webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-25 18:32:57 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'ms/next-dns-ng' into next

Browse Source
This commit is contained in:
Arne Fitzenreiter
2020-01-13 21:42:49 +00:00
parent 23dc6e0b23 7be4822f3d
commit 61cc563558
45 changed files with 1688 additions and 1117 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
src/initscripts/networking/dhcpcd.exe
View File

@@ -14,9 +14,7 @@
. /etc/sysconfig/rc
. $rc_functions
eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
eval $(/usr/local/bin/readhash /var/ipfire/dns/settings)
dhcpcd_up()
{
@@ -30,8 +28,7 @@ dhcpcd_up()
# Only if RED_TYPE=DHCP update /var/ipfire/red
if [ "$RED_TYPE" == "DHCP" ]; then
#Check if we have to restart the services at update
# Check if we have to restart the services at update
[ ! -e "/var/ipfire/red/active" ] && update=1;
if [ "$old_domain_name_service" != "$new_domain_name_service" ]; then
update=1;
@@ -43,15 +40,9 @@ dhcpcd_up()
update=1;
fi
#Get DNS from dhcp
if [ -n "$DNS0" ] && [ -n "$DNS1" ]; then
logger -p local0.info -t dhcpcd.exe[$$] "Overwritting DNS-Server addresses with ${DNS0},${DNS1}"
echo -n ${DNS0} > /var/ipfire/red/dns1
echo -n ${DNS1} > /var/ipfire/red/dns2
else
echo -n `/etc/rc.d/helper/getdnsfromdhcpc.pl 1` > /var/ipfire/red/dns1
echo -n `/etc/rc.d/helper/getdnsfromdhcpc.pl 2` > /var/ipfire/red/dns2
fi
# Get DNS from dhcp
/etc/rc.d/helper/getdnsfromdhcpc.pl 1 > /var/run/dns1
/etc/rc.d/helper/getdnsfromdhcpc.pl 2 > /var/run/dns2
#Get IP Address
echo -n "$new_ip_address" > /var/ipfire/red/local-ipaddress
@@ -76,6 +67,9 @@ dhcpcd_down()
set | grep "^new_" | sed "s|^new_||g" | \
sort > /var/ipfire/dhcpc/dhcpcd-$interface.info
# Remove DNS servers
rm -f /var/run/dns1 /var/run/dns2
# Only if RED_TYPE=DHCP update /var/ipfire/red
if [ "$RED_TYPE" == "DHCP" ]; then
rm -f /var/ipfire/red/active

2
src/initscripts/networking/red
View File

@@ -120,8 +120,6 @@ case "${1}" in
grep -v -E "\<gateway\>" /etc/hosts > /tmp/hosts
echo "$GATEWAY gateway" >> /tmp/hosts
mv /tmp/hosts /etc/hosts
echo -n "${DNS1}" > /var/ipfire/red/dns1
echo -n "${DNS2}" > /var/ipfire/red/dns2
touch /var/ipfire/red/active
# Create route to default gateway

13
src/initscripts/networking/red.up/05-update-dns-forwarders
View File

@@ -1,13 +1,4 @@
#!/bin/bash
# If network has not fully been brought up here, we start unbound
# so that all following scripts can rely on DNS resolution
pidof unbound > /dev/null
if [ "${?}" = "0" ]; then
# unbound is run so update the forwarders
/etc/init.d/unbound update-forwarders
else
# Start unbound if it is not running, yet
/etc/init.d/unbound start
fi
# Update DNS forwarders
exec /etc/init.d/unbound update-forwarders

