Hi, so I have been working on this for a bit over the weekend and started a branch with those changes.   http://cgit.ipfire.org/people/ms/ipfire-2.x.git/log/?h=unbound I rewrote the Python code which I didn't find clean enough and good enough for our standards. My solution is lacking some minor things (the domain is always .local) but those should be easily fixable. I am just running out of time here. However I wanted to share my changes for you to review and test because despite these small things and some other issues for which I created bug reports on Bugzilla, I think this is rather close to be finished.   https://bugzilla.ipfire.org/showdependencytree.cgi?id=11163&hide_resolved=1 So, please have a look and test. I won't be able to work much on this over the next few weeks, hence I would be happy if some people take over a small part and get that fixed. I will be responding to emails though. Best, -Michael On Tue, 2016-08-02 at 20:48 +0200, Marcel Lorenz wrote: > Unbound is a validating, recursive, and caching DNS resolver. > https://www.unbound.net > > Signed-off-by: Marcel Lorenz > > --- >  config/rootfiles/packages/unbound            |  70 ++++++++ >  config/unbound/blocklists/ms-telemetry.conf  |  49 ++++++ >  config/unbound/forward.conf                  |   6 + >  config/unbound/root.hints                    |  90 ++++++++++ >  config/unbound/root.key                      |   9 + >  config/unbound/site-packages/daemonize.py    | 247 > +++++++++++++++++++++++++++ >  config/unbound/site-packages/dhcpd.py        | 108 ++++++++++++ >  config/unbound/site-packages/params.py       |  46 +++++ >  config/unbound/site-packages/watcherdhcpd.py | 107 ++++++++++++ >  config/unbound/unbound-dhcpd.py              | 145 ++++++++++++++++ >  config/unbound/unbound-switch                |  80 +++++++++ >  config/unbound/unbound-zone                  |  78 +++++++++ >  config/unbound/unbound.conf                  | 123 +++++++++++++ >  lfs/unbound                                  | 103 +++++++++++ >  make.sh                                      |   1 + >  src/initscripts/init.d/network-unbound       | 114 +++++++++++++ >  src/initscripts/init.d/unbound               | 178 +++++++++++++++++++ >  src/initscripts/init.d/unbound-dhcpd         |  61 +++++++ >  src/paks/unbound/install.sh                  |  70 ++++++++ >  src/paks/unbound/uninstall.sh                |  27 +++ >  src/paks/unbound/update.sh                   |  26 +++ >  21 files changed, 1738 insertions(+) >  create mode 100644 config/rootfiles/packages/unbound >  create mode 100644 config/unbound/blocklists/ms-telemetry.conf >  create mode 100644 config/unbound/forward.conf >  create mode 100644 config/unbound/root.hints >  create mode 100644 config/unbound/root.key >  create mode 100644 config/unbound/site-packages/daemonize.py >  create mode 100644 config/unbound/site-packages/dhcpd.py >  create mode 100644 config/unbound/site-packages/params.py >  create mode 100644 config/unbound/site-packages/watcherdhcpd.py >  create mode 100644 config/unbound/unbound-dhcpd.py >  create mode 100755 config/unbound/unbound-switch >  create mode 100644 config/unbound/unbound-zone >  create mode 100644 config/unbound/unbound.conf >  create mode 100644 lfs/unbound >  create mode 100644 src/initscripts/init.d/network-unbound >  create mode 100644 src/initscripts/init.d/unbound >  create mode 100644 src/initscripts/init.d/unbound-dhcpd >  create mode 100644 src/paks/unbound/install.sh >  create mode 100644 src/paks/unbound/uninstall.sh >  create mode 100644 src/paks/unbound/update.sh > > diff --git a/config/rootfiles/packages/unbound > b/config/rootfiles/packages/unbound > new file mode 100644 > index 0000000..c468167 > --- /dev/null > +++ b/config/rootfiles/packages/unbound > @@ -0,0 +1,70 @@ > +etc/rc.d/init.d/network-unbound > +etc/rc.d/init.d/unbound > +etc/rc.d/init.d/unbound-dhcpd > +#etc/unbound > +#etc/unbound/blocklists > +etc/unbound/blocklists/ms-telemetry.conf > +etc/unbound/forward.conf > +etc/unbound/root.hints > +etc/unbound/root.key > +etc/unbound/unbound.conf > +etc/unbound/unbound_org.conf > +usr/bin/unbound-host > +#usr/include/unbound.h > +#usr/lib/libunbound.la > +usr/lib/libunbound.so > +usr/lib/libunbound.so.2 > +usr/lib/libunbound.so.2.4.1 > +#usr/lib/python2.7/site-packages/_unbound.la > +usr/lib/python2.7/site-packages/_unbound.so > +usr/lib/python2.7/site-packages/daemonize.py > +usr/lib/python2.7/site-packages/dhcpd.py > +usr/lib/python2.7/site-packages/params.py > +usr/lib/python2.7/site-packages/unbound.py > +usr/lib/python2.7/site-packages/watcherdhcpd.py > +usr/sbin/unbound > +usr/sbin/unbound-anchor > +usr/sbin/unbound-checkconf > +usr/sbin/unbound-dhcpd.py > +usr/sbin/unbound-control > +usr/sbin/unbound-control-setup > +usr/sbin/unbound-switch > +usr/sbin/unbound-zone > +#usr/share/man/man1/unbound-host.1 > +#usr/share/man/man3/libunbound.3 > +#usr/share/man/man3/ub_cancel.3 > +#usr/share/man/man3/ub_ctx.3 > +#usr/share/man/man3/ub_ctx_add_ta.3 > +#usr/share/man/man3/ub_ctx_add_ta_file.3 > +#usr/share/man/man3/ub_ctx_async.3 > +#usr/share/man/man3/ub_ctx_config.3 > +#usr/share/man/man3/ub_ctx_create.3 > +#usr/share/man/man3/ub_ctx_data_add.3 > +#usr/share/man/man3/ub_ctx_data_remove.3 > +#usr/share/man/man3/ub_ctx_debuglevel.3 > +#usr/share/man/man3/ub_ctx_debugout.3 > +#usr/share/man/man3/ub_ctx_delete.3 > +#usr/share/man/man3/ub_ctx_get_option.3 > +#usr/share/man/man3/ub_ctx_hosts.3 > +#usr/share/man/man3/ub_ctx_print_local_zones.3 > +#usr/share/man/man3/ub_ctx_resolvconf.3 > +#usr/share/man/man3/ub_ctx_set_fwd.3 > +#usr/share/man/man3/ub_ctx_set_option.3 > +#usr/share/man/man3/ub_ctx_trustedkeys.3 > +#usr/share/man/man3/ub_ctx_zone_add.3 > +#usr/share/man/man3/ub_ctx_zone_remove.3 > +#usr/share/man/man3/ub_fd.3 > +#usr/share/man/man3/ub_poll.3 > +#usr/share/man/man3/ub_process.3 > +#usr/share/man/man3/ub_resolve.3 > +#usr/share/man/man3/ub_resolve_async.3 > +#usr/share/man/man3/ub_resolve_free.3 > +#usr/share/man/man3/ub_result.3 > +#usr/share/man/man3/ub_strerror.3 > +#usr/share/man/man3/ub_wait.3 > +#usr/share/man/man5/unbound.conf.5 > +#usr/share/man/man8/unbound-anchor.8 > +#usr/share/man/man8/unbound-checkconf.8 > +#usr/share/man/man8/unbound-control-setup.8 > +#usr/share/man/man8/unbound-control.8 > +#usr/share/man/man8/unbound.8 > diff --git a/config/unbound/blocklists/ms-telemetry.conf > b/config/unbound/blocklists/ms-telemetry.conf > new file mode 100644 > index 0000000..7801e76 > --- /dev/null > +++ b/config/unbound/blocklists/ms-telemetry.conf > @@ -0,0 +1,49 @@ > +# Windows telemetry > +local-data: "a-0001.a-msedge.net A 127.0.0.1" > +local-data: "asimov-win.settings.data.microsoft.com.akadns.net. A 127.0.0.1" > +local-data: "asimov-win.vortex.data.microsoft.com.akadns.net. A 127.0.0.1" > +local-data: "choice.microsoft.com A 127.0.0.1" > +local-data: "choice.microsoft.com.nsatc.net A 127.0.0.1" > +local-data: "compatexchange.cloudapp.net A 127.0.0.1" > +local-data: "corpext.msitadfs.glbdns2.microsoft.com A 127.0.0.1" > +local-data: "corp.sts.microsoft.com A 127.0.0.1" > +local-data: "cs1.wpc.v0cdn.net A 127.0.0.1" > +local-data: "df.telemetry.microsoft.com A 127.0.0.1" > +local-data: "diagnostics.support.microsoft.com A 127.0.0.1" > +local-data: "fe2.update.microsoft.com.akadns.net A 127.0.0.1" > +local-data: "feedback.microsoft-hohm.com A 127.0.0.1" > +local-data: "feedback.search.microsoft.com A 127.0.0.1" > +local-data: "feedback.windows.com A 127.0.0.1" > +local-data: "i1.services.social.microsoft.com A 127.0.0.1" > +local-data: "i1.services.social.microsoft.com.nsatc.net A 127.0.0.1" > +local-data: "nexus.officeapps.live.com A 127.0.0.1" > +local-data: "oca.telemetry.microsoft.com A 127.0.0.1" > +local-data: "oca.telemetry.microsoft.com.nsatc.net A 127.0.0.1" > +local-data: "pre.footprintpredict.com A 127.0.0.1" > +local-data: "redir.metaservices.microsoft.com A 127.0.0.1" > +local-data: "reports.wes.df.telemetry.microsoft.com A 127.0.0.1" > +local-data: "services.wes.df.telemetry.microsoft.com A 127.0.0.1" > +local-data: "settings-sandbox.data.microsoft.com A 127.0.0.1" > +local-data: "settings-win.data.microsoft.com A 127.0.0.1" > +local-data: "sls.update.microsoft.com.akadns.net A 127.0.0.1" > +local-data: "sqm.df.telemetry.microsoft.com A 127.0.0.1" > +local-data: "sqm.telemetry.microsoft.com A 127.0.0.1" > +local-data: "sqm.telemetry.microsoft.com.nsatc.net A 127.0.0.1" > +local-data: "statsfe1.ws.microsoft.com A 127.0.0.1" > +local-data: "statsfe2.update.microsoft.com.akadns.net A 127.0.0.1" > +local-data: "statsfe2.ws.microsoft.com A 127.0.0.1" > +local-data: "survey.watson.microsoft.com A 127.0.0.1" > +local-data: "telecommand.telemetry.microsoft.com A 127.0.0.1" > +local-data: "telecommand.telemetry.microsoft.com.nsatc.net A 127.0.0.1" > +local-data: "telemetry.appex.bing.net A 127.0.0.1" > +local-data: "telemetry.microsoft.com A 127.0.0.1" > +local-data: "telemetry.urs.microsoft.com A 127.0.0.1" > +local-data: "vortex.data.microsoft.com A 127.0.0.1" > +local-data: "vortex-sandbox.data.microsoft.com A 127.0.0.1" > +local-data: "vortex-win.data.microsoft.com  A 127.0.0.1" > +local-data: "watson.live.com A 127.0.0.1" > +local-data: "watson.microsoft.com A 127.0.0.1" > +local-data: "watson.ppe.telemetry.microsoft.com A 127.0.0.1" > +local-data: "watson.telemetry.microsoft.com A 127.0.0.1" > +local-data: "watson.telemetry.microsoft.com.nsatc.net A 127.0.0.1" > +local-data: "wes.df.telemetry.microsoft.com A 127.0.0.1" > diff --git a/config/unbound/forward.conf b/config/unbound/forward.conf > new file mode 100644 > index 0000000..5784f9f > --- /dev/null > +++ b/config/unbound/forward.conf > @@ -0,0 +1,6 @@ > +forward-zone: > +  name: "." > +  forward-addr: 85.214.20.141 > +  forward-addr: 194.150.168.168 > +  forward-addr: 208.67.222.222 > +  forward-addr: 208.67.220.220 > diff --git a/config/unbound/root.hints b/config/unbound/root.hints > new file mode 100644 > index 0000000..3c82146 > --- /dev/null > +++ b/config/unbound/root.hints > @@ -0,0 +1,90 @@ > +;       This file holds the information on root name servers needed to > +;       initialize cache of Internet domain name servers > +;       (e.g. reference this file in the "cache  .  " > +;       configuration file of BIND domain name servers). > +; > +;       This file is made available by InterNIC  > +;       under anonymous FTP as > +;           file                /domain/named.cache > +;           on server           FTP.INTERNIC.NET > +;       -OR-                    RS.INTERNIC.NET > +; > +;       last update:    March 23, 2016 > +;       related version of root zone:   2016032301 > +; > +; formerly NS.INTERNIC.NET > +; > +.                        3600000      NS    A.ROOT-SERVERS.NET. > +A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4 > +A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30 > +; > +; FORMERLY NS1.ISI.EDU > +; > +.                        3600000      NS    B.ROOT-SERVERS.NET. > +B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201 > +B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:84::b > +; > +; FORMERLY C.PSI.NET > +; > +.                        3600000      NS    C.ROOT-SERVERS.NET. > +C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12 > +C.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2::c > +; > +; FORMERLY TERP.UMD.EDU > +; > +.                        3600000      NS    D.ROOT-SERVERS.NET. > +D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13 > +D.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2d::d > +; > +; FORMERLY NS.NASA.GOV > +; > +.                        3600000      NS    E.ROOT-SERVERS.NET. > +E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10 > +; > +; FORMERLY NS.ISC.ORG > +; > +.                        3600000      NS    F.ROOT-SERVERS.NET. > +F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241 > +F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2f::f > +; > +; FORMERLY NS.NIC.DDN.MIL > +; > +.                        3600000      NS    G.ROOT-SERVERS.NET. > +G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4 > +; > +; FORMERLY AOS.ARL.ARMY.MIL > +; > +.                        3600000      NS    H.ROOT-SERVERS.NET. > +H.ROOT-SERVERS.NET.      3600000      A     198.97.190.53 > +H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::53 > +; > +; FORMERLY NIC.NORDU.NET > +; > +.                        3600000      NS    I.ROOT-SERVERS.NET. > +I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17 > +I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fe::53 > +; > +; OPERATED BY VERISIGN, INC. > +; > +.                        3600000      NS    J.ROOT-SERVERS.NET. > +J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30 > +J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:c27::2:30 > +; > +; OPERATED BY RIPE NCC > +; > +.                        3600000      NS    K.ROOT-SERVERS.NET. > +K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129 > +K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fd::1 > +; > +; OPERATED BY ICANN > +; > +.                        3600000      NS    L.ROOT-SERVERS.NET. > +L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42 > +L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:9f::42 > +; > +; OPERATED BY WIDE > +; > +.                        3600000      NS    M.ROOT-SERVERS.NET. > +M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33 > +M.ROOT-SERVERS.NET.      3600000      AAAA  2001:dc3::35 > +; End of file > diff --git a/config/unbound/root.key b/config/unbound/root.key > new file mode 100644 > index 0000000..fb540e3 > --- /dev/null > +++ b/config/unbound/root.key > @@ -0,0 +1,9 @@ > +; autotrust trust anchor file > +;;id: . 1 > +;;last_queried: 1467576595 ;;Sun Jul  3 22:09:55 2016 > +;;last_success: 1467576595 ;;Sun Jul  3 22:09:55 2016 > +;;next_probe_time: 1467616562 ;;Mon Jul  4 09:16:02 2016 > +;;query_failed: 0 > +;;query_interval: 43200 > +;;retry_time: 8640 > +. 172800 IN DNSKEY 257 3 8 > AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0Ez > rAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkj > f5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCT > MjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqr > AmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} > ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1467575383 ;;Sun Jul  3 21:49:43 > 2016 > diff --git a/config/unbound/site-packages/daemonize.py b/config/unbound/site- > packages/daemonize.py > new file mode 100644 > index 0000000..e083feb > --- /dev/null > +++ b/config/unbound/site-packages/daemonize.py > @@ -0,0 +1,247 @@ > +# #!/usr/bin/python > + > +import fcntl > +import os > +import pwd > +import grp > +import sys > +import signal > +import resource > +import logging > +import atexit > +from logging import handlers > +import traceback > + > + > +__version__ = "2.4.6" > + > + > +class Daemonize(object): > +    """ > +    Daemonize object. > + > +    Object constructor expects three arguments. > + > +    :param app: contains the application name which will be sent to syslog. > +    :param pid: path to the pidfile. > +    :param action: your custom function which will be executed after > daemonization. > +    :param keep_fds: optional list of fds which should not be closed. > +    :param auto_close_fds: optional parameter to not close opened fds. > +    :param privileged_action: action that will be executed before drop > privileges if user or > +                              group parameter is provided. > +                              If you want to transfer anything from > privileged_action to action, such as > +                              opened privileged file descriptor, you should > return it from > +                              privileged_action function and catch it inside > action function. > +    :param user: drop privileges to this user if provided. > +    :param group: drop privileges to this group if provided. > +    :param verbose: send debug messages to logger if provided. > +    :param logger: use this logger object instead of creating new one, if > provided. > +    :param foreground: stay in foreground; do not fork (for debugging) > +    :param chdir: change working directory if provided or / > +    """ > +    def __init__(self, app, pid, action, > +                 keep_fds=None, auto_close_fds=True, privileged_action=None, > +                 user=None, group=None, verbose=False, logger=None, > +                 foreground=False, chdir="/"): > +        self.app = app > +        self.pid = os.path.abspath(pid) > +        self.action = action > +        self.keep_fds = keep_fds or [] > +        self.privileged_action = privileged_action or (lambda: ()) > +        self.user = user > +        self.group = group > +        self.logger = logger > +        self.verbose = verbose > +        self.auto_close_fds = auto_close_fds > +        self.foreground = foreground > +        self.chdir = chdir > + > +    def sigterm(self, signum, frame): > +        """ > +        These actions will be done after SIGTERM. > +        """ > +        self.logger.warn("Caught signal %s. Stopping daemon." % signum) > +        sys.exit(0) > + > +    def exit(self): > +        """ > +        Cleanup pid file at exit. > +        """ > +        self.logger.warn("Stopping daemon.") > +        os.remove(self.pid) > +        sys.exit(0) > + > +    def start(self): > +        """ > +        Start daemonization process. > +        """ > +        # If pidfile already exists, we should read pid from there; to > overwrite it, if locking > +        # will fail, because locking attempt somehow purges the file > contents. > +        if os.path.isfile(self.pid): > +            with open(self.pid, "r") as old_pidfile: > +                old_pid = old_pidfile.read() > +        # Create a lockfile so that only one instance of this daemon is > running at any time. > +        try: > +            lockfile = open(self.pid, "w") > +        except IOError: > +            print("Unable to create the pidfile.") > +            sys.exit(1) > +        try: > +            # Try to get an exclusive lock on the file. This will fail if > another process has the file > +            # locked. > +            fcntl.flock(lockfile, fcntl.LOCK_EX | fcntl.LOCK_NB) > +        except IOError: > +            print("Unable to lock on the pidfile.") > +            # We need to overwrite the pidfile if we got here. > +            with open(self.pid, "w") as pidfile: > +                pidfile.write(old_pid) > +            sys.exit(1) > + > +        # skip fork if foreground is specified > +        if not self.foreground: > +            # Fork, creating a new process for the child. > +            try: > +                process_id = os.fork() > +            except OSError as e: > +                self.logger.error("Unable to fork, errno: > {0}".format(e.errno)) > +                sys.exit(1) > +            if process_id != 0: > +                # This is the parent process. Exit without cleanup, > +                # see https://github.com/thesharp/daemonize/issues/46 > +                os._exit(0) > +            # This is the child process. Continue. > + > +            # Stop listening for signals that the parent process receives. > +            # This is done by getting a new process id. > +            # setpgrp() is an alternative to setsid(). > +            # setsid puts the process in a new parent group and detaches its > controlling terminal. > +            process_id = os.setsid() > +            if process_id == -1: > +                # Uh oh, there was a problem. > +                sys.exit(1) > + > +            # Add lockfile to self.keep_fds. > +            self.keep_fds.append(lockfile.fileno()) > + > +            # Close all file descriptors, except the ones mentioned in > self.keep_fds. > +            devnull = "/dev/null" > +            if hasattr(os, "devnull"): > +                # Python has set os.devnull on this system, use it instead as > it might be different > +                # than /dev/null. > +                devnull = os.devnull > + > +            if self.auto_close_fds: > +                for fd in range(3, > resource.getrlimit(resource.RLIMIT_NOFILE)[0]): > +                    if fd not in self.keep_fds: > +                        try: > +                            os.close(fd) > +                        except OSError: > +                            pass > + > +            devnull_fd = os.open(devnull, os.O_RDWR) > +            os.dup2(devnull_fd, 0) > +            os.dup2(devnull_fd, 1) > +            os.dup2(devnull_fd, 2) > + > +        if self.logger is None: > +            # Initialize logging. > +            self.logger = logging.getLogger(self.app) > +            self.logger.setLevel(logging.DEBUG) > +            # Display log messages only on defined handlers. > +            self.logger.propagate = False > + > +            # Initialize syslog. > +            # It will correctly work on OS X, Linux and FreeBSD. > +            if sys.platform == "darwin": > +                syslog_address = "/var/run/syslog" > +            else: > +                syslog_address = "/dev/log" > + > +            # We will continue with syslog initialization only if actually > have such capabilities > +            # on the machine we are running this. > +            if os.path.exists(syslog_address): > +                syslog = handlers.SysLogHandler(syslog_address) > +                if self.verbose: > +                    syslog.setLevel(logging.DEBUG) > +                else: > +                    syslog.setLevel(logging.INFO) > +                # Try to mimic to normal syslog messages. > +                formatter = logging.Formatter("%(asctime)s %(name)s: > %(message)s", > +                                              "%b %e %H:%M:%S") > +                syslog.setFormatter(formatter) > + > +                self.logger.addHandler(syslog) > + > +        # Set umask to default to safe file permissions when running as a > root daemon. 027 is an > +        # octal number which we are typing as 0o27 for Python3 compatibility. > +        os.umask(0o27) > + > +        # Change to a known directory. If this isn't done, starting a daemon > in a subdirectory that > +        # needs to be deleted results in "directory busy" errors. > +        os.chdir(self.chdir) > + > +        # Execute privileged action > +        privileged_action_result = self.privileged_action() > +        if not privileged_action_result: > +            privileged_action_result = [] > + > +        # Change owner of pid file, it's required because pid file will be > removed at exit. > +        uid, gid = -1, -1 > + > +        if self.group: > +            try: > +                gid = grp.getgrnam(self.group).gr_gid > +            except KeyError: > +                self.logger.error("Group {0} not found".format(self.group)) > +                sys.exit(1) > + > +        if self.user: > +            try: > +                uid = pwd.getpwnam(self.user).pw_uid > +            except KeyError: > +                self.logger.error("User {0} not found.".format(self.user)) > +                sys.exit(1) > + > +        if uid != -1 or gid != -1: > +            os.chown(self.pid, uid, gid) > + > +        # Change gid > +        if self.group: > +            try: > +                os.setgid(gid) > +            except OSError: > +                self.logger.error("Unable to change gid.") > +                sys.exit(1) > + > +        # Change uid > +        if self.user: > +            try: > +                uid = pwd.getpwnam(self.user).pw_uid > +            except KeyError: > +                self.logger.error("User {0} not found.".format(self.user)) > +                sys.exit(1) > +            try: > +                os.setuid(uid) > +            except OSError: > +                self.logger.error("Unable to change uid.") > +                sys.exit(1) > + > +        try: > +            lockfile.write("%s" % (os.getpid())) > +            lockfile.flush() > +        except IOError: > +            self.logger.error("Unable to write pid to the pidfile.") > +            print("Unable to write pid to the pidfile.") > +            sys.exit(1) > + > +        # Set custom action on SIGTERM. > +        signal.signal(signal.SIGTERM, self.sigterm) > +        atexit.register(self.exit) > + > +        self.logger.warn("Starting daemon.") > + > +        try: > +            self.action(*privileged_action_result) > +        except Exception as e: > +            for line in traceback.format_exc(e).split("\n"): > +                self.logger.error(line) > diff --git a/config/unbound/site-packages/dhcpd.py b/config/unbound/site- > packages/dhcpd.py > new file mode 100644 > index 0000000..6d586c7 > --- /dev/null > +++ b/config/unbound/site-packages/dhcpd.py > @@ -0,0 +1,108 @@ > +""" > +    Copyright (c) 2016 Ad Schellevis > +    All rights reserved. > + > +    Redistribution and use in source and binary forms, with or without > +    modification, are permitted provided that the following conditions are > met: > + > +    1. Redistributions of source code must retain the above copyright notice, > +     this list of conditions and the following disclaimer. > + > +    2. Redistributions in binary form must reproduce the above copyright > +     notice, this list of conditions and the following disclaimer in the > +     documentation and/or other materials provided with the distribution. > + > +    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED > WARRANTIES, > +    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY > +    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL > THE > +    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, > EXEMPLARY, > +    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF > +    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS > +    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN > +    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) > +    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF > THE > +    POSSIBILITY OF SUCH DAMAGE. > +""" > +import os > +import time > +import datetime > + > +class DHCPDLease(object): > +    watch_file = '/var/dhcpd/var/db/dhcpd.leases' > + > +    def __init__(self): > +        """ init watcher > +        :return: watcher object > +        """ > +        self._section_data = [] > +        self._fhandle = None > +        self._last_pos = None > +        self._open() > + > +    def _open(self): > +        """ (re)open watched file > +        :return: watcher object > +        """ > +        try: > +            self._fhandle = open(self.watch_file, 'r') > +            self._last_pos = None > +            self._section_data = [] > +            return True > +        except IOError: > +            self._fhandle = None > +            return False > + > +    @staticmethod > +    def parse_lease(lines): > +        """ parse dhcp lease > +        :param lines: lease section as list item > +        :return: dictionary > +        """ > +        lease = dict() > +        lease['address'] = lines[0].split()[1] > +        for line in lines: > +            parts =  line.split() > +            field_name = parts[0] > +            field_value = None > +            if field_name in ('starts', 'ends', 'tstp', 'tsfp', 'atsfp', > 'cltt') and len(parts) >= 3: > +                dt = '%s %s'%(parts[2], parts[3]) > +                try: > +                    field_value = time.mktime(datetime.datetime.strptime(dt, > "%Y/%m/%d %H:%M:%S;").timetuple()) > +                except ValueError: > +                    field_value = None > +            elif field_name == 'hardware' and len(parts) >= 3: > +                field_value = {'hardware-type': parts[1], 'mac-address': > parts[2]} > +            elif field_name in('uid', 'client-hostname') and len(parts) >= 2 > and parts[1].find('"') > -1: > +                field_value = parts[1].split('"')[1] > + > +            if field_value is not None: > +                lease[field_name] = field_value > + > +        return lease > + > +    def watch(self): > +        """ watch file, return lease dictionaries > +        :return: iterator for leases > +        """ > +        if self._fhandle is None or os.fstat(self._fhandle.fileno()).st_nlink > == 0: > +            # nothing to watch, try to (re)open return when failed > +            if not self._open(): > +                return > +        elif self._last_pos is not None: > +            self._fhandle.seek(self._last_pos) > + > +        while True: > +            line = self._fhandle.readline() > +            if line: > +                if len(line) > 5 and line[0:5] == 'lease': > +                    self._section_data.append(line) > +                elif len(line) > 1 and line[0] == '}': > +                    self._section_data.append(line) > +                    yield self.parse_lease(self._section_data) > +                    self._section_data = [] > +                elif len(self._section_data) > 0: > +                    self._section_data.append(line) > +            else: > +                break > + > +        self._last_pos = self._fhandle.tell() > diff --git a/config/unbound/site-packages/params.py b/config/unbound/site- > packages/params.py > new file mode 100644 > index 