projects / feed / packages.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
usbmuxd: Update to latest git
[feed/packages.git] / net / unbound / files / unbound.sh
1 #!/bin/sh
2 ##############################################################################
3 #
4 # This program is free software; you can redistribute it and/or modify
5 # it under the terms of the GNU General Public License version 2 as
6 # published by the Free Software Foundation.
7 #
8 # This program is distributed in the hope that it will be useful,
9 # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 # GNU General Public License for more details.
12 #
13 # Copyright (C) 2016 Eric Luehrsen
14 #
15 ##############################################################################
16 #
17 # Unbound is a full featured recursive server with many options. The UCI
18 # provided tries to simplify and bundle options. This should make Unbound
19 # easier to deploy. Even light duty routers may resolve recursively instead of
20 # depending on a stub with the ISP. The UCI also attempts to replicate dnsmasq
21 # features as used in base LEDE/OpenWrt. If there is a desire for more
22 # detailed tuning, then manual conf file overrides are also made available.
23 #
24 ##############################################################################
25
26 UB_B_SLAAC6_MAC=0
27 UB_B_DNSSEC=0
28 UB_B_DNS64=0
29 UB_B_EXT_STATS=0
30 UB_B_GATE_NAME=0
31 UB_B_HIDE_BIND=1
32 UB_B_LOCL_BLCK=0
33 UB_B_LOCL_SERV=1
34 UB_B_MAN_CONF=0
35 UB_B_NTP_BOOT=1
36 UB_B_QUERY_MIN=0
37 UB_B_QRY_MINST=0
38 UB_B_AUTH_ROOT=0
39
40 UB_D_CONTROL=0
41 UB_D_DOMAIN_TYPE=static
42 UB_D_DHCP_LINK=none
43 UB_D_EXTRA_DNS=0
44 UB_D_LAN_FQDN=0
45 UB_D_PRIV_BLCK=1
46 UB_D_PROTOCOL=mixed
47 UB_D_RESOURCE=small
48 UB_D_RECURSION=passive
49 UB_D_VERBOSE=1
50 UB_D_WAN_FQDN=0
51
52 UB_IP_DNS64="64:ff9b::/96"
53
54 UB_N_EDNS_SIZE=1280
55 UB_N_RX_PORT=53
56 UB_N_ROOT_AGE=9
57
58 UB_TTL_MIN=120
59 UB_TXT_DOMAIN=lan
60 UB_TXT_HOSTNAME=thisrouter
61
62 ##############################################################################
63
64 # reset as a combo with UB_B_NTP_BOOT and some time stamp files
65 UB_B_READY=1
66
67 # keep track of assignments during inserted resource records
68 UB_LIST_NETW_ALL=""
69 UB_LIST_NETW_LAN=""
70 UB_LIST_NETW_WAN=""
71 UB_LIST_INSECURE=""
72 UB_LIST_ZONE_SERVERS=""
73 UB_LIST_ZONE_NAMES=""
74
75 ##############################################################################
76
77 . /lib/functions.sh
78 . /lib/functions/network.sh
79
80 . /usr/lib/unbound/defaults.sh
81 . /usr/lib/unbound/dnsmasq.sh
82 . /usr/lib/unbound/iptools.sh
83
84 ##############################################################################
85
86 bundle_all_networks() {
87 local cfg="$1"
88 local ifname ifdashname validip
89 local subnet subnets subnets4 subnets6
90
91 network_get_subnets subnets4 "$cfg"
92 network_get_subnets6 subnets6 "$cfg"
93 network_get_device ifname "$cfg"
94
95 ifdashname="${ifname//./-}"
96 subnets="$subnets4 $subnets6"
97
98
99 if [ -n "$subnets" ] ; then
100 for subnet in $subnets ; do
101 validip=$( valid_subnet_any $subnet )
102
103
104 if [ "$validip" = "ok" ] ; then
105 UB_LIST_NETW_ALL="$UB_LIST_NETW_ALL $ifdashname@$subnet"
106 fi
107 done
108 fi
109 }
110
111 ##############################################################################
112
113 bundle_lan_networks() {
114 local cfg="$1"
115 local ifsubnet ifname ifdashname ignore
116
117 config_get_bool ignore "$cfg" ignore 0
118 network_get_device ifname "$cfg"
119 ifdashname="${ifname//./-}"
120
121
122 if [ "$ignore" -eq 0 -a -n "$ifdashname" -a -n "$UB_LIST_NETW_ALL" ] ; then
123 for ifsubnet in $UB_LIST_NETW_ALL ; do
124 case $ifsubnet in
125 "${ifdashname}"@*)
126 # Special GLA protection for local block; ULA protected as a catagory
127 UB_LIST_NETW_LAN="$UB_LIST_NETW_LAN $ifsubnet"
128 ;;
129 esac
130 done
131 fi
132 }
133
134 ##############################################################################
135
136 bundle_wan_networks() {
137 local ifsubnet
138
139
140 if [ -n "$UB_LIST_NETW_ALL" ] ; then
141 for ifsubnet in $UB_LIST_NETW_ALL ; do
142 case $UB_LIST_NETW_LAN in
143 *"${ifsubnet}"*)
144 # If LAN, then not WAN ...
