From mboxrd@z Thu Jan 1 00:00:00 1970
From: Marcel Lorenz <marcel.lorenz@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] new package: unbound 1.5.9
Date: Tue, 02 Aug 2016 20:48:17 +0200
Message-ID: <1470163697-30802-2-git-send-email-marcel.lorenz@ipfire.org>
In-Reply-To: <1470163697-30802-1-git-send-email-marcel.lorenz@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6610858721895677634=="
List-Id: <development.lists.ipfire.org>
--===============6610858721895677634==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Unbound is a validating, recursive, and caching DNS resolver.
https://www.unbound.net
Signed-off-by: Marcel Lorenz <marcel.lorenz(a)ipfire.org>
---
config/rootfiles/packages/unbound | 70 ++++++++
config/unbound/blocklists/ms-telemetry.conf | 49 ++++++
config/unbound/forward.conf | 6 +
config/unbound/root.hints | 90 ++++++++++
config/unbound/root.key | 9 +
config/unbound/site-packages/daemonize.py | 247 +++++++++++++++++++++++++=
++
config/unbound/site-packages/dhcpd.py | 108 ++++++++++++
config/unbound/site-packages/params.py | 46 +++++
config/unbound/site-packages/watcherdhcpd.py | 107 ++++++++++++
config/unbound/unbound-dhcpd.py | 145 ++++++++++++++++
config/unbound/unbound-switch | 80 +++++++++
config/unbound/unbound-zone | 78 +++++++++
config/unbound/unbound.conf | 123 +++++++++++++
lfs/unbound | 103 +++++++++++
make.sh | 1 +
src/initscripts/init.d/network-unbound | 114 +++++++++++++
src/initscripts/init.d/unbound | 178 +++++++++++++++++++
src/initscripts/init.d/unbound-dhcpd | 61 +++++++
src/paks/unbound/install.sh | 70 ++++++++
src/paks/unbound/uninstall.sh | 27 +++
src/paks/unbound/update.sh | 26 +++
21 files changed, 1738 insertions(+)
create mode 100644 config/rootfiles/packages/unbound
create mode 100644 config/unbound/blocklists/ms-telemetry.conf
create mode 100644 config/unbound/forward.conf
create mode 100644 config/unbound/root.hints
create mode 100644 config/unbound/root.key
create mode 100644 config/unbound/site-packages/daemonize.py
create mode 100644 config/unbound/site-packages/dhcpd.py
create mode 100644 config/unbound/site-packages/params.py
create mode 100644 config/unbound/site-packages/watcherdhcpd.py
create mode 100644 config/unbound/unbound-dhcpd.py
create mode 100755 config/unbound/unbound-switch
create mode 100644 config/unbound/unbound-zone
create mode 100644 config/unbound/unbound.conf
create mode 100644 lfs/unbound
create mode 100644 src/initscripts/init.d/network-unbound
create mode 100644 src/initscripts/init.d/unbound
create mode 100644 src/initscripts/init.d/unbound-dhcpd
create mode 100644 src/paks/unbound/install.sh
create mode 100644 src/paks/unbound/uninstall.sh
create mode 100644 src/paks/unbound/update.sh
diff --git a/config/rootfiles/packages/unbound b/config/rootfiles/packages/un=
bound
new file mode 100644
index 0000000..c468167
--- /dev/null
+++ b/config/rootfiles/packages/unbound
@@ -0,0 +1,70 @@
+etc/rc.d/init.d/network-unbound
+etc/rc.d/init.d/unbound
+etc/rc.d/init.d/unbound-dhcpd
+#etc/unbound
+#etc/unbound/blocklists
+etc/unbound/blocklists/ms-telemetry.conf
+etc/unbound/forward.conf
+etc/unbound/root.hints
+etc/unbound/root.key
+etc/unbound/unbound.conf
+etc/unbound/unbound_org.conf
+usr/bin/unbound-host
+#usr/include/unbound.h
+#usr/lib/libunbound.la
+usr/lib/libunbound.so
+usr/lib/libunbound.so.2
+usr/lib/libunbound.so.2.4.1
+#usr/lib/python2.7/site-packages/_unbound.la
+usr/lib/python2.7/site-packages/_unbound.so
+usr/lib/python2.7/site-packages/daemonize.py
+usr/lib/python2.7/site-packages/dhcpd.py
+usr/lib/python2.7/site-packages/params.py
+usr/lib/python2.7/site-packages/unbound.py
+usr/lib/python2.7/site-packages/watcherdhcpd.py
+usr/sbin/unbound
+usr/sbin/unbound-anchor
+usr/sbin/unbound-checkconf
+usr/sbin/unbound-dhcpd.py
+usr/sbin/unbound-control
+usr/sbin/unbound-control-setup
+usr/sbin/unbound-switch
+usr/sbin/unbound-zone
+#usr/share/man/man1/unbound-host.1
+#usr/share/man/man3/libunbound.3
+#usr/share/man/man3/ub_cancel.3
+#usr/share/man/man3/ub_ctx.3
+#usr/share/man/man3/ub_ctx_add_ta.3
+#usr/share/man/man3/ub_ctx_add_ta_file.3
+#usr/share/man/man3/ub_ctx_async.3
+#usr/share/man/man3/ub_ctx_config.3
+#usr/share/man/man3/ub_ctx_create.3
+#usr/share/man/man3/ub_ctx_data_add.3
+#usr/share/man/man3/ub_ctx_data_remove.3
+#usr/share/man/man3/ub_ctx_debuglevel.3
+#usr/share/man/man3/ub_ctx_debugout.3
+#usr/share/man/man3/ub_ctx_delete.3
+#usr/share/man/man3/ub_ctx_get_option.3
+#usr/share/man/man3/ub_ctx_hosts.3
+#usr/share/man/man3/ub_ctx_print_local_zones.3
+#usr/share/man/man3/ub_ctx_resolvconf.3
+#usr/share/man/man3/ub_ctx_set_fwd.3
+#usr/share/man/man3/ub_ctx_set_option.3
+#usr/share/man/man3/ub_ctx_trustedkeys.3
+#usr/share/man/man3/ub_ctx_zone_add.3
+#usr/share/man/man3/ub_ctx_zone_remove.3
+#usr/share/man/man3/ub_fd.3
+#usr/share/man/man3/ub_poll.3
+#usr/share/man/man3/ub_process.3
+#usr/share/man/man3/ub_resolve.3
+#usr/share/man/man3/ub_resolve_async.3
+#usr/share/man/man3/ub_resolve_free.3
+#usr/share/man/man3/ub_result.3
+#usr/share/man/man3/ub_strerror.3
+#usr/share/man/man3/ub_wait.3
+#usr/share/man/man5/unbound.conf.5
+#usr/share/man/man8/unbound-anchor.8
+#usr/share/man/man8/unbound-checkconf.8
+#usr/share/man/man8/unbound-control-setup.8
+#usr/share/man/man8/unbound-control.8
+#usr/share/man/man8/unbound.8
diff --git a/config/unbound/blocklists/ms-telemetry.conf b/config/unbound/blo=
cklists/ms-telemetry.conf
new file mode 100644
index 0000000..7801e76
--- /dev/null
+++ b/config/unbound/blocklists/ms-telemetry.conf
@@ -0,0 +1,49 @@
+# Windows telemetry
+local-data: "a-0001.a-msedge.net A 127.0.0.1"
+local-data: "asimov-win.settings.data.microsoft.com.akadns.net. A 127.0.0.1"
+local-data: "asimov-win.vortex.data.microsoft.com.akadns.net. A 127.0.0.1"
+local-data: "choice.microsoft.com A 127.0.0.1"
+local-data: "choice.microsoft.com.nsatc.net A 127.0.0.1"
+local-data: "compatexchange.cloudapp.net A 127.0.0.1"
+local-data: "corpext.msitadfs.glbdns2.microsoft.com A 127.0.0.1"
+local-data: "corp.sts.microsoft.com A 127.0.0.1"
+local-data: "cs1.wpc.v0cdn.net A 127.0.0.1"
+local-data: "df.telemetry.microsoft.com A 127.0.0.1"
+local-data: "diagnostics.support.microsoft.com A 127.0.0.1"
+local-data: "fe2.update.microsoft.com.akadns.net A 127.0.0.1"
+local-data: "feedback.microsoft-hohm.com A 127.0.0.1"
+local-data: "feedback.search.microsoft.com A 127.0.0.1"
+local-data: "feedback.windows.com A 127.0.0.1"
+local-data: "i1.services.social.microsoft.com A 127.0.0.1"
+local-data: "i1.services.social.microsoft.com.nsatc.net A 127.0.0.1"
+local-data: "nexus.officeapps.live.com A 127.0.0.1"
+local-data: "oca.telemetry.microsoft.com A 127.0.0.1"
+local-data: "oca.telemetry.microsoft.com.nsatc.net A 127.0.0.1"
+local-data: "pre.footprintpredict.com A 127.0.0.1"
+local-data: "redir.metaservices.microsoft.com A 127.0.0.1"
+local-data: "reports.wes.df.telemetry.microsoft.com A 127.0.0.1"
+local-data: "services.wes.df.telemetry.microsoft.com A 127.0.0.1"
+local-data: "settings-sandbox.data.microsoft.com A 127.0.0.1"
+local-data: "settings-win.data.microsoft.com A 127.0.0.1"
+local-data: "sls.update.microsoft.com.akadns.net A 127.0.0.1"
+local-data: "sqm.df.telemetry.microsoft.com A 127.0.0.1"
+local-data: "sqm.telemetry.microsoft.com A 127.0.0.1"
+local-data: "sqm.telemetry.microsoft.com.nsatc.net A 127.0.0.1"
+local-data: "statsfe1.ws.microsoft.com A 127.0.0.1"
+local-data: "statsfe2.update.microsoft.com.akadns.net A 127.0.0.1"
+local-data: "statsfe2.ws.microsoft.com A 127.0.0.1"
+local-data: "survey.watson.microsoft.com A 127.0.0.1"
+local-data: "telecommand.telemetry.microsoft.com A 127.0.0.1"
+local-data: "telecommand.telemetry.microsoft.com.nsatc.net A 127.0.0.1"
+local-data: "telemetry.appex.bing.net A 127.0.0.1"
+local-data: "telemetry.microsoft.com A 127.0.0.1"
+local-data: "telemetry.urs.microsoft.com A 127.0.0.1"
+local-data: "vortex.data.microsoft.com A 127.0.0.1"
+local-data: "vortex-sandbox.data.microsoft.com A 127.0.0.1"
+local-data: "vortex-win.data.microsoft.com A 127.0.0.1"
+local-data: "watson.live.com A 127.0.0.1"
+local-data: "watson.microsoft.com A 127.0.0.1"
+local-data: "watson.ppe.telemetry.microsoft.com A 127.0.0.1"
+local-data: "watson.telemetry.microsoft.com A 127.0.0.1"
+local-data: "watson.telemetry.microsoft.com.nsatc.net A 127.0.0.1"
+local-data: "wes.df.telemetry.microsoft.com A 127.0.0.1"
diff --git a/config/unbound/forward.conf b/config/unbound/forward.conf
new file mode 100644
index 0000000..5784f9f
--- /dev/null
+++ b/config/unbound/forward.conf
@@ -0,0 +1,6 @@
+forward-zone:
+ name: "."