0000000..6be3244 > --- /dev/null > +++ b/config/unbound/site-packages/params.py > @@ -0,0 +1,46 @@ > +""" > +    Copyright (c) 2015-2016 Ad Schellevis > +    All rights reserved. > + > +    Redistribution and use in source and binary forms, with or without > +    modification, are permitted provided that the following conditions are > met: > + > +    1. Redistributions of source code must retain the above copyright notice, > +     this list of conditions and the following disclaimer. > + > +    2. Redistributions in binary form must reproduce the above copyright > +     notice, this list of conditions and the following disclaimer in the > +     documentation and/or other materials provided with the distribution. > + > +    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED > WARRANTIES, > +    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY > +    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL > THE > +    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, > EXEMPLARY, > +    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF > +    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS > +    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN > +    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) > +    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF > THE > +    POSSIBILITY OF SUCH DAMAGE. > +""" > + > +import sys > + > + > +def update_params(parameters): > +    """ update predefined parameters with given list from shell (as switches) > +        for example /a valA /b valB > +        converts to > +            {'a':'valA','b':'valB'} > +        (assuming parameters contains both a and b) > +    :param parameters: parameter dictionary > +    :return: > +    """ > +    cmd = None > +    for arg in sys.argv[1:]: > +        if cmd is None: > +            cmd = arg[1:] > +        else: > +            if cmd in parameters and arg.strip() != '': > +                parameters[cmd] = arg.strip() > +            cmd = None > diff --git a/config/unbound/site-packages/watcherdhcpd.py > b/config/unbound/site-packages/watcherdhcpd.py > new file mode 100644 > index 0000000..c726d5c > --- /dev/null > +++ b/config/unbound/site-packages/watcherdhcpd.py > @@ -0,0 +1,107 @@ > +""" > +    Copyright (c) 2016 Ad Schellevis > +    All rights reserved. > + > +    Redistribution and use in source and binary forms, with or without > +    modification, are permitted provided that the following conditions are > met: > + > +    1. Redistributions of source code must retain the above copyright notice, > +     this list of conditions and the following disclaimer. > + > +    2. Redistributions in binary form must reproduce the above copyright > +     notice, this list of conditions and the following disclaimer in the > +     documentation and/or other materials provided with the distribution. > + > +    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED > WARRANTIES, > +    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY > +    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL > THE > +    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, > EXEMPLARY, > +    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF > +    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS > +    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN > +    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) > +    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF > THE > +    POSSIBILITY OF SUCH DAMAGE. > +""" > +import os > +import time > +import datetime > + > +class DHCPDLease(object): > +    watch_file = '/var/state/dhcp/dhcpd.leases' > + > +    def __init__(self): > +        """ init watcher > +        :return: watcher object > +        """ > +        self._section_data = [] > +        self._fhandle = None > +        self._last_pos = None > +        self._open() > + > +    def _open(self): > +        """ (re)open watched file > +        :return: watcher object > +        """ > +        try: > +            self._fhandle = open(self.watch_file, 'r') > +            self._last_pos = None > +            self._section_data = [] > +            return True > +        except IOError: > +            self._fhandle = None > +            return False > + > +    @staticmethod > +    def parse_lease(lines): > +        """ parse dhcp lease > +        :param lines: lease section as list item > +        :return: dictionary > +        """ > +        lease = dict() > +        lease['address'] = lines[0].split()[1] > +        for line in lines: > +            parts =  line.split() > +            field_name = parts[0] > +            field_value = None > +            if field_name in ('starts', 'ends', 'tstp', 'tsfp', 'atsfp', > 'cltt') and len(parts) >= 3: > +                dt = '%s %s'%(parts[2], parts[3]) > +                try: > +                    field_value = time.mktime(datetime.datetime.strptime(dt, > "%Y/%m/%d %H:%M:%S;").timetuple()) > +                except ValueError: > +                    field_value = None > +            elif field_name == 'hardware' and len(parts) >= 3: > +                field_value = {'hardware-type': parts[1], 'mac-address': > parts[2]} > +            elif field_name in('uid', 'client-hostname') and len(parts) >= 2 > and parts[1].find('"') > -1: > +                field_value = parts[1].split('"')[1] > + > +            if field_value is not None: > +                lease[field_name] = field_value > +        return lease > + > +    def watch(self): > +        """ watch file, return lease dictionaries > +        :return: iterator for leases > +        """ > +        if self._fhandle is None or os.fstat(self._fhandle.fileno()).st_nlink > == 0: > +            # nothing to watch, try to (re)open return when failed > +            if not self._open(): > +                return > +        elif self._last_pos is not None: > +            self._fhandle.seek(self._last_pos) > + > +        while True: > +            line = self._fhandle.readline() > +            if line: > +                if len(line) > 5 and line[0:5] == 'lease': > +                    self._section_data.append(line) > +                elif len(line) > 1 and line[0] == '}': > +                    self._section_data.append(line) > +                    yield self.parse_lease(self._section_data) > +                    self._section_data = [] > +                elif len(self._section_data) > 0: > +                    self._section_data.append(line) > +            else: > +                break > + > +        self._last_pos = self._fhandle.tell() > diff --git a/config/unbound/unbound-dhcpd.py b/config/unbound/unbound-dhcpd.py > new file mode 100644 > index 0000000..0afedc9 > --- /dev/null > +++ b/config/unbound/unbound-dhcpd.py > @@ -0,0 +1,145 @@ > +#!/usr/bin/python2.7 > + > +""" > +    Copyright (c) 2016 Ad Schellevis > +    All rights reserved. > + > +    Redistribution and use in source and binary forms, with or without > +    modification, are permitted provided that the following conditions are > met: > + > +    1. Redistributions of source code must retain the above copyright notice, > +     this list of conditions and the following disclaimer. > + > +    2. Redistributions in binary form must reproduce the above copyright > +     notice, this list of conditions and the following disclaimer in the > +     documentation and/or other materials provided with the distribution. > + > +    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED > WARRANTIES, > +    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY > +    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL > THE > +    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, > EXEMPLARY, > +    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF > +    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS > +    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN > +    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) > +    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF > THE > +    POSSIBILITY OF SUCH DAMAGE. > + > +    ------------------------------------------------------------------------- > ------------- > +    watch dhcp lease file and build include file for unbound > +""" > +import os > +import sys > + > +sys.path.insert(0, "/usr/lib/python2.7/site-packages") > +import subprocess > +import time > +import tempfile > +from daemonize import Daemonize > +import watcherdhcpd > +import params > + > + > +def unbound_control(commands, output_stream=None): > +    """ execute (chrooted) unbound-control command > +        :param commands: command list (parameters) > +        :param output_stream: (optional)output stream > +        :return: None > +    """ > +    output_stream = open(os.devnull, 'w') > +    subprocess.check_call(['/usr/sbin/chroot', '--userspec=unbound:unbound', > '/', > +                           '/usr/sbin/unbound-control', '-c', > '/etc/unbound/unbound.conf'] + commands, > +                          stdout=output_stream, stderr=subprocess.STDOUT) > +    output_stream.seek(0) > + > + > +def unbound_known_addresses(): > +    """ fetch known addresses > +        :return: list > +    """ > +    result = list() > +    with tempfile.NamedTemporaryFile() as output_stream: > +        unbound_control(['list_local_data'], output_stream) > +        for line in output_stream.read().split('\n'): > +            parts = line.split() > +            if len(parts) > 4 and parts[3] == 'A': > +                result.append(parts[4]) > +    print result > +    return result > + > + > +# parse input params > +app_params = {'pid': '/var/run/unbound_dhcpd.pid', > +              'domain': 'local', > +              'target': '/etc/unbound/dhcpleases.conf', > +              