author | Chris Buechler <cmb@pfsense.org> | 2014-11-26 01:00:52 -0600 |
---|---|---|
committer | Chris Buechler <cmb@pfsense.org> | 2014-11-26 01:00:52 -0600 |
commit | e3045c51fcc069f084291b60f735d982c3dbf74d (patch) | |
tree | eb7cc37491d8d4a6632df9d2e9c8f9c22324222a /etc/inc/unbound.inc | |
parent | edee528c53d3927aaaa8c3ab52594338afc4c08b (diff) | |
include Unbound access-control entries for local IPv6 networks reachable via static route. Ticket #4023
Diffstat (limited to 'etc/inc/unbound.inc')
-rw-r--r-- | etc/inc/unbound.inc | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/etc/inc/unbound.inc b/etc/inc/unbound.inc
index 05667ad..513b53c 100644
--- a/etc/inc/unbound.inc
+++ b/etc/inc/unbound.inc
@@ -600,9 +600,20 @@ function unbound_acls_config() {
 $subnet_bits = get_interface_subnetv6($ubif);
 $subnet_ip = gen_subnetv6($ifip, $subnet_bits);
 $aclcfg .= "access-control: {$subnet_ip}/{$subnet_bits} allow\n";
+ // add for IPv6 static routes to local networks
+ // for safety, we include only routes reachable on an interface with no
+ // gateway specified - read: not an Internet connection.
+ $static_routes = get_staticroutes();
+ foreach ($static_routes as $route) {
+ if ((lookup_gateway_interface_by_name($route['gateway']) == $ubif) && !interface_has_gateway($ubif)) {
+ // route is on this interface, interface doesn't have gateway, add it
+ $aclcfg .= "access-control: {$route['network']} allow\n";
+ }
+ }
 }
 }
+ // Generate IPv4 access-control entries using the same logic as automatic outbound NAT
 if (empty($FilterIflist)) {
 filter_generate_optcfg_array();
 }
|
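Review bot: The added foreach is described as "IPv6 static routes", but the condition never checks the route's address family, so any IPv4 static route on a gateway-less interface is also emitted as an allow entry here, inside the IPv6 pass, and the IPv4 pass that follows may emit it a second time; the intent reads as `if (is_subnetv6($route['network']) && (lookup_gateway_interface_by_name($route['gateway']) == $ubif) && !interface_has_gateway($ubif)) {`. Because every accepted route widens the set of clients the resolver answers, it is also worth confirming whether a disabled static route (if the config carries such a flag for routes) should be skipped rather than allowed. `interface_has_gateway($ubif)` and `get_staticroutes()` do not depend on `$route`, so both can be evaluated once per interface before the loop instead of per route, and `===` would avoid the loose comparison against a `false` result from the gateway lookup. The enclosing `unbound_acls_config()` starts outside this hunk.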