Diffstat (limited to 'config/unbound')
-rw-r--r-- | config/unbound/unbound.inc | 216 | ||||
-rw-r--r-- | config/unbound/unbound.xml | 10 | ||||
-rw-r--r-- | config/unbound/unbound_acls.php | 16 | ||||
-rw-r--r-- | config/unbound/unbound_acls.xml | 8 | ||||
-rw-r--r-- | config/unbound/unbound_advanced.xml | 6 | ||||
-rwxr-xr-x | config/unbound/unbound_monitor.sh | 68 | ||||
-rw-r--r-- | config/unbound/unbound_status.php | 64 |
7 files changed, 214 insertions, 174 deletions
diff --git a/config/unbound/unbound.inc b/config/unbound/unbound.inc index 6588c5c2..2dd33bcd 100644 --- a/config/unbound/unbound.inc +++ b/config/unbound/unbound.inc @@ -23,6 +23,12 @@ POSSIBILITY OF SUCH DAMAGE. */ +// Define basedir constant for unbound according to FreeBSD version (PBI support or no PBI) +if (floatval(php_uname("r")) >= 8.3) + define("UNBOUND_BASE", "/usr/pbi/unbound-" . php_uname("m")); +else + define("UNBOUND_BASE", "/usr/local"); + if(!function_exists("is_service_running")) require_once("service-utils.inc"); 
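Review bot: The UNBOUND_BASE block added at the top of unbound.inc is pasted again into unbound_status.php later in this commit, and neither copy is guarded, so a request that loads both files would call define() twice for the same constant. Wrapping it as `if (!defined("UNBOUND_BASE")) { ... }`, or keeping the definition in one shared include, avoids drift between the copies. The test `floatval(php_uname("r")) >= 8.3` also treats a release string as a float, which misorders two-digit minor versions (8.10 reads as 8.1); comparing the major and minor numbers as integers is safer. Because the constant is concatenated into shell commands throughout the file, a comment noting that it is built only from uname output and never from configuration would help reviewers.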
@@ -40,34 +46,35 @@ function unbound_initial_setup() { // Make sure read-write conf_mount_rw(); - + if (!is_array($config['installedpackages']['unbound']['config'])) $config['installedpackages']['unbound']['config'] = array(); $unbound_config = &$config['installedpackages']['unbound']['config'][0]; // Ensure Unbound user exists - exec("/usr/sbin/pw useradd unbound"); + mwexec("/usr/sbin/pw useradd unbound", true); // Setup unbound // Create and chown dirs - mwexec("/bin/mkdir -p /usr/local/etc/unbound /usr/local/etc/unbound/dev"); - @chown("/usr/local/etc/unbound/.", "unbound"); - @chown("/usr/local/etc/unbound/dev.", "unbound"); + mwexec("/bin/mkdir -p " . UNBOUND_BASE . "/etc/unbound/dev"); + @chown(UNBOUND_BASE . "/etc/unbound/.", "unbound"); + @chown(UNBOUND_BASE . "/etc/unbound/dev.", "unbound"); // Touch needed files - @touch("/usr/local/etc/unbound/root.hints"); - @touch("/usr/local/etc/unbound/root-trust-anchor"); + @touch(UNBOUND_BASE . "/etc/unbound/root.hints"); + @touch(UNBOUND_BASE . "/etc/unbound/root-trust-anchor"); // Ensure files and folders belong to unbound - @chown("/usr/local/etc/unbound/root-trust-anchor", "unbound"); - @chgrp("/usr/local/etc/unbound/root-trust-anchor", "wheel"); - @chmod("/usr/local/etc/unbound/root-trust-anchor", 0600); + @chown(UNBOUND_BASE . "/etc/unbound/root-trust-anchor", "unbound"); + @chgrp(UNBOUND_BASE . "/etc/unbound/root-trust-anchor", "wheel"); + @chmod(UNBOUND_BASE . "/etc/unbound/root-trust-anchor", 0600); // We do not need the sample conf or the default rc.d startup file - @unlink_if_exists("/usr/local/etc/unbound/unbound.conf.sample"); + @unlink_if_exists(UNBOUND_BASE . "/etc/unbound/unbound.conf.sample"); + @unlink_if_exists(UNBOUND_BASE . "/etc/rc.d/unbound"); @unlink_if_exists("/usr/local/etc/rc.d/unbound"); - + // Setup rc file for startup and shutdown. unbound_rc_setup(); - + /* Check to see if Set initial interfaces that are allowed to query to lan, if that does not exist set it to the wan * */ 
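Review bot: The ownership call `@chown(UNBOUND_BASE . "/etc/unbound/dev.", "unbound");` targets `dev.` rather than `dev/.`, a path that the mkdir above never creates, and the `@` hides the failure; the typo is carried over from the old line. The intended line is presumably `@chown(UNBOUND_BASE . "/etc/unbound/dev/.", "unbound");`. Every chown/chgrp/chmod in this setup block is silenced the same way, so a wrong owner or mode on root-trust-anchor would go unnoticed; checking the return values and logging a failure would make the 0600 setting verifiable. unbound_initial_setup() starts before and continues after this hunk.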
@@ -77,34 +84,34 @@ function unbound_initial_setup() { else $unbound_config['active_interface'] = "wan"; } - + unbound_anchor_setup(); unbound_resync_config(); unbound_keys_setup(); - exec("/usr/sbin/chown -R unbound:wheel /usr/local/etc/unbound/*"); + exec("/usr/sbin/chown -R unbound:wheel " . UNBOUND_BASE . "/etc/unbound/*"); // Write out the XML config write_config(); - + // Back to read-only conf_mount_ro(); } function unbound_anchor_setup() { - + $conf = <<<EOD . IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 EOD; - file_put_contents("/usr/local/etc/unbound/root-trust-anchor", $conf); - + file_put_contents(UNBOUND_BASE . "/etc/unbound/root-trust-anchor", $conf); + } function unbound_keys_setup() { - + // Generate SSL Keys for controlling the unbound server - mwexec("/usr/local/sbin/unbound-control-setup"); + mwexec(UNBOUND_BASE . "/sbin/unbound-control-setup"); } @@ -148,25 +155,21 @@ ENDPHP\n"; } function unbound_install() { - - conf_mount_rw(); unbound_initial_setup(); - conf_mount_ro(); - } function unbound_control($action) { global $config, $g; - + $unbound_config = $config['installedpackages']['unbound']['config'][0]; $cache_dumpfile = "/var/tmp/unbound_cache"; - + switch ($action) { case "forward": /* Dont utilize forward cmd if Unbound is doing DNS queries directly * XXX: We could make this an option to then make pfSense use Unbound * as the recursive nameserver instead of upstream ones(?) - */ + */ if ($unbound_config['forwarding_mode'] == "on") { // Get configured DNS servers and add them as forwarders if (!isset($config['system']['dnsallowoverride'])) { @@ -182,7 +185,7 @@ function unbound_control($action) { $dns_servers .= " $nameserver"; } } - + if(is_service_running("unbound")) { unbound_ctl_exec("forward $dns_servers"); } else { @@ -192,7 +195,7 @@ function unbound_control($action) { } } break; - + case "start": //Start unbound if($unbound_config['unbound_status'] == "on") { 
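Review bot: unbound_initial_setup() calls unbound_resync_config() between its conf_mount_rw() and its final conf_mount_ro(), and this commit makes unbound_resync_config() end with its own conf_mount_ro() after writing unbound.conf. Unless the mount helpers are reference-counted (not visible on this page), the filesystem is read-only again by the time `unbound_keys_setup();`, the `chown -R` and `write_config();` run, so on a read-only-root install the control keys may never be written. Dropping the inner rw/ro pair when the caller already holds the mount, or calling `conf_mount_rw();` again right after `unbound_resync_config();`, would avoid that. The function begins outside this hunk.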
@@ -203,28 +206,31 @@ function unbound_control($action) { @unlink("/var/run/dnsmasq.pid"); mwexec("/bin/ln -s /var/run/unbound.pid /var/run/dnsmasq.pid"); } + mwexec_bg("/usr/local/bin/unbound_monitor.sh"); fetch_root_hints(); } break; - + case "stop": //Stop unbound and unmount the file system if($unbound_config['unbound_status'] == "on") { - unbound_ctl_exec("stop"); + mwexec_bg("/usr/local/bin/unbound_monitor.sh stop"); + unbound_ctl_exec("stop"); } break; - + case "termstop": //Stop Unbound by sigkillbypid(); + mwexec_bg("/usr/local/bin/unbound_monitor.sh stop"); sigkillbypid("{$g['varrun_path']}/unbound.pid", "TERM"); break; - + case "dump_cache": //Dump Unbound's Cache if($unbound_config['dumpcache'] == "on") unbound_ctl_exec("dump_cache > $cache_dumpfile"); break; - + case "restore_cache": //Restore Unbound's Cache if ((is_service_running("unbound")) && ($unbound_config['dumpcache'] == "on")) { @@ -234,13 +240,13 @@ function unbound_control($action) { break; case "anchor_update": //Update the Root Trust Anchor - mwexec("/usr/local/sbin/unbound-anchor -a /usr/local/etc/unbound/root-trust-anchor", true); + mwexec(UNBOUND_BASE . "/sbin/unbound-anchor -a " . UNBOUND_BASE . "/etc/unbound/root-trust-anchor", true); break; default: break; - + } - + } function unbound_get_network_interface_addresses() { @@ -251,7 +257,7 @@ function unbound_get_network_interface_addresses() { $unboundint = explode(",", $unbound_config['active_interface']); $unbound_interfaces = array(); $i = 0; - + foreach ($unboundint as $unboundidx => $unboundif) { /* Configure IPv4 addresses */ if (is_ipaddr($interfaces[$unboundif]['ipaddr'])) { 
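Review bot: The `dump_cache` case in this hunk still writes through a shell redirect to `$cache_dumpfile`, which unbound_control() sets to `/var/tmp/unbound_cache`, a fixed name in a directory that is normally world-writable. The command runs with the GUI's privileges (presumably root), so a symlink or file already present at that path would be followed or overwritten, and the restore_cache case presumably loads the file's contents back into the resolver. Keeping the dump in a directory only root and unbound can write, for example `$cache_dumpfile = UNBOUND_BASE . "/etc/unbound/unbound_cache";`, removes that exposure; unbound_uninstall() unlinks the old path and would need the same change. unbound_control() starts before this hunk.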
@@ -283,7 +289,7 @@ function unbound_get_network_interface_addresses() { $unbound_interfaces[$i]['ipv4']['subnet'] = find_interface_subnet($unboundrealif); $unbound_interfaces[$i]['ipv4']['network'] = gen_subnet($unbound_interfaces[$i]['ipv4']['ipaddr'],$unbound_interfaces[$i]['ipv4']['subnet']); } - + /* Configure IPv6 addresses */ if(function_exists("is_ipaddrv6")) { if(is_ipaddrv6($interfaces[$unboundif]['ipaddrv6'])) { @@ -370,7 +376,7 @@ function unbound_get_query_interface_addresses() { function unbound_acls_config() { global $config; - + /* Configure the ACLs */ if(is_array($config['installedpackages']['unboundacls']['config'])) { $unbound_acls = $config['installedpackages']['unboundacls']['config']; @@ -381,7 +387,7 @@ function unbound_acls_config() { if ($unbound_acl['aclaction'] == "allow snoop") $unbound_acl['aclaction'] = "allow_snoop"; $unboundcfg .= "access-control: {$network['acl_network']}/{$network['mask']} {$unbound_acl['aclaction']}\n"; - } + } } return $unboundcfg; } else @@ -390,21 +396,20 @@ function unbound_acls_config() { function unbound_resync_config() { global $config, $g, $input_errors; - + + $unbound_base = UNBOUND_BASE; + if (!is_array($config['installedpackages']['unbound']['config'])) $config['installedpackages']['unbound']['config'] = array(); $unbound_config = &$config['installedpackages']['unbound']['config'][0]; - + // Interfaces to bind to and setup acls for nics $unbound_bind_interfaces = ""; $unbound_allowed_networks = ""; $unboundnetcfg = unbound_get_network_interface_addresses(); foreach($unboundnetcfg as $netent) { foreach($netent as $entry) { - # If virtual interface then skip - if (!$entry['network'] && !$entry['subnet'] && ($entry['ipaddr'] != "127.0.0.1" && $entry['ipaddr'] != "::1")) - continue; $unbound_bind_interfaces .="interface: {$entry['ipaddr']}\n"; if($entry['ipaddr'] != "127.0.0.1" && $entry['ipaddr'] != "::1") $unbound_allowed_networks .= "access-control: {$entry['network']}/{$entry['subnet']} allow\n"; 
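Review bot: With the `# If virtual interface then skip` guard removed from unbound_resync_config(), an entry that has no network or subnet now reaches `$unbound_allowed_networks .= "access-control: {$entry['network']}/{$entry['subnet']} allow\n";` and emits the line `access-control: / allow`. Whether unbound_get_network_interface_addresses() can still return such entries is not visible in this hunk, but the deleted check suggests it could, and a malformed ACL line is likely to stop the resolver from loading its configuration. If the aim is to bind virtual addresses without opening an ACL for them, keep the `interface:` line and extend the existing condition to `if ($entry['network'] && $entry['subnet'] && $entry['ipaddr'] != "127.0.0.1" && $entry['ipaddr'] != "::1")`. The function body continues past the hunk.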
@@ -420,19 +425,19 @@ function unbound_resync_config() { /* Configure user configured ACLs */ $unbound_allowed_networks .= unbound_acls_config(); - + if($unbound_config['dnssec_status'] == "on") { $module_config = "validator iterator"; - $anchor_file = "auto-trust-anchor-file: /usr/local/etc/unbound/root-trust-anchor"; + $anchor_file = "auto-trust-anchor-file: " . UNBOUND_BASE . "/etc/unbound/root-trust-anchor"; } else $module_config = "iterator"; - + // Host entries $host_entries = unbound_add_host_entries(); - + // Domain Overrides $domain_overrides = unbound_add_domain_overrides(); - + // Unbound Statistics if($unbound_config['stats'] == "on") { $stats_interval = $unbound_config['stats_interval']; @@ -440,13 +445,13 @@ function unbound_resync_config() { if ($unbound_config['extended_stats'] == "on") $extended_stats = "yes"; else - $extended_stats = "no"; + $extended_stats = "no"; } else { $stats_interval = "0"; $cumulative_stats = "no"; $extended_stats = "no"; } - + // Private-address support for DNS Rebinding if($unbound_config['private_address'] == "on") { $pvt_addr = <<<EOF @@ -467,7 +472,7 @@ EOF; //Setup optimization $optimization = unbound_optimization(); - + $unbound_config = &$config['installedpackages']['unboundadvanced']['config'][0]; // Setup Advanced options $log_verbosity = (isset($unbound_config['unbound_verbosity'])) ? $unbound_config['unbound_verbosity'] : "1"; @@ -488,8 +493,7 @@ EOF; $infra_lame_ttl = (!empty($unbound_config['infra_lame_ttl'])) ? $unbound_config['infra_lame_ttl'] : "900"; $infra_cache_numhosts = (!empty($unbound_config['infra_cache_numhosts'])) ? $unbound_config['infra_cache_numhosts'] : "10000"; $unwanted_reply_threshold = (!empty($unbound_config['unwanted_reply_threshold'])) ? $unbound_config['unwanted_reply_threshold'] : "0"; - - + $unbound_conf = <<<EOD ######################### 
@@ -502,7 +506,7 @@ EOF; server: chroot: "" username: "unbound" -directory: "/usr/local/etc/unbound" +directory: "{$unbound_base}/etc/unbound" pidfile: "{$g['varrun_path']}/unbound.pid" root-hints: "root.hints" harden-referral-path: no @@ -564,14 +568,14 @@ access-control: ::1 allow EOD; -# Handle custom options -if(!empty($unbound_config['custom_options'])) { - $custom_options = explode(";", ($unbound_config['custom_options'])); - $unbound_conf .= "# Unbound Custom options\n"; - foreach ($custom_options as $ent) { - $unbound_conf .= $ent."\n"; + # Handle custom options + if(!empty($unbound_config['custom_options'])) { + $custom_options = explode(";", ($unbound_config['custom_options'])); + $unbound_conf .= "# Unbound Custom options\n"; + foreach ($custom_options as $ent) { + $unbound_conf .= $ent."\n"; + } } -} $unbound_conf .= <<<EOD @@ -582,22 +586,24 @@ remote-control: control-enable: yes control-interface: 127.0.0.1 control-port: 953 -server-key-file: "/usr/local/etc/unbound/unbound_server.key" -server-cert-file: "/usr/local/etc/unbound/unbound_server.pem" -control-key-file: "/usr/local/etc/unbound/unbound_control.key" -control-cert-file: "/usr/local/etc/unbound/unbound_control.pem" +server-key-file: "{$unbound_base}/etc/unbound/unbound_server.key" +server-cert-file: "{$unbound_base}/etc/unbound/unbound_server.pem" +control-key-file: "{$unbound_base}/etc/unbound/unbound_control.key" +control-cert-file: "{$unbound_base}/etc/unbound/unbound_control.pem" EOD; - file_put_contents("/usr/local/etc/unbound/unbound.conf", $unbound_conf); - + conf_mount_rw(); + file_put_contents("{$unbound_base}/etc/unbound/unbound.conf", $unbound_conf); + conf_mount_ro(); + } function unbound_ctl_exec($cmd) { - - mwexec("/usr/local/sbin/unbound-control $cmd"); - + + mwexec(UNBOUND_BASE . "/sbin/unbound-control $cmd"); + } 
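Review bot: unbound_ctl_exec() builds `UNBOUND_BASE . "/sbin/unbound-control $cmd"` and hands it to mwexec(), so `$cmd` reaches a shell unquoted; callers in this file pass `"forward $dns_servers"`, where the server list is assembled from configuration values. The helper cannot simply escapeshellarg() the whole string because `dump_cache > $cache_dumpfile` depends on the redirect, so the safer change is at the call sites: accept a nameserver only when `is_ipaddr($nameserver)` holds and append it as `$dns_servers .= " " . escapeshellarg($nameserver);`. A one-line comment on unbound_ctl_exec() stating that `$cmd` is interpreted by the shell and must be built from validated values would document the contract.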
@@ -609,7 +615,7 @@ function unbound_optimization() { $unbound_config = $config['installedpackages']['unboundadvanced']['config'][0]; $optimization_settings = array(); - + // Set the number of threads equal to number of CPUs. // Use 1 (disable threading) if for some reason this sysctl fails. $numprocs = intval(trim(`/sbin/sysctl kern.smp.cpus | /usr/bin/cut -d" " -f2`)); @@ -617,7 +623,7 @@ function unbound_optimization() { $optimization['number_threads'] = "num-threads: {$numprocs}"; else $optimization['number_threads'] = "num-threads: 1"; - + // Slabs to help reduce lock contention. if ($numprocs > 4) { $optimization['msg_cache_slabs'] = "msg-cache-slabs: {$numprocs}"; @@ -630,7 +636,7 @@ function unbound_optimization() { $optimization['infra_cache_slabs'] = "infra-cache-slabs: 4"; $optimization['key_cache_slabs'] = "key-cache-slabs: 4"; } - + // Memory usage - default is 4Mb if nothing has been selected if(isset($unbound_config['msg_cache_size'])) { $rr = $unbound_config['msg_cache_size']*2; @@ -640,7 +646,7 @@ function unbound_optimization() { $optimization['msg_cache_size'] = "msg-cache-size: 4m"; $optimization['rrset_cache_size'] = "rrset-cache-size: 8m"; } - + // More outgoing connections per thread otherwise assign a default of 4096 for a single thread if($numprocs > 0) { $or = (1024/$numprocs) - 50; @@ -659,7 +665,7 @@ function unbound_optimization() { $optimization['so_rcvbuf'] = "so-rcvbuf: {$so}m"; else unset($optimization['so_rcvbuf']); - + } } // Safety check in case kern.ipc.maxsockbuf is deleted. @@ -671,12 +677,12 @@ function unbound_optimization() { function fetch_root_hints() { - $destination_file = "/usr/local/etc/unbound/root.hints"; + $destination_file = UNBOUND_BASE . "/etc/unbound/root.hints"; if (filesize($destination_file) == 0 ) { conf_mount_rw(); $fout = fopen($destination_file, "w"); $url = "ftp://ftp.internic.net/domain/named.cache"; - + $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1); 
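Review bot: fetch_root_hints() opens `$destination_file` with mode "w" before the transfer runs and takes its data from `ftp://ftp.internic.net/domain/named.cache`, an unauthenticated cleartext download, so a failed or tampered fetch leaves root.hints empty or filled with content nobody verified. When DNSSEC validation is switched off in this package, nothing else checks which servers the resolver primes from. Shipping a known-good root.hints with the package and replacing it only after a complete download over an authenticated channel, written to a temporary file and renamed into place, would close both gaps. The rest of the function, including the fwrite(), is in the next hunk.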
@@ -688,7 +694,7 @@ function fetch_root_hints() { fwrite($fout, $data); fclose($fout); conf_mount_ro(); - + return ($http_code == 200) ? true : $http_code; } else { return false; @@ -700,18 +706,18 @@ function unbound_validate($post, $type=null) { if($post['unbound_status'] == "on" && isset($config['dnsmasq']['enable'])) $input_errors[] = "The system dns-forwarder is still active. Disable it before enabling the Unbound service."; - + /* Validate the access lists */ if($type == "acl") { $acls = $post; // Check to ensure values entered is an action that is in the list if ($acls['aclaction'] != 'refuse' && $acls['aclaction'] != 'allow' && $acls['aclaction'] != 'allow_snoop' && $acls['aclaction'] != 'deny') $input_errors[] = "{$acls['aclaction']} is not a valid ACL Action. Please select one of the four actions defined in the list."; - + // Make sure there is at least 1 network defined. - if (!isset($acls['acl_network0'])) + if (!isset($acls['acl_network0'])) $input_errors[] = "You need to specify at least one network to create a valid ACL."; - + $count = 0; // Get number of rows added, should be passed by the form - will look into that later for($i=0; $i<99; $i++) { @@ -719,7 +725,7 @@ function unbound_validate($post, $type=null) { // Check to ensure values entered are networks if(!is_ipaddr($acls['acl_network'.$i]) && !is_subnet($acls['mask'.$i])) $input_errors[] = "{$acls['acl_network'.$i]}/{$acls['mask'.$i]} is not a valid network."; - } + } } } else if($type == "advanced") { if(!is_numeric($post['cache_max_ttl'])) @@ -732,7 +738,7 @@ function unbound_validate($post, $type=null) { $input_errors[] = "You must enter a valid number in 'TTL for lame delegation'."; if(!is_numeric($post['infra_cache_numhosts'])) $input_errors[] = "You must enter a valid number in 'Number of Hosts to cache'."; - + } else if($type == "basic") { /* Validate settings */ if($post['active_interface'] == "") 
@@ -742,9 +748,9 @@ function unbound_validate($post, $type=null) { function unbound_reconfigure() { global $config; - + $unbound_config = $config['installedpackages']['unbound']['config'][0]; - + if ($unbound_config['unbound_status'] != "on") { if(is_service_running("unbound")) unbound_control("termstop"); @@ -759,7 +765,7 @@ function unbound_reconfigure() { unbound_control("forward"); unbound_control("restore_cache"); } - } + } } function unbound_uninstall() { @@ -769,20 +775,20 @@ function unbound_uninstall() { unbound_control("termstop"); // Remove pkg config directory and startup file - mwexec("rm -rf /usr/local/etc/unbound"); + mwexec("rm -rf " . UNBOUND_BASE . "/etc/unbound"); @unlink("/usr/local/etc/rc.d/unbound.sh"); @unlink("{$g['varlog_path']}/unbound.log"); @unlink("/var/tmp/unbound_cache"); - conf_mount_ro(); + conf_mount_ro(); } function read_hosts() { - + // Open /etc/hosts and extract the only dhcpleases info $etc_hosts = array(); - foreach (file('/etc/hosts') as $line) { + foreach (file('/etc/hosts') as $line) { $d = preg_split('/\s/', $line, -1, PREG_SPLIT_NO_EMPTY); if (empty($d) || substr(reset($d), 0, 1) == "#") continue; @@ -806,12 +812,12 @@ function read_hosts() { */ function unbound_add_host_entries() { global $config; - + /* XXX: break this out into a separate config file and make use of include */ $unboundcfg = $config['installedpackages']['unbound']['config'][0]; $syscfg = $config['system']; $dnsmasqcfg = $config['dnsmasq']; - + $unbound_entries = "local-zone: \"{$syscfg['domain']}\" transparent\n"; // IPv4 entries $unbound_entries .= "local-data-ptr: \"127.0.0.1 localhost\"\n"; @@ -823,7 +829,7 @@ function unbound_add_host_entries() { $unbound_entries .= "local-data: \"localhost AAAA ::1\"\n"; $unbound_entries .= "local-data: \"localhost.{$syscfg['domain']} AAAA ::1\"\n"; } - + if ($config['interfaces']['lan']) { $cfgip = get_interface_ip("lan"); if (is_ipaddr($cfgip)) { 
@@ -866,12 +872,12 @@ function unbound_add_host_entries() { $host_entries .= "local-data: \"{$host['host']}{$host['domain']} IN A {$host['ip']}\"\n"; if (!empty($host['descr']) && $unboundcfg['txtsupport'] == 'on') $host_entries .= "local-data: '{$host['host']}{$host['domain']} TXT \"".addslashes($host['descr'])."\"'\n"; - + // Do not add duplicate entries $added_item[$current_host] = true; } } - $unbound_entries .= $host_entries; + $unbound_entries .= $host_entries; } // Static DHCP entries $host_entries = ""; @@ -886,7 +892,7 @@ function unbound_add_host_entries() { $host_entries .= "local-data: '{$host['hostname']}.{$syscfg['domain']} TXT \"".addslashes($host['descr'])."\"'\n"; } $unbound_entries .= $host_entries; - } + } // Handle DHCPLeases added host entries $dhcplcfg = read_hosts(); @@ -915,7 +921,7 @@ function unbound_add_domain_overrides($pvt=false) { // Domain overrides that have multiple entries need multiple stub-addr: added $sorted_domains = msort($domains, "domain"); - $result = array(); + $result = array(); foreach($sorted_domains as $domain) { $domain_key = current($domain); if(!isset($result[$domain_key])) { @@ -923,7 +929,7 @@ function unbound_add_domain_overrides($pvt=false) { } $result[$domain_key][] = $domain['ip']; } - + $domain_entries = ""; foreach($result as $domain=>$ips) { if($pvt == true) { @@ -939,7 +945,7 @@ function unbound_add_domain_overrides($pvt=false) { } } return $domain_entries; - } + } } function unbound_acl_id_used($id) { @@ -962,4 +968,4 @@ function unbound_get_next_id() { return $aclid; } -?>
\ No newline at end of file +?> diff --git a/config/unbound/unbound.xml b/config/unbound/unbound.xml index 202e8451..10de1f97 100644 --- a/config/unbound/unbound.xml +++ b/config/unbound/unbound.xml @@ -9,7 +9,7 @@ part of the Unbound package for pfSense (http://www.pfSense.com) Copyright (C) 2011 Warren Baker All rights reserved. - */ + */ /* ========================================================================== */ /* Redistribution and use in source and binary forms, with or without @@ -34,13 +34,13 @@ POSSIBILITY OF SUCH DAMAGE. */ /* ========================================================================== */ - ]]> + ]]> </copyright> <description>Unbound is a validating, recursive, and caching DNS resolver.</description> <requirements/> <faq/> <name>unbound</name> - <version>1.4.14</version> + <version>1.4.20_5</version> <title>Services: Unbound DNS Forwarder: Basic Settings</title> <include_file>/usr/local/pkg/unbound.inc</include_file> <menu> @@ -76,7 +76,7 @@ <item>http://www.pfsense.org/packages/config/unbound/unbound_advanced.xml</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/etc/rc.d/</prefix> + <prefix>/usr/local/bin/</prefix> <chmod>0755</chmod> <item>http://www.pfsense.org/packages/config/unbound/unbound_monitor.sh</item> </additional_files_needed> @@ -142,7 +142,7 @@ <fieldname>forwarding_mode</fieldname> <fielddescr>Enable forwarding mode</fielddescr> <description>Configure the server to make use of the DNS servers configured in <a href="system.php">System: General setup</a>. <br/> - <b>Note:</b> Disabling this will cause Unbound to perform DNS queries without + <b>Note:</b> Disabling this will cause Unbound to perform DNS queries without using the upstream configured DNS servers.</description> <type>checkbox</type> <default_value>on</default_value> diff --git a/config/unbound/unbound_acls.php b/config/unbound/unbound_acls.php index a7c3ea9e..721d3adb 100644 --- a/config/unbound/unbound_acls.php 
+++ b/config/unbound/unbound_acls.php @@ -95,7 +95,7 @@ if ($_POST) { $input_errors[] = gettext("You must enter a valid IPv4 address for {$networkacl[$x]['acl_network']}."); } } - + if (!$input_errors) { if ($pconfig['Submit'] == gettext("Save")) { @@ -173,7 +173,7 @@ if (is_subsystem_dirty("unbound")) print_info_box_np(gettext("The settings for Unbound DNS has changed. You must apply the configuration to take affect.")); ?> <table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> + <tr> <td class="tabnavtbl"> <ul id="tabnav"> <?php @@ -186,7 +186,7 @@ if (is_subsystem_dirty("unbound")) ?> </ul> </td> - </tr> + </tr> <tr> <td class="tabcont"> 
@@ -221,10 +221,10 @@ if (is_subsystem_dirty("unbound")) <br/> <span class="vexpl"> <?=gettext("Choose what to do with DNS requests that match the criteria specified below.");?> <br/> - <?=gettext("<b>Deny:</b> This actions stops queries from hosts within the netblock defined below.");?> <br/> - <?=gettext("<b>Refuse:</b> This actions also stops queries from hosts within the netblock defined below, but sends back DNS rcode REFUSED error message back tot eh client.");?> <br/> - <?=gettext("<b>Allow:</b> This actions allows queries from hosts within the netblock defined below.");?> <br/> - <?=gettext("<b>Allow Snoop:</b> This actions allows recursive and nonrecursive access from hosts within the netblock defined below. Used for cache snooping and ideally should only be configured for your administrative host.");?> <br/> + <?=gettext("<b>Deny:</b> This action stops queries from hosts within the netblock defined below.");?> <br/> + <?=gettext("<b>Refuse:</b> This action also stops queries from hosts within the netblock defined below, but sends a DNS rcode REFUSED error message back to the client.");?> <br/> + <?=gettext("<b>Allow:</b> This action allows queries from hosts within the netblock defined below.");?> <br/> + <?=gettext("<b>Allow Snoop:</b> This action allows recursive and nonrecursive access from hosts within the netblock defined below. Used for cache snooping and ideally should only be configured for your administrative host.");?> <br/> </span> </td> </tr> @@ -375,4 +375,4 @@ if (is_subsystem_dirty("unbound")) </tr> </table> </body> -<?php include("fend.inc"); ?>
\ No newline at end of file +<?php include("fend.inc"); ?> diff --git a/config/unbound/unbound_acls.xml b/config/unbound/unbound_acls.xml index 7c6840ce..04319169 100644 --- a/config/unbound/unbound_acls.xml +++ b/config/unbound/unbound_acls.xml @@ -99,10 +99,10 @@ <fieldname>aclaction</fieldname> <fielddescr>Action</fielddescr> <description><br/>Choose an action:<br/><br/> - <b>Allow:</b> This actions allows queries from hosts within the netblock(s) defined below.<br/> - <b>Allow Snoop:</b> This actions allows recursive and nonrecursive access from hosts within the netblock(s) defined below. Used for cache snooping and ideally should only be configured for your administrative host.<br/> - <b>Deny:</b> This actions stops queries from hosts within the netblock(s) defined below.<br/> - <b>Refuse:</b> This actions also stops queries from hosts within the netblock(s) defined below, but sends back DNS rcode REFUSED error message back to the client.</description> + <b>Allow:</b> This action allows queries from hosts within the netblock(s) defined below.<br/> + <b>Allow Snoop:</b> This action allows recursive and nonrecursive access from hosts within the netblock(s) defined below. Used for cache snooping and ideally should only be configured for your administrative host.<br/> + <b>Deny:</b> This action stops queries from hosts within the netblock(s) defined below.<br/> + <b>Refuse:</b> This action also stops queries from hosts within the netblock(s) defined below, but sends a DNS rcode REFUSED error message back to the client.</description> <type>select</type> <options> <option><name>Allow</name><value>allow</value></option> diff --git a/config/unbound/unbound_advanced.xml b/config/unbound/unbound_advanced.xml index 30fca482..7603d0aa 100644 --- a/config/unbound/unbound_advanced.xml +++ b/config/unbound/unbound_advanced.xml 
@@ -99,7 +99,7 @@ <field> <fieldname>prefetch</fieldname> <fielddescr>Prefetch Support</fielddescr> - <description>If enabled, the message cache elements are prefetched before they expire to keep the cache up to date. Enabling this option causes an increase of about 10 percent more traffic and load on the server, but popular items do not expire form the cache. Default is disabled.</description> + <description>If enabled, the message cache elements are prefetched before they expire to keep the cache up to date. Enabling this option causes an increase of about 10 percent more traffic and load on the server, but popular items do not expire from the cache. Default is disabled.</description> <type>checkbox</type> <default_value>off</default_value> <advancedfield/> @@ -123,7 +123,7 @@ <field> <fieldname>harden_dnssec_stripped</fieldname> <fielddescr>Harden DNSSEC data</fielddescr> - <description>If enabled, DNSSEC data is required for trust-anchored zones. If such data is absent, the zone is becomes bogus. If disabled then and no DNSSEC data is received, then the zone is made insecure. The default is enabled.</description> + <description>If enabled, DNSSEC data is required for trust-anchored zones. If such data is absent, the zone is considered bogus. If disabled and no DNSSEC data is received, then the zone is made insecure. The default is enabled.</description> <type>checkbox</type> <default_value>on</default_value> <advancedfield/> 
@@ -305,7 +305,7 @@ <field> <fielddescr>Custom Options</fielddescr> <fieldname>custom_options</fieldname> - <description>You can put your own custom options here, separated by semi-colons (;). These configurations options will then be added to the configuration file. <br/> <b>Note:</b> They need to be Unbound native configuration options, otherwise Unbound will <b>not</b> work.</description> + <description>You can put your own custom options here, separated by semi-colons (;). These configuration options will then be added to the configuration file. <br/> <b>Note:</b> They need to be Unbound native configuration options, otherwise Unbound will <b>not</b> work.</description> <type>textarea</type> <cols>65</cols> <rows>5</rows> diff --git a/config/unbound/unbound_monitor.sh b/config/unbound/unbound_monitor.sh index 152a308e..91e5a2ed 100755 --- a/config/unbound/unbound_monitor.sh +++ b/config/unbound/unbound_monitor.sh 
@@ -27,37 +27,65 @@ # POSSIBILITY OF SUCH DAMAGE. # +export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin + set -e LOOP_SLEEP=5 +PIDFILE=/var/run/unbound_monitor.pid if [ -f /var/run/unbound_alarm ]; then rm /var/run/unbound_alarm fi +PID="" +if [ -f "${PIDFILE}" ]; then + PID=`head -n 1 ${PIDFILE}` +fi + +if [ "$1" = "stop" ]; then + if [ -n "${PID}" ] && ps -p ${PID} | grep -q unbound_monitor.sh; then + kill ${PID} + else + pkill -f unbound_monitor.sh + fi + exit 0 +fi + +if [ -n "${PID}" ] && ps -p ${PID} | grep -q unbound_monitor.sh; then + echo "There is another unbound monitor process running" + exit 0 +fi + +echo $$ > ${PIDFILE} + # Sleep 5 seconds on startup not to mangle with existing boot scripts. sleep 5 -while [ /bin/true ]; do - if [ ! -f /var/run/unbound_alarm ]; then - NUM_PROCS=`/bin/pgrep unbound | wc -l | awk '{print $1}'` - if [ $NUM_PROCS -lt 1 ]; then - # Unbound is not running - echo "Unbound has exited." | logger -p daemon.info -i -t Unbound_Alarm - echo "Attempting restart..." | logger -p daemon.info -i -t Unbound_Alarm - /usr/local/etc/rc.d/unbound.sh start - sleep 3 - touch /var/run/unbound_alarm - fi - fi - NUM_PROCS=`/bin/pgrep unbound | wc -l | awk '{print $1}'` - if [ $NUM_PROCS -gt 0 ]; then - if [ -f /var/run/unbound_alarm ]; then - echo "Unbound has resumed." | logger -p daemon.info -i -t Unbound_Alarm - rm /var/run/unbound_alarm - fi - fi - sleep $LOOP_SLEEP +while true; do + if [ ! -f "${PIDFILE}" ]; then + echo $$ > ${PIDFILE} + fi + + if [ ! -f /var/run/unbound_alarm ]; then + NUM_PROCS=`pgrep unbound | wc -l | awk '{print $1}'` + if [ $NUM_PROCS -lt 1 ]; then + # Unbound is not running + echo "Unbound has exited." | logger -p daemon.info -i -t Unbound_Alarm + echo "Attempting restart..." 
| logger -p daemon.info -i -t Unbound_Alarm + /usr/local/etc/rc.d/unbound.sh start + sleep 3 + touch /var/run/unbound_alarm + fi + fi + NUM_PROCS=`pgrep unbound | wc -l | awk '{print $1}'` + if [ $NUM_PROCS -gt 0 ]; then + if [ -f /var/run/unbound_alarm ]; then + echo "Unbound has resumed." | logger -p daemon.info -i -t Unbound_Alarm + rm /var/run/unbound_alarm + fi + fi + sleep $LOOP_SLEEP done if [ -f /var/run/unbound_alarm ]; then diff --git a/config/unbound/unbound_status.php b/config/unbound/unbound_status.php index d011b109..d7371f29 100644 --- a/config/unbound/unbound_status.php +++ b/config/unbound/unbound_status.php @@ -31,6 +31,12 @@ require("guiconfig.inc"); +// Define basedir constant for unbound according to FreeBSD version (PBI support or no PBI) +if (floatval(php_uname("r")) >= 8.3) + define("UNBOUND_BASE", "/usr/pbi/unbound-" . php_uname("m")); +else + define("UNBOUND_BASE", "/usr/local"); + if(!is_process_running("unbound")) { Header("Location: /pkg_edit.php?xml=unbound.xml&id=0"); exit; @@ -40,11 +46,11 @@ $pgtitle = "Services: Unbound DNS Forwarder: Status"; include("head.inc"); function doCmdT($title, $command, $rows) { - echo "<p>\n"; - echo "<a name=\"" . $title . "\">\n"; - echo "<table width=\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n"; - echo "<tr><td class=\"listtopic\">" . $title . "</td></tr>\n"; - echo "<tr><td class=\"listlr\"><textarea style=\"font-family:courier\"cols=\"101\" rows=\"$rows\">"; /* no newline after pre */ + echo "<p>\n"; + echo "<a name=\"" . $title . "\">\n"; + echo "<table width=\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n"; + echo "<tr><td class=\"listtopic\">" . $title . "</td></tr>\n"; + echo "<tr><td class=\"listlr\"><textarea style=\"font-family:courier\"cols=\"101\" rows=\"$rows\">"; /* no newline after pre */ if ($command == "dumpconfigxml") { $fd = @fopen("/conf/config.xml", "r"); 
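Review bot: With `set -e` still in force in unbound_monitor.sh, a non-zero exit from `/usr/local/etc/rc.d/unbound.sh start` inside the loop ends the monitor itself, so the watchdog disappears exactly when a restart fails and the PID file is left stale. Writing the call as `/usr/local/etc/rc.d/unbound.sh start || echo "Unbound restart failed." | logger -p daemon.err -i -t Unbound_Alarm` keeps the loop alive and records the failure. The liveness test `pgrep unbound` also matches any process whose name contains that string, such as a long-running unbound-control, so `pgrep -x unbound` or a check of the daemon's own pidfile would be stricter. The new `${PID}` and `${PIDFILE}` expansions are unquoted; quoting them guards against an unexpected value in the PID file.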
@@ -71,46 +77,46 @@ function doCmdT($title, $command, $rows) { echo htmlspecialchars($execOutput[$i],ENT_NOQUOTES); } } - echo "</textarea></tr>\n"; - echo "</table>\n"; + echo "</textarea></tr>\n"; + echo "</table>\n"; } /* Execute a command, giving it a title which is the same as the command. */ function doCmd($command) { - doCmdT($command,$command); + doCmdT($command,$command); } /* Define a command, with a title, to be executed later. */ function defCmdT($title, $command, $rows = "20") { - global $commands; - $title = htmlspecialchars($title,ENT_NOQUOTES); - $commands[] = array($title, $command, $rows); + global $commands; + $title = htmlspecialchars($title,ENT_NOQUOTES); + $commands[] = array($title, $command, $rows); } /* Define a command, with a title which is the same as the command, * to be executed later. */ function defCmd($command) { - defCmdT($command,$command); + defCmdT($command,$command); } /* List all of the commands as an index. */ function listCmds() { - global $commands; - echo "<p>" . gettext("This status page includes the following information") . ":\n"; - echo "<ul width=\"100%\">\n"; - for ($i = 0; isset($commands[$i]); $i++ ) { - echo "<li><strong><a href=\"#" . $commands[$i][0] . "\">" . $commands[$i][0] . "</a></strong>\n"; - } - echo "</ul>\n"; + global $commands; + echo "<p>" . gettext("This status page includes the following information") . ":\n"; + echo "<ul width=\"100%\">\n"; + for ($i = 0; isset($commands[$i]); $i++ ) { + echo "<li><strong><a href=\"#" . $commands[$i][0] . "\">" . $commands[$i][0] . "</a></strong>\n"; + } + echo "</ul>\n"; } /* Execute all of the commands which were defined by a call to defCmd. */ function execCmds() { - global $commands; - for ($i = 0; isset($commands[$i]); $i++ ) { - doCmdT($commands[$i][0], $commands[$i][1], $commands[$i][2]); - } + global $commands; + for ($i = 0; isset($commands[$i]); $i++ ) { + doCmdT($commands[$i][0], $commands[$i][1], $commands[$i][2]); + } } ?> 
@@ -135,10 +141,10 @@ function execCmds() { </tr> </table> <table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td class="tabcont" width="100%"> + <tr> + <td class="tabcont" width="100%"> <?php - $entries = trim(exec("/usr/local/sbin/unbound-control dump_cache | wc -l")); + $entries = trim(exec(UNBOUND_BASE . "/sbin/unbound-control dump_cache | wc -l")); defCmdT("Unbound status", "unbound-control status", "6"); defCmdT("Unbound stats", "unbound-control stats_noreset"); defCmdT("Unbound stubs", "unbound-control list_stubs", "8"); @@ -146,12 +152,12 @@ function execCmds() { defCmdT("Unbound local zones", "unbound-control list_local_zones"); defCmdT("Unbound local data", "unbound-control list_local_data"); defCmdT("Unbound cache ($entries entries)", "unbound-control dump_cache", "60"); - defCmdT("Unbound configuration", "/bin/cat /usr/local/etc/unbound/unbound.conf", "60"); + defCmdT("Unbound configuration", "/bin/cat " . UNBOUND_BASE . "/etc/unbound/unbound.conf", "60"); listCmds(); execCmds(); ?> - </td> - </tr> + </td> + </tr> </table> </div> <?php include("fend.inc"); ?> |
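Review bot: Only the entry count was moved to `UNBOUND_BASE . "/sbin/unbound-control"`; the defCmdT() entries below it still run a bare `unbound-control`, which is resolved through the web server's PATH. On a PBI install the binary lives under UNBOUND_BASE, so these commands either fail or run whichever unbound-control appears first on PATH (whether the PBI links it into a PATH directory is not visible here). Building each command from the same prefix, e.g. `defCmdT("Unbound status", UNBOUND_BASE . "/sbin/unbound-control status", "6");`, keeps the status page on the binary the package installed.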