Merge pull request #4871 from EricLuehrsen/unbound_control

unbound: upstream 1.6.6 and enhance control UCI option
7 years ago · 59735c02c8
--- a/net/unbound/Makefile
+++ b/net/unbound/Makefile
@ -8,8 +8,8 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=unbound
 PKG_VERSION:=1.6.5
 PKG_RELEASE:=1
 PKG_VERSION:=1.6.6
 PKG_RELEASE:=2

 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE
@ -17,7 +17,7 @@ PKG_MAINTAINER:=Eric Luehrsen <ericluehrsen@hotmail.com>

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://www.unbound.net/downloads
 PKG_HASH:=e297aa1229015f25bf24e4923cb1dadf1f29b84f82a353205006421f82cc104e
 PKG_HASH:=972b14dc33093e672652a7b2b5f159bab2198b0fe9c9e1c5707e1895d4d4b390

 PKG_BUILD_DEPENDS:=libexpat
 PKG_BUILD_PARALLEL:=1
--- a/net/unbound/files/README.md
+++ b/net/unbound/files/README.md
@ -200,6 +200,13 @@ config unbound
    Bytes. Extended DNS is necessary for DNSSEC. However, it can run
    into MTU issues. Use this size in bytes to manage drop outs.

  option extended_luci '0'
    Boolean. Extends a tab hierarchy in LuCI for advanced congfiguration.

  option extended_stats '0'
    Boolean. extended statistics are printed from unbound-control.
    Keeping track of more statistics takes time.

  option hide_binddata '1'
    Boolean. If enabled version.server, version.bind, id.server, and
    hostname.bind queries are refused.
@ -266,8 +273,12 @@ config unbound
    Typical to configure maybe 0~300, but 1800 is the maximum accepted.

  option unbound_control '0'
    Boolean. Enables unbound-control application access ports. Enabling
    this without the unbound-control package installed is robust.
    Level. Enables unbound-control application access ports.
    0 - No unbound-control Access, or add your own in 'unbound_ext.conf'
    1 - Unencrypted Local Host Access
    2 - SSL Local Host Access; auto unbound-control-setup if available
    3 - SSL Network Access; auto unbound-control-setup if available
    4 - SSL Network Access; static key/pem files must already exist

  option validator '0'
    Boolean. Enable DNSSEC. Unbound names this the "validator" module.
--- a/net/unbound/files/odhcpd.awk
+++ b/net/unbound/files/odhcpd.awk
@ -68,7 +68,7 @@
      if ( bconf == 1 ) {
        x = ( "local-data: \"" fqdn ". 120 IN A " adr "\"" ) ;
        y = ( "local-data-ptr: \"" adr " 120 " fqdn "\"" ) ;
        print ( x "\n" y ) > hostfile ;
        print ( x "\n" y "\n" ) > hostfile ;
      }

      else {
@ -91,17 +91,17 @@
            # GA or ULA routed addresses only (not LL or MC)
            sub( /\/.*/, "", adr ) ;
            adr = ( adr slaac ) ;
            
            
            if ( split( adr, tmp0, ":" ) >= 8 ) { 
              sub( "::", ":", adr ) ; 


            if ( split( adr, tmp0, ":" ) >= 8 ) {
              sub( "::", ":", adr ) ;
            }


            if ( bconf == 1 ) {
              x = ( "local-data: \"" fqdn ". 120 IN AAAA " adr "\"" ) ;
              y = ( "local-data-ptr: \"" adr " 120 " fqdn "\"" ) ;
              print ( x "\n" y ) > hostfile ;
              print ( x "\n" y "\n" ) > hostfile ;
            }

            else {
@ -124,7 +124,7 @@
      if ( bconf == 1 ) {
        x = ( "local-data: \"" fqdn ". 120 IN AAAA " adr "\"" ) ;
        y = ( "local-data-ptr: \"" adr " 120 " fqdn "\"" ) ;
        print ( x "\n" y ) > hostfile ;
        print ( x "\n" y "\n" ) > hostfile ;
      }

      else {
@ -135,12 +135,12 @@
        print ( x "\n" y ) > hostfile ;
      }
    }
    

    if (( cdr2 == 128 ) && ( hst != "-" )) {
      if ( bconf == 1 ) {
        x = ( "local-data: \"" fqdn ". 120 IN AAAA " adr2 "\"" ) ;
        y = ( "local-data-ptr: \"" adr2 " 120 " fqdn "\"" ) ;
        print ( x "\n" y ) > hostfile ;
        print ( x "\n" y "\n" ) > hostfile ;
      }

      else {
--- a/net/unbound/files/unbound.sh
+++ b/net/unbound/files/unbound.sh
@ -23,10 +23,10 @@
 #
 ##############################################################################

