
+		-- Clear any previous rules
+		if __policy_pass then
+			policy.del(__policy_pass.id)
+			__policy_pass = {}
+		end
+
+		if __policy_deny then
+			policy.del(__policy_deny.id)
+			__policy_deny = {}
+		end
+
+		local f = csv.open("/var/ipfire/dns/custom_domains", { separator = "," })
+		if f then
+			-- Append all entries
+			for fields in f:lines() do
+				local name, status = unpack(fields)
+
+				if status == "allowed" then
+					table.insert(names_pass, name)
+				elseif status == "blocked" then
+					table.insert(names_deny, name)
+				end
+			end
+
+			-- Add allowed names
+			if names_pass then
+				__policy_pass = policy.add(
+					policy.suffix(
+						policy.PASS,
+						policy.todnames(names_pass)
+					)
+				)
+			end
+
+			-- Add denied names
+			if names_deny then
+				__policy_deny = policy.add(
+					policy.suffix(
+						policy.DENY,
+						policy.todnames(names_deny)
+					)
+				)
+			end
+		end
+	end)
+end
+
+-- Clients should actually only send queries from port >= 1024, but
+-- there seem to be too many broken implementations out there that
+-- we have to relax this limit.
+function config.reset_min_udp_source_port()
+	C.the_network.min_udp_source_port = 0
+end
+
 return config
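Review bot: The guards `if __policy_pass then` and `if names_pass then` (and their deny counterparts) are always true, because a Lua table is truthy even when empty; so the very first reload calls `policy.del(nil)` and an empty allow or deny list still installs a suffix rule built from `policy.todnames({})`. Test the contents instead: `if __policy_pass.id then` before each `policy.del`, and `if #names_pass > 0 then` (likewise `#names_deny`) before each `policy.add`. The csv handle `f` is never closed after the `f:lines()` loop; since this callback runs on every change of the file, an explicit `f:close()` after the loop avoids leaving descriptors open until the next GC cycle (assuming the csv module's iterator does not close on exhaustion, which I could not confirm from here). For `reset_min_udp_source_port`, the comment says clients are broken but not why kresd enforces the limit in the first place; as far as I recall the default of 1024 exists so the resolver does not answer UDP queries whose source port is a privileged service port, so a sentence such as `-- Relaxing this removes kresd's protection against answering privileged source ports; the listener must stay limited to trusted networks` records the trade-off for the next reader.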
diff --git a/config/knot-resolver/config.yaml b/config/knot-resolver/config.yaml
index 1cee0df1e..7a2dd29fb 100644
--- a/config/knot-resolver/config.yaml
+++ b/config/knot-resolver/config.yaml
@@ -42,12 +42,18 @@ lua:
     -- Load config helpers
     local config = require("config")
 
+    -- Reset the minimum UDP source port
+    config.reset_min_udp_source_port()
+
     -- Load the settings
     local settings = config.load_settings("/var/ipfire/dns/settings")
 
     -- Load DHCP Leases Lookup
     config.load_leases()
 
+    -- Load custom RPZ allowlist workaround
+    config.load_rpz_workaround()
+
     -- Load Forwarders
     config.load_forwarders(settings)
 
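Review bot: The comment `-- Load custom RPZ allowlist workaround` above `config.load_rpz_workaround()` understates what the call does, since that function installs both PASS and DENY rules from the custom domain list; `-- Load the custom RPZ (allowed and blocked names) via the legacy policy engine` describes it. The enclosing `lua:` block continues outside the hunk, so I could not check whether anything later in it assumes the custom rules are already present.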


hooks/post-receive
--
IPFire 2.x development tree

