From e3045c51fcc069f084291b60f735d982c3dbf74d Mon Sep 17 00:00:00 2001
From: Chris Buechler
Date: Wed, 26 Nov 2014 01:00:52 -0600
Subject: include Unbound access-control entries for local IPv6 networks reachable via static route. Ticket #4023
---
 etc/inc/unbound.inc | 11 +++++++++++
 1 file changed, 11 insertions(+)
(limited to 'etc')
diff --git a/etc/inc/unbound.inc b/etc/inc/unbound.inc
index 05667ad..513b53c 100644
--- a/etc/inc/unbound.inc
+++ b/etc/inc/unbound.inc
@@ -600,9 +600,20 @@ function unbound_acls_config() {
 $subnet_bits = get_interface_subnetv6($ubif);
 $subnet_ip = gen_subnetv6($ifip, $subnet_bits);
 $aclcfg .= "access-control: {$subnet_ip}/{$subnet_bits} allow\n";
+ // add for IPv6 static routes to local networks
+ // for safety, we include only routes reachable on an interface with no
+ // gateway specified - read: not an Internet connection.
+ $static_routes = get_staticroutes();
+ foreach ($static_routes as $route) {
+ if ((lookup_gateway_interface_by_name($route['gateway']) == $ubif) && !interface_has_gateway($ubif)) {
+ // route is on this interface, interface doesn't have gateway, add it
+ $aclcfg .= "access-control: {$route['network']} allow\n";
+ }
+ }
 }
 }
+ // Generate IPv4 access-control entries using the same logic as automatic outbound NAT
 if (empty($FilterIflist)) {
 filter_generate_optcfg_array();
 }
--
cgit v1.1
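Review bot: The new loop in the IPv6 block adds every static route whose gateway resolves to `$ubif`, not only IPv6 ones — `get_staticroutes()` is not filtered by address family and `$route['network']` is never inspected, so an IPv4 static route on a gateway-less interface also becomes an `access-control: … allow` entry here, which is wider than the comment "add for IPv6 static routes to local networks" describes. Restricting the condition, e.g. `if (is_subnetv6($route['network']) && lookup_gateway_interface_by_name($route['gateway']) === $ubif && !interface_has_gateway($ubif)) {` (assuming util.inc's `is_subnetv6()` is in scope in this file), keeps the resolver's allow list to what the comment promises, and `===` avoids a loose comparison against whatever the lookup returns for a gateway name it cannot resolve (presumably `false`). `interface_has_gateway($ubif)` and `get_staticroutes()` do not depend on `$route`, so both can be evaluated once before the loop and the loop skipped entirely when the interface has a gateway. The enclosing `unbound_acls_config()` begins and ends outside the hunk.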