LILiK
/
openwrt-packages-dist

#!/bin/sh
################################################################################ This program is free software; you can redistribute it and/or modify# it under the terms of the GNU General Public License version 2 as# published by the Free Software Foundation.## This program is distributed in the hope that it will be useful,# but WITHOUT ANY WARRANTY; without even the implied warranty of# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the# GNU General Public License for more details.## Copyright (C) 2016 Eric Luehrsen################################################################################# This builds the basic UCI components currently supported for Unbound. It is# intentionally NOT comprehensive and bundles a lot of options. The UCI is to# be a simpler presentation of the total Unbound conf set.###############################################################################
UNBOUND_B_CONTROL=0UNBOUND_B_SLAAC6_MAC=0UNBOUND_B_DNSSEC=0UNBOUND_B_DNS64=0UNBOUND_B_GATE_NAME=0UNBOUND_B_HIDE_BIND=1UNBOUND_B_LOCL_BLCK=0UNBOUND_B_LOCL_SERV=1UNBOUND_B_MAN_CONF=0UNBOUND_B_NTP_BOOT=1UNBOUND_B_PRIV_BLCK=1UNBOUND_B_QUERY_MIN=0UNBOUND_B_QRY_MINST=0
UNBOUND_D_DOMAIN_TYPE=staticUNBOUND_D_DHCP_LINK=noneUNBOUND_D_LAN_FQDN=0UNBOUND_D_PROTOCOL=mixedUNBOUND_D_RESOURCE=smallUNBOUND_D_RECURSION=passiveUNBOUND_D_WAN_FQDN=0
UNBOUND_IP_DNS64="64:ff9b::/96"
UNBOUND_N_EDNS_SIZE=1280UNBOUND_N_FWD_PORTS=""UNBOUND_N_RX_PORT=53UNBOUND_N_ROOT_AGE=28
UNBOUND_TTL_MIN=120
UNBOUND_TXT_DOMAIN=lanUNBOUND_TXT_FWD_ZONE=""UNBOUND_TXT_HOSTNAME=thisrouter
##############################################################################
UNBOUND_LIBDIR=/usr/lib/unboundUNBOUND_VARDIR=/var/lib/unbound
UNBOUND_PIDFILE=/var/run/unbound.pid
UNBOUND_SRV_CONF=$UNBOUND_VARDIR/unbound_srv.confUNBOUND_EXT_CONF=$UNBOUND_VARDIR/unbound_ext.confUNBOUND_CONFFILE=$UNBOUND_VARDIR/unbound.conf
UNBOUND_KEYFILE=$UNBOUND_VARDIR/root.keyUNBOUND_HINTFILE=$UNBOUND_VARDIR/root.hintsUNBOUND_TIMEFILE=$UNBOUND_VARDIR/unbound.time
##############################################################################
UNBOUND_ANCHOR=/usr/sbin/unbound-anchorUNBOUND_CONTROL=/usr/sbin/unbound-controlUNBOUND_CONTROL_CFG="$UNBOUND_CONTROL -c $UNBOUND_CONFFILE"
##############################################################################
. /lib/functions.sh. /lib/functions/network.sh
. $UNBOUND_LIBDIR/dnsmasq.sh. $UNBOUND_LIBDIR/iptools.sh. $UNBOUND_LIBDIR/rootzone.sh
##############################################################################
create_interface_dns() {  local cfg="$1"  local ipcommand logint ignore ifname ifdashname  local name names address addresses  local ulaprefix if_fqdn host_fqdn mode mode_ptr
  # Create local-data: references for this hosts interfaces (router).  config_get logint "$cfg" interface  config_get_bool ignore "$cfg" ignore 0  network_get_device ifname "$cfg"
  ifdashname="${ifname//./-}"  ipcommand="ip -o address show $ifname"  addresses="$($ipcommand | awk '/inet/{sub(/\/.*/,"",$4); print $4}')"  ulaprefix="$(uci_get network @globals[0] ula_prefix)"  host_fqdn="$UNBOUND_TXT_HOSTNAME.$UNBOUND_TXT_DOMAIN"  if_fqdn="$ifdashname.$host_fqdn"

