This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, master has been updated
       via  b3bc092dad71cf4034d6f0d59708cfa47e8a3404 (commit)
       via  233141c6c9983b39a2d385f781e0d787b8f315de (commit)
       via  9700617aeb4051f845e3f261da2829201a2b6fe9 (commit)
       via  0f0f3ae7dc5da502c1aaf4bb295778d7657a0af5 (commit)
       via  e737776db5edaca90a22c7aaeb11e8fbb7c0d9fa (commit)
       via  80bed5817d176e728cca6077dcefa7821f5c16ef (commit)
       via  0bdb63924b13d4e47db7cd03c6714cdfdd9280a9 (commit)
       via  a344d3c902417a21b619c6e4f2a1aaf38e3044fe (commit)
      from  e53c38aea14132da0fff15655735f673aab33c4a (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit b3bc092dad71cf4034d6f0d59708cfa47e8a3404
Author: Arne Fitzenreiter <arne_f@ipfire.org>
Date:   Thu Mar 5 05:54:09 2020 +0000
core142: start suricata before unbound after update
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
commit 233141c6c9983b39a2d385f781e0d787b8f315de
Author: Arne Fitzenreiter <arne_f@ipfire.org>
Date:   Wed Mar 4 21:49:05 2020 +0000
core142: add unbound.conf to updater
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
commit 9700617aeb4051f845e3f261da2829201a2b6fe9
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Wed Mar 4 21:11:53 2020 +0000
unbound: Disable using mixed case for DNS queries
This seems to cause some resolvers to stop responding to queries until unbound falls back.
To ensure better DNS performance, we disabled this.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
commit 0f0f3ae7dc5da502c1aaf4bb295778d7657a0af5
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Wed Mar 4 21:11:52 2020 +0000
unbound: Only launch one process
When unbound is running multiple threads, we have observed that queries were sent for each thread.
Since no user should have so much DNS traffic that more than one processor core is being saturated, this is a safe change.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
commit e737776db5edaca90a22c7aaeb11e8fbb7c0d9fa
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Mon Jan 20 19:36:00 2020 +0000
unbound.conf: Do not set defaults explicitly
In order to keep configuration files small and easy to review/audit, omitting defaults makes more sense than configuring them explicitly (I have changed my mind here).
Unbound comes with a good default configuration, and we should only make changes when they are necessary. In addition, this patch updates the documentation's URL to the current one.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
commit 80bed5817d176e728cca6077dcefa7821f5c16ef
Author: Arne Fitzenreiter <arne_f@ipfire.org>
Date:   Wed Mar 4 21:38:24 2020 +0000
dns.cgi: restart suricata before unbound reload
If unbound is reloaded, it starts a bunch of DNS queries, so suricata needs to know which servers should be used.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
commit 0bdb63924b13d4e47db7cd03c6714cdfdd9280a9
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Wed Mar 4 10:44:50 2020 +0000
backup: Fix saving DNS settings
There was a typo in /var/ipfire/dns/servers and the settings file was not explicitly included in the backup.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
commit a344d3c902417a21b619c6e4f2a1aaf38e3044fe
Author: Arne Fitzenreiter <arne_f@ipfire.org>
Date:   Wed Mar 4 08:52:56 2020 +0100
unbound/red.up: run unbound update-forwarders after suricata init.
The old suricata instance blocks dns requests if the red ip has changed.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
 config/backup/include                                 |  2 +-
 config/rootfiles/common/aarch64/initscripts           |  2 +-
 config/rootfiles/common/armv5tel/initscripts          |  2 +-
 config/rootfiles/common/i586/initscripts              |  2 +-
 config/rootfiles/common/x86_64/initscripts            |  2 +-
 config/rootfiles/core/142/filelists/files             |  1 +
 config/rootfiles/core/142/update.sh                   |  8 ++++----
 config/unbound/unbound.conf                           | 23 ++--------------------
 html/cgi-bin/dns.cgi                                  |  5 ++---
 ...ate-dns-forwarders => 25-update-dns-forwarders}    |  0
 src/initscripts/system/unbound                        | 19 ------------------
 11 files changed, 14 insertions(+), 52 deletions(-)
 rename src/initscripts/networking/red.up/{22-update-dns-forwarders => 25-update-dns-forwarders} (100%)
Difference in files: diff --git a/config/backup/include b/config/backup/include index d33dcf099..0153272f7 100644 --- a/config/backup/include +++ b/config/backup/include @@ -31,7 +31,7 @@ /var/ipfire/*/*.conf /var/ipfire/*/config /var/ipfire/dhcp/* -/var/ipfire/dns/server +/var/ipfire/dns /var/ipfire/dnsforward/* /var/ipfire/*/enable /var/ipfire/*/*enable* diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts index 3c8dfc70a..4f7465791 100644 --- a/config/rootfiles/common/aarch64/initscripts +++ b/config/rootfiles/common/aarch64/initscripts @@ -54,9 +54,9 @@ etc/rc.d/init.d/networking/red.up/10-miniupnpd etc/rc.d/init.d/networking/red.up/10-multicast etc/rc.d/init.d/networking/red.up/10-static-routes etc/rc.d/init.d/networking/red.up/20-firewall -etc/rc.d/init.d/networking/red.up/22-update-dns-forwarders etc/rc.d/init.d/networking/red.up/23-suricata etc/rc.d/init.d/networking/red.up/24-RS-qos +etc/rc.d/init.d/networking/red.up/25-update-dns-forwarders etc/rc.d/init.d/networking/red.up/27-RS-squid etc/rc.d/init.d/networking/red.up/30-ddns #etc/rc.d/init.d/networking/red.up/35-guardian diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts index 3c8dfc70a..4f7465791 100644 --- a/config/rootfiles/common/armv5tel/initscripts +++ b/config/rootfiles/common/armv5tel/initscripts @@ -54,9 +54,9 @@ etc/rc.d/init.d/networking/red.up/10-miniupnpd etc/rc.d/init.d/networking/red.up/10-multicast etc/rc.d/init.d/networking/red.up/10-static-routes etc/rc.d/init.d/networking/red.up/20-firewall -etc/rc.d/init.d/networking/red.up/22-update-dns-forwarders etc/rc.d/init.d/networking/red.up/23-suricata etc/rc.d/init.d/networking/red.up/24-RS-qos +etc/rc.d/init.d/networking/red.up/25-update-dns-forwarders etc/rc.d/init.d/networking/red.up/27-RS-squid etc/rc.d/init.d/networking/red.up/30-ddns #etc/rc.d/init.d/networking/red.up/35-guardian 
diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts index 3f56c49cc..9db445a69 100644 --- a/config/rootfiles/common/i586/initscripts +++ b/config/rootfiles/common/i586/initscripts @@ -54,9 +54,9 @@ etc/rc.d/init.d/networking/red.up/10-miniupnpd etc/rc.d/init.d/networking/red.up/10-multicast etc/rc.d/init.d/networking/red.up/10-static-routes etc/rc.d/init.d/networking/red.up/20-firewall -etc/rc.d/init.d/networking/red.up/22-update-dns-forwarders etc/rc.d/init.d/networking/red.up/23-suricata etc/rc.d/init.d/networking/red.up/24-RS-qos +etc/rc.d/init.d/networking/red.up/25-update-dns-forwarders etc/rc.d/init.d/networking/red.up/27-RS-squid etc/rc.d/init.d/networking/red.up/30-ddns #etc/rc.d/init.d/networking/red.up/35-guardian diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts index 3f56c49cc..9db445a69 100644 --- a/config/rootfiles/common/x86_64/initscripts +++ b/config/rootfiles/common/x86_64/initscripts @@ -54,9 +54,9 @@ etc/rc.d/init.d/networking/red.up/10-miniupnpd etc/rc.d/init.d/networking/red.up/10-multicast etc/rc.d/init.d/networking/red.up/10-static-routes etc/rc.d/init.d/networking/red.up/20-firewall -etc/rc.d/init.d/networking/red.up/22-update-dns-forwarders etc/rc.d/init.d/networking/red.up/23-suricata etc/rc.d/init.d/networking/red.up/24-RS-qos +etc/rc.d/init.d/networking/red.up/25-update-dns-forwarders etc/rc.d/init.d/networking/red.up/27-RS-squid etc/rc.d/init.d/networking/red.up/30-ddns #etc/rc.d/init.d/networking/red.up/35-guardian diff --git a/config/rootfiles/core/142/filelists/files b/config/rootfiles/core/142/filelists/files index 0ac4861cd..11daea4b5 100644 --- a/config/rootfiles/core/142/filelists/files +++ b/config/rootfiles/core/142/filelists/files @@ -2,6 +2,7 @@ etc/system-release etc/issue srv/web/ipfire/cgi-bin/credits.cgi var/ipfire/langs +etc/unbound/unbound.conf etc/rc.d/helper/aws-setup etc/rc.d/helper/azure-setup etc/rc.d/init.d/unbound 
diff --git a/config/rootfiles/core/142/update.sh b/config/rootfiles/core/142/update.sh index dd1377c1c..e46bdf2ea 100644 --- a/config/rootfiles/core/142/update.sh +++ b/config/rootfiles/core/142/update.sh @@ -97,9 +97,9 @@ rm -f /etc/rc.d/init.d/networking/red.down/05-*-dns-forwarders # Extract files extract_files
-# move update forwarders below firewall -mv -f /etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders \ - /etc/rc.d/init.d/networking/red.up/22-update-dns-forwarders +# move update forwarders below suricata +mv -f /etc/rc.d/init.d/networking/red.up/*-update-dns-forwarders \ + /etc/rc.d/init.d/networking/red.up/25-update-dns-forwarders
# update linker config ldconfig @@ -126,8 +126,8 @@ done /usr/local/bin/filesystem-cleanup
# Start services -/etc/init.d/unbound restart /etc/init.d/suricata start +/etc/init.d/unbound restart /etc/init.d/squid start
# remove lm_sensor config after collectd was started diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index 24822ee67..3aab6ea46 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -2,7 +2,7 @@ # Unbound configuration file for IPFire # # The full documentation is available at: -# https://www.unbound.net/documentation/unbound.conf.html +# https://nlnetlabs.nl/documentation/unbound/unbound.conf/ #
server: @@ -10,26 +10,17 @@ server: chroot: "" directory: "/etc/unbound" username: "nobody" - port: 53 - do-ip4: yes do-ip6: no - do-udp: yes - do-tcp: yes - so-reuseport: yes - do-not-query-localhost: yes
# System Tuning include: "/etc/unbound/tuning.conf"
# Logging Options - verbosity: 1 use-syslog: yes log-time-ascii: yes - log-queries: no
# Unbound Statistics statistics-interval: 86400 - statistics-cumulative: yes extended-statistics: yes
# Prefetching @@ -42,26 +33,16 @@ server: # Privacy Options hide-identity: yes hide-version: yes - qname-minimisation: yes - minimal-responses: yes
# DNSSEC auto-trust-anchor-file: "/var/lib/unbound/root.key" - val-permissive-mode: no - val-clean-additional: yes val-log-level: 1 + log-servfail: yes
# Hardening Options - harden-glue: yes - harden-short-bufsize: no harden-large-queries: yes - harden-dnssec-stripped: yes - harden-below-nxdomain: yes harden-referral-path: yes - harden-algo-downgrade: no - use-caps-for-id: yes aggressive-nsec: yes - qname-minimisation: yes
# TLS tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt diff --git a/html/cgi-bin/dns.cgi b/html/cgi-bin/dns.cgi index 09fd50206..676d95f8a 100755 --- a/html/cgi-bin/dns.cgi +++ b/html/cgi-bin/dns.cgi @@ -815,9 +815,6 @@ END
# Private function to handle the restart of unbound and more. sub _handle_unbound_and_more () { - # Restart unbound - system('/usr/local/bin/unboundctrl reload >/dev/null'); - # Check if the IDS is running. if(&IDS::ids_is_running()) { # Re-generate the file which contains the DNS Server @@ -827,6 +824,8 @@ sub _handle_unbound_and_more () { # Call suricatactrl to perform a reload. &IDS::call_suricatactrl("restart"); } + # Restart unbound + system('/usr/local/bin/unboundctrl reload >/dev/null'); }
# Check if the system is online (RED is connected). diff --git a/src/initscripts/networking/red.up/22-update-dns-forwarders b/src/initscripts/networking/red.up/25-update-dns-forwarders similarity index 100% rename from src/initscripts/networking/red.up/22-update-dns-forwarders rename to src/initscripts/networking/red.up/25-update-dns-forwarders diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound index c845c436f..1cf26ec0e 100644 --- a/src/initscripts/system/unbound +++ b/src/initscripts/system/unbound @@ -191,15 +191,6 @@ write_forward_conf() { write_tuning_conf() { # https://www.unbound.net/documentation/howto_optimise.html
- # Determine number of online processors - local processors=$(getconf _NPROCESSORS_ONLN) - - # Determine number of slabs - local slabs=1 - while [ ${slabs} -lt ${processors} ]; do - slabs=$(( ${slabs} * 2 )) - done - # Determine amount of system memory local mem=$(get_memory_amount)
@@ -234,16 +225,6 @@ write_tuning_conf() { ( config_header
- # We run one thread per processor - echo "num-threads: ${processors}" - echo "so-reuseport: yes" - - # Adjust number of slabs - echo "infra-cache-slabs: ${slabs}" - echo "key-cache-slabs: ${slabs}" - echo "msg-cache-slabs: ${slabs}" - echo "rrset-cache-slabs: ${slabs}" - # Slice up the cache echo "rrset-cache-size: $(( ${mem} / 2 ))m" echo "msg-cache-size: $(( ${mem} / 4 ))m"
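Review bot: in the config/backup/include hunk the new entry `/var/ipfire/dns` has no trailing `/*`, unlike the neighbouring entries `/var/ipfire/dhcp/*` and `/var/ipfire/dnsforward/*`; if the include list is consumed as glob patterns, a bare directory entry may be treated differently from its contents, so either write `/var/ipfire/dns/*` for consistency or confirm the backup script handles a directory entry. The commit message should also say that the whole directory is now backed up, not just the corrected `servers` file.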
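Review bot: the glob in the first update.sh hunk, `mv -f /etc/rc.d/init.d/networking/red.up/*-update-dns-forwarders ... /25-update-dns-forwarders`, can expand to more than one file: the preceding `rm -f` only clears red.down, so if `extract_files` has already placed 25-update-dns-forwarders next to an older 05- or 22- copy, mv receives several sources and a non-directory target and aborts with "target is not a directory". Prefer the explicit old name as the previous version did, or loop over the matches and delete every name other than 25-update-dns-forwarders.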
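Review bot: in the second config/unbound/unbound.conf hunk, `statistics-cumulative: yes` is removed under the "do not set defaults explicitly" rationale, but Unbound's default for that option is `no`, so counters will now be cleared after every statistics-interval; keep the line (or state the behaviour change in the message). The same hunk adds `log-servfail: yes`, a non-default setting that neither commit message mentions, and drops `use-caps-for-id: yes`, which is the actual "disable mixed case" change; a one-line note per setting in the message would make the combined diff easier to audit.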
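Review bot: in the html/cgi-bin/dns.cgi hunk the moved block's comment still reads `# Restart unbound` while the command is `unboundctrl reload`, and the return value of `system(...)` is discarded, so a failed reload after the IDS restart is invisible to the caller; suggest `# Reload unbound` and checking `system(...) == 0` (or logging the failure) now that the reload is the last step of `_handle_unbound_and_more`.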
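Review bot: the first src/initscripts/system/unbound hunk sits under the context comment `# https://www.unbound.net/documentation/howto_optimise.html`, while config/unbound/unbound.conf in this same push moves its documentation link to nlnetlabs.nl; update this URL too so the initscript does not keep pointing at the old domain.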
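Review bot: with the second src/initscripts/system/unbound hunk, tuning.conf no longer contains any `num-threads` or `*-cache-slabs` line, so the decision to run a single process (and to accept Unbound's default slab count) lives only in commit 0f0f3ae7's message; add a short comment in `write_tuning_conf` next to the remaining cache-size lines explaining that num-threads is deliberately left at the default, so a later tuning pass does not reintroduce the per-processor threads.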
hooks/post-receive -- IPFire 2.x development tree