Merge pull request #8518 from neheb/i
[feed/packages.git] / net / unbound / files / unbound.sh
1 #!/bin/sh
2 ##############################################################################
3 #
4 # This program is free software; you can redistribute it and/or modify
5 # it under the terms of the GNU General Public License version 2 as
6 # published by the Free Software Foundation.
7 #
8 # This program is distributed in the hope that it will be useful,
9 # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 # GNU General Public License for more details.
12 #
13 # Copyright (C) 2016 Eric Luehrsen
14 #
15 ##############################################################################
16 #
17 # Unbound is a full featured recursive server with many options. The UCI
18 # provided tries to simplify and bundle options. This should make Unbound
19 # easier to deploy. Even light duty routers may resolve recursively instead of
20 # depending on a stub with the ISP. The UCI also attempts to replicate dnsmasq
21 # features as used in base LEDE/OpenWrt. If there is a desire for more
22 # detailed tuning, then manual conf file overrides are also made available.
23 #
24 ##############################################################################
25
# Defaults for every UCI driven switch. unbound_uci() below overwrites each
# of these from the matching option of the unbound config section, so the
# values here only matter when that option is absent.

# Boolean switches (UB_B_*): 0 or 1
UB_B_SLAAC6_MAC=0   # option dhcp4_slaac6
UB_B_DNSSEC=0       # option validator
UB_B_DNS64=0        # option dns64
UB_B_EXT_STATS=0    # option extended_stats
UB_B_GATE_NAME=0
UB_B_HIDE_BIND=1    # option hide_binddata
UB_B_LOCL_BLCK=0    # option rebind_localhost
UB_B_LOCL_SERV=1    # option localservice
UB_B_MAN_CONF=0     # option manual_conf
UB_B_NTP_BOOT=1     # option validator_ntp
UB_B_QUERY_MIN=0    # option query_minimize
UB_B_QRY_MINST=0    # option query_min_strict
UB_B_AUTH_ROOT=0    # option prefetch_root

# Discrete choices (UB_D_*): small integers or keywords
UB_D_CONTROL=0           # option unbound_control
UB_D_DOMAIN_TYPE=static  # option domain_type
UB_D_DHCP_LINK=none      # option dhcp_link
UB_D_EXTRA_DNS=0         # option add_extra_dns
UB_D_LAN_FQDN=0          # option add_local_fqdn
UB_D_PRIV_BLCK=1         # option rebind_protection
UB_D_PROTOCOL=mixed      # option protocol
UB_D_RESOURCE=small      # option resource
UB_D_RECURSION=passive   # option recursion
UB_D_VERBOSE=1           # option verbosity
UB_D_WAN_FQDN=0          # option add_wan_fqdn

# Addresses, numbers and text
UB_IP_DNS64="64:ff9b::/96"  # option dns64_prefix

UB_N_EDNS_SIZE=1280  # option edns_size
UB_N_RX_PORT=53      # option listen_port
UB_N_ROOT_AGE=9      # option root_age

UB_TTL_MIN=120              # option ttl_min
UB_TXT_DOMAIN=lan           # option domain
UB_TXT_HOSTNAME=thisrouter  # system hostname, lower cased
61
62 ##############################################################################
63
# Set together with UB_B_NTP_BOOT from the time stamp file in unbound_mkdir():
# 1 once the device is known to have a trustworthy clock.
UB_B_READY=1

# Accumulators filled by the bundle_*() callbacks while resource records are
# collected. The NETW lists hold "ifname@subnet" words; the ZONE lists are
# emptied again by unbound_zone() for every zone section.
UB_LIST_NETW_ALL=""
UB_LIST_NETW_LAN=""
UB_LIST_NETW_WAN=""
UB_LIST_INSECURE=""
UB_LIST_ZONE_SERVERS=""
UB_LIST_ZONE_NAMES=""
74
75 ##############################################################################
76
77 . /lib/functions.sh
78 . /lib/functions/network.sh
79
80 . /usr/lib/unbound/defaults.sh
81 . /usr/lib/unbound/dnsmasq.sh
82 . /usr/lib/unbound/iptools.sh
83
84 ##############################################################################
85
bundle_all_networks() {
  # Collect every IPv4 and IPv6 subnet of the network interface section "$1"
  # into UB_LIST_NETW_ALL as "<device>@<subnet>" words; dots in the device
  # name are turned into dashes. Subnets that valid_subnet_any() does not
  # report as "ok" are dropped.
  # Arguments: $1 - network interface config section
  # Globals written: UB_LIST_NETW_ALL (appended)
  local cfg="$1"
  local dev tag net_item nets4 nets6

  network_get_subnets nets4 "$cfg"
  network_get_subnets6 nets6 "$cfg"
  network_get_device dev "$cfg"
  tag="${dev//./-}"

  # word split on purpose: both helpers hand back space separated lists
  for net_item in $nets4 $nets6 ; do
    [ "$( valid_subnet_any "$net_item" )" = "ok" ] || continue
    UB_LIST_NETW_ALL="$UB_LIST_NETW_ALL $tag@$net_item"
  done
}
110
111 ##############################################################################
112
bundle_lan_networks() {
  # For a config section "$1" carrying "interface" and "ignore" options,
  # copy every UB_LIST_NETW_ALL word that belongs to that interface's device
  # into UB_LIST_NETW_LAN. Sections marked ignore contribute nothing.
  # Arguments: $1 - config section name
  # Globals read: UB_LIST_NETW_ALL; written: UB_LIST_NETW_LAN (appended)
  local cfg="$1"
  local iface dev tag skip entry

  config_get_bool skip "$cfg" ignore 0
  config_get iface "$cfg" interface ""
  network_get_device dev "$iface"
  tag="${dev//./-}"

  [ "$skip" -eq 0 ] || return 0
  [ -n "$tag" ] || return 0

  for entry in $UB_LIST_NETW_ALL ; do
    case "$entry" in
      "${tag}"@*)
        # Special GLA protection for local block; ULA protected as a category
        UB_LIST_NETW_LAN="$UB_LIST_NETW_LAN $entry"
        ;;
    esac
  done
}
134
135 ##############################################################################
136
bundle_wan_networks() {
  # Everything in UB_LIST_NETW_ALL that did not end up in UB_LIST_NETW_LAN
  # is treated as WAN and appended to UB_LIST_NETW_WAN.
  # Globals read: UB_LIST_NETW_ALL UB_LIST_NETW_LAN
  # Globals written: UB_LIST_NETW_WAN (appended)
  local entry

  for entry in $UB_LIST_NETW_ALL ; do
    case "$UB_LIST_NETW_LAN" in
      *"${entry}"*)
        # If LAN, then not WAN ...
        continue
        ;;
    esac
    UB_LIST_NETW_WAN="$UB_LIST_NETW_WAN $entry"
  done
}
155
156 ##############################################################################
157
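bundle_resolv_conf_servers() {
  # Append the "nameserver" addresses from the resolv.conf the WAN handed
  # down to UB_LIST_ZONE_SERVERS.
  # Arguments: $1 - optional path of the resolv.conf to read
  #                 (default /tmp/resolv.conf.auto, as before)
  # Globals written: UB_LIST_ZONE_SERVERS (appended; nothing useful is
  #   added when the file is missing or unreadable)
  local resolv_file="${1:-/tmp/resolv.conf.auto}"
  local resolvers=""

  if [ -r "$resolv_file" ] ; then
    # only real "nameserver" directives: a comment or a search domain that
    # merely contains the word must not turn into an upstream server
    resolvers=$( awk '$1 == "nameserver" { print $2 }' "$resolv_file" )
  fi

  UB_LIST_ZONE_SERVERS="$UB_LIST_ZONE_SERVERS $resolvers"
}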
162
163 ##############################################################################
164
bundle_zone_names() {
  # config_list_foreach callback: add one zone name to the per-zone list.
  # Arguments: $1 - zone name
  # Globals written: UB_LIST_ZONE_NAMES (appended)
  local zone_name="$1"
  UB_LIST_ZONE_NAMES="${UB_LIST_ZONE_NAMES} ${zone_name}"
}
168
169 ##############################################################################
170
bundle_zone_servers() {
  # config_list_foreach callback: add one server (address or host name,
  # optionally with @port) to the per-zone server list.
  # Arguments: $1 - server
  # Globals written: UB_LIST_ZONE_SERVERS (appended)
  local server="$1"
  UB_LIST_ZONE_SERVERS="${UB_LIST_ZONE_SERVERS} ${server}"
}
174
175 ##############################################################################
176
bundle_domain_insecure() {
  # config_list_foreach callback: remember a domain that is to be excused
  # from DNSSEC validation (written as domain-insecure: by unbound_conf()).
  # Arguments: $1 - domain name
  # Globals written: UB_LIST_INSECURE (appended)
  local domain="$1"
  UB_LIST_INSECURE="${UB_LIST_INSECURE} ${domain}"
}
180
181 ##############################################################################
182
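unbound_mkdir() {
  # Prepare the working/chroot directory UB_VARDIR for this run:
  #  - create the odhcpd lease directory when dhcp_link is "odhcpd"
  #  - keep an RFC 5011 validated trust anchor across the blind copy
  #  - copy /etc/unbound into UB_VARDIR, seed root hints and trust anchor
  #  - copy the TLS cert bundle into the jail
  #  - fix ownership/permissions; create remote-control keys when asked for
  #  - derive UB_B_READY / UB_B_NTP_BOOT from the UB_TIME_FILE stamp
  # Globals read: UB_D_DHCP_LINK UB_D_CONTROL UB_B_NTP_BOOT and the path
  #   variables (UB_VARDIR UB_TOTAL_CONF UB_*_FILE UB_ANCHOR UB_TIME_FILE)
  #   defined outside this file, presumably in defaults.sh
  # Globals written: UB_B_READY UB_B_NTP_BOOT
  # Outputs: file system changes only; logs chosen defaults via logger when
  #   UB_B_READY is 0
  local filestuff dhcp_origin dhcp_dir

  if [ "$UB_D_DHCP_LINK" = "odhcpd" ] ; then
    dhcp_origin=$( uci_get dhcp.@odhcpd[0].leasefile )

    # an unset leasefile must not turn into 'dirname' with no argument and
    # then 'mkdir -p ""'; simply skip the directory step in that case
    if [ -n "$dhcp_origin" ] ; then
      dhcp_dir=$( dirname "$dhcp_origin" )

      if [ ! -d "$dhcp_dir" ] ; then
        # make sure odhcpd has a directory to write (not done itself, yet)
        mkdir -p "$dhcp_dir"
      fi
    fi
  fi


  if [ -f "$UB_RKEY_FILE" ] ; then
    filestuff=$( cat "$UB_RKEY_FILE" )

    case "$filestuff" in
      *"state=2 [ VALID ]"*)
        # Lets not lose RFC 5011 tracking if we don't have to
        cp -p "$UB_RKEY_FILE" "$UB_RKEY_FILE.keep"
        ;;
    esac
  fi


  # Blind copy /etc/unbound to /var/lib/unbound
  mkdir -p "$UB_VARDIR"
  rm -f "$UB_VARDIR"/dhcp_*
  touch "$UB_TOTAL_CONF"
  cp -p /etc/unbound/* "$UB_VARDIR/"


  if [ ! -f "$UB_RHINT_FILE" ] ; then
    if [ -f /usr/share/dns/root.hints ] ; then
      # Debian-like package dns-root-data
      cp -p /usr/share/dns/root.hints "$UB_RHINT_FILE"

    elif [ "$UB_B_READY" -eq 0 ] ; then
      logger -t unbound -s "default root hints (built in root-servers.net)"
    fi
  fi


  if [ ! -f "$UB_RKEY_FILE" ] ; then
    if [ -f /usr/share/dns/root.key ] ; then
      # Debian-like package dns-root-data
      cp -p /usr/share/dns/root.key "$UB_RKEY_FILE"

    elif [ -x "$UB_ANCHOR" ] ; then
      # unbound-anchor fetches/validates the root trust anchor
      "$UB_ANCHOR" -a "$UB_RKEY_FILE"

    elif [ "$UB_B_READY" -eq 0 ] ; then
      logger -t unbound -s "default trust anchor (built in root DS record)"
    fi
  fi


  if [ -f "$UB_RKEY_FILE.keep" ] ; then
    # root.key.keep is reused if newest
    cp -u "$UB_RKEY_FILE.keep" "$UB_RKEY_FILE"
    rm -f "$UB_RKEY_FILE.keep"
  fi


  if [ -f "$UB_TLS_ETC_FILE" ] ; then
    # copy the cert bundle into jail
    cp -p "$UB_TLS_ETC_FILE" "$UB_TLS_FWD_FILE"
  fi


  # Ensure access and prepare to jail
  chown -R unbound:unbound "$UB_VARDIR"
  chmod 755 "$UB_VARDIR"
  chmod 644 "$UB_VARDIR"/*


  if [ -f "$UB_CTLKEY_FILE" ] || [ -f "$UB_CTLPEM_FILE" ] \
    || [ -f "$UB_SRVKEY_FILE" ] || [ -f "$UB_SRVPEM_FILE" ] ; then
    # Keys (some) exist already; do not create new ones.
    # The blanket chmod 644 above also covers any key file that lives in
    # UB_VARDIR, so the private key material is tightened again here.
    chmod 640 "$UB_CTLKEY_FILE" "$UB_CTLPEM_FILE" \
      "$UB_SRVKEY_FILE" "$UB_SRVPEM_FILE"

  elif [ -x /usr/sbin/unbound-control-setup ] ; then
    case "$UB_D_CONTROL" in
      [2-3])
        # unbound-control-setup for encrypt opt. 2 and 3, but not 4 "static"
        /usr/sbin/unbound-control-setup -d "$UB_VARDIR"

        chown -R unbound:unbound "$UB_CTLKEY_FILE" "$UB_CTLPEM_FILE" \
          "$UB_SRVKEY_FILE" "$UB_SRVPEM_FILE"

        chmod 640 "$UB_CTLKEY_FILE" "$UB_CTLPEM_FILE" \
          "$UB_SRVKEY_FILE" "$UB_SRVPEM_FILE"

        # keep the generated key material outside the jail as well, so the
        # next blind copy of /etc/unbound brings the same keys back
        cp -p "$UB_CTLKEY_FILE" /etc/unbound/unbound_control.key
        cp -p "$UB_CTLPEM_FILE" /etc/unbound/unbound_control.pem
        cp -p "$UB_SRVKEY_FILE" /etc/unbound/unbound_server.key
        cp -p "$UB_SRVPEM_FILE" /etc/unbound/unbound_server.pem
        ;;
    esac
  fi


  if [ -f "$UB_TIME_FILE" ] ; then
    # NTP is done so its like you actually had an RTC
    UB_B_READY=1
    UB_B_NTP_BOOT=0

  elif [ "$UB_B_NTP_BOOT" -eq 0 ] ; then
    # time is considered okay on this device (ignore /etc/hotplug/ntpd/unbound)
    date -Is > "$UB_TIME_FILE"
    UB_B_READY=0
    UB_B_NTP_BOOT=0

  else
    # DNSSEC-TIME will not reconcile
    UB_B_READY=0
    UB_B_NTP_BOOT=1
  fi
}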
307
308 ##############################################################################
309
unbound_control() {
  # Write the remote-control: clause of UB_CTRL_CONF according to
  # UB_D_CONTROL: 0 nothing, 1 localhost without certificates, 2 localhost
  # with certificates, 3 and 4 every interface with certificates. Modes 2-4
  # fall back to 0 when any of the four key/cert files is missing.
  # Globals read: UB_D_CONTROL UB_CTRL_CONF UB_CTLKEY_FILE UB_CTLPEM_FILE
  #   UB_SRVKEY_FILE UB_SRVPEM_FILE
  # Globals written: UB_D_CONTROL (reset to 0 when keys are missing)
  # Outputs: overwrites UB_CTRL_CONF
  local keyfile

  printf '# %s generated by UCI %s\n' "$UB_CTRL_CONF" "$( date -Is )" > "$UB_CTRL_CONF"


  if [ "$UB_D_CONTROL" -gt 1 ] ; then
    # Key files need to be present; if unbound-control-setup was found, then
    # they might have been made during unbound_makedir() above.
    for keyfile in "$UB_CTLKEY_FILE" "$UB_CTLPEM_FILE" \
      "$UB_SRVKEY_FILE" "$UB_SRVPEM_FILE" ; do
      [ -f "$keyfile" ] || UB_D_CONTROL=0
    done
  fi


  case "$UB_D_CONTROL" in
    1)
      # Local Host Only Unencrypted Remote Control
      printf '%s\n' \
        "remote-control:" \
        " control-enable: yes" \
        " control-use-cert: no" \
        " control-interface: 127.0.0.1" \
        " control-interface: ::1" \
        "" >> "$UB_CTRL_CONF"
      ;;

    2|[3-4])
      if [ "$UB_D_CONTROL" -eq 2 ] ; then
        # Local Host Only Encrypted Remote Control
        set -- " control-interface: 127.0.0.1" " control-interface: ::1"
      else
        # Network Encrypted Remote Control
        # (3) may auto setup and (4) must have static key/pem files
        # The wildcard bind exposes the control port on every interface;
        # only the client certificate check keeps it from being an open
        # control channel, so the firewall must also limit who reaches it.
        # TODO: add UCI list for interfaces to bind
        set -- " control-interface: 0.0.0.0" " control-interface: ::0"
      fi

      printf '%s\n' \
        "remote-control:" \
        " control-enable: yes" \
        " control-use-cert: yes" \
        "$@" \
        " server-key-file: $UB_SRVKEY_FILE" \
        " server-cert-file: $UB_SRVPEM_FILE" \
        " control-key-file: $UB_CTLKEY_FILE" \
        " control-cert-file: $UB_CTLPEM_FILE" \
        "" >> "$UB_CTRL_CONF"
      ;;
  esac
}
372
373 ##############################################################################
374
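unbound_zone() {
  # Callback for one "zone" config section: append an auth-zone:,
  # forward-zone: or stub-zone: clause (per option zone_type) to UB_ZONE_CONF.
  # Disabled sections write nothing. UB_ZONE_CONF gets its header on first use.
  # Arguments: $1 - zone config section name
  # Globals read: UB_B_NTP_BOOT UB_TLS_FWD_FILE UB_ZONE_CONF
  # Globals written: UB_LIST_ZONE_NAMES UB_LIST_ZONE_SERVERS (emptied per
  #   zone, then refilled through the bundle_zone_*() callbacks)
  # Outputs: appends to UB_ZONE_CONF
  local cfg="$1"
  local servers_ip=""
  local servers_host=""
  local zone_sym zone_name zonename zone_type zone_enabled zone_file
  # resolv_conf and zonename were left global before; keep them local so a
  # zone section cannot clobber variables of the caller
  local tls_upstream fallback resolv_conf
  local server port tls_port tls_index tls_suffix url_dir

  if [ ! -f "$UB_ZONE_CONF" ] ; then
    echo "# $UB_ZONE_CONF generated by UCI $( date -Is )" > "$UB_ZONE_CONF"
  fi


  config_get_bool zone_enabled "$cfg" enabled 0


  if [ "$zone_enabled" -eq 1 ] ; then
    # these lists are built for each zone; empty to start
    UB_LIST_ZONE_NAMES=""
    UB_LIST_ZONE_SERVERS=""

    config_get zone_type "$cfg" zone_type ""
    config_get port "$cfg" port ""
    config_get tls_index "$cfg" tls_index ""
    config_get tls_port "$cfg" tls_port 853
    config_get url_dir "$cfg" url_dir ""

    config_get_bool resolv_conf "$cfg" resolv_conf 0
    config_get_bool fallback "$cfg" fallback 1
    config_get_bool tls_upstream "$cfg" tls_upstream 0

    config_list_foreach "$cfg" zone_name bundle_zone_names
    config_list_foreach "$cfg" server bundle_zone_servers

    # string formatting for Unbound syntax: "@port#auth-name" for TLS servers
    tls_suffix="${tls_port:+@${tls_port}${tls_index:+#${tls_index}}}"
    [ "$fallback" -eq 0 ] && fallback=no || fallback=yes
    [ "$tls_upstream" -eq 0 ] && tls_upstream=no || tls_upstream=yes


    if [ "$resolv_conf" -eq 1 ] ; then
      # also use the resolvers the WAN handed down
      bundle_resolv_conf_servers
    fi

  else
    zone_type=skip
  fi


  case "$zone_type" in
    auth_zone)
      if [ "$UB_B_NTP_BOOT" -eq 0 ] && [ -n "$UB_LIST_ZONE_NAMES" ] \
        && { [ -n "$url_dir" ] || [ -n "$UB_LIST_ZONE_SERVERS" ] ; } ; then
        # Note AXFR may have large downloads. If NTP restart is configured,
        # then this can cause procd to force a process kill.
        for zone_name in $UB_LIST_ZONE_NAMES ; do
          if [ "$zone_name" = "." ] ; then
            zone_sym=.
            zone_name=root
            zone_file=root.zone
          else
            zone_sym=$zone_name
            zone_file=$zone_name.zone
            # a zone name written with a trailing dot would give "name..zone"
            zone_file=${zone_file//../.}
          fi


          {
            # generate an auth-zone: with switches for prefetch cache
            echo "auth-zone:"
            echo " name: $zone_sym"
            for server in $UB_LIST_ZONE_SERVERS ; do
              echo " master: $server${port:+@${port}}"
            done
            if [ -n "$url_dir" ] ; then
              echo " url: $url_dir$zone_file"
            fi
            echo " fallback-enabled: $fallback"
            echo " for-downstream: no"
            echo " for-upstream: yes"
            echo " zonefile: $zone_file"
            echo
          } >> "$UB_ZONE_CONF"
        done
      fi
      ;;

    forward_zone)
      if [ ! -f "$UB_TLS_FWD_FILE" ] && [ "$tls_upstream" = "yes" ] ; then
        # without a CA bundle the upstream TLS server is not authenticated
        logger -p 4 -t unbound -s \
          "Forward-zone TLS benefits from authentication in package 'ca-bundle'"
      fi


      if [ -n "$UB_LIST_ZONE_NAMES" ] && [ -n "$UB_LIST_ZONE_SERVERS" ] ; then
        for server in $UB_LIST_ZONE_SERVERS ; do
          if [ "$( valid_subnet_any "$server" )" = "not" ] ; then
            # not an address: a host name, optionally already carrying @port
            case "$server" in
              *@[0-9]*)
                # unique Unbound option for server host name
                servers_host="$servers_host $server"
                ;;

              *)
                if [ "$tls_upstream" = "yes" ] ; then
                  servers_host="$servers_host $server${tls_port:+@${tls_port}}"
                else
                  servers_host="$servers_host $server${port:+@${port}}"
                fi
                ;;
            esac

          else
            case "$server" in
              *[0-9]@[0-9]*)
                # unique Unbound option for server address
                servers_ip="$servers_ip $server"
                ;;

              *)
                if [ "$tls_upstream" = "yes" ] ; then
                  servers_ip="$servers_ip $server$tls_suffix"
                else
                  servers_ip="$servers_ip $server${port:+@${port}}"
                fi
                ;;
            esac
          fi
        done


        for zonename in $UB_LIST_ZONE_NAMES ; do
          {
            # generate a forward-zone with or without tls
            echo "forward-zone:"
            echo " name: $zonename"
            for server in $servers_host ; do
              echo " forward-host: $server"
            done
            for server in $servers_ip ; do
              echo " forward-addr: $server"
            done
            echo " forward-first: $fallback"
            echo " forward-tls-upstream: $tls_upstream"
            echo
          } >> "$UB_ZONE_CONF"
        done
      fi
      ;;

    stub_zone)
      if [ -n "$UB_LIST_ZONE_NAMES" ] && [ -n "$UB_LIST_ZONE_SERVERS" ] ; then
        for zonename in $UB_LIST_ZONE_NAMES ; do
          {
            # generate a stub-zone: or ensure short cut to authority NS
            echo "stub-zone:"
            echo " name: $zonename"
            for server in $UB_LIST_ZONE_SERVERS ; do
              echo " stub-addr: $server${port:+@${port}}"
            done
            echo " stub-first: $fallback"
            echo
          } >> "$UB_ZONE_CONF"
        done
      fi
      ;;
  esac
}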
541
542 ##############################################################################
543
unbound_conf() {
  # Write the server: clause of UB_CORE_CONF. Every block below appends to
  # the file, so it is built top to bottom in this order: chroot paths, TLS
  # cert bundle, root hints, trust anchor, threading/logging, listen
  # protocol, resource sizing, module-config, recursion tuning, TTLs,
  # identity hiding, private-address (rebind protection), domain-insecure
  # and finally access-control.
  # Globals read: the UB_B_*/UB_D_*/UB_N_*/UB_TTL_MIN switches set by
  #   unbound_uci(), UB_B_READY/UB_B_NTP_BOOT from unbound_mkdir(),
  #   UB_LIST_NETW_ALL/UB_LIST_NETW_LAN/UB_LIST_INSECURE from the bundle_*()
  #   callbacks, and the UB_CORE_CONF/UB_VARDIR/UB_PIDFILE/UB_*_FILE paths
  #   defined outside this file (presumably defaults.sh)
  # Outputs: overwrites UB_CORE_CONF; logs the chosen defaults via logger
  #   while UB_B_READY is 0
  local rt_mem rt_conn rt_buff modulestring domain ifsubnet nsubnet

  {
    # server: for this whole function
    echo "# $UB_CORE_CONF generated by UCI $( date -Is )"
    echo "server:"
    echo " username: unbound"
    echo " chroot: $UB_VARDIR"
    echo " directory: $UB_VARDIR"
    echo " pidfile: $UB_PIDFILE"
  } > $UB_CORE_CONF


  if [ -f "$UB_TLS_FWD_FILE" ] ; then
    # TLS cert bundle for upstream forwarder and https zone files
    # This is loaded before drop to root, so pull from /etc/ssl
    echo " tls-cert-bundle: $UB_TLS_FWD_FILE" >> $UB_CORE_CONF
  fi


  if [ -f "$UB_RHINT_FILE" ] ; then
    # Optional hints if found
    echo " root-hints: $UB_RHINT_FILE" >> $UB_CORE_CONF
  fi


  if [ "$UB_B_DNSSEC" -gt 0 -a -f "$UB_RKEY_FILE" ] ; then
    # The anchor file line needs the file to exist (unbound_mkdir() tries to
    # seed it); the validator module itself is selected further down from
    # UB_B_DNSSEC alone.
    {
      echo " auto-trust-anchor-file: $UB_RKEY_FILE"
      echo
    } >> $UB_CORE_CONF

  else
    echo >> $UB_CORE_CONF
  fi


  {
    # No threading
    echo " num-threads: 1"
    echo " msg-cache-slabs: 1"
    echo " rrset-cache-slabs: 1"
    echo " infra-cache-slabs: 1"
    echo " key-cache-slabs: 1"
    echo
    # Logging
    echo " use-syslog: yes"
    echo " statistics-interval: 0"
    echo " statistics-cumulative: no"
  } >> $UB_CORE_CONF


  if [ "$UB_D_VERBOSE" -ge 0 -a "$UB_D_VERBOSE" -le 5 ] ; then
    # out of range values are silently skipped (Unbound keeps its default)
    echo " verbosity: $UB_D_VERBOSE" >> $UB_CORE_CONF
  fi


  if [ "$UB_B_EXT_STATS" -gt 0 ] ; then
    {
      # Log More
      echo " extended-statistics: yes"
      echo
    } >> $UB_CORE_CONF

  else
    {
      # Log Less
      echo " extended-statistics: no"
      echo
    } >> $UB_CORE_CONF
  fi


  # Listen/outgoing interfaces and address families per option protocol.
  # All variants except the fallback bind the wildcard address; who may
  # actually query is decided by the access-control: block at the end.
  case "$UB_D_PROTOCOL" in
    ip4_only)
      {
        echo " edns-buffer-size: $UB_N_EDNS_SIZE"
        echo " port: $UB_N_RX_PORT"
        echo " outgoing-port-permit: 10240-65535"
        echo " interface: 0.0.0.0"
        echo " outgoing-interface: 0.0.0.0"
        echo " do-ip4: yes"
        echo " do-ip6: no"
        echo
      } >> $UB_CORE_CONF
      ;;

    ip6_only)
      {
        echo " edns-buffer-size: $UB_N_EDNS_SIZE"
        echo " port: $UB_N_RX_PORT"
        echo " outgoing-port-permit: 10240-65535"
        echo " interface: ::0"
        echo " outgoing-interface: ::0"
        echo " do-ip4: no"
        echo " do-ip6: yes"
        echo
      } >> $UB_CORE_CONF
      ;;

    ip6_local)
      {
        # listen on both families, but recurse upstream over IPv4 only
        echo " edns-buffer-size: $UB_N_EDNS_SIZE"
        echo " port: $UB_N_RX_PORT"
        echo " outgoing-port-permit: 10240-65535"
        echo " interface: 0.0.0.0"
        echo " interface: ::0"
        echo " outgoing-interface: 0.0.0.0"
        echo " do-ip4: yes"
        echo " do-ip6: yes"
        echo
      } >> $UB_CORE_CONF
      ;;

    ip6_prefer)
      {
        echo " edns-buffer-size: $UB_N_EDNS_SIZE"
        echo " port: $UB_N_RX_PORT"
        echo " outgoing-port-permit: 10240-65535"
        echo " interface: 0.0.0.0"
        echo " interface: ::0"
        echo " outgoing-interface: 0.0.0.0"
        echo " outgoing-interface: ::0"
        echo " do-ip4: yes"
        echo " do-ip6: yes"
        echo " prefer-ip6: yes"
        echo
      } >> $UB_CORE_CONF
      ;;

    mixed)
      {
        # Interface Wildcard (access control handled by "option local_service")
        echo " edns-buffer-size: $UB_N_EDNS_SIZE"
        echo " port: $UB_N_RX_PORT"
        echo " outgoing-port-permit: 10240-65535"
        echo " interface: 0.0.0.0"
        echo " interface: ::0"
        echo " outgoing-interface: 0.0.0.0"
        echo " outgoing-interface: ::0"
        echo " do-ip4: yes"
        echo " do-ip6: yes"
        echo
      } >> $UB_CORE_CONF
      ;;

    *)
      if [ "$UB_B_READY" -eq 0 ] ; then
        logger -t unbound -s "default protocol configuration"
      fi


      {
        # outgoing-interface has useful defaults; incoming is localhost though
        echo " edns-buffer-size: $UB_N_EDNS_SIZE"
        echo " port: $UB_N_RX_PORT"
        echo " outgoing-port-permit: 10240-65535"
        echo " interface: 0.0.0.0"
        echo " interface: ::0"
        echo
      } >> $UB_CORE_CONF
      ;;
  esac


  # Sizing multipliers per option resource; rt_buff is only read when
  # rt_mem is non-zero, which is why the fallback arm does not set it.
  case "$UB_D_RESOURCE" in
    # Tiny - Unbound's recommended cheap hardware config
    tiny) rt_mem=1 ; rt_conn=2 ; rt_buff=1 ;;
    # Small - Half RRCACHE and open ports
    small) rt_mem=8 ; rt_conn=10 ; rt_buff=2 ;;
    # Medium - Nearly default but with some added balancing
    medium) rt_mem=16 ; rt_conn=15 ; rt_buff=4 ;;
    # Large - Double medium
    large) rt_mem=32 ; rt_conn=20 ; rt_buff=4 ;;
    # Whatever unbound does
    *) rt_mem=0 ; rt_conn=0 ;;
  esac


  if [ "$rt_mem" -gt 0 ] ; then
    {
      # Other hardening and options for an embedded router
      echo " harden-short-bufsize: yes"
      echo " harden-large-queries: yes"
      echo " harden-glue: yes"
      echo " use-caps-for-id: no"
      echo
      # Set memory sizing parameters
      echo " msg-buffer-size: $(($rt_buff*8192))"
      echo " outgoing-range: $(($rt_conn*32))"
      echo " num-queries-per-thread: $(($rt_conn*16))"
      echo " outgoing-num-tcp: $(($rt_conn))"
      echo " incoming-num-tcp: $(($rt_conn))"
      echo " rrset-cache-size: $(($rt_mem*256))k"
      echo " msg-cache-size: $(($rt_mem*128))k"
      echo " key-cache-size: $(($rt_mem*128))k"
      echo " neg-cache-size: $(($rt_mem*64))k"
      echo " infra-cache-numhosts: $(($rt_mem*256))"
      echo
    } >> $UB_CORE_CONF

  elif [ "$UB_B_READY" -eq 0 ] ; then
    logger -t unbound -s "default memory configuration"
  fi


  # Assembly of module-config: options is tricky; order matters
  # (modules are prepended, so the final string reads "dns64 validator iterator")
  modulestring="iterator"


  if [ "$UB_B_DNSSEC" -gt 0 ] ; then
    if [ "$UB_B_NTP_BOOT" -gt 0 ] ; then
      # DNSSEC chicken and egg with getting NTP time
      echo " val-override-date: -1" >> $UB_CORE_CONF
    fi


    {
      echo " harden-dnssec-stripped: yes"
      echo " val-clean-additional: yes"
      echo " ignore-cd-flag: yes"
    } >> $UB_CORE_CONF


    modulestring="validator $modulestring"
  fi


  if [ "$UB_B_DNS64" -gt 0 ] ; then
    echo " dns64-prefix: $UB_IP_DNS64" >> $UB_CORE_CONF

    modulestring="dns64 $modulestring"
  fi


  {
    # Print final module string
    echo " module-config: \"$modulestring\""
    echo
  } >> $UB_CORE_CONF


  case "$UB_D_RECURSION" in
    passive)
      {
        # Some query privacy but "strict" will break some servers
        if [ "$UB_B_QRY_MINST" -gt 0 \
          -a "$UB_B_QUERY_MIN" -gt 0 ] ; then
          echo " qname-minimisation: yes"
          echo " qname-minimisation-strict: yes"
        elif [ "$UB_B_QUERY_MIN" -gt 0 ] ; then
          echo " qname-minimisation: yes"
        else
          echo " qname-minimisation: no"
        fi
        # Use DNSSEC to quickly understand NXDOMAIN ranges
        if [ "$UB_B_DNSSEC" -gt 0 ] ; then
          echo " aggressive-nsec: yes"
          echo " prefetch-key: no"
        fi
        # On demand fetching
        echo " prefetch: no"
        echo " target-fetch-policy: \"0 0 0 0 0\""
        echo
      } >> $UB_CORE_CONF
      ;;

    aggressive)
      {
        # Some query privacy but "strict" will break some servers
        if [ "$UB_B_QRY_MINST" -gt 0 \
          -a "$UB_B_QUERY_MIN" -gt 0 ] ; then
          echo " qname-minimisation: yes"
          echo " qname-minimisation-strict: yes"
        elif [ "$UB_B_QUERY_MIN" -gt 0 ] ; then
          echo " qname-minimisation: yes"
        else
          echo " qname-minimisation: no"
        fi
        # Use DNSSEC to quickly understand NXDOMAIN ranges
        if [ "$UB_B_DNSSEC" -gt 0 ] ; then
          echo " aggressive-nsec: yes"
          echo " prefetch-key: yes"
        fi
        # Prefetch what can be
        echo " prefetch: yes"
        echo " target-fetch-policy: \"3 2 1 0 0\""
        echo
      } >> $UB_CORE_CONF
      ;;

    *)
      if [ "$UB_B_READY" -eq 0 ] ; then
        logger -t unbound -s "default recursion configuration"
      fi
      ;;
  esac


  {
    # Reload records more than 20 hours old
    # DNSSEC 5 minute bogus cool down before retry
    # Adaptive infrastructure info kept for 15 minutes
    echo " cache-min-ttl: $UB_TTL_MIN"
    echo " cache-max-ttl: 72000"
    echo " val-bogus-ttl: 300"
    echo " infra-host-ttl: 900"
    echo
  } >> $UB_CORE_CONF


  if [ "$UB_B_HIDE_BIND" -gt 0 ] ; then
    {
      # Block server id and version DNS TXT records
      echo " hide-identity: yes"
      echo " hide-version: yes"
      echo
    } >> $UB_CORE_CONF
  fi


  if [ "$UB_D_PRIV_BLCK" -gt 0 ] ; then
    {
      # Remove _upstream_ or global responses with private addresses.
      # Unbounds own "local zone" and "forward zone" may still use these.
      # RFC1918, RFC3927, RFC4291, RFC6598, RFC6890
      echo " private-address: 10.0.0.0/8"
      echo " private-address: 100.64.0.0/10"
      echo " private-address: 169.254.0.0/16"
      echo " private-address: 172.16.0.0/12"
      echo " private-address: 192.168.0.0/16"
      echo " private-address: fc00::/7"
      echo " private-address: fe80::/10"
      echo
    } >> $UB_CORE_CONF
  fi


  if [ -n "$UB_LIST_NETW_LAN" -a "$UB_D_PRIV_BLCK" -gt 1 ] ; then
    {
      for ifsubnet in $UB_LIST_NETW_LAN ; do
        # the pattern picks "ifname@<global unicast IPv6 prefix>" entries
        case $ifsubnet in
          *@[1-9][0-9a-f][0-9a-f][0-9a-f]:*:[0-9a-f]*)
            # Remove global DNS responses with your local network IP6 GLA
            echo " private-address: ${ifsubnet#*@}"
            ;;
        esac
      done
      echo
    } >> $UB_CORE_CONF
  fi


  if [ "$UB_B_LOCL_BLCK" -gt 0 ] ; then
    {
      # Remove DNS responses from upstream with loopback IP
      # Black hole DNS method for ad blocking, so consider...
      echo " private-address: 127.0.0.0/8"
      echo " private-address: ::1/128"
      echo
    } >> $UB_CORE_CONF
  fi


  if [ -n "$UB_LIST_INSECURE" ] ; then
    {
      for domain in $UB_LIST_INSECURE ; do
        # Except and accept domains without (DNSSEC); work around broken domains
        echo " domain-insecure: $domain"
      done
      echo
    } >> $UB_CORE_CONF
  fi


  if [ "$UB_B_LOCL_SERV" -gt 0 -a -n "$UB_LIST_NETW_ALL" ] ; then
    {
      for ifsubnet in $UB_LIST_NETW_ALL ; do
        # Only respond to queries from subnets which have an interface.
        # Prevent DNS amplification attacks by not responding to the universe.
        echo " access-control: ${ifsubnet#*@} allow"
      done
      echo " access-control: 127.0.0.0/8 allow"
      echo " access-control: ::1/128 allow"
      echo " access-control: fe80::/10 allow"
      echo
    } >> $UB_CORE_CONF

  else
    {
      # With localservice off, or no interface subnets collected, any source
      # may query on the wildcard interfaces written above: this is an open
      # resolver unless the firewall limits who can reach the listen port.
      echo " access-control: 0.0.0.0/0 allow"
      echo " access-control: ::0/0 allow"
      echo
    } >> $UB_CORE_CONF
  fi
}
941
942 ##############################################################################
943
unbound_hostname() {
  # Write UB_HOST_CONF: the local zone for this router's domain and host
  # name, reverse (in-addr.arpa / ip6.arpa) zones for the WAN addresses and
  # LAN subnets, and the A/AAAA/PTR records of the router's own addresses.
  # With dhcp_link=dnsmasq only a comment is written, dnsmasq owns the zone.
  # Globals read: UB_D_DHCP_LINK UB_TXT_DOMAIN UB_TXT_HOSTNAME
  #   UB_D_DOMAIN_TYPE UB_D_WAN_FQDN UB_D_LAN_FQDN UB_D_PRIV_BLCK
  #   UB_LIST_NETW_LAN UB_LIST_NETW_WAN UB_HOST_CONF, plus the record
  #   templates UB_XSOA UB_XNS UB_XTXT UB_LTXT UB_MTXT and the helpers
  #   host_ptr_any()/domain_ptr_any() defined outside this file
  # Outputs: overwrites UB_HOST_CONF
  local ifsubnet ifarpa ifaddr ifname iffqdn
  local ulaprefix hostfqdn name names namerec ptrrec
  # 0: no zone for the domain, 1: transparent zone, 2: static-like zone
  local zonetype=0

  echo "# $UB_HOST_CONF generated by UCI $( date -Is )" > $UB_HOST_CONF


  if [ "$UB_D_DHCP_LINK" = "dnsmasq" ] ; then
    {
      echo "# Local zone is handled by dnsmasq"
      echo
    } >> $UB_HOST_CONF

  elif [ -n "$UB_TXT_DOMAIN" \
    -a \( "$UB_D_WAN_FQDN" -gt 0 -o "$UB_D_LAN_FQDN" -gt 0 \) ] ; then
    case "$UB_D_DOMAIN_TYPE" in
      deny|inform_deny|refuse|static)
        {
          # type static means only this router has your domain
          echo " domain-insecure: $UB_TXT_DOMAIN"
          echo " private-domain: $UB_TXT_DOMAIN"
          echo " local-zone: $UB_TXT_DOMAIN $UB_D_DOMAIN_TYPE"
          echo " local-data: \"$UB_TXT_DOMAIN. $UB_XSOA\""
          echo " local-data: \"$UB_TXT_DOMAIN. $UB_XNS\""
          echo " local-data: '$UB_TXT_DOMAIN. $UB_XTXT'"
          echo
          # avoid upstream involvement in RFC6762
          echo " domain-insecure: local"
          echo " private-domain: local"
          echo " local-zone: local $UB_D_DOMAIN_TYPE"
          echo " local-data: \"local. $UB_XSOA\""
          echo " local-data: \"local. $UB_XNS\""
          echo " local-data: 'local. $UB_LTXT'"
          echo
        } >> $UB_HOST_CONF
        zonetype=2
        ;;

      transparent|typetransparent)
        {
          # transparent will permit forward-zone: or stub-zone: clauses
          echo " private-domain: $UB_TXT_DOMAIN"
          echo " local-zone: $UB_TXT_DOMAIN $UB_D_DOMAIN_TYPE"
          echo
        } >> $UB_HOST_CONF
        zonetype=1
        ;;
    esac


    {
      # Hostname as TLD works, but not transparent through recursion (singular)
      echo " domain-insecure: $UB_TXT_HOSTNAME"
      echo " private-domain: $UB_TXT_HOSTNAME"
      echo " local-zone: $UB_TXT_HOSTNAME static"
      echo " local-data: \"$UB_TXT_HOSTNAME. $UB_XSOA\""
      echo " local-data: \"$UB_TXT_HOSTNAME. $UB_XNS\""
      echo " local-data: '$UB_TXT_HOSTNAME. $UB_XTXT'"
      echo
    } >> $UB_HOST_CONF


    if [ -n "$UB_LIST_NETW_WAN" ] ; then
      # reverse zone per WAN host address (the /prefix is stripped first)
      for ifsubnet in $UB_LIST_NETW_WAN ; do
        ifaddr=${ifsubnet#*@}
        ifaddr=${ifaddr%/*}
        ifarpa=$( host_ptr_any "$ifaddr" )


        if [ -n "$ifarpa" ] ; then
          if [ "$UB_D_WAN_FQDN" -gt 0 ] ; then
            {
              # Create a static zone for WAN host record only (singular)
              echo " domain-insecure: $ifarpa"
              echo " private-address: $ifaddr"
              echo " local-zone: $ifarpa static"
              echo " local-data: \"$ifarpa. $UB_XSOA\""
              echo " local-data: \"$ifarpa. $UB_XNS\""
              echo " local-data: '$ifarpa. $UB_MTXT'"
              echo
            } >> $UB_HOST_CONF

          elif [ "$zonetype" -gt 0 ] ; then
            {
              echo " local-zone: $ifarpa transparent"
              echo
            } >> $UB_HOST_CONF
          fi
        fi
      done
    fi


    if [ -n "$UB_LIST_NETW_LAN" ] ; then
      # reverse zone per LAN subnet (whole prefix, not a single host)
      for ifsubnet in $UB_LIST_NETW_LAN ; do
        ifarpa=$( domain_ptr_any "${ifsubnet#*@}" )


        if [ -n "$ifarpa" ] ; then
          if [ "$zonetype" -eq 2 ] ; then
            {
              # Do NOT forward queries with your ip6.arpa or in-addr.arpa
              echo " domain-insecure: $ifarpa"
              echo " local-zone: $ifarpa static"
              echo " local-data: \"$ifarpa. $UB_XSOA\""
              echo " local-data: \"$ifarpa. $UB_XNS\""
              echo " local-data: '$ifarpa. $UB_XTXT'"
              echo
            } >> $UB_HOST_CONF

          elif [ "$zonetype" -eq 1 -a "$UB_D_PRIV_BLCK" -eq 0 ] ; then
            # transparent reverse zone only makes sense when rebind
            # protection is off; otherwise private answers would be dropped
            {
              echo " local-zone: $ifarpa transparent"
              echo
            } >> $UB_HOST_CONF
          fi
        fi
      done
    fi


    # ULA prefix without its "::/nn" tail, used to recognise ULA addresses
    ulaprefix=$( uci_get network.@globals[0].ula_prefix )
    ulaprefix=${ulaprefix%%:/*}
    hostfqdn="$UB_TXT_HOSTNAME.$UB_TXT_DOMAIN"


    if [ -z "$ulaprefix" ] ; then
      # Nonsense so this option isn't globbed below
      ulaprefix="fdno:such:addr::"
    fi


    # (bare string test; same as -n) LAN records per option add_local_fqdn:
    # 1 host name only, 2 also GLA, 3 host FQDN, 4 interface FQDN as well
    if [ "$UB_LIST_NETW_LAN" -a "$UB_D_LAN_FQDN" -gt 0 ] ; then
      for ifsubnet in $UB_LIST_NETW_LAN ; do
        ifaddr=${ifsubnet#*@}
        ifaddr=${ifaddr%/*}
        ifname=${ifsubnet%@*}
        iffqdn="$ifname.$hostfqdn"


        if [ "$UB_D_LAN_FQDN" -eq 4 ] ; then
          names="$iffqdn $hostfqdn $UB_TXT_HOSTNAME"
          ptrrec=" local-data-ptr: \"$ifaddr 300 $iffqdn\""
          echo "$ptrrec" >> $UB_HOST_CONF

        elif [ "$UB_D_LAN_FQDN" -eq 3 ] ; then
          names="$hostfqdn $UB_TXT_HOSTNAME"
          ptrrec=" local-data-ptr: \"$ifaddr 300 $hostfqdn\""
          echo "$ptrrec" >> $UB_HOST_CONF

        else
          names="$UB_TXT_HOSTNAME"
          ptrrec=" local-data-ptr: \"$ifaddr 300 $UB_TXT_HOSTNAME\""
          echo "$ptrrec" >> $UB_HOST_CONF
        fi


        for name in $names ; do
          case $ifaddr in
            "${ulaprefix}"*)
              # IP6 ULA only is assigned for OPTION 1
              namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\""
              echo "$namerec" >> $UB_HOST_CONF
              ;;

            [1-9]*.*[0-9])
              # looks like IPv4: leading digit, a dot, trailing digit
              namerec=" local-data: \"$name. 300 IN A $ifaddr\""
              echo "$namerec" >> $UB_HOST_CONF
              ;;

            *)
              if [ "$UB_D_LAN_FQDN" -gt 1 ] ; then
                # IP6 GLA is assigned for higher options
                namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\""
                echo "$namerec" >> $UB_HOST_CONF
              fi
              ;;
          esac
        done
        echo >> $UB_HOST_CONF
      done
    fi


    # WAN records per option add_wan_fqdn, same levels as add_local_fqdn
    if [ -n "$UB_LIST_NETW_WAN" -a "$UB_D_WAN_FQDN" -gt 0 ] ; then
      for ifsubnet in $UB_LIST_NETW_WAN ; do
        ifaddr=${ifsubnet#*@}
        ifaddr=${ifaddr%/*}
        ifname=${ifsubnet%@*}
        iffqdn="$ifname.$hostfqdn"


        if [ "$UB_D_WAN_FQDN" -eq 4 ] ; then
          names="$iffqdn $hostfqdn $UB_TXT_HOSTNAME"
          ptrrec=" local-data-ptr: \"$ifaddr 300 $iffqdn\""
          echo "$ptrrec" >> $UB_HOST_CONF

        elif [ "$UB_D_WAN_FQDN" -eq 3 ] ; then
          names="$hostfqdn $UB_TXT_HOSTNAME"
          ptrrec=" local-data-ptr: \"$ifaddr 300 $hostfqdn\""
          echo "$ptrrec" >> $UB_HOST_CONF

        else
          names="$UB_TXT_HOSTNAME"
          ptrrec=" local-data-ptr: \"$ifaddr 300 $UB_TXT_HOSTNAME\""
          echo "$ptrrec" >> $UB_HOST_CONF
        fi


        for name in $names ; do
          case $ifaddr in
            "${ulaprefix}"*)
              # IP6 ULA only is assigned for OPTION 1
              namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\""
              echo "$namerec" >> $UB_HOST_CONF
              ;;

            [1-9]*.*[0-9])
              # looks like IPv4: leading digit, a dot, trailing digit
              namerec=" local-data: \"$name. 300 IN A $ifaddr\""
              echo "$namerec" >> $UB_HOST_CONF
              ;;

            *)
              if [ "$UB_D_WAN_FQDN" -gt 1 ] ; then
                # IP6 GLA is assigned for higher options
                namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\""
                echo "$namerec" >> $UB_HOST_CONF
              fi
              ;;
          esac
        done
        echo >> $UB_HOST_CONF
      done
    fi
  fi # end if uci valid
}
1181
1182 ##############################################################################
1183
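unbound_uci() {
  #######################################
  # Load the "config unbound" UCI section into the UB_* globals and sanity
  # check the values that later end up in the generated unbound.conf.
  # Globals:   UB_B_*, UB_D_*, UB_N_*, UB_TTL_MIN, UB_TXT_HOSTNAME,
  #            UB_TXT_DOMAIN (written); UB_B_READY (read, 0 = still booting)
  # Arguments: $1 - UCI section name
  # Outputs:   diagnostics through logger only
  # Returns:   0
  #######################################
  local cfg="$1"
  local hostnm

  # DNS names are case-insensitive; keep one lowercase spelling throughout.
  hostnm=$( uci_get "system.@system[0].hostname" | awk '{print tolower($0)}' )
  UB_TXT_HOSTNAME=${hostnm:-thisrouter}

  config_get_bool UB_B_SLAAC6_MAC "$cfg" dhcp4_slaac6 0
  config_get_bool UB_B_DNS64 "$cfg" dns64 0
  config_get_bool UB_B_EXT_STATS "$cfg" extended_stats 0
  config_get_bool UB_B_HIDE_BIND "$cfg" hide_binddata 1
  config_get_bool UB_B_LOCL_SERV "$cfg" localservice 1
  config_get_bool UB_B_MAN_CONF "$cfg" manual_conf 0
  config_get_bool UB_B_QUERY_MIN "$cfg" query_minimize 0
  config_get_bool UB_B_QRY_MINST "$cfg" query_min_strict 0
  config_get_bool UB_B_AUTH_ROOT "$cfg" prefetch_root 0
  config_get_bool UB_B_LOCL_BLCK "$cfg" rebind_localhost 0
  config_get_bool UB_B_DNSSEC "$cfg" validator 0
  config_get_bool UB_B_NTP_BOOT "$cfg" validator_ntp 1

  config_get UB_IP_DNS64 "$cfg" dns64_prefix "64:ff9b::/96"

  config_get UB_N_EDNS_SIZE "$cfg" edns_size 1280
  config_get UB_N_RX_PORT "$cfg" listen_port 53
  config_get UB_N_ROOT_AGE "$cfg" root_age 9

  config_get UB_D_CONTROL "$cfg" unbound_control 0
  config_get UB_D_DOMAIN_TYPE "$cfg" domain_type static
  config_get UB_D_DHCP_LINK "$cfg" dhcp_link none
  config_get UB_D_EXTRA_DNS "$cfg" add_extra_dns 0
  config_get UB_D_LAN_FQDN "$cfg" add_local_fqdn 0
  config_get UB_D_PRIV_BLCK "$cfg" rebind_protection 1
  config_get UB_D_PROTOCOL "$cfg" protocol mixed
  config_get UB_D_RECURSION "$cfg" recursion passive
  config_get UB_D_RESOURCE "$cfg" resource small
  config_get UB_D_VERBOSE "$cfg" verbosity 1
  config_get UB_D_WAN_FQDN "$cfg" add_wan_fqdn 0

  config_get UB_TTL_MIN "$cfg" ttl_min 120
  config_get UB_TXT_DOMAIN "$cfg" domain lan

  config_list_foreach "$cfg" domain_insecure bundle_domain_insecure

  if [ "$UB_D_DHCP_LINK" = "none" ] ; then
    # Legacy boolean selector; honoured only when "dhcp_link" is not set.
    config_get_bool UB_B_DNSMASQ "$cfg" dnsmasq_link_dns 0

    if [ "$UB_B_DNSMASQ" -gt 0 ] ; then
      UB_D_DHCP_LINK=dnsmasq

      if [ "$UB_B_READY" -eq 0 ] ; then
        logger -t unbound -s "Please use 'dhcp_link' selector instead"
      fi
    fi
  fi

  if [ "$UB_D_DHCP_LINK" = "dnsmasq" ] ; then
    # Only link when dnsmasq is both installed and enabled at boot.
    if [ ! -x /usr/sbin/dnsmasq ] || [ ! -x /etc/init.d/dnsmasq ] ; then
      UB_D_DHCP_LINK=none
    else
      /etc/init.d/dnsmasq enabled || UB_D_DHCP_LINK=none
    fi

    if [ "$UB_B_READY" -eq 0 ] && [ "$UB_D_DHCP_LINK" = "none" ] ; then
      logger -t unbound -s "cannot forward to dnsmasq"
    fi
  fi

  if [ "$UB_D_DHCP_LINK" = "odhcpd" ] ; then
    # Same gate for odhcpd as for dnsmasq above.
    if [ ! -x /usr/sbin/odhcpd ] || [ ! -x /etc/init.d/odhcpd ] ; then
      UB_D_DHCP_LINK=none
    else
      /etc/init.d/odhcpd enabled || UB_D_DHCP_LINK=none
    fi

    if [ "$UB_B_READY" -eq 0 ] && [ "$UB_D_DHCP_LINK" = "none" ] ; then
      logger -t unbound -s "cannot receive records from odhcpd"
    fi
  fi

  # Numeric options arrive as UCI text. A non-numeric value made "[" fail
  # with an error, the range test fell through, and the bad value reached the
  # generated config; treat it exactly like an out-of-range value instead.
  if ! _ub_is_uint "$UB_N_EDNS_SIZE" \
     || [ "$UB_N_EDNS_SIZE" -lt 512 ] || [ 4096 -lt "$UB_N_EDNS_SIZE" ] ; then
    logger -t unbound -s "edns_size exceeds range, using default"
    UB_N_EDNS_SIZE=1280
  fi

  if ! _ub_is_uint "$UB_N_RX_PORT" ; then
    logger -t unbound -s "listen_port is not a number, using default"
    UB_N_RX_PORT=53
  elif [ "$UB_N_RX_PORT" -ne 53 ] \
     && { [ "$UB_N_RX_PORT" -lt 1024 ] || [ 10240 -lt "$UB_N_RX_PORT" ] ; } ; then
    logger -t unbound -s "privileged port or in 5 digits, using default"
    UB_N_RX_PORT=53
  fi

  if ! _ub_is_uint "$UB_TTL_MIN" || [ "$UB_TTL_MIN" -gt 1800 ] ; then
    logger -t unbound -s "ttl_min could have had awful side effects, using 300"
    UB_TTL_MIN=300
  fi
}

#######################################
# Succeed when $1 is a non-empty string of decimal digits (POSIX sh only,
# no external commands).
# Arguments: $1 - value to test
# Returns:   0 when $1 is an unsigned integer, 1 otherwise
#######################################
_ub_is_uint() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}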
1290
1291 ##############################################################################
1292
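unbound_include() {
  #######################################
  # Assemble $UB_TOTAL_CONF from the per-topic fragments the other UCI
  # functions wrote. Generated fragments are copied in and deleted; files
  # maintained by the user or by other packages are referenced with
  # "include:" and left in place.
  # Globals:   UB_TOTAL_CONF, UB_VARDIR, UB_CORE_CONF, UB_HOST_CONF,
  #            UB_SRVMASQ_CONF, UB_DHCP_CONF, UB_SRV_CONF, UB_ZONE_CONF,
  #            UB_CTRL_CONF, UB_EXTMASQ_CONF, UB_EXT_CONF (read)
  # Arguments: none
  # Outputs:   rewrites $UB_TOTAL_CONF; removes the generated fragments
  # Returns:   0
  #######################################
  local adb_file adb_files

  # Let the shell glob instead of parsing ls. An unmatched pattern stays as
  # literal text, so keep only names that really exist.
  adb_files=
  for adb_file in "$UB_VARDIR"/adb_list.* ; do
    if [ -e "$adb_file" ] ; then
      adb_files="$adb_files $adb_file"
    fi
  done

  echo "# $UB_TOTAL_CONF generated by UCI $( date -Is )" > "$UB_TOTAL_CONF"

  # Yes this all looks busy, but it is in TMPFS. Working on separate files
  # and piecing together is easier. UCI order is less constrained.
  _ub_merge_fragment "$UB_CORE_CONF"
  # UCI definitions of local host or local subnet
  _ub_merge_fragment "$UB_HOST_CONF"
  # UCI found link to dnsmasq
  _ub_merge_fragment "$UB_SRVMASQ_CONF"
  # Seed DHCP records because dhcp scripts trigger externally
  # Incremental Unbound restarts may drop unbound-control records
  _ub_include_fragment "$UB_DHCP_CONF"

  if [ -n "$adb_files" ] && [ -x /usr/bin/adblock.sh ] \
     && [ -x /etc/init.d/adblock ] && /etc/init.d/adblock enabled ; then
    {
      # Pull in your selected openwrt/packages/net/adblock generated lists
      echo "include: $UB_VARDIR/adb_list.*"
      echo
    } >> "$UB_TOTAL_CONF"
  fi

  # Pull your own "server:" options here
  _ub_include_fragment "$UB_SRV_CONF"
  # UCI defined forward, stub, and auth zones
  _ub_merge_fragment "$UB_ZONE_CONF"
  # UCI defined control application connection
  _ub_merge_fragment "$UB_CTRL_CONF"
  # UCI found link to dnsmasq
  _ub_merge_fragment "$UB_EXTMASQ_CONF"
  # Pull your own extend feature clauses here
  _ub_include_fragment "$UB_EXT_CONF"
}

#######################################
# Append a generated fragment to $UB_TOTAL_CONF and delete it; a missing or
# empty path is silently skipped (the unquoted tests used to read stdin).
# Arguments: $1 - fragment path
#######################################
_ub_merge_fragment() {
  if [ -n "$1" ] && [ -f "$1" ] ; then
    cat "$1" >> "$UB_TOTAL_CONF"
    rm "$1"
  fi
}

#######################################
# Reference a user- or package-maintained file from $UB_TOTAL_CONF with an
# "include:" clause, leaving the file in place.
# Arguments: $1 - file path
#######################################
_ub_include_fragment() {
  if [ -n "$1" ] && [ -f "$1" ] ; then
    {
      echo "include: $1"
      echo
    } >> "$UB_TOTAL_CONF"
  fi
}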
1387
1388 ##############################################################################
1389
resolv_setup() {
  #######################################
  # Point /tmp/resolv.conf at the local Unbound instance, unless Unbound is
  # not on port 53 or an enabled dnsmasq already answers on localhost:53.
  # Globals:   UB_N_RX_PORT, UB_TXT_DOMAIN (read)
  # Arguments: none
  # Outputs:   rewrites /tmp/resolv.conf
  # Returns:   0
  #######################################
  local dnsmasq_owns_resolver=0

  # Not on the standard port: something else must be the system resolver.
  [ "$UB_N_RX_PORT" = "53" ] || return 0

  if [ -x /etc/init.d/dnsmasq ] && /etc/init.d/dnsmasq enabled ; then
    # unbound is configured for port 53, but dnsmasq is enabled and a resolver
    # listens on localhost:53, lets assume dnsmasq manages the resolver file.
    # TODO:
    # really check if dnsmasq runs a local (main) resolver in stead of using
    # nslookup that times out when no resolver listens on localhost:53.
    if nslookup localhost 127.0.0.1#53 >/dev/null 2>&1 ; then
      dnsmasq_owns_resolver=1
    fi
  fi

  if [ "$dnsmasq_owns_resolver" -eq 1 ] ; then
    return 0
  fi

  # unbound is designated to listen on 127.0.0.1#53,
  # set resolver file to local.
  rm -f /tmp/resolv.conf

  {
    echo "# /tmp/resolv.conf generated by Unbound UCI $( date -Is )"
    echo "nameserver 127.0.0.1"
    echo "nameserver ::1"
    echo "search $UB_TXT_DOMAIN."
  } > /tmp/resolv.conf
}
1417
1418 ##############################################################################
1419
unbound_start() {
  #######################################
  # Entry point of the UCI driven setup: read the unbound UCI section,
  # prepare the working directory, generate the configuration (unless the
  # user maintains it by hand) and finally fix up the resolver file.
  # Globals:   UB_B_MAN_CONF (read)
  # Arguments: none
  # Returns:   0
  #######################################
  config_load unbound
  config_foreach unbound_uci unbound
  unbound_mkdir

  if [ "$UB_B_MAN_CONF" -eq 0 ] ; then
    _ub_generate_uci_conf
  fi

  resolv_setup
}

#######################################
# Build the generated configuration from UCI. The order matters: zones are
# iterated before the other UCI sections, network/dhcp sections are loaded
# to associate DNS RRs with interfaces, then the fragments are merged.
# Globals:   none read directly; the called functions write the UB_* state
# Arguments: none
#######################################
_ub_generate_uci_conf() {
  # forward-zone: auth-zone: and stub-zone:
  config_foreach unbound_zone zone
  # associate potential DNS RR with interfaces
  config_load network
  config_foreach bundle_all_networks interface
  config_load dhcp
  config_foreach bundle_lan_networks dhcp
  bundle_wan_networks
  # server:
  unbound_conf
  unbound_hostname
  # control:
  unbound_control
  # dnsmasq
  dnsmasq_link
  # merge
  unbound_include
}
1450
1451 ##############################################################################
1452