<?php
/*
 * unbound.inc
 *
 * part of pfSense (https://www.pfsense.org)
 * Copyright (c) 2015 Warren Baker <warren@percol8.co.za>
 * Copyright (c) 2015-2016 Electric Sheep Fencing, LLC
 * All rights reserved.
 *
 * originally part of m0n0wall (http://m0n0.ch/wall)
 * Copyright (c) 2003-2004 Manuel Kasper <mk@neon1.net>.
 * All rights reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

/* include all configuration functions */
require_once("config.inc");
require_once("functions.inc");
require_once("filter.inc");
require_once("shaper.inc");

function create_unbound_chroot_path($cfgsubdir = "") {
	global $config, $g;

	// Configure chroot
	if (!is_dir($g['unbound_chroot_path'])) {
		mkdir($g['unbound_chroot_path']);
		chown($g['unbound_chroot_path'], "unbound");
		chgrp($g['unbound_chroot_path'], "unbound");
	}

	if ($cfgsubdir != "") {
		$cfgdir = $g['unbound_chroot_path'] . $cfgsubdir;
		if (!is_dir($cfgdir)) {
			mkdir($cfgdir);
			chown($cfgdir, "unbound");
			chgrp($cfgdir, "unbound");
		}
	}
}

/* Optimize Unbound for environment */
function unbound_optimization() {
	global $config;

	$optimization_settings = array();

	/*
	 * Set the number of threads equal to number of CPUs.
	 * Use 1 to disable threading, if for some reason this sysctl fails.
	 */
	$numprocs = intval(get_single_sysctl('kern.smp.cpus'));
	if ($numprocs > 1) {
		$optimization['number_threads'] = "num-threads: {$numprocs}";
		$optimize_num = pow(2, floor(log($numprocs, 2)));
	} else {
		$optimization['number_threads'] = "num-threads: 1";
		$optimize_num = 4;
	}

	// Slabs to help reduce lock contention.
	$optimization['msg_cache_slabs'] = "msg-cache-slabs: {$optimize_num}";
	$optimization['rrset_cache_slabs'] = "rrset-cache-slabs: {$optimize_num}";
	$optimization['infra_cache_slabs'] = "infra-cache-slabs: {$optimize_num}";
	$optimization['key_cache_slabs'] = "key-cache-slabs: {$optimize_num}";

	/*
	 * Larger socket buffer for busy servers
	 * Check that it is set to 4MB (by default the OS has it configured to 4MB)
	 */
	if (is_array($config['sysctl']) && is_array($config['sysctl']['item'])) {
		foreach ($config['sysctl']['item'] as $tunable) {
			if ($tunable['tunable'] == 'kern.ipc.maxsockbuf') {
				$so = floor(($tunable['value']/1024/1024)-4);
				// Check to ensure that the number is not a negative
				if ($so >= 4) {
					// Limit to 32MB, users might set maxsockbuf very high for other reasons.
					// We do not want unbound to fail because of that.
					$so = min($so, 32);
					$optimization['so_rcvbuf'] = "so-rcvbuf: {$so}m";
				} else {
					unset($optimization['so_rcvbuf']);
				}
			}
		}
	}
	// Safety check in case kern.ipc.maxsockbuf is not available.
	if (!isset($optimization['so_rcvbuf'])) {
		$optimization['so_rcvbuf'] = "#so-rcvbuf: 4m";
	}

	return $optimization;

}

function test_unbound_config($unboundcfg, &$output) {
	global $g;

	$cfgsubdir = "/test";
	unbound_generate_config($unboundcfg, $cfgsubdir);
	unbound_remote_control_setup($cfgsubdir);
	do_as_unbound_user("unbound-anchor", $cfgsubdir);

	$cfgdir = "{$g['unbound_chroot_path']}{$cfgsubdir}";

	$rv = 0;
	exec("/usr/local/sbin/unbound-checkconf {$cfgdir}/unbound.conf 2>&1", $output, $rv);
	rmdir_recursive($cfgdir);

	return $rv;
}


function unbound_generate_config($unboundcfg = NULL, $cfgsubdir = "") {
	global $g;