+ forward-addr: 85.214.20.141
+ forward-addr: 194.150.168.168
+ forward-addr: 208.67.222.222
+ forward-addr: 208.67.220.220
diff --git a/config/unbound/root.hints b/config/unbound/root.hints
new file mode 100644
index 0000000..3c82146
--- /dev/null
+++ b/config/unbound/root.hints
@@ -0,0 +1,90 @@
+; This file holds the information on root name servers needed to
+; initialize cache of Internet domain name servers
+; (e.g. reference this file in the "cache . <file>"
+; configuration file of BIND domain name servers).
+;
+; This file is made available by InterNIC=20
+; under anonymous FTP as
+; file /domain/named.cache
+; on server FTP.INTERNIC.NET
+; -OR- RS.INTERNIC.NET
+;
+; last update: March 23, 2016
+; related version of root zone: 2016032301
+;
+; formerly NS.INTERNIC.NET
+;
+. 3600000 NS A.ROOT-SERVERS.NET.
+A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
+A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30
+;
+; FORMERLY NS1.ISI.EDU
+;
+. 3600000 NS B.ROOT-SERVERS.NET.
+B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
+B.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:84::b
+;
+; FORMERLY C.PSI.NET
+;
+. 3600000 NS C.ROOT-SERVERS.NET.
+C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
+C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c
+;
+; FORMERLY TERP.UMD.EDU
+;
+. 3600000 NS D.ROOT-SERVERS.NET.
+D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
+D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d
+;
+; FORMERLY NS.NASA.GOV
+;
+. 3600000 NS E.ROOT-SERVERS.NET.
+E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
+;
+; FORMERLY NS.ISC.ORG
+;
+. 3600000 NS F.ROOT-SERVERS.NET.
+F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
+F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f
+;
+; FORMERLY NS.NIC.DDN.MIL
+;
+. 3600000 NS G.ROOT-SERVERS.NET.
+G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
+;
+; FORMERLY AOS.ARL.ARMY.MIL
+;
+. 3600000 NS H.ROOT-SERVERS.NET.
+H.ROOT-SERVERS.NET. 3600000 A 198.97.190.53
+H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53
+;
+; FORMERLY NIC.NORDU.NET
+;
+. 3600000 NS I.ROOT-SERVERS.NET.
+I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
+I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53
+;
+; OPERATED BY VERISIGN, INC.
+;
+. 3600000 NS J.ROOT-SERVERS.NET.
+J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
+J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30
+;
+; OPERATED BY RIPE NCC
+;
+. 3600000 NS K.ROOT-SERVERS.NET.
+K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
+K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1
+;
+; OPERATED BY ICANN
+;
+. 3600000 NS L.ROOT-SERVERS.NET.
+L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
+L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:9f::42
+;
+; OPERATED BY WIDE
+;
+. 3600000 NS M.ROOT-SERVERS.NET.
+M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
+M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35
+; End of file
diff --git a/config/unbound/root.key b/config/unbound/root.key
new file mode 100644
index 0000000..fb540e3
--- /dev/null
+++ b/config/unbound/root.key
@@ -0,0 +1,9 @@
+; autotrust trust anchor file
+;;id: . 1
+;;last_queried: 1467576595 ;;Sun Jul 3 22:09:55 2016
+;;last_success: 1467576595 ;;Sun Jul 3 22:09:55 2016
+;;next_probe_time: 1467616562 ;;Mon Jul 4 09:16:02 2016
+;;query_failed: 0
+;;query_interval: 43200
+;;retry_time: 8640
+. 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0=
O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg=
37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dl=
zEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS=
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=3D ;{id =
=3D 19036 (ksk), size =3D 2048b} ;;state=3D2 [ VALID ] ;;count=3D0 ;;lastch=
ange=3D1467575383 ;;Sun Jul 3 21:49:43 2016
diff --git a/config/unbound/site-packages/daemonize.py b/config/unbound/site-=
packages/daemonize.py
new file mode 100644
index 0000000..e083feb
--- /dev/null
+++ b/config/unbound/site-packages/daemonize.py
@@ -0,0 +1,247 @@
+# #!/usr/bin/python
+
+import fcntl
+import os
+import pwd
+import grp
+import sys
+import signal
+import resource
+import logging
+import atexit
+from logging import handlers
+import traceback
+
+
+__version__ =3D "2.4.6"
+
+
+class Daemonize(object):
+ """
+ Daemonize object.
+
+ Object constructor expects three arguments.
+
+ :param app: contains the application name which will be sent to syslog.
+ :param pid: path to the pidfile.
+ :param action: your custom function which will be executed after daemoni=
zation.
+ :param keep_fds: optional list of fds which should not be closed.
+ :param auto_close_fds: optional parameter to not close opened fds.
+ :param privileged_action: action that will be executed before drop privi=
leges if user or
+ group parameter is provided.
+ If you want to transfer anything from privileg=
ed_action to action, such as
+ opened privileged file descriptor, you should =
return it from
+ privileged_action function and catch it inside=
action function.
+ :param user: drop privileges to this user if provided.
+ :param group: drop privileges to this group if provided.
+ :param verbose: send debug messages to logger if provided.
+ :param logger: use this logger object instead of creating new one, if pr=
ovided.
+ :param foreground: stay in foreground; do not fork (for debugging)
+ :param chdir: change working directory if provided or /
+ """
+ def __init__(self, app, pid, action,
+ keep_fds=3DNone, auto_close_fds=3DTrue, privileged_action=
=3DNone,
+ user=3DNone, group=3DNone, verbose=3DFalse, logger=3DNone,
+ foreground=3DFalse, chdir=3D"/"):
+ self.app =3D app
+ self.pid =3D os.path.abspath(pid)
+ self.action =3D action
+ self.keep_fds =3D keep_fds or []
+ self.privileged_action =3D privileged_action or (lambda: ())
+ self.user =3D user
+ self.group =3D group
+ self.logger =3D logger
+ self.verbose =3D verbose
+ self.auto_close_fds =3D auto_close_fds
+ self.foreground =3D foreground
+ self.chdir =3D chdir
+
+ def sigterm(self, signum, frame):
+ """
+ These actions will be done after SIGTERM.
+ """
+ self.logger.warn("Caught signal %s. Stopping daemon." % signum)
+ sys.exit(0)
+
+ def exit(self):
+ """
+ Cleanup pid file at exit.
+ """
+ self.logger.warn("Stopping daemon.")
+ os.remove(self.pid)
+ sys.exit(0)
+
+ def start(self):
+ """
+ Start daemonization process.
+ """
+ # If pidfile already exists, we should read pid from there; to overw=
rite it, if locking
+ # will fail, because locking attempt somehow purges the file content=
s.
