ditch filterdns, since we've refactored the aliases in https://github.com/opnsense/core/issues/1971 the only use for this is ipsec, but it's doubtful if it's required. see https://github.com/opnsense/core/issues/2003

2026-03-13 08:09:41 +00:00 · 2017-12-18 20:44:16 +01:00 · 2017-12-18 20:44:16 +01:00 · e8a4fc1b46
commit e8a4fc1b46
parent c2210a6988
9 changed files with 4 additions and 117 deletions
--- a/1
+++ b/1
@ -80,7 +80,6 @@ CORE_DEPENDS?=		${CORE_DEPENDS_${CORE_ARCH}} \
 			dhcpleases \
 			dnsmasq \
 			expiretable \
-			filterdns \
 			filterlog \
 			ifinfo \
 			flock \
--- a/2
+++ b/2
@ -116,7 +116,6 @@
 /usr/local/etc/rc.loader.d/20-misc
 /usr/local/etc/rc.loader.d/20-modules
 /usr/local/etc/rc.loader.d/20-netgraph
-/usr/local/etc/rc.newipsecdns
 /usr/local/etc/rc.newwanip
 /usr/local/etc/rc.newwanipv6
 /usr/local/etc/rc.openvpn
@ -668,7 +667,6 @@
 /usr/local/opnsense/service/conf/actions.d/actions_interface.conf
 /usr/local/opnsense/service/conf/actions.d/actions_ipfw.conf
 /usr/local/opnsense/service/conf/actions.d/actions_ipsec.conf
-/usr/local/opnsense/service/conf/actions.d/actions_ipsecdns.conf
 /usr/local/opnsense/service/conf/actions.d/actions_netflow.conf
 /usr/local/opnsense/service/conf/actions.d/actions_openssh.conf
 /usr/local/opnsense/service/conf/actions.d/actions_openvpn.conf
--- a/src/etc/inc/gwlb.inc
+++ b/src/etc/inc/gwlb.inc
@ -93,8 +93,8 @@ rrd interval 60s;

 ## These parameters can be overridden in a specific alarm configuration
 alarm default {
-  command on "/usr/local/opnsense/service/configd_ctl.py -m 'dyndns reload %T' 'rfc2136 reload %T' 'ipsecdns reload' 'openvpn reload %T'  'filter reload' "
-  command off "/usr/local/opnsense/service/configd_ctl.py -m 'dyndns reload %T' 'rfc2136 reload %T' 'ipsecdns reload' 'openvpn reload %T' 'filter reload' "
+  command on "/usr/local/opnsense/service/configd_ctl.py -m 'dyndns reload %T' 'rfc2136 reload %T' 'openvpn reload %T'  'filter reload' "
+  command off "/usr/local/opnsense/service/configd_ctl.py -m 'dyndns reload %T' 'rfc2136 reload %T' 'openvpn reload %T' 'filter reload' "
  combine 10s
 }

--- a/src/etc/inc/plugins.inc.d/ipsec.inc
+++ b/src/etc/inc/plugins.inc.d/ipsec.inc
@ -762,8 +762,6 @@ function ipsec_configure_do($verbose = false, $interface = '')
    if (!isset($ipseccfg['enable'])) {
        /* try to stop charon */
        mwexec('/usr/local/sbin/ipsec stop');
-        /* Stop dynamic monitoring */
-        killbypid('/var/run/filterdns-ipsec.pid');

        /* wait for process to die */
        sleep(2);
@ -798,7 +796,6 @@ function ipsec_configure_do($verbose = false, $interface = '')

        /* resolve all local, peer addresses and setup pings */
        $rgmap = array();
-        $filterdns_list = array();
        $ipsecpinghosts = "";

        /* step through each phase1 entry */
@ -812,30 +809,10 @@ function ipsec_configure_do($verbose = false, $interface = '')
            }
            $ep = ipsec_get_phase1_src($ph1ent);

-            /* see if this tunnel has a hostname for the remote-gateway. If so,
-               try to resolve it now and add it to the list for filterdns */
-
            if (isset($ph1ent['mobile'])) {
                continue;
            }

-            $rg = $ph1ent['remote-gateway'];
-
-            if (!is_ipaddr($rg)) {
-                $filterdns_list[] = "{$rg}";
-                if (!file_exists('/var/run/booting')) {
-                    $rg = resolve_retry($rg);
-                }
-                if (!is_ipaddr($rg)) {
-                    continue;
-                }
-            }
-            if (array_search($rg, $rgmap)) {
-                log_error("The remote gateway {$rg} already exists on another phase 1 entry");
-                continue;
-            }
-            $rgmap[$ph1ent['remote-gateway']] = $rg;
-
            /* step through each phase2 entry */
            foreach ($a_phase2 as $ph2ent) {
                if (isset($ph2ent['disabled'])) {
@ -1592,36 +1569,10 @@ EOD;
        mwexec("/usr/local/sbin/ipsec start", false);
    }

