From 18c3d97ef2b6ce0867fb9890a9aff5bdfa5371ba Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sun, 16 Sep 2018 15:07:10 +0200
Subject: [PATCH] unbound: always bind to loopback

get_possible_listen_ips() should go away and Dnsmasq already
does the right thing so let Unbound follow.

While here get rid of writing empty values into the config
and even offering them on the GUI...
---
 src/etc/inc/plugins.inc.d/unbound.inc | 10 +++-
 src/etc/inc/system.inc                |  5 +-
 src/www/services_dnsmasq.php          |  2 +-
 src/www/services_unbound.php          | 76 +++++++++++++--------------
 4 files changed, 49 insertions(+), 44 deletions(-)

diff --git a/src/etc/inc/plugins.inc.d/unbound.inc b/src/etc/inc/plugins.inc.d/unbound.inc
index 2b203e92f..34e93e6bb 100644
--- a/src/etc/inc/plugins.inc.d/unbound.inc
+++ b/src/etc/inc/plugins.inc.d/unbound.inc
@@ -163,16 +163,24 @@ EOF;
     $bindints = "";
     if (!empty($config['unbound']['active_interface'])) {
         $active_interfaces = explode(",", $config['unbound']['active_interface']);
+        $loopback = false;
         foreach ($active_interfaces as $ubif) {
             $intip = get_interface_ip($ubif);
             if (!empty($intip)) {
                 $bindints .= "interface: $intip\n";
+                if ($intip == '127.0.0.1') {
+                    $loopback = true;
+                }
             }
             $intip = get_interface_ipv6($ubif);
             if (!empty($intip)) {
                 $bindints .= "interface: $intip\n";
             }
         }
+        if (!$loopback) {
+            /* always bind to this loopback IP for system */
+            $bindints .= "interface: 127.0.0.1\n";
+        }
     } else {
         $bindints .= "interface: 0.0.0.0\n";
         $bindints .= "interface: ::0\n";
@@ -696,7 +704,7 @@ function unbound_acls_subnets()
     /* add our networks for active interfaces including localhost */
     $subnets = array('127.0.0.1/8', '::1/64');
 
-    foreach ($active_interfaces as $ubif => $ifdesc) {
+    foreach ($active_interfaces as $ubif => $unused) {
         foreach (legacy_getall_interface_addresses(get_real_interface($ubif)) as $subnet) {
             $subnets[] = $subnet;
         }
diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc
index 087b9f816..8d03abbbc 100644
--- a/src/etc/inc/system.inc
+++ b/src/etc/inc/system.inc
@@ -157,10 +157,7 @@ function system_resolvconf_generate($verbose = false)
         $resolvconf = "domain {$syscfg['domain']}\n";
     }
 
-    /* XXX Unbound should always bind to loopback like Dnsmasq */
-    if (!isset($config['system']['dnslocalhost']) && (isset($config['dnsmasq']['enable']) ||
-      (isset($config['unbound']['enable']) && (empty($config['unbound']['active_interface']) ||
-      in_array('lo0', explode(',', $config['unbound']['active_interface'])))))) {
+    if (!isset($config['system']['dnslocalhost']) && (isset($config['dnsmasq']['enable']) || isset($config['unbound']['enable']))) {
         $resolvconf .= "nameserver 127.0.0.1\n";
     }
 
diff --git a/src/www/services_dnsmasq.php b/src/www/services_dnsmasq.php
index c358a9e0c..da71a1e7e 100644
--- a/src/www/services_dnsmasq.php
+++ b/src/www/services_dnsmasq.php
@@ -349,7 +349,7 @@ $( document ).ready(function() {
                 <tr>
                   <td><a id="help_for_interfaces" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Interfaces"); ?></td>
                   <td>
-                    <select id="interface" name="interface[]" multiple="multiple" class="selectpicker" title="<?= html_safe(gettext('All')) ?>">
+                    <select id="interface" name="interface[]" multiple="multiple" class="selectpicker" title="<?= html_safe(gettext('All (recommended)')) ?>">
 <?php foreach (get_configured_interface_with_descr() as  $iface => $ifacename): ?>
                       <option value="<?= html_safe($iface) ?>" <?=in_array($iface, $pconfig['interface']) ? 'selected="selected"' : "" ?>>
                         <?= html_safe($ifacename) ?>
diff --git a/src/www/services_unbound.php b/src/www/services_unbound.php
index f514c5ff4..6dc738f91 100644
--- a/src/www/services_unbound.php
+++ b/src/www/services_unbound.php
@@ -1,32 +1,32 @@
 <?php
 