145 ;;
146
147 *)
148 UB_LIST_NETW_WAN="$UB_LIST_NETW_WAN $ifsubnet"
149 ;;
150 esac
151 done
152 fi
153 }
154
155 ##############################################################################
156
157 bundle_resolv_conf_servers() {
158 local resolvers=$( awk '/nameserver/ { print $2 }' /tmp/resolv.conf.auto )
159 UB_LIST_ZONE_SERVERS="$UB_LIST_ZONE_SERVERS $resolvers"
160 }
161
162 ##############################################################################
163
164 bundle_zone_names() {
165 UB_LIST_ZONE_NAMES="$UB_LIST_ZONE_NAMES $1"
166 }
167
168 ##############################################################################
169
170 bundle_zone_servers() {
171 UB_LIST_ZONE_SERVERS="$UB_LIST_ZONE_SERVERS $1"
172 }
173
174 ##############################################################################
175
176 bundle_domain_insecure() {
177 UB_LIST_INSECURE="$UB_LIST_INSECURE $1"
178 }
179
180 ##############################################################################
181
182 unbound_mkdir() {
183 local filestuff
184
185
186 if [ "$UB_D_DHCP_LINK" = "odhcpd" ] ; then
187 local dhcp_origin=$( uci_get dhcp.@odhcpd[0].leasefile )
188 local dhcp_dir=$( dirname $dhcp_origin )
189
190
191 if [ ! -d "$dhcp_dir" ] ; then
192 # make sure odhcpd has a directory to write (not done itself, yet)
193 mkdir -p "$dhcp_dir"
194 fi
195 fi
196
197
198 if [ -f $UB_RKEY_FILE ] ; then
199 filestuff=$( cat $UB_RKEY_FILE )
200
201
202 case "$filestuff" in
203 *"state=2 [ VALID ]"*)
204 # Lets not lose RFC 5011 tracking if we don't have to
205 cp -p $UB_RKEY_FILE $UB_RKEY_FILE.keep
206 ;;
207 esac
208 fi
209
210
211 # Blind copy /etc/unbound to /var/lib/unbound
212 mkdir -p $UB_VARDIR
213 rm -f $UB_VARDIR/dhcp_*
214 touch $UB_TOTAL_CONF
215 cp -p /etc/unbound/* $UB_VARDIR/
216
217
218 if [ ! -f $UB_RHINT_FILE ] ; then
219 if [ -f /usr/share/dns/root.hints ] ; then
220 # Debian-like package dns-root-data
221 cp -p /usr/share/dns/root.hints $UB_RHINT_FILE
222
223 elif [ "$UB_B_READY" -eq 0 ] ; then
224 logger -t unbound -s "default root hints (built in root-servers.net)"
225 fi
226 fi
227
228
229 if [ ! -f $UB_RKEY_FILE ] ; then
230 if [ -f /usr/share/dns/root.key ] ; then
231 # Debian-like package dns-root-data
232 cp -p /usr/share/dns/root.key $UB_RKEY_FILE
233
234 elif [ -x $UB_ANCHOR ] ; then
235 $UB_ANCHOR -a $UB_RKEY_FILE
236
237 elif [ "$UB_B_READY" -eq 0 ] ; then
238 logger -t unbound -s "default trust anchor (built in root DS record)"
239 fi
240 fi
241
242
243 if [ -f $UB_RKEY_FILE.keep ] ; then
244 # root.key.keep is reused if newest
245 cp -u $UB_RKEY_FILE.keep $UB_RKEY_FILE
246 rm -f $UB_RKEY_FILE.keep
247 fi
248
249
250 if [ -f $UB_TLS_ETC_FILE ] ; then
251 # copy the cert bundle into jail
252 cp -p $UB_TLS_ETC_FILE $UB_TLS_FWD_FILE
253 fi
254
255
256 # Ensure access and prepare to jail
257 chown -R unbound:unbound $UB_VARDIR
258 chmod 755 $UB_VARDIR
259 chmod 644 $UB_VARDIR/*
260
261
262 if [ -f $UB_CTLKEY_FILE -o -f $UB_CTLPEM_FILE \
263 -o -f $UB_SRVKEY_FILE -o -f $UB_SRVPEM_FILE ] ; then
264 # Keys (some) exist already; do not create new ones
265 chmod 640 $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
266 $UB_SRVKEY_FILE $UB_SRVPEM_FILE
267
268 elif [ -x /usr/sbin/unbound-control-setup ] ; then
269 case "$UB_D_CONTROL" in
270 [2-3])
271 # unbound-control-setup for encrypt opt. 2 and 3, but not 4 "static"
272 /usr/sbin/unbound-control-setup -d $UB_VARDIR
273
274 chown -R unbound:unbound $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
275 $UB_SRVKEY_FILE $UB_SRVPEM_FILE
276
277 chmod 640 $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
278 $UB_SRVKEY_FILE $UB_SRVPEM_FILE
279
280 cp -p $UB_CTLKEY_FILE /etc/unbound/unbound_control.key
281 cp -p $UB_CTLPEM_FILE /etc/unbound/unbound_control.pem
282 cp -p $UB_SRVKEY_FILE /etc/unbound/unbound_server.key
283 cp -p $UB_SRVPEM_FILE /etc/unbound/unbound_server.pem
284 ;;
285 esac
286 fi
287
288
289 if [ -f "$UB_TIME_FILE" ] ; then
290 # NTP is done so its like you actually had an RTC
291 UB_B_READY=1