3
src/initscripts/networking/red.up/06-safe-search
View File

@@ -1,3 +0,0 @@
#!/bin/bash
exec /etc/init.d/unbound update-safe-search

559
src/initscripts/system/unbound
View File

@@ -7,30 +7,12 @@
. /etc/sysconfig/rc
. ${rc_functions}
TEST_DOMAIN="ipfire.org"
# This domain will never validate
TEST_DOMAIN_FAIL="dnssec-failed.org"
INSECURE_ZONES=
USE_FORWARDERS=1
ENABLE_SAFE_SEARCH=off
FORCE_TCP=off
# Cache any local zones for 60 seconds
LOCAL_TTL=60
# EDNS buffer size
EDNS_DEFAULT_BUFFER_SIZE=4096
# Load optional configuration
[ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound
DIG_ARGS=()
if [ "${FORCE_TCP}" = "on" ]; then
DIG_ARGS+=( "+tcp" )
fi
# Load configuration
eval $(/usr/local/bin/readhash /var/ipfire/dns/settings)
eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
ip_address_revptr() {
local addr=${1}
@@ -42,26 +24,27 @@ ip_address_revptr() {
}
read_name_servers() {
local i
for i in 1 2; do
echo "$(</var/ipfire/red/dns${i})"
done 2>/dev/null | xargs echo
}
# Read name servers from ISP
if [ "${USE_ISP_NAMESERVERS}" = "on" -a "${PROTO}" != "TLS" ]; then
local i
for i in 1 2; do
echo "$(</var/run/dns${i})"
done 2>/dev/null
fi
check_red_has_carrier_and_ip() {
# Interface configured ?
[ ! -e "/var/ipfire/red/iface" ] && return 0;
# Read configured name servers
local id address tls_hostname enabled remark
while IFS="," read -r id address tls_hostname enabled remark; do
[ "${enabled}" != "enabled" ] && continue
# Interface present ?
[ ! -e "/sys/class/net/$(</var/ipfire/red/iface)" ] && return 0;
# has carrier ?
[ ! "$(</sys/class/net/$(</var/ipfire/red/iface)/carrier)" = "1" ] && return 0;
# has ip ?
[ "$(ip address show dev $(</var/ipfire/red/iface) | grep "inet")" = "" ] && return 0;
return 1;
if [ "${PROTO}" = "TLS" ]; then
if [ -n "${tls_hostname}" ]; then
echo "${address}@853#${tls_hostname}"
fi
else
echo "${address}"
fi
done < /var/ipfire/dns/servers
}
config_header() {
@@ -70,151 +53,67 @@ config_header() {
echo
}
update_forwarders() {
check_red_has_carrier_and_ip
if [ "${USE_FORWARDERS}" = "1" -a "${?}" = "1" ]; then
local forwarders
local broken_forwarders
write_hosts_conf() {
(
config_header
local ns
for ns in $(read_name_servers); do
test_name_server ${ns} &>/dev/null
case "$?" in
# Only use DNSSEC-validating or DNSSEC-aware name servers
0|2)
forwarders="${forwarders} ${ns}"
;;
*)
broken_forwarders="${broken_forwarders} ${ns}"
;;
esac
# Make own hostname resolveable
# 1.1.1.1 is reserved for unused green, skip this
if [ -n "${GREEN_ADDRESS}" -a "${GREEN_ADDRESS}" != "1.1.1.1" ]; then
echo "local-data: \"${HOSTNAME} ${LOCAL_TTL} IN A ${GREEN_ADDRESS}\""
fi
local address
for address in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
[ -n "${address}" ] || continue
[ "${address}" = "1.1.1.1" ] && continue
address=$(ip_address_revptr ${address})
echo "local-data: \"${address} ${LOCAL_TTL} IN PTR ${HOSTNAME}\""
done
# Determine EDNS buffer size
local new_edns_buffer_size=${EDNS_DEFAULT_BUFFER_SIZE}
# Add all hosts
local enabled address hostname domainname generateptr
while IFS="," read -r enabled address hostname domainname generateptr; do
[ "${enabled}" = "on" ] || continue
for ns in ${forwarders}; do
local edns_buffer_size=$(ns_determine_edns_buffer_size ${ns})
if [ -n "${edns_buffer_size}" ]; then
if [ ${edns_buffer_size} -lt ${new_edns_buffer_size} ]; then
new_edns_buffer_size=${edns_buffer_size}
fi
fi
done
# Build FQDN
local fqdn="${hostname}.${domainname}"
echo "local-data: \"${fqdn} ${LOCAL_TTL} IN A ${address}\""
if [ ${new_edns_buffer_size} -lt ${EDNS_DEFAULT_BUFFER_SIZE} ]; then
boot_mesg "EDNS buffer size reduced to ${new_edns_buffer_size}" ${WARNING}
echo_warning
# Skip reverse resolution if the address equals the GREEN address
[ "${address}" = "${GREEN_ADDRESS}" ] && continue