	$unboundcfgtxt = unbound_generate_config_text($unboundcfg, $cfgsubdir);

	// Configure static Host entries
	unbound_add_host_entries($cfgsubdir);

	// Configure Domain Overrides
	unbound_add_domain_overrides("", $cfgsubdir);

	// Configure Unbound access-lists
	unbound_acls_config($cfgsubdir);

	create_unbound_chroot_path($cfgsubdir);
	file_put_contents("{$g['unbound_chroot_path']}{$cfgsubdir}/unbound.conf", $unboundcfgtxt);
}


function unbound_generate_config_text($unboundcfg = NULL, $cfgsubdir = "") {

	global $config, $g;
	if (is_null($unboundcfg)) {
		$unboundcfg = $config['unbound'];
	}

	// Setup optimization
	$optimization = unbound_optimization();

	// Setup DNSSEC support
	if (isset($unboundcfg['dnssec'])) {
		$module_config = "validator iterator";
		$anchor_file = "auto-trust-anchor-file: {$g['unbound_chroot_path']}{$cfgsubdir}/root.key";
	} else {
		$module_config = "iterator";
	}

	// Setup DNS Rebinding
	if (!isset($config['system']['webgui']['nodnsrebindcheck'])) {
		// Private-addresses for DNS Rebinding
		$private_addr = <<<EOF
# For DNS Rebinding prevention
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 169.254.0.0/16
private-address: 192.168.0.0/16
private-address: fd00::/8
private-address: fe80::/10
EOF;
	}

	// Determine interfaces to run on
	$bindints = "";
	if (!empty($unboundcfg['active_interface'])) {
		$active_interfaces = explode(",", $unboundcfg['active_interface']);
		if (in_array("all", $active_interfaces, true)) {
			$bindints .= "interface: 0.0.0.0\n";
			$bindints .= "interface: ::0\n";
			$bindints .= "interface-automatic: yes\n";
		} else {
			foreach ($active_interfaces as $ubif) {
				if (is_ipaddr($ubif)) {
					$bindints .= "interface: $ubif\n";
				} else {
					$intip = get_interface_ip($ubif);
					if (is_ipaddrv4($intip)) {
						$bindints .= "interface: $intip\n";
					}
					$intip = get_interface_ipv6($ubif);
					if (is_ipaddrv6($intip)) {
						$bindints .= "interface: $intip\n";
					}
				}
			}
		}
	} else {
		$bindints .= "interface: 0.0.0.0\n";
		$bindints .= "interface: ::0\n";
		/* If the active interface array is empty, treat it the same as "All" as is done above. Otherwise it breaks CARP with a default config. */
		$bindints .= "interface-automatic: yes\n";
	}

	// Determine interfaces to run on
	$outgoingints = "";
	if (!empty($unboundcfg['outgoing_interface'])) {
		$outgoingints = "# Outgoing interfaces to be used\n";
		$outgoing_interfaces = explode(",", $unboundcfg['outgoing_interface']);
		foreach ($outgoing_interfaces as $outif) {
			$outip = get_interface_ip($outif);
			if (is_ipaddr($outip)) {
				$outgoingints .= "outgoing-interface: $outip\n";
			}
			$outip = get_interface_ipv6($outif);
			if (is_ipaddrv6($outip)) {
				$outgoingints .= "outgoing-interface: $outip\n";
			}
		}
	}

	// Allow DNS Rebind for forwarded domains
	if (isset($unboundcfg['domainoverrides']) && is_array($unboundcfg['domainoverrides'])) {
		if (!isset($config['system']['webgui']['nodnsrebindcheck'])) {
			$private_domains = "# Set private domains in case authoritative name server returns a Private IP address\n";
			$private_domains .= unbound_add_domain_overrides("private");
		}
		$reverse_zones .= unbound_add_domain_overrides("reverse");
	}

	// Configure Unbound statistics
	$statistics = unbound_statistics();