292 UB_B_NTP_BOOT=0
293
294 elif [ "$UB_B_NTP_BOOT" -eq 0 ] ; then
295 # time is considered okay on this device (ignore /etc/hotplug/ntpd/unbound)
296 date -Is > $UB_TIME_FILE
297 UB_B_READY=0
298 UB_B_NTP_BOOT=0
299
300 else
301 # DNSSEC-TIME will not reconcile
302 UB_B_READY=0
303 UB_B_NTP_BOOT=1
304 fi
305 }
306
307 ##############################################################################
308
309 unbound_control() {
310 echo "# $UB_CTRL_CONF generated by UCI $( date -Is )" > $UB_CTRL_CONF
311
312
313 if [ "$UB_D_CONTROL" -gt 1 ] ; then
314 if [ ! -f $UB_CTLKEY_FILE -o ! -f $UB_CTLPEM_FILE \
315 -o ! -f $UB_SRVKEY_FILE -o ! -f $UB_SRVPEM_FILE ] ; then
316 # Key files need to be present; if unbound-control-setup was found, then
317 # they might have been made during unbound_makedir() above.
318 UB_D_CONTROL=0
319 fi
320 fi
321
322
323 case "$UB_D_CONTROL" in
324 1)
325 {
326 # Local Host Only Unencrypted Remote Control
327 echo "remote-control:"
328 echo " control-enable: yes"
329 echo " control-use-cert: no"
330 echo " control-interface: 127.0.0.1"
331 echo " control-interface: ::1"
332 echo
333 } >> $UB_CTRL_CONF
334 ;;
335
336 2)
337 {
338 # Local Host Only Encrypted Remote Control
339 echo "remote-control:"
340 echo " control-enable: yes"
341 echo " control-use-cert: yes"
342 echo " control-interface: 127.0.0.1"
343 echo " control-interface: ::1"
344 echo " server-key-file: $UB_SRVKEY_FILE"
345 echo " server-cert-file: $UB_SRVPEM_FILE"
346 echo " control-key-file: $UB_CTLKEY_FILE"
347 echo " control-cert-file: $UB_CTLPEM_FILE"
348 echo
349 } >> $UB_CTRL_CONF
350 ;;
351
352 [3-4])
353 {
354 # Network Encrypted Remote Control
355 # (3) may auto setup and (4) must have static key/pem files
356 # TODO: add UCI list for interfaces to bind
357 echo "remote-control:"
358 echo " control-enable: yes"
359 echo " control-use-cert: yes"
360 echo " control-interface: 0.0.0.0"
361 echo " control-interface: ::0"
362 echo " server-key-file: $UB_SRVKEY_FILE"
363 echo " server-cert-file: $UB_SRVPEM_FILE"
364 echo " control-key-file: $UB_CTLKEY_FILE"
365 echo " control-cert-file: $UB_CTLPEM_FILE"
366 echo
367 } >> $UB_CTRL_CONF
368 ;;
369 esac
370 }
371
372 ##############################################################################
373
374 unbound_zone() {
375 local cfg=$1
376 local servers_ip=""
377 local servers_host=""
378 local zone_sym zone_name zone_type zone_enabled zone_file
379 local tls_upstream fallback
380 local server port tls_port tls_index tls_suffix url_dir
381
382 if [ ! -f "$UB_ZONE_CONF" ] ; then
383 echo "# $UB_ZONE_CONF generated by UCI $( date -Is )" > $UB_ZONE_CONF
384 fi
385
386
387 config_get_bool zone_enabled "$cfg" enabled 0
388
389
390 if [ "$zone_enabled" -eq 1 ] ; then
391 # these lists are built for each zone; empty to start
392 UB_LIST_ZONE_NAMES=""
393 UB_LIST_ZONE_SERVERS=""
394
395 config_get zone_type "$cfg" zone_type ""
396 config_get port "$cfg" port ""
397 config_get tls_index "$cfg" tls_index ""
398 config_get tls_port "$cfg" tls_port 853
399 config_get url_dir "$cfg" url_dir ""
400
401 config_get_bool resolv_conf "$cfg" resolv_conf 0
402 config_get_bool fallback "$cfg" fallback 1
403 config_get_bool tls_upstream "$cfg" tls_upstream 0
404
405 config_list_foreach "$cfg" zone_name bundle_zone_names
406 config_list_foreach "$cfg" server bundle_zone_servers
407
408 # string formating for Unbound syntax
409 tls_suffix="${tls_port:+@${tls_port}${tls_index:+#${tls_index}}}"
410 [ "$fallback" -eq 0 ] && fallback=no || fallback=yes
411 [ "$tls_upstream" -eq 0 ] && tls_upstream=no || tls_upstream=yes
412
413
414 if [ $resolv_conf -eq 1 ] ; then
415 bundle_resolv_conf_servers
416 fi
417
418 else
419 zone_type=skip
420 fi
421
422
423 case $zone_type in
424 auth_zone)
425 if [ "$UB_B_NTP_BOOT" -eq 0 -a -n "$UB_LIST_ZONE_NAMES" \
426 -a \( -n "$url_dir" -o -n "$UB_LIST_ZONE_SERVERS" \) ] ; then
427 # Note AXFR may have large downloads. If NTP restart is configured,
428 # then this can cause procd to force a process kill.
