Hi,
so I have been working on this for a bit over the weekend and started a branch with those changes.
http://cgit.ipfire.org/people/ms/ipfire-2.x.git/log/?h=unbound
I rewrote the Python code which I didn't find clean enough and good enough for our standards. My solution is lacking some minor things (the domain is always .local) but those should be easily fixable. I am just running out of time here.
However I wanted to share my changes for you to review and test because despite these small things and some other issues for which I created bug reports on Bugzilla, I think this is rather close to be finished.
https://bugzilla.ipfire.org/showdependencytree.cgi?id=11163&hide_resolve...
So, please have a look and test. I won't be able to work much on this over the next few weeks, hence I would be happy if some people take over a small part and get that fixed. I will be responding to emails though.
Best, -Michael
On Tue, 2016-08-02 at 20:48 +0200, Marcel Lorenz wrote:
Unbound is a validating, recursive, and caching DNS resolver. https://www.unbound.net
Signed-off-by: Marcel Lorenz marcel.lorenz@ipfire.org
config/rootfiles/packages/unbound | 70 ++++++++ config/unbound/blocklists/ms-telemetry.conf | 49 ++++++ config/unbound/forward.conf | 6 + config/unbound/root.hints | 90 ++++++++++ config/unbound/root.key | 9 + config/unbound/site-packages/daemonize.py | 247 +++++++++++++++++++++++++++ config/unbound/site-packages/dhcpd.py | 108 ++++++++++++ config/unbound/site-packages/params.py | 46 +++++ config/unbound/site-packages/watcherdhcpd.py | 107 ++++++++++++ config/unbound/unbound-dhcpd.py | 145 ++++++++++++++++ config/unbound/unbound-switch | 80 +++++++++ config/unbound/unbound-zone | 78 +++++++++ config/unbound/unbound.conf | 123 +++++++++++++ lfs/unbound | 103 +++++++++++ make.sh | 1 + src/initscripts/init.d/network-unbound | 114 +++++++++++++ src/initscripts/init.d/unbound | 178 +++++++++++++++++++ src/initscripts/init.d/unbound-dhcpd | 61 +++++++ src/paks/unbound/install.sh | 70 ++++++++ src/paks/unbound/uninstall.sh | 27 +++ src/paks/unbound/update.sh | 26 +++ 21 files changed, 1738 insertions(+) create mode 100644 config/rootfiles/packages/unbound create mode 100644 config/unbound/blocklists/ms-telemetry.conf create mode 100644 config/unbound/forward.conf create mode 100644 config/unbound/root.hints create mode 100644 config/unbound/root.key create mode 100644 config/unbound/site-packages/daemonize.py create mode 100644 config/unbound/site-packages/dhcpd.py create mode 100644 config/unbound/site-packages/params.py create mode 100644 config/unbound/site-packages/watcherdhcpd.py create mode 100644 config/unbound/unbound-dhcpd.py create mode 100755 config/unbound/unbound-switch create mode 100644 config/unbound/unbound-zone create mode 100644 config/unbound/unbound.conf create mode 100644 lfs/unbound create mode 100644 src/initscripts/init.d/network-unbound create mode 100644 src/initscripts/init.d/unbound create mode 100644 src/initscripts/init.d/unbound-dhcpd create mode 100644 src/paks/unbound/install.sh create mode 100644 src/paks/unbound/uninstall.sh create mode 100644 src/paks/unbound/update.sh
diff --git a/config/rootfiles/packages/unbound b/config/rootfiles/packages/unbound new file mode 100644 index 0000000..c468167 --- /dev/null +++ b/config/rootfiles/packages/unbound @@ -0,0 +1,70 @@ +etc/rc.d/init.d/network-unbound +etc/rc.d/init.d/unbound +etc/rc.d/init.d/unbound-dhcpd +#etc/unbound +#etc/unbound/blocklists +etc/unbound/blocklists/ms-telemetry.conf +etc/unbound/forward.conf +etc/unbound/root.hints +etc/unbound/root.key +etc/unbound/unbound.conf +etc/unbound/unbound_org.conf +usr/bin/unbound-host +#usr/include/unbound.h +#usr/lib/libunbound.la +usr/lib/libunbound.so +usr/lib/libunbound.so.2 +usr/lib/libunbound.so.2.4.1 +#usr/lib/python2.7/site-packages/_unbound.la +usr/lib/python2.7/site-packages/_unbound.so +usr/lib/python2.7/site-packages/daemonize.py +usr/lib/python2.7/site-packages/dhcpd.py +usr/lib/python2.7/site-packages/params.py +usr/lib/python2.7/site-packages/unbound.py +usr/lib/python2.7/site-packages/watcherdhcpd.py +usr/sbin/unbound +usr/sbin/unbound-anchor +usr/sbin/unbound-checkconf +usr/sbin/unbound-dhcpd.py +usr/sbin/unbound-control +usr/sbin/unbound-control-setup +usr/sbin/unbound-switch +usr/sbin/unbound-zone +#usr/share/man/man1/unbound-host.1 +#usr/share/man/man3/libunbound.3 +#usr/share/man/man3/ub_cancel.3 +#usr/share/man/man3/ub_ctx.3 +#usr/share/man/man3/ub_ctx_add_ta.3 +#usr/share/man/man3/ub_ctx_add_ta_file.3 +#usr/share/man/man3/ub_ctx_async.3 +#usr/share/man/man3/ub_ctx_config.3 +#usr/share/man/man3/ub_ctx_create.3 +#usr/share/man/man3/ub_ctx_data_add.3 +#usr/share/man/man3/ub_ctx_data_remove.3 +#usr/share/man/man3/ub_ctx_debuglevel.3 +#usr/share/man/man3/ub_ctx_debugout.3 +#usr/share/man/man3/ub_ctx_delete.3 +#usr/share/man/man3/ub_ctx_get_option.3 +#usr/share/man/man3/ub_ctx_hosts.3 +#usr/share/man/man3/ub_ctx_print_local_zones.3 +#usr/share/man/man3/ub_ctx_resolvconf.3 +#usr/share/man/man3/ub_ctx_set_fwd.3 +#usr/share/man/man3/ub_ctx_set_option.3 +#usr/share/man/man3/ub_ctx_trustedkeys.3 +#usr/share/man/man3/ub_ctx_zone_add.3 +#usr/share/man/man3/ub_ctx_zone_remove.3 +#usr/share/man/man3/ub_fd.3 +#usr/share/man/man3/ub_poll.3 +#usr/share/man/man3/ub_process.3 +#usr/share/man/man3/ub_resolve.3 +#usr/share/man/man3/ub_resolve_async.3 +#usr/share/man/man3/ub_resolve_free.3 +#usr/share/man/man3/ub_result.3 +#usr/share/man/man3/ub_strerror.3 +#usr/share/man/man3/ub_wait.3 +#usr/share/man/man5/unbound.conf.5 +#usr/share/man/man8/unbound-anchor.8 +#usr/share/man/man8/unbound-checkconf.8 +#usr/share/man/man8/unbound-control-setup.8 +#usr/share/man/man8/unbound-control.8 +#usr/share/man/man8/unbound.8 diff --git a/config/unbound/blocklists/ms-telemetry.conf b/config/unbound/blocklists/ms-telemetry.conf new file mode 100644 index 0000000..7801e76 --- /dev/null +++ b/config/unbound/blocklists/ms-telemetry.conf @@ -0,0 +1,49 @@ +# Windows telemetry +local-data: "a-0001.a-msedge.net A 127.0.0.1" +local-data: "asimov-win.settings.data.microsoft.com.akadns.net. A 127.0.0.1" +local-data: "asimov-win.vortex.data.microsoft.com.akadns.net. A 127.0.0.1" +local-data: "choice.microsoft.com A 127.0.0.1" +local-data: "choice.microsoft.com.nsatc.net A 127.0.0.1" +local-data: "compatexchange.cloudapp.net A 127.0.0.1" +local-data: "corpext.msitadfs.glbdns2.microsoft.com A 127.0.0.1" +local-data: "corp.sts.microsoft.com A 127.0.0.1" +local-data: "cs1.wpc.v0cdn.net A 127.0.0.1" +local-data: "df.telemetry.microsoft.com A 127.0.0.1" +local-data: "diagnostics.support.microsoft.com A 127.0.0.1" +local-data: "fe2.update.microsoft.com.akadns.net A 127.0.0.1" +local-data: "feedback.microsoft-hohm.com A 127.0.0.1" +local-data: "feedback.search.microsoft.com A 127.0.0.1" +local-data: "feedback.windows.com A 127.0.0.1" +local-data: "i1.services.social.microsoft.com A 127.0.0.1" +local-data: "i1.services.social.microsoft.com.nsatc.net A 127.0.0.1" +local-data: "nexus.officeapps.live.com A 127.0.0.1" +local-data: "oca.telemetry.microsoft.com A 127.0.0.1" +local-data: "oca.telemetry.microsoft.com.nsatc.net A 127.0.0.1" +local-data: "pre.footprintpredict.com A 127.0.0.1" +local-data: "redir.metaservices.microsoft.com A 127.0.0.1" +local-data: "reports.wes.df.telemetry.microsoft.com A 127.0.0.1" +local-data: "services.wes.df.telemetry.microsoft.com A 127.0.0.1" +local-data: "settings-sandbox.data.microsoft.com A 127.0.0.1" +local-data: "settings-win.data.microsoft.com A 127.0.0.1" +local-data: "sls.update.microsoft.com.akadns.net A 127.0.0.1" +local-data: "sqm.df.telemetry.microsoft.com A 127.0.0.1" +local-data: "sqm.telemetry.microsoft.com A 127.0.0.1" +local-data: "sqm.telemetry.microsoft.com.nsatc.net A 127.0.0.1" +local-data: "statsfe1.ws.microsoft.com A 127.0.0.1" +local-data: "statsfe2.update.microsoft.com.akadns.net A 127.0.0.1" +local-data: "statsfe2.ws.microsoft.com A 127.0.0.1" +local-data: "survey.watson.microsoft.com A 127.0.0.1" +local-data: "telecommand.telemetry.microsoft.com A 127.0.0.1" +local-data: "telecommand.telemetry.microsoft.com.nsatc.net A 127.0.0.1" +local-data: "telemetry.appex.bing.net A 127.0.0.1" +local-data: "telemetry.microsoft.com A 127.0.0.1" +local-data: "telemetry.urs.microsoft.com A 127.0.0.1" +local-data: "vortex.data.microsoft.com A 127.0.0.1" +local-data: "vortex-sandbox.data.microsoft.com A 127.0.0.1" +local-data: "vortex-win.data.microsoft.com A 127.0.0.1" +local-data: "watson.live.com A 127.0.0.1" +local-data: "watson.microsoft.com A 127.0.0.1" +local-data: "watson.ppe.telemetry.microsoft.com A 127.0.0.1" +local-data: "watson.telemetry.microsoft.com A 127.0.0.1" +local-data: "watson.telemetry.microsoft.com.nsatc.net A 127.0.0.1" +local-data: "wes.df.telemetry.microsoft.com A 127.0.0.1" diff --git a/config/unbound/forward.conf b/config/unbound/forward.conf new file mode 100644 index 0000000..5784f9f --- /dev/null +++ b/config/unbound/forward.conf @@ -0,0 +1,6 @@ +forward-zone: + name: "." + forward-addr: 85.214.20.141 + forward-addr: 194.150.168.168 + forward-addr: 208.67.222.222 + forward-addr: 208.67.220.220 diff --git a/config/unbound/root.hints b/config/unbound/root.hints new file mode 100644 index 0000000..3c82146 --- /dev/null +++ b/config/unbound/root.hints @@ -0,0 +1,90 @@ +; This file holds the information on root name servers needed to +; initialize cache of Internet domain name servers +; (e.g. reference this file in the "cache . <file>" +; configuration file of BIND domain name servers). +; +; This file is made available by InterNIC +; under anonymous FTP as +; file /domain/named.cache +; on server FTP.INTERNIC.NET +; -OR- RS.INTERNIC.NET +; +; last update: March 23, 2016 +; related version of root zone: 2016032301 +; +; formerly NS.INTERNIC.NET +; +. 3600000 NS A.ROOT-SERVERS.NET. +A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4 +A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30 +; +; FORMERLY NS1.ISI.EDU +; +. 3600000 NS B.ROOT-SERVERS.NET. +B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201 +B.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:84::b +; +; FORMERLY C.PSI.NET +; +. 3600000 NS C.ROOT-SERVERS.NET. +C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12 +C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c +; +; FORMERLY TERP.UMD.EDU +; +. 3600000 NS D.ROOT-SERVERS.NET. +D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13 +D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d +; +; FORMERLY NS.NASA.GOV +; +. 3600000 NS E.ROOT-SERVERS.NET. +E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10 +; +; FORMERLY NS.ISC.ORG +; +. 3600000 NS F.ROOT-SERVERS.NET. +F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241 +F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f +; +; FORMERLY NS.NIC.DDN.MIL +; +. 3600000 NS G.ROOT-SERVERS.NET. +G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4 +; +; FORMERLY AOS.ARL.ARMY.MIL +; +. 3600000 NS H.ROOT-SERVERS.NET. +H.ROOT-SERVERS.NET. 3600000 A 198.97.190.53 +H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53 +; +; FORMERLY NIC.NORDU.NET +; +. 3600000 NS I.ROOT-SERVERS.NET. +I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17 +I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53 +; +; OPERATED BY VERISIGN, INC. +; +. 3600000 NS J.ROOT-SERVERS.NET. +J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30 +J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30 +; +; OPERATED BY RIPE NCC +; +. 3600000 NS K.ROOT-SERVERS.NET. +K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129 +K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1 +; +; OPERATED BY ICANN +; +. 3600000 NS L.ROOT-SERVERS.NET. +L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42 +L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:9f::42 +; +; OPERATED BY WIDE +; +. 3600000 NS M.ROOT-SERVERS.NET. +M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33 +M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35 +; End of file diff --git a/config/unbound/root.key b/config/unbound/root.key new file mode 100644 index 0000000..fb540e3 --- /dev/null +++ b/config/unbound/root.key @@ -0,0 +1,9 @@ +; autotrust trust anchor file +;;id: . 1 +;;last_queried: 1467576595 ;;Sun Jul 3 22:09:55 2016 +;;last_success: 1467576595 ;;Sun Jul 3 22:09:55 2016 +;;next_probe_time: 1467616562 ;;Mon Jul 4 09:16:02 2016 +;;query_failed: 0 +;;query_interval: 43200 +;;retry_time: 8640 +. 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0Ez rAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkj f5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCT MjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqr AmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1467575383 ;;Sun Jul 3 21:49:43 2016 diff --git a/config/unbound/site-packages/daemonize.py b/config/unbound/site- packages/daemonize.py new file mode 100644 index 0000000..e083feb --- /dev/null +++ b/config/unbound/site-packages/daemonize.py @@ -0,0 +1,247 @@ +# #!/usr/bin/python
+import fcntl +import os +import pwd +import grp +import sys +import signal +import resource +import logging +import atexit +from logging import handlers +import traceback
+__version__ = "2.4.6"
+class Daemonize(object): + """ + Daemonize object.
+ Object constructor expects three arguments.
