Configure Getopt::Long with better options

Fix some postfix 'if' statements too.

.gitmodules

@@ -1,15 +1,10 @@
-[submodule "repos/StevenBlack-hosts"]
+[submodule "StevenBlack-hosts"]
 	path = repos/StevenBlack-hosts
 	url = https://github.com/StevenBlack/hosts.git
 	branch = master
 	shallow = true
-[submodule "repos/EnergizedProtection-block"]
-	path = repos/EnergizedProtection-block
-	url = https://github.com/EnergizedProtection/block.git
-	branch = master
-	shallow = true
-[submodule "repos/AdroitAdorKhan-EnergizedProtection"]
-	path = repos/AdroitAdorKhan-EnergizedProtection
+[submodule "AdroitAdorKhan-EnergizedProtection"]
+	path = repos-noupdates/AdroitAdorKhan-EnergizedProtection
 	url = https://github.com/AdroitAdorKhan/EnergizedProtection.git
 	branch = master
 	shallow = true

CHANGELOG.md

@@ -0,0 +1,30 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## [0.2.0] - 2023-06-19
+
+### Added
+- dnsmasq: Add 'bogus-priv', 'domain-needed' options
+- dnsmasq: Add IPv6 upstream DNS servers
+- Add support for allowlists
+
+### Changed
+- Use `::` instead of `::1` as the blocked IPv6 address
+- Strip `#` comments, whitespace from \*.domains
+
+### Fixed
+- Prevent AdroitAdorKhan-EnergizedProtection updates (current repo has a broken
+  list)
+- Fix `block.list` permissions on first generation.
+
+### Removed
+- Removed in-repo custom ad domains list
+
+## [0.1.0] - 2022-11-12
+Initial published version

allowlists/.gitignore

@@ -0,0 +1,6 @@
+# Ignore everything in this directory
+*
+# Except this file
+!.gitignore
+# ... And some others
+!/allowlist.domains.example

allowlists/allowlist.domains.example

@@ -0,0 +1,8 @@
+# Omit these domains from the blocklist.
+#
+# Must be in a file called *.domains in this directory.
+# Comments are allowed. One domain per line.
+#
+# Examples:
+# domain1.example.com
+# domain2.example.com

dnsmasq.d/01-you-dont-need-pihole.conf

@@ -11,21 +11,27 @@
 # You may NOT use this software for commercial purposes.
 ###############################################################################
 
-# Do not load /etc/hosts as a dataset for replies. (By default dnsmasq performs
-# an implicit "addn-hosts=/etc/hosts"; this prevents it.)
-no-hosts
-
 # Add our block lists
 addn-hosts=/etc/you-dont-need-pihole/local.list
 addn-hosts=/etc/you-dont-need-pihole/custom.list
 addn-hosts=/etc/you-dont-need-pihole/block.list
 
-# Return answers to DNS queries from /etc/hosts.
-#localise-queries
+# Never forward addresses in the non-routed address spaces.
+bogus-priv
 
 # In-memory cache size.
 cache-size=10000
 
+# Never forward plain names (without a dot or domain part)
+domain-needed
+
+# Do not load /etc/hosts as a dataset for replies. (By default dnsmasq performs
+# an implicit "addn-hosts=/etc/hosts"; this prevents it.)
+no-hosts
+
+# Return answers to DNS queries from /etc/hosts.
+#localise-queries
+
 # Don't log queries - only startup/shutdown messages. (Un-comment this option
 # for debugging.)
 #log-queries
@@ -44,5 +50,7 @@ no-resolv
 
 # For non-blocked DNS queries, telephone the request thru Google's global DNS
 # server.
+server=2001:4860:4860::8888
+server=2001:4860:4860::8844
 server=8.8.8.8
 server=8.8.4.4

lists/.gitignore

@@ -3,5 +3,5 @@
 # Except this file
 !.gitignore
 # ... And some others
+!/*.example
 !/AdroitAdorKhan-core.hosts
-!/custom-ad-domains.domains

lists/AdroitAdorKhan-core.hosts

@@ -1 +1 @@
-../repos/AdroitAdorKhan-EnergizedProtection/core/hosts
+../repos-noupdates/AdroitAdorKhan-EnergizedProtection/core/hosts

lists/custom-ad-domains.domains

@@ -1,12 +0,0 @@
-1.nbryb.com
-100.nbryb.com
-50.nbryb.com
-anawkward.com
-cpa-optimizer.best
-mob-track.com
-notorietycheerypositively.com
-play.nbryb.com
-roastclap.com
-syndication.realsrv.com
-tripsbooth.com
-www.myemailtracking.com

lists/custom-ad-domains.domains.example

@@ -0,0 +1,8 @@
+# Add these custom domains for the blocklist.
+#
+# Must be in a file called *.domains in this directory.
+# Comments are allowed. One domain per line.
+#
+# Examples:
+# domain1.example.com
+# domain2.example.com

make-block.pl

@@ -1,5 +1,4 @@
 #!/usr/bin/perl
-# vi: et sts=4 sw=4 ts=4
 
 ###############################################################################
 # You Don't Need Pi-hole
@@ -14,41 +13,30 @@
 # You may NOT use this software for commercial purposes.
 ###############################################################################
 
