diff --git a/plist b/plist
index 3984e04aa..6ba2a87dc 100644
--- a/plist
+++ b/plist
@@ -374,11 +374,9 @@
 /usr/local/opnsense/mvc/app/controllers/OPNsense/Unbound/Api/SettingsController.php
 /usr/local/opnsense/mvc/app/controllers/OPNsense/Unbound/DnsblController.php
 /usr/local/opnsense/mvc/app/controllers/OPNsense/Unbound/DotController.php
-/usr/local/opnsense/mvc/app/controllers/OPNsense/Unbound/MiscellaneousController.php
 /usr/local/opnsense/mvc/app/controllers/OPNsense/Unbound/StatsController.php
 /usr/local/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dialogDot.xml
 /usr/local/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dnsbl.xml
-/usr/local/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/miscellaneous.xml
 /usr/local/opnsense/mvc/app/library/Google/API/Drive.php
 /usr/local/opnsense/mvc/app/library/OPNsense/Auth/API.php
 /usr/local/opnsense/mvc/app/library/OPNsense/Auth/AuthenticationFactory.php
@@ -601,7 +599,6 @@
 /usr/local/opnsense/mvc/app/views/OPNsense/TrafficShaper/statistics.volt
 /usr/local/opnsense/mvc/app/views/OPNsense/Unbound/dnsbl.volt
 /usr/local/opnsense/mvc/app/views/OPNsense/Unbound/dot.volt
-/usr/local/opnsense/mvc/app/views/OPNsense/Unbound/miscellaneous.volt
 /usr/local/opnsense/mvc/app/views/OPNsense/Unbound/stats.volt
 /usr/local/opnsense/mvc/app/views/layout_partials/base_dialog.volt
 /usr/local/opnsense/mvc/app/views/layout_partials/base_dialog_processing.volt
@@ -834,9 +831,9 @@
 /usr/local/opnsense/scripts/systemhealth/logformats/squid.py
 /usr/local/opnsense/scripts/systemhealth/logformats/syslog.py
 /usr/local/opnsense/scripts/systemhealth/queryLog.py
+/usr/local/opnsense/scripts/unbound/blocklists.py
 /usr/local/opnsense/scripts/unbound/cache.sh
 /usr/local/opnsense/scripts/unbound/check.sh
-/usr/local/opnsense/scripts/unbound/download_blacklists.py
 /usr/local/opnsense/scripts/unbound/start.sh
 /usr/local/opnsense/scripts/unbound/wrapper.py
 /usr/local/opnsense/service/conf/actions.d/actions_auth.conf
@@ -977,7 +974,7 @@
 /usr/local/opnsense/service/templates/OPNsense/Syslog/syslog-ng-lockout.conf
 /usr/local/opnsense/service/templates/OPNsense/Syslog/syslog-ng.conf
 /usr/local/opnsense/service/templates/OPNsense/Unbound/core/+TARGETS
-/usr/local/opnsense/service/templates/OPNsense/Unbound/core/blacklists.conf
+/usr/local/opnsense/service/templates/OPNsense/Unbound/core/blocklists.conf
 /usr/local/opnsense/service/templates/OPNsense/Unbound/core/dot.conf
 /usr/local/opnsense/service/templates/OPNsense/Unbound/core/miscellaneous.conf
 /usr/local/opnsense/service/templates/OPNsense/Unbound/core/root.min.hints
diff --git a/src/etc/inc/plugins.inc.d/unbound.inc b/src/etc/inc/plugins.inc.d/unbound.inc
index 1efb6bdb7..797d792c6 100644
--- a/src/etc/inc/plugins.inc.d/unbound.inc
+++ b/src/etc/inc/plugins.inc.d/unbound.inc
@@ -117,10 +117,6 @@ function unbound_generate_config()
 mwexecf('/sbin/mount -t devfs devfs %s', '/var/unbound/dev');
 }
- foreach (glob('/var/unbound/etc/*') as $file) {
- unlink($file);
- }
-
 $optimization = unbound_optimization();
 $dns64prefix = '';
@@ -374,8 +370,6 @@ EOD;
 file_put_contents('/var/unbound/unbound.conf', $unboundconf);
 configd_run('template reload OPNsense/Unbound/*');
- mwexecf('cp /usr/local/etc/unbound.opnsense.d/*.conf /var/unbound/etc/');
- mwexecf('/usr/sbin/chown -R unbound:unbound %s', '/var/unbound');
 }
 function unbound_cache_flush()
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/MiscellaneousController.php b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/MiscellaneousController.php
deleted file mode 100644
index b47c0ce54..000000000
--- a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/MiscellaneousController.php
+++ /dev/null
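Review bot: `unbound_generate_config()` now ends without staging `/usr/local/etc/unbound.opnsense.d/*.conf` into `/var/unbound/etc`, and nothing at the removal site says that `scripts/unbound/start.sh` is now the only place that does it, so a caller that regenerates the config and then issues `unbound-control reload` instead of a stop/start keeps Unbound running against stale include files (presumably the reason the dnsbl action elsewhere in this commit was switched to stop/start). A comment where the `cp` used to be would make that contract explicit, e.g. `// include files are staged into the chroot by scripts/unbound/start.sh; a plain reload does not pick up changes`. The first hunk, which drops the cleanup of stale `/var/unbound/etc/*` files, relies on the same contract and could carry the same note. `unbound_generate_config()` begins outside the hunk.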
@@ -1,40 +0,0 @@ - - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -namespace OPNsense\Unbound; - -use OPNsense\Base\IndexController; - -class MiscellaneousController extends IndexController -{ - public function indexAction() - { - $this->view->miscellaneousForm = $this->getForm('miscellaneous'); - $this->view->pick('OPNsense/Unbound/miscellaneous'); - } -} diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dnsbl.xml b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dnsbl.xml index 45c236a63..a2f7f32ab 100644 --- a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dnsbl.xml +++ b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dnsbl.xml 
@@ -13,12 +13,12 @@ unbound.dnsbl.lists - + select_multiple true true - List of domains from where blacklist will be downloaded. + List of domains from where blocklist will be downloaded. unbound.dnsbl.whitelists @@ -28,4 +28,12 @@ true List of domains to whitelist. You can use regular expressions. + + unbound.miscellaneous.privatedomain + + select_multiple + + true + List of domains to mark as private. You only need this for some DNSBL lists which resolve to private addresses. + diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/miscellaneous.xml b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/miscellaneous.xml deleted file mode 100644 index e8e968a03..000000000 --- a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/miscellaneous.xml +++ /dev/null @@ -1,10 +0,0 @@ -
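Review bot: The help text moved in with `unbound.miscellaneous.privatedomain` says why someone might need the setting but not what it costs: if the field is rendered as Unbound's `private-domain:` (the miscellaneous.conf template is not in this diff), every domain listed here is exempted from the rebinding protection that `private-address` provides, so answers for it may legitimately point at RFC 1918 or loopback space. Now that the field sits on the blocklist page, where it is more likely to be filled in casually, the description should state that trade-off, e.g. `List of domains to mark as private. This disables DNS rebinding protection for these domains; only add entries for DNSBL lists that resolve to private addresses.`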
- - unbound.miscellaneous.privatedomain - - select_multiple - - true - List of domains to mark as private. You only need this for some DNSBL lists which resolve to private addresses. - -
diff --git a/src/opnsense/mvc/app/models/OPNsense/Unbound/ACL/ACL.xml b/src/opnsense/mvc/app/models/OPNsense/Unbound/ACL/ACL.xml index 6b8ddc3d2..ccb5279a7 100644 --- a/src/opnsense/mvc/app/models/OPNsense/Unbound/ACL/ACL.xml +++ b/src/opnsense/mvc/app/models/OPNsense/Unbound/ACL/ACL.xml @@ -39,7 +39,7 @@ - Services: Unbound (mvc) + Services: Unbound (MVC) ui/unbound/* api/unbound/* diff --git a/src/opnsense/mvc/app/models/OPNsense/Unbound/Menu/Menu.xml b/src/opnsense/mvc/app/models/OPNsense/Unbound/Menu/Menu.xml index f80337e02..4d0c98a08 100644 --- a/src/opnsense/mvc/app/models/OPNsense/Unbound/Menu/Menu.xml +++ b/src/opnsense/mvc/app/models/OPNsense/Unbound/Menu/Menu.xml @@ -10,9 +10,8 @@ - - - + + diff --git a/src/opnsense/mvc/app/views/OPNsense/Unbound/miscellaneous.volt b/src/opnsense/mvc/app/views/OPNsense/Unbound/miscellaneous.volt deleted file mode 100644 index 7c9c8f1ca..000000000 --- a/src/opnsense/mvc/app/views/OPNsense/Unbound/miscellaneous.volt +++ /dev/null 
@@ -1,60 +0,0 @@ -{# - # Copyright (c) 2019-2020 Deciso B.V. - # Copyright (c) 2019 Michael Muenz - # All rights reserved. - # - # Redistribution and use in source and binary forms, with or without modification, - # are permitted provided that the following conditions are met: - # - # 1. Redistributions of source code must retain the above copyright notice, - # this list of conditions and the following disclaimer. - # - # 2. Redistributions in binary form must reproduce the above copyright notice, - # this list of conditions and the following disclaimer in the documentation - # and/or other materials provided with the distribution. - # - # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - # POSSIBILITY OF SUCH DAMAGE. - #} - - - -
- {{ partial("layout_partials/base_form",['fields':miscellaneousForm,'id':'frm_miscellaneous_settings'])}} -
-
- -
-
diff --git a/src/opnsense/scripts/unbound/download_blacklists.py b/src/opnsense/scripts/unbound/blocklists.py
similarity index 80%
rename from src/opnsense/scripts/unbound/download_blacklists.py
rename to src/opnsense/scripts/unbound/blocklists.py
index 116a015d4..681e5b5fb 100755
--- a/src/opnsense/scripts/unbound/download_blacklists.py
+++ b/src/opnsense/scripts/unbound/blocklists.py
@@ -45,7 +45,7 @@ def uri_reader(uri):
 try:
 req = requests.get(**req_opts)
 except Exception as e:
- syslog.syslog(syslog.LOG_ERR,'blacklist download : unable to download file from %s (error : %s)' % (uri, e))
+ syslog.syslog(syslog.LOG_ERR,'blocklist download : unable to download file from %s (error : %s)' % (uri, e))
 return
 if req.status_code >= 200 and req.status_code <= 299:
@@ -67,7 +67,7 @@ def uri_reader(uri):
 yield part
 else:
 syslog.syslog(syslog.LOG_ERR,
- 'blacklist download : unable to download file from %s (status_code: %d)' % (uri, req.status_code)
+ 'blocklist download : unable to download file from %s (status_code: %d)' % (uri, req.status_code)
 )
@@ -75,7 +75,7 @@ def uri_reader(uri):
 if __name__ == '__main__':
 # check for a running download process, this may take a while so it's better to check...
 try:
- lck = open('/tmp/unbound-download_blacklists.tmp', 'w+')
+ lck = open('/tmp/unbound-download_blocklists.tmp', 'w+')
 fcntl.flock(lck, fcntl.LOCK_EX | fcntl.LOCK_NB)
 except IOError:
 # already running, exit status 99
@@ -88,11 +88,11 @@ if __name__ == '__main__':
 startup_time = time.time()
 syslog.openlog('unbound', logoption=syslog.LOG_DAEMON, facility=syslog.LOG_LOCAL4)
- blacklist_items = set()
- if os.path.exists('/tmp/unbound-blacklists.conf'):
+ blocklist_items = set()
+ if os.path.exists('/tmp/unbound-blocklists.conf'):
 cnf = ConfigParser()
- cnf.read('/tmp/unbound-blacklists.conf')
- # exclude (white) lists, compile to regex to be used to filter blacklist entries
+ cnf.read('/tmp/unbound-blocklists.conf')
+ # exclude (white) lists, compile to regex to be used to filter blocklist entries
 if cnf.has_section('exclude'):
 exclude_list = set()
 for exclude_item in cnf['exclude']:
@@ -101,7 +101,7 @@ if __name__ == '__main__':
 exclude_list.add(cnf['exclude'][exclude_item])
 except re.error:
 syslog.syslog(syslog.LOG_ERR,
- 'blacklist download : skip invalid whitelist exclude pattern "%s" (%s)' % (
+ 'blocklist download : skip invalid whitelist exclude pattern "%s" (%s)' % (
 exclude_item, cnf['exclude'][exclude_item]
 )
 )
@@ -110,13 +110,13 @@ if __name__ == '__main__':
 wp = '|'.join(exclude_list)
 whitelist_pattern = re.compile(wp, re.IGNORECASE)
- syslog.syslog(syslog.LOG_NOTICE, 'blacklist download : exclude domains matching %s' % wp)
+ syslog.syslog(syslog.LOG_NOTICE, 'blocklist download : exclude domains matching %s' % wp)
- # fetch all blacklists
- if cnf.has_section('blacklists'):
- for blacklist in cnf['blacklists']:
- file_stats = {'uri': cnf['blacklists'][blacklist], 'skip' : 0, 'blacklist': 0, 'lines' :0}
- for line in uri_reader(cnf['blacklists'][blacklist]):
+ # fetch all blocklists
+ if cnf.has_section('blocklists'):
+ for blocklist in cnf['blocklists']:
+ file_stats = {'uri': cnf['blocklists'][blocklist], 'skip' : 0, 'blocklist': 0, 'lines' :0}
+ for line in uri_reader(cnf['blocklists'][blocklist]):
 file_stats['lines'] += 1
 # cut line into parts before comment marker (if any)
 tmp = line.split('#')[0].split()
@@ -131,23 +131,23 @@ if __name__ == '__main__':
 file_stats['skip'] += 1
 else:
 if domain_pattern.match(domain):
- file_stats['blacklist'] += 1
- blacklist_items.add(entry)
+ file_stats['blocklist'] += 1
+ blocklist_items.add(entry)
 else:
 file_stats['skip'] += 1
 syslog.syslog(
 syslog.LOG_NOTICE,
- 'blacklist download %(uri)s (lines: %(lines)d exclude: %(skip)d black: %(blacklist)d)' % file_stats
+ 'blocklist download %(uri)s (lines: %(lines)d exclude: %(skip)d block: %(blocklist)d)' % file_stats
 )
 # write out results
 with open("/usr/local/etc/unbound.opnsense.d/dnsbl.conf", 'w') as unbound_outf:
- if blacklist_items:
+ if blocklist_items:
 unbound_outf.write('server:\n')
- for entry in blacklist_items:
+ for entry in blocklist_items:
 unbound_outf.write("local-data: \"%s A 0.0.0.0\"\n" % entry)
- syslog.syslog(syslog.LOG_NOTICE, "blacklist download done in %0.2f seconds (%d records)" % (
- time.time() - startup_time, len(blacklist_items)
+ syslog.syslog(syslog.LOG_NOTICE, "blocklist download done in %0.2f seconds (%d records)" % (
+ time.time() - startup_time, len(blocklist_items)
 ))
diff --git a/src/opnsense/scripts/unbound/start.sh b/src/opnsense/scripts/unbound/start.sh
index e751d4aea..3d3092aa3 100755
--- a/src/opnsense/scripts/unbound/start.sh
+++ b/src/opnsense/scripts/unbound/start.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
-# Copyright (c) 2020 Deciso B.V.
+# Copyright (c) 2020-2021 Deciso B.V.
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -36,5 +36,15 @@ if [ ! -f /var/unbound/unbound_control.key ]; then
 chroot -u unbound -g unbound / /usr/local/sbin/unbound-control-setup -d /var/unbound
 fi
+for FILE in $(find /var/unbound/etc -depth 1); do
+ rm -rf ${FILE}
+done
+
+for FILE in $(find /usr/local/etc/unbound.opnsense.d -depth 1 -name '*.conf'); do
+ cp ${FILE} /var/unbound/etc/
+done
+
+chown -R unbound:unbound /var/unbound
+
 /usr/local/sbin/unbound -c /var/unbound/unbound.conf
 /usr/local/opnsense/scripts/unbound/cache.sh load
diff --git a/src/opnsense/service/conf/actions.d/actions_unbound.conf b/src/opnsense/service/conf/actions.d/actions_unbound.conf
index 4b5a36e44..e1809664a 100644
--- a/src/opnsense/service/conf/actions.d/actions_unbound.conf
+++ b/src/opnsense/service/conf/actions.d/actions_unbound.conf
@@ -68,9 +68,10 @@ message:Checking Unbound configuration
 [dnsbl]
 command:
- /usr/local/opnsense/scripts/unbound/download_blacklists.py &&
+ /usr/local/opnsense/scripts/unbound/blocklists.py &&
 cp /usr/local/etc/unbound.opnsense.d/dnsbl.conf /var/unbound/etc/ &&
- /usr/local/sbin/unbound-control -c /var/unbound/unbound.conf reload
+ /usr/local/sbin/unbound-control -c /var/unbound/unbound.conf stop &&
+ /usr/local/bin/flock -n -E 0 -o /tmp/unbound_start.lock /usr/local/opnsense/scripts/unbound/start.sh
 parameters:
 type:script
 message:Updating Unbound DNSBLs
diff --git a/src/opnsense/service/templates/OPNsense/Unbound/core/+TARGETS b/src/opnsense/service/templates/OPNsense/Unbound/core/+TARGETS
index 8fc5fde59..5ff626cfd 100644
--- a/src/opnsense/service/templates/OPNsense/Unbound/core/+TARGETS
+++ b/src/opnsense/service/templates/OPNsense/Unbound/core/+TARGETS
@@ -1,4 +1,4 @@
-blacklists.conf:/tmp/unbound-blacklists.conf
+blocklists.conf:/tmp/unbound-blocklists.conf
 dot.conf:/usr/local/etc/unbound.opnsense.d/dot.conf
 miscellaneous.conf:/usr/local/etc/unbound.opnsense.d/miscellaneous.conf
 root.min.hints:/var/unbound/root.hints
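Review bot: Both new `for FILE in $(find ...)` loops word-split the command output and expand `${FILE}` unquoted, and the first of them is an `rm -rf` run as root over `/var/unbound/etc`, a directory that the `chown -R unbound:unbound /var/unbound` a few lines later hands to the unprivileged `unbound` user; a name containing whitespace there would be split into several arguments, one of which `rm` resolves relative to the script's working directory. Let find carry the filenames itself and drop the loops: `find /var/unbound/etc -depth 1 -exec rm -rf {} +` and `find /usr/local/etc/unbound.opnsense.d -depth 1 -name '*.conf' -exec cp {} /var/unbound/etc/ \;`. Whether the `unbound` process can actually create files under `/var/unbound/etc` at runtime depends on the chroot layout, which this diff does not show, but a root-run recursive delete should not depend on that either way.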
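Review bot: The new `stop && flock -n -E 0 -o /tmp/unbound_start.lock .../start.sh` chain can leave the resolver down while reporting success: `-n` makes flock skip `start.sh` when the lock is already held, `-E 0` turns that skip into exit status 0, and by then `unbound-control stop` has already run, so a concurrent start (or any local user able to hold a lock on that path in world-writable `/tmp`) ends with a stopped Unbound and a DNSBL action that looks like it succeeded. Put the lock file where unprivileged users cannot pre-create or lock it and let a skipped start fail visibly: `/usr/local/bin/flock -n -o /var/run/unbound_start.lock /usr/local/opnsense/scripts/unbound/start.sh`. The `cp .../dnsbl.conf /var/unbound/etc/` step is now redundant, since `start.sh` copies every `*.conf` from `/usr/local/etc/unbound.opnsense.d` itself. Whether `unbound-control stop` exits non-zero when Unbound is not running, which would short-circuit the chain before the start, is not visible here and is worth checking.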
diff --git a/src/opnsense/service/templates/OPNsense/Unbound/core/blacklists.conf b/src/opnsense/service/templates/OPNsense/Unbound/core/blocklists.conf
similarity index 99%
rename from src/opnsense/service/templates/OPNsense/Unbound/core/blacklists.conf
rename to src/opnsense/service/templates/OPNsense/Unbound/core/blocklists.conf
index b065d939d..d867a70ff 100644
--- a/src/opnsense/service/templates/OPNsense/Unbound/core/blacklists.conf
+++ b/src/opnsense/service/templates/OPNsense/Unbound/core/blocklists.conf
@@ -35,7 +35,7 @@
 } %}
 {% if not helpers.empty('OPNsense.unboundplus.dnsbl.enabled') %}
-[blacklists]
+[blocklists]
 {% if not helpers.empty('OPNsense.unboundplus.dnsbl.type') %}
 {% for shortcode in OPNsense.unboundplus.dnsbl.type.split(',') %}
 {% if shortcode in predefined %}
diff --git a/src/opnsense/service/templates/OPNsense/Unbound/core/dot.conf b/src/opnsense/service/templates/OPNsense/Unbound/core/dot.conf
index 0f27be58d..266c16602 100644
--- a/src/opnsense/service/templates/OPNsense/Unbound/core/dot.conf
+++ b/src/opnsense/service/templates/OPNsense/Unbound/core/dot.conf
@@ -12,7 +12,7 @@ forward-zone:
 name: "."
 forward-tls-upstream: yes
 {% for dot in dots %}
- forward-addr: {{ dot.server }}@{{ dot.port }}{% if dot.verify != '' %}{{ dot.verify }}{% endif %}
+ forward-addr: {{ dot.server }}@{{ dot.port }}{% if dot.verify %}#{{ dot.verify }}{% endif %}
 {% endfor %}
 {% endif %}
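Review bot: An empty `dot.verify` silently yields a `forward-addr:` line with no `#authname`, and as far as Unbound's forward-addr semantics go (not shown here) that means the upstream connection is encrypted but the server certificate is not authenticated against any name; nothing in the template records that the empty value is the weaker choice, so a reader of the rendered config cannot tell intent from omission. Add a template comment above the loop, e.g. `{# no '#authname' when verify is empty: TLS is used but the upstream certificate is not validated #}`, and consider whether the DoT form should require or at least warn on an empty verify name. The enclosing `forward-zone:` block starts outside the hunk.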