+ if os.path.isfile(self.pid):
+ with open(self.pid, "r") as old_pidfile:
+ old_pid =3D old_pidfile.read()
+ # Create a lockfile so that only one instance of this daemon is runn=
ing at any time.
+ try:
+ lockfile =3D open(self.pid, "w")
+ except IOError:
+ print("Unable to create the pidfile.")
+ sys.exit(1)
+ try:
+ # Try to get an exclusive lock on the file. This will fail if an=
other process has the file
+ # locked.
+ fcntl.flock(lockfile, fcntl.LOCK_EX | fcntl.LOCK_NB)
+ except IOError:
+ print("Unable to lock on the pidfile.")
+ # We need to overwrite the pidfile if we got here.
+ with open(self.pid, "w") as pidfile:
+ pidfile.write(old_pid)
+ sys.exit(1)
+
+ # skip fork if foreground is specified
+ if not self.foreground:
+ # Fork, creating a new process for the child.
+ try:
+ process_id =3D os.fork()
+ except OSError as e:
+ self.logger.error("Unable to fork, errno: {0}".format(e.errn=
o))
+ sys.exit(1)
+ if process_id !=3D 0:
+ # This is the parent process. Exit without cleanup,
+ # see https://github.com/thesharp/daemonize/issues/46
+ os._exit(0)
+ # This is the child process. Continue.
+
+ # Stop listening for signals that the parent process receives.
+ # This is done by getting a new process id.
+ # setpgrp() is an alternative to setsid().
+ # setsid puts the process in a new parent group and detaches its=
controlling terminal.
+ process_id =3D os.setsid()
+ if process_id =3D=3D -1:
+ # Uh oh, there was a problem.
+ sys.exit(1)
+
+ # Add lockfile to self.keep_fds.
+ self.keep_fds.append(lockfile.fileno())
+
+ # Close all file descriptors, except the ones mentioned in self.=
keep_fds.
+ devnull =3D "/dev/null"
+ if hasattr(os, "devnull"):
+ # Python has set os.devnull on this system, use it instead a=
s it might be different
+ # than /dev/null.
+ devnull =3D os.devnull
+
+ if self.auto_close_fds:
+ for fd in range(3, resource.getrlimit(resource.RLIMIT_NOFILE=
)[0]):
+ if fd not in self.keep_fds:
+ try:
+ os.close(fd)
+ except OSError:
+ pass
+
+ devnull_fd =3D os.open(devnull, os.O_RDWR)
+ os.dup2(devnull_fd, 0)
+ os.dup2(devnull_fd, 1)
+ os.dup2(devnull_fd, 2)
+
+ if self.logger is None:
+ # Initialize logging.
+ self.logger =3D logging.getLogger(self.app)
+ self.logger.setLevel(logging.DEBUG)
+ # Display log messages only on defined handlers.
+ self.logger.propagate =3D False
+
+ # Initialize syslog.
+ # It will correctly work on OS X, Linux and FreeBSD.
+ if sys.platform =3D=3D "darwin":
+ syslog_address =3D "/var/run/syslog"
+ else:
+ syslog_address =3D "/dev/log"
+
+ # We will continue with syslog initialization only if actually h=
ave such capabilities
+ # on the machine we are running this.
+ if os.path.exists(syslog_address):
+ syslog =3D handlers.SysLogHandler(syslog_address)
+ if self.verbose:
+ syslog.setLevel(logging.DEBUG)
+ else:
+ syslog.setLevel(logging.INFO)
+ # Try to mimic to normal syslog messages.
+ formatter =3D logging.Formatter("%(asctime)s %(name)s: %(mes=
sage)s",
+ "%b %e %H:%M:%S")
+ syslog.setFormatter(formatter)
+
+ self.logger.addHandler(syslog)
+
+ # Set umask to default to safe file permissions when running as a ro=
ot daemon. 027 is an
+ # octal number which we are typing as 0o27 for Python3 compatibility.
+ os.umask(0o27)
+
+ # Change to a known directory. If this isn't done, starting a daemon=
in a subdirectory that
+ # needs to be deleted results in "directory busy" errors.
+ os.chdir(self.chdir)
+
+ # Execute privileged action
+ privileged_action_result =3D self.privileged_action()
+ if not privileged_action_result:
+ privileged_action_result =3D []
+
+ # Change owner of pid file, it's required because pid file will be r=
emoved at exit.
+ uid, gid =3D -1, -1
+
+ if self.group:
+ try:
+ gid =3D grp.getgrnam(self.group).gr_gid
+ except KeyError:
+ self.logger.error("Group {0} not found".format(self.group))
+ sys.exit(1)
+
+ if self.user:
+ try:
+ uid =3D pwd.getpwnam(self.user).pw_uid
+ except KeyError:
+ self.logger.error("User {0} not found.".format(self.user))
+ sys.exit(1)
+
+ if uid !=3D -1 or gid !=3D -1:
+ os.chown(self.pid, uid, gid)
+
+ # Change gid
+ if self.group:
+ try:
+ os.setgid(gid)
+ except OSError:
+ self.logger.error("Unable to change gid.")
+ sys.exit(1)
+
+ # Change uid
+ if self.user:
+ try:
+ uid =3D pwd.getpwnam(self.user).pw_uid
+ except KeyError:
+ self.logger.error("User {0} not found.".format(self.user))
+ sys.exit(1)
+ try:
+ os.setuid(uid)
+ except OSError:
+ self.logger.error("Unable to change uid.")
+ sys.exit(1)
+
+ try:
+ lockfile.write("%s" % (os.getpid()))
+ lockfile.flush()
+ except IOError:
+ self.logger.error("Unable to write pid to the pidfile.")
+ print("Unable to write pid to the pidfile.")
+ sys.exit(1)
+
+ # Set custom action on SIGTERM.
+ signal.signal(signal.SIGTERM, self.sigterm)
+ atexit.register(self.exit)
+
+ self.logger.warn("Starting daemon.")
+
+ try:
+ self.action(*privileged_action_result)
+ except Exception as e:
+ for line in traceback.format_exc(e).split("\n"):
+ self.logger.error(line)
diff --git a/config/unbound/site-packages/dhcpd.py b/config/unbound/site-pack=
ages/dhcpd.py
new file mode 100644
index 0000000..6d586c7
--- /dev/null
+++ b/config/unbound/site-packages/dhcpd.py
@@ -0,0 +1,108 @@
+"""
+ Copyright (c) 2016 Ad Schellevis
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are m=
et:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIE=
S,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL T=
HE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLAR=
Y,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF T=
HE
+ POSSIBILITY OF SUCH DAMAGE.
+"""
+import os
+import time
+import datetime
+
+class DHCPDLease(object):
+ watch_file =3D '/var/dhcpd/var/db/dhcpd.leases'
+
+ def __init__(self):
+ """ init watcher
+ :return: watcher object
+ """
+ self._section_data =3D []
+ self._fhandle =3D None
+ self._last_pos =3D None
+ self._open()
+
+ def _open(self):
+ """ (re)open watched file
+ :return: watcher object
+ """
+ try:
+ self._fhandle =3D open(self.watch_file, 'r')
+ self._last_pos =3D None
+ self._section_data =3D []
+ return True
+ except IOError:
+ self._fhandle =3D None
+ return False
+
+ @staticmethod
+ def parse_lease(lines):
+ """ parse dhcp lease
+ :param lines: lease section as list item
+ :return: dictionary
+ """
+ lease =3D dict()
+ lease['address'] =3D lines[0].split()[1]
+ for line in lines:
+ parts =3D line.split()
+ field_name =3D parts[0]
+ field_value =3D None
+ if field_name in ('starts', 'ends', 'tstp', 'tsfp', 'atsfp', 'cl=
tt') and len(parts) >=3D 3:
+ dt =3D '%s %s'%(parts[2], parts[3])
+ try:
+ field_value =3D time.mktime(datetime.datetime.strptime(d=
t, "%Y/%m/%d %H:%M:%S;").timetuple())
+ except ValueError:
+ field_value =3D None
+ elif field_name =3D=3D 'hardware' and len(parts) >=3D 3:
+ field_value =3D {'hardware-type': parts[1], 'mac-address': p=
arts[2]}
+ elif field_name in('uid', 'client-hostname') and len(parts) >=3D=
2 and parts[1].find('"') > -1:
+ field_value =3D parts[1].split('"')[1]
+
+ if field_value is not None:
+ lease[field_name] =3D field_value
+
+ return lease
+
+ def watch(self):
+ """ watch file, return lease dictionaries
+ :return: iterator for leases
+ """
+ if self._fhandle is None or os.fstat(self._fhandle.fileno()).st_nlin=
k =3D=3D 0:
+ # nothing to watch, try to (re)open return when failed
+ if not self._open():
+ return
+ elif self._last_pos is not None:
+ self._fhandle.seek(self._last_pos)
+
+ while True:
+ line =3D self._fhandle.readline()
+ if line:
+ if len(line) > 5 and line[0:5] =3D=3D 'lease':
+ self._section_data.append(line)
+ elif len(line) > 1 and line[0] =3D=3D '}':
+ self._section_data.append(line)
+ yield self.parse_lease(self._section_data)
+ self._section_data =3D []
+ elif len(self._section_data) > 0:
+ self._section_data.append(line)
+ else:
+ break
+
+ self._last_pos =3D self._fhandle.tell()
diff --git a/config/unbound/site-packages/params.py b/config/unbound/site-pac=
kages/params.py
new file mode 100644
index 0000000..6be3244
--- /dev/null
+++ b/config/unbound/site-packages/params.py
@@ -0,0 +1,46 @@
+"""
+ Copyright (c) 2015-2016 Ad Schellevis
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are m=
et:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIE=
S,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL T=
HE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLAR=
Y,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF T=
HE
+ POSSIBILITY OF SUCH DAMAGE.
