I created a test version of a RPZ add-on and I am looking for feedback

This is the update for that section:

    bad_lines=$( sed --regexp-extended  \
        '/^(\*\.)?([a-zA-Z0-9](([a-zA-Z0-9\-]){0,61}[a-zA-Z0-9])?\.)+([a-zA-Z]{2,}|xn--[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])$/d ;
         /^(\*\.)([a-z]{2,61}|xn--[a-z0-9]{1,60})$/d ;
         /^$/d ; /^;/d' "${theList}" )

The second line was missing. It looks for wildcard top level domains like *.zip

Thank you for posting the screenshot! That helped BIG TIME!

Thank you for spotting what I dropped (oops!). Nice find!


I’ll do some more testing and then build up a new version!


EDIT:
@gw-ipfire / @mumpitz - can you test the change above and let us know if it works?

2 Likes

Sorry to be such a klutz again, but what do I have to do? Reinstall the add-on?
I tried replacing the passage, but that alone didn’t solve anything.

I did the replacement. It works.

Can you try
    /usr/sbin/rpz-make allowblock --no-reload
from a shell?

This is the problematic part, as far as I experienced.
Explicitly said, the save button stores the values (the *.domain part also) and calls rpz-make to generate the config for unbound. The validity check herein is faulty without the correction.

    unbound: info: rpz: make config file "00-rpz.conf"
    unbound: info: rpz: create zonefile for "allowlist"
    unbound: error: rpz: invalid line(s) in /var/ipfire/dns/rpz/blocklist.
    bad line(s): *.cisco.com

this is the answer from the shell

No worries.

No, a reinstall is not needed.

so you went to /usr/sbin/rpz-make and changed the old:

to the new in your post?


can you do a:

    grep -A4 "bad_lines=" /usr/sbin/rpz-make

and post the results?

1 Like

Bernhard, did this not work for you? What was problematic?

    ]# grep -A4 "bad_lines=" /usr/sbin/rpz-make
    bad_lines=$( sed --regexp-extended
    '/^(a-zA-Z0-9?.)+([a-zA-Z]{2,}|xn--[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])$/d ;
    /^(*.)([a-z]{2,61}|xn--[a-z0-9]{1,60})$/d ;
    /^$/d ; /^;/d' "${theList}" )


    #bad_lines=$( echo "${bad_lines}" | tr -s '\r\n' ' ' )
    printf "%s\n" "bad line(s): ${bad_lines}"
    exit 110
    fi
    }

also the video evidence :smiley:

this is the old code. something did not save properly.

How did you make the change? With nano or vi or something else?

1 Like

Oops, my fault. I always use nano; with vi I don't even know how to exit it and used to use ctrl+alt+f2
to continue :smiley:

The fact that I always had two files open at the same time was a bit confusing, but no wonder if you copy/paste

/usr/sbin/rpz-make program

and add it after nano :smiley:

it works now again, thanks!

    #/usr/sbin/rpz-make allowblock --no-reload
    unbound: info: rpz: make config file "00-rpz.conf"
    unbound: info: rpz: create zonefile for "allowlist"
    unbound: info: rpz: make config file "block.rpz.conf"
    unbound: info: rpz: create zonefile for "blocklist"

2 Likes

I meant the bad_lines code line as problematic. :wink:
It (the old line) does a different validation than rpz.cgi.

1 Like

22 posts were split to a new topic: Add-on backup issue relate to WebGUI backup/restore

A big bug fix!

rpz-beta-0.1.17-17.ipfire on 2024-12-09
rpz-make:

  • bug: corrected validation regex for wildcards like: *.domain.com
  • bug: remove old unneeded code

rpz-beta-0.1.17-17.ipfire.tar (40 KB)

5 Likes

update ran without errors and seems to be working

1 Like

Source reviewed and acknowledged. :wink:

1 Like

Hi,
I have installed rpz-beta-0.1.17-17.ipfire.
"bug: corrected validation regex for wildcards like: *.domain.com"
works fine.
Is it possible to make a regex for wildcards like: * * ?

1 Like

There is no regex with the RPZ lists.

There is a single domain like:

example.com

or all of example.com subdomains like:

*.example.com

The above *.example.com would include:

www.example.com
wiki.example.com
blog.example.com

etc.

Those are the only two example items I’ve seen in the RPZ standard.

* * is no domain name. So it can’t be used in the allow or block list.

EDIT:
BTW, what should be the meaning of '* *'?
Wild card '*' matches for example 'happy Xmas'.

1 Like
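As an added example that is not part of this thread or of the rpz add-on itself, the script below applies the corrected `bad_lines` sed expression from the first post to a constructed list and prints what the check rejects. It covers the plain domain, `*.domain` and `*.tld` forms explained above, plus entries such as `* *` that are not domain names and therefore fail validation; the function name and the sample list are assumptions.

```shell
#!/bin/sh
# Added example: run the corrected rpz-make validation over a constructed list.
# rpz_bad_lines prints every line that is NOT accepted: accepted lines are a
# plain domain, a *.domain wildcard, a wildcard TLD such as *.zip, an empty
# line, or a ';' comment. The sed expression is the corrected one from the
# thread; -E is the portable spelling of --regexp-extended.
rpz_bad_lines() {
    sed -E \
        '/^(\*\.)?([a-zA-Z0-9](([a-zA-Z0-9\-]){0,61}[a-zA-Z0-9])?\.)+([a-zA-Z]{2,}|xn--[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])$/d ;
         /^(\*\.)([a-z]{2,61}|xn--[a-z0-9]{1,60})$/d ;
         /^$/d ; /^;/d' "$1"
}

# Constructed sample list (assumption: entries as a user might save them from
# the WebGUI). Accepted: comment, example.com, *.example.com, *.cisco.com,
# *.zip, the IDN label and the blank line. Rejected: '* *', a label starting
# with '-', and a bare label with no TLD.
list=$(mktemp)
cat > "$list" <<'EOF'
; comment line
example.com
*.example.com
*.cisco.com
*.zip
xn--bcher-kva.example

* *
-bad.example.com
example
EOF

bad=$(rpz_bad_lines "$list")
rm -f "$list"
printf 'bad line(s):\n%s\n' "$bad"
```

Running it prints only the three rejected entries, which is the same output path rpz-make reports as "bad line(s):" before exiting.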

I am struggling to install it.
For now I have placed the uncompressed files here:

    /opt/pakfire/tmp/rpz-beta-0.1.17-17.ipfire/

I have copied ROOTFILES and renamed them

    cp ROOTFILES /opt/pakfire/db/rootfiles/rpz

I am in the new folder:

    [root@ipfire rpz-beta-0.1.17-17.ipfire]# ls -l
    total 20
    drwxr-xr-x 6 root root 4096 Dec 19 09:57 files
    -rw-r--r-- 1 root root 1873 Dec  9 22:32 install.sh
    -rw-r--r-- 1 root root  555 Dec  9 22:32 ROOTFILES
    -rw-r--r-- 1 root root 2024 Dec  9 22:32 uninstall.sh
    -rw-r--r-- 1 root root 2268 Dec  9 22:32 update.sh

but if I try to execute ./install.sh:

    [root@ipfire rpz-beta-0.1.17-17.ipfire]# NAME=rpz ./install.sh
    -bash: ./install.sh: Permission denied

    [root@ipfire rpz-beta-0.1.17-17.ipfire]# sudo NAME=rpz ./install.sh
    sudo: ./install.sh: command not found

Any hints?

LE: Had to set the -X flag on the file

Something must have gone wrong in uncompressing and/or moving the files.
I just downloaded and the file permissions are set right.

I had to change the name from newFile (in that example), so… I don’t know what I did wrong.

It doesn’t show up in the IPFIRE menu like here:

1 Like