  if [ "$ignore" -gt 0 ] ; then    mode="$UNBOUND_D_WAN_FQDN"
  else    mode="$UNBOUND_D_LAN_FQDN"  fi

  case "$mode" in  3)    mode_ptr="$host_fqdn"    names="$host_fqdn  $UNBOUND_TXT_HOSTNAME"    ;;
  4)    mode_ptr="$if_fqdn"    names="$if_fqdn  $host_fqdn  $UNBOUND_TXT_HOSTNAME"    ;;
  *)    mode_ptr="$UNBOUND_TXT_HOSTNAME"    names="$UNBOUND_TXT_HOSTNAME"    ;;  esac

  if [ "$mode" -gt 1 ] ; then    {      for address in $addresses ; do        case $address in        fe80:*|169.254.*)           echo "  # note link address $address"          ;;                  [1-9a-f]*:*[0-9a-f])          # GA and ULA IP6 for HOST IN AAA records (ip command is robust)          for name in $names ; do            echo "  local-data: \"$name. 120 IN AAAA $address\""          done          echo "  local-data-ptr: \"$address 120 $mode_ptr\""          ;;
        [1-9]*.*[0-9])          # Old fashioned HOST IN A records          for name in $names ; do            echo "  local-data: \"$name. 120 IN A $address\""          done          echo "  local-data-ptr: \"$address 120 $mode_ptr\""          ;;        esac      done      echo    } >> $UNBOUND_CONFFILE
  elif [ "$mode" -gt 0 ] ; then    {      for address in $addresses ; do        case $address in        fe80:*|169.254.*)           echo "  # note link address $address"          ;;                  "${ulaprefix%%:/*}"*)          # Only this networks ULA and only hostname          echo "  local-data: \"$UNBOUND_TXT_HOSTNAME. 120 IN AAAA $address\""          echo "  local-data-ptr: \"$address 120 $UNBOUND_TXT_HOSTNAME\""          ;;
        [1-9]*.*[0-9])          echo "  local-data: \"$UNBOUND_TXT_HOSTNAME. 120 IN A $address\""          echo "  local-data-ptr: \"$address 120 $UNBOUND_TXT_HOSTNAME\""          ;;        esac      done      echo    } >> $UNBOUND_CONFFILE  fi}
##############################################################################
create_access_control() {  local cfg="$1"  local subnets subnets4 subnets6  local validip4 validip6
  network_get_subnets  subnets4 "$cfg"  network_get_subnets6 subnets6 "$cfg"  subnets="$subnets4 $subnets6"

  if [ -n "$subnets" ] ; then    for subnet in $subnets ; do      validip4=$( valid_subnet4 $subnet )      validip6=$( valid_subnet6 $subnet )

      if [ "$validip4" = "ok" -o "$validip6" = "ok" ] ; then        # For each "network" UCI add "access-control:" white list for queries        echo "  access-control: $subnet allow" >> $UNBOUND_CONFFILE      fi    done  fi}
##############################################################################
create_domain_insecure() {  echo "  domain-insecure: \"$1\"" >> $UNBOUND_CONFFILE}
##############################################################################
unbound_mkdir() {  local resolvsym=0  local dhcp_origin=$( uci get dhcp.@odhcpd[0].leasefile )  local dhcp_dir=$( dirname "$dhcp_origin" )

  if [ ! -x /usr/sbin/dnsmasq -o ! -x /etc/init.d/dnsmasq ] ; then    resolvsym=1  else    /etc/init.d/dnsmasq enabled || resolvsym=1  fi

