unbound: more refactoring, less pages, blacklist -> blocklist
PR: https://github.com/opnsense/core/issues/4327
This commit is contained in:
parent
dac9a74479
commit
72e6ca2fee
7
plist
7
plist
@ -374,11 +374,9 @@
|
||||
/usr/local/opnsense/mvc/app/controllers/OPNsense/Unbound/Api/SettingsController.php
|
||||
/usr/local/opnsense/mvc/app/controllers/OPNsense/Unbound/DnsblController.php
|
||||
/usr/local/opnsense/mvc/app/controllers/OPNsense/Unbound/DotController.php
|
||||
/usr/local/opnsense/mvc/app/controllers/OPNsense/Unbound/MiscellaneousController.php
|
||||
/usr/local/opnsense/mvc/app/controllers/OPNsense/Unbound/StatsController.php
|
||||
/usr/local/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dialogDot.xml
|
||||
/usr/local/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dnsbl.xml
|
||||
/usr/local/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/miscellaneous.xml
|
||||
/usr/local/opnsense/mvc/app/library/Google/API/Drive.php
|
||||
/usr/local/opnsense/mvc/app/library/OPNsense/Auth/API.php
|
||||
/usr/local/opnsense/mvc/app/library/OPNsense/Auth/AuthenticationFactory.php
|
||||
@ -601,7 +599,6 @@
|
||||
/usr/local/opnsense/mvc/app/views/OPNsense/TrafficShaper/statistics.volt
|
||||
/usr/local/opnsense/mvc/app/views/OPNsense/Unbound/dnsbl.volt
|
||||
/usr/local/opnsense/mvc/app/views/OPNsense/Unbound/dot.volt
|
||||
/usr/local/opnsense/mvc/app/views/OPNsense/Unbound/miscellaneous.volt
|
||||
/usr/local/opnsense/mvc/app/views/OPNsense/Unbound/stats.volt
|
||||
/usr/local/opnsense/mvc/app/views/layout_partials/base_dialog.volt
|
||||
/usr/local/opnsense/mvc/app/views/layout_partials/base_dialog_processing.volt
|
||||
@ -834,9 +831,9 @@
|
||||
/usr/local/opnsense/scripts/systemhealth/logformats/squid.py
|
||||
/usr/local/opnsense/scripts/systemhealth/logformats/syslog.py
|
||||
/usr/local/opnsense/scripts/systemhealth/queryLog.py
|
||||
/usr/local/opnsense/scripts/unbound/blocklists.py
|
||||
/usr/local/opnsense/scripts/unbound/cache.sh
|
||||
/usr/local/opnsense/scripts/unbound/check.sh
|
||||
/usr/local/opnsense/scripts/unbound/download_blacklists.py
|
||||
/usr/local/opnsense/scripts/unbound/start.sh
|
||||
/usr/local/opnsense/scripts/unbound/wrapper.py
|
||||
/usr/local/opnsense/service/conf/actions.d/actions_auth.conf
|
||||
@ -977,7 +974,7 @@
|
||||
/usr/local/opnsense/service/templates/OPNsense/Syslog/syslog-ng-lockout.conf
|
||||
/usr/local/opnsense/service/templates/OPNsense/Syslog/syslog-ng.conf
|
||||
/usr/local/opnsense/service/templates/OPNsense/Unbound/core/+TARGETS
|
||||
/usr/local/opnsense/service/templates/OPNsense/Unbound/core/blacklists.conf
|
||||
/usr/local/opnsense/service/templates/OPNsense/Unbound/core/blocklists.conf
|
||||
/usr/local/opnsense/service/templates/OPNsense/Unbound/core/dot.conf
|
||||
/usr/local/opnsense/service/templates/OPNsense/Unbound/core/miscellaneous.conf
|
||||
/usr/local/opnsense/service/templates/OPNsense/Unbound/core/root.min.hints
|
||||
|
||||
@ -117,10 +117,6 @@ function unbound_generate_config()
|
||||
mwexecf('/sbin/mount -t devfs devfs %s', '/var/unbound/dev');
|
||||
}
|
||||
|
||||
foreach (glob('/var/unbound/etc/*') as $file) {
|
||||
unlink($file);
|
||||
}
|
||||
|
||||
$optimization = unbound_optimization();
|
||||
|
||||
$dns64prefix = '';
|
||||
@ -374,8 +370,6 @@ EOD;
|
||||
|
||||
file_put_contents('/var/unbound/unbound.conf', $unboundconf);
|
||||
configd_run('template reload OPNsense/Unbound/*');
|
||||
mwexecf('cp /usr/local/etc/unbound.opnsense.d/*.conf /var/unbound/etc/');
|
||||
mwexecf('/usr/sbin/chown -R unbound:unbound %s', '/var/unbound');
|
||||
}
|
||||
|
||||
function unbound_cache_flush()
|
||||
|
||||
@ -1,40 +0,0 @@
|
||||
<?php
|
||||
|
||||
/*
|
||||
* Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are met:
|
||||
*
|
||||
* 1. Redistributions of source code must retain the above copyright notice,
|
||||
* this list of conditions and the following disclaimer.
|
||||
*
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
|
||||
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
||||
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
|
||||
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||||
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||||
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
* POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
namespace OPNsense\Unbound;
|
||||
|
||||
use OPNsense\Base\IndexController;
|
||||
|
||||
class MiscellaneousController extends IndexController
|
||||
{
|
||||
public function indexAction()
|
||||
{
|
||||
$this->view->miscellaneousForm = $this->getForm('miscellaneous');
|
||||
$this->view->pick('OPNsense/Unbound/miscellaneous');
|
||||
}
|
||||
}
|
||||
@ -13,12 +13,12 @@
|
||||
</field>
|
||||
<field>
|
||||
<id>unbound.dnsbl.lists</id>
|
||||
<label>URLs of Blacklists</label>
|
||||
<label>URLs of Blocklists</label>
|
||||
<type>select_multiple</type>
|
||||
<style>tokenize</style>
|
||||
<allownew>true</allownew>
|
||||
<advanced>true</advanced>
|
||||
<help>List of domains from where blacklist will be downloaded.</help>
|
||||
<help>List of domains from where blocklist will be downloaded.</help>
|
||||
</field>
|
||||
<field>
|
||||
<id>unbound.dnsbl.whitelists</id>
|
||||
@ -28,4 +28,12 @@
|
||||
<allownew>true</allownew>
|
||||
<help>List of domains to whitelist. You can use regular expressions.</help>
|
||||
</field>
|
||||
<field>
|
||||
<id>unbound.miscellaneous.privatedomain</id>
|
||||
<label>Private Domains</label>
|
||||
<type>select_multiple</type>
|
||||
<style>tokenize</style>
|
||||
<allownew>true</allownew>
|
||||
<help>List of domains to mark as private. You only need this for some DNSBL lists which resolve to private addresses.</help>
|
||||
</field>
|
||||
</form>
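Review bot: The help text for `unbound.dnsbl.lists` at L346 still describes the field as a "list of domains" while the label on L328 calls the values URLs, so the two strings disagree about what the admin is expected to enter; since the help line is being rewritten anyway it could read `<help>List of URLs from where blocklists will be downloaded.</help>`. The neighbouring `unbound.dnsbl.whitelists` field keeps its "whitelist" wording in the help on L364, which reads inconsistently next to the blacklist → blocklist rename this commit makes; if the model key has to stay, the visible label and help could at least say allowlist. The `<form>` element starts outside the first hunk.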
|
||||
|
||||
@ -1,10 +0,0 @@
|
||||
<form>
|
||||
<field>
|
||||
<id>unbound.miscellaneous.privatedomain</id>
|
||||
<label>Private Domains</label>
|
||||
<type>select_multiple</type>
|
||||
<style>tokenize</style>
|
||||
<allownew>true</allownew>
|
||||
<help>List of domains to mark as private. You only need this for some DNSBL lists which resolve to private addresses.</help>
|
||||
</field>
|
||||
</form>
|
||||
@ -39,7 +39,7 @@
|
||||
</patterns>
|
||||
</page-diagnostics-logs-resolver>
|
||||
<page-services-unbound>
|
||||
<name>Services: Unbound (mvc)</name>
|
||||
<name>Services: Unbound (MVC)</name>
|
||||
<patterns>
|
||||
<pattern>ui/unbound/*</pattern>
|
||||
<pattern>api/unbound/*</pattern>
|
||||
|
||||
@ -10,9 +10,8 @@
|
||||
<ACL VisibleName="Access Lists" order="40" url="/services_unbound_acls.php">
|
||||
<All url="/services_unbound_acls.php*" visibility="hidden"/>
|
||||
</ACL>
|
||||
<Blacklist order="50" url="/ui/unbound/dnsbl/index"/>
|
||||
<Dot VisibleName="DNS over TLS" order="55" url="/ui/unbound/dot/index"/>
|
||||
<Miscellaneous order="60" url="/ui/unbound/miscellaneous/index"/>
|
||||
<Blocklist order="50" url="/ui/unbound/dnsbl/index"/>
|
||||
<Dot VisibleName="DNS over TLS" order="60" url="/ui/unbound/dot/index"/>
|
||||
<Statistics order="90" url="/ui/unbound/stats"/>
|
||||
<LogFile VisibleName="Log File" order="100" url="/ui/diagnostics/log/core/resolver"/>
|
||||
</Unbound>
|
||||
|
||||
@ -1,60 +0,0 @@
|
||||
{#
|
||||
# Copyright (c) 2019-2020 Deciso B.V.
|
||||
# Copyright (c) 2019 Michael Muenz <m.muenz@gmail.com>
|
||||
# All rights reserved.
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without modification,
|
||||
# are permitted provided that the following conditions are met:
|
||||
#
|
||||
# 1. Redistributions of source code must retain the above copyright notice,
|
||||
# this list of conditions and the following disclaimer.
|
||||
#
|
||||
# 2. Redistributions in binary form must reproduce the above copyright notice,
|
||||
# this list of conditions and the following disclaimer in the documentation
|
||||
# and/or other materials provided with the distribution.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
|
||||
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
||||
# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
|
||||
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||||
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||||
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
# POSSIBILITY OF SUCH DAMAGE.
|
||||
#}
|
||||
|
||||
<script>
|
||||
$(document).ready(function() {
|
||||
var data_get_map = {'frm_miscellaneous_settings':"/api/unbound/settings/get"};
|
||||
mapDataToFormUI(data_get_map).done(function(data){
|
||||
formatTokenizersUI();
|
||||
$('.selectpicker').selectpicker('refresh');
|
||||
});
|
||||
$("#saveAct").SimpleActionButton({
|
||||
onPreAction: function() {
|
||||
const dfObj = new $.Deferred();
|
||||
saveFormToEndpoint("/api/unbound/settings/set", 'frm_miscellaneous_settings', function(){
|
||||
dfObj.resolve();
|
||||
});
|
||||
return dfObj;
|
||||
}
|
||||
});
|
||||
|
||||
updateServiceControlUI('unbound');
|
||||
});
|
||||
</script>
|
||||
|
||||
<div class="content-box" style="padding-bottom: 1.5em;">
|
||||
{{ partial("layout_partials/base_form",['fields':miscellaneousForm,'id':'frm_miscellaneous_settings'])}}
|
||||
<div class="col-md-12">
|
||||
<hr />
|
||||
<button class="btn btn-primary" id="saveAct"
|
||||
data-endpoint='/api/unbound/service/reconfigure'
|
||||
data-label="{{ lang._('Apply') }}"
|
||||
data-error-title="{{ lang._('Error reloading unbound') }}"
|
||||
type="button">
|
||||
</button>
|
||||
</div>
|
||||
</div>
|
||||
@ -45,7 +45,7 @@ def uri_reader(uri):
|
||||
try:
|
||||
req = requests.get(**req_opts)
|
||||
except Exception as e:
|
||||
syslog.syslog(syslog.LOG_ERR,'blacklist download : unable to download file from %s (error : %s)' % (uri, e))
|
||||
syslog.syslog(syslog.LOG_ERR,'blocklist download : unable to download file from %s (error : %s)' % (uri, e))
|
||||
return
|
||||
|
||||
if req.status_code >= 200 and req.status_code <= 299:
|
||||
@ -67,7 +67,7 @@ def uri_reader(uri):
|
||||
yield part
|
||||
else:
|
||||
syslog.syslog(syslog.LOG_ERR,
|
||||
'blacklist download : unable to download file from %s (status_code: %d)' % (uri, req.status_code)
|
||||
'blocklist download : unable to download file from %s (status_code: %d)' % (uri, req.status_code)
|
||||
)
|
||||
|
||||
|
||||
@ -75,7 +75,7 @@ def uri_reader(uri):
|
||||
if __name__ == '__main__':
|
||||
# check for a running download process, this may take a while so it's better to check...
|
||||
try:
|
||||
lck = open('/tmp/unbound-download_blacklists.tmp', 'w+')
|
||||
lck = open('/tmp/unbound-download_blocklists.tmp', 'w+')
|
||||
fcntl.flock(lck, fcntl.LOCK_EX | fcntl.LOCK_NB)
|
||||
except IOError:
|
||||
# already running, exit status 99
|
||||
@ -88,11 +88,11 @@ if __name__ == '__main__':
|
||||
|
||||
startup_time = time.time()
|
||||
syslog.openlog('unbound', logoption=syslog.LOG_DAEMON, facility=syslog.LOG_LOCAL4)
|
||||
blacklist_items = set()
|
||||
if os.path.exists('/tmp/unbound-blacklists.conf'):
|
||||
blocklist_items = set()
|
||||
if os.path.exists('/tmp/unbound-blocklists.conf'):
|
||||
cnf = ConfigParser()
|
||||
cnf.read('/tmp/unbound-blacklists.conf')
|
||||
# exclude (white) lists, compile to regex to be used to filter blacklist entries
|
||||
cnf.read('/tmp/unbound-blocklists.conf')
|
||||
# exclude (white) lists, compile to regex to be used to filter blocklist entries
|
||||
if cnf.has_section('exclude'):
|
||||
exclude_list = set()
|
||||
for exclude_item in cnf['exclude']:
|
||||
@ -101,7 +101,7 @@ if __name__ == '__main__':
|
||||
exclude_list.add(cnf['exclude'][exclude_item])
|
||||
except re.error:
|
||||
syslog.syslog(syslog.LOG_ERR,
|
||||
'blacklist download : skip invalid whitelist exclude pattern "%s" (%s)' % (
|
||||
'blocklist download : skip invalid whitelist exclude pattern "%s" (%s)' % (
|
||||
exclude_item, cnf['exclude'][exclude_item]
|
||||
)
|
||||
)
|
||||
@ -110,13 +110,13 @@ if __name__ == '__main__':
|
||||
|
||||
wp = '|'.join(exclude_list)
|
||||
whitelist_pattern = re.compile(wp, re.IGNORECASE)
|
||||
syslog.syslog(syslog.LOG_NOTICE, 'blacklist download : exclude domains matching %s' % wp)
|
||||
syslog.syslog(syslog.LOG_NOTICE, 'blocklist download : exclude domains matching %s' % wp)
|
||||
|
||||
# fetch all blacklists
|
||||
if cnf.has_section('blacklists'):
|
||||
for blacklist in cnf['blacklists']:
|
||||
file_stats = {'uri': cnf['blacklists'][blacklist], 'skip' : 0, 'blacklist': 0, 'lines' :0}
|
||||
for line in uri_reader(cnf['blacklists'][blacklist]):
|
||||
# fetch all blocklists
|
||||
if cnf.has_section('blocklists'):
|
||||
for blocklist in cnf['blocklists']:
|
||||
file_stats = {'uri': cnf['blocklists'][blocklist], 'skip' : 0, 'blocklist': 0, 'lines' :0}
|
||||
for line in uri_reader(cnf['blocklists'][blocklist]):
|
||||
file_stats['lines'] += 1
|
||||
# cut line into parts before comment marker (if any)
|
||||
tmp = line.split('#')[0].split()
|
||||
@ -131,23 +131,23 @@ if __name__ == '__main__':
|
||||
file_stats['skip'] += 1
|
||||
else:
|
||||
if domain_pattern.match(domain):
|
||||
file_stats['blacklist'] += 1
|
||||
blacklist_items.add(entry)
|
||||
file_stats['blocklist'] += 1
|
||||
blocklist_items.add(entry)
|
||||
else:
|
||||
file_stats['skip'] += 1
|
||||
|
||||
syslog.syslog(
|
||||
syslog.LOG_NOTICE,
|
||||
'blacklist download %(uri)s (lines: %(lines)d exclude: %(skip)d black: %(blacklist)d)' % file_stats
|
||||
'blocklist download %(uri)s (lines: %(lines)d exclude: %(skip)d block: %(blocklist)d)' % file_stats
|
||||
)
|
||||
|
||||
# write out results
|
||||
with open("/usr/local/etc/unbound.opnsense.d/dnsbl.conf", 'w') as unbound_outf:
|
||||
if blacklist_items:
|
||||
if blocklist_items:
|
||||
unbound_outf.write('server:\n')
|
||||
for entry in blacklist_items:
|
||||
for entry in blocklist_items:
|
||||
unbound_outf.write("local-data: \"%s A 0.0.0.0\"\n" % entry)
|
||||
|
||||
syslog.syslog(syslog.LOG_NOTICE, "blacklist download done in %0.2f seconds (%d records)" % (
|
||||
time.time() - startup_time, len(blacklist_items)
|
||||
syslog.syslog(syslog.LOG_NOTICE, "blocklist download done in %0.2f seconds (%d records)" % (
|
||||
time.time() - startup_time, len(blocklist_items)
|
||||
))
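Review bot: The lock file on L745 is opened with `'w+'` at a fixed, predictable path under `/tmp`, a world-writable directory; if this script runs with elevated privileges (I infer it does, being launched from the configd dnsbl action), a pre-existing symlink at that name would be followed and its target truncated before `flock` is ever reached. Since the line is being renamed anyway, this is a good moment to move the lock into a directory only the service owner can write, e.g. `lck = open('/var/run/unbound-download_blocklists.lock', 'w+')` (example path, adjust to the project's run directory), and to release and unlink it on exit. The same concern applies to `/tmp/unbound-blocklists.conf` read on L777 and L789: it is rendered by the template target on L1094 and then re-read here, so any local user can replace the file between render and read, which would let the list of URLs and the exclude regexes be substituted. The enclosing `__main__` block starts and ends outside these hunks, so I cannot see whether the lock is ever released.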
|
||||
@ -1,6 +1,6 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Copyright (c) 2020 Deciso B.V.
|
||||
# Copyright (c) 2020-2021 Deciso B.V.
|
||||
# All rights reserved.
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
@ -36,5 +36,15 @@ if [ ! -f /var/unbound/unbound_control.key ]; then
|
||||
chroot -u unbound -g unbound / /usr/local/sbin/unbound-control-setup -d /var/unbound
|
||||
fi
|
||||
|
||||
for FILE in $(find /var/unbound/etc -depth 1); do
|
||||
rm -rf ${FILE}
|
||||
done
|
||||
|
||||
for FILE in $(find /usr/local/etc/unbound.opnsense.d -depth 1 -name '*.conf'); do
|
||||
cp ${FILE} /var/unbound/etc/
|
||||
done
|
||||
|
||||
chown -R unbound:unbound /var/unbound
|
||||
|
||||
/usr/local/sbin/unbound -c /var/unbound/unbound.conf
|
||||
/usr/local/opnsense/scripts/unbound/cache.sh load
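Review bot: The two new loops on L1013-L1030 iterate over unquoted `$(find ...)` output, so a file name containing whitespace or glob characters is word-split or expanded before `rm -rf` and `cp` see it; the directories here are fixed, so this is unlikely to bite in practice, but `find` can do the work without any splitting: `find /var/unbound/etc -depth 1 -exec rm -rf {} +` and `find /usr/local/etc/unbound.opnsense.d -depth 1 -name '*.conf' -exec cp {} /var/unbound/etc/ \;`. A comment above the first loop would also help, because this cleanup used to live in `unbound_generate_config()` (the removed lines L148-L154 and L178-L181 in the unbound.inc hunks) and a reader of this script alone cannot tell that `/var/unbound/etc` is regenerated on every start and must not hold hand-edited files; something like `# /var/unbound/etc is rebuilt from unbound.opnsense.d on every start; never edit files here`. The script's header and option handling are outside the hunk.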
|
||||
|
||||
@ -68,9 +68,10 @@ message:Checking Unbound configuration
|
||||
|
||||
[dnsbl]
|
||||
command:
|
||||
/usr/local/opnsense/scripts/unbound/download_blacklists.py &&
|
||||
/usr/local/opnsense/scripts/unbound/blocklists.py &&
|
||||
cp /usr/local/etc/unbound.opnsense.d/dnsbl.conf /var/unbound/etc/ &&
|
||||
/usr/local/sbin/unbound-control -c /var/unbound/unbound.conf reload
|
||||
/usr/local/sbin/unbound-control -c /var/unbound/unbound.conf stop &&
|
||||
/usr/local/bin/flock -n -E 0 -o /tmp/unbound_start.lock /usr/local/opnsense/scripts/unbound/start.sh
|
||||
parameters:
|
||||
type:script
|
||||
message:Updating Unbound DNSBLs
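Review bot: Replacing `unbound-control ... reload` with `stop &&` followed by `flock -n -E 0 ... start.sh` on L1071-L1074 changes the failure behaviour of the dnsbl action in two ways that the commit does not address. If `unbound-control stop` returns non-zero (for instance because the daemon is not running at that moment), the `&&` chain aborts and the resolver is never started, whereas a failed reload previously left the running instance untouched; and because `flock -n -E 0` exits 0 when the lock is already held, the action reports success even when the restart was skipped. Consider not gating the start on the stop's exit status, e.g. `( /usr/local/sbin/unbound-control -c /var/unbound/unbound.conf stop || true ) &&`, and keep in mind that a full stop/start drops resolution for clients during the restart where a reload did not. Separately, since start.sh now copies every `*.conf` from unbound.opnsense.d (L1024-L1030), the explicit `cp ... dnsbl.conf` on L1065 appears redundant.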
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
blacklists.conf:/tmp/unbound-blacklists.conf
|
||||
blocklists.conf:/tmp/unbound-blocklists.conf
|
||||
dot.conf:/usr/local/etc/unbound.opnsense.d/dot.conf
|
||||
miscellaneous.conf:/usr/local/etc/unbound.opnsense.d/miscellaneous.conf
|
||||
root.min.hints:/var/unbound/root.hints
|
||||
|
||||
@ -35,7 +35,7 @@
|
||||
}
|
||||
%}
|
||||
{% if not helpers.empty('OPNsense.unboundplus.dnsbl.enabled') %}
|
||||
[blacklists]
|
||||
[blocklists]
|
||||
{% if not helpers.empty('OPNsense.unboundplus.dnsbl.type') %}
|
||||
{% for shortcode in OPNsense.unboundplus.dnsbl.type.split(',') %}
|
||||
{% if shortcode in predefined %}
|
||||
@ -12,7 +12,7 @@ forward-zone:
|
||||
name: "."
|
||||
forward-tls-upstream: yes
|
||||
{% for dot in dots %}
|
||||
forward-addr: {{ dot.server }}@{{ dot.port }}{% if dot.verify != '' %}{{ dot.verify }}{% endif %}
|
||||
forward-addr: {{ dot.server }}@{{ dot.port }}{% if dot.verify %}#{{ dot.verify }}{% endif %}
|
||||
|
||||
{% endfor %}
|
||||
{% endif %}
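Review bot: The new `forward-addr` line on L1150 only appends `#{{ dot.verify }}` when a verify name is set, and nothing in the template records what that means otherwise: with `forward-tls-upstream: yes` and no authname, Unbound (as far as I recall its documentation) still encrypts the upstream connection but does not authenticate the server certificate, so an empty verify name silently turns DNS-over-TLS into opportunistic encryption. A template comment above the loop would make that trade-off visible to whoever reads the generated config, e.g. `{# an empty dot.verify yields an encrypted but unauthenticated forwarder; set it to the upstream's hostname to have its certificate verified #}`. It is also worth confirming that the model restricts `dot.verify` to a hostname, since it is interpolated into the config unescaped; that cannot be seen from this hunk.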
|
||||
|
||||