--- /dev/null
+#!/usr/bin/perl
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2013 IPFire Development Team #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+use strict;
+
+# enable only the following on debugging purpose
+#use warnings;
+#use CGI::Carp 'fatalsToBrowser';
+
+require '/var/ipfire/general-functions.pl';
+require "${General::swroot}/lang.pl";
+require "${General::swroot}/header.pl";
+
+#workaround to suppress a warning when a variable is used only once
+my @dummy = ( ${Header::colouryellow} );
+undef (@dummy);
+
+my %cgiparams=();
+my %checked=();
+my %selected=();
+my $errormessage = '';
+my $tlsconfig = "${General::swroot}/dns/tlsconfig";
+my $changed = 'no';
+my %color = ();
+my %mainsettings = ();
+&General::readhash("${General::swroot}/main/settings", \%mainsettings);
+&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
+&Header::showhttpheaders();
+
+$cgiparams{'ENABLED'} = 'off';
+$cgiparams{'ACTION'} = '';
+$cgiparams{'HOSTNAME'} = '';
+$cgiparams{'SERVER_IP'} = '';
+$cgiparams{'PORT'} = '853';
+$cgiparams{'REMARK'} ='';
+&Header::getcgihash(\%cgiparams);
+open(FILE, ">>$tlsconfig") or die 'Unable to create file.';
+open(FILE, $tlsconfig) or die 'Unable to open config file.';
+my @current = <FILE>;
+close(FILE);
+
+###
+# Add / Edit entries.
+#
+if ($cgiparams{'ACTION'} eq $Lang::tr{'add'})
+{
+
+ # Check if the entered domainname is valid.
+ unless(&General::validfqdn($cgiparams{'HOSTNAME'})) {
+ $errormessage = $Lang::tr{'invalid domain name'};
+ goto ERROR;
+ }
+
+ # Check if the settings for the forward server are valid.
+ unless(&General::validip($cgiparams{'SERVER_IP'})) {
+ $errormessage = $Lang::tr{'invalid ip'};
+ goto ERROR;
+ }
+
+ # Check if the settings for the port are valid.
+ unless(&General::validport($cgiparams{'PORT'})) {
+ $errormessage = $Lang::tr{'invalid port'};
+ goto ERROR;
+ }
+
+ # Go further if there was no error.
+ if ( ! $errormessage)
+ {
+ # Check if a remark has been entered.
+ $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
+
+ # Check if we want to edit an existing or add a new entry.
+ if($cgiparams{'EDITING'} eq 'no') {
+ # Check in 'ADD' mode if IP is already in usage
+ foreach my $line (@current) {
+ chomp($line);
+ my @temp=split(/\,/,$line);
+ if ($temp[2] eq $cgiparams{'SERVER_IP'}) {
+ $errormessage = $Lang::tr{'fwhost err ipcheck'};
+ goto ERROR;
+ }
+ }
+
+ open(FILE,">>$tlsconfig") or die 'Unable to open config file.';
+ flock FILE, 2;
+ print FILE "$cgiparams{'ENABLED'},$cgiparams{'HOSTNAME'},$cgiparams{'SERVER_IP'},$cgiparams{'PORT'},$cgiparams{'REMARK'}\n";
+ } else {
+ open(FILE, ">$tlsconfig") or die 'Unable to open config file.';
+ flock FILE, 2;
+ my $id = 0;
+ foreach my $line (@current)
+ {
+ $id++;
+ if ($cgiparams{'EDITING'} eq $id) {
+ print FILE "$cgiparams{'ENABLED'},$cgiparams{'HOSTNAME'},$cgiparams{'SERVER_IP'},$cgiparams{'PORT'},$cgiparams{'REMARK'}\n";
+ } else { print FILE "$line"; }
+ }
+ }
+
+ close(FILE);
+ undef %cgiparams;
+ $changed = 'yes';
+ } else {
+ # stay on edit mode if an error occur
+ if ($cgiparams{'EDITING'} ne 'no')
+ {
+ $cgiparams{'ACTION'} = $Lang::tr{'edit'};
+ $cgiparams{'ID'} = $cgiparams{'EDITING'};
+ }
+ }
+ # Restart unbound
+ system('/usr/local/bin/unboundctrl restart >/dev/null');
+}
+
+ERROR:
+
+
+###
+# Remove existing entries.
+#
+if ($cgiparams{'ACTION'} eq $Lang::tr{'delete'})
+{
+ my $id = 0;
+ open(FILE, ">$tlsconfig") or die 'Unable to open config file.';
+ flock FILE, 2;
+ foreach my $line (@current)
+ {
+ $id++;
+ unless ($cgiparams{'ID'} eq $id) { print FILE "$line"; }
+ }
+ close(FILE);
+ # Restart unbound.