+ :param app: contains the application name which will be sent to syslog. + :param pid: path to the pidfile. + :param action: your custom function which will be executed after daemonization. + :param keep_fds: optional list of fds which should not be closed. + :param auto_close_fds: optional parameter to not close opened fds. + :param privileged_action: action that will be executed before drop privileges if user or + group parameter is provided. + If you want to transfer anything from privileged_action to action, such as + opened privileged file descriptor, you should return it from + privileged_action function and catch it inside action function. + :param user: drop privileges to this user if provided. + :param group: drop privileges to this group if provided. + :param verbose: send debug messages to logger if provided. + :param logger: use this logger object instead of creating new one, if provided. + :param foreground: stay in foreground; do not fork (for debugging) + :param chdir: change working directory if provided or / + """ + def __init__(self, app, pid, action, + keep_fds=None, auto_close_fds=True, privileged_action=None, + user=None, group=None, verbose=False, logger=None, + foreground=False, chdir="/"): + self.app = app + self.pid = os.path.abspath(pid) + self.action = action + self.keep_fds = keep_fds or [] + self.privileged_action = privileged_action or (lambda: ()) + self.user = user + self.group = group + self.logger = logger + self.verbose = verbose + self.auto_close_fds = auto_close_fds + self.foreground = foreground + self.chdir = chdir
+ def sigterm(self, signum, frame): + """ + These actions will be done after SIGTERM. + """ + self.logger.warn("Caught signal %s. Stopping daemon." % signum) + sys.exit(0)
+ def exit(self): + """ + Cleanup pid file at exit. + """ + self.logger.warn("Stopping daemon.") + os.remove(self.pid) + sys.exit(0)
+ def start(self): + """ + Start daemonization process. + """ + # If pidfile already exists, we should read pid from there; to overwrite it, if locking + # will fail, because locking attempt somehow purges the file contents. + if os.path.isfile(self.pid): + with open(self.pid, "r") as old_pidfile: + old_pid = old_pidfile.read() + # Create a lockfile so that only one instance of this daemon is running at any time. + try: + lockfile = open(self.pid, "w") + except IOError: + print("Unable to create the pidfile.") + sys.exit(1) + try: + # Try to get an exclusive lock on the file. This will fail if another process has the file + # locked. + fcntl.flock(lockfile, fcntl.LOCK_EX | fcntl.LOCK_NB) + except IOError: + print("Unable to lock on the pidfile.") + # We need to overwrite the pidfile if we got here. + with open(self.pid, "w") as pidfile: + pidfile.write(old_pid) + sys.exit(1)
+ # skip fork if foreground is specified + if not self.foreground: + # Fork, creating a new process for the child. + try: + process_id = os.fork() + except OSError as e: + self.logger.error("Unable to fork, errno: {0}".format(e.errno)) + sys.exit(1) + if process_id != 0: + # This is the parent process. Exit without cleanup, + # see https://github.com/thesharp/daemonize/issues/46 + os._exit(0) + # This is the child process. Continue.
+ # Stop listening for signals that the parent process receives. + # This is done by getting a new process id. + # setpgrp() is an alternative to setsid(). + # setsid puts the process in a new parent group and detaches its controlling terminal. + process_id = os.setsid() + if process_id == -1: + # Uh oh, there was a problem. + sys.exit(1)
+ # Add lockfile to self.keep_fds. + self.keep_fds.append(lockfile.fileno())
+ # Close all file descriptors, except the ones mentioned in self.keep_fds. + devnull = "/dev/null" + if hasattr(os, "devnull"): + # Python has set os.devnull on this system, use it instead as it might be different + # than /dev/null. + devnull = os.devnull
+ if self.auto_close_fds: + for fd in range(3, resource.getrlimit(resource.RLIMIT_NOFILE)[0]): + if fd not in self.keep_fds: + try: + os.close(fd) + except OSError: + pass
+ devnull_fd = os.open(devnull, os.O_RDWR) + os.dup2(devnull_fd, 0) + os.dup2(devnull_fd, 1) + os.dup2(devnull_fd, 2)
+ if self.logger is None: + # Initialize logging. + self.logger = logging.getLogger(self.app) + self.logger.setLevel(logging.DEBUG) + # Display log messages only on defined handlers. + self.logger.propagate = False
+ # Initialize syslog. + # It will correctly work on OS X, Linux and FreeBSD. + if sys.platform == "darwin": + syslog_address = "/var/run/syslog" + else: + syslog_address = "/dev/log"
+ # We will continue with syslog initialization only if actually have such capabilities + # on the machine we are running this. + if os.path.exists(syslog_address): + syslog = handlers.SysLogHandler(syslog_address) + if self.verbose: + syslog.setLevel(logging.DEBUG) + else: + syslog.setLevel(logging.INFO) + # Try to mimic to normal syslog messages. + formatter = logging.Formatter("%(asctime)s %(name)s: %(message)s", + "%b %e %H:%M:%S") + syslog.setFormatter(formatter)
+ self.logger.addHandler(syslog)
+ # Set umask to default to safe file permissions when running as a root daemon. 027 is an + # octal number which we are typing as 0o27 for Python3 compatibility. + os.umask(0o27)
+ # Change to a known directory. If this isn't done, starting a daemon in a subdirectory that + # needs to be deleted results in "directory busy" errors. + os.chdir(self.chdir)
+ # Execute privileged action + privileged_action_result = self.privileged_action() + if not privileged_action_result: + privileged_action_result = []
+ # Change owner of pid file, it's required because pid file will be removed at exit. + uid, gid = -1, -1
+ if self.group: + try: + gid = grp.getgrnam(self.group).gr_gid + except KeyError: + self.logger.error("Group {0} not found".format(self.group)) + sys.exit(1)
+ if self.user: + try: + uid = pwd.getpwnam(self.user).pw_uid + except KeyError: + self.logger.error("User {0} not found.".format(self.user)) + sys.exit(1)
+ if uid != -1 or gid != -1: + os.chown(self.pid, uid, gid)
+ # Change gid + if self.group: + try: + os.setgid(gid) + except OSError: + self.logger.error("Unable to change gid.") + sys.exit(1)
+ # Change uid + if self.user: + try: + uid = pwd.getpwnam(self.user).pw_uid + except KeyError: + self.logger.error("User {0} not found.".format(self.user)) + sys.exit(1) + try: + os.setuid(uid) + except OSError: + self.logger.error("Unable to change uid.") + sys.exit(1)
+ try: + lockfile.write("%s" % (os.getpid())) + lockfile.flush() + except IOError: + self.logger.error("Unable to write pid to the pidfile.") + print("Unable to write pid to the pidfile.") + sys.exit(1)
+ # Set custom action on SIGTERM. + signal.signal(signal.SIGTERM, self.sigterm) + atexit.register(self.exit)
+ self.logger.warn("Starting daemon.")
+ try: + self.action(*privileged_action_result) + except Exception as e: + for line in traceback.format_exc(e).split("\n"): + self.logger.error(line) diff --git a/config/unbound/site-packages/dhcpd.py b/config/unbound/site- packages/dhcpd.py new file mode 100644 index 0000000..6d586c7 --- /dev/null +++ b/config/unbound/site-packages/dhcpd.py @@ -0,0 +1,108 @@ +""" + Copyright (c) 2016 Ad Schellevis + All rights reserved.
+ Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met:
+ 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution.
