authorChris Buechler <cmb@pfsense.org>2014-11-27 22:10:48 -0600
committerChris Buechler <cmb@pfsense.org>2014-11-27 22:10:48 -0600
commitf8f5ba1a1f9f15b3fc7e1fb3a806ed40daeb9023 (patch)
tree776cca7ecee2f252453586a6696f927c0a38ddc2 /etc/inc/unbound.inc
parent5d4b88306803580646d2e6cfcf11535e6899a387 (diff)
downloadpfsense-f8f5ba1a1f9f15b3fc7e1fb3a806ed40daeb9023.zip
pfsense-f8f5ba1a1f9f15b3fc7e1fb3a806ed40daeb9023.tar.gz
Add option to disable auto-added access-control entries for users who want to manually manage ACLs. Ticket #4023
Diffstat (limited to 'etc/inc/unbound.inc')
-rw-r--r--etc/inc/unbound.inc78
1 files changed, 40 insertions, 38 deletions
diff --git a/etc/inc/unbound.inc b/etc/inc/unbound.inc
index acc803b..e7f12f0 100644
--- a/etc/inc/unbound.inc
+++ b/etc/inc/unbound.inc
@@ -593,47 +593,49 @@ EOF;
function unbound_acls_config() {
global $g, $config;
- $aclcfg = "access-control: 127.0.0.1/32 allow\n";
- $aclcfg .= "access-control: ::1 allow\n";
- // Add our networks for active interfaces including localhost
- if (!empty($config['unbound']['active_interface']))
- $active_interfaces = array_flip(explode(",", $config['unbound']['active_interface']));
- else
- $active_interfaces = get_configured_interface_with_descr();
-
- $bindints = "";
- foreach($active_interfaces as $ubif => $ifdesc) {
- $ifip = get_interface_ip($ubif);
- if (is_ipaddrv4($ifip)) {
- // IPv4 is handled via NAT networks below
- continue;
- }
- $ifip = get_interface_ipv6($ubif);
- if (is_ipaddrv6($ifip)) {
- $subnet_bits = get_interface_subnetv6($ubif);
- $subnet_ip = gen_subnetv6($ifip, $subnet_bits);
- $aclcfg .= "access-control: {$subnet_ip}/{$subnet_bits} allow\n";
- // add for IPv6 static routes to local networks
- // for safety, we include only routes reachable on an interface with no
- // gateway specified - read: not an Internet connection.
- $static_routes = get_staticroutes();
- foreach ($static_routes as $route) {
- if ((lookup_gateway_interface_by_name($route['gateway']) == $ubif) && !interface_has_gateway($ubif)) {
- // route is on this interface, interface doesn't have gateway, add it
- $aclcfg .= "access-control: {$route['network']} allow\n";
+ if (!isset($config['unbound']['disable_auto_added_access_control'])) {
+ $aclcfg = "access-control: 127.0.0.1/32 allow\n";
+ $aclcfg .= "access-control: ::1 allow\n";
+ // Add our networks for active interfaces including localhost
+ if (!empty($config['unbound']['active_interface']))
+ $active_interfaces = array_flip(explode(",", $config['unbound']['active_interface']));
+ else
+ $active_interfaces = get_configured_interface_with_descr();
+
+ $bindints = "";
+ foreach($active_interfaces as $ubif => $ifdesc) {
+ $ifip = get_interface_ip($ubif);
+ if (is_ipaddrv4($ifip)) {
+ // IPv4 is handled via NAT networks below
+ continue;
+ }
+ $ifip = get_interface_ipv6($ubif);
+ if (is_ipaddrv6($ifip)) {
+ $subnet_bits = get_interface_subnetv6($ubif);
+ $subnet_ip = gen_subnetv6($ifip, $subnet_bits);
+ $aclcfg .= "access-control: {$subnet_ip}/{$subnet_bits} allow\n";
+ // add for IPv6 static routes to local networks
+ // for safety, we include only routes reachable on an interface with no
+ // gateway specified - read: not an Internet connection.
+ $static_routes = get_staticroutes();
+ foreach ($static_routes as $route) {
+ if ((lookup_gateway_interface_by_name($route['gateway']) == $ubif) && !interface_has_gateway($ubif)) {
+ // route is on this interface, interface doesn't have gateway, add it
+ $aclcfg .= "access-control: {$route['network']} allow\n";
+ }
}
}
}
- }
-
- // Generate IPv4 access-control entries using the same logic as automatic outbound NAT
- if (empty($FilterIflist)) {
- filter_generate_optcfg_array();
- }
- $natnetworks_array = array();
- $natnetworks_array = filter_nat_rules_automatic_tonathosts();
- foreach ($natnetworks_array as $allowednet) {
- $aclcfg .= "access-control: $allowednet allow \n";
+
+ // Generate IPv4 access-control entries using the same logic as automatic outbound NAT
+ if (empty($FilterIflist)) {
+ filter_generate_optcfg_array();
+ }
+ $natnetworks_array = array();
+ $natnetworks_array = filter_nat_rules_automatic_tonathosts();
+ foreach ($natnetworks_array as $allowednet) {
+ $aclcfg .= "access-control: $allowednet allow \n";
+ }
}
// Configure the custom ACLs
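Review bot: With `disable_auto_added_access_control` set, `$aclcfg` is never assigned in `unbound_acls_config()`, because its only initialisation (`$aclcfg = "access-control: 127.0.0.1/32 allow\n";`) now sits inside the new `if` block. The custom-ACL code that follows the hunk appears to append to `$aclcfg`, so that path would operate on an undefined variable (a PHP notice, and an empty result if no custom ACLs are configured); add `$aclcfg = "";` immediately before the `if (!isset($config['unbound']['disable_auto_added_access_control'])) {` line. The option also drops the two loopback entries together with the interface and NAT networks, and since Unbound refuses queries from any source not listed in access-control, a user who enables it without manually adding 127.0.0.1/32 and ::1 will lock out the firewall's own resolver clients — consider keeping those two lines outside the conditional, or at least stating this in the option's help text. The remainder of unbound_acls_config() continues outside the hunk.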