Bug#: 103947
Status: RESOLVED
Resolution: FIXED
Assigned To: Default Assignee for New Packages <maintainer-wanted@gentoo.org>
Reporter: Alan Swanson <swanson@ukfsn.org>

Filename                      Type        Creator       Created                Size
bfilter-0.9.4.ebuild          text/plain  Alan Swanson  2005-08-27 12:16 0000  1.11 KB
bfilter.8                     text/plain  Alan Swanson  2005-08-27 12:17 0000  9.21 KB
bfilter-init.d                text/plain  Alan Swanson  2005-08-27 12:18 0000  395 bytes
bfilter-conf.d                text/plain  Alan Swanson  2005-08-27 12:19 0000  275 bytes
bfilter-0.9.4-droppriv.patch  patch       Alan Swanson  2005-08-27 12:29 0000  4.79 KB
bfilter.8                     text/plain  Alan Swanson  2005-08-28 04:14 0000  9.29 KB
bfilter-0.9.4-droppriv.patch  patch       Alan Swanson  2005-08-28 05:22 0000  4.99 KB



Description:   Opened: 2005-08-27 12:14 0000
BFilter is an advert filtering proxy that uses heuristic ad-detection algorithms
rather than blocklists to remove image and flash adverts, popups and webbugs. It
also uses a Javascript engine to remove Javascript generated adverts and popups.
Unlike most proxies it supports persistent connections and pipelining for HTTP/1.1
connections. (However it doesn't support CONNECT method used for HTTPS.)

I've made a patch that implements privilege dropping for chrooting and changing
users and groups. This is used in the default configuration for security. I've
also hashed together a man page as well. I presume it would go into net-proxy
along with privoxy.

Files that should be attached here will include bfilter-0.9.4.ebuild,
bfilter-init.d, bfilter-conf.d, bfilter.8 and bfilter-0.9.4-droppriv.patch.

------- Comment #1 From Alan Swanson 2005-08-27 12:16:13 0000 -------
Created an attachment (id=67006)
bfilter-0.9.4.ebuild

The ebuild. Uses a local "gui" USE flag which I've tested but expect nobody to
actually use.

------- Comment #2 From Alan Swanson 2005-08-27 12:17:11 0000 -------
Created an attachment (id=67008)
bfilter.8

Man page for bfilter.

------- Comment #3 From Alan Swanson 2005-08-27 12:18:09 0000 -------
Created an attachment (id=67009)
bfilter-init.d

The init script.

------- Comment #4 From Alan Swanson 2005-08-27 12:19:58 0000 -------
Created an attachment (id=67010)
bfilter-conf.d

Configuration settings. This is secure by default as I'm paranoid...

------- Comment #5 From Alan Swanson 2005-08-27 12:29:02 0000 -------
Created an attachment (id=67013)
bfilter-0.9.4-droppriv.patch

The privilege dropping patch for chrooting and changing users and groups. The
parent process exits if user, group or chroot directory do not exist and
subsequent child processes which handle the proxy requests exit if the chroot
directory no longer exists.

To allow for an empty chroot directory you need to call gethostbyname for a
non-local host (i.e. not in /etc/hosts) before chrooting. This is run by each
child started but as bfilter supports persistent connections and pipelining
it's not really a worry. I've defaulted it to slashdot.org but you might want
it to be forums.gentoo.org for popularity!

------- Comment #6 From Alan Swanson 2005-08-28 04:14:26 0000 -------
Created an attachment (id=67058)
bfilter.8

Tweaks to the man page fixing a spelling mistake, adding long options and
correcting the section number.

Also dithering regarding having the chroot configuration by default. The
default setting is to bind to 127.0.0.1 only so only local users would be using
the proxy. Other proxies in Gentoo are generally not chrooted by default. Not
chrooting would save two milliseconds for a local DNS server or approximately
50 milliseconds for a remote DNS server from startup time for each child
started to handle requests.

If the developer that decides to maintain this doesn't want to chroot by
default, remove the /var/empty directory creation in the ebuild.

------- Comment #7 From Alan Swanson 2005-08-28 05:22:58 0000 -------
Created an attachment (id=67063)
bfilter-0.9.4-droppriv.patch

Tweak to the privilege dropping patch. If chroot is not set then the parent
process can also change to the unprivileged user.

That should be it for now, no more changes I promise.

------- Comment #8 From Alin Năstac 2005-09-17 13:19:28 0000 -------
First, congratulations for this pretty well written ebuild! All I had to do was
to replace gui useflag with gtk (no need to invent yet another useflag) and move
the pkg_preinst function after src_install.

However, upstream appears to be dead (more than a year since last release) and
HTTPS isn't supported (as you already observed). Also, the popularity of this
package isn't impressive (just a few downloads per month).

Is this package really useful for you? If you say so, I will submit it to the
tree, but I doubt you'll find another gentooer who would use this package.

------- Comment #9 From Alan Swanson 2005-09-17 15:28:49 0000 -------
BFilter isn't well advertised IYKWIM and I'd only found it while doing a search
for proxies prior to (re)writing one for myself. Upstream are still developing
it and commits are currently being made to CVS (though without anything useful
like comments for each commit).

The GUI interface is not really useful in Linux. To explain, the GUI can't be
used with the proxy started by init as the GUI starts its own completely
separate proxy. Users would have an always open window which allows editing of
their local configuration files only. I'd decided to disable it by default with
the undocumented USE flag (with the advantage that gtkmm would not be an
additional dependency for GTK users).

I'm currently using bfilter in preference to privoxy or wwwoffle for filtering
though the lack of CONNECT (HTTPS) support is a wee bit inconvenient I'd agree.
To cut this ramble short I don't mind if bfilter is not added to Gentoo, anyone
else can use this bug as a reference and reopen it if they do start using
bfilter (showing I'm not alone in the Gentoo world).

------- Comment #10 From Alin Năstac 2005-09-18 22:42:38 0000 -------
Main problem was upstream being dead, so I'll submit it to the tree.

My changes are:
- replaced gui useflag with X - seems the best replacement
- double quote ${D} strings
- add info messages to die calls
- correct useflag? ( dep ) atom - you must use parentheses

Please send your patch and man page to upstream for inclusion in future versions.