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +""" +import os +import time +import datetime
+class DHCPDLease(object): + watch_file = '/var/dhcpd/var/db/dhcpd.leases'
+ def __init__(self): + """ init watcher + :return: watcher object + """ + self._section_data = [] + self._fhandle = None + self._last_pos = None + self._open()
+ def _open(self): + """ (re)open watched file + :return: watcher object + """ + try: + self._fhandle = open(self.watch_file, 'r') + self._last_pos = None + self._section_data = [] + return True + except IOError: + self._fhandle = None + return False
+ @staticmethod + def parse_lease(lines): + """ parse dhcp lease + :param lines: lease section as list item + :return: dictionary + """ + lease = dict() + lease['address'] = lines[0].split()[1] + for line in lines: + parts = line.split() + field_name = parts[0] + field_value = None + if field_name in ('starts', 'ends', 'tstp', 'tsfp', 'atsfp', 'cltt') and len(parts) >= 3: + dt = '%s %s'%(parts[2], parts[3]) + try: + field_value = time.mktime(datetime.datetime.strptime(dt, "%Y/%m/%d %H:%M:%S;").timetuple()) + except ValueError: + field_value = None + elif field_name == 'hardware' and len(parts) >= 3: + field_value = {'hardware-type': parts[1], 'mac-address': parts[2]} + elif field_name in('uid', 'client-hostname') and len(parts) >= 2 and parts[1].find('"') > -1: + field_value = parts[1].split('"')[1]
+ if field_value is not None: + lease[field_name] = field_value
+ return lease
+ def watch(self): + """ watch file, return lease dictionaries + :return: iterator for leases + """ + if self._fhandle is None or os.fstat(self._fhandle.fileno()).st_nlink == 0: + # nothing to watch, try to (re)open return when failed + if not self._open(): + return + elif self._last_pos is not None: + self._fhandle.seek(self._last_pos)
+ while True: + line = self._fhandle.readline() + if line: + if len(line) > 5 and line[0:5] == 'lease': + self._section_data.append(line) + elif len(line) > 1 and line[0] == '}': + self._section_data.append(line) + yield self.parse_lease(self._section_data) + self._section_data = [] + elif len(self._section_data) > 0: + self._section_data.append(line) + else: + break
+ self._last_pos = self._fhandle.tell() diff --git a/config/unbound/site-packages/params.py b/config/unbound/site- packages/params.py new file mode 100644 index 0000000..6be3244 --- /dev/null +++ b/config/unbound/site-packages/params.py @@ -0,0 +1,46 @@ +""" + Copyright (c) 2015-2016 Ad Schellevis + All rights reserved.
+ Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met:
+ 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution.
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +"""
+import sys
+def update_params(parameters): + """ update predefined parameters with given list from shell (as switches) + for example /a valA /b valB + converts to + {'a':'valA','b':'valB'} + (assuming parameters contains both a and b) + :param parameters: parameter dictionary + :return: + """ + cmd = None + for arg in sys.argv[1:]: + if cmd is None: + cmd = arg[1:] + else: + if cmd in parameters and arg.strip() != '': + parameters[cmd] = arg.strip() + cmd = None diff --git a/config/unbound/site-packages/watcherdhcpd.py b/config/unbound/site-packages/watcherdhcpd.py new file mode 100644 index 0000000..c726d5c --- /dev/null +++ b/config/unbound/site-packages/watcherdhcpd.py @@ -0,0 +1,107 @@ +""" + Copyright (c) 2016 Ad Schellevis + All rights reserved.
+ Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met:
+ 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution.
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +""" +import os +import time +import datetime
+class DHCPDLease(object): + watch_file = '/var/state/dhcp/dhcpd.leases'
+ def __init__(self): + """ init watcher + :return: watcher object + """ + self._section_data = [] + self._fhandle = None + self._last_pos = None + self._open()
+ def _open(self): + """ (re)open watched file + :return: watcher object + """ + try: + self._fhandle = open(self.watch_file, 'r') + self._last_pos = None + self._section_data = [] + return True + except IOError: + self._fhandle = None + return False
+ @staticmethod + def parse_lease(lines): + """ parse dhcp lease + :param lines: lease section as list item + :return: dictionary + """ + lease = dict() + lease['address'] = lines[0].split()[1] + for line in lines: + parts = line.split() + field_name = parts[0] + field_value = None + if field_name in ('starts', 'ends', 'tstp', 'tsfp', 'atsfp', 'cltt') and len(parts) >= 3: + dt = '%s %s'%(parts[2], parts[3]) + try: + field_value = time.mktime(datetime.datetime.strptime(dt, "%Y/%m/%d %H:%M:%S;").timetuple()) + except ValueError: + field_value = None + elif field_name == 'hardware' and len(parts) >= 3: + field_value = {'hardware-type': parts[1], 'mac-address': parts[2]} + elif field_name in('uid', 'client-hostname') and len(parts) >= 2 and parts[1].find('"') > -1: + field_value = parts[1].split('"')[1]
+ if field_value is not None: + lease[field_name] = field_value + return lease
+ def watch(self): + """ watch file, return lease dictionaries + :return: iterator for leases + """ + if self._fhandle is None or os.fstat(self._fhandle.fileno()).st_nlink == 0: + # nothing to watch, try to (re)open return when failed + if not self._open(): + return + elif self._last_pos is not None: + self._fhandle.seek(self._last_pos)
+ while True: + line = self._fhandle.readline() + if line: + if len(line) > 5 and line[0:5] == 'lease': + self._section_data.append(line) + elif len(line) > 1 and line[0] == '}': + self._section_data.append(line) + yield self.parse_lease(self._section_data) + self._section_data = [] + elif len(self._section_data) > 0: + self._section_data.append(line) + else: + break
+ self._last_pos = self._fhandle.tell() diff --git a/config/unbound/unbound-dhcpd.py b/config/unbound/unbound-dhcpd.py new file mode 100644 index 0000000..0afedc9 --- /dev/null +++ b/config/unbound/unbound-dhcpd.py @@ -0,0 +1,145 @@ +#!/usr/bin/python2.7
+""" + Copyright (c) 2016 Ad Schellevis + All rights reserved.
+ Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met:
+ 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution.
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE.
