From: Michael Tremer
Date: Mon, 1 Jun 2026 10:30:36 +0000 (+0100)
Subject: knot resolver: Load custom RPZs using the legacy engine
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d4c3e2c78eb48c3d01435cb66673bf081edac2e7;p=ipfire-2.x.git

knot resolver: Load custom RPZs using the legacy engine

The new ruledb engine does not support the PASS action which is why we will have to load this as a custom action into the workers. The extra overhead of this is minimal.

Signed-off-by: Michael Tremer
---
diff --git a/config/knot-resolver/config.lua b/config/knot-resolver/config.lua
index 39c483321..31f97c073 100644
--- a/config/knot-resolver/config.lua
+++ b/config/knot-resolver/config.lua
@@ -559,4 +559,58 @@ function config.load_rpzs()
 end
 end
 
+local __policy_pass = {}
+local __policy_deny = {}
+
+function config.load_rpz_workaround()
+ local names_pass = {}
+ local names_deny = {}
+
+ -- Clear any previous rules
+ if __policy_pass then
+ policy.del(__policy_pass.id)
+ __policy_pass = {}
+ end
+
+ if __policy_deny then
+ policy.del(__policy_deny.id)
+ __policy_deny = {}
+ end
+
+ local f = csv.open("/var/ipfire/dns/custom_domains", { separator = "," })
+ if f then
+ -- Append all entries
+ for fields in f:lines() do
+ local name, status = unpack(fields)
+ local redirect
+
+ if status == "allowed" then
+ table.insert(names_pass, name)
+ elseif status == "blocked" then
+ table.insert(names_deny, name)
+ end
+ end
+
+ -- Add allowed names
+ if names_pass then
+ __policy_pass = policy.add(
+ policy.suffix(
+ policy.PASS,
+ policy.todnames(names_pass)
+ )
+ )
+ end
+
+ -- Add denied names
+ if names_deny then
+ __policy_deny = policy.add(
+ policy.suffix(
+ policy.DENY,
+ policy.todnames(names_deny)
+ )
+ )
+ end
+ end
+end
+
 return config
diff --git a/config/knot-resolver/config.yaml b/config/knot-resolver/config.yaml
index 1cee0df1e..989319ceb 100644
--- a/config/knot-resolver/config.yaml
+++ b/config/knot-resolver/config.yaml
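Review bot: The guards `if __policy_pass then` / `if __policy_deny then` and `if names_pass then` / `if names_deny then` in load_rpz_workaround are always true, because an empty table is truthy in Lua, so the very first call hands `nil` to `policy.del()` and an empty name list still installs a PASS or DENY suffix rule carrying no names; whether `policy.del(nil)` is tolerated by the resolver I cannot tell from here, but the guards do not express what the comments say. Test the contents instead, `if __policy_pass.id then` and `if #names_pass > 0 then`, with the same change for the deny counterparts. `local redirect` is never used and can be dropped. The object returned by `csv.open()` is never closed after the loop; if it offers a close method (presumably `f:close()`) it should be called once the lines are consumed, otherwise the descriptor lingers until garbage collection. A short comment above `policy.suffix(policy.PASS, ...)` noting that an "allowed" entry exempts the name and every subdomain beneath it from all RPZ blocking would help, since that is the security effect an operator editing custom_domains needs to understand.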
@@ -48,6 +48,9 @@ lua:
 -- Load DHCP Leases Lookup
 config.load_leases()
 
+ -- Load custom RPZ allowlist workaround
+ config.load_rpz_workaround()
+
 -- Load Forwarders
 config.load_forwarders(settings)