'background': '1'} > +params.update_params(app_params) > + > + > +def main(): > +    # cleanup interval (seconds) > +    cleanup_interval = 60 > + > +    # All times in the lease database are in Coordinated Universal Time > (UTC), not local time! > +    tzone = 0 > +    if app_params['background'] <> 1: > +       print "Add leases for domian:",app_params['domain'] > + > +    # initiate lease watcher and setup cache > +    dhcpdleases = watcherdhcpd.DHCPDLease() > +    cached_leases = dict() > +    known_addresses = unbound_known_addresses() > + > +    # start watching dhcp leases > +    last_cleanup = time.time() > +    while True: > +        dhcpd_changed = False > +        if time.daylight <> 0: > +            utctime = time.time() + time.altzone > +        else: > +            utctime = time.time() + time.timezone > + > +        for lease in dhcpdleases.watch(): > +            if 'ends' in lease and lease['ends'] > utctime and 'client- > hostname' in lease and 'address' in lease: > +                cached_leases[lease['address']] = lease > +                dhcpd_changed = True > +                if app_params['background'] <> 1: > +                   print "IP:",lease['address'],"Hostname:",lease['client- > hostname'],"Start:",lease['starts'],"End:",lease['ends'] > + > +        if time.time() - last_cleanup > cleanup_interval: > +            # cleanup every x seconds > +            last_cleanup = time.time() > +            addresses = cached_leases.keys() > +            for address in addresses: > +                if cached_leases[address]['ends'] < time.time(): > +                    del cached_leases[address] > +                    dhcpd_changed = True > + > +        if dhcpd_changed: > +            # dump dns output to target > +            with open(app_params['target'], 'w') as unbound_conf: > +                for address in cached_leases: > +                    unbound_conf.write('local-data-ptr: "%s %s.%s"\n' % > (address, > +                                                                         cach > ed_leases[address]['client-hostname'], > +                                                                         app_ > params['domain'])) > + > +                    unbound_conf.write('local-data: "%s.%s IN A %s"\n' % > (cached_leases[address]['client-hostname'], > +                                                                          app > _params['domain'], > +                                                                          add > ress)) > +            # signal unbound > +            for address in cached_leases: > +                if address not in known_addresses: > +                    fqdn = '%s.%s' % (cached_leases[address]['client- > hostname'], app_params['domain']) > +                    unbound_control(['local_data', address, 'PTR', fqdn]) > +                    unbound_control(['local_data', fqdn, 'IN A', address]) > +                    known_addresses.append(address) > +        # wait for next cycle > +        time.sleep(5) > + > + > +# startup > +if app_params['background'] == '1': > +    daemon = Daemonize(app="unbound_dhcpd", pid=app_params['pid'], > action=main) > +    daemon.start() > +else: > +    main() > diff --git a/config/unbound/unbound-switch b/config/unbound/unbound-switch > new file mode 100755 > index 0000000..60eeb89 > --- /dev/null > +++ b/config/unbound/unbound-switch > @@ -0,0 +1,80 @@ > +#!/bin/bash > +############################################################################# > ## > +#                                                                             >  # > +# IPFire.org - A linux based > firewall                                         # > +# This program is free software: you can redistribute it and/or > modify        # > +# it under the terms of the GNU General Public License as published > by        # > +# the Free Software Foundation, either version 3 of the License, > or           # > +# (at your option) any later > version.                                         # > +#                                                                             >  # > +# This program is distributed in the hope that it will be > useful,             # > +# but WITHOUT ANY WARRANTY; without even the implied warranty > of              # > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See > the               # > +# GNU General Public License for more > details.                                # > +#                                                                             >  # > +# You should have received a copy of the GNU General Public > License           # > +# along with this program.  If not, see .       >  # > +#                                                                             >  # > +# Description : script to switch the DNS server/proxy in > IPfire               # > +#               rerun to easy go back to > dnsmasq                              # > +#                                                                             >  # > +# Author      : Marcel Lorenz                       >  # > +#                                                                             >  # > +############################################################################# > ## > + > +CGIFILE="/srv/web/ipfire/cgi-bin/services.cgi" > + > +install_cron_jobs() { > +cat > /etc/fcron.weekly/update_unbound_anchor << "EOF" > +#!/bin/bash > +# allow max all 30 minutes to update files > +if [[ $(( (`date +%s` - `stat -L --format %Y /etc/unbound/root.key`) > > (30*60) )) != 0 ]]; then > +  wget -q ftp://ftp.internic.net/domain/named.cache -O > /etc/unbound/root.hints > +  curl -sS -L --compressed "http://pgl.yoyo.org/adservers/serverlist.php?host > format=unbound&showintro=0&mimetype=plaintext" > /etc/unbound/blocklists/ad- > servers.conf > +  unbound-anchor > +fi > +exit 0 > +EOF > +chmod +x /etc/fcron.weekly/update_unbound_anchor > +cat > /etc/fcron.hourly/update_unbound_zone << "EOF" > +#!/bin/bash > +unbound-zone > +EOF > +chmod +x /etc/fcron.hourly/update_unbound_zone > +} > + > +# main switch > +if [[ -e /etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq ]]; then > +  echo -e "\033[32mActivate Unbound DNS-proxy at start...\033[0m"; > +  # autostart symlinks > +  rm -f /etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq > /etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq > +  mv -f /etc/init.d/network /etc/init.d/network-dnsmasq > +  mv -f /etc/init.d/network-unbound /etc/init.d/network > +  # WebIF services.cgi  > +  sed -i "s|\$Lang::tr{'dns proxy server'} => 'dnsmasq',.*|\$Lang::tr{'dns > proxy server'} => 'unbound',|" ${CGIFILE} > +  install_cron_jobs > +  /etc/fcron.weekly/update_unbound_anchor > +  # Stop and start services  > +  /etc/rc.d/init.d/dnsmasq stop > +  sleep 1 > +  /etc/rc.d/init.d/unbound start > + > +else > +  echo -e "\033[32mActivate dnsmasq DNS-proxy at start...\033[0m"; > +  # autostart symlinks > +  ln -sf /etc/rc.d/init.d/dnsmasq /etc/rc.d/init.d/networking/red.up/05-RS- > dnsmasq > +  ln -sf /etc/rc.d/init.d/dnsmasq /etc/rc.d/init.d/networking/red.down/05-RS- > dnsmasq > +  mv -f /etc/init.d/network /etc/init.d/network-unbound > +  mv -f /etc/init.d/network-dnsmasq /etc/init.d/network > +  # WebIF services.cgi  > +  sed -i "s|\$Lang::tr{'dns proxy server'} => 'unbound',.*|\$Lang::tr{'dns > proxy server'} => 'dnsmasq',|" ${CGIFILE} > +  # Stop and start services  > +  /etc/rc.d/init.d/unbound stop > +  sleep 1 > +  /etc/rc.d/init.d/dnsmasq start > +  rm -f /etc/fcron.weekly/update_unbound_anchor > /etc/fcron.hourly/update_unbound_zone; > +fi > +unset CGIFILE > +echo -e "\033[32mdone...\033[0m"; > +exit 0 > +# end of unbound-proxy > diff --git a/config/unbound/unbound-zone b/config/unbound/unbound-zone > new file mode 100644 > index 0000000..9a0de1f > --- /dev/null > +++ b/config/unbound/unbound-zone > @@ -0,0 +1,78 @@ > +#!/bin/bash > +############################################################################# > ## > +#                                                                             >  # > +# IPFire.org - A linux based > firewall                                         # > +# This program is free software: you can redistribute it and/or > modify        # > +# it under the terms of the GNU General Public License as published > by        # > +# the Free Software Foundation, either version 3 of the License, > or           # > +# (at your option) any later > version.                                         # > +#                                                                             >  # > +# This program is distributed in the hope that it will be > useful,             # > +# but WITHOUT ANY WARRANTY; without even the implied warranty > of              # > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See > the               # > +# GNU General Public License for more > details.                                # > +#                                                                             >  # > +# You should have received a copy of the GNU General Public > License           # > +# along with this program.  If not, see .       >  # > +#                                                                             >  # > +# Description : small script to create the zone file for > ipfire's             # > +#               internal domain (for example > ipfire.local)                    # > +#                                                                             >  # > +# Author      : Marcel Lorenz                       >  # > +#                                                                             >  # > +############################################################################# > ## > + > +ZONEFILE="/etc/unbound/zones/local.conf" > +HOSTSFILE="/var/ipfire/main/hosts" > + > +eval $(/usr/local/bin/readhash /var/ipfire/main/settings) > +eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) > +REV_GREEN=$(echo ${GREEN_ADDRESS} |awk -F. '{print $4"."