From patchwork Wed Aug 27 07:41:46 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Chris Anton <chris.v.anton@gmail.com>
X-Patchwork-Id: 9015
Return-Path: <development+bounces-868-patchwork=ipfire.org@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mail01.haj.ipfire.org", Issuer "R13" (verified OK))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 4cBc1S40VPz3wbG
	for <patchwork@web04.haj.ipfire.org>; Wed, 27 Aug 2025 07:42:04 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org
 [IPv6:2001:678:b28::201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange x25519)
	(Client CN "mail02.haj.ipfire.org", Issuer "E8" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4cBc1S0d0Dz5R3
	for <patchwork@ipfire.org>; Wed, 27 Aug 2025 07:42:04 +0000 (UTC)
Authentication-Results: mail01.ipfire.org;
	dkim=pass header.d=gmail.com header.s=20230601 header.b=O5cQL9Zo;
	dmarc=pass (policy=none) header.from=gmail.com;
	arc=pass ("lists.ipfire.org:s=202003rsa:i=1");
	spf=softfail (mail01.ipfire.org: 2001:678:b28::201 is neither permitted nor
 denied by domain of
 "development+bounces-868-patchwork=ipfire.org@lists.ipfire.org")
 smtp.mailfrom="development+bounces-868-patchwork=ipfire.org@lists.ipfire.org"
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org;
	s=202003rsa; t=1756280524;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post:dkim-signature;
	bh=HPVcWYn02e1ShlqC96vYfJgvWc5Xt/hEm0wnDjZ/vog=;
	b=k6tx0fdnaAVRDaBAT6VU8Z2LK3T6pdc1elp4o5N8N2ljus0358W/FCPZu2lxxdn/468a/n
	yxGhegqNTCjr3PMYsQ9kew0z8Wl59kC+njWBRiepTLW5O1ESy9bCkQPeZJAOkhVBcDIDZo
	GDBWtF6OYhRx5foDV3fTtuJFExq9j+lSq80KUvp2hWAwT294yzmujseN+GHaWBC3PxMK1L
	GQBRHBf/x2VlD5y3E+Y3FUZ3m1AU9XcWXoLcZ6iaIWZNpMhYB+SUiV4CaBTm2XGNmRlEOC
	xXVrkmo6P7V8Ed9qF/+3xTdA654UtSGR93SjCuWj8b9fsdZn+w5SIya5JeoEBg==
ARC-Authentication-Results: i=2;
	mail01.ipfire.org;
	dkim=pass header.d=gmail.com header.s=20230601 header.b=O5cQL9Zo;
	dmarc=pass (policy=none) header.from=gmail.com;
	arc=pass ("lists.ipfire.org:s=202003rsa:i=1");
	spf=softfail (mail01.ipfire.org: 2001:678:b28::201 is neither permitted nor
 denied by domain of
 "development+bounces-868-patchwork=ipfire.org@lists.ipfire.org")
 smtp.mailfrom="development+bounces-868-patchwork=ipfire.org@lists.ipfire.org"
ARC-Seal: i=2; s=202003rsa; d=ipfire.org; t=1756280524; a=rsa-sha256;
	cv=pass;
	b=pL9p518ODy6TOrK4mavsRdsUdu2xhwL8ZcI9GGe/Q3/8jGBzu1Y5MUajCZOBDIW4xN+5zi
	3lK0uxFYazbRYrt7Ft+qKDi0LmrRlxdye2Rl7krI5PyukmMOsipCVogvs//U3OF1B78uar
	YDQ6d1Vtdu/eoen61uJu5WjZWhh3C0qUMw+EmgV64susxkViB10wP6BjFOTdRYHHQpVDa+
	yypzPxejVmexebvsYK7Pmv/zfzv3HsQtzApCEJtS+oM1It2uj8V0ZwZQTzh8mQU731x1mR
	5GJgoQGXFxvC92p2G9UAbX0QgPi8TxsB14pb0o9RIdzvhGDzJNv3TQY/KzdjPQ==
Received: from mail02.haj.ipfire.org (localhost [IPv6:::1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4cBc1R6zsYz30HY
