unbound: advanced page MVC migration prep

This commit is contained in:
Stephan de Wit 2022-09-25 23:03:03 +00:00
parent af9e9b48b7
commit d2b18299b4
10 changed files with 434 additions and 2 deletions

plist

@ -386,6 +386,7 @@
/usr/local/opnsense/mvc/app/controllers/OPNsense/TrafficShaper/forms/dialogPipe.xml
/usr/local/opnsense/mvc/app/controllers/OPNsense/TrafficShaper/forms/dialogQueue.xml
/usr/local/opnsense/mvc/app/controllers/OPNsense/TrafficShaper/forms/dialogRule.xml
/usr/local/opnsense/mvc/app/controllers/OPNsense/Unbound/AdvancedController.php
/usr/local/opnsense/mvc/app/controllers/OPNsense/Unbound/Api/DiagnosticsController.php
/usr/local/opnsense/mvc/app/controllers/OPNsense/Unbound/Api/ServiceController.php
/usr/local/opnsense/mvc/app/controllers/OPNsense/Unbound/Api/SettingsController.php
@ -394,6 +395,7 @@
/usr/local/opnsense/mvc/app/controllers/OPNsense/Unbound/ForwardController.php
/usr/local/opnsense/mvc/app/controllers/OPNsense/Unbound/OverridesController.php
/usr/local/opnsense/mvc/app/controllers/OPNsense/Unbound/StatsController.php
/usr/local/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/advanced.xml
/usr/local/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dialogDomainOverride.xml
/usr/local/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dialogDot.xml
/usr/local/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dialogHostAlias.xml
@ -666,6 +668,7 @@
/usr/local/opnsense/mvc/app/views/OPNsense/Syslog/index.volt
/usr/local/opnsense/mvc/app/views/OPNsense/TrafficShaper/index.volt
/usr/local/opnsense/mvc/app/views/OPNsense/TrafficShaper/statistics.volt
/usr/local/opnsense/mvc/app/views/OPNsense/Unbound/advanced.volt
/usr/local/opnsense/mvc/app/views/OPNsense/Unbound/dnsbl.volt
/usr/local/opnsense/mvc/app/views/OPNsense/Unbound/dot.volt
/usr/local/opnsense/mvc/app/views/OPNsense/Unbound/overrides.volt
@ -1057,6 +1060,7 @@
/usr/local/opnsense/service/templates/OPNsense/Syslog/syslog-ng-lockout.conf
/usr/local/opnsense/service/templates/OPNsense/Syslog/syslog-ng.conf
/usr/local/opnsense/service/templates/OPNsense/Unbound/core/+TARGETS
/usr/local/opnsense/service/templates/OPNsense/Unbound/core/advanced.conf
/usr/local/opnsense/service/templates/OPNsense/Unbound/core/blocklists.conf
/usr/local/opnsense/service/templates/OPNsense/Unbound/core/domainoverrides.conf
/usr/local/opnsense/service/templates/OPNsense/Unbound/core/dot.conf


@ -313,6 +313,7 @@ pidfile: /var/run/unbound.pid
root-hints: /var/unbound/root.hints
use-syslog: yes
port: {$port}
include: /var/unbound/advanced.conf
verbosity: {$verbosity}
extended-statistics: {$extended_statistics}
log-queries: {$log_queries}
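Review bot: The three options that follow the new `include: /var/unbound/advanced.conf` line — `verbosity`, `extended-statistics`, `log-queries` — are still rendered from the legacy variables, while the new model in this commit exposes the same settings as `logverbosity`, `extendedstatistics` and `logqueries`. If advanced.conf (not shown in this view) also emits them, unbound sees each option twice and which value wins depends on which declaration it applies last, so the MVC setting could be silently overridden by the legacy one or vice versa. Either keep those three options out of advanced.conf until the legacy page is retired, or drop these three lines here once the template owns them. The enclosing heredoc/function starts and ends outside the hunk.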

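--- /dev/null
+++ b/usr/local/opnsense/mvc/app/controllers/OPNsense/Unbound/AdvancedController.php
@@ -0,0 +1,40 @@
+<?php
+/*
+* Copyright (C) 2022 Deciso B.V.
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions are met:
+*
+* 1. Redistributions of source code must retain the above copyright notice,
+* this list of conditions and the following disclaimer.
+*
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in the
+* documentation and/or other materials provided with the distribution.
+*
+* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+* POSSIBILITY OF SUCH DAMAGE.
+*/
+namespace OPNsense\Unbound;
+use OPNsense\Base\IndexController;
+class AdvancedController extends IndexController
+{
+public function indexAction()
+{
+$this->view->advancedForm = $this->getForm('advanced');
+$this->view->pick('OPNsense/Unbound/advanced');
+}
+}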
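Review bot: `indexAction()` carries neither a return type nor a docblock, so a reader has to open the view to learn what the page is and where its data comes from. Declare it as `public function indexAction(): void` and add a short docblock along the lines of `/** Render the Unbound advanced settings page: fields come from forms/advanced.xml, values are fetched client-side by the view. */`. Nothing in this controller validates or stores data, which is consistent with the view posting to the settings API rather than to this class.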

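--- /dev/null
+++ b/usr/local/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/advanced.xml
@@ -0,0 +1,183 @@
+<form>
+<field>
+<id>unbound.advanced.hideidentity</id>
+<label>Hide Identity</label>
+<type>checkbox</type>
+<help>If enabled, id.server and hostname.bind queries are refused.</help>
+</field>
+<field>
+<id>unbound.advanced.hideversion</id>
+<label>Hide Version</label>
+<type>checkbox</type>
+<help>If enabled, version.server and version.bind queries are refused.</help>
+</field>
+<field>
+<id>unbound.advanced.prefetch</id>
+<label>Prefetch Support</label>
+<type>checkbox</type>
+<help>
+Message cache elements are prefetched before they expire to help keep the cache up to date.
+When enabled, this option can cause an increase of around 10% more DNS traffic and load
+on the server, but frequently requested items will not expire from the cache.
+</help>
+</field>
+<field>
+<id>unbound.advanced.prefetchkey</id>
+<label>Prefetch DNS Key Support</label>
+<type>checkbox</type>
+<help>
+DNSKEYs are fetched earlier in the validation process when a Delegation signer is encountered.
+This helps lower the latency of requests but does utilize a little more CPU.
+</help>
+</field>
+<field>
+<id>unbound.advanced.dnssecstripped</id>
+<label>Harden DNSSEC Data</label>
+<type>checkbox</type>
+<help>
+DNSSEC data is required for trust-anchored zones. If such data is absent, the zone becomes bogus.
+If this is disabled and no DNSSEC data is received, then the zone is made insecure.
+</help>
+</field>
+<field>
+<id>unbound.advanced.serveexpired</id>
+<label>Serve Expired Responses</label>
+<type>checkbox</type>
+<help>
+Serve expired responses from the cache with a TTL of 0 without waiting for the actual resolution to finish.
+</help>
+</field>
+<field>
+<id>unbound.advanced.qnameinstrict</id>
+<label>Strict QNAME Minimisation</label>
+<type>checkbox</type>
+<help>
+Send minimum amount of information to upstream servers to enhance privacy.
+Do not fall-back to sending full QNAME to potentially broken nameservers.
+A lot of domains will not be resolvable when this option in enabled.
+Only use if you know what you are doing.
+</help>
+</field>
+<field>
+<id>unbound.advanced.extendedstatistics</id>
+<label>Extended Statistics</label>
+<type>checkbox</type>
+<help>If enabled, extended statistics are printed.</help>
+</field>
+<field>
+<id>unbound.advanced.logqueries</id>
+<label>Log Queries</label>
+<type>checkbox</type>
+<help>
+If enabled, prints one line per query to the log, with the log timestamp and IP address, name, type and class.
+</help>
+</field>
+<field>
+<id>unbound.advanced.msgcachesize</id>
+<label>Message Cache Size</label>
+<type>dropdown</type>
+<help>
+Size of the message cache. The message cache stores DNS rcodes and validation statuses.
+The RRSet cache will automatically be set to twice this amount. The RRSet cache contains the actual RR data.
+The default is 4 megabytes.
+</help>
+</field>
+<field>
+<id>unbound.advanced.outgoingnumtcp</id>
+<label>Outgoing TCP Buffers</label>
+<type>dropdown</type>
+<help>
+The number of outgoing TCP buffers to allocate per thread. The default value is 10.
+If 0 is selected then no TCP queries, to authoritative servers, are done.
+</help>
+</field>
+<field>
+<id>unbound.advanced.incomingnumtcp</id>
+<label>Incoming TCP Buffers</label>
+<type>dropdown</type>
+<help>
+The number of incoming TCP buffers to allocate per thread. The default value is 10.
+If 0 is selected then no TCP queries, from clients, are accepted.
+</help>
+</field>
+<field>
+<id>unbound.advanced.numqueriesperthread</id>
+<label>Number of queries per thread</label>
+<type>dropdown</type>
+<help>
+The number of queries that every thread will service simultaneously. If more queries arrive that
+need to be serviced, and no queries can be jostled, then these queries are dropped.
+</help>
+</field>
+<field>
+<id>unbound.advanced.jostletimeout</id>
+<label>Jostle Timeout</label>
+<type>dropdown</type>
+<help>
+This timeout is used for when the server is very busy. This protects against denial of service by
+slow queries or high query rates. The default value is 200 milliseconds.
+</help>
+</field>
+<field>
+<id>unbound.advanced.cachemaxttl</id>
+<label>Maximum TTL for RRsets and messages</label>
+<type>text</type>
+<help>
+Configure a maximum Time to live for RRsets and messages in the cache.
+The default is 86400 seconds (1 day). When the internal TTL expires the cache item is expired.
+This can be configured to force the resolver to query for data more often and
+not trust (very large) TTL values.
+</help>
+</field>
+<field>
+<id>unbound.advanced.cacheminttl</id>
+<label>Minimum TTL for RRsets and messages</label>
+<type>text</type>
+<help>
+Configure a minimum Time to live for RRsets and messages in the cache.
+The default is 0 seconds. If the minimum value kicks in, the data is cached for longer than
+the domain owner intended, and thus less queries are made to look up the data.
+The 0 value ensures the data in the cache is as the domain owner intended.
+High values can lead to trouble as the data in the cache might not match up with the actual data anymore.
+</help>
+</field>
+<field>
+<id>unbound.advanced.infrahostttl</id>
+<label>TTL for Host Cache entries</label>
+<type>dropdown</type>
+<help>
+Time to live for entries in the host cache. The host cache contains roundtrip timing and EDNS
+support information. The default is 15 minutes.
+</help>
+</field>
+<field>
+<id>unbound.advanced.infracachenumhosts</id>
+<label>Number of Hosts to cache</label>
+<type>dropdown</type>
+<help>
+Number of hosts for which information is cached. The default is 10000.
+</help>
+</field>
+<field>
+<id>unbound.advanced.unwantedreplythreshold</id>
+<label>Unwanted Reply Threshold</label>
+<type>dropdown</type>
+<help>
+If enabled, a total number of unwanted replies is kept track of in every thread.
+When it reaches the threshold, a defensive action is taken and a warning is printed to the log file.
+This defensive action is to clear the RRSet and message caches, hopefully flushing away any poison.
+The default is disabled, but if enabled a value of 10 million is suggested.
+</help>
+</field>
+<field>
+<id>unbound.advanced.logverbosity</id>
+<label>Log Level Verbosity</label>
+<type>dropdown</type>
+<help>
+Select the log verbosity. Level 0 means no verbosity, only errors. Level 1 gives operational information.
+Level 2 gives detailed operational information. Level 3 gives query level information, output per query.
+Level 4 gives algorithm level information. Level 5 logs client identification for cache misses.
+Default is level 1.
+</help>
+</field>
+</form>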
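Review bot: The help text of the Strict QNAME Minimisation field has a typo in its third sentence; it should read `A lot of domains will not be resolvable when this option is enabled.`, and the preceding sentence reads better as `Do not fall back to sending the full QNAME to potentially broken nameservers.`. In the Minimum TTL help, `thus less queries are made` should be `thus fewer queries are made`. The two TTL fields are plain `text` inputs while the model stores them as numbers, so it would help users to state the unit in the label, e.g. `Maximum TTL for RRsets and messages (seconds)`.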


@ -14,7 +14,8 @@
<page-services-dnsresolver-advanced>
<name>Services: Unbound DNS: Advanced</name>
<patterns>
<pattern>services_unbound_advanced.php*</pattern>
<pattern>ui/unbound/advanced/*</pattern>
<pattern>api/unbound/advanced/*</pattern>
</patterns>
</page-services-dnsresolver-advanced>
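Review bot: The patterns granted by this privilege do not cover the endpoints the new page actually calls: `advanced.volt` in this commit loads its data from `/api/unbound/settings/get` and applies via `/api/unbound/service/reconfigure`, while this block only grants `ui/unbound/advanced/*` and `api/unbound/advanced/*`. Unless those two endpoints are covered by another privilege the same users hold (not visible here), a user holding only this privilege gets a page that cannot load or apply its settings. Note also that `settings/get` presumably returns the whole Unbound model rather than only the `advanced` section, so granting it under this privilege would expose more than the page needs; a dedicated controller under the `api/unbound/advanced/*` pattern already listed here would keep the privilege scoped to what the page shows. The legacy `services_unbound_advanced.php*` pattern is presumably kept on purpose for the transition.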
<page-services-dnsresolver-overrides>


@ -3,7 +3,7 @@
<Unbound VisibleName="Unbound DNS" cssClass="fa fa-tags fa-fw">
<General order="10" url="/services_unbound.php"/>
<Overrides order="20" url="/ui/unbound/overrides/"/>
<Advanced order="30" url="/services_unbound_advanced.php"/>
<Advanced order="30" url="/ui/unbound/advanced/"/>
<ACL VisibleName="Access Lists" order="40" url="/services_unbound_acls.php">
<All url="/services_unbound_acls.php*" visibility="hidden"/>
</ACL>


@ -6,6 +6,155 @@
<service_enabled type="LegacyLinkField">
<Source>unbound.enable</Source>
</service_enabled>
<advanced>
<hideidentity type="BooleanField">
<default>0</default>
<Required>N</Required>
</hideidentity>
<hideversion type="BooleanField">
<default>0</default>
<Required>N</Required>
</hideversion>
<prefetch type="BooleanField">
<default>0</default>
<Required>N</Required>
</prefetch>
<prefetchkey type="BooleanField">
<default>0</default>
<Required>N</Required>
</prefetchkey>
<dnssecstripped type="BooleanField">
<default>0</default>
<Required>N</Required>
</dnssecstripped>
<serveexpired type="BooleanField">
<default>0</default>
<Required>N</Required>
</serveexpired>
<qnameinstrict type="BooleanField">
<default>0</default>
<Required>N</Required>
</qnameinstrict>
<extendedstatistics type="BooleanField">
<default>0</default>
<Required>N</Required>
</extendedstatistics>
<logqueries type="BooleanField">
<default>0</default>
<Required>N</Required>
</logqueries>
<msgcachesize type="OptionField">
<Required>N</Required>
<default>opt1</default>
<OptionValues>
<opt1 value="4">4 MB</opt1>
<opt2 value="10">10 MB</opt2>
<opt3 value="20">20 MB</opt3>
<opt4 value="50">50 MB</opt4>
<opt5 value="100">100 MB</opt5>
<opt6 value="250">250 MB</opt6>
<opt7 value="512">512 MB</opt7>
</OptionValues>
</msgcachesize>
<outgoingnumtcp type="OptionField">
<Required>N</Required>
<default>opt2</default>
<OptionValues>
<opt1 value="0">0</opt1>
<opt2 value="10">10</opt2>
<opt3 value="20">20</opt3>
<opt4 value="30">30</opt4>
<opt5 value="40">40</opt5>
<opt6 value="50">50</opt6>
</OptionValues>
</outgoingnumtcp>
<incomingnumtcp type="OptionField">
<Required>N</Required>
<default>opt2</default>
<OptionValues>
<opt1 value="0">0</opt1>
<opt2 value="10">10</opt2>
<opt3 value="20">20</opt3>
<opt4 value="30">30</opt4>
<opt5 value="40">40</opt5>
<opt6 value="50">50</opt6>
</OptionValues>
</incomingnumtcp>
<numqueriesperthread type="OptionField">
<Required>N</Required>
<default>opt4</default>
<OptionValues>
<opt1 value="512">512</opt1>
<opt2 value="1024">1024</opt2>
<opt3 value="2048">2048</opt3>
<opt4 value="4096">4096</opt4>
<opt5 value="8192">8192</opt5>
</OptionValues>
</numqueriesperthread>
<jostletimeout type="OptionField">
<Required>N</Required>
<default>opt2</default>
<OptionValues>
<opt1 value="100">100</opt1>
<opt2 value="200">200</opt2>
<opt3 value="500">500</opt3>
<opt4 value="1000">1000</opt4>
</OptionValues>
</jostletimeout>
<cachemaxttl type="NumericField">
<Required>N</Required>
<default>86400</default>
</cachemaxttl>
<cacheminttl type="NumericField">
<Required>N</Required>
<default>0</default>
</cacheminttl>
<infrahostttl type="OptionField">
<Required>N</Required>
<default>opt5</default>
<OptionValues>
<opt1 value="60">1 minute</opt1>
<opt2 value="120">2 minutes</opt2>
<opt3 value="300">5 minutes</opt3>
<opt4 value="600">10 minutes</opt4>
<opt5 value="900">15 minutes</opt5>
</OptionValues>
</infrahostttl>
<infracachenumhosts type="OptionField">
<Required>N</Required>
<default>opt3</default>
<OptionValues>
<opt1 value="1000">1000</opt1>
<opt2 value="5000">5000</opt2>
<opt3 value="10000">10000</opt3>
<opt4 value="20000">20000</opt4>
<opt5 value="50000">50000</opt5>
</OptionValues>
</infracachenumhosts>
<unwantedreplythreshold type="OptionField">
<Required>N</Required>
<BlankDesc>Disabled</BlankDesc>
<OptionValues>
<opt1 value="5000000">5 million</opt1>
<opt2 value="10000000">10 million</opt2>
<opt3 value="20000000">20 million</opt3>
<opt4 value="40000000">40 million</opt4>
<opt5 value="50000000">50 million</opt5>
</OptionValues>
</unwantedreplythreshold>
<logverbosity type="OptionField">
<Required>N</Required>
<default>opt2</default>
<OptionValues>
<opt1 value="0">Level 0</opt1>
<opt2 value="1">Level 1</opt2>
<opt3 value="2">Level 2</opt3>
<opt4 value="3">Level 3</opt4>
<opt5 value="4">Level 4</opt5>
<opt6 value="5">Level 5</opt6>
</OptionValues>
</logverbosity>
</advanced>
<dnsbl>
<enabled type="BooleanField">
<default>0</default>
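Review bot: `cachemaxttl` and `cacheminttl` are `NumericField` entries with no `MinimumValue`/`MaximumValue`, so — assuming NumericField accepts any numeric string, as I believe it does — negative or fractional values pass validation and are written into the generated advanced.conf, which unbound may refuse at startup and thereby turn a bad form entry into a resolver that does not come back after reconfigure. Add `<MinimumValue>0</MinimumValue>` to both fields (or use an integer field type) so the rendered config stays loadable. Nothing in the model enforces `cacheminttl <= cachemaxttl` either; a constraint to that effect would be worth adding. The enclosing `<items>` element starts and ends outside the hunk.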

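--- /dev/null
+++ b/usr/local/opnsense/mvc/app/views/OPNsense/Unbound/advanced.volt
@@ -0,0 +1,53 @@
+{#
+# Copyright (c) 2022 Deciso B.V.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation
+# and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#}
+<script>
+$( document ).ready(function() {
+var data_get_map = {'frm_AdvancedSettings':"/api/unbound/settings/get"};
+mapDataToFormUI(data_get_map).done(function(data) {
+//formatTokenizersUI();
+$('.selectpicker').selectpicker('refresh');
+console.log(data);
+});
+$("#reconfigureAct").SimpleActionButton();
+updateServiceControlUI('unbound');
+});
+</script>
+<div class="content-box" style="padding-bottom: 1.5em;">
+{{ partial("layout_partials/base_form",['fields':advancedForm,'id':'frm_AdvancedSettings'])}}
+<div class="col-md-12">
+<hr/>
+<button class="btn btn-primary" id="reconfigureAct"
+data-endpoint='/api/unbound/service/reconfigure'
+data-label="{{ lang._('Apply') }}"
+data-error-title="{{ lang._('Error reconfiguring unbound') }}"
+type="button">
+</button>
+</div>
+</div>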
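Review bot: `console.log(data);` and the commented-out `//formatTokenizersUI();` inside the `mapDataToFormUI(...).done(...)` callback look like leftover debugging. The log line writes the complete `/api/unbound/settings/get` response — presumably the entire Unbound model, not only the advanced section — to every visitor's browser console on each page load, which is noise at best and an unnecessary disclosure of the running configuration at worst. Remove both lines so the callback contains only `$('.selectpicker').selectpicker('refresh');`. The Apply button posts to `/api/unbound/service/reconfigure`, but nothing on this page saves the form first; if that is intentional for this preparatory step, a comment saying the save path is still to come would help the next reader.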


@ -1,3 +1,4 @@
advanced.conf:/var/unbound/advanced.conf
blocklists.conf:/tmp/unbound-blocklists.conf
dot.conf:/usr/local/etc/unbound.opnsense.d/dot.conf
private_domains.conf:/var/unbound/private_domains.conf