$3"."$2"."$1}') > + > +# overwrite existing file > +cat > ${ZONEFILE} << "EOF" > +# This is the automatically created zone file for unbound > +# please do not edit this file, use the webinterface to add or remove hosts > +# if need more zones, create a new zone file and restart unbound  > +# > +EOF > + > +# create zone header  > +echo "# Zone file created at $(date)" >> ${ZONEFILE} > +echo "">> ${ZONEFILE}  > +echo "# zone definition " >> ${ZONEFILE} > +echo "private-domain: \"${DOMAINNAME}\"" >> ${ZONEFILE} > +echo "local-zone: \"${DOMAINNAME}.\" static" >> ${ZONEFILE} > +echo "local-data: \"${HOSTNAME}.${DOMAINNAME}. IN A ${GREEN_ADDRESS}\"" >> > ${ZONEFILE} > +echo "local-data: \"wpad.${DOMAINNAME}. IN A ${GREEN_ADDRESS}\"" >> > ${ZONEFILE} > +echo "local-data: \"${REV_GREEN}.in-addr.arpa. 10800 IN PTR > ${HOSTNAME}.${DOMAINNAME}.\"" >> ${ZONEFILE} > + > +# write forward entrys to zone file > +echo "" >> ${ZONEFILE}  > +echo "# Hosts from /var/ipfire/main/hosts" >> ${ZONEFILE} > + > +while read line            > +do            > +  if [[ $(echo ${line}|awk -F, '{print $1}') = on ]]; then > +    IP=$(echo ${line}|awk -F, '{print $2}') > +    HOST=$(echo ${line}|awk -F, '{print $3}') > +    DOMAIN=$(echo ${line}|awk -F, '{print $4}') > +    echo "local-data: \"${HOST}.${DOMAIN}. IN A ${IP}\"" >> ${ZONEFILE} > +  fi > +done < ${HOSTSFILE} > + > +# write reverse entrys to zone file > +echo "" >> ${ZONEFILE}  > +echo "# reverse entrys" >> ${ZONEFILE} > +while read line            > +do            > +  if [[ $(echo ${line}|awk -F, '{print $1}') = on ]]; then > +    IP=$(echo ${line}|awk -F, '{print $2}'|awk -F. '{print > $4"."$3"."$2"."$1}') > +    HOST=$(echo ${line}|awk -F, '{print $3}') > +    DOMAIN=$(echo ${line}|awk -F, '{print $4}') > +    echo "local-data: \"${IP}.in-addr.arpa. 10800 IN PTR ${HOST}.${DOMAIN}\"" > >> ${ZONEFILE} > +  fi > +done < ${HOSTSFILE} > +unset IP HOST DOMAIN REV_GREEN; > +exit 0 > +# end of unbound-zone > diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf > new file mode 100644 > index 0000000..8dc72e6 > --- /dev/null > +++ b/config/unbound/unbound.conf > @@ -0,0 +1,123 @@ > +# > +# Unbound configuration file for IPFire > +# > +# The full documentation is available at: > +# https://www.unbound.net/documentation/unbound.conf.html > +# > + > +server: > + # common server options > + chroot: "/etc/unbound" > + username: "unbound" > + pidfile: "/var/run/unbound.pid" > + num-threads: 2 > + port: 53 > + do-ip4: yes > + do-ip6: no > + do-udp: yes > + do-tcp: yes > + prefetch: yes > + so-reuseport: yes > + cache-min-ttl: 3600 > + cache-max-ttl: 86400 > + unwanted-reply-threshold: 10000 > + do-not-query-localhost: yes > + > + # logging options > + logfile: "log/unbound.log" > + use-syslog: no > + verbosity: 1 > + log-queries: no > + log-time-ascii: yes > + > + # Unbound Statistics > + statistics-interval: 3600 > + statistics-cumulative: yes > + extended-statistics: yes > + > + # privacy options > + hide-identity: yes > + hide-version: yes > + qname-minimisation: yes > + minimal-responses: yes > + > + # hardening options (some experimental) > + harden-glue: yes > + harden-large-queries: yes > + harden-dnssec-stripped: yes > + harden-short-bufsize: no > + harden-below-nxdomain: no > + harden-referral-path: no > + harden-algo-downgrade: no > + use-caps-for-id: yes > + > + # listen on localhost interface > + interface: 127.0.0.1 > + > + # file with ipfire interfaces > + include:  "/etc/unbound/interfaces.conf" > + > + # control which clients are allowed to make (recursive) queries > + access-control: 0.0.0.0/0 refuse > + access-control: 127.0.0.0/8 allow > + access-control: ::0/0 refuse > + access-control: ::1 allow > + access-control: ::ffff:127.0.0.1 allow > + > + # file with ipfire networks > + include: "/etc/unbound/access.conf" > + > + # dnssec main options > + val-clean-additional: yes > + val-log-level: 1 > + # file with ipfire dnssec configuration > + include:  "/etc/unbound/dnssec.conf" > + > + # DNS Rebinding > + # For DNS Rebinding prevention > + # > + # All these addresses are either private or should not be routable in > the global IPv4 or IPv6 internet. > + # IPv4 Addresses > + private-address: 0.0.0.0/8       # Broadcast address > + private-address: 10.0.0.0/8 > + private-address: 127.0.0.0/8     # Loopback Localhost > + private-address: 172.16.0.0/12 > + private-address: 192.168.0.0/16 > + private-address: 169.254.0.0/16 > + private-address: 198.18.0.0/15   # Used for testing inter-network > communications > + private-address: 198.51.100.0/24 # Documentation network TEST-NET-2 > + private-address: 203.0.113.0/24  # Documentation network TEST-NET-3 > + private-address: 233.252.0.0/24  # Documentation network MCAST-TEST- > NET > + # IPv6 Addresses > + private-address: ::1/128         # Loopback Localhost > + private-address: 2001:db8::/32   # Documentation network IPv6 > + private-address: fc00::/8        # Unique local address (ULA) part of > "fc00::/7", not defined yet > + private-address: fd00::/8        # Unique local address (ULA) part of > "fc00::/7", "/48" prefix group > + private-address: fe80::/10       # Link-local address (LLA) > + > + # file with root servers  > + root-hints: "/etc/unbound/root.hints" > + > + # custom DNS zone files > + include: "/etc/unbound/zones/*.conf" > + > + # DHCP leases (if configured) > + include: /etc/unbound/dhcpleases.conf > + > + # Blocklists > + include: "/etc/unbound/blocklists/*.conf" > +# end server config > + > +# enable remote control only on localhost > +remote-control: > + control-enable: yes > + control-use-cert: yes > + control-interface: 127.0.0.1 > + server-key-file: "/etc/unbound/unbound_server.key" > + server-cert-file: "/etc/unbound/unbound_server.pem" > + control-key-file: "/etc/unbound/unbound_control.key" > + control-cert-file: "/etc/unbound/unbound_control.pem" > +# end remote control config > + > +# custom DNS forward config > +include: "/etc/unbound/forward.conf" > diff --git a/lfs/unbound b/lfs/unbound > new file mode 100644 > index 0000000..d91c0f9 > --- /dev/null > +++ b/lfs/unbound > @@ -0,0 +1,103 @@ > +############################################################################# > ## > +#                                                                             >  # > +# IPFire.org - A linux based > firewall                                         # > +# Copyright (C) 2007  Michael Tremer & Christian > Schmidt                      # > +#                                                                             >  # > +# This program is free software: you can redistribute it and/or > modify        # > +# it under the terms of the GNU General Public License as published > by        # > +# the Free Software Foundation, either version 3 of the License, > or           # > +# (at your option) any later > version.                                         # > +#                                                                             >  # > +# This program is distributed in the hope that it will be > useful,             # > +# but WITHOUT ANY WARRANTY; without even the implied warranty > of              # > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See > the               # > +# GNU General Public License for more > details.                                # > +#                                                                             >  # > +# You should have received a copy of the GNU General Public > License           # > +# along with this program.  If not, see .       >  # > +#                                                                             >  # > +############################################################################# > ## > + > +############################################################################# > ## > +# Definitions > +############################################################################# > ## > + > +include Config > + > +VER        = 1.5.9 > +THISAPP    = unbound-$(VER) > +DL_FILE    = $(THISAPP).tar.gz > +DL_FROM    = $(URL_IPFIRE) > +DIR_APP    = $(DIR_SRC)/$(THISAPP) > +TARGET     = $(DIR_INFO)/$(THISAPP) > +PROG       = unbound > +PAK_VER    = 1 > +DEPS       = "" > + > +############################################################################# > ## > +# Top-level Rules > +############################################################################# > ## > + > +objects = $(DL_FILE) > + > +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) > + > +$(DL_FILE)_MD5 = 0cefa62c1690b4db18583db84bff00e3 > + > +install : $(TARGET) > + > +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) > + > +download :$(patsubst %,$(DIR_DL)/%,$(objects)) > + > +md5 : $(subst %,%_MD5,$(objects)) > + > +dist:  > + $(PAK) > + > +############################################################################# > ## > +# Downloading, checking, md5sum > +############################################################################# > ## > + > +$(patsubst %,$(DIR_CHK)/%,$(objects)) : > + @$(CHECK) > + > +$(patsubst %,$(DIR_DL)/%,$(objects)) : > + @$(LOAD) > + > +$(subst %,%_MD5,$(objects)) : > + @$(MD5) > + > +############################################################################# > ## > +# Installation Details > +############################################################################# > ## > + > +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > + @$(PREBUILD) > + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) > + cd $(DIR_APP) && ./configure \ > + --prefix=/usr \ > + --sysconfdir=/etc \ > + --disable-static \ > + --with-libevent \ > + --with-pyunbound \ > + --with-pidfile=/var/run/unbound.pid > + cd $(DIR_APP) && make $(MAKETUNING) > + cd $(DIR_APP) && make install > + mv -v /usr/sbin/unbound-host /usr/bin/ > + # add ipfire config > + mkdir -pv /etc/unbound/blocklists > + mv -v /etc/unbound/unbound.conf /etc/unbound/unbound_org.conf > + install -v -m 644 $(DIR_SRC)/config/unbound/*.conf /etc/unbound/ > + install -v -m 644 $(DIR_SRC)/config/unbound/root.hints /etc/unbound/ > + install -v -m 644 $(DIR_SRC)/config/unbound/root.key /etc/unbound/ > + install -v -m 644 $(DIR_SRC)/config/unbound/blocklists/*.conf > /etc/unbound/blocklists/ > + install -v -m 644 $(DIR_SRC)/config/unbound/site-packages/* > /usr/lib/python2.7/site-packages/ > + install -v -m 754 $(DIR_SRC)/config/unbound/unbound-switch /usr/sbin/ > + install -v -m 754 $(DIR_SRC)/config/unbound/unbound-zone /usr/sbin/ > + install -v -m 754 $(DIR_SRC)/config/unbound/unbound-dhcpd.py > /usr/sbin/ > + install -v -m 754 $(DIR_SRC)/src/initscripts/init.d/unbound > /etc/rc.d/init.d/ > + install -v -m 754 $(DIR_SRC)/src/initscripts/init.d/unbound-dhcpd > /etc/rc.d/init.d/ > + install -v -m 754 $(DIR_SRC)/src/initscripts/init.d/network-unbound > /etc/rc.d/init.d/ > + @rm -rf $(DIR_APP) > + @$(POSTBUILD) > diff --git a/make.sh b/make.sh > index a9fac52..74bc06a 100755 > --- a/make.sh > +++ b/make.sh > @@ -870,6 +870,7 @@ buildipfire() { >    ipfiremake libpciaccess >    ipfiremake libyajl >    ipfiremake libvirt > +  ipfiremake unbound >  } >   >  buildinstaller() { > diff --git a/src/initscripts/init.d/network-unbound > b/src/initscripts/init.d/network-unbound > new file mode 100644 > index 0000000..31fe173 > --- /dev/null > +++ b/src/initscripts/init.d/network-unbound > @@ -0,0 +1,114 @@ > +#!/bin/sh > +######################################################################## > +# Begin $rc_base/init.d/network > +# > +# Description : Network Control Script > +# > +# Authors     : Michael Tremer - mitch(a)ipfire.org > +# > +# Version     : 01.00 > +# > +# Notes       : Written for IPFire by its team > +# > +######################################################################## > + > +. /etc/sysconfig/rc > +. ${rc_functions} > +eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) > + > + > +DO="${1}" > +shift > + > +if [ -n "${1}" ]; then > + ALL=0 > + for i in green red blue orange; do > + eval "${i}=0" > + done > +else > + ALL=1 > + for i in green red blue orange; do > + eval "${i}=1" > + done > +fi > + > +while [ ! $# = 0 ]; do > + for i in green red blue orange; do > + if [ "${i}" == "${1}" ]; then > + eval "${i}=1" > + shift > + fi > + done > +done > + > +case "${DO}" in > + start) > + > + # Starting interfaces... > + # GREEN > + [ "$green" == "1" ] && /etc/rc.d/init.d/networking/green > start > + > + # BLUE > + [ "$blue" == "1" ] && [ "$CONFIG_TYPE" = "3" -o > "$CONFIG_TYPE" = "4" ] && \ > + /etc/rc.d/init.d/networking/blue start > + > + # ORANGE > + [ "$orange" == "1" ] && [ "$CONFIG_TYPE" = "2" -o > "$CONFIG_TYPE" = "4" ] && \ > + /etc/rc.d/init.d/networking/orange start > + > + # RED > + if [ "$red" == "1" ]; then > + if [ "$CONFIG_TYPE" = "1" -o "$CONFIG_TYPE" = "2" -o > "$CONFIG_TYPE" = "3" -o "$CONFIG_TYPE" = "4" ]; then > + # Remove possible leftover files > + rm -f /var/ipfire/red/{active,device,dial-on- > demand,dns1,dns2,local-ipaddress,remote-ipaddress,resolv.conf} > + [ "$AUTOCONNECT" == "off" ] || > /etc/rc.d/init.d/networking/red start > + fi > + fi > + > + /etc/rc.d/init.d/static-routes start > + [ "${ALL}" == "1" ] && /etc/rc.d/init.d/unbound start > + ;; > + > + stop) > + > + [ "${ALL}" == "1" ] && /etc/rc.d/init.d/unbound stop > + # Stopping interfaces... > + # GREEN > + [ "$green" == "1" ] && /etc/rc.d/init.d/networking/green stop > + > + # BLUE > + [ "$blue" == "1" ] && [ "$CONFIG_TYPE" = "3" -o > "$CONFIG_TYPE" = "4" ] && \ > + /etc/rc.d/init.d/networking/blue stop > + > + # ORANGE > + [ "$orange" == "1" ] && [ "$CONFIG_TYPE" = "2" -o > "$CONFIG_TYPE" = "4" ] && \ > + /etc/rc.d/init.d/networking/orange stop > + > + # RED > + if [ "$red" == "1" ]; then > + if [ "$CONFIG_TYPE" = "1" -o "$CONFIG_TYPE" = "2" -o > "$CONFIG_TYPE" = "3" -o "$CONFIG_TYPE" = "4" ]; then > + /etc/rc.d/init.d/networking/red stop > + fi > + fi > + > + exit 0 > + ;; > + > + restart) > + for i in green red blue orange; do > + if [ "${!i}" == "1" ]; then > + ARGS+=" ${i}" > + fi > + done > + ${0} stop ${ARGS} > + sleep 1 > + ${0} start ${ARGS} > + ;; > + > + *) > + echo "Usage: ${0} {start|stop|restart} [device(s)]" > + exit 1 > + ;; > +esac > + > +# End /etc/rc.d/init.d/network > diff --git a/src/initscripts/init.d/unbound b/src/initscripts/init.d/unbound > new file mode 100644 > index 0000000..8e6881e > --- /dev/null > +++ b/src/initscripts/init.d/unbound > @@ -0,0 +1,178 @@ > +#!/bin/sh > +# Begin $rc_base/init.d/unbound > + > +# Description : Unbound DNS resolver boot script for IPfire > +# Author      : Marcel Lorenz > +# > +# Comment     : This init script additional starts the dhcpd watcher daemon > +#               if DNS-Update (RFC2136) in web interface enabled > + > +. /etc/sysconfig/rc > +. ${rc_functions} > + > +if [[ ! -d /run/var ]]; then mkdir /run/var; fi; > + > +CONTROL_INTERFACE_FILE=1 > +CONTROL_ACCESS_FILE=1 > +USE_CUSTOM_FORWARDS=0 > +ENABLE_DNSSEC=1 > + > +# Unbound daemon pid file > +PIDFILE=/var/run/unbound.pid > + > +# Watcher deamon pid file must be the same in unbound main init script > +WAPIDFILE=/var/run/unbound_dhcpd.pid > + > +function cidr() { > +    local cidr nbits IFS; > +    IFS=. read -r i1 i2 i3 i4 <<< ${1} > +    IFS=. read -r m1 m2 m3 m4 <<< ${2} > +    cidr=$(printf "%d.%d.%d.%d\n" "$((i1 & m1))" "$((i2 & m2))" "$((i3 & > m3))" "$((i4 & m4))") > +    nbits=0 > +    IFS=. > +    for dec in $2 ; do > +        case $dec in > +            255) let nbits+=8;; > +            254) let nbits+=7;; > +            252) let nbits+=6;; > +            248) let nbits+=5;; > +            240) let nbits+=4;; > +            224) let nbits+=3;; > +            192) let nbits+=2;; > +            128) let nbits+=1;; > +            0);; > +            *) echo "Error: $dec is not recognised"; exit 1 > +        esac > +    done > +    echo "${cidr}/${nbits}" > +} > + > +case "$1" in > + start) > + > +   if [[ -f ${PIDFILE} ]]; then > +     log_warning_msg "Unbound daemon is running with Process ID $(cat > ${PIDFILE})" > +   else > +     eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) > +     #ARGS="$CUSTOM_ARGS" > +     #[ "$DOMAIN_NAME_GREEN" != "" ] && ARGS="$ARGS -s > $DOMAIN_NAME_GREEN" > + > +     echo > /var/ipfire/red/resolv.conf # Clear it > +     if [ -e "/var/ipfire/red/dns1" ]; then > +        DNS1=$(cat /var/ipfire/red/dns1 2>/dev/null) > +       if [ ! -z ${DNS1} ]; then > + echo "nameserver ${DNS1}" >> /var/ipfire/red/resolv.conf > + NAMESERVERS="${DNS1} " > +       fi > +     fi > +     if [ -e "/var/ipfire/red/dns2" ]; then > +       DNS2=$(cat /var/ipfire/red/dns2 2>/dev/null) > +       if [ ! -z ${DNS2} ]; then > + echo "nameserver ${DNS2}" >> /var/ipfire/red/resolv.conf > + NAMESERVERS+="${DNS2} " > +       fi > +     fi > + > +     # create unbound interfaces.conf > +     if [ ${CONTROL_INTERFACE_FILE} = 1 ]; then > +   echo -n > /etc/unbound/interfaces.conf # Clear it > +       if [ ! -z ${GREEN_ADDRESS} ]; then > + echo "interface: ${GREEN_ADDRESS}" >> > /etc/unbound/interfaces.conf > +       fi > +       if [ ! -z ${BLUE_ADDRESS} ]; then > + echo "interface: ${BLUE_ADDRESS}" >> > /etc/unbound/interfaces.conf > +       fi > + if [ ! -z ${ORANGE_ADDRESS} ]; then > + echo "interface: ${ORANGE_ADDRESS}" >> > /etc/unbound/interfaces.conf > +       fi > +     fi > + > +     # create unbound access.conf > +     if [ ${CONTROL_ACCESS_FILE} = 1 ]; then > +       echo -n > /etc/unbound/access.conf # Clear it > +       if [ ! -z ${GREEN_ADDRESS} ]; then > + echo "access-control: $(cidr ${GREEN_ADDRESS} > ${GREEN_NETMASK}) allow" >> /etc/unbound/access.conf > +       fi > +       if [ ! -z ${BLUE_ADDRESS} ]; then > + echo "access-control: $(cidr ${BLUE_ADDRESS} ${BLUE_NETMASK}) > allow" >> /etc/unbound/access.conf > +       fi > +       if [ ! -z ${ORANGE_ADDRESS} ]; then > + echo "access-control: $(cidr ${ORANGE_ADDRESS} > ${ORANGE_NETMASK}) allow" >> /etc/unbound/access.conf > +       fi > +     fi > + > +     # create unbound dnssec.conf > +     echo -n > /etc/unbound/dnssec.conf # Clear it > +     if [ ${ENABLE_DNSSEC} = 1 ]; then > +       echo " # dessec enabled per default" >> > /etc/unbound/dnssec.conf > +       echo " # no necessary config options in this file" >> > /etc/unbound/dnssec.conf > +     else > +       echo " # dnssec now disabled" >> > /etc/unbound/dnssec.conf > +       echo " module-config: iterator" >> > /etc/unbound/dnssec.conf > +       echo " val-permissive-mode: yes" >> > /etc/unbound/dnssec.conf > +     fi > + > +     # create zone file for internal ipfire domain  > +     unbound-zone > + > +     boot_mesg "Starting Unbound DNS proxy..." > +     unbound-anchor > +     loadproc /usr/sbin/unbound > + > +     # start dhcpd watcher daemon if DNS-Update (RFC2136) activated > +     eval $(/usr/local/bin/readhash /var/ipfire/dhcp/settings) > +     if [[ ${DNS_UPDATE_ENABLED} = on && ! -f ${WAPIDFILE} ]]; then > +       /etc/rc.d/init.d/unbound-dhcpd start > +     fi > + > +     # use setup configured DNS servers  > +     if [ "${USE_CUSTOM_FORWARDS}" -eq 0 ]; then > +        unbound-control forward_add +i . ${NAMESERVERS} &> /dev/null > +     fi; > + > +     FORWADRS=$(unbound-control list_forwards |sed 's|. IN forward > ||g'|sed 's|+i ||g') > +     if [ "${USE_CUSTOM_FORWARDS}" -eq 0 ]; then > +       boot_mesg "Using DNS server(s): ${FORWADRS}" > +     else > +       boot_mesg "Using custom DNS server(s): ${FORWADRS}" > +     fi > +     if [ ${ENABLE_DNSSEC} = 1 ]; then > +       boot_mesg "DNSSEC is enabled!" > +     else > +       boot_mesg "DNSSEC is disabled!" > +     fi > +   fi  > +   ;; > + > + stop) > + > +   if [[ -f ${PIDFILE} ]]; then > +     # stop dhcpd watcher daemon if activted > +     if [[ -f ${WAPIDFILE} ]]; then > +       /etc/rc.d/init.d/unbound-dhcpd stop > +     fi > +     # stop Unbound daemon > +     boot_mesg "Stopping Unbound DNS proxy..." > +     killproc -p "/var/run/unbound.pid" /usr/sbin/unbound > +   else > +     log_warning_msg "Unbound daemon is not running..." > +   fi > +   ;; > + > + restart) > +   $0 stop > +   sleep 1 > +   $0 start > +   ;; > + > + status) > +   statusproc /usr/sbin/unbound > +   ;; > + > + *) > +   echo "Usage: $0 {start|stop|restart|status}" > +   exit 1 > +   ;; > +esac > + > +# End $rc_base/init.d/unbound > diff --git a/src/initscripts/init.d/unbound-dhcpd > b/src/initscripts/init.d/unbound-dhcpd > new file mode 100644 > index 0000000..4c24a3c > --- /dev/null > +++ b/src/initscripts/init.d/unbound-dhcpd > @@ -0,0 +1,61 @@ > +#!