	for <patchwork@ipfire.org>; Wed, 27 Aug 2025 07:42:03 +0000 (UTC)
X-Original-To: development@lists.ipfire.org
Received: from mail01.ipfire.org (mail01.haj.ipfire.org
 [IPv6:2001:678:b28::25])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange x25519)
	(Client CN "mail01.haj.ipfire.org", Issuer "R13" (verified OK))
	by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4cBc1P1KTfz2xLt
	for <development@lists.ipfire.org>; Wed, 27 Aug 2025 07:42:01 +0000 (UTC)
Received: from mail-yb1-xb35.google.com (mail-yb1-xb35.google.com
 [IPv6:2607:f8b0:4864:20::b35])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest
 SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "smtp.gmail.com", Issuer "WR4" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4cBc1M4WYlz2N
	for <development@lists.ipfire.org>; Wed, 27 Aug 2025 07:41:59 +0000 (UTC)
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=lists.ipfire.org;
	s=202003rsa; t=1756280520;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:dkim-signature;
	bh=HPVcWYn02e1ShlqC96vYfJgvWc5Xt/hEm0wnDjZ/vog=;
	b=guZG378dvw/cSftNvOmX/zFmP2D/Qh2+s0RI+y+uvvTAzoh345L+T8xWresQYG70n3sZD8
	D9QQvcwtVhNlJJ8Uc9Vhdsiw2Jx+fYASswzfM6EChFnOLrlPmkZ/FhAkD+ab495RrBTXpv
	BEEMAVgeQxpJjteiov0/KX1pnCfz/O9jXPd+hR657Gk0Hcjcs1UDy/j0Nj8wfmaOs2zYhX
	eOfaGw2mJ8xteTP/Y7ILQJf7V5x/Kf7KrhcDyDcmypQOMrJJtM5nJay+O5/KXvFvNoqN2L
	jTKLe3SWBd6jPBRQlBENhqoDPQHo+bKAgq/xuVibQSiPejLm9De8hP+OppqaxA==
ARC-Authentication-Results: i=1;
	mail01.ipfire.org;
	dkim=pass header.d=gmail.com header.s=20230601 header.b=O5cQL9Zo;
	dmarc=pass (policy=none) header.from=gmail.com;
	spf=pass (mail01.ipfire.org: domain of chris.v.anton@gmail.com designates
 2607:f8b0:4864:20::b35 as permitted sender)
 smtp.mailfrom=chris.v.anton@gmail.com
ARC-Seal: i=1; s=202003rsa; d=lists.ipfire.org; t=1756280520; a=rsa-sha256;
	cv=none;
	b=BRCGeHbbU6gn/9huoDpJf9If1xy52ENEQqM7RpEAr31xxCNS2h6A1kUxD8440zmQ4Y56oM
	Wzqpvs3fIDORMc182W81P7WE+uzWPpMeIPMeG2p7JkcYY5TXcuwUzUxidgsD3qgLxX2MOe
	cVNwnSjIuF6OlrnebjY9jTwEfk4zzQlrO2VZ/432iuD0Hy4VEROzHn3BYMW8Poc9gf0nyk
	cX1O8P9v68pR5/5LRhfyeTOgdObNvxwt2WCTtTfubXBJzoZMCtkn2lSSc7d7TGXM/Clvje
	wjpmURdhw/+RwxTeVQP9LF+3X75UhFV4e6xWBjO1WX6hbllaEhj4pdvygaCHMg==
Received: by mail-yb1-xb35.google.com with SMTP id
 3f1490d57ef6-e96c48e7101so2665392276.2
        for <development@lists.ipfire.org>;
 Wed, 27 Aug 2025 00:41:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1756280518; x=1756885318;
 darn=lists.ipfire.org;
        h=content-transfer-encoding:to:subject:message-id:date:from
         :mime-version:from:to:cc:subject:date:message-id:reply-to;
        bh=HPVcWYn02e1ShlqC96vYfJgvWc5Xt/hEm0wnDjZ/vog=;
        b=O5cQL9Zo80jXR6pwn7hxeMMzl4v1/pgbLMpr0XLscNjR0udGhqQjEE64fo+qH0Afw2
         7WGkElt5Xm1webuaCiQLvBhe+71p/f/4fjqsQMUIUjzQstyNEFrb9wFOL0NdpsQnhD4W
