unbound: fix /var MFS dilemma for DNSBL after boot; closes #4938

o Create a persistent directory to feed the unbound includes
o Move runtime data to /tmp directory

After reboot we use the old persistent list still available.

I am not sure if it's clear enough that the blacklists cannot
auto-update and therefore require a cron job or manual update
from the respective GUI page ("apply" essentially is "download
and apply").

plist

@@ -150,6 +150,7 @@
 /usr/local/etc/rc.syshook.d/update/10-refresh
 /usr/local/etc/ssl/opnsense.cnf
 /usr/local/etc/strongswan.opnsense.d/README
+/usr/local/etc/unbound.opnsense.d/README
 /usr/local/libexec/opnsense-auth
 /usr/local/opnsense/contrib/IXR/IXR_Library.php
 /usr/local/opnsense/contrib/base32/Base32.php

src/etc/inc/plugins.inc.d/unbound.inc

@@ -116,12 +116,12 @@ function unbound_generate_config()
         mwexecf('/sbin/mount -t devfs devfs %s', '/var/unbound/dev');
     }
 
-    mwexecf('/usr/sbin/chown -R unbound:unbound %s', '/var/unbound');
+    foreach (glob('/var/unbound/etc/*') as $file) {
+        unlink($file);
+    }
 
-    // Setup optimization
     $optimization = unbound_optimization();
 
-    // Setup DNS64 and DNSSEC support
     $dns64prefix = '';
     if (isset($config['unbound']['dns64'])) {
         $module_config = 'dns64 ';
@@ -136,9 +136,7 @@ function unbound_generate_config()
         $module_config .= 'iterator';
     }
 
-    // Setup DNS Rebinding
     if (!isset($config['system']['webgui']['nodnsrebindcheck'])) {
-        // Private-addresses for DNS Rebinding
         $private_addr = <<<EOF
 # For DNS Rebinding prevention
 #
@@ -211,19 +209,14 @@ EOF;
         }
     }
 
-    // Allow DNS Rebind for forwarded domains
+    /* allow DNS Rebind for forwarded domains */
     if (!empty($config['unbound']['domainoverrides'])) {
         $private_domains = "# Set private domains in case authoritative name server returns a Private IP address\n";
         $private_domains .= unbound_add_domain_overrides(true);
     }
 
-    // Configure static Host entries
     unbound_add_host_entries($ifconfig_details);
-
-    // Configure Domain Overrides
     unbound_add_domain_overrides();
-
-    // Configure Unbound access-lists
     unbound_acls_config();
 
     // Add custom Unbound options
@@ -232,7 +225,6 @@ EOF;
         $custom_options = "# Unbound custom options\n{$config['unbound']['custom_options']}\n";
     }
 
-    // Server configuration variables
     $port = is_port($config['unbound']['port']) ? $config['unbound']['port'] : "53";
     $hide_id = !empty($config['unbound']['hideidentity']) ? "yes" : "no";
     $hide_version = !empty($config['unbound']['hideversion']) ? "yes" : "no";
@@ -389,6 +381,8 @@ EOD;
 
     file_put_contents('/var/unbound/unbound.conf', $unboundconf);
     configd_run('template reload OPNsense/Unbound/*');
+    mwexecf('cp /usr/local/etc/unbound.opnsense.d/*.conf /var/unbound/etc/');
+    mwexecf('/usr/sbin/chown -R unbound:unbound %s', '/var/unbound');
 }
 
 function unbound_interface($interface)

src/etc/unbound.opnsense.d/README

@@ -0,0 +1,2 @@
+OPNsense: automatically included unbound.conf configuration files
+moved into chroot directory /var/unbound/etc on reconfigure.

src/opnsense/mvc/app/controllers/OPNsense/Unbound/Api/ServiceController.php

@@ -46,7 +46,7 @@ class ServiceController extends ApiMutableServiceControllerBase
         $this->sessionClose();
         $backend = new Backend();
         $backend->configdRun('template reload ' . escapeshellarg(static::$internalServiceTemplate));
-        $response = $backend->configdpRun('unbound dnsbl');
-        return array("status" => $response);
+        $response = $backend->configdRun(static::$internalServiceName . ' dnsbl');
+        return array('status' => $response);
     }
 }

src/opnsense/scripts/unbound/download_blacklists.py

@@ -89,9 +89,9 @@ if __name__ == '__main__':
     startup_time = time.time()
     syslog.openlog('unbound', logoption=syslog.LOG_DAEMON, facility=syslog.LOG_LOCAL4)
     blacklist_items = set()
-    if os.path.exists('/var/unbound/etc/blacklists.ini'):
+    if os.path.exists('/tmp/unbound-blacklists.conf'):
         cnf = ConfigParser()
-        cnf.read('/var/unbound/etc/blacklists.ini')
+        cnf.read('/tmp/unbound-blacklists.conf')
         # exclude (white) lists, compile to regex to be used to filter blacklist entries
         if cnf.has_section('exclude'):
             exclude_list = set()
@@ -142,7 +142,7 @@ if __name__ == '__main__':
                 )
 
     # write out results
-    with open("/var/unbound/etc/dnsbl.conf", 'w') as unbound_outf:
+    with open("/usr/local/etc/unbound.opnsense.d/dnsbl.conf", 'w') as unbound_outf:
         if blacklist_items:
             unbound_outf.write('server:\n')
             for entry in blacklist_items:

src/opnsense/service/conf/actions.d/actions_unbound.conf

@@ -53,11 +53,14 @@ type:script
 message:Start Unbound
 
 [dnsbl]
-command:/usr/local/opnsense/scripts/unbound/download_blacklists.py && /usr/local/sbin/unbound-control -c /var/unbound/unbound.conf reload
+command:
+    /usr/local/opnsense/scripts/unbound/download_blacklists.py &&
+    cp /usr/local/etc/unbound.opnsense.d/dnsbl.conf /var/unbound/etc/ &&
+    /usr/local/sbin/unbound-control -c /var/unbound/unbound.conf reload
 parameters:
 type:script
-message:fetching and applying DNSBLs
-description: Download Unbound DNSBLs and restart
+message:Updating Unbound DNSBLs
+description:Update Unbound DNSBLs
 
 [status]
 command:pgrep -q -nF /var/run/unbound.pid && echo "unbound is running" || echo "unbound is not running" ;exit 0

src/opnsense/service/templates/OPNsense/Unbound/core/+TARGETS

@@ -1,4 +1,4 @@
-blacklists.conf:/var/unbound/etc/blacklists.ini
-dot.conf:/var/unbound/etc/dot.conf
-miscellaneous.conf:/var/unbound/etc/miscellaneous.conf
+blacklists.conf:/tmp/unbound-blacklists.conf
+dot.conf:/usr/local/etc/unbound.opnsense.d/dot.conf
+miscellaneous.conf:/usr/local/etc/unbound.opnsense.d/miscellaneous.conf
 root.min.hints:/var/unbound/root.hints