/bin/sh > +# Begin $rc_base/init.d/unbound-dhcpd > + > +# Description : Unbound dhcpd lease file wachter daemon boot script for > IPFire > +# Author      : Marcel Lorenz > + > +. /etc/sysconfig/rc > +. $rc_functions > + > +PIDFILE=/var/run/unbound_dhcpd.pid > +SETFILE=/var/ipfire/main/settings > + > +case "$1" in > + start) > + if [[ -f ${PIDFILE} ]]; then > +   log_warning_msg "Unbound dhcpd watcher daemon is running > with Process ID $(cat ${PIDFILE})" > + else > +   eval $(/usr/local/bin/readhash ${SETFILE}) > +   boot_mesg "Starting Unbound dhcpd watcher deamon..." > +   loadproc /usr/bin/python /usr/sbin/unbound-dhcpd.py /domain > ${DOMAINNAME} /pid ${PIDFILE} > + fi > + ;; > + > + stop) > + if [[ -f ${PIDFILE} ]]; then > +   boot_mesg "Stopping Unbound dhcpd watcher deamon..." > +   kill $(/bin/cat ${PIDFILE}) > +   sleep 1 > +   if [[ -f ${PIDFILE} ]]; then > +     echo_failure > +   else > +     echo_ok > +   fi > + else > +   log_warning_msg "Unbound dhcpd watcher daemon is not > running..." > + fi > + ;; > + > + restart) > + $0 stop > + sleep 1 > + $0 start > + ;; > + > + status) > + if [[ -f "$PIDFILE" ]]; then  > +   echo -e "\\033[1;36mUnbound dhcpd watcher daemon is running > with Process ID $(cat ${PIDFILE})\\033[0;39m" > +   exit 0 > + else > +   echo -e "\\033[1;36mUnbound dhcpd watcher daemon is not > running...\\033[0;39m" > +   exit 0 > + fi > + ;; > + > + *) > + echo "Usage: $0 {start|stop|restart|status}" > + exit 1 > + ;; > +esac > + > +# End $rc_base/init.d/unbound-dhcpd > \ No newline at end of file > diff --git a/src/paks/unbound/install.sh b/src/paks/unbound/install.sh > new file mode 100644 > index 0000000..84c93f3 > --- /dev/null > +++ b/src/paks/unbound/install.sh > @@ -0,0 +1,70 @@ > +#!/bin/bash > +############################################################################ > +#                                                                          # > +# This file is part of the IPFire Firewall.                                # > +#                                                                          # > +# IPFire is free software; you can redistribute it and/or modify           # > +# it under the terms of the GNU General Public License as published by     # > +# the Free Software Foundation; either version 2 of the License, or        # > +# (at your option) any later version.                                      # > +#                                                                          # > +# IPFire is distributed in the hope that it will be useful,                # > +# but WITHOUT ANY WARRANTY; without even the implied warranty of           # > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            # > +# GNU General Public License for more details.                             # > +#                                                                          # > +# You should have received a copy of the GNU General Public License        # > +# along with IPFire; if not, write to the Free Software                    # > +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA # > +#                                                                          # > +# Copyright (C) 2016 IPFire-Team .                        # > +#                                                                          # > +############################################################################ > +# > +. /opt/pakfire/lib/functions.sh > +extract_files > +restore_backup ${NAME} > + > +# add unbound user and group > +groupadd -g 85 unbound  > +useradd -c "Unbound DNS resolver" -d /var/lib/unbound -u 85 -g unbound -s > /bin/false unbound > + > +# create config subdir's > +mkdir -pv /etc/unbound/log /etc/unbound/zones  /var/log/unbound > +chown unbound:unbound -R /var/log/unbound/ /etc/unbound/log/; > + > +echo "Add logrotate config for unbound now..." > +LOGROTATE=$(grep -A 1 '/var/log/unbound/unbound.log' /etc/logrotate.conf) > +if [[ ! "${LOGROTATE}" ]]; then > +cat >> /etc/logrotate.conf << "EOF" > +# Unbound > +/var/log/unbound/unbound.log { > +    daily > +    rotate 30 > +    copytruncate > +    compress > +    missingok > +    prerotate > +      /bin/mv -f /etc/unbound/log/unbound.log /var/log/unbound/unbound.log > +      /usr/sbin/unbound-control log_reopen &> /dev/null > +    endscript > +} > + > +EOF > +touch /etc/unbound/dhcpleases.conf > +touch /var/log/unbound/unbound.log > +chown unbound:unbound /var/log/unbound/unbound.log > +fi > + > +# create link to current logfile > +ln -svf /etc/unbound/log/unbound.log /var/log/unbound/current.log > + > +# create remote control key files and set rights  > +/usr/sbin/unbound-control-setup &> /dev/null > +chown unbound:unbound > /etc/unbound/{unbound_control.*,unbound_server.*,root.key,root.hints} > + > +# at last switch the DNS-Resolver to unbound > +/usr/sbin/unbound-switch > + > +unset LOGROTATE > +exit 0 > diff --git a/src/paks/unbound/uninstall.sh b/src/paks/unbound/uninstall.sh > new file mode 100644 > index 0000000..fc39f9f > --- /dev/null > +++ b/src/paks/unbound/uninstall.sh > @@ -0,0 +1,27 @@ > +#!/bin/bash > +############################################################################ > +#                                                                          # > +# This file is part of the IPFire Firewall.                                # > +#                                                                          # > +# IPFire is free software; you can redistribute it and/or modify           # > +# it under the terms of the GNU General Public License as published by     # > +# the Free Software Foundation; either version 2 of the License, or        # > +# (at your option) any later version.                                      # > +#                                                                          # > +# IPFire is distributed in the hope that it will be useful,                # > +# but WITHOUT ANY WARRANTY; without even the implied warranty of           # > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            # > +# GNU General Public License for more details.                             # > +#                                                                          # > +# You should have received a copy of the GNU General Public License        # > +# along with IPFire; if not, write to the Free Software                    # > +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA # > +#                                                                          # > +# Copyright (C) 2007 IPFire-Team .                        # > +#                                                                          # > +############################################################################ > +# > +. /opt/pakfire/lib/functions.sh > +/usr/sbin/resolver.sh > +make_backup ${NAME} > +remove_files > diff --git a/src/paks/unbound/update.sh b/src/paks/unbound/update.sh > new file mode 100644 > index 0000000..89c40d0 > --- /dev/null > +++ b/src/paks/unbound/update.sh > @@ -0,0 +1,26 @@ > +#!/bin/bash > +############################################################################ > +#                                                                          # > +# This file is part of the IPFire Firewall.                                # > +#                                                                          # > +# IPFire is free software; you can redistribute it and/or modify           # > +# it under the terms of the GNU General Public License as published by     # > +# the Free Software Foundation; either version 2 of the License, or        # > +# (at your option) any later version.                                      # > +#                                                                          # > +# IPFire is distributed in the hope that it will be useful,                # > +# but WITHOUT ANY WARRANTY; without even the implied warranty of           # > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            # > +# GNU General Public License for more details.                             # > +#                                                                          # > +# You should have received a copy of the GNU General Public License        # > +# along with IPFire; if not, write to the Free Software                    # > +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA # > +#                                                                          # > +# Copyright (C) 2007 IPFire-Team .                        # > +#                                                                          # > +############################################################################ > +# > +. /opt/pakfire/lib/functions.sh > +./uninstall.sh > +./install.sh