         bSASjOR4JOOUbDlYs6kuRo06rYm1i+i/DJ4Ae7PH/4FXZuIRaM2F9tEFus6BAP45Ak1w
         YTPb96o3Z4n8F6gqhCXE0AvaY8Yr0QE+dha2HQMtF57FxHrztZdz7ucH7M6ncCY8vAA5
         DInEFBXzAC2MOo6AK7qIAlFGIviG7EXMqThXBiflABzzd0sHJ4UiLZpe8Kk5i0jR88fl
         vQSQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1756280518; x=1756885318;
        h=content-transfer-encoding:to:subject:message-id:date:from
         :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=HPVcWYn02e1ShlqC96vYfJgvWc5Xt/hEm0wnDjZ/vog=;
        b=s3X6/jsRioUNmRlbsDB7eYLCl4JySCGENJx0l/F3DcPIZYBN9UjpO++HRTvop9h1EA
         QokS8tluvpgKYdu5v08sBOg/9wcws9ELFaDG02Y/JnhqhQaJiFSYezIfQ+QhMa+zV/eR
         kdpZJQhi+DhSlr59bzmwwdtmgqJQV/G3Jk/l21yzd95sI8O8e/Nhv5tMWruQJZNKOBsC
         d6r/bmufXwk6zz/3khWaUhOcjueYSqcexTFUrM65Jm3d5dSqgAxEdQ7tm8G/LG5ow3Jy
         dp+s52qF6AHJEp1LkoB5PqPBLoWa8Qq4I3QJFqzDnxlKnt691rqzCAY2xRQzbm8PW4mV
         MIRw==
X-Gm-Message-State: AOJu0Yytq2orwTZDORjZK1/GeBJr+cHMkJMWnf2FfiS1L2K1ZHyJ2eQf
	WvsIOCTK6qUIM8Jej/omIHHojCd58GO/XKDPL61AT+/EllL3JMf7ZX7i2Qgg+QjhoKRJqzI4Fmg
	qU6v8uA1cLTmw5W7BlUk98N94d75efIpPjkEGRx4=
X-Gm-Gg: ASbGnct7ntVmGyxgyAME0rQFiwq42aGGVAmXQgusRaVL0/evuo4P4RcLZtD+xXSjt6v
	t65AcmYKz0Bn46fe+Z+fyj/PMVei6iv/pxVr1rhQggshy7Z3UM1GUVPiyGaHyDa3QrhvPYfvei0
	X1H2cmRcQVt7kcynCrgh2SyQkel1C1Z7ZUFuU2daJht9wpkY+3206CdaFizgASdMDXm7SS9/nAu
	ZgTN1SQu8yN8Jjv6Zs=
X-Google-Smtp-Source: 
 AGHT+IESJCfK+3FBU00qzVkp7lk/lNw49apMsz7a1B0YxpEcmdskFyjVU2V7Hes0boLTLjmVxajYHhvqgzuwZxZSo1I=
X-Received: by 2002:a05:690c:6803:b0:71f:b944:1033 with SMTP id
 00721157ae682-71fdc43970emr220270107b3.48.1756280517647; Wed, 27 Aug 2025
 00:41:57 -0700 (PDT)
Precedence: list
List-Id: <development.lists.ipfire.org>
List-Subscribe: <https://lists.ipfire.org/>,
 <mailto:development+subscribe@lists.ipfire.org?subject=subscribe>
List-Unsubscribe: <https://lists.ipfire.org/>,
 <mailto:development+unsubscribe@lists.ipfire.org?subject=unsubscribe>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development+help@lists.ipfire.org?subject=help>
Sender: <development@lists.ipfire.org>
Mail-Followup-To: <development@lists.ipfire.org>
MIME-Version: 1.0
From: Chris Anton <chris.v.anton@gmail.com>
Date: Wed, 27 Aug 2025 02:41:46 -0500
X-Gm-Features: Ac12FXyO2TwyK_IVLnCg-JwmdTyMAnVffvxOyYC8Xutw0v6ePtjQ-3J_vcc9vkE
Message-ID: 
 <CAJ2Zu3Cn3Y3M7kqBuhiGmpSrcZ_u1VCOMk1tN1ed1w760e=gJw@mail.gmail.com>
Subject: [PATCH] ddns: add Cloudflare (v4) provider using API token
To: development@lists.ipfire.org
X-Rspamd-Server: mail01.haj.ipfire.org
X-Rspamd-Queue-Id: 4cBc1S0d0Dz5R3
X-Rspamd-Action: no action
X-Spamd-Result: default: False [-11.39 / 11.00];
	BAYES_HAM(-2.92)[99.67%];
	FROM_INTERNAL_BULK_SENDERS(-2.00)[2001:678:b28::201];
	R_DKIM_ALLOW(-1.66)[gmail.com:s=20230601];
	NEURAL_HAM(-1.00)[-1.000];
	ARC_ALLOW(-1.00)[lists.ipfire.org:s=202003rsa:i=1];
	DKIM_REPUTATION(-0.93)[-0.93239032289607];
