From 0febd1df75639733ba8fe875394daa82f8764787 Mon Sep 17 00:00:00 2001 From: Warren Baker Date: Sun, 19 Jun 2011 18:53:27 +0200 Subject: Refactor network interface setup and now configure Unbound to listen on IPv6. --- config/unbound/unbound.inc | 77 ++++++++++++++++++++++------------------------ 1 file changed, 37 insertions(+), 40 deletions(-) (limited to 'config/unbound') diff --git a/config/unbound/unbound.inc b/config/unbound/unbound.inc index 595bde52..56c76066 100644 --- a/config/unbound/unbound.inc +++ b/config/unbound/unbound.inc @@ -31,7 +31,9 @@ if(!function_exists("get_dns_servers")) if(!function_exists("get_nameservers")) require_once("system.inc"); - + +if(!function_exists("gen_subnetv6") || !function_exists("gen_subnet")) + require_once("util.inc"); function unbound_initial_setup() { global $config, $g; 
@@ -231,28 +233,21 @@ function unbound_control($action) { } -function unbound_get_network_interface_addresses($subnet=false, $mask=false) { +function unbound_get_network_interface_addresses() { global $config; - - /* calculate interface ip + subnet information */ - $interfaces = explode(",", $config['installedpackages']['unbound']['config'][0]['active_interface']); + + $interfaces = $config['interfaces']; + $unbound_config = $config['installedpackages']['unbound']['config'][0]; + $unboundint = explode(",", $unbound_config['active_interface']); $unbound_interfaces = array(); - foreach ($interfaces as $unboundidx => $unboundif) { - $unboundrealif = convert_friendly_interface_to_real_interface_name($unboundif); - $unboundip = find_interface_ip($unboundrealif); - $ipmask = find_interface_subnet($unboundrealif); - - // If $subnet is passed then calculate the beginning of the network range for the IP address - if ($subnet) - $network = gen_subnet($unboundip, $ipmask); - else - $network = $unboundip; - - if ($mask) - $unbound_interfaces[] = "$network/$ipmask"; - else { - $unbound_interfaces[] = $network; - // Check for CARP addresses and also return those + + foreach ($unboundint as $unboundidx => $unboundif) { + /* Configure IPv4 addresses */ + if (is_ipaddr($interfaces[$unboundif]['ipaddr'])) { + $unbound_interfaces['ipv4']['ipaddr'] = $interfaces[$unboundif]['ipaddr']; + $unbound_interfaces['ipv4']['subnet'] = $interfaces[$unboundif]['subnet']; + $unbound_interfaces['ipv4']['network'] = gen_subnet($unbound_interfaces['ipv4']['ipaddr'],$unbound_interfaces['ipv4']['subnet']); + // Check for CARP addresses and also return those - only IPv4 for now if (isset($config['virtualip'])) { if(is_array($config['virtualip']['vip'])) { foreach($config['virtualip']['vip'] as $vip) { 
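Review bot: Keying the result by the fixed strings 'ipv4', 'ipv6' and 'virtual' (`$unbound_interfaces['ipv4']['ipaddr'] = $interfaces[$unboundif]['ipaddr'];`) means every pass of `foreach ($unboundint as $unboundidx => $unboundif)` overwrites the previous one, so when active_interface lists several interfaces only the last one survives, whereas the removed code appended with `$unbound_interfaces[] = ...`. The caller in unbound_resync_config walks this array to emit `interface:` and `access-control:` lines, so every selected interface but the last would be neither bound nor allowed. Nesting per interface, e.g. `$unbound_interfaces[$unboundif]['ipv4'] = array('ipaddr' => ..., 'subnet' => ..., 'network' => ...);`, preserves all of them at the cost of adjusting the caller's loop. Separately, `is_ipaddr($interfaces[$unboundif]['ipaddr'])` tests the raw config value, so an interface whose address is a keyword such as `dhcp` is presumably skipped where the removed `find_interface_ip()` resolved the live address — worth confirming against the interface config schema. The function continues past the end of this hunk.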
@@ -261,21 +256,28 @@ function unbound_get_network_interface_addresses($subnet=false, $mask=false) { if ($virtual_ip == '') { log_error("Unbound DNS: There was a problem setting up the Virtual IP for the interface ".link_ip_to_carp_interface($vip['subnet'])); } else { - $unbound_interfaces[] = $virtual_ip; + $unbound_interfaces['virtual']['ipaddr'] = $virtual_ip; } } } } } } - } - return $unbound_interfaces; + /* Configure IPv6 addresses */ + if(is_ipaddr($interfaces[$unboundif]['ipaddrv6'])) { + $unbound_interfaces['ipv6']['ipaddr'] = $interfaces[$unboundif]['ipaddrv6']; + $unbound_interfaces['ipv6']['subnet'] = $interfaces[$unboundif]['subnetv6']; + $unbound_interfaces['ipv6']['network'] = gen_subnetv6($unbound_interfaces['ipv6']['ipaddr'], $unbound_interfaces['ipv6']['subnet']); + } + } + return $unbound_interfaces; } function unbound_acls_config() { global $config; - + + /* Configure the ACLs */ if(is_array($config['installedpackages']['unboundacls']['config'])) { $unbound_acls = $config['installedpackages']['unboundacls']['config']; $unboundcfg = ""; 
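Review bot: `$unbound_interfaces['virtual']['ipaddr'] = $virtual_ip;` is assigned once per VIP inside the `foreach($config['virtualip']['vip'] as $vip)` loop, so with more than one CARP address only the last reaches the caller; the removed `$unbound_interfaces[] = $virtual_ip;` collected all of them. The 'virtual' entry also carries only 'ipaddr', with no 'network' or 'subnet', unlike the 'ipv4' and 'ipv6' entries — the caller interpolates all three keys, so either populate the subnet here or state the asymmetry in a comment such as `// 'virtual' holds ipaddr only: CARP VIPs are bound to, not turned into ACLs`. The same fixed-key overwrite affects the new 'ipv6' block when several interfaces are selected. The enclosing function starts before this hunk.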
@@ -298,27 +300,23 @@ function unbound_resync_config() { $config['installedpackages']['unbound']['config'] = array(); $unbound_config = &$config['installedpackages']['unbound']['config'][0]; - $unbound_stats = &$config['installedpackages']['unbound_statistics']['config'][0]; - // Add networks physically attached to allowed networks and then call the acls - $interfaces = unbound_get_network_interface_addresses(true, true); - foreach($interfaces as $allowed_network) { - $unbound_allowed_networks .= "access-control: $allowed_network allow\n"; + // Interfaces to bind to and setup acls for nics + $unbound_bind_interfaces = ""; + $unbound_allowed_networks = ""; + $unboundnetcfg = unbound_get_network_interface_addresses(); + foreach($unboundnetcfg as $netcfgidx => $netent) { + $unbound_bind_interfaces .="interface: {$netent['ipaddr']}\n"; + $unbound_allowed_networks .= "access-control: {$netent['network']}/{$netent['subnet']} allow\n"; } + /* Configure user configured ACLs */ $unbound_allowed_networks .= unbound_acls_config(); if($unbound_config['dnssec_status'] == "on") { $module_config = "validator iterator"; $anchor_file = "auto-trust-anchor-file: /usr/local/etc/unbound/root-trust-anchor"; - } else { + } else $module_config = "iterator"; - } - - // Interfaces to bind to - $interface_ips = unbound_get_network_interface_addresses(); - foreach($interface_ips as $ifip) { - $unbound_bind_interfaces .="interface: $ifip\n"; - } // Host entries $host_entries = unbound_add_host_entries(); 
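Review bot: The loop emits `access-control: {$netent['network']}/{$netent['subnet']} allow` for every entry returned by unbound_get_network_interface_addresses(), but the 'virtual' entry built for CARP addresses only has an 'ipaddr' key, so any configured VIP produces the line `access-control: / allow`, which is not a valid address/netmask and can be expected to make Unbound refuse the generated configuration, taking the resolver down with it. Guard the ACL line with `if (isset($netent['network']) && isset($netent['subnet']))` before the `.=`, keeping the `interface:` line unconditional. A brief comment above the loop, such as `// every entry binds; only entries with network+subnet become ACLs`, would make the two shapes explicit. unbound_resync_config starts before this hunk and continues after it.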
@@ -370,7 +368,6 @@ EOF; $harden_dnssec_stripped = ($unbound_config['harden_dnssec_stripped'] == "on") ? "yes" : "no"; $prefetch = ($unbound_config['prefetch'] == "on") ? "yes" : "no"; $prefetch_key = ($unbound_config['prefetch_key'] == "on") ? "yes" : "no"; - $ipv6 = ($unbound_config['unbound_ipv6'] == "on") ? "yes" : "no"; $outgoing_num_tcp = (!empty($unbound_config['outgoing_num_tcp'])) ? $unbound_config['outgoing_num_tcp'] : "10"; $incoming_num_tcp = (!empty($unbound_config['incoming_num_tcp'])) ? $unbound_config['incoming_num_tcp'] : "10"; $edns_buffer_size = (!empty($unbound_config['edns_buffer_size'])) ? $unbound_config['edns_buffer_size'] : "4096"; @@ -406,7 +403,7 @@ use-syslog: yes port: 53 verbosity: {$log_verbosity} do-ip4: yes -do-ip6: {$ipv6} +do-ip6: yes do-udp: yes do-tcp: yes do-daemonize: yes -- cgit v1.2.3
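Review bot: `do-ip6: yes` is now unconditional and the `$ipv6` line reading `$unbound_config['unbound_ipv6']` is gone, yet the diffstat shows only unbound.inc changing, so if the package's configuration form still exposes the IPv6 toggle that setting is silently ignored. Either keep honouring it, `$ipv6 = ($unbound_config['unbound_ipv6'] == "on") ? "yes" : "no";` with `do-ip6: {$ipv6}`, or drop the option from the form in the same commit and say so in the message. Note too that with IPv6 listening always on, IPv6 clients are only allowed from interfaces that have a static ipaddrv6, since that is the only case in which the new code produces an IPv6 access-control entry.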