unbound: allow to retain cache; closes #2750

plist

@@ -836,7 +836,7 @@
 /usr/local/opnsense/scripts/systemhealth/queryLog.py
 /usr/local/opnsense/scripts/unbound/cache.sh
 /usr/local/opnsense/scripts/unbound/download_blacklists.py
-/usr/local/opnsense/scripts/unbound/unbound_start.sh
+/usr/local/opnsense/scripts/unbound/start.sh
 /usr/local/opnsense/scripts/unbound/wrapper.py
 /usr/local/opnsense/service/conf/actions.d/actions_auth.conf
 /usr/local/opnsense/service/conf/actions.d/actions_captiveportal.conf

src/etc/inc/plugins.inc.d/openssh.inc

@@ -39,7 +39,7 @@ function openssh_enabled()
 function openssh_configure()
 {
     return array(
-        'earlybootup' => array('openssh_configure_do'),
+        'early' => array('openssh_configure_do'),
         'local' => array('openssh_configure_do'),
         'newwanip' => array('openssh_configure_do:2'),
     );

src/etc/inc/plugins.inc.d/unbound.inc

@@ -42,6 +42,7 @@ function unbound_configure()
     return array(
         'bootup' => array('unbound_configure_do'),
         'dns' => array('unbound_configure_do'),
+        'early' => array('unbound_cache_flush'),
         'hosts' => array('unbound_hosts_generate:0'),
         'local' => array('unbound_configure_do'),
         'newwanip' => array('unbound_configure_do:2'),
@@ -377,50 +378,24 @@ EOD;
     mwexecf('/usr/sbin/chown -R unbound:unbound %s', '/var/unbound');
 }
 
-function unbound_interface($interface)
+function unbound_cache_flush()
 {
-    global $config;
-
-    if (empty($interface)) {
-        /* emulate non-interface reload */
-        return true;
-    }
-
-    if (!empty($config['unbound']['active_interface'])) {
-        foreach (explode(',', $config['unbound']['active_interface']) as $used) {
-            if ($used == $interface) {
-                return true;
-            }
-        }
-    }
-
-    if (!empty($config['unbound']['outgoing_interface'])) {
-        foreach (explode(',', $config['unbound']['outgoing_interface']) as $used) {
-            if ($used == $interface) {
-                return true;
-            }
-        }
-    }
-
-    /*
-     * We can ignore this request as we don't listen here
-     * or always listen on :: / 0.0.0.0 so that a reload
-     * is not necessary.
-     */
-    return false;
+    configd_run('unbound cache flush');
 }
 
 function unbound_configure_do($verbose = false, $interface = '')
 {
     global $config;
 
-    unbound_generate_config();
-
-    if (!unbound_interface($interface) && isvalidpid('/var/run/unbound.pid')) {
-        return;
+    if (empty($config['unbound']['cacheflush'])) {
+        if (isvalidpid('/var/run/unbound.pid')) {
+            configd_run('unbound cache dump');
+        }
+    } else {
+        unbound_cache_flush();
     }
 
-    //configd_run('unbound cache dump');
+    unbound_generate_config();
 
     killbypid('/var/run/unbound_dhcpd.pid', 'TERM', true);
     killbypid('/var/run/unbound.pid', 'TERM', true);
@@ -434,7 +409,7 @@ function unbound_configure_do($verbose = false, $interface = '')
         flush();
     }
 
-    configd_run("unbound start", true);
+    configd_run('unbound start', true);
 
     if (isset($config['unbound']['regdhcp'])) {
         $domain = $config['system']['domain'];
@@ -444,8 +419,6 @@ function unbound_configure_do($verbose = false, $interface = '')
         mwexecf('/usr/local/opnsense/scripts/dns/unbound_dhcpd.py --domain %s', $domain);
     }
 
-    //configd_run('unbound cache load');
-
     if ($verbose) {
         echo "done.\n";
     }

src/etc/inc/plugins.inc.d/webgui.inc

@@ -31,7 +31,7 @@
 function webgui_configure()
 {
     return array(
-        'earlybootup' => array('webgui_configure_do'),
+        'early' => array('webgui_configure_do'),
         'local' => array('webgui_configure_do'),
         'newwanip' => array('webgui_configure_do:2'),
         'webgui' => array('webgui_configure_do'),

src/etc/rc.bootup

@@ -99,7 +99,7 @@ interfaces_configure(true);
 
 system_resolvconf_generate(true);
 filter_configure_sync(true);
-plugins_configure('earlybootup', true);
+plugins_configure('early', true);
 system_cron_configure(true, true);
 system_routing_configure(true);
 

src/opnsense/scripts/unbound/cache.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# Copyright (c) 2017 Franco Fichtner <franco@opnsense.org>
+# Copyright (c) 2017-2021 Franco Fichtner <franco@opnsense.org>
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
@@ -28,13 +28,13 @@
 set -e
 