	DMARC_POLICY_ALLOW_WITH_FAILURES(-0.50)[];
	RCVD_DKIM_ARC_DNSWL_MED(-0.50)[];
	IP_REPUTATION_HAM(-0.38)[asn: 204867(-0.11), country: DE(0.00),
 ip: 2001:678:b28::(-0.27)];
	RCVD_IN_DNSWL_MED(-0.20)[2001:678:b28::25:received];
	MAILLIST(-0.18)[generic];
	MIME_GOOD(-0.10)[text/plain];
	HAS_LIST_UNSUB(-0.01)[];
	MX_GOOD(-0.01)[];
	RCVD_COUNT_THREE(0.00)[4];
	FUZZY_RATELIMITED(0.00)[rspamd.com];
	MIME_TRACE(0.00)[0:+];
	RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::b35:received];
	RCPT_COUNT_ONE(0.00)[1];
	DWL_DNSWL_NONE(0.00)[gmail.com:dkim];
	FREEMAIL_FROM(0.00)[gmail.com];
	RCVD_TLS_LAST(0.00)[];
	DKIM_TRACE(0.00)[gmail.com:+];
	DMARC_POLICY_ALLOW(0.00)[gmail.com,none];
	R_SPF_SOFTFAIL(0.00)[~all:c];
	TO_DN_NONE(0.00)[];
	FROM_NEQ_ENVFROM(0.00)[chrisvanton@gmail.com,development@lists.ipfire.org];
	FROM_HAS_DN(0.00)[];
	TAGGED_FROM(0.00)[bounces-868-patchwork=ipfire.org];
	MID_RHS_MATCH_FROMTLD(0.00)[];
	ASN(0.00)[asn:204867, ipnet:2001:678:b28::/48, country:DE];
	ARC_SIGNED(0.00)[ipfire.org:s=202003rsa:i=2];
	FORGED_RECIPIENTS_MAILLIST(0.00)[];
	MISSING_XM_UA(0.00)[];
	FORGED_SENDER_MAILLIST(0.00)[]

From 563f089d0820bd61ad4aecac248d5cc1f2adfc81 Mon Sep 17 00:00:00 2001
From: faithinchaos21 <45313722+faithinchaos21@users.noreply.github.com>
Date: Wed, 27 Aug 2025 01:22:46 -0500
Subject: [PATCH] ddns: add Cloudflare (v4) provider using API token
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This adds a provider “cloudflare.com-v4” that updates an A record
via Cloudflare’s v4 API using a Bearer token. The token is accepted
from either ‘token’ or legacy ‘password’ for UI compatibility.

Tested on IPFire 2.29 / Core 196:
- no-op if A already matches WAN IP
- successful update when WAN IP changes
- logs include CFv4 breadcrumbs for troubleshooting

Signed-off-by: Chris Anton <chris.v.anton@gmail.com>
---
 src/ddns/providers.py | 121 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 121 insertions(+)

headers=headers, method="PUT"
+            )
+            with urllib.request.urlopen(req, timeout=20) as r:
+                upd = json.loads(r.read().decode())
+        except Exception as e:
+            raise DDNSUpdateError(f"Failed to send update request to
Cloudflare: {e}")
+
+        if not upd.get("success"):
+            raise DDNSUpdateError(f"Cloudflare API error on update:
{upd.get('errors')}")
+
+        logger.info("CFv4: update ok for %s -> %s", self.hostname, current_ip)
+        return
+

 class DDNSProtocolDynDNS2(object):
  """

diff --git a/src/ddns/providers.py b/src/ddns/providers.py
index 59f9665..df0f3a9 100644
--- a/src/ddns/providers.py
+++ b/src/ddns/providers.py
@@ -341,6 +341,127 @@ def have_address(self, proto):

  return False

+class DDNSProviderCloudflareV4(DDNSProvider):
+    """
+    Cloudflare v4 API using a Bearer Token.