	// Add custom Unbound options
	if ($unboundcfg['custom_options']) {
		$custom_options_source = explode("\n", base64_decode($unboundcfg['custom_options']));
		$custom_options = "# Unbound custom options\n";
		foreach ($custom_options_source as $ent) {
			$custom_options .= $ent."\n";
		}
	}

	// Server configuration variables
	$port = (is_port($unboundcfg['port'])) ? $unboundcfg['port'] : "53";
	$hide_identity = isset($unboundcfg['hideidentity']) ? "yes" : "no";
	$hide_version = isset($unboundcfg['hideversion']) ? "yes" : "no";
	$harden_dnssec_stripped = isset($unboundcfg['dnssecstripped']) ? "yes" : "no";
	$prefetch = isset($unboundcfg['prefetch']) ? "yes" : "no";
	$prefetch_key = isset($unboundcfg['prefetchkey']) ? "yes" : "no";
	$outgoing_num_tcp = isset($unboundcfg['outgoing_num_tcp']) ? $unboundcfg['outgoing_num_tcp'] : "10";
	$incoming_num_tcp = isset($unboundcfg['incoming_num_tcp']) ? $unboundcfg['incoming_num_tcp'] : "10";
	$edns_buffer_size = (!empty($unboundcfg['edns_buffer_size'])) ? $unboundcfg['edns_buffer_size'] : "4096";
	$num_queries_per_thread = (!empty($unboundcfg['num_queries_per_thread'])) ? $unboundcfg['num_queries_per_thread'] : "4096";
	$jostle_timeout = (!empty($unboundcfg['jostle_timeout'])) ? $unboundcfg['jostle_timeout'] : "200";
	$cache_max_ttl = (!empty($unboundcfg['cache_max_ttl'])) ? $unboundcfg['cache_max_ttl'] : "86400";
	$cache_min_ttl = (!empty($unboundcfg['cache_min_ttl'])) ? $unboundcfg['cache_min_ttl'] : "0";
	$infra_host_ttl = (!empty($unboundcfg['infra_host_ttl'])) ? $unboundcfg['infra_host_ttl'] : "900";
	$infra_cache_numhosts = (!empty($unboundcfg['infra_cache_numhosts'])) ? $unboundcfg['infra_cache_numhosts'] : "10000";
	$unwanted_reply_threshold = (!empty($unboundcfg['unwanted_reply_threshold'])) ? $unboundcfg['unwanted_reply_threshold'] : "0";
	if ($unwanted_reply_threshold == "disabled") {
		$unwanted_reply_threshold = "0";
	}
	$msg_cache_size = (!empty($unboundcfg['msgcachesize'])) ? $unboundcfg['msgcachesize'] : "4";
	$verbosity = isset($unboundcfg['log_verbosity']) ? $unboundcfg['log_verbosity'] : 1;
	$use_caps = isset($unboundcfg['use_caps']) ? "yes" : "no";

	// Set up forwarding if it is configured
	if (isset($unboundcfg['forwarding'])) {
		$dnsservers = array();
		if (isset($config['system']['dnsallowoverride'])) {
			$ns = array_unique(get_nameservers());
			foreach ($ns as $nameserver) {
				if ($nameserver) {
					$dnsservers[] = $nameserver;
				}
			}
		} else {
			$ns = array();
		}
		$sys_dnsservers = array_unique(get_dns_servers());
		foreach ($sys_dnsservers as $sys_dnsserver) {
			if ($sys_dnsserver && (!in_array($sys_dnsserver, $ns))) {
				$dnsservers[] = $sys_dnsserver;
			}
		}

		if (!empty($dnsservers)) {
			$forward_conf .=<<<EOD
# Forwarding
forward-zone:
	name: "."