+"""
+
+import sys
+
+
+def update_params(parameters):
+ """ update predefined parameters with given list from shell (as switches)
+ for example /a valA /b valB
+ converts to
+ {'a':'valA','b':'valB'}
+ (assuming parameters contains both a and b)
+ :param parameters: parameter dictionary
+ :return:
+ """
+ cmd =3D None
+ for arg in sys.argv[1:]:
+ if cmd is None:
+ cmd =3D arg[1:]
+ else:
+ if cmd in parameters and arg.strip() !=3D '':
+ parameters[cmd] =3D arg.strip()
+ cmd =3D None
diff --git a/config/unbound/site-packages/watcherdhcpd.py b/config/unbound/si=
te-packages/watcherdhcpd.py
new file mode 100644
index 0000000..c726d5c
--- /dev/null
+++ b/config/unbound/site-packages/watcherdhcpd.py
@@ -0,0 +1,107 @@
+"""
+ Copyright (c) 2016 Ad Schellevis
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are m=
et:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIE=
S,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL T=
HE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLAR=
Y,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF T=
HE
+ POSSIBILITY OF SUCH DAMAGE.
+"""
+import os
+import time
+import datetime
+
+class DHCPDLease(object):
+ watch_file =3D '/var/state/dhcp/dhcpd.leases'
+
+ def __init__(self):
+ """ init watcher
+ :return: watcher object
+ """
+ self._section_data =3D []
+ self._fhandle =3D None
+ self._last_pos =3D None
+ self._open()
+
+ def _open(self):
+ """ (re)open watched file
+ :return: watcher object
+ """
+ try:
+ self._fhandle =3D open(self.watch_file, 'r')
+ self._last_pos =3D None
+ self._section_data =3D []
+ return True
+ except IOError:
+ self._fhandle =3D None
+ return False
+
+ @staticmethod
+ def parse_lease(lines):
+ """ parse dhcp lease
+ :param lines: lease section as list item
+ :return: dictionary
+ """
+ lease =3D dict()
+ lease['address'] =3D lines[0].split()[1]
+ for line in lines:
+ parts =3D line.split()
+ field_name =3D parts[0]
+ field_value =3D None
+ if field_name in ('starts', 'ends', 'tstp', 'tsfp', 'atsfp', 'cl=
tt') and len(parts) >=3D 3:
+ dt =3D '%s %s'%(parts[2], parts[3])
+ try:
+ field_value =3D time.mktime(datetime.datetime.strptime(d=
t, "%Y/%m/%d %H:%M:%S;").timetuple())
+ except ValueError:
+ field_value =3D None
+ elif field_name =3D=3D 'hardware' and len(parts) >=3D 3:
+ field_value =3D {'hardware-type': parts[1], 'mac-address': p=
arts[2]}
+ elif field_name in('uid', 'client-hostname') and len(parts) >=3D=
2 and parts[1].find('"') > -1:
+ field_value =3D parts[1].split('"')[1]
+
+ if field_value is not None:
+ lease[field_name] =3D field_value
+ return lease
+
+ def watch(self):
+ """ watch file, return lease dictionaries
+ :return: iterator for leases
+ """
+ if self._fhandle is None or os.fstat(self._fhandle.fileno()).st_nlin=
k =3D=3D 0:
+ # nothing to watch, try to (re)open return when failed
+ if not self._open():
+ return
+ elif self._last_pos is not None:
+ self._fhandle.seek(self._last_pos)
+
+ while True:
+ line =3D self._fhandle.readline()
+ if line:
+ if len(line) > 5 and line[0:5] =3D=3D 'lease':
+ self._section_data.append(line)
+ elif len(line) > 1 and line[0] =3D=3D '}':
+ self._section_data.append(line)
+ yield self.parse_lease(self._section_data)
+ self._section_data =3D []
+ elif len(self._section_data) > 0:
+ self._section_data.append(line)
+ else:
+ break
+
+ self._last_pos =3D self._fhandle.tell()
diff --git a/config/unbound/unbound-dhcpd.py b/config/unbound/unbound-dhcpd.py
new file mode 100644
index 0000000..0afedc9
--- /dev/null
+++ b/config/unbound/unbound-dhcpd.py
@@ -0,0 +1,145 @@
+#!/usr/bin/python2.7
+
+"""
+ Copyright (c) 2016 Ad Schellevis
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are m=
et:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIE=
S,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL T=
HE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLAR=
Y,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF T=
HE
+ POSSIBILITY OF SUCH DAMAGE.
+
+ ------------------------------------------------------------------------=
--------------
+ watch dhcp lease file and build include file for unbound
+"""
+import os
+import sys
+
+sys.path.insert(0, "/usr/lib/python2.7/site-packages")
+import subprocess
+import time
+import tempfile
+from daemonize import Daemonize
+import watcherdhcpd
+import params
+
+
+def unbound_control(commands, output_stream=3DNone):
+ """ execute (chrooted) unbound-control command
+ :param commands: command list (parameters)
+ :param output_stream: (optional)output stream
+ :return: None
+ """
+ output_stream =3D open(os.devnull, 'w')
+ subprocess.check_call(['/usr/sbin/chroot', '--userspec=3Dunbound:unbound=
', '/',
+ '/usr/sbin/unbound-control', '-c', '/etc/unbound/=
unbound.conf'] + commands,
+ stdout=3Doutput_stream, stderr=3Dsubprocess.STDOUT)
+ output_stream.seek(0)
+
+
+def unbound_known_addresses():
+ """ fetch known addresses
+ :return: list
+ """
+ result =3D list()
+ with tempfile.NamedTemporaryFile() as output_stream:
+ unbound_control(['list_local_data'], output_stream)
+ for line in output_stream.read().split('\n'):
+ parts =3D line.split()
+ if len(parts) > 4 and parts[3] =3D=3D 'A':
+ result.append(parts[4])
+ print result
+ return result
+
+
+# parse input params
+app_params =3D {'pid': '/var/run/unbound_dhcpd.pid',
+ 'domain': 'local',
+ 'target': '/etc/unbound/dhcpleases.conf',
+ 'background': '1'}
+params.update_params(app_params)
+
+
+def main():
+ # cleanup interval (seconds)
+ cleanup_interval =3D 60
+
+ # All times in the lease database are in Coordinated Universal Time (UTC=
), not local time!