 UNBOUND_B_CONTROL=0
 UNBOUND_B_SLAAC6_MAC=0
 UNBOUND_B_DNSSEC=0
 UNBOUND_B_DNS64=0
 UNBOUND_B_EXT_STATS=0
 UNBOUND_B_GATE_NAME=0
 UNBOUND_B_HIDE_BIND=1
 UNBOUND_B_LOCL_BLCK=0
@ -37,6 +37,7 @@ UNBOUND_B_PRIV_BLCK=1
 UNBOUND_B_QUERY_MIN=0
 UNBOUND_B_QRY_MINST=0

 UNBOUND_D_CONTROL=0
 UNBOUND_D_DOMAIN_TYPE=static
 UNBOUND_D_DHCP_LINK=none
 UNBOUND_D_EXTRA_DNS=0
@ -80,6 +81,11 @@ UNBOUND_KEYFILE=$UNBOUND_VARDIR/root.key
 UNBOUND_HINTFILE=$UNBOUND_VARDIR/root.hints
 UNBOUND_TIMEFILE=$UNBOUND_VARDIR/hotplug.time

 UNBOUND_CTLKEY_FILE=$UNBOUND_VARDIR/unbound_control.key
 UNBOUND_CTLPEM_FILE=$UNBOUND_VARDIR/unbound_control.pem
 UNBOUND_SRVKEY_FILE=$UNBOUND_VARDIR/unbound_server.key
 UNBOUND_SRVPEM_FILE=$UNBOUND_VARDIR/unbound_server.pem

 ##############################################################################

 UNBOUND_ANCHOR=/usr/sbin/unbound-anchor
@ -457,17 +463,54 @@ unbound_mkdir() {

  # Ensure access and prepare to jail
  chown -R unbound:unbound $UNBOUND_VARDIR
  chmod 775 $UNBOUND_VARDIR
  chmod 664 $UNBOUND_VARDIR/*
  chmod 755 $UNBOUND_VARDIR
  chmod 644 $UNBOUND_VARDIR/*


  if [ -f $UNBOUND_CTLKEY_FILE -o -f $UNBOUND_CTLPEM_FILE \
    -o -f $UNBOUND_SRVKEY_FILE -o -f $UNBOUND_SRVPEM_FILE ] ; then
    # Keys (some) exist already; do not create new ones
    chmod 640 $UNBOUND_CTLKEY_FILE $UNBOUND_CTLPEM_FILE \
              $UNBOUND_SRVKEY_FILE $UNBOUND_SRVPEM_FILE

  elif [ -x /usr/sbin/unbound-control-setup ] ; then
    case "$UNBOUND_D_CONTROL" in
    [2-3])
      # unbound-control-setup for encrypt opt. 2 and 3, but not 4 "static"
      /usr/sbin/unbound-control-setup -d $UNBOUND_VARDIR

      chown -R unbound:unbound  $UNBOUND_CTLKEY_FILE $UNBOUND_CTLPEM_FILE \
                                $UNBOUND_SRVKEY_FILE $UNBOUND_SRVPEM_FILE

      chmod 640 $UNBOUND_CTLKEY_FILE $UNBOUND_CTLPEM_FILE \
                $UNBOUND_SRVKEY_FILE $UNBOUND_SRVPEM_FILE

      cp -p $UNBOUND_CTLKEY_FILE /etc/unbound/unbound_control.key
      cp -p $UNBOUND_CTLPEM_FILE /etc/unbound/unbound_control.pem
      cp -p $UNBOUND_SRVKEY_FILE /etc/unbound/unbound_server.key
      cp -p $UNBOUND_SRVPEM_FILE /etc/unbound/unbound_server.pem
      ;;
    esac
  fi
 }