-use strict;
+use 5.012;
 use warnings;
 
-use Getopt::Long qw/ GetOptions :config no_ignore_case /;
+use Getopt::Long qw/ GetOptions :config bundling no_getopt_compat no_ignore_case /;
 use FindBin qw//;
 
 my %domains;
 my $dupes = 0;
 my $skip = 0;
+my $removed_allowed = 0;
 sub add_domain_list {
     my $file = shift;
-
-    open my $fni, '<', $file
-        or die "Failed to open file $file for reading: $!";
-
-    foreach my $line (<$fni>) {
-        chomp $line;
-        $line =~ s/^\s+|\s+$//;
+    foreach my $line (read_stripped($file)) {
         my $domain = lc $line;
-        ++$dupes if defined $domains{$domain};
+        if (defined $domains{$domain}) {
+            ++$dupes;
+        }
         $domains{$domain} = 1;
     }
 }
 
 sub add_host_file {
     my $file = shift;
-
-    open my $fni, '<', $file
-        or die "Failed to open file $file for reading: $!";
-
-    foreach my $line (<$fni>) {
-        chomp $line;
-        # strip whitespace and comments
-        $line =~ s/^\s+|\s+$|\s*#.*$//;
-        next unless $line;
+    foreach my $line (read_stripped($file)) {
         my @parts = split /\s+/, $line;
         die "Malformed line in $file: $line; @parts"
             unless @parts > 1;
@@ -61,35 +49,60 @@ sub add_host_file {
             next;
         }
         my $domain = lc $parts[1];
-        ++$dupes if defined $domains{$domain};
+        if (defined $domains{$domain}) {
+            ++$dupes;
+        }
         $domains{$domain} = 1;
     }
 }
 
+sub read_stripped {
+    my $file = shift;
+
+    open my $fni, '<', $file
+        or die "Failed to open file $file for reading: $!";
+
+    map {
+        chomp;
+        # Strip whitespace and comments
+        s/^\s+|\s+$|\s*#.*$//;
+        $_ || ()
+    } <$fni>;
+}
+
 MAIN: {
     my $out;
-    my $block_ip = '0.0.0.0 ::1';
+    my $block_ip = '0.0.0.0 ::';
     my $workdir = $FindBin::RealBin;
 
-    unless (&GetOptions(
-        'out=s' => \$out,
-        'O=s' => \$out,
-        'i=s' => \$block_ip,
-        'block-ip=s' => \$block_ip,
+    unless (GetOptions(
+        'out|O=s' => \$out,
+        'block-ip|i=s' => \$block_ip,
     )) {
         exit 2;
     }
 
     my @domain_lists = glob "$workdir/lists/*.domains";
     my @hosts_lists = glob "$workdir/lists/*.hosts";
+    my @allow_lists = glob "$workdir/allowlists/*.domains";
 
     foreach my $listfile (@domain_lists) {
-        &add_domain_list($listfile);
+        add_domain_list($listfile);
     }
     foreach my $hostfile (@hosts_lists) {
-        &add_host_file($hostfile);
+        add_host_file($hostfile);
     }
 
+    # Apply allowlists
+    my @allow_domains;
+    foreach my $allowlist (@allow_lists) {
+        push @allow_domains, read_stripped($allowlist);
+    }
+    my $before = %domains;
+    delete %domains{@allow_domains};
+    # Count number removed
+    $removed_allowed = $before - %domains;
+
     my $written = 0;
     my $fho = \*STDOUT;
     if (defined $out && length $out) {
@@ -105,9 +118,16 @@ MAIN: {
         } @block_ip;
     } sort keys %domains;
 
-    printf STDERR "%d domains written to %s from\n", $written, $out;
+    printf STDERR "%d domains written to %s from\n", $written, $out // 'STDOUT';
     printf STDERR " - %d .domains files\n", (scalar @domain_lists);
     printf STDERR " - %d .hosts files\n", (scalar @hosts_lists);
-    printf STDERR "(%d duplicates)\n", $dupes if $dupes;
-    printf STDERR "(%d skipped)\n", $skip if $skip;
+    if ($dupes) {
+        say STDERR "($dupes duplicates)";
+    }
+    if ($removed_allowed) {
+        say STDERR "($removed_allowed domains removed via allowlist)";
+    }
+    if ($skip) {
+        say STDERR "($skip skipped)";
+    }
 }

repos-noupdates/AdroitAdorKhan-EnergizedProtection

@@ -0,0 +1 @@
+Subproject commit d34e794936f3bcd23b5df198c13b57f088041f9c

repos/AdroitAdorKhan-EnergizedProtection

@@ -1 +0,0 @@
-Subproject commit 112ded65a22583512bb814abaf9292122d713965

update.sh

@@ -1,5 +1,4 @@
 #!/bin/bash
-# vi: et sts=4 sw=4 ts=4
 
 ###############################################################################
 # You Don't Need Pi-hole
@@ -14,20 +13,17 @@
 # You may NOT use this software for commercial purposes.
 ###############################################################################
 
