unbound: read internal subnets from ifconfig; closes #2472

2026-03-16 09:34:39 +00:00 · 2018-06-23 12:24:42 +00:00 · 2018-06-23 12:24:42 +00:00 · d346577092
commit d346577092
parent 90e5274b54
2 changed files with 26 additions and 56 deletions
--- a/src/etc/inc/plugins.inc.d/unbound.inc
+++ b/src/etc/inc/plugins.inc.d/unbound.inc
@ -661,39 +661,39 @@ function unbound_add_host_entries()
    file_put_contents('/var/unbound/host_entries.conf', $unbound_entries);
 }

-function unbound_acls_config()
+function unbound_acls_subnets()
 {
    global $config;

-    $aclcfg = "access-control: 127.0.0.1/32 allow\n";
-    $aclcfg .= "access-control: ::1 allow\n";
-    // Add our networks for active interfaces including localhost
    if (!empty($config['unbound']['active_interface'])) {
        $active_interfaces = array_flip(explode(",", $config['unbound']['active_interface']));
    } else {
        $active_interfaces = get_configured_interface_with_descr();
    }

-    $bindints = "";
+    /* add our networks for active interfaces including localhost */
+    $subnets = array('127.0.0.1/8', '::1/64');
+
    foreach ($active_interfaces as $ubif => $ifdesc) {
-        $ifip = get_interface_ip($ubif);
-        if (!empty($ifip)) {
-            $subnet_bits = get_interface_subnet($ubif);
-            $subnet_ip = gen_subnet($ifip, $subnet_bits);
-            if (!empty($subnet_bits) && !empty($subnet_ip)) {
-                $aclcfg .= "access-control: {$subnet_ip}/{$subnet_bits} allow\n";
-            }
-        }
-        $ifip = get_interface_ipv6($ubif);
-        if (!empty($ifip)) {
-            $subnet_bits = get_interface_subnetv6($ubif);
-            $subnet_ip = gen_subnetv6($ifip, $subnet_bits);
-            if (!empty($subnet_bits) && !empty($subnet_ip)) {
-                $aclcfg .= "access-control: {$subnet_ip}/{$subnet_bits} allow\n";
-            }
+        foreach (legacy_getall_interface_addresses(get_real_interface($ubif)) as $subnet) {
+            $subnets[] = $subnet;
        }
    }

+    return $subnets;
+}
+
+function unbound_acls_config()
+{
+    global $config;
+
+    $subnets = unbound_acls_subnets();
+    $aclcfg = '';
+
+    foreach ($subnets as $subnet) {
+        $aclcfg .= "access-control: {$subnet} allow\n";
+    }
+
    // Configure the custom ACLs
    if (isset($config['unbound']['acls'])) {
        foreach ($config['unbound']['acls'] as $unbound_acl) {
@ -711,7 +711,6 @@ function unbound_acls_config()
        }
    }

-    // Write out Access list
    file_put_contents('/var/unbound/access_lists.conf', $aclcfg);
 }

--- a/src/www/services_unbound_acls.php
+++ b/src/www/services_unbound_acls.php
@ -31,6 +31,7 @@ require_once("guiconfig.inc");
 require_once("system.inc");
 require_once("services.inc");
 require_once("interfaces.inc");
+require_once("plugins.inc.d/unbound.inc");

 $a_acls = &config_read_array('unbound', 'acls');

@ -335,9 +336,6 @@ if (!isset($_GET['act'])) {
            <form method="post" name="iform" id="iform">
              <table class="table table-striped">
                <thead>
-                  <tr>
-                    <th colspan="3"><?=gettext("From General settings");?></th>
-                  </tr>
                  <tr>
                    <th><?=gettext("Access List Name"); ?></th>
                    <th><?=gettext("Action"); ?></th>
@ -345,40 +343,13 @@ if (!isset($_GET['act'])) {
                  </tr>
                </thead>
                <body>
-<?php
-                  // collect networks where automatic rules will be created for
-                  if (!empty($config['unbound']['active_interface'])) {
-                      $active_interfaces = array_flip(explode(",", $config['unbound']['active_interface']));
-                  } else {
-                      $active_interfaces = get_configured_interface_with_descr();
-                  }
-                  $automatic_allowed = array();
-                  foreach ($active_interfaces as $ubif => $ifdesc) {
-                      $ifip = get_interface_ip($ubif);
-                      if (!empty($ifip)) {
-                          $subnet_bits = get_interface_subnet($ubif);
-                          $subnet_ip = gen_subnet($ifip, $subnet_bits);
-                          if (!empty($subnet_bits) && !empty($subnet_ip)) {
-                              $automatic_allowed[] = "{$subnet_ip}/{$subnet_bits}";
-                          }
-                      }
-                      $ifip = get_interface_ipv6($ubif);
-                      if (!empty($ifip)) {
-                          $subnet_bits = get_interface_subnetv6($ubif);
-                          $subnet_ip = gen_subnetv6($ifip, $subnet_bits);
-                          if (!empty($subnet_bits) && !empty($subnet_ip)) {
-                              $automatic_allowed[] = "{$subnet_ip}/{$subnet_bits}";
-                          }
-                      }
-                  }
-                  foreach ($automatic_allowed as $network):?>
+<?php foreach (unbound_acls_subnets() as $subnet): ?>
                  <tr>
-                    <td><?=gettext("Internal");?></td>
-                    <td><?=gettext("allow");?></td>
-                    <td><?=$network;?></td>
+                    <td><?= gettext('Internal') ?></td>
+                    <td><?= gettext('Allow') ?></td>
+                    <td><?= $subnet ?></td>
                  </tr>
-<?php
-                  endforeach;?>
+<?php endforeach ?>
                </tbody>
              </table>
            </div>