unbound: merge extended blocklists into core (https://github.com/opnsense/core/issues/9136) #9301
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
fichtner
reviewed
Oct 21, 2025
src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dnsbl.xml
Outdated
Show resolved
Hide resolved
|
One thing to note here is that with many blocklists, the matching algorithm has quite a performance penalty due to the subnet coverage calculation. This doesn't necessarily have to be a problem, as it's properly locked and is only for pre-processing, but it's slower than before. |
0e8b7b5 to
db13acb
Compare
|
Just to ease review a bit, the data path is as follows:
|
AdSchellevis
added a commit
that referenced
this pull request
Oct 25, 2025
part 1: simplify blocklist handling.
Introduce blocklists_iter() in BaseBlocklistHandler class which yields domain information per policy, which can then be reordered easily using the calculated priorities using source_nets in get_policies().
To prevent people from using overlapping nets or different protocol families in the same policy, we validate the input. Overlapping nets will lead to possible race conditions while matching as we cannot assume the first match found is actually the relevant one anymore.
Our output data should match the expected format below:
```
{
"data": {
"<domain>": [
{"idx": <index into the first logical policy it should check},
{"idx": ...}
...
],
},
"config": {
"<idx>": {
"passlist": <compiled passlist>,
"source_nets": [
"192.168.1.0/24",
...
]
...
}
}
}
```
This part only concers the parser with backwards compatibility (to keep QFeeds functional during the process)
In the blocklist.conf template we changed the sequence index to use UUID's, which basically does the same thing as the index number, but is slightly better to track (used in the dnsbl.json output file as well).
AdSchellevis
added a commit
that referenced
this pull request
Oct 26, 2025
part 1: simplify blocklist handling.
Introduce blocklists_iter() in BaseBlocklistHandler class which yields domain information per policy, which can then be reordered easily using the calculated priorities using source_nets in get_policies().
To prevent people from using overlapping nets or different protocol families in the same policy, we validate the input. Overlapping nets will lead to possible race conditions while matching as we cannot assume the first match found is actually the relevant one anymore.
Our output data should match the expected format below:
```
{
"data": {
"<domain>": [
{"idx": <index into the first logical policy it should check},
{"idx": ...}
...
],
},
"config": {
"<idx>": {
"passlist": <compiled passlist>,
"source_nets": [
"192.168.1.0/24",
...
]
...
}
}
}
```
This part only concers the parser with backwards compatibility (to keep QFeeds functional during the process)
In the blocklist.conf template we changed the sequence index to use UUID's, which basically does the same thing as the index number, but is slightly better to track (used in the dnsbl.json output file as well).
12582c4 to
93f754e
Compare
AdSchellevis
added a commit
that referenced
this pull request
Oct 26, 2025
Reorganize some parts so we can split this up more easily into separate components and fix one minor passlist regex issue.
AdSchellevis
added a commit
that referenced
this pull request
Oct 26, 2025
Setup new unbound-dnsbl module which should replace dnsbl_module.py and tester (work in progress). In its current state this should contain all relevant classes and functions currently used in dnsbl_module.py with rudimentary unit tests.
AdSchellevis
added a commit
that referenced
this pull request
Oct 27, 2025
move dnsbl_module into unbound-dnsbl directory and use library functions.
AdSchellevis
added a commit
that referenced
this pull request
Oct 27, 2025
move dnsbl_module into unbound-dnsbl directory and use library functions.
12665a3 to
6c2f240
Compare
AdSchellevis
added a commit
that referenced
this pull request
Oct 27, 2025
As getNodeContent() returns descriptive values as well (starting with %), there is no guarantee $bl->$key exists in the migration, check before calling applyDefault()
AdSchellevis
added a commit
that referenced
this pull request
Oct 27, 2025
fix some scoping issues when dnsbl_module is used from unbound.
AdSchellevis
added a commit
that referenced
this pull request
Oct 27, 2025
use /usr/local/opnsense/scripts/unbound-dnsbl/dnsbl_match.py for the tester.
…bnet coverage calculation
…ks in dynamic tooltips
part 1: simplify blocklist handling.
Introduce blocklists_iter() in BaseBlocklistHandler class which yields domain information per policy, which can then be reordered easily using the calculated priorities using source_nets in get_policies().
To prevent people from using overlapping nets or different protocol families in the same policy, we validate the input. Overlapping nets will lead to possible race conditions while matching as we cannot assume the first match found is actually the relevant one anymore.
Our output data should match the expected format below:
```
{
"data": {
"<domain>": [
{"idx": <index into the first logical policy it should check},
{"idx": ...}
...
],
},
"config": {
"<idx>": {
"passlist": <compiled passlist>,
"source_nets": [
"192.168.1.0/24",
...
]
...
}
}
}
```
This part only concers the parser with backwards compatibility (to keep QFeeds functional during the process)
In the blocklist.conf template we changed the sequence index to use UUID's, which basically does the same thing as the index number, but is slightly better to track (used in the dnsbl.json output file as well).
Reorganize some parts so we can split this up more easily into separate components and fix one minor passlist regex issue.
Setup new unbound-dnsbl module which should replace dnsbl_module.py and tester (work in progress). In its current state this should contain all relevant classes and functions currently used in dnsbl_module.py with rudimentary unit tests.
move dnsbl_module into unbound-dnsbl directory and use library functions.
As getNodeContent() returns descriptive values as well (starting with %), there is no guarantee $bl->$key exists in the migration, check before calling applyDefault()
fix some scoping issues when dnsbl_module is used from unbound.
use /usr/local/opnsense/scripts/unbound-dnsbl/dnsbl_match.py for the tester.
98a6670 to
a9114f0
Compare
|
My changes are in, but can use an extra pair of eyes on the current state. |
fichtner
reviewed
Oct 28, 2025
| foreach ($dirs as $dir) { | ||
| mwexecf('/bin/mkdir -p %s', "/var/unbound{$dir}"); | ||
| } | ||
| /* deploy python module (without test suite) */ |
There was a problem hiding this comment.
Suggested change
| /* deploy python module (without test suite) */ | |
| /* deploy python module (without test suite) */ |
fichtner
reviewed
Oct 28, 2025
| ); | ||
| if (count($sizes) > 1) { | ||
| $messages->appendMessage(new Message( | ||
| gettext("All offered networks should be equally sized to avoid overlaps"), |
There was a problem hiding this comment.
Suggested change
| gettext("All offered networks should be equally sized to avoid overlaps"), | |
| gettext('All offered networks should be equally sized to avoid overlaps.'), |
Mostly about missing dot in sentence.
fichtner
reviewed
Oct 28, 2025
| } | ||
| if (count($ipproto) > 1) { | ||
| $messages->appendMessage(new Message( | ||
| gettext("All offered networks should use the same IP protocol"), |
There was a problem hiding this comment.
Suggested change
| gettext("All offered networks should use the same IP protocol"), | |
| gettext('All offered networks should use the same IP protocol.'), |
|
Apart from the extra review, points of interest here are:
|
fichtner
reviewed
Oct 28, 2025
| foreach (new RecursiveIteratorIterator(new RecursiveDirectoryIterator($basedir)) as $filename) { | ||
| $target = "/var/unbound/unbound-dnsbl/".substr($filename, strlen($basedir)); | ||
| if (str_ends_with($filename, '.py') && is_dir(dirname($target))) { | ||
| @copy($filename, $target); |
There was a problem hiding this comment.
I don't think we're making sure to clean /var/unbound/unbound-dnsbl so our future selves will be happy?
fichtner
approved these changes
Oct 28, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
TODO:
post()usage to clean up config.