unbound-control -q set_option edns-buffer-size: ${new_edns_buffer_size}
fi
# Skip reverse resolution if user requested not to do so
[ "${generateptr}" = "off" ] && continue
# Show warning for any broken upstream name servers
if [ -n "${broken_forwarders}" ]; then
boot_mesg "Ignoring broken upstream name server(s): ${broken_forwarders:1}" ${WARNING}
echo_warning
fi
if [ -n "${forwarders}" ]; then
boot_mesg "Configuring upstream name server(s): ${forwarders:1}" ${INFO}
echo_ok
# Make sure DNSSEC is activated
enable_dnssec
echo "${forwarders}" > /var/ipfire/red/dns
unbound-control -q forward ${forwarders}
return 0
# In case we have found no working forwarders
else
# Test if the recursor mode is available
if can_resolve_root +bufsize=${new_edns_buffer_size}; then
# Make sure DNSSEC is activated
enable_dnssec
boot_mesg "Falling back to recursor mode" ${WARNING}
echo_warning
# If not, we set DNSSEC in permissive mode and allow using all recursors
elif [ -n "${broken_forwarders}" ]; then
disable_dnssec
boot_mesg "DNSSEC has been set to permissive mode" ${FAILURE}
echo_failure
echo "${broken_forwarders}" > /var/ipfire/red/dns
unbound-control -q forward ${broken_forwarders}
return 0
fi
fi
fi
# If forwarders cannot be used we run in recursor mode
echo "local recursor" > /var/ipfire/red/dns
unbound-control -q forward off
}
remove_forwarders() {
enable_dnssec
echo "local recursor" > /var/ipfire/red/dns
unbound-control -q forward off
}
own_hostname() {
local hostname=$(hostname -f)
# 1.1.1.1 is reserved for unused green, skip this
if [ -n "${GREEN_ADDRESS}" -a "${GREEN_ADDRESS}" != "1.1.1.1" ]; then
unbound-control -q local_data "${hostname} ${LOCAL_TTL} IN A ${GREEN_ADDRESS}"
fi
local address
for address in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
[ -n "${address}" ] || continue
[ "${address}" = "1.1.1.1" ] && continue
address=$(ip_address_revptr ${address})
unbound-control -q local_data "${address} ${LOCAL_TTL} IN PTR ${hostname}"
done
}
update_hosts() {
local enabled address hostname domainname generateptr
while IFS="," read -r enabled address hostname domainname generateptr; do
[ "${enabled}" = "on" ] || continue
# Build FQDN
local fqdn="${hostname}.${domainname}"
unbound-control -q local_data "${fqdn} ${LOCAL_TTL} IN A ${address}"
# Skip reverse resolution if the address equals the GREEN address
[ "${address}" = "${GREEN_ADDRESS}" ] && continue
# Skip reverse resolution if user requested not to do so
[ "${generateptr}" = "off" ] && continue
# Add RDNS
address=$(ip_address_revptr ${address})
unbound-control -q local_data "${address} ${LOCAL_TTL} IN PTR ${fqdn}"
done < /var/ipfire/main/hosts
# Add RDNS
address=$(ip_address_revptr ${address})
echo "local-data: \"${address} ${LOCAL_TTL} IN PTR ${fqdn}\""
done < /var/ipfire/main/hosts
) > /etc/unbound/hosts.conf
}
write_forward_conf() {
(
config_header
# Enable strict QNAME minimisation
if [ "${QNAME_MIN}" = "strict" ]; then
echo "server:"
echo " qname-minimisation-strict: yes"
echo
fi
# Force using TCP for upstream servers only
if [ "${FORCE_TCP}" = "on" ]; then
if [ "${PROTO}" = "TCP" ]; then
echo "# Force using TCP for upstream servers only"
echo "server:"
echo " tcp-upstream: yes"
echo
fi
local insecure_zones="${INSECURE_ZONES}"
local insecure_zones=""
local enabled zone server servers remark disable_dnssec rest
while IFS="," read -r enabled zone servers remark disable_dnssec rest; do
@@ -234,35 +133,24 @@ write_forward_conf() {
;;
esac
# Reverse-lookup zones must be stubs
echo "stub-zone:"
echo " name: ${zone}"
for server in ${servers//|/ }; do
if [[ ${server} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo " stub-addr: ${server}"
else
echo " stub-host: ${server}"
fi
done
echo
# Make all reverse lookup zones transparent
case "${zone}" in
*.in-addr.arpa)
echo "stub-zone:"
echo " name: ${zone}"