EOD;
			foreach ($dnsservers as $dnsserver) {
				if (is_ipaddr($dnsserver) && !ip_in_subnet($dnsserver, "127.0.0.0/8")) {
					$forward_conf .= "\tforward-addr: $dnsserver\n";
				}
			}
		}
	} else {
		$forward_conf = "";
	}

	// Size of the RRset cache == 2 * msg-cache-size per Unbound's recommendations
	$rrset_cache_size = $msg_cache_size * 2;

	$unboundconf = <<<EOD
##########################
# Unbound Configuration
##########################

##
# Server configuration
##
server:
{$reverse_zones}
chroot: {$g['unbound_chroot_path']}
username: "unbound"
directory: "{$g['unbound_chroot_path']}"
pidfile: "/var/run/unbound.pid"
use-syslog: yes
port: {$port}
verbosity: {$verbosity}
hide-identity: {$hide_identity}
hide-version: {$hide_version}
harden-glue: yes
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
module-config: "{$module_config}"
unwanted-reply-threshold: {$unwanted_reply_threshold}
num-queries-per-thread: {$num_queries_per_thread}
jostle-timeout: {$jostle_timeout}
infra-host-ttl: {$infra_host_ttl}
infra-cache-numhosts: {$infra_cache_numhosts}
outgoing-num-tcp: {$outgoing_num_tcp}
incoming-num-tcp: {$incoming_num_tcp}
edns-buffer-size: {$edns_buffer_size}
cache-max-ttl: {$cache_max_ttl}
cache-min-ttl: {$cache_min_ttl}
harden-dnssec-stripped: {$harden_dnssec_stripped}
msg-cache-size: {$msg_cache_size}m
rrset-cache-size: {$rrset_cache_size}m

{$optimization['number_threads']}
{$optimization['msg_cache_slabs']}
{$optimization['rrset_cache_slabs']}
{$optimization['infra_cache_slabs']}
{$optimization['key_cache_slabs']}
outgoing-range: 4096
{$optimization['so_rcvbuf']}
{$anchor_file}
prefetch: {$prefetch}
prefetch-key: {$prefetch_key}
use-caps-for-id: {$use_caps}
# Statistics
{$statistics}
# Interface IP(s) to bind to
{$bindints}
{$outgoingints}

# DNS Rebinding
{$private_addr}
{$private_domains}

# Access lists
include: {$g['unbound_chroot_path']}{$cfgsubdir}/access_lists.conf

# Static host entries
include: {$g['unbound_chroot_path']}{$cfgsubdir}/host_entries.conf

# dhcp lease entries
include: {$g['unbound_chroot_path']}{$cfgsubdir}/dhcpleases_entries.conf

# Domain overrides
include: {$g['unbound_chroot_path']}{$cfgsubdir}/domainoverrides.conf
{$forward_conf}

{$custom_options}

###
# Remote Control Config
###
include: {$g['unbound_chroot_path']}{$cfgsubdir}/remotecontrol.conf

EOD;

	return $unboundconf;
}

function unbound_remote_control_setup($cfgsubdir = "") {
	global $g;

	if (!file_exists("{$g['unbound_chroot_path']}{$cfgsubdir}/remotecontrol.conf") || !file_exists("{$g['unbound_chroot_path']}{$cfgsubdir}/unbound_control.key")) {
		$remotcfg = <<<EOF
remote-control:
	control-enable: yes
	control-interface: 127.0.0.1
	control-port: 953
	server-key-file: "{$g['unbound_chroot_path']}{$cfgsubdir}/unbound_server.key"
	server-cert-file: "{$g['unbound_chroot_path']}{$cfgsubdir}/unbound_server.pem"
	control-key-file: "{$g['unbound_chroot_path']}{$cfgsubdir}/unbound_control.key"
	control-cert-file: "{$g['unbound_chroot_path']}{$cfgsubdir}/unbound_control.pem"

EOF;

		create_unbound_chroot_path($cfgsubdir);
		file_put_contents("{$g['unbound_chroot_path']}{$cfgsubdir}/remotecontrol.conf", $remotcfg);

		// Generate our keys
		do_as_unbound_user("unbound-control-setup", $cfgsubdir);