-    /* start filterdns, if necessary */
-    if (count($filterdns_list) > 0) {
-        $interval = 60;
-        if (!empty($ipseccfg['dns-interval']) && is_numeric($ipseccfg['dns-interval'])) {
-            $interval = $ipseccfg['dns-interval'];
-        }
-
-        $hostnames = "";
-        array_unique($filterdns_list);
-        foreach ($filterdns_list as $hostname) {
-            $hostnames .= "cmd {$hostname} '/usr/local/opnsense/service/configd_ctl.py ipsecdns reload'\n";
-        }
-        file_put_contents("/usr/local/etc/filterdns-ipsec.hosts", $hostnames);
-        unset($hostnames);
-
-        if (isvalidpid('/var/run/filterdns-ipsec.pid')) {
-            killbypid('/var/run/filterdns-ipsec.pid', 'HUP');
-        } else {
-            mwexec("/usr/local/sbin/filterdns -p /var/run/filterdns-ipsec.pid -i {$interval} -c /usr/local/etc/filterdns-ipsec.hosts -d 1");
-        }
-    } else {
-        killbypid('/var/run/filterdns-ipsec.pid');
-    }
-
    /* load manually defined SPD entries */
    ipsec_configure_spd();

    if ($verbose) {
        echo "done.\n";
    }
-
-    return count($filterdns_list);
 }
--- a/src/etc/inc/system.inc
+++ b/src/etc/inc/system.inc
@ -684,7 +684,7 @@ function system_syslogd_start($verbose = false)
        $syslogconfs['gateways'] = array('facility' => array('apinger'), 'remote' => 'apinger');
        $syslogconfs['portalauth'] = array('facility' => array('captiveportal'), 'remote' => 'portalauth');
        $syslogconfs['ppps'] = array('facility' => array('ppp'));
-        $syslogconfs['resolver'] = array('facility' => array('filterdns', 'unbound'), 'remote' => 'dns');
+        $syslogconfs['resolver'] = array('facility' => array('unbound'), 'remote' => 'dns');
        $syslogconfs['routing'] = array('facility' => array('radvd', 'routed', 'rtsold', 'olsrd', 'zebra', 'ospfd', 'bgpd', 'miniupnpd'));
        $syslogconfs['wireless'] = array('facility' => array('hostapd'), 'remote' => 'hostapd');

--- a/src/etc/rc.bootup
+++ b/src/etc/rc.bootup
@ -123,7 +123,7 @@ configd_run('template reload *');
 plugins_configure('bootup', true);

 /* start IPsec tunnels */
-$ipsec_dynamic_hosts = ipsec_configure_do(true);
+ipsec_configure_do(true);

 rrd_configure(true);
 system_powerd_configure(true);
@ -135,11 +135,6 @@ system_powerd_configure(true);
 */
 system_syslogd_start(true);

-/* If there are ipsec dynamic hosts try again to reload the tunnels as rc.newipsecdns does */
-if ($ipsec_dynamic_hosts) {
-    ipsec_configure_do(true);
-}
-
 system_console_unmute();

 exit(0);
--- a/src/etc/rc.newipsecdns
+++ b/src/etc/rc.newipsecdns
@ -1,50 +0,0 @@
-#!/usr/local/bin/php
-<?php
-
-/*
- * Copyright (C) 2007 Manuel Kasper <mk@neon1.net>.
- * Copyright (C) 2009 Seth Mos <seth.mos@dds.nl>.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-require_once("util.inc");
-require_once("config.inc");
-require_once("filter.inc");
-require_once('plugins.inc.d/ipsec.inc');
-require_once('auth.inc');
-require_once("interfaces.inc");
-
-/* make sure to wait until the boot scripts have finished */
-if (file_exists('/var/run/booting')) {
-    return;
-} elseif (isset($config['ipsec']['enable'])) {
-    sleep(15);
-    log_error("IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.");
-} else {
-    return;
-}
-
-$ipseclck = lock('ipsecdns', LOCK_EX);
-ipsec_configure_do(true);
-unlock($ipseclck);
--- a/src/opnsense/service/conf/actions.d/actions_ipsecdns.conf
+++ b/src/opnsense/service/conf/actions.d/actions_ipsecdns.conf
@ -1,5 +0,0 @@
-[reload]
-command:/usr/local/etc/rc.newipsecdns
-parameters:
-type:script
-message:Restarting ipsec tunnels
--- a/src/www/system_gateway_groups.php
+++ b/src/www/system_gateway_groups.php
@ -55,7 +55,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {

        configd_run('dyndns reload');
        configd_run('rfc2136 reload');
-        configd_run('ipsecdns reload');
        configd_run('filter reload');

        /* reconfigure our gateway monitor */