 /*
-    Copyright (C) 2018 Fabian Franz
-    Copyright (C) 2014-2016 Deciso B.V.
-    Copyright (C) 2014 Warren Baker <warren@decoy.co.za>
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
+ * Copyright (C) 2018 Fabian Franz
+ * Copyright (C) 2014-2016 Deciso B.V.
+ * Copyright (C) 2014 Warren Baker <warren@decoy.co.za>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
 
 require_once("guiconfig.inc");
 require_once("services.inc");
@@ -75,12 +75,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
         if (!empty($pconfig['regdhcpdomain']) && !is_domain($pconfig['regdhcpdomain'])) {
             $input_errors[] = gettext("The domain may only contain the characters a-z, 0-9, '-' and '.'.");
         }
-        if (empty($pconfig['active_interface'])) {
-            $input_errors[] = gettext("A single network interface needs to be selected for the DNS Resolver to bind to.");
-        }
-        if (empty($pconfig['outgoing_interface'])) {
-            $input_errors[] = gettext("A single outgoing network interface needs to be selected for the DNS Resolver to use for outgoing DNS requests.");
-        }
         if (!empty($pconfig['port']) && !is_port($pconfig['port'])) {
             $input_errors[] = gettext("You must specify a valid port number.");
         }
@@ -119,8 +113,16 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
             $a_unboundcfg['txtsupport'] = !empty($pconfig['txtsupport']);
 
             // array types
-            $a_unboundcfg['active_interface'] = !empty( $pconfig['active_interface']) ? implode(",", $pconfig['active_interface']) : array();
-            $a_unboundcfg['outgoing_interface'] = !empty( $pconfig['outgoing_interface']) ? implode(",", $pconfig['outgoing_interface']) : array();
+            if (!empty($pconfig['active_interface'])) {
+                $a_unboundcfg['active_interface'] = implode(',', $pconfig['active_interface']);
+            } elseif (isset($a_unboundcfg['active_interface'])) {
+                unset($a_unboundcfg['active_interface']);
+            }
+            if (!empty($pconfig['outgoing_interface'])) {
+                $a_unboundcfg['outgoing_interface'] = implode(',', $pconfig['outgoing_interface']);
+            } elseif (isset($a_unboundcfg['outgoing_interface'])) {
+                unset($a_unboundcfg['outgoing_interface']);
+            }
 
             write_config("DNS Resolver configured.");
             mark_subsystem_dirty('unbound');
@@ -191,8 +193,7 @@ include_once("head.inc");
                       <tr>
                         <td><a id="help_for_active_interface" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Network Interfaces"); ?></td>
                         <td>
-                          <select name="active_interface[]" multiple="multiple" size="3" class="selectpicker" data-live-search="true">
-                            <option value="" <?=empty($pconfig['active_interface'][0]) ? 'selected="selected"' : ""; ?>><?=gettext("All");?></option>
+                          <select name="active_interface[]" multiple="multiple" class="selectpicker" title="<?= html_safe(gettext('All (recommended)')) ?>">
 <?php
                             foreach (get_possible_listen_ips(false) as $laddr):?>
                             <option value="<?=$laddr['value'];?>" <?=!empty($pconfig['active_interface'][0]) && in_array($laddr['value'], $pconfig['active_interface']) ? 'selected="selected"' : "";?>><?=htmlspecialchars($laddr['name']);?></option>
@@ -323,8 +324,7 @@ include_once("head.inc");
                       <tr class="showadv" style="display:none">
                         <td><a id="help_for_outgoing_interface" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Outgoing Network Interfaces"); ?></td>
                         <td>
-                          <select id="outgoing_interface" name="outgoing_interface[]" multiple="multiple" size="3" class="selectpicker" data-live-search="true">
-                            <option value="" <?=empty($pconfig['outgoing_interface'][0]) ? 'selected="selected"' : ""; ?>><?=gettext("All");?></option>
+                          <select id="outgoing_interface" name="outgoing_interface[]" multiple="multiple" class="selectpicker" title="<?= html_safe(gettext('All (recommended)')) ?>">
 <?php
                             foreach (get_possible_listen_ips(true) as $laddr):?>
                             <option value="<?=$laddr['value'];?>" <?=!empty($pconfig['outgoing_interface'][0]) && in_array($laddr['value'], $pconfig['outgoing_interface']) ? 'selected="selected"' : "";?>>