2.0
Add HTTPS filtering via e2guardian SSL MITM

Previously, drakguard only filtered HTTP traffic (port 80). HTTPS
connections bypassed e2guardian entirely, making blacklists, whitelists
and the total internet block ineffective against the vast majority of
modern web traffic.

This commit extends parental control to HTTPS by implementing SSL MITM
inspection through e2guardian, following the procedure documented at
https://github.com/e2guardian/e2guardian/wiki/MITM---Filtering-HTTPS

== SSL certificate infrastructure ==

New function generate_ssl_ca() creates the following key material under
/etc/e2guardian/private/ on first activation:
  - private_root.pem   RSA key for the root CA
  - my_rootCA.crt      Self-signed CA certificate (PEM)
  - my_rootCA.der      CA certificate in DER format (for Android)
  - private_cert.pem   Separate RSA key for upstream SSL connections
  - generatedcerts/    Directory for per-site forged certificates,
                       writable by the e2guardian user

Generation is idempotent: existing files are never overwritten.

New function install_ca_certificate() registers my_rootCA.crt in the
system trust store (update-ca-trust) and in the NSS database for
Firefox (certutil). New function remove_ca_certificate() reverses this
on disable so the MITM certificate is no longer trusted system-wide.

== e2guardian configuration ==

write_e2guardian() now sets the following directives in e2guardian.conf:
  enablessl = on
  transparenthttpsport = 8443
  cacertificatepath, caprivatekeypath, certprivatekeypath
  generatedcertpath

And in e2guardianf1.conf:
  sslmitm = on

Two issues with the default e2guardianf1.conf are corrected at
activation time:
  - The demo storyboard (examplef1.story) is commented out so that
    e2guardian uses the production group1.story instead.
  - The LISTDIR macro is repointed from lists/example.group to
    lists/ so that __LISTDIR__ substitutions resolve correctly.

== Blanket HTTPS block ==

When net_control is active, two additional mechanisms ensure that ** in
bannedsitelist blocks HTTPS as well as HTTP:
  - block_internet_ssl_e2guardian() activates ** in bannedsslsitelist.
  - enable_ssl_mitm_all_sites() uncomments the sslcheckblanketblock
    function in group1.story, which covers TH-mode connections
    (tunnelled HTTPS without MITM) not handled by checkrequest.
Both are reversed by their disable counterparts.

== Network redirection ==

Shorewall now redirects HTTPS (port 443) to e2guardian port 8443 via a
REDIRECT fw rule in rules.drakx, mirroring the existing HTTP redirect.
The e2guardian user is exempted from this redirect via ACCEPT+ fw net
tcp https, preventing the infinite redirect loop that would otherwise
exhaust all worker threads.

iptables time-control rules now reference the correct Shorewall chain
names fw-net and net-fw (previously fw2net and net2fw, which do not
exist in current Shorewall versions).

The exempt_e2guardian_from_https_redirect() function, which manually
manipulated iptables OUTPUT rules, has been removed: Shorewall handles
the exemption natively through the ACCEPT+ mechanism.

use strict and use diagnostics, accidentally removed during refactoring,
have been restored.

1.9
- translations updates

1.8
- translations updates

1.7
- translations updates

1.6
- translations updates

1.5
- moves from dansguardian to e2guardian
- translations updates

1.4
- new drakguard icon by Animtim (mga#18225)
- translations updates

1.3
- translations updates

1.2
- translations updates
- add missing spaces (mga#2583)

1.1
- force label wrapping (mga#12358)
- translations updates

1.0
- switch from gtk2 to gtk3
- translations updates

0.7.14
- only use transparent proxy with squid <3.2 (mga#10513)

0.7.13
- fix acl enabled test (mga#9195)

0.7.12
- allow urpmi to work when parental controls enabled (mga#7775)

0.7.11
- allow for ext4 when enabling acl (mga#9195)

0.7,10
- Use --kerneltz option to select local time zone (mga#6400)

0.7.9:
- handle kernel having *_FS_POSIX_ACL=y (mga#9195)
- ignore comments in /etc/fstab (mga#9195)
- translations updates

0.7.8:
- Clean for mageia
- Add new icons

0.7.7:
- translation updates

0.7.6:
- translation updates

0.7.5:
- properly check if ACL support is enabled (#43335).

0.7.4:
- Added patch from Tiago Marques <tiago.marques@caixamagica.pt> to support
  application blocking, msec integration, white-black lists and UI improvements
  (#43335).

0.7.3:
- properly detecting dansguardian control level (#50700).

0.7.2:
- translations updates

0.7.1:
- translations updates

0.7:
- translations updates

0.6:
- translations updates

0.5:
- time control settings (using "time" iptables module)

0.4:
- fix whitelisting websites, by using a site list, and not an url list
- add wait message when applying configuration
- hide inactive time control pane (the "time" netfilter module does
  not work out of the box in current kernel)

0.3:
- really quit gui when needed (like when packages instalaltion is
  cancelled, #39557)
- allow to add/remove users from users whitelist

0.2:
- adapt dansguardian language to system locale
- use scrolled window for user lists
- use stock icons for add/remove buttons
- do not allow to enter an url twice in blacklist/whitelist
- strip protocol when adding an url to blacklist/whitelist
- reload shorewall config if it has just been installed
- do not write conf if disabled
- do not write shorewall conf if shorewall disabled
- ask only one time to install packages (suggested by pterjan)
- rename icons (mostly for MCC)

0.1:
- initial release