  if [ "$resolvsym" -gt 0 ] ; then    rm -f /tmp/resolv.conf

    {      # Set resolver file to local but not if /etc/init.d/dnsmasq will do it.      echo "nameserver 127.0.0.1"      echo "nameserver ::1"      echo "search $UNBOUND_TXT_DOMAIN"    } > /tmp/resolv.conf  fi

  if [ "$UNBOUND_D_DHCP_LINK" = "odhcpd" -a ! -d "$dhcp_dir" ] ; then    # make sure odhcpd has a directory to write (not done itself, yet)    mkdir -p "$dhcp_dir"  fi

  mkdir -p $UNBOUND_VARDIR  rm -f $UNBOUND_VARDIR/dhcp_*  touch $UNBOUND_CONFFILE  touch $UNBOUND_SRV_CONF  touch $UNBOUND_EXT_CONF  cp -p /etc/unbound/* $UNBOUND_VARDIR/

  if [ ! -f $UNBOUND_HINTFILE ] ; then    if [ -f /usr/share/dns/root.hints ] ; then      # Debian-like package dns-root-data      cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE
    else      logger -t unbound -s "iterator will use built-in root hints"    fi  fi

  if [ ! -f $UNBOUND_KEYFILE ] ; then    if [ -f /usr/share/dns/root.key ] ; then      # Debian-like package dns-root-data      cp -p /usr/share/dns/root.key $UNBOUND_KEYFILE
    elif [ -x "$UNBOUND_ANCHOR" ] ; then      $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
    else      logger -t unbound -s "validator will use built-in trust anchor"    fi  fi

  # Ensure access and prepare to jail  chown -R unbound:unbound $UNBOUND_VARDIR  chmod 775 $UNBOUND_VARDIR  chmod 664 $UNBOUND_VARDIR/*}
##############################################################################
unbound_control() {  if [ "$UNBOUND_B_CONTROL" -gt 0 ] ; then    {      # Enable remote control tool, but only at local host for security      # You can hand write fancier encrypted access with /etc/..._ext.conf      echo "remote-control:"      echo "  control-enable: yes"      echo "  control-use-cert: no"      echo "  control-interface: 127.0.0.1"      echo "  control-interface: ::1"      echo    } >> $UNBOUND_CONFFILE  fi

  {    # Amend your own extended clauses here like forward zones or disable     # above (local, no encryption) and amend your own remote encrypted control    echo    echo "include: $UNBOUND_EXT_CONF" >> $UNBOUND_CONFFILE    echo  } >> $UNBOUND_CONFFILE}
##############################################################################
unbound_conf() {  local cfg="$1"  local rt_mem rt_conn modulestring

  {    # Make fresh conf file    echo "# $UNBOUND_CONFFILE generated by UCI $( date )"    echo  } > $UNBOUND_CONFFILE

  {    # No threading    echo "server:"    echo "  username: unbound"    echo "  num-threads: 1"    echo "  msg-cache-slabs: 1"    echo "  rrset-cache-slabs: 1"    echo "  infra-cache-slabs: 1"    echo "  key-cache-slabs: 1"    echo  } >> $UNBOUND_CONFFILE

  {    # Logging    echo "  verbosity: 1"    echo "  statistics-interval: 0"    echo "  statistics-cumulative: no"    echo "  extended-statistics: no"    echo  } >> $UNBOUND_CONFFILE

  {    # Interfaces (access contol "option local_service")    echo "  interface: 0.0.0.0"    echo "  interface: ::0"    echo "  outgoing-interface: 0.0.0.0"    echo "  outgoing-interface: ::0"    echo  } >> $UNBOUND_CONFFILE

  case "$UNBOUND_D_PROTOCOL" in    ip4_only)      {        echo "  do-ip4: yes"        echo "  do-ip6: no"      } >> $UNBOUND_CONFFILE      ;;
    ip6_only)      {        echo "  do-ip4: no"        echo "  do-ip6: yes"      } >> $UNBOUND_CONFFILE      ;;
    ip6_prefer)      {        echo "  do-ip4: yes"        echo "  do-ip6: yes"        echo "  prefer-ip6: yes"      } >> $UNBOUND_CONFFILE      ;;
    *)      {        echo "  do-ip4: yes"        echo "  do-ip6: yes"      } >> $UNBOUND_CONFFILE      ;;  esac