429 for zone_name in $UB_LIST_ZONE_NAMES ; do
430 if [ "$zone_name" = "." ] ; then
431 zone_sym=.
432 zone_name=root
433 zone_file=root.zone
434 else
435 zone_sym=$zone_name
436 zone_file=$zone_name.zone
437 zone_file=${zone_file//../.}
438 fi
439
440
441 {
442 # generate an auth-zone: with switches for prefetch cache
443 echo "auth-zone:"
444 echo " name: $zone_sym"
445 for server in $UB_LIST_ZONE_SERVERS ; do
446 echo " master: $server${port:+@${port}}"
447 done
448 if [ -n "$url_dir" ] ; then
449 echo " url: $url_dir$zone_file"
450 fi
451 echo " fallback-enabled: $fallback"
452 echo " for-downstream: no"
453 echo " for-upstream: yes"
454 echo " zonefile: $zone_file"
455 echo
456 } >> $UB_ZONE_CONF
457 done
458 fi
459 ;;
460
461 forward_zone)
462 if [ ! -f $UB_TLS_FWD_FILE -a "$tls_upstream" = "yes" ] ; then
463 logger -p 4 -t unbound -s \
464 "Forward-zone TLS benefits from authentication in package 'ca-bundle'"
465 fi
466
467
468 if [ -n "$UB_LIST_ZONE_NAMES" -a -n "$UB_LIST_ZONE_SERVERS" ] ; then
469 for server in $UB_LIST_ZONE_SERVERS ; do
470 if [ "$( valid_subnet_any $server )" = "not" ] ; then
471 case $server in
472 *@[0-9]*)
473 # unique Unbound option for server host name
474 servers_host="$servers_host $server"
475 ;;
476
477 *)
478 if [ "$tls_upstream" = "yes" ] ; then
479 servers_host="$servers_host $server${tls_port:+@${tls_port}}"
480 else
481 servers_host="$servers_host $server${port:+@${port}}"
482 fi
483 esac
484
485 else
486 case $server in
487 *[0-9]@[0-9]*)
488 # unique Unbound option for server address
489 servers_ip="$servers_ip $server"
490 ;;
491
492 *)
493 if [ "$tls_upstream" = "yes" ] ; then
494 servers_ip="$servers_ip $server$tls_suffix"
495 else
496 servers_ip="$servers_ip $server${port:+@${port}}"
497 fi
498 esac
499 fi
500 done
501
502
503 for zonename in $UB_LIST_ZONE_NAMES ; do
504 {
505 # generate a forward-zone with or without tls
506 echo "forward-zone:"
507 echo " name: $zonename"
508 for server in $servers_host ; do
509 echo " forward-host: $server"
510 done
511 for server in $servers_ip ; do
512 echo " forward-addr: $server"
513 done
514 echo " forward-first: $fallback"
515 echo " forward-tls-upstream: $tls_upstream"
516 echo
517 } >> $UB_ZONE_CONF
518 done
519 fi
520 ;;
521
522 stub_zone)
523 if [ -n "$UB_LIST_ZONE_NAMES" -a -n "$UB_LIST_ZONE_SERVERS" ] ; then
524 for zonename in $UB_LIST_ZONE_NAMES ; do
525 {
526 # generate a stub-zone: or ensure short cut to authority NS
527 echo "stub-zone:"
528 echo " name: $zonename"
529 for server in $UB_LIST_ZONE_SERVERS ; do
530 echo " stub-addr: $server${port:+@${port}}"
531 done
532 echo " stub-first: $fallback"
533 echo
534 } >> $UB_ZONE_CONF
535 done
536 fi
537 ;;
538 esac
539 }
540
541 ##############################################################################
542
543 unbound_conf() {
544 local rt_mem rt_conn rt_buff modulestring domain ifsubnet nsubnet
545
546 {
547 # server: for this whole function
548 echo "# $UB_CORE_CONF generated by UCI $( date -Is )"
549 echo "server:"
550 echo " username: unbound"
551 echo " chroot: $UB_VARDIR"
552 echo " directory: $UB_VARDIR"
553 echo " pidfile: $UB_PIDFILE"
554 } > $UB_CORE_CONF
555
556
557 if [ -f "$UB_TLS_FWD_FILE" ] ; then
558 # TLS cert bundle for upstream forwarder and https zone files
559 # This is loaded before drop to root, so pull from /etc/ssl
560 echo " tls-cert-bundle: $UB_TLS_FWD_FILE" >> $UB_CORE_CONF
561 fi
562
563
564 if [ -f "$UB_RHINT_FILE" ] ; then
565 # Optional hints if found
566 echo " root-hints: $UB_RHINT_FILE" >> $UB_CORE_CONF
567 fi
568
569
570 if [ "$UB_B_DNSSEC" -gt 0 -a -f "$UB_RKEY_FILE" ] ; then
571 {
572 echo " auto-trust-anchor-file: $UB_RKEY_FILE"
573 echo
574 } >> $UB_CORE_CONF
575
576 else
577 echo >> $UB_CORE_CONF
578 fi
579
580
581 {
582 # No threading
583 echo " num-threads: 1"
584 echo " msg-cache-slabs: 1"
585 echo " rrset-cache-slabs: 1"
586 echo " infra-cache-slabs: 1"
587 echo " key-cache-slabs: 1"
588 echo
589 # Logging
590 echo " use-syslog: yes"
591 echo " statistics-interval: 0"
592 echo " statistics-cumulative: no"
593 } >> $UB_CORE_CONF
594
595
596 if [ "$UB_D_VERBOSE" -ge 0 -a "$UB_D_VERBOSE" -le 5 ] ; then
597 echo " verbosity: $UB_D_VERBOSE" >> $UB_CORE_CONF
598 fi
599
600
601 if [ "$UB_B_EXT_STATS" -gt 0 ] ; then
602 {
603 # Log More
604 echo " extended-statistics: yes"
605 echo
606 } >> $UB_CORE_CONF
607
608 else
609 {
610 # Log Less
611 echo " extended-statistics: no"
612 echo
613 } >> $UB_CORE_CONF
614 fi
615
616
617 case "$UB_D_PROTOCOL" in
618 ip4_only)
619 {
620 echo " edns-buffer-size: $UB_N_EDNS_SIZE"
621 echo " port: $UB_N_RX_PORT"
622 echo " outgoing-port-permit: 10240-65535"
623 echo " interface: 0.0.0.0"
624 echo " outgoing-interface: 0.0.0.0"
625 echo " do-ip4: yes"
626 echo " do-ip6: no"
627 echo
628 } >> $UB_CORE_CONF
629 ;;
630
631 ip6_only)
632 {
633 echo " edns-buffer-size: $UB_N_EDNS_SIZE"
634 echo " port: $UB_N_RX_PORT"
635 echo " outgoing-port-permit: 10240-65535"
636 echo " interface: ::0"
637 echo " outgoing-interface: ::0"
638 echo " do-ip4: no"
639 echo " do-ip6: yes"
640 echo
641 } >> $UB_CORE_CONF
642 ;;
643
644 ip6_local)
645 {
646 echo " edns-buffer-size: $UB_N_EDNS_SIZE"
647 echo " port: $UB_N_RX_PORT"
648 echo " outgoing-port-permit: 10240-65535"
649 echo " interface: 0.0.0.0"
650 echo " interface: ::0"
651 echo " outgoing-interface: 0.0.0.0"
652 echo " do-ip4: yes"
653 echo " do-ip6: yes"
654 echo
655 } >> $UB_CORE_CONF
656 ;;
657
658 ip6_prefer)
659 {
660 echo " edns-buffer-size: $UB_N_EDNS_SIZE"
661 echo " port: $UB_N_RX_PORT"
662 echo " outgoing-port-permit: 10240-65535"
663 echo " interface: 0.0.0.0"
664 echo " interface: ::0"
665 echo " outgoing-interface: 0.0.0.0"
666 echo " outgoing-interface: ::0"
667 echo " do-ip4: yes"
668 echo " do-ip6: yes"
669 echo " prefer-ip6: yes"
670 echo
671 } >> $UB_CORE_CONF
672 ;;
673
674 mixed)
675 {
676 # Interface Wildcard (access contol handled by "option local_service")
677 echo " edns-buffer-size: $UB_N_EDNS_SIZE"
678 echo " port: $UB_N_RX_PORT"
679 echo " outgoing-port-permit: 10240-65535"
680 echo " interface: 0.0.0.0"
681 echo " interface: ::0"
682 echo " outgoing-interface: 0.0.0.0"
683 echo " outgoing-interface: ::0"
684 echo " do-ip4: yes"
685 echo " do-ip6: yes"
686 echo
687 } >> $UB_CORE_CONF
688 ;;
689
690 *)
691 if [ "$UB_B_READY" -eq 0 ] ; then