	}
}

// Read /etc/hosts
function read_hosts() {

	/* Open /etc/hosts and extract the only dhcpleases info
	 * XXX - to convert to an unbound C library which reads /etc/hosts automatically
	 */
	$etc_hosts = array();
	foreach (file('/etc/hosts') as $line) {
		if (strpos($line, "dhcpleases automatically entered")) {
			break;
		}
		$d = preg_split('/\s+/', $line, -1, PREG_SPLIT_NO_EMPTY);
		if (empty($d) || substr(reset($d), 0, 1) == "#") {
			continue;
		}
		$ip = array_shift($d);
		$fqdn = array_shift($d);
		$name = array_shift($d);
		if (!empty($fqdn) && $fqdn != "empty") {
			if (!empty($name) && $name != "empty") {
				array_push($etc_hosts, array(ipaddr => "$ip", fqdn => "$fqdn", name => "$name"));
			} else {
				array_push($etc_hosts, array(ipaddr => "$ip", fqdn => "$fqdn"));
			}
		}
	}
	return $etc_hosts;
}

function sync_unbound_service() {
	global $config, $g;

	create_unbound_chroot_path();

	// Configure our Unbound service
	do_as_unbound_user("unbound-anchor");
	unbound_remote_control_setup();
	unbound_generate_config();
	do_as_unbound_user("start");
	require_once("service-utils.inc");
	if (is_service_running("unbound")) {
		do_as_unbound_user("restore_cache");
	}

}

function unbound_acl_id_used($id) {
	global $config;

	if (is_array($config['unbound']['acls'])) {
		foreach ($config['unbound']['acls'] as & $acls) {
			if ($id == $acls['aclid']) {
				return true;
			}
		}
	}

	return false;
}

function unbound_get_next_id() {
	$aclid = 0;
	while (unbound_acl_id_used($aclid)) {
		$aclid++;
	}
	return $aclid;
}

// Execute commands as the user unbound
function do_as_unbound_user($cmd, $param1 = "") {
	global $g;

	switch ($cmd) {
		case "start":
			mwexec("/usr/local/sbin/unbound -c {$g['unbound_chroot_path']}/unbound.conf");
			break;
		case "stop":
			mwexec("echo '/usr/local/sbin/unbound-control stop' | /usr/bin/su -m unbound", true);
			break;
		case "reload":
			mwexec("echo '/usr/local/sbin/unbound-control reload' | /usr/bin/su -m unbound", true);
			break;
		case "unbound-anchor":
			$root_key_file = "{$g['unbound_chroot_path']}{$param1}/root.key";
			// sanity check root.key because unbound-anchor will fail without manual removal otherwise. redmine #5334
			if (file_exists($root_key_file)) {
				$rootkeycheck = mwexec("/usr/bin/grep 'autotrust trust anchor file' {$root_key_file}", true);
				if ($rootkeycheck != "0") {
					log_error("Unbound {$root_key_file} file is corrupt, removing and recreating.");
					unlink_if_exists($root_key_file);
				}
			}
			mwexec("echo '/usr/local/sbin/unbound-anchor -a {$root_key_file}' | /usr/bin/su -m unbound", true);
			// Only sync the file if this is the real (default) one, not a test one.
			if ($param1 == "") {
				pfSense_fsync($root_key_file);
			}
			break;
		case "unbound-control-setup":
			mwexec("echo '/usr/local/sbin/unbound-control-setup -d {$g['unbound_chroot_path']}{$param1}' | /usr/bin/su -m unbound", true);
			break;
		default:
			break;
	}
}

function unbound_add_domain_overrides($pvt_rev="", $cfgsubdir = "") {
	global $config, $g;

	$domains = $config['unbound']['domainoverrides'];

	$sorted_domains = msort($domains, "domain");
	$result = array();
	foreach ($sorted_domains as $domain) {
		$domain_key = current($domain);
		if (!isset($result[$domain_key])) {
			$result[$domain_key] = array();
		}
		$result[$domain_key][] = $domain['ip'];
	}