  {    # protocol level tuning    echo "  edns-buffer-size: $UNBOUND_N_EDNS_SIZE"    echo "  msg-buffer-size: 8192"    echo "  port: $UNBOUND_N_RX_PORT"    echo "  outgoing-port-permit: 10240-65535"    echo  } >> $UNBOUND_CONFFILE

  {    # Other harding and options for an embedded router    echo "  harden-short-bufsize: yes"    echo "  harden-large-queries: yes"    echo "  harden-glue: yes"    echo "  harden-below-nxdomain: no"    echo "  harden-referral-path: no"    echo "  use-caps-for-id: no"    echo  } >> $UNBOUND_CONFFILE

  {    # Default Files    echo "  use-syslog: yes"    echo "  chroot: \"$UNBOUND_VARDIR\""    echo "  directory: \"$UNBOUND_VARDIR\""    echo "  pidfile: \"$UNBOUND_PIDFILE\""  } >> $UNBOUND_CONFFILE

  if [ -f "$UNBOUND_HINTFILE" ] ; then    # Optional hints if found    echo "  root-hints: \"$UNBOUND_HINTFILE\"" >> $UNBOUND_CONFFILE  fi

  if [ "$UNBOUND_B_DNSSEC" -gt 0 -a -f "$UNBOUND_KEYFILE" ] ; then    {      echo "  auto-trust-anchor-file: \"$UNBOUND_KEYFILE\""      echo    } >> $UNBOUND_CONFFILE
  else    echo >> $UNBOUND_CONFFILE  fi

  case "$UNBOUND_D_RESOURCE" in    # Tiny - Unbound's recommended cheap hardware config    tiny)   rt_mem=1  ; rt_conn=1 ;;    # Small - Half RRCACHE and open ports    small)  rt_mem=8  ; rt_conn=5 ;;    # Medium - Nearly default but with some added balancintg    medium) rt_mem=16 ; rt_conn=10 ;;    # Large - Double medium    large)  rt_mem=32 ; rt_conn=10 ;;    # Whatever unbound does    *) rt_mem=0 ; rt_conn=0 ;;  esac

  if [ "$rt_mem" -gt 0 ] ; then    {      # Set memory sizing parameters      echo "  outgoing-range: $(($rt_conn*64))"      echo "  num-queries-per-thread: $(($rt_conn*32))"      echo "  outgoing-num-tcp: $(($rt_conn))"      echo "  incoming-num-tcp: $(($rt_conn))"      echo "  rrset-cache-size: $(($rt_mem*256))k"      echo "  msg-cache-size: $(($rt_mem*128))k"      echo "  key-cache-size: $(($rt_mem*128))k"      echo "  neg-cache-size: $(($rt_mem*64))k"      echo "  infra-cache-numhosts: $(($rt_mem*256))"      echo    } >> $UNBOUND_CONFFILE
  else    logger -t unbound -s "default memory resource consumption"  fi
  # Assembly of module-config: options is tricky; order matters  modulestring="iterator"

  if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then    if [ ! -f "$UNBOUND_TIMEFILE" -a "$UNBOUND_B_NTP_BOOT" -gt 0 ] ; then      # DNSSEC chicken and egg with getting NTP time      echo "  val-override-date: -1" >> $UNBOUND_CONFFILE    fi

    {      echo "  harden-dnssec-stripped: yes"      echo "  val-clean-additional: yes"      echo "  ignore-cd-flag: yes"    } >> $UNBOUND_CONFFILE

    modulestring="validator $modulestring"  fi

  if [ "$UNBOUND_B_DNS64" -gt 0 ] ; then    echo "  dns64-prefix: $UNBOUND_IP_DNS64" >> $UNBOUND_CONFFILE
    modulestring="dns64 $modulestring"  fi