+ tzone =3D 0
+ if app_params['background'] <> 1:
+ print "Add leases for domian:",app_params['domain']
+
+ # initiate lease watcher and setup cache
+ dhcpdleases =3D watcherdhcpd.DHCPDLease()
+ cached_leases =3D dict()
+ known_addresses =3D unbound_known_addresses()
+
+ # start watching dhcp leases
+ last_cleanup =3D time.time()
+ while True:
+ dhcpd_changed =3D False
+ if time.daylight <> 0:
+ utctime =3D time.time() + time.altzone
+ else:
+ utctime =3D time.time() + time.timezone
+
+ for lease in dhcpdleases.watch():
+ if 'ends' in lease and lease['ends'] > utctime and 'client-hostn=
ame' in lease and 'address' in lease:
+ cached_leases[lease['address']] =3D lease
+ dhcpd_changed =3D True
+ if app_params['background'] <> 1:
+ print "IP:",lease['address'],"Hostname:",lease['client-ho=
stname'],"Start:",lease['starts'],"End:",lease['ends']
+
+ if time.time() - last_cleanup > cleanup_interval:
+ # cleanup every x seconds
+ last_cleanup =3D time.time()
+ addresses =3D cached_leases.keys()
+ for address in addresses:
+ if cached_leases[address]['ends'] < time.time():
+ del cached_leases[address]
+ dhcpd_changed =3D True
+
+ if dhcpd_changed:
+ # dump dns output to target
+ with open(app_params['target'], 'w') as unbound_conf:
+ for address in cached_leases:
+ unbound_conf.write('local-data-ptr: "%s %s.%s"\n' % (add=
ress,
+ cac=
hed_leases[address]['client-hostname'],
+ app=
_params['domain']))
+
+ unbound_conf.write('local-data: "%s.%s IN A %s"\n' % (ca=
ched_leases[address]['client-hostname'],
+ ap=
p_params['domain'],
+ ad=
dress))
+ # signal unbound
+ for address in cached_leases:
+ if address not in known_addresses:
+ fqdn =3D '%s.%s' % (cached_leases[address]['client-hostn=
ame'], app_params['domain'])
+ unbound_control(['local_data', address, 'PTR', fqdn])
+ unbound_control(['local_data', fqdn, 'IN A', address])
+ known_addresses.append(address)
+ # wait for next cycle
+ time.sleep(5)
+
+
+# startup
+if app_params['background'] =3D=3D '1':
+ daemon =3D Daemonize(app=3D"unbound_dhcpd", pid=3Dapp_params['pid'], act=
ion=3Dmain)
+ daemon.start()
+else:
+ main()
diff --git a/config/unbound/unbound-switch b/config/unbound/unbound-switch
new file mode 100755
index 0000000..60eeb89
--- /dev/null
+++ b/config/unbound/unbound-switch
@@ -0,0 +1,80 @@
+#!/bin/bash
+############################################################################=
###
+# =
#
+# IPFire.org - A linux based firewall =
#
+# This program is free software: you can redistribute it and/or modify =
#
+# it under the terms of the GNU General Public License as published by =
#
+# the Free Software Foundation, either version 3 of the License, or =
#
+# (at your option) any later version. =
#
+# =
#
+# This program is distributed in the hope that it will be useful, =
#
+# but WITHOUT ANY WARRANTY; without even the implied warranty of =
#
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the =
#
+# GNU General Public License for more details. =
#
+# =
#
+# You should have received a copy of the GNU General Public License =
#
+# along with this program. If not, see <http://www.gnu.org/licenses/>. =
#
+# =
#
+# Description : script to switch the DNS server/proxy in IPfire =
#
+# rerun to easy go back to dnsmasq =
#
+# =
#
+# Author : Marcel Lorenz <marcel.lorenz(a)ipfire.org> =
#
+# =
#
+############################################################################=
###
+
+CGIFILE=3D"/srv/web/ipfire/cgi-bin/services.cgi"
+
+install_cron_jobs() {
+cat > /etc/fcron.weekly/update_unbound_anchor << "EOF"
+#!/bin/bash
+# allow max all 30 minutes to update files
+if [[ $(( (`date +%s` - `stat -L --format %Y /etc/unbound/root.key`) > (30*6=
0) )) !=3D 0 ]]; then
+ wget -q ftp://ftp.internic.net/domain/named.cache -O /etc/unbound/root.hin=
ts
+ curl -sS -L --compressed "http://pgl.yoyo.org/adservers/serverlist.php?hos=
tformat=3Dunbound&showintro=3D0&mimetype=3Dplaintext" > /etc/unbound/blocklis=
ts/ad-servers.conf
+ unbound-anchor
+fi
+exit 0
+EOF
+chmod +x /etc/fcron.weekly/update_unbound_anchor
+cat > /etc/fcron.hourly/update_unbound_zone << "EOF"
+#!/bin/bash
+unbound-zone
+EOF
+chmod +x /etc/fcron.hourly/update_unbound_zone
+}
+
+# main switch
+if [[ -e /etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq ]]; then
+ echo -e "\033[32mActivate Unbound DNS-proxy at start...\033[0m";
+ # autostart symlinks
+ rm -f /etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq /etc/rc.d/init.d/ne=
tworking/red.down/05-RS-dnsmasq
+ mv -f /etc/init.d/network /etc/init.d/network-dnsmasq
+ mv -f /etc/init.d/network-unbound /etc/init.d/network
+ # WebIF services.cgi=20
+ sed -i "s|\$Lang::tr{'dns proxy server'} =3D> 'dnsmasq',.*|\$Lang::tr{'dns=
proxy server'} =3D> 'unbound',|" ${CGIFILE}
+ install_cron_jobs
+ /etc/fcron.weekly/update_unbound_anchor
+ # Stop and start services=20
+ /etc/rc.d/init.d/dnsmasq stop
+ sleep 1
+ /etc/rc.d/init.d/unbound start
+
+else
+ echo -e "\033[32mActivate dnsmasq DNS-proxy at start...\033[0m";
+ # autostart symlinks
+ ln -sf /etc/rc.d/init.d/dnsmasq /etc/rc.d/init.d/networking/red.up/05-RS-d=
nsmasq
+ ln -sf /etc/rc.d/init.d/dnsmasq /etc/rc.d/init.d/networking/red.down/05-RS=
-dnsmasq
+ mv -f /etc/init.d/network /etc/init.d/network-unbound
+ mv -f /etc/init.d/network-dnsmasq /etc/init.d/network
+ # WebIF services.cgi=20
+ sed -i "s|\$Lang::tr{'dns proxy server'} =3D> 'unbound',.*|\$Lang::tr{'dns=
proxy server'} =3D> 'dnsmasq',|" ${CGIFILE}
+ # Stop and start services=20
+ /etc/rc.d/init.d/unbound stop
+ sleep 1
+ /etc/rc.d/init.d/dnsmasq start
+ rm -f /etc/fcron.weekly/update_unbound_anchor /etc/fcron.hourly/update_unb=
ound_zone;
+fi
+unset CGIFILE
+echo -e "\033[32mdone...\033[0m";
+exit 0
+# end of unbound-proxy
diff --git a/config/unbound/unbound-zone b/config/unbound/unbound-zone
new file mode 100644
index 0000000..9a0de1f
--- /dev/null
+++ b/config/unbound/unbound-zone
@@ -0,0 +1,78 @@
+#!/bin/bash
+############################################################################=
###
+# =
#
+# IPFire.org - A linux based firewall =
#
+# This program is free software: you can redistribute it and/or modify =
#
+# it under the terms of the GNU General Public License as published by =
#
+# the Free Software Foundation, either version 3 of the License, or =
#
+# (at your option) any later version. =
#
+# =
#
+# This program is distributed in the hope that it will be useful, =
#
+# but WITHOUT ANY WARRANTY; without even the implied warranty of =
#
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the =
#
+# GNU General Public License for more details. =
#
+# =
#
+# You should have received a copy of the GNU General Public License =
#
+# along with this program. If not, see <http://www.gnu.org/licenses/>. =
#
+# =
#
+# Description : small script to create the zone file for ipfire's =
#
+# internal domain (for example ipfire.local) =
#
+# =
#
+# Author : Marcel Lorenz <marcel.lorenz(a)ipfire.org> =
#
+# =
#
+############################################################################=
###
+
+ZONEFILE=3D"/etc/unbound/zones/local.conf"
+HOSTSFILE=3D"/var/ipfire/main/hosts"
+
+eval $(/usr/local/bin/readhash /var/ipfire/main/settings)
+eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+REV_GREEN=3D$(echo ${GREEN_ADDRESS} |awk -F. '{print $4"."$3"."$2"."$1}')
+
+# overwrite existing file
+cat > ${ZONEFILE} << "EOF"
+# This is the automatically created zone file for unbound
+# please do not edit this file, use the webinterface to add or remove hosts
+# if need more zones, create a new zone file and restart unbound=20
+#
+EOF
+
+# create zone header=20
+echo "# Zone file created at $(date)" >> ${ZONEFILE}
+echo "">> ${ZONEFILE}=20
+echo "# zone definition " >> ${ZONEFILE}
+echo "private-domain: \"${DOMAINNAME}\"" >> ${ZONEFILE}
+echo "local-zone: \"${DOMAINNAME}.\" static" >> ${ZONEFILE}
+echo "local-data: \"${HOSTNAME}.${DOMAINNAME}. IN A ${GREEN_ADDRESS}\"" >> $=
{ZONEFILE}
+echo "local-data: \"wpad.${DOMAINNAME}. IN A ${GREEN_ADDRESS}\"" >> ${ZONEFI=
LE}
+echo "local-data: \"${REV_GREEN}.in-addr.arpa. 10800 IN PTR ${HOSTNAME}.${DO=
MAINNAME}.\"" >> ${ZONEFILE}
+
+# write forward entrys to zone file
+echo "" >> ${ZONEFILE}=20
+echo "# Hosts from /var/ipfire/main/hosts" >> ${ZONEFILE}
+
+while read line =20
+do =20
+ if [[ $(echo ${line}|awk -F, '{print $1}') =3D on ]]; then
+ IP=3D$(echo ${line}|awk -F, '{print $2}')
+ HOST=3D$(echo ${line}|awk -F, '{print $3}')
+ DOMAIN=3D$(echo ${line}|awk -F, '{print $4}')
+ echo "local-data: \"${HOST}.${DOMAIN}. IN A ${IP}\"" >> ${ZONEFILE}
+ fi
+done < ${HOSTSFILE}
+
+# write reverse entrys to zone file
+echo "" >> ${ZONEFILE}=20
+echo "# reverse entrys" >> ${ZONEFILE}
+while read line =20
+do =20
+ if [[ $(echo ${line}|awk -F, '{print $1}') =3D on ]]; then
+ IP=3D$(echo ${line}|awk -F, '{print $2}'|awk -F. '{print $4"."$3"."$2"."=
$1}')
+ HOST=3D$(echo ${line}|awk -F, '{print $3}')
+ DOMAIN=3D$(echo ${line}|awk -F, '{print $4}')
+ echo "local-data: \"${IP}.in-addr.arpa. 10800 IN PTR ${HOST}.${DOMAIN}\"=
" >> ${ZONEFILE}
+ fi
+done < ${HOSTSFILE}