-set -e
-
 WORKDIR=${0%/*}
 CFG=$WORKDIR/update.cfg
 
 # Config defaults
 BACKUPSUFFIX=
 BLOCKLIST=$WORKDIR/block.list
-LIST_DIR=$WORKDIR/lists
 OUT=()
 URL=()
 DNSMASQ_RESTART_COMMAND=()
 if [[ -f $CFG ]]; then
-    . "$CFG"
+    . "$CFG" || exit
 fi
 
 TEMP_DIR=$(mktemp -d -t "${0##*/}.XXXXXX")
@@ -36,7 +32,38 @@ cleanup() {
 }
 trap 'cleanup' EXIT
 
-(cd "$WORKDIR" && git submodule update --init --remote)
+copy_perms() {
+    local -r FROM=$1 TO=$2
+    chmod --reference="$FROM" -- "$TO" || exit
+    if [[ $UID -eq 0 ]]; then
+        chown --reference="$FROM" -- "$TO" || exit
+    fi
+}
+
+replace_with() {
+    local -r ORIG=$1 NEW=$2
+    if ! diff -q -- "$ORIG" "$NEW" &>/dev/null; then
+        # There's a change
+        if [[ -f $ORIG ]]; then
+            copy_perms "$ORIG" "$NEW"
+            if [[ -n $BACKUPSUFFIX ]]; then
+                mv -- "$ORIG" "$ORIG$BACKUPSUFFIX" || exit
+            fi
+        else
+            mkdir -p -- "${ORIG%/*}" || exit
+        fi
+        mv -- "$NEW" "$ORIG" || exit
+    else
+        printf 'File "%s" not modified\n' \
+            "$ORIG" \
+            >&2
+    fi
+}
+
+(cd "$WORKDIR" &&
+    git submodule update --init 'repos-noupdates/*' &&
+    git submodule update --init --remote 'repos/*'
+) || exit
 
 for (( I = 0 ; I < ${#OUT[@]} ; ++I )); do
     MY_URL=${URL[$I]}
@@ -52,45 +79,31 @@ for (( I = 0 ; I < ${#OUT[@]} ; ++I )); do
 
     TEMP_OUT=$(mktemp -p "$TEMP_DIR")
 
-    if [[ -f $MY_OUT ]]; then
-        cp -a -- "$MY_OUT" "$TEMP_OUT"
-    fi
-
     wget \
         -O "$TEMP_OUT" \
-        "$MY_URL"
-
-    if [[ -f $MY_OUT ]]; then
-        chmod --reference="$MY_OUT" "$TEMP_OUT"
-        if [[ -n $BACKUPSUFFIX ]]; then
-            mv -- "$MY_OUT" "$MY_OUT$BACKUPSUFFIX"
-        fi
-    fi
-
-    mkdir -p -- "${MY_OUT%/*}"
-    mv -- "$TEMP_OUT" "$MY_OUT"
-
-    # If the old one is the same, don't keep it around
-    if [[ -n $BACKUPSUFFIX && -f $MY_OUT$BACKUPSUFFIX ]]; then
-        if diff -q "$MY_OUT" "$MY_OUT$BACKUPSUFFIX"; then
-            rm -f -- "$MY_OUT$BACKUPSUFFIX"
-        fi
-    fi
+        "$MY_URL" || exit
 
+    replace_with "$MY_OUT" "$TEMP_OUT"
 done
 
-if [[ -n $BACKUPSUFFIX && -f $BLOCKLIST ]]; then
-    mv -- "$BLOCKLIST" "$BLOCKLIST$BACKUPSUFFIX"
-fi
-"$WORKDIR/make-block.pl" --out="$BLOCKLIST"
+TEMP_BLOCKLIST=$(mktemp -p "$TEMP_DIR")
+"$WORKDIR/make-block.pl" --out="$TEMP_BLOCKLIST" || exit
 
-# If the old one is the same the same, don't keep it around
-if [[ -n $BACKUPSUFFIX && -f $BLOCKLIST$BACKUPSUFFIX ]]; then
-    if diff -q "$BLOCKLIST" "$BLOCKLIST$BACKUPSUFFIX"; then
-        rm -f -- "$BLOCKLIST$BACKUPSUFFIX"
-    fi
+# Blocklist generation succeeded, install it!
+
+if [[ ! -e $BLOCKLIST ]]; then
+    (
+    # First time:
+    # Create an empty blocklist with -rw-r--r-- permissions.
+    # Prevents file not being readable; disregard permissions coming from
+    # whatever file permissions 'mktemp' sets.
+    umask 0022
+    touch -- "$BLOCKLIST"
+    ) || exit
 fi
 
+replace_with "$BLOCKLIST" "$TEMP_BLOCKLIST"
+
 if [[ ${#DNSMASQ_RESTART_COMMAND[@]} -gt 0 ]]; then
-    "${DNSMASQ_RESTART_COMMAND[@]}"
+    "${DNSMASQ_RESTART_COMMAND[@]}" || exit
 fi