for server in ${servers//|/ }; do
if [[ ${server} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo " stub-addr: ${server}"
else
echo " stub-host: ${server}"
fi
done
echo
echo "server:"
echo " local-zone: \"${zone}\" transparent"
echo
;;
*)
echo "forward-zone:"
echo " name: ${zone}"
for server in ${servers//|/ }; do
if [[ ${server} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo " forward-addr: ${server}"
else
echo " forward-host: ${server}"
fi
done
echo
;;
esac
done < /var/ipfire/dnsforward/config
@@ -273,6 +161,20 @@ write_forward_conf() {
echo " domain-insecure: ${zone}"
done
fi
echo "forward-zone:"
echo " name: \".\""
# Force using TLS only
if [ "${PROTO}" = "TLS" ]; then
echo " forward-tls-upstream: yes"
fi
# Add upstream name servers
local ns
for ns in $(read_name_servers); do
echo " forward-addr: ${ns}"
done
) > /etc/unbound/forward.conf
}
@@ -361,190 +263,26 @@ get_memory_amount() {
done < /proc/meminfo
}
test_name_server() {
local ns=${1}
local args
# Return codes:
# 0 DNSSEC validating
# 1 Error: unreachable, etc.
# 2 DNSSEC aware
# 3 NOT DNSSEC-aware
# Exit when the server is not reachable
ns_is_online ${ns} || return 1
# Determine the maximum edns buffer size that works
local edns_buffer_size=$(ns_determine_edns_buffer_size ${ns})
if [ -n "${edns_buffer_size}" ]; then
args="${args} +bufsize=${edns_buffer_size}"
fi
local errors
for rr in DNSKEY DS RRSIG; do
if ! ns_forwards_${rr} ${ns} ${args}; then
errors="${errors} ${rr}"
fi
done
if [ -n "${errors}" ]; then
echo >&2 "Unable to retrieve the following resource records from ${ns}: ${errors:1}"
return 3
fi
if ns_is_validating ${ns} ${args}; then
# Return 0 if validating
return 0
else
# Is DNSSEC-aware
return 2
fi
}
# Sends an A query to the nameserver w/o DNSSEC
ns_is_online() {
local ns=${1}
shift
dig "${DIG_ARGS[@]}" @${ns} +nodnssec A ${TEST_DOMAIN} $@ >/dev/null
}
# Resolving ${TEST_DOMAIN_FAIL} will fail if the nameserver is validating
ns_is_validating() {
local ns=${1}
shift
if ! dig "${DIG_ARGS[@]}" @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL; then
return 1
else
# Determine if NS replies with "ad" data flag if DNSSEC enabled
dig "${DIG_ARGS[@]}" @${ns} +dnssec SOA ${TEST_DOMAIN} $@ | awk -F: '/\;\;\ flags\:/ { s=1; if (/\ ad/) s=0; exit s }'
fi
}
# Checks if we can retrieve the DNSKEY for this domain.
# dig will print the SOA if nothing was found
ns_forwards_DNSKEY() {
local ns=${1}
shift
dig "${DIG_ARGS[@]}" @${ns} DNSKEY ${TEST_DOMAIN} $@ | grep -qv SOA
}
ns_forwards_DS() {
local ns=${1}
shift
dig "${DIG_ARGS[@]}" @${ns} DS ${TEST_DOMAIN} $@ | grep -qv SOA
}
ns_forwards_RRSIG() {
local ns=${1}
shift
dig "${DIG_ARGS[@]}" @${ns} +dnssec A ${TEST_DOMAIN} $@ | grep -q RRSIG
}
ns_supports_tcp() {
local ns=${1}
shift
# If TCP is forced we know by now if the server responds to it
if [ "${FORCE_TCP}" = "on" ]; then
fix_time_if_dns_fails() {
# If DNS is working, everything is fine
if resolve "ping.ipfire.org" &>/dev/null; then
return 0
fi
dig "${DIG_ARGS[@]}" @${ns} +tcp A ${TEST_DOMAIN} $@ >/dev/null || return 1
}
ns_determine_edns_buffer_size() {
local ns=${1}
shift
local b
for b in 4096 2048 1500 1480 1464 1400 1280 512; do
if dig "${DIG_ARGS[@]}" @${ns} +dnssec +bufsize=${b} A ${TEST_DOMAIN} $@ >/dev/null; then
echo "${b}"
return 0
fi
done
return 1
}
get_root_nameservers() {
while read -r hostname ttl record address; do
# Searching for A records
[ "${record}" = "A" ] || continue
echo "${address}"
done < /etc/unbound/root.hints
}
can_resolve_root() {
local ns
for ns in $(get_root_nameservers); do
if dig "${DIG_ARGS[@]}" @${ns} +dnssec SOA . $@ >/dev/null; then
return 0
fi
done
# none of the servers was reachable
return 1
}
enable_dnssec() {
local status=$(unbound-control get_option val-permissive-mode)
# Log DNSSEC status
echo "on" > /var/ipfire/red/dnssec-status