+unset IP HOST DOMAIN REV_GREEN;
+exit 0
+# end of unbound-zone
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
new file mode 100644
index 0000000..8dc72e6
--- /dev/null
+++ b/config/unbound/unbound.conf
@@ -0,0 +1,123 @@
+#
+# Unbound configuration file for IPFire
+#
+# The full documentation is available at:
+# https://www.unbound.net/documentation/unbound.conf.html
+#
+
+server:
+ # common server options
+ chroot: "/etc/unbound"
+ username: "unbound"
+ pidfile: "/var/run/unbound.pid"
+ num-threads: 2
+ port: 53
+ do-ip4: yes
+ do-ip6: no
+ do-udp: yes
+ do-tcp: yes
+ prefetch: yes
+ so-reuseport: yes
+ cache-min-ttl: 3600
+ cache-max-ttl: 86400
+ unwanted-reply-threshold: 10000
+ do-not-query-localhost: yes
+
+ # logging options
+ logfile: "log/unbound.log"
+ use-syslog: no
+ verbosity: 1
+ log-queries: no
+ log-time-ascii: yes
+
+ # Unbound Statistics
+ statistics-interval: 3600
+ statistics-cumulative: yes
+ extended-statistics: yes
+
+ # privacy options
+ hide-identity: yes
+ hide-version: yes
+ qname-minimisation: yes
+ minimal-responses: yes
+
+ # hardening options (some experimental)
+ harden-glue: yes
+ harden-large-queries: yes
+ harden-dnssec-stripped: yes
+ harden-short-bufsize: no
+ harden-below-nxdomain: no
+ harden-referral-path: no
+ harden-algo-downgrade: no
+ use-caps-for-id: yes
+
+ # listen on localhost interface
+ interface: 127.0.0.1
+
+ # file with ipfire interfaces
+ include: "/etc/unbound/interfaces.conf"
+
+ # control which clients are allowed to make (recursive) queries
+ access-control: 0.0.0.0/0 refuse
+ access-control: 127.0.0.0/8 allow
+ access-control: ::0/0 refuse
+ access-control: ::1 allow
+ access-control: ::ffff:127.0.0.1 allow
+
+ # file with ipfire networks
+ include: "/etc/unbound/access.conf"
+
+ # dnssec main options
+ val-clean-additional: yes
+ val-log-level: 1
+ # file with ipfire dnssec configuration
+ include: "/etc/unbound/dnssec.conf"
+
+ # DNS Rebinding
+ # For DNS Rebinding prevention
+ #
+ # All these addresses are either private or should not be routable in the g=
lobal IPv4 or IPv6 internet.
+ # IPv4 Addresses
+ private-address: 0.0.0.0/8 # Broadcast address
+ private-address: 10.0.0.0/8
+ private-address: 127.0.0.0/8 # Loopback Localhost
+ private-address: 172.16.0.0/12
+ private-address: 192.168.0.0/16
+ private-address: 169.254.0.0/16
+ private-address: 198.18.0.0/15 # Used for testing inter-network communica=
tions
+ private-address: 198.51.100.0/24 # Documentation network TEST-NET-2
+ private-address: 203.0.113.0/24 # Documentation network TEST-NET-3
+ private-address: 233.252.0.0/24 # Documentation network MCAST-TEST-NET
+ # IPv6 Addresses
+ private-address: ::1/128 # Loopback Localhost
+ private-address: 2001:db8::/32 # Documentation network IPv6
+ private-address: fc00::/8 # Unique local address (ULA) part of "fc00=
::/7", not defined yet
+ private-address: fd00::/8 # Unique local address (ULA) part of "fc00=
::/7", "/48" prefix group
+ private-address: fe80::/10 # Link-local address (LLA)
+
+ # file with root servers=20
+ root-hints: "/etc/unbound/root.hints"
+
+ # custom DNS zone files
+ include: "/etc/unbound/zones/*.conf"
+
+ # DHCP leases (if configured)
+ include: /etc/unbound/dhcpleases.conf
+
+ # Blocklists
+ include: "/etc/unbound/blocklists/*.conf"
+# end server config
+
+# enable remote control only on localhost
+remote-control:
+ control-enable: yes
+ control-use-cert: yes
+ control-interface: 127.0.0.1
+ server-key-file: "/etc/unbound/unbound_server.key"
+ server-cert-file: "/etc/unbound/unbound_server.pem"
+ control-key-file: "/etc/unbound/unbound_control.key"
+ control-cert-file: "/etc/unbound/unbound_control.pem"
+# end remote control config
+
+# custom DNS forward config
+include: "/etc/unbound/forward.conf"
diff --git a/lfs/unbound b/lfs/unbound
new file mode 100644
index 0000000..d91c0f9
--- /dev/null
+++ b/lfs/unbound
@@ -0,0 +1,103 @@
+############################################################################=
###
+# =
#
+# IPFire.org - A linux based firewall =
#
+# Copyright (C) 2007 Michael Tremer & Christian Schmidt =
#
+# =
#
+# This program is free software: you can redistribute it and/or modify =
#
+# it under the terms of the GNU General Public License as published by =
#
+# the Free Software Foundation, either version 3 of the License, or =
#
+# (at your option) any later version. =
#
+# =
#
+# This program is distributed in the hope that it will be useful, =
#
+# but WITHOUT ANY WARRANTY; without even the implied warranty of =
#
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the =
#
+# GNU General Public License for more details. =
#
+# =
#
+# You should have received a copy of the GNU General Public License =
#
+# along with this program. If not, see <http://www.gnu.org/licenses/>. =
#
+# =
#
+############################################################################=
###
+
+############################################################################=
###
+# Definitions
+############################################################################=
###
+
+include Config
+
+VER =3D 1.5.9
+THISAPP =3D unbound-$(VER)
+DL_FILE =3D $(THISAPP).tar.gz
+DL_FROM =3D $(URL_IPFIRE)
+DIR_APP =3D $(DIR_SRC)/$(THISAPP)
+TARGET =3D $(DIR_INFO)/$(THISAPP)
+PROG =3D unbound
+PAK_VER =3D 1
+DEPS =3D ""
+
+############################################################################=
###
+# Top-level Rules
+############################################################################=
###
+
+objects =3D $(DL_FILE)
+
+$(DL_FILE) =3D $(DL_FROM)/$(DL_FILE)
+
+$(DL_FILE)_MD5 =3D 0cefa62c1690b4db18583db84bff00e3
+
+install : $(TARGET)
+
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+
+md5 : $(subst %,%_MD5,$(objects))
+
+dist:=20
+ $(PAK)
+
+############################################################################=
###
+# Downloading, checking, md5sum
+############################################################################=
###
+
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+ @$(CHECK)
+
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
+ @$(LOAD)
+
+$(subst %,%_MD5,$(objects)) :
+ @$(MD5)
+
+############################################################################=
###
+# Installation Details
+############################################################################=
###
+
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+ @$(PREBUILD)
+ @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
+ cd $(DIR_APP) && ./configure \
+ --prefix=3D/usr \
+ --sysconfdir=3D/etc \
+ --disable-static \
+ --with-libevent \
+ --with-pyunbound \
+ --with-pidfile=3D/var/run/unbound.pid
+ cd $(DIR_APP) && make $(MAKETUNING)
+ cd $(DIR_APP) && make install
+ mv -v /usr/sbin/unbound-host /usr/bin/
+ # add ipfire config
+ mkdir -pv /etc/unbound/blocklists
+ mv -v /etc/unbound/unbound.conf /etc/unbound/unbound_org.conf
+ install -v -m 644 $(DIR_SRC)/config/unbound/*.conf /etc/unbound/
+ install -v -m 644 $(DIR_SRC)/config/unbound/root.hints /etc/unbound/
+ install -v -m 644 $(DIR_SRC)/config/unbound/root.key /etc/unbound/
+ install -v -m 644 $(DIR_SRC)/config/unbound/blocklists/*.conf /etc/unbound/=
blocklists/
+ install -v -m 644 $(DIR_SRC)/config/unbound/site-packages/* /usr/lib/python=
2.7/site-packages/
+ install -v -m 754 $(DIR_SRC)/config/unbound/unbound-switch /usr/sbin/
+ install -v -m 754 $(DIR_SRC)/config/unbound/unbound-zone /usr/sbin/
+ install -v -m 754 $(DIR_SRC)/config/unbound/unbound-dhcpd.py /usr/sbin/
+ install -v -m 754 $(DIR_SRC)/src/initscripts/init.d/unbound /etc/rc.d/init.=
d/
+ install -v -m 754 $(DIR_SRC)/src/initscripts/init.d/unbound-dhcpd /etc/rc.d=
/init.d/
+ install -v -m 754 $(DIR_SRC)/src/initscripts/init.d/network-unbound /etc/rc=
.d/init.d/
+ @rm -rf $(DIR_APP)
+ @$(POSTBUILD)
diff --git a/make.sh b/make.sh
index a9fac52..74bc06a 100755
--- a/make.sh
+++ b/make.sh
@@ -870,6 +870,7 @@ buildipfire() {
ipfiremake libpciaccess
ipfiremake libyajl
ipfiremake libvirt
+ ipfiremake unbound
}
=20
buildinstaller() {
diff --git a/src/initscripts/init.d/network-unbound b/src/initscripts/init.d/=
network-unbound
new file mode 100644
index 0000000..31fe173
--- /dev/null
+++ b/src/initscripts/init.d/network-unbound
@@ -0,0 +1,114 @@
+#!/bin/sh
+########################################################################
+# Begin $rc_base/init.d/network
+#
+# Description : Network Control Script
+#
+# Authors : Michael Tremer - mitch(a)ipfire.org
+#
+# Version : 01.00
+#
+# Notes : Written for IPFire by its team
+#
+########################################################################
+
+. /etc/sysconfig/rc
+. ${rc_functions}
+eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+
+
+DO=3D"${1}"
+shift
+
+if [ -n "${1}" ]; then
+ ALL=3D0
+ for i in green red blue orange; do
+ eval "${i}=3D0"
+ done
+else
+ ALL=3D1
+ for i in green red blue orange; do
+ eval "${i}=3D1"
+ done
+fi
+
+while [ ! $# =3D 0 ]; do
+ for i in green red blue orange; do
+ if [ "${i}" =3D=3D "${1}" ]; then
+ eval "${i}=3D1"
+ shift
+ fi
+ done
+done
+
+case "${DO}" in
+ start)
+
+ # Starting interfaces...