 ##############################################################################

 unbound_control() {
  if [ "$UNBOUND_B_CONTROL" -gt 0 ] ; then
  if [ "$UNBOUND_D_CONTROL" -gt 1 ] ; then
    if [ ! -f $UNBOUND_CTLKEY_FILE -o ! -f $UNBOUND_CTLPEM_FILE \
      -o ! -f $UNBOUND_SRVKEY_FILE -o ! -f $UNBOUND_SRVPEM_FILE ] ; then
      # Key files need to be present; if unbound-control-setup was found, then
      # they might have been made during unbound_makedir() above.
      UNBOUND_D_CONTROL=0
    fi
  fi


  case "$UNBOUND_D_CONTROL" in
  1)
    {
      # Enable remote control tool, but only at local host for security
      # You can hand write fancier encrypted access with /etc/..._ext.conf
      # Local Host Only Unencrypted Remote Control
      echo "remote-control:"
      echo "  control-enable: yes"
      echo "  control-use-cert: no"
@ -475,7 +518,42 @@ unbound_control() {
      echo "  control-interface: ::1"
      echo
    } >> $UNBOUND_CONFFILE
  fi
    ;;

  2)
    {
      # Local Host Only Encrypted Remote Control
      echo "remote-control:"
      echo "  control-enable: yes"
      echo "  control-use-cert: yes"
      echo "  control-interface: 127.0.0.1"
      echo "  control-interface: ::1"
      echo "  server-key-file: \"$UNBOUND_SRVKEY_FILE\""
      echo "  server-cert-file: \"$UNBOUND_SRVPEM_FILE\""
      echo "  control-key-file: \"$UNBOUND_CTLKEY_FILE\""
      echo "  control-cert-file: \"$UNBOUND_CTLPEM_FILE\""
      echo
    } >> $UNBOUND_CONFFILE
    ;;

  [3-4])
    {
      # Network Encrypted Remote Control
      # (3) may auto setup and (4) must have static key/pem files
      # TODO: add UCI list for interfaces to bind
      echo "remote-control:"
      echo "  control-enable: yes"
      echo "  control-use-cert: yes"
      echo "  control-interface: 0.0.0.0"
      echo "  control-interface: ::0"
      echo "  server-key-file: \"$UNBOUND_SRVKEY_FILE\""
      echo "  server-cert-file: \"$UNBOUND_SRVPEM_FILE\""
      echo "  control-key-file: \"$UNBOUND_CTLKEY_FILE\""
      echo "  control-cert-file: \"$UNBOUND_CTLPEM_FILE\""
      echo
    } >> $UNBOUND_CONFFILE
    ;;
  esac


  {
@ -493,15 +571,14 @@ unbound_conf() {
  local cfg="$1"
  local rt_mem rt_conn modulestring

  # Make fresh conf file
  echo > $UNBOUND_CONFFILE


  {
    # Make fresh conf file
    echo "# $UNBOUND_CONFFILE generated by UCI $( date )"
    echo
  } > $UNBOUND_CONFFILE


  {
    # No threading
    echo "server:"
    echo "  username: unbound"
@ -511,27 +588,33 @@ unbound_conf() {
    echo "  infra-cache-slabs: 1"
    echo "  key-cache-slabs: 1"
    echo
  } >> $UNBOUND_CONFFILE


  {
    # Interface Wildcard (access contol handled by "option local_service")
    echo "  interface: 0.0.0.0"
    echo "  interface: ::0"
    echo "  outgoing-interface: 0.0.0.0"
    echo "  outgoing-interface: ::0"
    echo
    # Logging
    echo "  verbosity: 1"
    echo "  statistics-interval: 0"
    echo "  statistics-cumulative: no"
    echo "  extended-statistics: no"
    echo
  } >> $UNBOUND_CONFFILE


  {
    # Interfaces (access contol "option local_service")
    echo "  interface: 0.0.0.0"
    echo "  interface: ::0"
    echo "  outgoing-interface: 0.0.0.0"
    echo "  outgoing-interface: ::0"
    echo
  } >> $UNBOUND_CONFFILE
  if [ "$UNBOUND_B_EXT_STATS" -gt 0 ] ; then
    {
      # Log More
      echo "  extended-statistics: yes"
      echo
    } >> $UNBOUND_CONFFILE

  else
    {
      # Log Less
      echo "  extended-statistics: no"
      echo
    } >> $UNBOUND_CONFFILE
  fi


