Conversation


@swhite2 swhite2 commented Oct 20, 2025

TODO:

  • Discuss migration strategy, including post() usage to clean up config.
  • Improve domain tester policy matching for better traceability.

@swhite2 swhite2 self-assigned this Oct 20, 2025

@fichtner fichtner left a comment

looks good on the surface


swhite2 commented Oct 21, 2025

One thing to note here is that with many blocklists, the matching algorithm has quite a performance penalty due to the subnet coverage calculation. This doesn't necessarily have to be a problem, as it's properly locked and is only for pre-processing, but it's slower than before.


swhite2 commented Oct 23, 2025

Just to ease review a bit, the data path is as follows:

  • Input:

```
[blocklist:1]
description=default
rcode=NOERROR
address=0.0.0.0
source_nets=
cache_ttl=72000
excludes.default=.*localhost$
excludes.patterns=
includes.patterns=
includes.wildcards=

[blocklist:2]
description=<second>
rcode=NOERROR
address=0.0.0.0
source_nets=192.168.2.0/24,192.168.1.0/24
cache_ttl=72000
blocklists.<shortcode>=<URL>              <-- only exists if one or more types set
blocklists.custom<loop.index>=<URL>       <-- only exists if one or more lists set
excludes.default=.*localhost$
excludes.patterns=
includes.patterns=
includes.wildcards=
```

  • Output is a single JSON file with the following structure:

```
{
  "data": {
    "<domain>": [
      {"idx": <index into the first logical policy it should check>},
      {"idx": ...},
      ...
    ]
  },
  "config": {
    "<idx>": {
      "passlist": <compiled passlist>,
      "source_nets": [
        "192.168.1.0/24",
        ...
      ],
      ...
    }
  }
}
```
  • There may be multiple policies associated with a single domain, as source nets can differ, as well as the allowlist (passlist here) regex.
  • Config output is used directly in dnsbl_module.py and is returned when queried in test mode.
  • To keep the resulting output small, the indices are simple integers - we assume other blocklist handlers may be injected, therefore the index must be managed by the BlocklistParser class.
    • We first merge all configurations, separated by index.
    • The handlers return their blocklists, which is an array of dictionaries, all of which may contain domains that overlap in the final blocklist.
    • _merge_items_with_config merges the blocklists together and decides in what order the policies are attached to the domains -> more specific subnets have priority, and in that set the bigger passlists also have priority.
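The ordering rule described in the comment (more specific source subnets first, then the bigger passlist) is easiest to check with a small runnable model. The block below is an added example, not code from this PR or from the OPNsense project: it builds the `data`/`config` structure from constructed handler output, orders the policy indices per domain, and shows how a consumer could walk that list at query time. The dict shapes, the `POLICIES`/`HANDLER_OUTPUT` sample data, the choice to approximate "bigger passlist" by pattern length, and the query-time semantics in `lookup` are all assumptions of this example.

```python
import ipaddress
import json
import re

# Constructed sample policies, modelled on the [blocklist:N] sections quoted in
# the PR comment. The dict shape is an assumption of this example, not the
# project's own config format.
POLICIES = {
    1: {"source_nets": [], "passlist": r".*localhost$"},
    2: {"source_nets": ["192.168.2.0/24", "192.168.1.0/24"],
        "passlist": r".*localhost$|.*\.example\.com$"},
    3: {"source_nets": ["192.168.1.128/25"], "passlist": r".*localhost$"},
}

# Constructed stand-in for what blocklist handlers return: one dict per handler,
# mapping each blocked domain to the policy index it was loaded for. The same
# domain deliberately appears under several policies.
HANDLER_OUTPUT = [
    {"ads.example.net": 1, "tracker.example.org": 1, "cdn.example.com": 1},
    {"ads.example.net": 2, "tracker.example.org": 2, "cdn.example.com": 2},
    {"ads.example.net": 3},
]


def _specificity(source_nets):
    """Longest prefix among a policy's source nets. An empty list means the
    policy applies to every client, so it ranks as least specific."""
    if not source_nets:
        return -1
    return max(ipaddress.ip_network(n, strict=False).prefixlen for n in source_nets)


def _policy_rank(idx, policies):
    """Sort key: more specific subnets first, then the bigger passlist
    (approximated by pattern length; an assumption of this example)."""
    cfg = policies[idx]
    return (-_specificity(cfg["source_nets"]), -len(cfg["passlist"]))


def merge_items_with_config(handler_output, policies):
    """Produce the {"data": ..., "config": ...} layout from the comment, with each
    domain's policy list ordered so the first entry is the one to check first."""
    per_domain = {}
    for blocklist in handler_output:
        for domain, idx in blocklist.items():
            per_domain.setdefault(domain, set()).add(idx)
    data = {
        domain: [{"idx": i} for i in sorted(idxs, key=lambda i: _policy_rank(i, policies))]
        for domain, idxs in per_domain.items()
    }
    # Passlists are kept as raw patterns here; the real output stores a compiled form.
    config = {
        str(idx): {"passlist": cfg["passlist"], "source_nets": list(cfg["source_nets"])}
        for idx, cfg in policies.items()
    }
    return {"data": data, "config": config}


def lookup(merged, domain, client_ip):
    """Walk a domain's ordered policy list at query time (assumed semantics): the
    first policy whose source_nets cover the client (empty list = everyone)
    decides. Returns the blocking policy index, or None when the domain is not
    listed or the deciding policy's passlist allows it."""
    client = ipaddress.ip_address(client_ip)
    for entry in merged["data"].get(domain, []):
        cfg = merged["config"][str(entry["idx"])]
        nets = [ipaddress.ip_network(n, strict=False) for n in cfg["source_nets"]]
        if nets and not any(client in n for n in nets):
            continue
        if re.match(cfg["passlist"], domain):
            return None
        return entry["idx"]
    return None


if __name__ == "__main__":
    merged = merge_items_with_config(HANDLER_OUTPUT, POLICIES)
    print(json.dumps(merged, indent=2))
    for dom, ip in [("ads.example.net", "192.168.1.200"),
                    ("cdn.example.com", "192.168.1.5"),
                    ("cdn.example.com", "10.0.0.1")]:
        print(dom, ip, "->", lookup(merged, dom, ip))
```

Running it shows why one domain can carry several `idx` entries: `cdn.example.com` is allowed for a client in 192.168.1.0/24 (policy 2's passlist matches) but blocked for a client outside any listed subnet (policy 1 applies to everyone and its passlist does not match). Note that `_specificity` reparses every network on each call; for a large number of policies this is the kind of per-entry subnet work the earlier comment flags as a pre-processing cost, so a real implementation would cache the parsed networks.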