+ -------------------------------------------------------------------------
+ watch dhcp lease file and build include file for unbound +""" +import os +import sys
+sys.path.insert(0, "/usr/lib/python2.7/site-packages") +import subprocess +import time +import tempfile +from daemonize import Daemonize +import watcherdhcpd +import params
+def unbound_control(commands, output_stream=None): + """ execute (chrooted) unbound-control command + :param commands: command list (parameters) + :param output_stream: (optional)output stream + :return: None + """ + output_stream = open(os.devnull, 'w') + subprocess.check_call(['/usr/sbin/chroot', '--userspec=unbound:unbound', '/', + '/usr/sbin/unbound-control', '-c', '/etc/unbound/unbound.conf'] + commands, + stdout=output_stream, stderr=subprocess.STDOUT) + output_stream.seek(0)
+def unbound_known_addresses(): + """ fetch known addresses + :return: list + """ + result = list() + with tempfile.NamedTemporaryFile() as output_stream: + unbound_control(['list_local_data'], output_stream) + for line in output_stream.read().split('\n'): + parts = line.split() + if len(parts) > 4 and parts[3] == 'A': + result.append(parts[4]) + print result + return result
+# parse input params +app_params = {'pid': '/var/run/unbound_dhcpd.pid', + 'domain': 'local', + 'target': '/etc/unbound/dhcpleases.conf', + 'background': '1'} +params.update_params(app_params)
+def main(): + # cleanup interval (seconds) + cleanup_interval = 60
+ # All times in the lease database are in Coordinated Universal Time (UTC), not local time! + tzone = 0 + if app_params['background'] <> 1: + print "Add leases for domian:",app_params['domain']
+ # initiate lease watcher and setup cache + dhcpdleases = watcherdhcpd.DHCPDLease() + cached_leases = dict() + known_addresses = unbound_known_addresses()
+ # start watching dhcp leases + last_cleanup = time.time() + while True: + dhcpd_changed = False + if time.daylight <> 0: + utctime = time.time() + time.altzone + else: + utctime = time.time() + time.timezone
+ for lease in dhcpdleases.watch(): + if 'ends' in lease and lease['ends'] > utctime and 'client- hostname' in lease and 'address' in lease: + cached_leases[lease['address']] = lease + dhcpd_changed = True + if app_params['background'] <> 1: + print "IP:",lease['address'],"Hostname:",lease['client- hostname'],"Start:",lease['starts'],"End:",lease['ends']
+ if time.time() - last_cleanup > cleanup_interval: + # cleanup every x seconds + last_cleanup = time.time() + addresses = cached_leases.keys() + for address in addresses: + if cached_leases[address]['ends'] < time.time(): + del cached_leases[address] + dhcpd_changed = True
+ if dhcpd_changed: + # dump dns output to target + with open(app_params['target'], 'w') as unbound_conf: + for address in cached_leases: + unbound_conf.write('local-data-ptr: "%s %s.%s"\n' % (address, + cach ed_leases[address]['client-hostname'], + app_ params['domain']))
+ unbound_conf.write('local-data: "%s.%s IN A %s"\n' % (cached_leases[address]['client-hostname'], + app _params['domain'], + add ress)) + # signal unbound + for address in cached_leases: + if address not in known_addresses: + fqdn = '%s.%s' % (cached_leases[address]['client- hostname'], app_params['domain']) + unbound_control(['local_data', address, 'PTR', fqdn]) + unbound_control(['local_data', fqdn, 'IN A', address]) + known_addresses.append(address) + # wait for next cycle + time.sleep(5)
+# startup +if app_params['background'] == '1': + daemon = Daemonize(app="unbound_dhcpd", pid=app_params['pid'], action=main) + daemon.start() +else: + main() diff --git a/config/unbound/unbound-switch b/config/unbound/unbound-switch new file mode 100755 index 0000000..60eeb89 --- /dev/null +++ b/config/unbound/unbound-switch @@ -0,0 +1,80 @@ +#!/bin/bash +############################################################################# ## +# # +# IPFire.org - A linux based firewall # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +# Description : script to switch the DNS server/proxy in IPfire # +# rerun to easy go back to dnsmasq # +# # +# Author : Marcel Lorenz marcel.lorenz@ipfire.org # +# # +############################################################################# ##
+CGIFILE="/srv/web/ipfire/cgi-bin/services.cgi"
+install_cron_jobs() { +cat > /etc/fcron.weekly/update_unbound_anchor << "EOF" +#!/bin/bash +# allow max all 30 minutes to update files +if [[ $(( (`date +%s` - `stat -L --format %Y /etc/unbound/root.key`) > (30*60) )) != 0 ]]; then + wget -q ftp://ftp.internic.net/domain/named.cache -O /etc/unbound/root.hints + curl -sS -L --compressed "http://pgl.yoyo.org/adservers/serverlist.php?host format=unbound&showintro=0&mimetype=plaintext" > /etc/unbound/blocklists/ad- servers.conf + unbound-anchor +fi +exit 0 +EOF +chmod +x /etc/fcron.weekly/update_unbound_anchor +cat > /etc/fcron.hourly/update_unbound_zone << "EOF" +#!/bin/bash +unbound-zone +EOF +chmod +x /etc/fcron.hourly/update_unbound_zone +}
+# main switch +if [[ -e /etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq ]]; then + echo -e "\033[32mActivate Unbound DNS-proxy at start...\033[0m"; + # autostart symlinks + rm -f /etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq /etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq + mv -f /etc/init.d/network /etc/init.d/network-dnsmasq + mv -f /etc/init.d/network-unbound /etc/init.d/network + # WebIF services.cgi + sed -i "s|$Lang::tr{'dns proxy server'} => 'dnsmasq',.*|$Lang::tr{'dns proxy server'} => 'unbound',|" ${CGIFILE} + install_cron_jobs + /etc/fcron.weekly/update_unbound_anchor + # Stop and start services + /etc/rc.d/init.d/dnsmasq stop + sleep 1 + /etc/rc.d/init.d/unbound start
+else + echo -e "\033[32mActivate dnsmasq DNS-proxy at start...\033[0m"; + # autostart symlinks + ln -sf /etc/rc.d/init.d/dnsmasq /etc/rc.d/init.d/networking/red.up/05-RS- dnsmasq + ln -sf /etc/rc.d/init.d/dnsmasq /etc/rc.d/init.d/networking/red.down/05-RS- dnsmasq + mv -f /etc/init.d/network /etc/init.d/network-unbound + mv -f /etc/init.d/network-dnsmasq /etc/init.d/network + # WebIF services.cgi + sed -i "s|$Lang::tr{'dns proxy server'} => 'unbound',.*|$Lang::tr{'dns proxy server'} => 'dnsmasq',|" ${CGIFILE} + # Stop and start services + /etc/rc.d/init.d/unbound stop + sleep 1 + /etc/rc.d/init.d/dnsmasq start + rm -f /etc/fcron.weekly/update_unbound_anchor /etc/fcron.hourly/update_unbound_zone; +fi +unset CGIFILE +echo -e "\033[32mdone...\033[0m"; +exit 0 +# end of unbound-proxy diff --git a/config/unbound/unbound-zone b/config/unbound/unbound-zone new file mode 100644 index 0000000..9a0de1f --- /dev/null +++ b/config/unbound/unbound-zone @@ -0,0 +1,78 @@ +#!/bin/bash +############################################################################# ## +# # +# IPFire.org - A linux based firewall # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +# Description : small script to create the zone file for ipfire's # +# internal domain (for example ipfire.local) # +# # +# Author : Marcel Lorenz marcel.lorenz@ipfire.org # +# # +############################################################################# ##
+ZONEFILE="/etc/unbound/zones/local.conf" +HOSTSFILE="/var/ipfire/main/hosts"
+eval $(/usr/local/bin/readhash /var/ipfire/main/settings) +eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) +REV_GREEN=$(echo ${GREEN_ADDRESS} |awk -F. '{print $4"."$3"."$2"."$1}')