692 logger -t unbound -s "default protocol configuration"
693 fi
694
695
696 {
697 # outgoing-interface has useful defaults; incoming is localhost though
698 echo " edns-buffer-size: $UB_N_EDNS_SIZE"
699 echo " port: $UB_N_RX_PORT"
700 echo " outgoing-port-permit: 10240-65535"
701 echo " interface: 0.0.0.0"
702 echo " interface: ::0"
703 echo
704 } >> $UB_CORE_CONF
705 ;;
706 esac
707
708
709 case "$UB_D_RESOURCE" in
710 # Tiny - Unbound's recommended cheap hardware config
711 tiny) rt_mem=1 ; rt_conn=2 ; rt_buff=1 ;;
712 # Small - Half RRCACHE and open ports
713 small) rt_mem=8 ; rt_conn=10 ; rt_buff=2 ;;
714 # Medium - Nearly default but with some added balancintg
715 medium) rt_mem=16 ; rt_conn=15 ; rt_buff=4 ;;
716 # Large - Double medium
717 large) rt_mem=32 ; rt_conn=20 ; rt_buff=4 ;;
718 # Whatever unbound does
719 *) rt_mem=0 ; rt_conn=0 ;;
720 esac
721
722
723 if [ "$rt_mem" -gt 0 ] ; then
724 {
725 # Other harding and options for an embedded router
726 echo " harden-short-bufsize: yes"
727 echo " harden-large-queries: yes"
728 echo " harden-glue: yes"
729 echo " use-caps-for-id: no"
730 echo
731 # Set memory sizing parameters
732 echo " msg-buffer-size: $(($rt_buff*8192))"
733 echo " outgoing-range: $(($rt_conn*32))"
734 echo " num-queries-per-thread: $(($rt_conn*16))"
735 echo " outgoing-num-tcp: $(($rt_conn))"
736 echo " incoming-num-tcp: $(($rt_conn))"
737 echo " rrset-cache-size: $(($rt_mem*256))k"
738 echo " msg-cache-size: $(($rt_mem*128))k"
739 echo " key-cache-size: $(($rt_mem*128))k"
740 echo " neg-cache-size: $(($rt_mem*64))k"
741 echo " infra-cache-numhosts: $(($rt_mem*256))"
742 echo
743 } >> $UB_CORE_CONF
744
745 elif [ "$UB_B_READY" -eq 0 ] ; then
746 logger -t unbound -s "default memory configuration"
747 fi
748
749
750 # Assembly of module-config: options is tricky; order matters
751 modulestring="iterator"
752
753
754 if [ "$UB_B_DNSSEC" -gt 0 ] ; then
755 if [ "$UB_B_NTP_BOOT" -gt 0 ] ; then
756 # DNSSEC chicken and egg with getting NTP time
757 echo " val-override-date: -1" >> $UB_CORE_CONF
758 fi
759
760
761 {
762 echo " harden-dnssec-stripped: yes"
763 echo " val-clean-additional: yes"
764 echo " ignore-cd-flag: yes"
765 } >> $UB_CORE_CONF
766
767
768 modulestring="validator $modulestring"
769 fi
770
771
772 if [ "$UB_B_DNS64" -gt 0 ] ; then
773 echo " dns64-prefix: $UB_IP_DNS64" >> $UB_CORE_CONF
774
775 modulestring="dns64 $modulestring"
776 fi
777
778
779 {
780 # Print final module string
781 echo " module-config: \"$modulestring\""
782 echo
783 } >> $UB_CORE_CONF
784
785
786 case "$UB_D_RECURSION" in
787 passive)
788 {
789 # Some query privacy but "strict" will break some servers
790 if [ "$UB_B_QRY_MINST" -gt 0 \
791 -a "$UB_B_QUERY_MIN" -gt 0 ] ; then
792 echo " qname-minimisation: yes"
793 echo " qname-minimisation-strict: yes"
794 elif [ "$UB_B_QUERY_MIN" -gt 0 ] ; then
795 echo " qname-minimisation: yes"
796 else
797 echo " qname-minimisation: no"
798 fi
799 # Use DNSSEC to quickly understand NXDOMAIN ranges
800 if [ "$UB_B_DNSSEC" -gt 0 ] ; then
801 echo " aggressive-nsec: yes"
802 echo " prefetch-key: no"
803 fi
804 # On demand fetching
805 echo " prefetch: no"
806 echo " target-fetch-policy: \"0 0 0 0 0\""
807 echo
808 } >> $UB_CORE_CONF
809 ;;
810
811 aggressive)
812 {
813 # Some query privacy but "strict" will break some servers
814 if [ "$UB_B_QRY_MINST" -gt 0 \
815 -a "$UB_B_QUERY_MIN" -gt 0 ] ; then
816 echo " qname-minimisation: yes"
817 echo " qname-minimisation-strict: yes"
818 elif [ "$UB_B_QUERY_MIN" -gt 0 ] ; then
819 echo " qname-minimisation: yes"
820 else
821 echo " qname-minimisation: no"
822 fi
823 # Use DNSSEC to quickly understand NXDOMAIN ranges
824 if [ "$UB_B_DNSSEC" -gt 0 ] ; then
825 echo " aggressive-nsec: yes"
826 echo " prefetch-key: yes"
827 fi
828 # Prefetch what can be
829 echo " prefetch: yes"
830 echo " target-fetch-policy: \"3 2 1 0 0\""
831 echo
832 } >> $UB_CORE_CONF
833 ;;
834
835 *)
836 if [ "$UB_B_READY" -eq 0 ] ; then
837 logger -t unbound -s "default recursion configuration"
838 fi
839 ;;
840 esac
841
842
843 {
844 # Reload records more than 20 hours old
845 # DNSSEC 5 minute bogus cool down before retry
846 # Adaptive infrastructure info kept for 15 minutes
847 echo " cache-min-ttl: $UB_TTL_MIN"
848 echo " cache-max-ttl: 72000"
849 echo " val-bogus-ttl: 300"
850 echo " infra-host-ttl: 900"
851 echo
852 } >> $UB_CORE_CONF
853
854
855 if [ "$UB_B_HIDE_BIND" -gt 0 ] ; then
856 {
857 # Block server id and version DNS TXT records
858 echo " hide-identity: yes"
859 echo " hide-version: yes"
860 echo
861 } >> $UB_CORE_CONF
862 fi
863
864
865 if [ "$UB_D_PRIV_BLCK" -gt 0 ] ; then
866 {
867 # Remove _upstream_ or global reponses with private addresses.
868 # Unbounds own "local zone" and "forward zone" may still use these.
869 # RFC1918, RFC3927, RFC4291, RFC6598, RFC6890
870 echo " private-address: 10.0.0.0/8"
871 echo " private-address: 100.64.0.0/10"
872 echo " private-address: 169.254.0.0/16"
873 echo " private-address: 172.16.0.0/12"
874 echo " private-address: 192.168.0.0/16"
875 echo " private-address: fc00::/7"
876 echo " private-address: fe80::/10"
877 echo
878 } >> $UB_CORE_CONF
879 fi
880
881
882 if [ -n "$UB_LIST_NETW_LAN" -a "$UB_D_PRIV_BLCK" -gt 1 ] ; then
883 {
884 for ifsubnet in $UB_LIST_NETW_LAN ; do
885 case $ifsubnet in
886 *@[1-9][0-9a-f][0-9a-f][0-9a-f]:*:[0-9a-f]*)
887 # Remove global DNS responses with your local network IP6 GLA
888 echo " private-address: ${ifsubnet#*@}"
889 ;;
890 esac
891 done
892 echo
893 } >> $UB_CORE_CONF
894 fi
895
896
897 if [ "$UB_B_LOCL_BLCK" -gt 0 ] ; then
898 {
899 # Remove DNS reponses from upstream with loopback IP
900 # Black hole DNS method for ad blocking, so consider...
901 echo " private-address: 127.0.0.0/8"
902 echo " private-address: ::1/128"
903 echo
904 } >> $UB_CORE_CONF
905 fi
906
907
908 if [ -n "$UB_LIST_INSECURE" ] ; then
909 {
910 for domain in $UB_LIST_INSECURE ; do
911 # Except and accept domains without (DNSSEC); work around broken domains
912 echo " domain-insecure: $domain"
913 done
914 echo
915 } >> $UB_CORE_CONF
916 fi
917
918
919 if [ "$UB_B_LOCL_SERV" -gt 0 -a -n "$UB_LIST_NETW_ALL" ] ; then
920 {
921 for ifsubnet in $UB_LIST_NETW_ALL ; do
922 # Only respond to queries from subnets which have an interface.
923 # Prevent DNS amplification attacks by not responding to the universe.
