author | Chris Buechler <cmb@pfsense.org> | 2014-11-27 22:10:48 -0600 |
---|---|---|
committer | Chris Buechler <cmb@pfsense.org> | 2014-11-27 22:10:48 -0600 |
commit | f8f5ba1a1f9f15b3fc7e1fb3a806ed40daeb9023 (patch) | |
tree | 776cca7ecee2f252453586a6696f927c0a38ddc2 /etc/inc/unbound.inc | |
parent | 5d4b88306803580646d2e6cfcf11535e6899a387 (diff) | |
download | pfsense-f8f5ba1a1f9f15b3fc7e1fb3a806ed40daeb9023.zip pfsense-f8f5ba1a1f9f15b3fc7e1fb3a806ed40daeb9023.tar.gz |
Add option to disable auto-added access-control entries for users who want to manually manage ACLs. Ticket #4023
Diffstat (limited to 'etc/inc/unbound.inc')
-rw-r--r-- | etc/inc/unbound.inc | 78 |
1 files changed, 40 insertions, 38 deletions
diff --git a/etc/inc/unbound.inc b/etc/inc/unbound.inc
index acc803b..e7f12f0 100644
--- a/etc/inc/unbound.inc
+++ b/etc/inc/unbound.inc
@@ -593,47 +593,49 @@ EOF; function unbound_acls_config() { global $g, $config; - $aclcfg = "access-control: 127.0.0.1/32 allow\n"; - $aclcfg .= "access-control: ::1 allow\n"; - // Add our networks for active interfaces including localhost - if (!empty($config['unbound']['active_interface'])) - $active_interfaces = array_flip(explode(",", $config['unbound']['active_interface'])); - else - $active_interfaces = get_configured_interface_with_descr(); - - $bindints = ""; - foreach($active_interfaces as $ubif => $ifdesc) { - $ifip = get_interface_ip($ubif); - if (is_ipaddrv4($ifip)) { - // IPv4 is handled via NAT networks below - continue; - } - $ifip = get_interface_ipv6($ubif); - if (is_ipaddrv6($ifip)) { - $subnet_bits = get_interface_subnetv6($ubif); - $subnet_ip = gen_subnetv6($ifip, $subnet_bits); - $aclcfg .= "access-control: {$subnet_ip}/{$subnet_bits} allow\n"; - // add for IPv6 static routes to local networks - // for safety, we include only routes reachable on an interface with no - // gateway specified - read: not an Internet connection. 
- $static_routes = get_staticroutes(); - foreach ($static_routes as $route) { - if ((lookup_gateway_interface_by_name($route['gateway']) == $ubif) && !interface_has_gateway($ubif)) { - // route is on this interface, interface doesn't have gateway, add it - $aclcfg .= "access-control: {$route['network']} allow\n"; + if (!isset($config['unbound']['disable_auto_added_access_control'])) { + $aclcfg = "access-control: 127.0.0.1/32 allow\n"; + $aclcfg .= "access-control: ::1 allow\n"; + // Add our networks for active interfaces including localhost + if (!empty($config['unbound']['active_interface'])) + $active_interfaces = array_flip(explode(",", $config['unbound']['active_interface'])); + else + $active_interfaces = get_configured_interface_with_descr(); + + $bindints = ""; + foreach($active_interfaces as $ubif => $ifdesc) { + $ifip = get_interface_ip($ubif); + if (is_ipaddrv4($ifip)) { + // IPv4 is handled via NAT networks below + continue; + } + $ifip = get_interface_ipv6($ubif); + if (is_ipaddrv6($ifip)) { + $subnet_bits = get_interface_subnetv6($ubif); + $subnet_ip = gen_subnetv6($ifip, $subnet_bits); + $aclcfg .= "access-control: {$subnet_ip}/{$subnet_bits} allow\n"; + // add for IPv6 static routes to local networks + // for safety, we include only routes reachable on an interface with no + // gateway specified - read: not an Internet connection. 
+ $static_routes = get_staticroutes(); + foreach ($static_routes as $route) { + if ((lookup_gateway_interface_by_name($route['gateway']) == $ubif) && !interface_has_gateway($ubif)) { + // route is on this interface, interface doesn't have gateway, add it + $aclcfg .= "access-control: {$route['network']} allow\n"; + } } } } - } - - // Generate IPv4 access-control entries using the same logic as automatic outbound NAT - if (empty($FilterIflist)) { - filter_generate_optcfg_array(); - } - $natnetworks_array = array(); - $natnetworks_array = filter_nat_rules_automatic_tonathosts(); - foreach ($natnetworks_array as $allowednet) { - $aclcfg .= "access-control: $allowednet allow \n"; + + // Generate IPv4 access-control entries using the same logic as automatic outbound NAT + if (empty($FilterIflist)) { + filter_generate_optcfg_array(); + } + $natnetworks_array = array(); + $natnetworks_array = filter_nat_rules_automatic_tonathosts(); + foreach ($natnetworks_array as $allowednet) { + $aclcfg .= "access-control: $allowednet allow \n"; + } } // Configure the custom ACLs |
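Review bot: `$aclcfg` is now only assigned inside the `if (!isset($config['unbound']['disable_auto_added_access_control']))` branch, so when the option is set the function reaches the `// Configure the custom ACLs` section (which continues past the end of this hunk) with `$aclcfg` undefined; if that section appends with `.=` as the rest of this function does, that is an undefined-variable notice and the emitted ACL block depends on whatever PHP coerces the missing value to. Initialise it unconditionally before the branch, `$aclcfg = "";`, and turn the first loopback entry into `$aclcfg .= "access-control: 127.0.0.1/32 allow\n";`. Since this is an access boundary, a comment at the option check would help the next maintainer: `// With auto-added ACLs disabled nothing is emitted here, not even the loopback allow entries; the custom ACL list below is the only thing granting clients access.` Two pre-existing oddities were carried over in the re-indented block and could be tidied at the same time: `$bindints = "";` is never read, and `empty($FilterIflist)` tests a local that is never declared `global` (the function only declares `global $g, $config;`), so `filter_generate_optcfg_array()` appears to run on every call.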