# Don't do anything if DNSSEC is already activated
[ "${status}" = "no" ] && return 0
# Activate DNSSEC and flush cache with any stale and unvalidated data
unbound-control -q set_option val-permissive-mode: no
unbound-control -q flush_zone .
}
disable_dnssec() {
# Log DNSSEC status
echo "off" > /var/ipfire/red/dnssec-status
unbound-control -q set_option val-permissive-mode: yes
}
fix_time_if_dns_fail() {
# If DNS still not work try to init ntp with
# hardcoded ntp.ipfire.org (81.3.27.46)
check_red_has_carrier_and_ip
if [ -e "/var/ipfire/red/iface" -a "${?}" = "1" ]; then
host 0.ipfire.pool.ntp.org > /dev/null 2>&1
if [ "${?}" != "0" ]; then
boot_mesg "DNS still not functioning... Trying to sync time with ntp.ipfire.org (81.3.27.46)..."
loadproc /usr/local/bin/settime 81.3.27.46
fi
fi
# Try to sync time with a known time server
boot_mesg "DNS not functioning... Trying to sync time with ntp.ipfire.org (81.3.27.46)..."
loadproc /usr/local/bin/settime 81.3.27.46
}
resolve() {
local hostname="${1}"
local found=0
local ns
for ns in $(read_name_servers); do
local answer
for answer in $(dig "${DIG_ARGS[@]}" +short "@${ns}" A "${hostname}"); do
found=1
# Filter out non-IP addresses
if [[ ! "${answer}" =~ \.$ ]]; then
echo "${answer}"
fi
done
# End loop when we have got something
[ ${found} -eq 1 ] && break
local answer
for answer in $(dig +short A "${hostname}"); do
# Filter out non-IP addresses
if [[ ! "${answer}" =~ \.$ ]]; then
echo "${answer}"
fi
done
}
@@ -809,30 +547,18 @@ case "$1" in
exit 0
fi
eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
# Update configuration files
write_tuning_conf
write_hosts_conf
write_forward_conf
boot_mesg "Starting Unbound DNS Proxy..."
loadproc /usr/sbin/unbound || exit $?
# Make own hostname resolveable
own_hostname
# Update any known forwarding name servers
update_forwarders
# Install Safe Search rules when the system is already online
if [ -e "/var/ipfire/red/active" ]; then
update_safe_search
fi
# Update hosts
update_hosts
fix_time_if_dns_fail
;;
stop)
@@ -845,84 +571,37 @@ case "$1" in
sleep 1
$0 start
;;
reload|remove-forwarders)
# Update configuration files
write_forward_conf
write_hosts_conf
# Update Safe Search rules if the system is online.
if [ -e "/var/ipfire/red/active" ]; then
update_safe_search
fi
# Call unbound-control and perform the reload
/usr/sbin/unbound-control -q reload
;;
status)
statusproc /usr/sbin/unbound
;;
update-forwarders)
# Do not try updating forwarders when unbound is not running
if ! pgrep unbound &>/dev/null; then
exit 0
fi
$0 reload
update_forwarders
unbound-control flush_negative > /dev/null
unbound-control flush_bogus > /dev/null
fix_time_if_dns_fail
;;
remove-forwarders)
# Do not try updating forwarders when unbound is not running
if ! pgrep unbound &>/dev/null; then
exit 0
fi
remove_forwarders
unbound-control flush_negative > /dev/null
unbound-control flush_bogus > /dev/null
;;
test-name-server)
ns=${2}
test_name_server ${ns}
ret=${?}
case "${ret}" in
0)
echo "${ns} is validating"
;;
2)
echo "${ns} is DNSSEC-aware"
;;
3)
echo "${ns} is NOT DNSSEC-aware"
;;
*)
echo "Test failed for an unknown reason"
exit ${ret}
;;
esac
if ns_supports_tcp ${ns}; then
echo "${ns} supports TCP fallback"
else
echo "${ns} does not support TCP fallback"
fi
edns_buffer_size=$(ns_determine_edns_buffer_size ${ns})
if [ -n "${edns_buffer_size}" ]; then
echo "EDNS buffer size for ${ns}: ${edns_buffer_size}"
fi
exit ${ret}
# Make sure DNS works at this point
fix_time_if_dns_fails
;;
resolve)
resolve "${2}"
;;
update-safe-search)
update_safe_search
;;
*)
echo "Usage: $0 {start|stop|restart|status|update-forwarders|remove-forwarders|test-name-server|resolve|update-safe-search}"
echo "Usage: $0 {start|stop|restart|reload|status|resolve|update-forwarders|remove-forwarders}"
exit 1
;;
esac