+    Put the API Token in the 'token' OR 'password' field of the DDNS entry.
+    Optional in ddns.conf:
+      proxied = false|true   (default false; keep false for WireGuard)
+      ttl     = 1|60|120...  (default 1 = 'automatic')
+    """
+    handle    = "cloudflare.com-v4"
+    name      = "Cloudflare (v4)"
+    website   = "https://www.cloudflare.com/"
+    protocols = ("ipv4",)
+    supports_token_auth = True
+    holdoff_failure_days = 0
+
+    def _bool(self, key, default=False):
+        v = str(self.get(key, default)).strip().lower()
+        return v in ("1", "true", "yes", "on")
+
+    def update(self):
+        import json, urllib.request, urllib.error
+
+        tok = self.get("token") or self.get("password")
+        if not tok:
+            raise DDNSConfigurationError("API Token (password/token)
is missing.")
+
+        proxied = self._bool("proxied", False)
+        try:
+            ttl = int(self.get("ttl", 1))
+        except Exception:
+            ttl = 1
+
+        headers = {
+            "Authorization": "Bearer {0}".format(tok),
+            "Content-Type": "application/json",
+            "User-Agent": "IPFireDDNSUpdater/CFv4",
+        }
+
+        # --- find zone ---
+        parts = self.hostname.split(".")
+        if len(parts) < 2:
+            raise DDNSRequestError("Hostname '{0}' is not a valid
domain.".format(self.hostname))
+
+        zone_id = None
+        zone_name = None
+        for i in range(len(parts) - 1):
+            candidate = ".".join(parts[i:])
+            url =
f"https://api.cloudflare.com/client/v4/zones?name={candidate}"
+            try:
+                req = urllib.request.Request(url, headers=headers,
method="GET")
+                with urllib.request.urlopen(req, timeout=20) as r:
+                    data = json.loads(r.read().decode())
+            except Exception as e:
+                raise DDNSUpdateError(f"Failed to query Cloudflare
zones API: {e}")
+
+            if data.get("success") and data.get("result"):
+                zone_id = data["result"][0]["id"]
+                zone_name = candidate
+                break
+
+        if not zone_id:
+            raise DDNSRequestError(f"Could not find a Cloudflare Zone
for '{self.hostname}'.")
+
+        logger.info("CFv4: zone=%s id=%s", zone_name, zone_id)
+
+        # --- get record ---
+        rec_url =
f"https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records?type=A&name={self.hostname}"
+        try:
+            req = urllib.request.Request(rec_url, headers=headers,
method="GET")
+            with urllib.request.urlopen(req, timeout=20) as r:
+                rec_data = json.loads(r.read().decode())
+        except Exception as e:
+            raise DDNSUpdateError(f"Failed to query Cloudflare DNS
records API: {e}")
+
+        if not rec_data.get("success"):
+            errs = rec_data.get("errors") or []
+            if any("Authentication error" in (e.get("message", "") or
"") for e in errs):
+                raise DDNSAuthenticationError("Invalid API Token.")
+            raise DDNSUpdateError(f"Cloudflare API error finding
record: {errs}")
+
+        results = rec_data.get("result") or []
+        if not results:
+            raise DDNSRequestError(f"No A record found for
'{self.hostname}' in zone '{zone_name}'.")
+
+        record_id = results[0]["id"]
+        stored_ip = results[0]["content"]
+        logger.info("CFv4: record_id=%s stored_ip=%s", record_id, stored_ip)
+
+        # --- compare IPs ---
+        current_ip = self.get_address("ipv4")
+        logger.info("CFv4: current_ip=%s vs stored_ip=%s",
current_ip, stored_ip)
+        if current_ip == stored_ip:
+            logger.info("CFv4: no update needed")
+            return
+
+        # --- update ---
+        upd_url =
f"https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records/{record_id}"
+        payload = {
+            "type": "A",
+            "name": self.hostname,
+            "content": current_ip,
+            "ttl": ttl,
+            "proxied": proxied,
+        }
+        logger.info("CFv4: updating %s -> %s (proxied=%s ttl=%s)",
self.hostname, current_ip, proxied, ttl)
+
+        try:
+            req = urllib.request.Request(
+                upd_url, data=json.dumps(payload).encode(),