+# overwrite existing file +cat > ${ZONEFILE} << "EOF" +# This is the automatically created zone file for unbound +# please do not edit this file, use the webinterface to add or remove hosts +# if need more zones, create a new zone file and restart unbound +# +EOF
+# create zone header +echo "# Zone file created at $(date)" >> ${ZONEFILE} +echo "">> ${ZONEFILE} +echo "# zone definition " >> ${ZONEFILE} +echo "private-domain: "${DOMAINNAME}"" >> ${ZONEFILE} +echo "local-zone: "${DOMAINNAME}." static" >> ${ZONEFILE} +echo "local-data: "${HOSTNAME}.${DOMAINNAME}. IN A ${GREEN_ADDRESS}"" >> ${ZONEFILE} +echo "local-data: "wpad.${DOMAINNAME}. IN A ${GREEN_ADDRESS}"" >> ${ZONEFILE} +echo "local-data: "${REV_GREEN}.in-addr.arpa. 10800 IN PTR ${HOSTNAME}.${DOMAINNAME}."" >> ${ZONEFILE}
+# write forward entrys to zone file +echo "" >> ${ZONEFILE} +echo "# Hosts from /var/ipfire/main/hosts" >> ${ZONEFILE}
+while read line +do + if [[ $(echo ${line}|awk -F, '{print $1}') = on ]]; then + IP=$(echo ${line}|awk -F, '{print $2}') + HOST=$(echo ${line}|awk -F, '{print $3}') + DOMAIN=$(echo ${line}|awk -F, '{print $4}') + echo "local-data: "${HOST}.${DOMAIN}. IN A ${IP}"" >> ${ZONEFILE} + fi +done < ${HOSTSFILE}
+# write reverse entrys to zone file +echo "" >> ${ZONEFILE} +echo "# reverse entrys" >> ${ZONEFILE} +while read line +do + if [[ $(echo ${line}|awk -F, '{print $1}') = on ]]; then + IP=$(echo ${line}|awk -F, '{print $2}'|awk -F. '{print $4"."$3"."$2"."$1}') + HOST=$(echo ${line}|awk -F, '{print $3}') + DOMAIN=$(echo ${line}|awk -F, '{print $4}') + echo "local-data: "${IP}.in-addr.arpa. 10800 IN PTR ${HOST}.${DOMAIN}""
${ZONEFILE}
+ fi +done < ${HOSTSFILE} +unset IP HOST DOMAIN REV_GREEN; +exit 0 +# end of unbound-zone diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf new file mode 100644 index 0000000..8dc72e6 --- /dev/null +++ b/config/unbound/unbound.conf @@ -0,0 +1,123 @@ +# +# Unbound configuration file for IPFire +# +# The full documentation is available at: +# https://www.unbound.net/documentation/unbound.conf.html +#
+server:
- # common server options
- chroot: "/etc/unbound"
- username: "unbound"
- pidfile: "/var/run/unbound.pid"
- num-threads: 2
- port: 53
- do-ip4: yes
- do-ip6: no
- do-udp: yes
- do-tcp: yes
- prefetch: yes
- so-reuseport: yes
- cache-min-ttl: 3600
- cache-max-ttl: 86400
- unwanted-reply-threshold: 10000
- do-not-query-localhost: yes
- # logging options
- logfile: "log/unbound.log"
- use-syslog: no
- verbosity: 1
- log-queries: no
- log-time-ascii: yes
- # Unbound Statistics
- statistics-interval: 3600
- statistics-cumulative: yes
- extended-statistics: yes
- # privacy options
- hide-identity: yes
- hide-version: yes
- qname-minimisation: yes
- minimal-responses: yes
- # hardening options (some experimental)
- harden-glue: yes
- harden-large-queries: yes
- harden-dnssec-stripped: yes
- harden-short-bufsize: no
- harden-below-nxdomain: no
- harden-referral-path: no
- harden-algo-downgrade: no
- use-caps-for-id: yes
- # listen on localhost interface
- interface: 127.0.0.1
- # file with ipfire interfaces
- include: "/etc/unbound/interfaces.conf"
- # control which clients are allowed to make (recursive) queries
- access-control: 0.0.0.0/0 refuse
- access-control: 127.0.0.0/8 allow
- access-control: ::0/0 refuse
- access-control: ::1 allow
- access-control: ::ffff:127.0.0.1 allow
- # file with ipfire networks
- include: "/etc/unbound/access.conf"
- # dnssec main options
- val-clean-additional: yes
- val-log-level: 1
- # file with ipfire dnssec configuration
- include: "/etc/unbound/dnssec.conf"
- # DNS Rebinding
- # For DNS Rebinding prevention
- #
- # All these addresses are either private or should not be routable in
the global IPv4 or IPv6 internet.
- # IPv4 Addresses
- private-address: 0.0.0.0/8 # Broadcast address
- private-address: 10.0.0.0/8
- private-address: 127.0.0.0/8 # Loopback Localhost
- private-address: 172.16.0.0/12
- private-address: 192.168.0.0/16
- private-address: 169.254.0.0/16
- private-address: 198.18.0.0/15 # Used for testing inter-network
communications
- private-address: 198.51.100.0/24 # Documentation network TEST-NET-2
- private-address: 203.0.113.0/24 # Documentation network TEST-NET-3
- private-address: 233.252.0.0/24 # Documentation network MCAST-TEST-
NET
- # IPv6 Addresses
- private-address: ::1/128 # Loopback Localhost
- private-address: 2001:db8::/32 # Documentation network IPv6
- private-address: fc00::/8 # Unique local address (ULA) part of
"fc00::/7", not defined yet
- private-address: fd00::/8 # Unique local address (ULA) part of
"fc00::/7", "/48" prefix group
- private-address: fe80::/10 # Link-local address (LLA)
- # file with root servers
- root-hints: "/etc/unbound/root.hints"
- # custom DNS zone files
- include: "/etc/unbound/zones/*.conf"
- # DHCP leases (if configured)
- include: /etc/unbound/dhcpleases.conf
- # Blocklists
- include: "/etc/unbound/blocklists/*.conf"
+# end server config
+# enable remote control only on localhost +remote-control:
- control-enable: yes
- control-use-cert: yes
- control-interface: 127.0.0.1
- server-key-file: "/etc/unbound/unbound_server.key"
- server-cert-file: "/etc/unbound/unbound_server.pem"
- control-key-file: "/etc/unbound/unbound_control.key"
- control-cert-file: "/etc/unbound/unbound_control.pem"
+# end remote control config
+# custom DNS forward config +include: "/etc/unbound/forward.conf" diff --git a/lfs/unbound b/lfs/unbound new file mode 100644 index 0000000..d91c0f9 --- /dev/null +++ b/lfs/unbound @@ -0,0 +1,103 @@ +############################################################################# ## +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007 Michael Tremer & Christian Schmidt # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################# ##
+############################################################################# ## +# Definitions +############################################################################# ##
+include Config
+VER = 1.5.9 +THISAPP = unbound-$(VER) +DL_FILE = $(THISAPP).tar.gz +DL_FROM = $(URL_IPFIRE) +DIR_APP = $(DIR_SRC)/$(THISAPP) +TARGET = $(DIR_INFO)/$(THISAPP) +PROG = unbound +PAK_VER = 1 +DEPS = ""
+############################################################################# ## +# Top-level Rules +############################################################################# ##
+objects = $(DL_FILE)
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+$(DL_FILE)_MD5 = 0cefa62c1690b4db18583db84bff00e3
+install : $(TARGET)
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+md5 : $(subst %,%_MD5,$(objects))
+dist:
- $(PAK)
+############################################################################# ## +# Downloading, checking, md5sum +############################################################################# ##
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
- @$(CHECK)
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
- @$(LOAD)
+$(subst %,%_MD5,$(objects)) :
- @$(MD5)
+############################################################################# ## +# Installation Details +############################################################################# ##
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
- @$(PREBUILD)
- @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && ./configure \
--prefix=/usr \--sysconfdir=/etc \--disable-static \--with-libevent \--with-pyunbound \--with-pidfile=/var/run/unbound.pid- cd $(DIR_APP) && make $(MAKETUNING)
- cd $(DIR_APP) && make install
- mv -v /usr/sbin/unbound-host /usr/bin/
- # add ipfire config