924 echo " access-control: ${ifsubnet#*@} allow"
925 done
926 echo " access-control: 127.0.0.0/8 allow"
927 echo " access-control: ::1/128 allow"
928 echo " access-control: fe80::/10 allow"
929 echo
930 } >> $UB_CORE_CONF
931
932 else
933 {
934 echo " access-control: 0.0.0.0/0 allow"
935 echo " access-control: ::0/0 allow"
936 echo
937 } >> $UB_CORE_CONF
938 fi
939 }
940
941 ##############################################################################
942
943 unbound_hostname() {
944 local ifsubnet ifarpa ifaddr ifname iffqdn
945 local ulaprefix hostfqdn name names namerec ptrrec
946 local zonetype=0
947
948 echo "# $UB_HOST_CONF generated by UCI $( date -Is )" > $UB_HOST_CONF
949
950
951 if [ "$UB_D_DHCP_LINK" = "dnsmasq" ] ; then
952 {
953 echo "# Local zone is handled by dnsmasq"
954 echo
955 } >> $UB_HOST_CONF
956
957 elif [ -n "$UB_TXT_DOMAIN" \
958 -a \( "$UB_D_WAN_FQDN" -gt 0 -o "$UB_D_LAN_FQDN" -gt 0 \) ] ; then
959 case "$UB_D_DOMAIN_TYPE" in
960 deny|inform_deny|refuse|static)
961 {
962 # type static means only this router has your domain
963 echo " domain-insecure: $UB_TXT_DOMAIN"
964 echo " private-domain: $UB_TXT_DOMAIN"
965 echo " local-zone: $UB_TXT_DOMAIN $UB_D_DOMAIN_TYPE"
966 echo " local-data: \"$UB_TXT_DOMAIN. $UB_XSOA\""
967 echo " local-data: \"$UB_TXT_DOMAIN. $UB_XNS\""
968 echo " local-data: '$UB_TXT_DOMAIN. $UB_XTXT'"
969 echo
970 # avoid upstream involvement in RFC6762
971 echo " domain-insecure: local"
972 echo " private-domain: local"
973 echo " local-zone: local $UB_D_DOMAIN_TYPE"
974 echo " local-data: \"local. $UB_XSOA\""
975 echo " local-data: \"local. $UB_XNS\""
976 echo " local-data: 'local. $UB_LTXT'"
977 echo
978 } >> $UB_HOST_CONF
979 zonetype=2
980 ;;
981
982 transparent|typetransparent)
983 {
984 # transparent will permit forward-zone: or stub-zone: clauses
985 echo " private-domain: $UB_TXT_DOMAIN"
986 echo " local-zone: $UB_TXT_DOMAIN $UB_D_DOMAIN_TYPE"
987 echo
988 } >> $UB_HOST_CONF
989 zonetype=1
990 ;;
991 esac
992
993
994 {
995 # Hostname as TLD works, but not transparent through recursion (singular)
996 echo " domain-insecure: $UB_TXT_HOSTNAME"
997 echo " private-domain: $UB_TXT_HOSTNAME"
998 echo " local-zone: $UB_TXT_HOSTNAME static"
999 echo " local-data: \"$UB_TXT_HOSTNAME. $UB_XSOA\""
1000 echo " local-data: \"$UB_TXT_HOSTNAME. $UB_XNS\""
1001 echo " local-data: '$UB_TXT_HOSTNAME. $UB_XTXT'"
1002 echo
1003 } >> $UB_HOST_CONF
1004
1005
1006 if [ -n "$UB_LIST_NETW_WAN" ] ; then
1007 for ifsubnet in $UB_LIST_NETW_WAN ; do
1008 ifaddr=${ifsubnet#*@}
1009 ifaddr=${ifaddr%/*}
1010 ifarpa=$( host_ptr_any "$ifaddr" )
1011
1012
1013 if [ -n "$ifarpa" ] ; then
1014 if [ "$UB_D_WAN_FQDN" -gt 0 ] ; then
1015 {
1016 # Create a static zone for WAN host record only (singular)
1017 echo " domain-insecure: $ifarpa"
1018 echo " private-address: $ifaddr"
1019 echo " local-zone: $ifarpa static"
1020 echo " local-data: \"$ifarpa. $UB_XSOA\""
1021 echo " local-data: \"$ifarpa. $UB_XNS\""
1022 echo " local-data: '$ifarpa. $UB_MTXT'"
1023 echo
1024 } >> $UB_HOST_CONF
1025
1026 elif [ "$zonetype" -gt 0 ] ; then
1027 {
1028 echo " local-zone: $ifarpa transparent"
1029 echo
1030 } >> $UB_HOST_CONF
1031 fi
1032 fi
1033 done
1034 fi
1035
1036
1037 if [ -n "$UB_LIST_NETW_LAN" ] ; then
1038 for ifsubnet in $UB_LIST_NETW_LAN ; do
1039 ifarpa=$( domain_ptr_any "${ifsubnet#*@}" )
1040
1041
1042 if [ -n "$ifarpa" ] ; then
1043 if [ "$zonetype" -eq 2 ] ; then
1044 {
1045 # Do NOT forward queries with your ip6.arpa or in-addr.arpa
1046 echo " domain-insecure: $ifarpa"
1047 echo " local-zone: $ifarpa static"
1048 echo " local-data: \"$ifarpa. $UB_XSOA\""
1049 echo " local-data: \"$ifarpa. $UB_XNS\""
1050 echo " local-data: '$ifarpa. $UB_XTXT'"
1051 echo
1052 } >> $UB_HOST_CONF
1053
1054 elif [ "$zonetype" -eq 1 -a "$UB_D_PRIV_BLCK" -eq 0 ] ; then
1055 {
1056 echo " local-zone: $ifarpa transparent"
1057 echo
1058 } >> $UB_HOST_CONF
1059 fi
1060 fi
1061 done
1062 fi
1063
1064
1065 ulaprefix=$( uci_get network.@globals[0].ula_prefix )
1066 ulaprefix=${ulaprefix%%:/*}
1067 hostfqdn="$UB_TXT_HOSTNAME.$UB_TXT_DOMAIN"
1068
1069
1070 if [ -z "$ulaprefix" ] ; then
1071 # Nonsense so this option isn't globbed below
1072 ulaprefix="fdno:such:addr::"
1073 fi
1074
1075
1076 if [ "$UB_LIST_NETW_LAN" -a "$UB_D_LAN_FQDN" -gt 0 ] ; then
1077 for ifsubnet in $UB_LIST_NETW_LAN ; do
1078 ifaddr=${ifsubnet#*@}
1079 ifaddr=${ifaddr%/*}
1080 ifname=${ifsubnet%@*}
1081 iffqdn="$ifname.$hostfqdn"
1082
1083
1084 if [ "$UB_D_LAN_FQDN" -eq 4 ] ; then
1085 names="$iffqdn $hostfqdn $UB_TXT_HOSTNAME"
1086 ptrrec=" local-data-ptr: \"$ifaddr 300 $iffqdn\""
1087 echo "$ptrrec" >> $UB_HOST_CONF
1088
1089 elif [ "$UB_D_LAN_FQDN" -eq 3 ] ; then
1090 names="$hostfqdn $UB_TXT_HOSTNAME"
1091 ptrrec=" local-data-ptr: \"$ifaddr 300 $hostfqdn\""
1092 echo "$ptrrec" >> $UB_HOST_CONF
1093
1094 else
1095 names="$UB_TXT_HOSTNAME"
1096 ptrrec=" local-data-ptr: \"$ifaddr 300 $UB_TXT_HOSTNAME\""
1097 echo "$ptrrec" >> $UB_HOST_CONF
1098 fi
1099
1100
1101 for name in $names ; do
1102 case $ifaddr in
1103 "${ulaprefix}"*)
1104 # IP6 ULA only is assigned for OPTION 1
1105 namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\""
1106 echo "$namerec" >> $UB_HOST_CONF
1107 ;;
1108
1109 [1-9]*.*[0-9])
1110 namerec=" local-data: \"$name. 300 IN A $ifaddr\""
1111 echo "$namerec" >> $UB_HOST_CONF
1112 ;;
1113
1114 *)
1115 if [ "$UB_D_LAN_FQDN" -gt 1 ] ; then
1116 # IP6 GLA is assigned for higher options
1117 namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\""
1118 echo "$namerec" >> $UB_HOST_CONF
1119 fi
1120 ;;
1121 esac
1122 done
1123 echo >> $UB_HOST_CONF