  case "$UNBOUND_D_PROTOCOL" in
@ -930,6 +1013,7 @@ unbound_uci() {

  config_get_bool UNBOUND_B_SLAAC6_MAC "$cfg" dhcp4_slaac6 0
  config_get_bool UNBOUND_B_DNS64      "$cfg" dns64 0
  config_get_bool UNBOUND_B_EXT_STATS  "$cfg" extended_stats 0
  config_get_bool UNBOUND_B_HIDE_BIND  "$cfg" hide_binddata 1
  config_get_bool UNBOUND_B_LOCL_SERV  "$cfg" localservice 1
  config_get_bool UNBOUND_B_MAN_CONF   "$cfg" manual_conf 0
@ -937,7 +1021,6 @@ unbound_uci() {
  config_get_bool UNBOUND_B_QRY_MINST  "$cfg" query_min_strict 0
  config_get_bool UNBOUND_B_PRIV_BLCK  "$cfg" rebind_protection 1
  config_get_bool UNBOUND_B_LOCL_BLCK  "$cfg" rebind_localhost 0
  config_get_bool UNBOUND_B_CONTROL    "$cfg" unbound_control 0
  config_get_bool UNBOUND_B_DNSSEC     "$cfg" validator 0
  config_get_bool UNBOUND_B_NTP_BOOT   "$cfg" validator_ntp 1

@ -947,6 +1030,7 @@ unbound_uci() {
  config_get UNBOUND_N_RX_PORT   "$cfg" listen_port 53
  config_get UNBOUND_N_ROOT_AGE  "$cfg" root_age 9

  config_get UNBOUND_D_CONTROL     "$cfg" unbound_control 0
  config_get UNBOUND_D_DOMAIN_TYPE "$cfg" domain_type static
  config_get UNBOUND_D_DHCP_LINK   "$cfg" dhcp_link none
  config_get UNBOUND_D_EXTRA_DNS   "$cfg" add_extra_dns 0
--- a/net/unbound/files/unbound.uci
+++ b/net/unbound/files/unbound.uci
@ -9,6 +9,8 @@ config unbound
 	option domain 'lan'
 	option domain_type 'static'
 	option edns_size '1280'
 	option extended_luci '0'
 	option extended_stats '0'
 	option hide_binddata '1'
 	option listen_port '53'
 	option localservice '1'
--- a/net/unbound/files/unbound_ext.conf
+++ b/net/unbound/files/unbound_ext.conf
@ -1,8 +1,9 @@
 ##############################################################################
 # UNBOUND UCI USER ADDED CLAUSES
 # Extended user clauses added to the end of the UCI generated 'unbound.conf'
 #
 # Put your own forward:, view:, stub:, and control: clauses here. This file is
 # appended to the end of UCI auto generated 'unbound.conf'. This is done with
 # include: statement. Notice, it is outside of the server: clause.
 # Put your own forward:, view:, stub:, or remote-control: clauses here. This
 # file is appended to the end of 'unbound.conf' with an include: statement.
 # Notice that it is not part of the server: clause. Use 'unbound_srv.conf' to
 # place custom option statements in the server: clause.
 ##############################################################################

--- a/net/unbound/files/unbound_srv.conf
+++ b/net/unbound/files/unbound_srv.conf
@ -1,8 +1,9 @@
 ##############################################################################
 # UNBOUND UCI USER ADDED SERVER OPTIONS
 # User custom options added in the server: clause part of UCI 'unbound.conf'
 #
 # Put your own choice options here when not covered by UCI. These are all part
 # of the server: clause only. Most likely are hardening options or local-zone:
 # This is in an include: statement towards the end of the server: cluase. 
 # Add your own option statements here when they are not covered by UCI. This
 # file is placed _inside_ the server: clause with an include: statement. Do
 # not start other clauses here, because that would brake the server: clause.
 # Use 'unbound_ext.conf' to start new clauses at the end of 'unbound.conf'.
 ##############################################################################

--- a/net/unbound/patches/001-conf.patch
+++ b/net/unbound/patches/001-conf.patch
@ -6,7 +6,7 @@ index 5396029..cbb51ec 100644
 -#
 -# Example configuration file.
 -#
 -# See unbound.conf(5) man page, version 1.6.5.
 -# See unbound.conf(5) man page, version 1.6.6.
 -#
 -# this is a comment.
 +##############################################################################