6
src/misc-progs/unboundctrl.c
View File

@@ -19,14 +19,16 @@ int main(int argc, char *argv[]) {
exit(1);
if (argc < 2) {
fprintf(stderr, "\nNo argument given.\n\nunboundctrl (restart)\n\n");
fprintf(stderr, "\nNo argument given.\n\nunboundctrl restart|reload\n\n");
exit(1);
}
if (strcmp(argv[1], "restart") == 0) {
safe_system("/etc/rc.d/init.d/unbound restart");
} else if (strcmp(argv[1], "reload") == 0) {
safe_system("/etc/rc.d/init.d/unbound reload");
} else {
fprintf(stderr, "\nBad argument given.\n\nunboundctrl (restart)\n\n");
fprintf(stderr, "\nBad argument given.\n\nunboundctrl restart|reload\n\n");
exit(1);
}

5
src/ppp/ip-down
View File

@@ -22,9 +22,8 @@
. /etc/sysconfig/rc
. $rc_functions
eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings)
rm -f /var/ipfire/red/active
rm -f /var/ipfire/red/active \
/var/run/dns1 /var/run/dns2
run_subdir ${rc_base}/init.d/networking/red.down/

29
src/ppp/ip-up
View File

@@ -22,32 +22,17 @@
. /etc/sysconfig/rc
. $rc_functions
PRIMARY_DNS=$DNS1
SECONDARY_DNS=$DNS2
eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings)
if [ "$DNS" == "Automatic" ]; then
if [ "$TYPE" == "isdn" ]; then
echo -n "$MS_DNS1" > /var/ipfire/red/dns1
echo -n "$MS_DNS2" > /var/ipfire/red/dns2
else
if [ "$PRIMARY_DNS" == "10.11.12.13" ]; then
echo -n "$DNS1" > /var/ipfire/red/dns1
else
echo -n "$PRIMARY_DNS" > /var/ipfire/red/dns1
fi
if [ "$SECONDARY_DNS" == "10.11.12.14" ]; then
echo -n "$DNS2" > /var/ipfire/red/dns2
else
echo -n "$SECONDARY_DNS" > /var/ipfire/red/dns2
fi
fi
else
echo -n "$DNS1" > /var/ipfire/red/dns1
echo -n "$DNS2" > /var/ipfire/red/dns2
if [ "$TYPE" = "isdn" ]; then
DNS1="${MS_DNS1}"
DNS2="${MS_DNS2}"
fi
# Write DNS servers to configuration
echo "${DNS1}" > /var/run/dns1
echo "${DNS2}" > /var/run/dns2
echo -n "$1" > /var/ipfire/red/iface
echo -n "$4" > /var/ipfire/red/local-ipaddress
echo -n "$5" > /var/ipfire/red/remote-ipaddress

95
src/scripts/convert-dns-settings Executable file
View File

@@ -0,0 +1,95 @@
#!/bin/bash
###############################################################################
# #
# IPFire.org - A Linux-based firewall #
# Copyright (C) 2020 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
main() {
# Do not convert anything if we already have some servers set
if [ ! -s "/var/ipfire/dns/servers" ]; then
local DNS0 DNS1 DNS2
eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
if [ -s "/var/ipfire/ppp/settings" ]; then
eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings)
# Remove DNS, DNS1 and DNS2
sed -i "/^DNS[12]?=/d" /var/ipfire/ppp/settings
elif [ -s "/var/ipfire/dns/settings" ]; then
eval $(/usr/local/bin/readhash /var/ipfire/dns/settings)
fi
local var
local i=3
for var in DNS0 DNS1 DNS2; do
if [ -n "${!var}" ]; then
echo "${i},${!var},,enabled,"
(( i++ ))
fi
done > /var/ipfire/dns/servers
# Empty the old settings file
: > /var/ipfire/dns/settings
# Disable using ISP name servers when we already have some configured
if [ ${i} -gt 3 ]; then
echo "USE_ISP_NAMESERVERS=off" \
>> /var/ipfire/dns/settings
fi
fi
# Set correct ownership.
chown nobody:nobody /var/ipfire/dns/settings
# Convert old unbound settings file
if [ -e "/etc/sysconfig/unbound" ]; then
local USE_FORWARDERS
local ENABLE_SAFE_SEARCH
local FORCE_TCP
# Read settings
eval $(/usr/local/bin/readhash /etc/sysconfig/unbound)
# Safe Search
if [ "${ENABLE_SAFE_SEARCH}" = "on" ]; then
echo "ENABLE_SAFE_SEARCH=${ENABLE_SAFE_SEARCH}" \
>> /var/ipfire/dns/settings
fi
# Force TCP
if [ "${FORCE_TCP}" = "on" ]; then
echo "PROTO=TCP" >> /var/ipfire/dns/settings
fi
# Run in recursor mode
if [ "${USE_FORWARDERS}" = "0" ]; then
# Remove all servers
: > /var/ipfire/dns/servers
fi
rm -f "/etc/sysconfig/unbound"
fi
# Set correct ownership.
chown nobody:nobody /var/ipfire/dns/servers
# Make DHCP leases readable for nobody
chown 644 /etc/unbound/dhcp-leases.conf
}
main "$@" || exit $?