+ # GREEN
+ [ "$green" =3D=3D "1" ] && /etc/rc.d/init.d/networking/green start
+
+ # BLUE
+ [ "$blue" =3D=3D "1" ] && [ "$CONFIG_TYPE" =3D "3" -o "$CONFIG_TYPE" =3D "=
4" ] && \
+ /etc/rc.d/init.d/networking/blue start
+
+ # ORANGE
+ [ "$orange" =3D=3D "1" ] && [ "$CONFIG_TYPE" =3D "2" -o "$CONFIG_TYPE" =3D=
"4" ] && \
+ /etc/rc.d/init.d/networking/orange start
+
+ # RED
+ if [ "$red" =3D=3D "1" ]; then
+ if [ "$CONFIG_TYPE" =3D "1" -o "$CONFIG_TYPE" =3D "2" -o "$CONFIG_TYPE" =
=3D "3" -o "$CONFIG_TYPE" =3D "4" ]; then
+ # Remove possible leftover files
+ rm -f /var/ipfire/red/{active,device,dial-on-demand,dns1,dns2,local-ipad=
dress,remote-ipaddress,resolv.conf}
+ [ "$AUTOCONNECT" =3D=3D "off" ] || /etc/rc.d/init.d/networking/red start
+ fi
+ fi
+
+ /etc/rc.d/init.d/static-routes start
+ [ "${ALL}" =3D=3D "1" ] && /etc/rc.d/init.d/unbound start
+ ;;
+
+ stop)
+
+ [ "${ALL}" =3D=3D "1" ] && /etc/rc.d/init.d/unbound stop
+ # Stopping interfaces...
+ # GREEN
+ [ "$green" =3D=3D "1" ] && /etc/rc.d/init.d/networking/green stop
+=09
+ # BLUE
+ [ "$blue" =3D=3D "1" ] && [ "$CONFIG_TYPE" =3D "3" -o "$CONFIG_TYPE" =3D "=
4" ] && \
+ /etc/rc.d/init.d/networking/blue stop
+
+ # ORANGE
+ [ "$orange" =3D=3D "1" ] && [ "$CONFIG_TYPE" =3D "2" -o "$CONFIG_TYPE" =3D=
"4" ] && \
+ /etc/rc.d/init.d/networking/orange stop
+
+ # RED
+ if [ "$red" =3D=3D "1" ]; then
+ if [ "$CONFIG_TYPE" =3D "1" -o "$CONFIG_TYPE" =3D "2" -o "$CONFIG_TYPE" =
=3D "3" -o "$CONFIG_TYPE" =3D "4" ]; then
+ /etc/rc.d/init.d/networking/red stop
+ fi
+ fi
+
+ exit 0
+ ;;
+
+ restart)
+ for i in green red blue orange; do
+ if [ "${!i}" =3D=3D "1" ]; then
+ ARGS+=3D" ${i}"
+ fi
+ done
+ ${0} stop ${ARGS}
+ sleep 1
+ ${0} start ${ARGS}
+ ;;
+
+ *)
+ echo "Usage: ${0} {start|stop|restart} [device(s)]"
+ exit 1
+ ;;
+esac
+
+# End /etc/rc.d/init.d/network
diff --git a/src/initscripts/init.d/unbound b/src/initscripts/init.d/unbound
new file mode 100644
index 0000000..8e6881e
--- /dev/null
+++ b/src/initscripts/init.d/unbound
@@ -0,0 +1,178 @@
+#!/bin/sh
+# Begin $rc_base/init.d/unbound
+
+# Description : Unbound DNS resolver boot script for IPfire
+# Author : Marcel Lorenz <marcel.lorenz(a)ipfire.org>
+#
+# Comment : This init script additional starts the dhcpd watcher daemon
+# if DNS-Update (RFC2136) in web interface enabled
+
+. /etc/sysconfig/rc
+. ${rc_functions}
+
+if [[ ! -d /run/var ]]; then mkdir /run/var; fi;
+
+CONTROL_INTERFACE_FILE=3D1
+CONTROL_ACCESS_FILE=3D1
+USE_CUSTOM_FORWARDS=3D0
+ENABLE_DNSSEC=3D1
+
+# Unbound daemon pid file
+PIDFILE=3D/var/run/unbound.pid
+
+# Watcher deamon pid file must be the same in unbound main init script
+WAPIDFILE=3D/var/run/unbound_dhcpd.pid
+
+function cidr() {
+ local cidr nbits IFS;
+ IFS=3D. read -r i1 i2 i3 i4 <<< ${1}
+ IFS=3D. read -r m1 m2 m3 m4 <<< ${2}
+ cidr=3D$(printf "%d.%d.%d.%d\n" "$((i1 & m1))" "$((i2 & m2))" "$((i3 & m=
3))" "$((i4 & m4))")
+ nbits=3D0
+ IFS=3D.
+ for dec in $2 ; do
+ case $dec in
+ 255) let nbits+=3D8;;
+ 254) let nbits+=3D7;;
+ 252) let nbits+=3D6;;
+ 248) let nbits+=3D5;;
+ 240) let nbits+=3D4;;
+ 224) let nbits+=3D3;;
+ 192) let nbits+=3D2;;
+ 128) let nbits+=3D1;;
+ 0);;
+ *) echo "Error: $dec is not recognised"; exit 1
+ esac
+ done
+ echo "${cidr}/${nbits}"
+}
+
+case "$1" in
+ start)
+
+ if [[ -f ${PIDFILE} ]]; then
+ log_warning_msg "Unbound daemon is running with Process ID $(cat ${PIDF=
ILE})"
+ else
+ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+ #ARGS=3D"$CUSTOM_ARGS"
+ #[ "$DOMAIN_NAME_GREEN" !=3D "" ] && ARGS=3D"$ARGS -s $DOMAIN_NAME_GREE=
N"
+
+ echo > /var/ipfire/red/resolv.conf # Clear it
+ if [ -e "/var/ipfire/red/dns1" ]; then
+ DNS1=3D$(cat /var/ipfire/red/dns1 2>/dev/null)
+ if [ ! -z ${DNS1} ]; then
+ echo "nameserver ${DNS1}" >> /var/ipfire/red/resolv.conf
+ NAMESERVERS=3D"${DNS1} "
+ fi
+ fi
+ if [ -e "/var/ipfire/red/dns2" ]; then
+ DNS2=3D$(cat /var/ipfire/red/dns2 2>/dev/null)
+ if [ ! -z ${DNS2} ]; then
+ echo "nameserver ${DNS2}" >> /var/ipfire/red/resolv.conf
+ NAMESERVERS+=3D"${DNS2} "
+ fi
+ fi
+
+ # create unbound interfaces.conf
+ if [ ${CONTROL_INTERFACE_FILE} =3D 1 ]; then
+ echo -n > /etc/unbound/interfaces.conf # Clear it
+ if [ ! -z ${GREEN_ADDRESS} ]; then
+ echo "interface: ${GREEN_ADDRESS}" >> /etc/unbound/interfaces.conf
+ fi
+ if [ ! -z ${BLUE_ADDRESS} ]; then
+ echo "interface: ${BLUE_ADDRESS}" >> /etc/unbound/interfaces.conf
+ fi
+ if [ ! -z ${ORANGE_ADDRESS} ]; then
+ echo "interface: ${ORANGE_ADDRESS}" >> /etc/unbound/interfaces.conf
+ fi
+ fi
+
+ # create unbound access.conf
+ if [ ${CONTROL_ACCESS_FILE} =3D 1 ]; then
+ echo -n > /etc/unbound/access.conf # Clear it
+ if [ ! -z ${GREEN_ADDRESS} ]; then
+ echo "access-control: $(cidr ${GREEN_ADDRESS} ${GREEN_NETMASK}) allow" >> =
/etc/unbound/access.conf
+ fi
+ if [ ! -z ${BLUE_ADDRESS} ]; then
+ echo "access-control: $(cidr ${BLUE_ADDRESS} ${BLUE_NETMASK}) allow" >> /e=
tc/unbound/access.conf
+ fi
+ if [ ! -z ${ORANGE_ADDRESS} ]; then
+ echo "access-control: $(cidr ${ORANGE_ADDRESS} ${ORANGE_NETMASK}) allow" >=
> /etc/unbound/access.conf
+ fi
+ fi
+
+ # create unbound dnssec.conf
+ echo -n > /etc/unbound/dnssec.conf # Clear it
+ if [ ${ENABLE_DNSSEC} =3D 1 ]; then
+ echo " # dessec enabled per default" >> /etc/unbound/dnssec.conf
+ echo " # no necessary config options in this file" >> /etc/unbound/dn=
ssec.conf
+ else
+ echo " # dnssec now disabled" >> /etc/unbound/dnssec.conf
+ echo " module-config: iterator" >> /etc/unbound/dnssec.conf
+ echo " val-permissive-mode: yes" >> /etc/unbound/dnssec.conf
+ fi
+
+ # create zone file for internal ipfire domain=20
+ unbound-zone
+
+ boot_mesg "Starting Unbound DNS proxy..."
