unbound: extend ACL to delegatable prefix #3797

Maybe this is wishful thinking: if the prefix changes the
whole idea falls apart anyway.

src/etc/inc/plugins.inc.d/unbound.inc

@@ -2,7 +2,7 @@
 
 /*
  * Copyright (C) 2018 Fabian Franz
- * Copyright (C) 2015-2019 Franco Fichtner <franco@opnsense.org>
+ * Copyright (C) 2015-2020 Franco Fichtner <franco@opnsense.org>
  * Copyright (C) 2015 Manuel Faux <mfaux@conf.at>
  * Copyright (C) 2014 Warren Baker <warren@decoy.co.za>
  * Copyright (C) 2004-2007 Scott Ullrich <sullrich@gmail.com>
@@ -730,19 +730,28 @@ function unbound_acls_subnets()
         }
     }
 
+    /* expand subnet for DHCPv6 trackers */
+    foreach (array_keys($active_interfaces) as $if) {
+        if (isset($config['interfaces'][$if]['track6-interface'])) {
+	    $realif = get_real_interface($if, 'inet6');
+	    $active_interfaces[$realif] = [];
+	    $active_interfaces[$realif]['net6'] = 64 - calculate_ipv6_delegation_length($config['interfaces'][$if]['track6-interface']);
+        }
+    }
+
     /* add our networks for active interfaces including localhost */
     $subnets = array('127.0.0.1/8', '::1/64');
 
     foreach (interfaces_addresses(array_keys($active_interfaces), true) as $subnet => $info) {
         if (!empty($active_interfaces[$info['name']]['net4']) && is_subnetv4($subnet)) {
             $subnet = explode('/', $subnet)[0] . '/' . $active_interfaces[$info['name']]['net4'];
-        } elseif (!empty($active_interfaces[$info['name']]['net6']) && is_subnetv6($subnet)) {
+        } elseif (!empty($active_interfaces[$info['name']]['net6']) && is_subnetv6($subnet) && !$info['scope']) {
             $subnet = explode('/', $subnet)[0] . '/' . $active_interfaces[$info['name']]['net6'];
         }
         $subnets[] = $subnet;
     }
 
-    return $subnets;
+    return array_unique($subnets);
 }
 
 function unbound_acls_config()