45
src/scripts/update-location-database Normal file
View File

@@ -0,0 +1,45 @@
#!/bin/bash
###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2019 IPFire Development Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
eval $(/usr/local/bin/readhash /var/ipfire/proxy/settings)
# Proxy settings.
# Check if a proxy should be used.
if [[ $UPSTREAM_PROXY ]]; then
PROXYSETTINGS="https_proxy=http://"
# Check if authentication against the proxy is configured.
if [[ $UPSTREAM_USER && $UPSTREAM_PASSWORD ]]; then
PROXYSETTINGS="$PROXYSETTINGS$UPSTREAM_USER:$UPSTREAM_PASSWORD@"
fi
# Add proxy server.
PROXYSETTINGS="$PROXYSETTINGS$UPSTREAM_PROXY"
# Export proxy settings.
export HTTPS_PROXY="$PROXYSETTINGS"
fi
# Get the latest location database from server.
/usr/bin/location-downloader update
# Call initscript to reload the firewall.
/etc/init.d/firewall reload

138
src/scripts/xt_geoip_update
View File

@@ -1,138 +0,0 @@
#!/bin/bash
###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2019 IPFire Development Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
TMP_PATH=$(mktemp -dp /var/tmp)
TMP_FILE=$(mktemp -p $TMP_PATH)
SCRIPT_PATH=/usr/local/bin
DEST_PATH=/usr/share/xt_geoip
DB_PATH=/var/lib/GeoIP
DB1_PATH=/usr/share/GeoIP
DL_URL=https://geolite.maxmind.com/download/geoip/database
DL_FILE=GeoLite2-Country-CSV.zip
eval $(/usr/local/bin/readhash /var/ipfire/proxy/settings)
function download() {
echo "Downloading latest GeoIP ruleset..."
# Proxy settings.
# Check if a proxy should be used.
if [[ $UPSTREAM_PROXY ]]; then
PROXYSETTINGS="-e https_proxy=http://"
# Check if authentication against the proxy is configured.
if [[ $UPSTREAM_USER && $UPSTREAM_PASSWORD ]]; then
PROXYSETTINGS="$PROXYSETTINGS$UPSTREAM_USER:$UPSTREAM_PASSWORD@"
fi
# Add proxy server.
PROXYSETTINGS="$PROXYSETTINGS$UPSTREAM_PROXY"
fi
# Get the latest GeoIP database from server.
wget $DL_URL/$DL_FILE $PROXYSETTINGS -O $TMP_FILE
# Extract files to database path.
unzip $TMP_FILE -d $TMP_PATH
return 0
}
function install() {
echo "Install CSV database..."
# Check if the database dir exists.
if [ ! -e "$DB_PATH" ]; then
mkdir -p $DB_PATH &>/dev/null
fi
# Check if the directory for binary databases exists.
if [ ! -e "$DEST_PATH" ]; then
mkdir -p $DEST_PATH &>/dev/null
fi
# Install CSV databases.
if ! cp -af $TMP_PATH/*/* $DB_PATH &>/dev/null; then
echo "Could not copy files. Aborting." >&2
return 1
fi
return 0
}
function build_legacy() {
echo "Convert database to legacy GeoIP.dat ..."
cat $DB_PATH/GeoLite2-Country-Blocks-IPv4.csv | \
$DB1_PATH/bin/geolite2-to-legacy-csv.sh $DB1_PATH/bin/countryInfo.txt > \
$TMP_FILE
$DB1_PATH/bin/geoip-generator -v -4 --info="$(date -u +'GEO-106FREE %Y%m%d Build -IPFire-' \
-r $DB_PATH/GeoLite2-Country-Blocks-IPv4.csv) $(<$DB_PATH/COPYRIGHT.txt)" -o \
$DB1_PATH/GeoIP.dat $TMP_FILE
return 0
}
function build() {
echo "Convert database..."
# Run script to convert the CSV file into several xtables
# compatible binary files.
if ! $SCRIPT_PATH/xt_geoip_build -S $DB_PATH -D $DEST_PATH; then
echo "Could not convert ruleset. Aborting." >&2
return 1
fi
return 0
}
function cleanup() {
echo "Cleaning up temporary files..."
if ! rm -rf $TMP_PATH &>/dev/null; then
echo "Could not remove files. Aborting." >&2
return 1
fi
return 0
}
function main() {
local func
for func in download install build build_legacy; do
if ! ${func}; then
# Cleanup any temporary data
cleanup
return 1
fi
done
# Cleanup
cleanup || return $?
# All done
return 0
}
# Run the main function.
main || exit $?