+ unbound-anchor
+ loadproc /usr/sbin/unbound
+
+ # start dhcpd watcher daemon if DNS-Update (RFC2136) activated
+ eval $(/usr/local/bin/readhash /var/ipfire/dhcp/settings)
+ if [[ ${DNS_UPDATE_ENABLED} =3D on && ! -f ${WAPIDFILE} ]]; then
+ /etc/rc.d/init.d/unbound-dhcpd start
+ fi
+
+ # use setup configured DNS servers=20
+ if [ "${USE_CUSTOM_FORWARDS}" -eq 0 ]; then
+ unbound-control forward_add +i . ${NAMESERVERS} &> /dev/null
+ fi;
+
+ FORWADRS=3D$(unbound-control list_forwards |sed 's|. IN forward ||g'|se=
d 's|+i ||g')
+ if [ "${USE_CUSTOM_FORWARDS}" -eq 0 ]; then
+ boot_mesg "Using DNS server(s): ${FORWADRS}"
+ else
+ boot_mesg "Using custom DNS server(s): ${FORWADRS}"
+ fi
+ if [ ${ENABLE_DNSSEC} =3D 1 ]; then
+ boot_mesg "DNSSEC is enabled!"
+ else
+ boot_mesg "DNSSEC is disabled!"
+ fi
+ fi=20
+ ;;
+
+ stop)
+
+ if [[ -f ${PIDFILE} ]]; then
+ # stop dhcpd watcher daemon if activted
+ if [[ -f ${WAPIDFILE} ]]; then
+ /etc/rc.d/init.d/unbound-dhcpd stop
+ fi
+ # stop Unbound daemon
+ boot_mesg "Stopping Unbound DNS proxy..."
+ killproc -p "/var/run/unbound.pid" /usr/sbin/unbound
+ else
+ log_warning_msg "Unbound daemon is not running..."
+ fi
+ ;;
+
+ restart)
+ $0 stop
+ sleep 1
+ $0 start
+ ;;
+
+ status)
+ statusproc /usr/sbin/unbound
+ ;;
+
+ *)
+ echo "Usage: $0 {start|stop|restart|status}"
+ exit 1
+ ;;
+esac
+
+# End $rc_base/init.d/unbound
diff --git a/src/initscripts/init.d/unbound-dhcpd b/src/initscripts/init.d/un=
bound-dhcpd
new file mode 100644
index 0000000..4c24a3c
--- /dev/null
+++ b/src/initscripts/init.d/unbound-dhcpd
@@ -0,0 +1,61 @@
+#!/bin/sh
+# Begin $rc_base/init.d/unbound-dhcpd
+
+# Description : Unbound dhcpd lease file wachter daemon boot script for IPFi=
re
+# Author : Marcel Lorenz <marcel.lorenz(a)ipfire.org>
+
+. /etc/sysconfig/rc
+. $rc_functions
+
+PIDFILE=3D/var/run/unbound_dhcpd.pid
+SETFILE=3D/var/ipfire/main/settings
+
+case "$1" in
+ start)
+ if [[ -f ${PIDFILE} ]]; then
+ log_warning_msg "Unbound dhcpd watcher daemon is running with Process ID=
$(cat ${PIDFILE})"
+ else
+ eval $(/usr/local/bin/readhash ${SETFILE})
+ boot_mesg "Starting Unbound dhcpd watcher deamon..."
+ loadproc /usr/bin/python /usr/sbin/unbound-dhcpd.py /domain ${DOMAINNAME=
} /pid ${PIDFILE}
+ fi
+ ;;
+
+ stop)
+ if [[ -f ${PIDFILE} ]]; then
+ boot_mesg "Stopping Unbound dhcpd watcher deamon..."
+ kill $(/bin/cat ${PIDFILE})
+ sleep 1
+ if [[ -f ${PIDFILE} ]]; then
+ echo_failure
+ else
+ echo_ok
+ fi
+ else
+ log_warning_msg "Unbound dhcpd watcher daemon is not running..."
+ fi
+ ;;
+
+ restart)
+ $0 stop
+ sleep 1
+ $0 start
+ ;;
+
+ status)
+ if [[ -f "$PIDFILE" ]]; then=20
+ echo -e "\\033[1;36mUnbound dhcpd watcher daemon is running with Process=
ID $(cat ${PIDFILE})\\033[0;39m"
+ exit 0
+ else
+ echo -e "\\033[1;36mUnbound dhcpd watcher daemon is not running...\\033[=
0;39m"
+ exit 0
+ fi
+ ;;
+
+ *)
+ echo "Usage: $0 {start|stop|restart|status}"
+ exit 1
+ ;;
+esac
+
+# End $rc_base/init.d/unbound-dhcpd
\ No newline at end of file
diff --git a/src/paks/unbound/install.sh b/src/paks/unbound/install.sh
new file mode 100644
index 0000000..84c93f3
--- /dev/null
+++ b/src/paks/unbound/install.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 2 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2016 IPFire-Team <info(a)ipfire.org>. =
#
+# #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+extract_files
+restore_backup ${NAME}
+
+# add unbound user and group
+groupadd -g 85 unbound=20
+useradd -c "Unbound DNS resolver" -d /var/lib/unbound -u 85 -g unbound -s /b=
in/false unbound
+
+# create config subdir's
+mkdir -pv /etc/unbound/log /etc/unbound/zones /var/log/unbound
+chown unbound:unbound -R /var/log/unbound/ /etc/unbound/log/;
+
+echo "Add logrotate config for unbound now..."
+LOGROTATE=3D$(grep -A 1 '/var/log/unbound/unbound.log' /etc/logrotate.conf)
+if [[ ! "${LOGROTATE}" ]]; then
+cat >> /etc/logrotate.conf << "EOF"
+# Unbound
+/var/log/unbound/unbound.log {
+ daily
+ rotate 30
+ copytruncate
+ compress
+ missingok
+ prerotate
+ /bin/mv -f /etc/unbound/log/unbound.log /var/log/unbound/unbound.log
+ /usr/sbin/unbound-control log_reopen &> /dev/null
+ endscript
+}
+
+EOF
+touch /etc/unbound/dhcpleases.conf
+touch /var/log/unbound/unbound.log
+chown unbound:unbound /var/log/unbound/unbound.log
+fi
+
+# create link to current logfile
+ln -svf /etc/unbound/log/unbound.log /var/log/unbound/current.log
+
+# create remote control key files and set rights=20
+/usr/sbin/unbound-control-setup &> /dev/null
+chown unbound:unbound /etc/unbound/{unbound_control.*,unbound_server.*,root.=
key,root.hints}
+
+# at last switch the DNS-Resolver to unbound
+/usr/sbin/unbound-switch
+
+unset LOGROTATE
+exit 0
diff --git a/src/paks/unbound/uninstall.sh b/src/paks/unbound/uninstall.sh
new file mode 100644
index 0000000..fc39f9f
--- /dev/null
+++ b/src/paks/unbound/uninstall.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 2 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2007 IPFire-Team <info(a)ipfire.org>. =
#
+# #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+/usr/sbin/resolver.sh
+make_backup ${NAME}
+remove_files
diff --git a/src/paks/unbound/update.sh b/src/paks/unbound/update.sh
new file mode 100644
index 0000000..89c40d0
--- /dev/null
+++ b/src/paks/unbound/update.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 2 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2007 IPFire-Team <info(a)ipfire.org>. =
#
+# #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+./uninstall.sh
+./install.sh
--=20
1.9.1
--===============6610858721895677634==--