 UNBOUNDCTL="/usr/local/sbin/unbound-control -c /var/unbound/unbound.conf"
-CACHE="/var/unbound/cache.dump"
+CACHE="/var/unbound/cache.dump.gz"
 COMMAND=${1}
 
 if [ "${COMMAND}" = "dump" ]; then
-	${UNBOUNDCTL} dump_cache > ${CACHE}
+	${UNBOUNDCTL} dump_cache | gzip > ${CACHE}
 elif [ "${COMMAND}" = "load" -a -f "${CACHE}" ]; then
-	cat ${CACHE} | ${UNBOUNDCTL} load_cache
+	gunzip -c ${CACHE} | ${UNBOUNDCTL} load_cache
 elif [ "${COMMAND}" = "flush" ]; then
 	rm -f ${CACHE}
 fi

src/opnsense/scripts/unbound/start.sh

@@ -1,4 +1,5 @@
 #!/bin/sh
+
 # Copyright (c) 2020 Deciso B.V.
 # All rights reserved.
 #
@@ -25,6 +26,8 @@
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 
+set -e
+
 # prepare and startup unbound, so we can easily background it
 
 chroot -u unbound -g unbound / /usr/local/sbin/unbound-anchor -a /var/unbound/root.key
@@ -34,3 +37,4 @@ if [ ! -f /var/unbound/unbound_control.key ]; then
 fi
 
 /usr/local/sbin/unbound -c /var/unbound/unbound.conf
+/usr/local/opnsense/scripts/unbound/cache.sh load

src/opnsense/service/conf/actions.d/actions_unbound.conf

@@ -38,7 +38,7 @@ message:list local data
 command:/usr/local/opnsense/scripts/unbound/cache.sh
 parameters:%s
 type:script
-message:cache %s
+message:Unbound cache %s
 
 [reload]
 command:/usr/local/sbin/unbound-control -c /var/unbound/unbound.conf reload
@@ -47,10 +47,10 @@ type:script
 message:Reloading Unbound
 
 [start]
-command:/usr/local/bin/flock -n -E 0 -o /tmp/unbound_start.lock /usr/local/opnsense/scripts/unbound/unbound_start.sh
+command:/usr/local/bin/flock -n -E 0 -o /tmp/unbound_start.lock /usr/local/opnsense/scripts/unbound/start.sh
 parameters:
 type:script
-message:Start Unbound
+message:Starting Unbound
 
 [dnsbl]
 command:

src/www/services_unbound.php

@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2018 Franco Fichtner <franco@opnsense.org>
+ * Copyright (C) 2018-2021 Franco Fichtner <franco@opnsense.org>
  * Copyright (C) 2018 Fabian Franz
  * Copyright (C) 2014-2016 Deciso B.V.
  * Copyright (C) 2014 Warren Baker <warren@decoy.co.za>
@@ -48,6 +48,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
     $pconfig['regdhcp'] = isset($a_unboundcfg['regdhcp']);
     $pconfig['regdhcpstatic'] = isset($a_unboundcfg['regdhcpstatic']);
     $pconfig['txtsupport'] = isset($a_unboundcfg['txtsupport']);
+    $pconfig['cacheflush'] = isset($a_unboundcfg['cacheflush']);
     // text values
     $pconfig['port'] = !empty($a_unboundcfg['port']) ? $a_unboundcfg['port'] : null;
     $pconfig['regdhcpdomain'] = !empty($a_unboundcfg['regdhcpdomain']) ? $a_unboundcfg['regdhcpdomain'] : null;
@@ -111,10 +112,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
             }
 
             // boolean values
+            $a_unboundcfg['cacheflush'] = !empty($pconfig['cacheflush']);
+            $a_unboundcfg['dns64'] = !empty($pconfig['dns64']);
+            $a_unboundcfg['dnssec'] = !empty($pconfig['dnssec']);
             $a_unboundcfg['enable'] = !empty($pconfig['enable']);
             $a_unboundcfg['enable_wpad'] = !empty($pconfig['enable_wpad']);
-            $a_unboundcfg['dnssec'] = !empty($pconfig['dnssec']);
-            $a_unboundcfg['dns64'] = !empty($pconfig['dns64']);
             $a_unboundcfg['forwarding'] = !empty($pconfig['forwarding']);
             $a_unboundcfg['noreglladdr6'] = empty($pconfig['reglladdr6']);
             $a_unboundcfg['regdhcp'] = !empty($pconfig['regdhcp']);
@@ -304,7 +306,17 @@ include_once("head.inc");
                           <input name="txtsupport" type="checkbox" value="yes" <?=!empty($pconfig['txtsupport']) ? 'checked="checked"' : '';?> />
                           <?= gettext('Create corresponding TXT records') ?>
                           <div class="hidden" data-for="help_for_txtsupport">
-                            <?=gettext("If this option is set, then any descriptions associated with Host entries and DHCP Static mappings will create a corresponding TXT record.");?><br />
+                            <?=gettext("If this option is set, then any descriptions associated with Host entries and DHCP Static mappings will create a corresponding TXT record.");?>
+                          </div>
+                        </td>
+                      </tr>
+                      <tr>
+                        <td><a id="help_for_cacheflush" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('DNS Cache');?></td>
+                        <td>
+                          <input name="cacheflush" type="checkbox" value="yes" <?=!empty($pconfig['cacheflush']) ? 'checked="checked"' : '';?> />
+                          <?= gettext('Flush DNS cache during reload') ?>
+                          <div class="hidden" data-for="help_for_cacheflush">
+                            <?= gettext('If this option is set, the DNS cache will be flushed during each daemon reload. This is the default behavior for Unbound, but may be undesired when multiple dynamic interfaces require frequent reloading.') ?>
                           </div>
                         </td>
                       </tr>