- mkdir -pv /etc/unbound/blocklists
- mv -v /etc/unbound/unbound.conf /etc/unbound/unbound_org.conf
- install -v -m 644 $(DIR_SRC)/config/unbound/*.conf /etc/unbound/
- install -v -m 644 $(DIR_SRC)/config/unbound/root.hints /etc/unbound/
- install -v -m 644 $(DIR_SRC)/config/unbound/root.key /etc/unbound/
- install -v -m 644 $(DIR_SRC)/config/unbound/blocklists/*.conf
/etc/unbound/blocklists/
- install -v -m 644 $(DIR_SRC)/config/unbound/site-packages/*
/usr/lib/python2.7/site-packages/
- install -v -m 754 $(DIR_SRC)/config/unbound/unbound-switch /usr/sbin/
- install -v -m 754 $(DIR_SRC)/config/unbound/unbound-zone /usr/sbin/
- install -v -m 754 $(DIR_SRC)/config/unbound/unbound-dhcpd.py
/usr/sbin/
- install -v -m 754 $(DIR_SRC)/src/initscripts/init.d/unbound
/etc/rc.d/init.d/
- install -v -m 754 $(DIR_SRC)/src/initscripts/init.d/unbound-dhcpd
/etc/rc.d/init.d/
- install -v -m 754 $(DIR_SRC)/src/initscripts/init.d/network-unbound
/etc/rc.d/init.d/
- @rm -rf $(DIR_APP)
- @$(POSTBUILD)
diff --git a/make.sh b/make.sh index a9fac52..74bc06a 100755 --- a/make.sh +++ b/make.sh @@ -870,6 +870,7 @@ buildipfire() { ipfiremake libpciaccess ipfiremake libyajl ipfiremake libvirt + ipfiremake unbound } buildinstaller() { diff --git a/src/initscripts/init.d/network-unbound b/src/initscripts/init.d/network-unbound new file mode 100644 index 0000000..31fe173 --- /dev/null +++ b/src/initscripts/init.d/network-unbound @@ -0,0 +1,114 @@ +#!/bin/sh +######################################################################## +# Begin $rc_base/init.d/network +# +# Description : Network Control Script +# +# Authors : Michael Tremer - mitch@ipfire.org +# +# Version : 01.00 +# +# Notes : Written for IPFire by its team +# +########################################################################
+. /etc/sysconfig/rc +. ${rc_functions} +eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+DO="${1}" +shift
+if [ -n "${1}" ]; then
- ALL=0
- for i in green red blue orange; do
eval "${i}=0"- done
+else
- ALL=1
- for i in green red blue orange; do
eval "${i}=1"- done
+fi
+while [ ! $# = 0 ]; do
- for i in green red blue orange; do
if [ "${i}" == "${1}" ]; theneval "${i}=1"shiftfi- done
+done
+case "${DO}" in
- start)
# Starting interfaces...# GREEN[ "$green" == "1" ] && /etc/rc.d/init.d/networking/greenstart
# BLUE[ "$blue" == "1" ] && [ "$CONFIG_TYPE" = "3" -o"$CONFIG_TYPE" = "4" ] && \
/etc/rc.d/init.d/networking/blue start# ORANGE[ "$orange" == "1" ] && [ "$CONFIG_TYPE" = "2" -o"$CONFIG_TYPE" = "4" ] && \
/etc/rc.d/init.d/networking/orange start# REDif [ "$red" == "1" ]; thenif [ "$CONFIG_TYPE" = "1" -o "$CONFIG_TYPE" = "2" -o"$CONFIG_TYPE" = "3" -o "$CONFIG_TYPE" = "4" ]; then
# Remove possible leftover filesrm -f /var/ipfire/red/{active,device,dial-on-demand,dns1,dns2,local-ipaddress,remote-ipaddress,resolv.conf}
[ "$AUTOCONNECT" == "off" ] ||/etc/rc.d/init.d/networking/red start
fifi/etc/rc.d/init.d/static-routes start[ "${ALL}" == "1" ] && /etc/rc.d/init.d/unbound start;;- stop)
[ "${ALL}" == "1" ] && /etc/rc.d/init.d/unbound stop# Stopping interfaces...# GREEN[ "$green" == "1" ] && /etc/rc.d/init.d/networking/green stop# BLUE[ "$blue" == "1" ] && [ "$CONFIG_TYPE" = "3" -o"$CONFIG_TYPE" = "4" ] && \
/etc/rc.d/init.d/networking/blue stop# ORANGE[ "$orange" == "1" ] && [ "$CONFIG_TYPE" = "2" -o"$CONFIG_TYPE" = "4" ] && \
/etc/rc.d/init.d/networking/orange stop# REDif [ "$red" == "1" ]; thenif [ "$CONFIG_TYPE" = "1" -o "$CONFIG_TYPE" = "2" -o"$CONFIG_TYPE" = "3" -o "$CONFIG_TYPE" = "4" ]; then
/etc/rc.d/init.d/networking/red stopfifiexit 0;;- restart)
for i in green red blue orange; doif [ "${!i}" == "1" ]; thenARGS+=" ${i}"fidone${0} stop ${ARGS}sleep 1${0} start ${ARGS};;- *)
echo "Usage: ${0} {start|stop|restart} [device(s)]"exit 1;;+esac
+# End /etc/rc.d/init.d/network diff --git a/src/initscripts/init.d/unbound b/src/initscripts/init.d/unbound new file mode 100644 index 0000000..8e6881e --- /dev/null +++ b/src/initscripts/init.d/unbound @@ -0,0 +1,178 @@ +#!/bin/sh +# Begin $rc_base/init.d/unbound
+# Description : Unbound DNS resolver boot script for IPfire +# Author : Marcel Lorenz marcel.lorenz@ipfire.org +# +# Comment : This init script additional starts the dhcpd watcher daemon +# if DNS-Update (RFC2136) in web interface enabled
+. /etc/sysconfig/rc +. ${rc_functions}
+if [[ ! -d /run/var ]]; then mkdir /run/var; fi;
+CONTROL_INTERFACE_FILE=1 +CONTROL_ACCESS_FILE=1 +USE_CUSTOM_FORWARDS=0 +ENABLE_DNSSEC=1
+# Unbound daemon pid file +PIDFILE=/var/run/unbound.pid
+# Watcher deamon pid file must be the same in unbound main init script +WAPIDFILE=/var/run/unbound_dhcpd.pid
+function cidr() { + local cidr nbits IFS; + IFS=. read -r i1 i2 i3 i4 <<< ${1} + IFS=. read -r m1 m2 m3 m4 <<< ${2} + cidr=$(printf "%d.%d.%d.%d\n" "$((i1 & m1))" "$((i2 & m2))" "$((i3 & m3))" "$((i4 & m4))") + nbits=0 + IFS=. + for dec in $2 ; do + case $dec in + 255) let nbits+=8;; + 254) let nbits+=7;; + 252) let nbits+=6;; + 248) let nbits+=5;; + 240) let nbits+=4;; + 224) let nbits+=3;; + 192) let nbits+=2;; + 128) let nbits+=1;; + 0);; + *) echo "Error: $dec is not recognised"; exit 1 + esac + done + echo "${cidr}/${nbits}" +}
+case "$1" in
- start)
- if [[ -f ${PIDFILE} ]]; then
- log_warning_msg "Unbound daemon is running with Process ID $(cat
${PIDFILE})"
- else
- eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
- #ARGS="$CUSTOM_ARGS"
- #[ "$DOMAIN_NAME_GREEN" != "" ] && ARGS="$ARGS -s
$DOMAIN_NAME_GREEN"
- echo > /var/ipfire/red/resolv.conf # Clear it
- if [ -e "/var/ipfire/red/dns1" ]; then
- DNS1=$(cat /var/ipfire/red/dns1 2>/dev/null)
- if [ ! -z ${DNS1} ]; then
echo "nameserver ${DNS1}" >> /var/ipfire/red/resolv.confNAMESERVERS="${DNS1} "- fi
- fi
- if [ -e "/var/ipfire/red/dns2" ]; then
- DNS2=$(cat /var/ipfire/red/dns2 2>/dev/null)
- if [ ! -z ${DNS2} ]; then
echo "nameserver ${DNS2}" >> /var/ipfire/red/resolv.confNAMESERVERS+="${DNS2} "- fi
- fi
- # create unbound interfaces.conf
- if [ ${CONTROL_INTERFACE_FILE} = 1 ]; then
echo -n > /etc/unbound/interfaces.conf # Clear it- if [ ! -z ${GREEN_ADDRESS} ]; then
echo "interface: ${GREEN_ADDRESS}" >>/etc/unbound/interfaces.conf
- fi
- if [ ! -z ${BLUE_ADDRESS} ]; then
echo "interface: ${BLUE_ADDRESS}" >>/etc/unbound/interfaces.conf
- fi
if [ ! -z ${ORANGE_ADDRESS} ]; thenecho "interface: ${ORANGE_ADDRESS}" >>/etc/unbound/interfaces.conf
- fi
- fi
- # create unbound access.conf
- if [ ${CONTROL_ACCESS_FILE} = 1 ]; then
- echo -n > /etc/unbound/access.conf # Clear it
- if [ ! -z ${GREEN_ADDRESS} ]; then
echo "access-control: $(cidr ${GREEN_ADDRESS}${GREEN_NETMASK}) allow" >> /etc/unbound/access.conf
- fi
- if [ ! -z ${BLUE_ADDRESS} ]; then
echo "access-control: $(cidr ${BLUE_ADDRESS} ${BLUE_NETMASK})allow" >> /etc/unbound/access.conf
- fi
- if [ ! -z ${ORANGE_ADDRESS} ]; then
echo "access-control: $(cidr ${ORANGE_ADDRESS}${ORANGE_NETMASK}) allow" >> /etc/unbound/access.conf
- fi
- fi
- # create unbound dnssec.conf
- echo -n > /etc/unbound/dnssec.conf # Clear it
- if [ ${ENABLE_DNSSEC} = 1 ]; then
- echo " # dessec enabled per default" >>
/etc/unbound/dnssec.conf
- echo " # no necessary config options in this file" >>
/etc/unbound/dnssec.conf
- else
- echo " # dnssec now disabled" >>
/etc/unbound/dnssec.conf
- echo " module-config: iterator" >>
/etc/unbound/dnssec.conf
- echo " val-permissive-mode: yes" >>
/etc/unbound/dnssec.conf
- fi
- # create zone file for internal ipfire domain
- unbound-zone
- boot_mesg "Starting Unbound DNS proxy..."