  {    # Print final module string    echo "  module-config: \"$modulestring\""    echo  }  >> $UNBOUND_CONFFILE

  if [ "$UNBOUND_B_QRY_MINST" -gt 0 -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then    {      # Some query privacy but "strict" will break some name servers      echo "  qname-minimisation: yes"      echo "  qname-minimisation-strict: yes"    } >> $UNBOUND_CONFFILE
  elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then    # Minor improvement on query privacy    echo "  qname-minimisation: yes" >> $UNBOUND_CONFFILE
  else    echo "  qname-minimisation: no" >> $UNBOUND_CONFFILE  fi

  case "$UNBOUND_D_RECURSION" in    passive)      {        echo "  prefetch: no"        echo "  prefetch-key: no"        echo "  target-fetch-policy: \"0 0 0 0 0\""        echo      } >> $UNBOUND_CONFFILE      ;;
    aggressive)      {        echo "  prefetch: yes"        echo "  prefetch-key: yes"        echo "  target-fetch-policy: \"3 2 1 0 0\""        echo      } >> $UNBOUND_CONFFILE      ;;
    *)      logger -t unbound -s "default recursion configuration"      ;;  esac

  {    # Reload records more than 10 hours old    # DNSSEC 5 minute bogus cool down before retry    # Adaptive infrastructure info kept for 15 minutes    echo "  cache-min-ttl: $UNBOUND_TTL_MIN"    echo "  cache-max-ttl: 36000"    echo "  val-bogus-ttl: 300"    echo "  infra-host-ttl: 900"    echo  } >> $UNBOUND_CONFFILE

  if [ "$UNBOUND_B_HIDE_BIND" -gt 0 ] ; then    {      # Block server id and version DNS TXT records      echo "  hide-identity: yes"      echo "  hide-version: yes"      echo    } >> $UNBOUND_CONFFILE  fi

  if [ "$UNBOUND_B_PRIV_BLCK" -gt 0 ] ; then    {      # Remove _upstream_ or global reponses with private addresses.      # Unbounds own "local zone" and "forward zone" may still use these.      # RFC1918, RFC3927, RFC4291, RFC6598, RFC6890      echo "  private-address: 10.0.0.0/8"      echo "  private-address: 100.64.0.0/10"      echo "  private-address: 169.254.0.0/16"      echo "  private-address: 172.16.0.0/12"      echo "  private-address: 192.168.0.0/16"      echo "  private-address: fc00::/8"      echo "  private-address: fd00::/8"      echo "  private-address: fe80::/10"    } >> $UNBOUND_CONFFILE  fi

  if [ "$UNBOUND_B_LOCL_BLCK" -gt 0 ] ; then    {      # Remove DNS reponses from upstream with loopback IP      # Black hole DNS method for ad blocking, so consider...      echo "  private-address: 127.0.0.0/8"      echo "  private-address: ::1/128"      echo    } >> $UNBOUND_CONFFILE
  else    echo >> $UNBOUND_CONFFILE  fi

  # Except and accept domains as insecure (DNSSEC); work around broken domains  config_list_foreach "$cfg" "domain_insecure" create_domain_insecure  echo >> $UNBOUND_CONFFILE}
##############################################################################
unbound_access() {  # TODO: Unbound 1.6.0 added "tags" and "views", so we can add tags to  # each access-control IP block, and then divert access.  # -- "guest" WIFI will not be allowed to see local zone data  # -- "child" LAN can black whole a list of domains to http~deadpixel

  if [ "$UNBOUND_B_LOCL_SERV" -gt 0 ] ; then    # Only respond to queries from which this device has an interface.    # Prevent DNS amplification attacks by not responding to the universe.    config_load network    config_foreach create_access_control interface