	// Domain overrides that have multiple entries need multiple stub-addr: added
	$domain_entries = "";
	foreach ($result as $domain=>$ips) {
		if ($pvt_rev == "private") {
			$domain_entries .= "private-domain: \"$domain\"\n";
			$domain_entries .= "domain-insecure: \"$domain\"\n";
		} else if ($pvt_rev == "reverse") {
			if ((substr($domain, -14) == ".in-addr.arpa.") || (substr($domain, -13) == ".in-addr.arpa")) {
				$domain_entries .= "local-zone: \"$domain\" typetransparent\n";
			}
		} else {
			$domain_entries .= "forward-zone:\n";
			$domain_entries .= "\tname: \"$domain\"\n";
			foreach ($ips as $ip) {
				$domain_entries .= "\tforward-addr: $ip\n";
			}
		}
	}

	if ($pvt_rev != "") {
		return $domain_entries;
	} else {
		create_unbound_chroot_path($cfgsubdir);
		file_put_contents("{$g['unbound_chroot_path']}{$cfgsubdir}/domainoverrides.conf", $domain_entries);
	}
}

function unbound_add_host_entries($cfgsubdir = "") {
	global $config, $g;

	// Make sure the config setting is a valid unbound local zone type.  If not use "transparent".
	if (array_key_exists($config['unbound']['system_domain_local_zone_type'], unbound_local_zone_types())) {
		$system_domain_local_zone_type = $config['unbound']['system_domain_local_zone_type'];
	} else {
		$system_domain_local_zone_type = "transparent";
	}

	$unbound_entries = "local-zone: \"{$config['system']['domain']}\" {$system_domain_local_zone_type}\n";

	$hosts = read_hosts();
	$added_ptr = array();
	foreach ($hosts as $host) {
		if (is_ipaddrv4($host['ipaddr'])) {
			$type = 'A';
		} else if (is_ipaddrv6($host['ipaddr'])) {
			$type = 'AAAA';
		} else {
			continue;
		}

		if (!$added_ptr[$host['ipaddr']]) {
			$unbound_entries .= "local-data-ptr: \"{$host['ipaddr']} {$host['fqdn']}\"\n";
			$added_ptr[$host['ipaddr']] = true;
		}
		$unbound_entries .= "local-data: \"{$host['fqdn']} {$type} {$host['ipaddr']}\"\n";
	}

	// Write out entries
	create_unbound_chroot_path($cfgsubdir);
	file_put_contents("{$g['unbound_chroot_path']}{$cfgsubdir}/host_entries.conf", $unbound_entries);

	/* dhcpleases will write to this config file, make sure it exists */
	@touch("{$g['unbound_chroot_path']}{$cfgsubdir}/dhcpleases_entries.conf");
}

function unbound_control($action) {
	global $config, $g;

	$cache_dumpfile = "/var/tmp/unbound_cache";

	switch ($action) {
	case "start":
		// Start Unbound
		if ($config['unbound']['enable'] == "on") {
			if (!is_service_running("unbound")) {
				do_as_unbound_user("start");
			}
		}
		break;
	case "stop":
		if ($config['unbound']['enable'] == "on") {
			do_as_unbound_user("stop");
		}
		break;
	case "reload":
		if ($config['unbound']['enable'] == "on") {
			do_as_unbound_user("reload");
		}
		break;
	case "dump_cache":
		// Dump Unbound's Cache
		if ($config['unbound']['dumpcache'] == "on") {
			do_as_unbound_user("dump_cache");
		}
		break;
	case "restore_cache":
		// Restore Unbound's Cache
		if ((is_service_running("unbound")) && ($config['unbound']['dumpcache'] == "on")) {
			if (file_exists($cache_dumpfile) && filesize($cache_dumpfile) > 0) {
				do_as_unbound_user("load_cache < /var/tmp/unbound_cache");
			}
		}
		break;
	default:
		break;

	}
}

// Generation of Unbound statistics
function unbound_statistics() {
	global $config;

	if ($config['stats'] == "on") {
		$stats_interval = $config['unbound']['stats_interval'];
		$cumulative_stats = $config['cumulative_stats'];
		if ($config['extended_stats'] == "on") {
			$extended_stats = "yes";
		} else {
			$extended_stats = "no";
		}
	} else {
		$stats_interval = "0";
		$cumulative_stats = "no";
		$extended_stats = "no";
	}
	/* XXX To do - add RRD graphs */
	$stats = <<<EOF
# Unbound Statistics
statistics-interval: {$stats_interval}
extended-statistics: yes
statistics-cumulative: yes