- unbound-anchor
- loadproc /usr/sbin/unbound
- # start dhcpd watcher daemon if DNS-Update (RFC2136) activated
- eval $(/usr/local/bin/readhash /var/ipfire/dhcp/settings)
- if [[ ${DNS_UPDATE_ENABLED} = on && ! -f ${WAPIDFILE} ]]; then
- /etc/rc.d/init.d/unbound-dhcpd start
- fi
- # use setup configured DNS servers
- if [ "${USE_CUSTOM_FORWARDS}" -eq 0 ]; then
- unbound-control forward_add +i . ${NAMESERVERS} &> /dev/null
- fi;
- FORWADRS=$(unbound-control list_forwards |sed 's|. IN forward
||g'|sed 's|+i ||g')
- if [ "${USE_CUSTOM_FORWARDS}" -eq 0 ]; then
- boot_mesg "Using DNS server(s): ${FORWADRS}"
- else
- boot_mesg "Using custom DNS server(s): ${FORWADRS}"
- fi
- if [ ${ENABLE_DNSSEC} = 1 ]; then
- boot_mesg "DNSSEC is enabled!"
- else
- boot_mesg "DNSSEC is disabled!"
- fi
- fi
- ;;
- stop)
- if [[ -f ${PIDFILE} ]]; then
- # stop dhcpd watcher daemon if activted
- if [[ -f ${WAPIDFILE} ]]; then
- /etc/rc.d/init.d/unbound-dhcpd stop
- fi
- # stop Unbound daemon
- boot_mesg "Stopping Unbound DNS proxy..."
- killproc -p "/var/run/unbound.pid" /usr/sbin/unbound
- else
- log_warning_msg "Unbound daemon is not running..."
- fi
- ;;
- restart)
- $0 stop
- sleep 1
- $0 start
- ;;
- status)
- statusproc /usr/sbin/unbound
- ;;
- *)
- echo "Usage: $0 {start|stop|restart|status}"
- exit 1
- ;;
+esac
+# End $rc_base/init.d/unbound diff --git a/src/initscripts/init.d/unbound-dhcpd b/src/initscripts/init.d/unbound-dhcpd new file mode 100644 index 0000000..4c24a3c --- /dev/null +++ b/src/initscripts/init.d/unbound-dhcpd @@ -0,0 +1,61 @@ +#!/bin/sh +# Begin $rc_base/init.d/unbound-dhcpd
+# Description : Unbound dhcpd lease file wachter daemon boot script for IPFire +# Author : Marcel Lorenz marcel.lorenz@ipfire.org
+. /etc/sysconfig/rc +. $rc_functions
+PIDFILE=/var/run/unbound_dhcpd.pid +SETFILE=/var/ipfire/main/settings
+case "$1" in
- start)
if [[ -f ${PIDFILE} ]]; thenlog_warning_msg "Unbound dhcpd watcher daemon is runningwith Process ID $(cat ${PIDFILE})"
elseeval $(/usr/local/bin/readhash ${SETFILE})boot_mesg "Starting Unbound dhcpd watcher deamon..."loadproc /usr/bin/python /usr/sbin/unbound-dhcpd.py /domain${DOMAINNAME} /pid ${PIDFILE}
fi;;- stop)
if [[ -f ${PIDFILE} ]]; thenboot_mesg "Stopping Unbound dhcpd watcher deamon..."kill $(/bin/cat ${PIDFILE})sleep 1if [[ -f ${PIDFILE} ]]; thenecho_failureelseecho_okfielselog_warning_msg "Unbound dhcpd watcher daemon is notrunning..."
fi;;- restart)
$0 stopsleep 1$0 start;;- status)
if [[ -f "$PIDFILE" ]]; thenecho -e "\\033[1;36mUnbound dhcpd watcher daemon is runningwith Process ID $(cat ${PIDFILE})\033[0;39m"
exit 0elseecho -e "\\033[1;36mUnbound dhcpd watcher daemon is notrunning...\033[0;39m"
exit 0fi;;- *)
echo "Usage: $0 {start|stop|restart|status}"exit 1;;+esac
+# End $rc_base/init.d/unbound-dhcpd \ No newline at end of file diff --git a/src/paks/unbound/install.sh b/src/paks/unbound/install.sh new file mode 100644 index 0000000..84c93f3 --- /dev/null +++ b/src/paks/unbound/install.sh @@ -0,0 +1,70 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 2 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2016 IPFire-Team info@ipfire.org. # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +extract_files +restore_backup ${NAME}
+# add unbound user and group +groupadd -g 85 unbound +useradd -c "Unbound DNS resolver" -d /var/lib/unbound -u 85 -g unbound -s /bin/false unbound
+# create config subdir's +mkdir -pv /etc/unbound/log /etc/unbound/zones /var/log/unbound +chown unbound:unbound -R /var/log/unbound/ /etc/unbound/log/;
+echo "Add logrotate config for unbound now..." +LOGROTATE=$(grep -A 1 '/var/log/unbound/unbound.log' /etc/logrotate.conf) +if [[ ! "${LOGROTATE}" ]]; then +cat >> /etc/logrotate.conf << "EOF" +# Unbound +/var/log/unbound/unbound.log { + daily + rotate 30 + copytruncate + compress + missingok + prerotate + /bin/mv -f /etc/unbound/log/unbound.log /var/log/unbound/unbound.log + /usr/sbin/unbound-control log_reopen &> /dev/null + endscript +}
+EOF +touch /etc/unbound/dhcpleases.conf +touch /var/log/unbound/unbound.log +chown unbound:unbound /var/log/unbound/unbound.log +fi
+# create link to current logfile +ln -svf /etc/unbound/log/unbound.log /var/log/unbound/current.log
+# create remote control key files and set rights +/usr/sbin/unbound-control-setup &> /dev/null +chown unbound:unbound /etc/unbound/{unbound_control.*,unbound_server.*,root.key,root.hints}
+# at last switch the DNS-Resolver to unbound +/usr/sbin/unbound-switch
+unset LOGROTATE +exit 0 diff --git a/src/paks/unbound/uninstall.sh b/src/paks/unbound/uninstall.sh new file mode 100644 index 0000000..fc39f9f --- /dev/null +++ b/src/paks/unbound/uninstall.sh @@ -0,0 +1,27 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 2 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2007 IPFire-Team info@ipfire.org. # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +/usr/sbin/resolver.sh +make_backup ${NAME} +remove_files diff --git a/src/paks/unbound/update.sh b/src/paks/unbound/update.sh new file mode 100644 index 0000000..89c40d0 --- /dev/null +++ b/src/paks/unbound/update.sh @@ -0,0 +1,26 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 2 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2007 IPFire-Team info@ipfire.org. # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +./uninstall.sh +./install.sh