    {      echo "  access-control: 127.0.0.0/8 allow"      echo "  access-control: ::1/128 allow"      echo "  access-control: fe80::/10 allow"      echo    } >> $UNBOUND_CONFFILE
  else    {      echo "  access-control: 0.0.0.0/0 allow"      echo "  access-control: ::0/0 allow"      echo    } >> $UNBOUND_CONFFILE  fi

  {    # Amend your own "server:" stuff here    echo    echo "include: $UNBOUND_SRV_CONF"    echo  } >> $UNBOUND_CONFFILE}
##############################################################################
unbound_hostname() {  if [ -n "$UNBOUND_TXT_DOMAIN" ] ; then    {      # TODO: Unbound 1.6.0 added "tags" and "views" and we could make      # domains by interface to prevent DNS from "guest" to "home"      echo "  local-zone: $UNBOUND_TXT_DOMAIN. $UNBOUND_D_DOMAIN_TYPE"      echo "  domain-insecure: $UNBOUND_TXT_DOMAIN"      echo "  private-domain: $UNBOUND_TXT_DOMAIN"      echo      echo "  local-zone: $UNBOUND_TXT_HOSTNAME. $UNBOUND_D_DOMAIN_TYPE"      echo "  domain-insecure: $UNBOUND_TXT_HOSTNAME"      echo "  private-domain: $UNBOUND_TXT_HOSTNAME"      echo    } >> $UNBOUND_CONFFILE

    case "$UNBOUND_D_DOMAIN_TYPE" in    deny|inform_deny|refuse|static)      {        # avoid upstream involvement in RFC6762 like responses (link only)        echo "  local-zone: local. $UNBOUND_D_DOMAIN_TYPE"        echo "  domain-insecure: local"        echo "  private-domain: local"        echo      } >> $UNBOUND_CONFFILE      ;;    esac

    if [ "$UNBOUND_D_LAN_FQDN" -gt 0 -o "$UNBOUND_D_WAN_FQDN" -gt 0 ] ; then      config_load dhcp      config_foreach create_interface_dns dhcp    fi  fi}
##############################################################################
unbound_uci() {  local cfg="$1"  local dnsmasqpath hostnm
  hostnm="$(uci_get system.@system[0].hostname | awk '{print tolower($0)}')"  UNBOUND_TXT_HOSTNAME=${hostnm:-thisrouter}
  config_get_bool UNBOUND_B_SLAAC6_MAC "$cfg" dhcp4_slaac6 0  config_get_bool UNBOUND_B_DNS64      "$cfg" dns64 0  config_get_bool UNBOUND_B_HIDE_BIND  "$cfg" hide_binddata 1  config_get_bool UNBOUND_B_LOCL_SERV  "$cfg" localservice 1  config_get_bool UNBOUND_B_MAN_CONF   "$cfg" manual_conf 0  config_get_bool UNBOUND_B_QUERY_MIN  "$cfg" query_minimize 0  config_get_bool UNBOUND_B_QRY_MINST  "$cfg" query_min_strict 0  config_get_bool UNBOUND_B_PRIV_BLCK  "$cfg" rebind_protection 1  config_get_bool UNBOUND_B_LOCL_BLCK  "$cfg" rebind_localhost 0  config_get_bool UNBOUND_B_CONTROL    "$cfg" unbound_control 0  config_get_bool UNBOUND_B_DNSSEC     "$cfg" validator 0  config_get_bool UNBOUND_B_NTP_BOOT   "$cfg" validator_ntp 1
  config_get UNBOUND_IP_DNS64    "$cfg" dns64_prefix "64:ff9b::/96"
  config_get UNBOUND_N_EDNS_SIZE "$cfg" edns_size 1280  config_get UNBOUND_N_RX_PORT   "$cfg" listen_port 53  config_get UNBOUND_N_ROOT_AGE  "$cfg" root_age 7
  config_get UNBOUND_D_DOMAIN_TYPE "$cfg" domain_type static  config_get UNBOUND_D_DHCP_LINK   "$cfg" dhcp_link none  config_get UNBOUND_D_LAN_FQDN    "$cfg" add_local_fqdn 0  config_get UNBOUND_D_PROTOCOL    "$cfg" protocol mixed  config_get UNBOUND_D_RECURSION   "$cfg" recursion passive  config_get UNBOUND_D_RESOURCE    "$cfg" resource small  config_get UNBOUND_D_WAN_FQDN    "$cfg" add_wan_fqdn 0
  config_get UNBOUND_TTL_MIN     "$cfg" ttl_min 120  config_get UNBOUND_TXT_DOMAIN  "$cfg" domain lan