1124 done
1125 fi
1126
1127
1128 if [ -n "$UB_LIST_NETW_WAN" -a "$UB_D_WAN_FQDN" -gt 0 ] ; then
1129 for ifsubnet in $UB_LIST_NETW_WAN ; do
1130 ifaddr=${ifsubnet#*@}
1131 ifaddr=${ifaddr%/*}
1132 ifname=${ifsubnet%@*}
1133 iffqdn="$ifname.$hostfqdn"
1134
1135
1136 if [ "$UB_D_WAN_FQDN" -eq 4 ] ; then
1137 names="$iffqdn $hostfqdn $UB_TXT_HOSTNAME"
1138 ptrrec=" local-data-ptr: \"$ifaddr 300 $iffqdn\""
1139 echo "$ptrrec" >> $UB_HOST_CONF
1140
1141 elif [ "$UB_D_WAN_FQDN" -eq 3 ] ; then
1142 names="$hostfqdn $UB_TXT_HOSTNAME"
1143 ptrrec=" local-data-ptr: \"$ifaddr 300 $hostfqdn\""
1144 echo "$ptrrec" >> $UB_HOST_CONF
1145
1146 else
1147 names="$UB_TXT_HOSTNAME"
1148 ptrrec=" local-data-ptr: \"$ifaddr 300 $UB_TXT_HOSTNAME\""
1149 echo "$ptrrec" >> $UB_HOST_CONF
1150 fi
1151
1152
1153 for name in $names ; do
1154 case $ifaddr in
1155 "${ulaprefix}"*)
1156 # IP6 ULA only is assigned for OPTION 1
1157 namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\""
1158 echo "$namerec" >> $UB_HOST_CONF
1159 ;;
1160
1161 [1-9]*.*[0-9])
1162 namerec=" local-data: \"$name. 300 IN A $ifaddr\""
1163 echo "$namerec" >> $UB_HOST_CONF
1164 ;;
1165
1166 *)
1167 if [ "$UB_D_WAN_FQDN" -gt 1 ] ; then
1168 # IP6 GLA is assigned for higher options
1169 namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\""
1170 echo "$namerec" >> $UB_HOST_CONF
1171 fi
1172 ;;
1173 esac
1174 done
1175 echo >> $UB_HOST_CONF
1176 done
1177 fi
1178 fi # end if uci valid
1179 }
1180
1181 ##############################################################################
1182
1183 unbound_uci() {
1184 local cfg="$1"
1185 local dnsmasqpath hostnm
1186
1187 hostnm=$( uci_get system.@system[0].hostname | awk '{print tolower($0)}' )
1188 UB_TXT_HOSTNAME=${hostnm:-thisrouter}
1189
1190 config_get_bool UB_B_SLAAC6_MAC "$cfg" dhcp4_slaac6 0
1191 config_get_bool UB_B_DNS64 "$cfg" dns64 0
1192 config_get_bool UB_B_EXT_STATS "$cfg" extended_stats 0
1193 config_get_bool UB_B_HIDE_BIND "$cfg" hide_binddata 1
1194 config_get_bool UB_B_LOCL_SERV "$cfg" localservice 1
1195 config_get_bool UB_B_MAN_CONF "$cfg" manual_conf 0
1196 config_get_bool UB_B_QUERY_MIN "$cfg" query_minimize 0
1197 config_get_bool UB_B_QRY_MINST "$cfg" query_min_strict 0
1198 config_get_bool UB_B_AUTH_ROOT "$cfg" prefetch_root 0
1199 config_get_bool UB_B_LOCL_BLCK "$cfg" rebind_localhost 0
1200 config_get_bool UB_B_DNSSEC "$cfg" validator 0
1201 config_get_bool UB_B_NTP_BOOT "$cfg" validator_ntp 1
1202
1203 config_get UB_IP_DNS64 "$cfg" dns64_prefix "64:ff9b::/96"
1204
1205 config_get UB_N_EDNS_SIZE "$cfg" edns_size 1280
1206 config_get UB_N_RX_PORT "$cfg" listen_port 53
1207 config_get UB_N_ROOT_AGE "$cfg" root_age 9
1208
1209 config_get UB_D_CONTROL "$cfg" unbound_control 0
1210 config_get UB_D_DOMAIN_TYPE "$cfg" domain_type static
1211 config_get UB_D_DHCP_LINK "$cfg" dhcp_link none
1212 config_get UB_D_EXTRA_DNS "$cfg" add_extra_dns 0
1213 config_get UB_D_LAN_FQDN "$cfg" add_local_fqdn 0
1214 config_get UB_D_PRIV_BLCK "$cfg" rebind_protection 1
1215 config_get UB_D_PROTOCOL "$cfg" protocol mixed
1216 config_get UB_D_RECURSION "$cfg" recursion passive
1217 config_get UB_D_RESOURCE "$cfg" resource small
1218 config_get UB_D_VERBOSE "$cfg" verbosity 1
1219 config_get UB_D_WAN_FQDN "$cfg" add_wan_fqdn 0
1220
1221 config_get UB_TTL_MIN "$cfg" ttl_min 120
1222 config_get UB_TXT_DOMAIN "$cfg" domain lan
1223
1224 config_list_foreach "$cfg" domain_insecure bundle_domain_insecure
1225
1226
1227 if [ "$UB_D_DHCP_LINK" = "none" ] ; then
1228 config_get_bool UB_B_DNSMASQ "$cfg" dnsmasq_link_dns 0
1229
1230
1231 if [ "$UB_B_DNSMASQ" -gt 0 ] ; then
1232 UB_D_DHCP_LINK=dnsmasq
1233
1234
1235 if [ "$UB_B_READY" -eq 0 ] ; then
1236 logger -t unbound -s "Please use 'dhcp_link' selector instead"
1237 fi
1238 fi
1239 fi
1240
1241
1242 if [ "$UB_D_DHCP_LINK" = "dnsmasq" ] ; then
1243 if [ ! -x /usr/sbin/dnsmasq -o ! -x /etc/init.d/dnsmasq ] ; then
1244 UB_D_DHCP_LINK=none
1245 else
1246 /etc/init.d/dnsmasq enabled || UB_D_DHCP_LINK=none
1247 fi
1248
1249
1250 if [ "$UB_B_READY" -eq 0 -a "$UB_D_DHCP_LINK" = "none" ] ; then
1251 logger -t unbound -s "cannot forward to dnsmasq"
1252 fi
1253 fi
1254
1255
1256 if [ "$UB_D_DHCP_LINK" = "odhcpd" ] ; then
1257 if [ ! -x /usr/sbin/odhcpd -o ! -x /etc/init.d/odhcpd ] ; then
1258 UB_D_DHCP_LINK=none
1259 else
1260 /etc/init.d/odhcpd enabled || UB_D_DHCP_LINK=none
1261 fi
1262
1263
1264 if [ "$UB_B_READY" -eq 0 -a "$UB_D_DHCP_LINK" = "none" ] ; then
1265 logger -t unbound -s "cannot receive records from odhcpd"
1266 fi
1267 fi
1268
1269
1270 if [ "$UB_N_EDNS_SIZE" -lt 512 \
1271 -o 4096 -lt "$UB_N_EDNS_SIZE" ] ; then
1272 logger -t unbound -s "edns_size exceeds range, using default"
1273 UB_N_EDNS_SIZE=1280
1274 fi
1275
1276
1277 if [ "$UB_N_RX_PORT" -ne 53 \
1278 -a \( "$UB_N_RX_PORT" -lt 1024 -o 10240 -lt "$UB_N_RX_PORT" \) ] ; then
1279 logger -t unbound -s "privileged port or in 5 digits, using default"
1280 UB_N_RX_PORT=53
1281 fi
1282
1283
1284 if [ "$UB_TTL_MIN" -gt 1800 ] ; then
1285 logger -t unbound -s "ttl_min could have had awful side effects, using 300"
1286 UB_TTL_MIN=300
1287 fi
1288 }
1289
1290 ##############################################################################
1291
1292 unbound_include() {
1293 local adb_enabled
1294 local adb_files=$( ls $UB_VARDIR/adb_list.* 2>/dev/null )
1295
1296 echo "# $UB_TOTAL_CONF generated by UCI $( date -Is )" > $UB_TOTAL_CONF
1297
1298
1299 if [ -f "$UB_CORE_CONF" ] ; then
1300 # Yes this all looks busy, but it is in TMPFS. Working on separate files
1301 # and piecing together is easier. UCI order is less constrained.