EOF;

	return $stats;
}

// Unbound Access lists
function unbound_acls_config($cfgsubdir = "") {
	global $g, $config;

	if (!isset($config['unbound']['disable_auto_added_access_control'])) {
		$aclcfg = "access-control: 127.0.0.1/32 allow\n";
		$aclcfg .= "access-control: ::1 allow\n";
		// Add our networks for active interfaces including localhost
		if (!empty($config['unbound']['active_interface'])) {
			$active_interfaces = array_flip(explode(",", $config['unbound']['active_interface']));
			if (in_array("all", $active_interfaces)) {
				$active_interfaces = get_configured_interface_with_descr();
			}
		} else {
			$active_interfaces = get_configured_interface_with_descr();
		}

		$bindints = "";
		foreach ($active_interfaces as $ubif => $ifdesc) {
			$ifip = get_interface_ip($ubif);
			if (is_ipaddrv4($ifip)) {
				// IPv4 is handled via NAT networks below
			}
			$ifip = get_interface_ipv6($ubif);
			if (is_ipaddrv6($ifip)) {
				if (!is_linklocal($ifip)) {
					$subnet_bits = get_interface_subnetv6($ubif);
					$subnet_ip = gen_subnetv6($ifip, $subnet_bits);
					// only add LAN-type interfaces
					if (!interface_has_gateway($ubif)) {
						$aclcfg .= "access-control: {$subnet_ip}/{$subnet_bits} allow\n";
					}
				}
				// add for IPv6 static routes to local networks
				// for safety, we include only routes reachable on an interface with no
				// gateway specified - read: not an Internet connection.
				$static_routes = get_staticroutes();
				foreach ($static_routes as $route) {
					if ((lookup_gateway_interface_by_name($route['gateway']) == $ubif) && !interface_has_gateway($ubif)) {
						// route is on this interface, interface doesn't have gateway, add it
						$aclcfg .= "access-control: {$route['network']} allow\n";
					}
				}
			}
		}

		// Generate IPv4 access-control entries using the same logic as automatic outbound NAT
		if (empty($FilterIflist)) {
			filter_generate_optcfg_array();
		}
		$natnetworks_array = array();
		$natnetworks_array = filter_nat_rules_automatic_tonathosts();
		foreach ($natnetworks_array as $allowednet) {
			$aclcfg .= "access-control: $allowednet allow \n";
		}
	}

	// Configure the custom ACLs
	if (is_array($config['unbound']['acls'])) {
		foreach ($config['unbound']['acls'] as $unbound_acl) {
			$aclcfg .= "#{$unbound_acl['aclname']}\n";
			foreach ($unbound_acl['row'] as $network) {
				if ($unbound_acl['aclaction'] == "allow snoop") {
					$unbound_acl['aclaction'] = "allow_snoop";
				}
				$aclcfg .= "access-control: {$network['acl_network']}/{$network['mask']} {$unbound_acl['aclaction']}\n";
			}
		}
	}
	// Write out Access list
	create_unbound_chroot_path($cfgsubdir);
	file_put_contents("{$g['unbound_chroot_path']}{$cfgsubdir}/access_lists.conf", $aclcfg);

}

// Generate hosts and reload services
function unbound_hosts_generate() {
	// Generate our hosts file
	unbound_add_host_entries();

	// Reload our service to read the updates
	unbound_control("reload");
}

// Array of valid unbound local zone types
function unbound_local_zone_types() {
	return array(
		"deny" => gettext("Deny"),
		"refuse" => gettext("Refuse"),
		"static" => gettext("Static"),
		"transparent" => gettext("Transparent"),
		"typetransparent" => gettext("Type Transparent"),
		"redirect" => gettext("Redirect"),
		"inform" => gettext("Inform"),
		"inform_deny" => gettext("Inform Deny"),
		"nodefault" => gettext("No Default")
	);
}

?>