  if [ "$UNBOUND_D_DHCP_LINK" = "none" ] ; then    config_get_bool UNBOUND_B_DNSMASQ   "$cfg" dnsmasq_link_dns 0

    if [ "$UNBOUND_B_DNSMASQ" -gt 0 ] ; then      UNBOUND_D_DHCP_LINK=dnsmasq      logger -t unbound -s "Please use 'dhcp_link' selector instead"    fi  fi

  if [ "$UNBOUND_D_DHCP_LINK" = "dnsmasq" ] ; then    if [ ! -x /usr/sbin/dnsmasq -o ! -x /etc/init.d/dnsmasq ] ; then      UNBOUND_D_DHCP_LINK=none    else      /etc/init.d/dnsmasq enabled || UNBOUND_D_DHCP_LINK=none    fi

    if [ "$UNBOUND_D_DHCP_LINK" = "none" ] ; then      logger -t unbound -s "cannot forward to dnsmasq"    fi  fi

  if [ "$UNBOUND_D_DHCP_LINK" = "odhcpd" ] ; then    if [ ! -x /usr/sbin/odhcpd -o ! -x /etc/init.d/odhcpd ] ; then      UNBOUND_D_DHCP_LINK=none    else      /etc/init.d/odhcpd enabled || UNBOUND_D_DHCP_LINK=none    fi

    if [ "$UNBOUND_D_DHCP_LINK" = "none" ] ; then      logger -t unbound -s "cannot receive records from odhcpd"    fi  fi

  if [ "$UNBOUND_N_EDNS_SIZE" -lt 512 \
    -o 4096 -lt "$UNBOUND_N_EDNS_SIZE" ] ; then    # exceeds range, back to default    UNBOUND_N_EDNS_SIZE=1280  fi

  if [ "$UNBOUND_N_RX_PORT" -lt 1024 \
    -o 10240 -lt "$UNBOUND_N_RX_PORT" ] ; then    # special port or in 5 digits, back to default    UNBOUND_N_RX_PORT=53  fi

  if [ "$UNBOUND_TTL_MIN" -gt 1800 ] ; then    # that could have had awful side effects    UNBOUND_TTL_MIN=300  fi}
##############################################################################
unbound_start() {  config_load unbound  config_foreach unbound_uci unbound  unbound_mkdir

  if [ "$UNBOUND_B_MAN_CONF" -eq 0 ] ; then    unbound_conf    unbound_access
    if [ "$UNBOUND_D_DHCP_LINK" = "dnsmasq" ] ; then      dnsmasq_link    else      unbound_hostname    fi
    unbound_control  fi}
##############################################################################
unbound_stop() {  local resolvsym=0
  rootzone_update

  if [ ! -x /usr/sbin/dnsmasq -o ! -x /etc/init.d/dnsmasq ] ; then    resolvsym=1  else    /etc/init.d/dnsmasq enabled || resolvsym=1  fi

  if [ "$resolvsym" -gt 0 ] ; then    # set resolver file to normal, but don't stomp on dnsmasq    rm -f /tmp/resolv.conf    ln -s /tmp/resolv.conf.auto /tmp/resolv.conf  fi

  # Unbound has a log dump which takes time; don't overlap a "restart"  sleep 1}
##############################################################################