1302 cat $UB_CORE_CONF >> $UB_TOTAL_CONF
1303 rm $UB_CORE_CONF
1304 fi
1305
1306
1307 if [ -f "$UB_HOST_CONF" ] ; then
1308 # UCI definitions of local host or local subnet
1309 cat $UB_HOST_CONF >> $UB_TOTAL_CONF
1310 rm $UB_HOST_CONF
1311 fi
1312
1313
1314 if [ -f $UB_SRVMASQ_CONF ] ; then
1315 # UCI found link to dnsmasq
1316 cat $UB_SRVMASQ_CONF >> $UB_TOTAL_CONF
1317 rm $UB_SRVMASQ_CONF
1318 fi
1319
1320
1321 if [ -f "$UB_DHCP_CONF" ] ; then
1322 {
1323 # Seed DHCP records because dhcp scripts trigger externally
1324 # Incremental Unbound restarts may drop unbound-control records
1325 echo "include: $UB_DHCP_CONF"
1326 echo
1327 }>> $UB_TOTAL_CONF
1328 fi
1329
1330
1331 if [ -z "$adb_files" \
1332 -o ! -x /usr/bin/adblock.sh -o ! -x /etc/init.d/adblock ] ; then
1333 adb_enabled=0
1334
1335 elif /etc/init.d/adblock enabled ; then
1336 adb_enabled=1
1337 {
1338 # Pull in your selected openwrt/pacakges/net/adblock generated lists
1339 echo "include: $UB_VARDIR/adb_list.*"
1340 echo
1341 } >> $UB_TOTAL_CONF
1342
1343 else
1344 adb_enabled=0
1345 fi
1346
1347
1348 if [ -f $UB_SRV_CONF ] ; then
1349 {
1350 # Pull your own "server:" options here
1351 echo "include: $UB_SRV_CONF"
1352 echo
1353 }>> $UB_TOTAL_CONF
1354 fi
1355
1356
1357 if [ -f "$UB_ZONE_CONF" ] ; then
1358 # UCI defined forward, stub, and auth zones
1359 cat $UB_ZONE_CONF >> $UB_TOTAL_CONF
1360 rm $UB_ZONE_CONF
1361 fi
1362
1363
1364 if [ -f "$UB_CTRL_CONF" ] ; then
1365 # UCI defined control application connection
1366 cat $UB_CTRL_CONF >> $UB_TOTAL_CONF
1367 rm $UB_CTRL_CONF
1368 fi
1369
1370
1371 if [ -f "$UB_EXTMASQ_CONF" ] ; then
1372 # UCI found link to dnsmasq
1373 cat $UB_EXTMASQ_CONF >> $UB_TOTAL_CONF
1374 rm $UB_EXTMASQ_CONF
1375 fi
1376
1377
1378 if [ -f "$UB_EXT_CONF" ] ; then
1379 {
1380 # Pull your own extend feature clauses here
1381 echo "include: $UB_EXT_CONF"
1382 echo
1383 } >> $UB_TOTAL_CONF
1384 fi
1385 }
1386
1387 ##############################################################################
1388
1389 resolv_setup() {
1390 if [ "$UB_N_RX_PORT" != "53" ] ; then
1391 return
1392
1393 elif [ -x /etc/init.d/dnsmasq ] \
1394 && /etc/init.d/dnsmasq enabled \
1395 && nslookup localhost 127.0.0.1#53 >/dev/null 2>&1 ; then
1396 # unbound is configured for port 53, but dnsmasq is enabled and a resolver
1397 # listens on localhost:53, lets assume dnsmasq manages the resolver file.
1398 # TODO:
1399 # really check if dnsmasq runs a local (main) resolver in stead of using
1400 # nslookup that times out when no resolver listens on localhost:53.
1401 return
1402 fi
1403
1404
1405 # unbound is designated to listen on 127.0.0.1#53,
1406 # set resolver file to local.
1407 rm -f /tmp/resolv.conf
1408
1409 {
1410 echo "# /tmp/resolv.conf generated by Unbound UCI $( date -Is )"
1411 echo "nameserver 127.0.0.1"
1412 echo "nameserver ::1"
1413 echo "search $UB_TXT_DOMAIN."
1414 } > /tmp/resolv.conf
1415 }
1416
1417 ##############################################################################
1418
1419 unbound_start() {
1420 config_load unbound
1421 config_foreach unbound_uci unbound
1422 unbound_mkdir
1423
1424
1425 if [ "$UB_B_MAN_CONF" -eq 0 ] ; then
1426 # iterate zones before we load other UCI
1427 # forward-zone: auth-zone: and stub-zone:
1428 config_foreach unbound_zone zone
1429 # associate potential DNS RR with interfaces
1430 config_load network
1431 config_foreach bundle_all_networks interface
1432 config_load dhcp
1433 config_foreach bundle_lan_networks dhcp
1434 bundle_wan_networks
1435 # server:
1436 unbound_conf
1437 unbound_hostname
1438 # control:
1439 unbound_control
1440 # dnsmasq
1441 dnsmasq_link
1442 # merge
1443 unbound_include
1444 fi
1445
1446
1447 resolv_setup
1448 }
1449
1450 ##############################################################################
1451
Mirror of packages feed