93
src/setup/networking.c
View File

@@ -14,11 +14,6 @@
#include "setup.h"
#define DNS1 0
#define DNS2 1
#define DEFAULT_GATEWAY 2
#define DNSGATEWAY_TOTAL 3
extern FILE *flog;
extern char *mylog;
@@ -56,7 +51,7 @@ int drivermenu(void);
int changedrivers(void);
int greenaddressmenu(void);
int addressesmenu(void);
int dnsgatewaymenu(void);
int gatewaymenu(void);
int handlenetworking(void)
{
@@ -89,7 +84,7 @@ int handlenetworking(void)
break;
case 4:
dnsgatewaymenu();
gatewaymenu();
break;
case 0:
@@ -250,7 +245,7 @@ int firstmenu(void)
_("Network configuration type"),
_("Drivers and card assignments"),
_("Address settings"),
_("DNS and Gateway settings"),
_("Gateway settings"),
NULL
};
int rc;
@@ -708,14 +703,14 @@ int addressesmenu(void)
return 0;
}
/* DNS and default gateway.... */
int dnsgatewaymenu(void)
/* default gateway.... */
int gatewaymenu(void)
{
struct keyvalue *kv = initkeyvalues();
char message[1000];
char temp[STRING_SIZE] = "0";
struct newtWinEntry entries[DNSGATEWAY_TOTAL+1];
char *values[DNSGATEWAY_TOTAL]; /* pointers for the values. */
struct newtWinEntry entries[2];
char* values[1]; /* pointers for the values. */
int error;
int configtype;
int rc;
@@ -727,92 +722,50 @@ int dnsgatewaymenu(void)
return 0;
}
entries[DNS1].text = _("Primary DNS:");
strcpy(temp, ""); findkey(kv, "DNS1", temp);
values[DNS1] = strdup(temp);
entries[DNS1].value = &values[DNS1];
entries[DNS1].flags = 0;
entries[DNS2].text = _("Secondary DNS:");
strcpy(temp, ""); findkey(kv, "DNS2", temp);
values[DNS2] = strdup(temp);
entries[DNS2].value = &values[DNS2];
entries[DNS2].flags = 0;
entries[DEFAULT_GATEWAY].text = _("Default gateway:");
entries[0].text = _("Default gateway:");
strcpy(temp, ""); findkey(kv, "DEFAULT_GATEWAY", temp);
values[DEFAULT_GATEWAY] = strdup(temp);
entries[DEFAULT_GATEWAY].value = &values[DEFAULT_GATEWAY];
entries[DEFAULT_GATEWAY].flags = 0;
values[0] = strdup(temp);
entries[0].value = &values[0];
entries[0].flags = 0;
entries[DNSGATEWAY_TOTAL].text = NULL;
entries[DNSGATEWAY_TOTAL].value = NULL;
entries[DNSGATEWAY_TOTAL].flags = 0;
entries[1].text = NULL;
entries[1].value = NULL;
entries[1].flags = 0;
do
{
error = 0;
rc = newtWinEntries(_("DNS and Gateway settings"),
_("Enter the DNS and gateway information. "
"These settings are used only with Static IP (and DHCP if DNS set) on the RED interface."),
rc = newtWinEntries(_("Gateway settings"),
_("Enter the gateway information. "
"These settings are used only with Static IP on the RED interface."),
50, 5, 5, 18, entries, _("OK"), _("Cancel"), NULL);
if (rc == 0 || rc == 1)
{
strcpy(message, _("The following fields are invalid:"));
strcpy(message, "\n\n");
if (strlen(values[DNS1]))
if (strlen(values[0]))
{
if (inet_addr(values[DNS1]) == INADDR_NONE)
{
strcat(message, _("Primary DNS"));
strcat(message, "\n");
error = 1;
}
}
if (strlen(values[DNS2]))
{
if (inet_addr(values[DNS2]) == INADDR_NONE)
{
strcat(message, _("Secondary DNS"));
strcat(message, "\n");
error = 1;
}
}
if (strlen(values[DEFAULT_GATEWAY]))
{
if (inet_addr(values[DEFAULT_GATEWAY]) == INADDR_NONE)
if (inet_addr(values[0]) == INADDR_NONE)
{
strcat(message, _("Default gateway"));
strcat(message, "\n");
error = 1;
}
}
if (!strlen(values[DNS1]) && strlen(values[DNS2]))
{
strcpy(message, _("Secondary DNS specified without a Primary DNS"));
strcat(message, "\n");
error = 1;
}
if (error)
errorbox(message);
else
{
replacekeyvalue(kv, "DNS1", values[DNS1]);
replacekeyvalue(kv, "DNS2", values[DNS2]);
replacekeyvalue(kv, "DEFAULT_GATEWAY", values[DEFAULT_GATEWAY]);
replacekeyvalue(kv, "DEFAULT_GATEWAY", values[0]);
netaddresschange = 1;
free(values[DNS1]);
free(values[DNS2]);
free(values[DEFAULT_GATEWAY]);
free(values[0]);
writekeyvalues(kv, CONFIG_ROOT "/ethernet/settings");
}
}
}
while (error);
freekeyvalues(kv);
return 1;
}