+ system('/usr/local/bin/unboundctrl restart >/dev/null');
+}
+
+###
+# Toggle Enable/Disable for entries.
+#
+if ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'})
+{
+ open(FILE, ">$tlsconfig") or die 'Unable to open config file.';
+ flock FILE, 2;
+ my $id = 0;
+ foreach my $line (@current)
+ {
+ $id++;
+ unless ($cgiparams{'ID'} eq $id) { print FILE "$line"; }
+ else
+ {
+ chomp($line);
+ my @temp = split(/\,/,$line);
+ print FILE "$cgiparams{'ENABLE'},$temp[1],$temp[2],$temp[3],$temp[4]\n";
+ }
+ }
+ close(FILE);
+ # Restart unbound.
+ system('/usr/local/bin/unboundctrl restart >/dev/null');
+}
+
+###
+# Read items for edit mode.
+#
+if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'})
+{
+ my $id = 0;
+ foreach my $line (@current)
+ {
+ $id++;
+ if ($cgiparams{'ID'} eq $id)
+ {
+ chomp($line);
+ my @temp = split(/\,/,$line);
+ $cgiparams{'ENABLED'} = $temp[0];
+ $cgiparams{'HOSTNAME'} = $temp[1];
+ $cgiparams{'SERVER_IP'} = $temp[2];
+ $cgiparams{'PORT'} = $temp[3];
+ $cgiparams{'REMARK'} = $temp[4];
+ }
+ }
+}
+
+$checked{'ENABLED'}{'off'} = '';
+$checked{'ENABLED'}{'on'} = '';
+$checked{'ENABLED'}{$cgiparams{'ENABLED'}} = "checked='checked'";
+
+&Header::openpage($Lang::tr{'dnsovertls configuration'}, 1, '');
+
+&Header::openbigbox('100%', 'left', '', $errormessage);
+
+
+###
+# Error messages layout.
+#
+if ($errormessage) {
+ &Header::openbox('100%', 'left', $Lang::tr{'error messages'});
+ print "<class name='base'>$errormessage\n";
+ print " </class>\n";
+ &Header::closebox();
+}
+
+print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>\n";
+
+my $buttontext = $Lang::tr{'add'};
+if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) {
+ &Header::openbox('100%', 'left', $Lang::tr{'dnsforward edit an entry'});
+ $buttontext = $Lang::tr{'update'};
+} else {
+ &Header::openbox('100%', 'left', $Lang::tr{'dnsforward add a new entry'});
+}
+
+###
+# Content of the main page.
+#
+print <<END
+<table width='100%'>
+ <tr>
+ <td width='20%' class='base'>$Lang::tr{'hostname'}: <img src='/blob.gif' alt='*' /></td>
+ <td><input type='text' name='HOSTNAME' value='$cgiparams{'HOSTNAME'}' size='24' /></td>
+ <td width='30%' class='base'>$Lang::tr{'enabled'}<input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /></td>
+ </tr>
+
+ <tr>
+ <td width='20%' class='base'>$Lang::tr{'ip address'}: <img src='/blob.gif' alt='*' /></td>
+ <td><input type='text' name='SERVER_IP' value='$cgiparams{'SERVER_IP'}' size='24' /></td>
+ </tr>
+
+ <tr>
+ <td width='12%' class='base'>$Lang::tr{'port'}: <img src='/blob.gif' alt='*' /></td>
+ <td><input type='text' name='PORT' value='$cgiparams{'PORT'}' size='6' /></td>
+</table>
+
+<table width='100%'>
+ <tr>
+ <td width ='20%' class='base'>$Lang::tr{'remark'}:</td>
+ <td><input type='text' name='REMARK' value='$cgiparams{'REMARK'}' size='40' maxlength='50' /></td>
+ </tr>
+</table>
+<br>
+<hr>
+
+<table width='100%'>
+ <tr>
+ <td class='base' width='55%'><img src='/blob.gif' alt ='*' align='top' /> $Lang::tr{'required field'}</td>
+ <td width='40%' align='right'>
+ <input type='hidden' name='ACTION' value='$Lang::tr{'add'}' />
+ <input type='submit' name='SUBMIT' value='$buttontext' />
+ </td>
+ </tr>
+</table>
+END
+;
+if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) {
+ print "<input type='hidden' name='EDITING' value='$cgiparams{'ID'}' />\n";
+} else {
+ print "<input type='hidden' name='EDITING' value='no' />\n";
+}
+
+&Header::closebox();
+print "</form>\n";
+
+###
+# Existing rules.
+#
+&Header::openbox('100%', 'left', $Lang::tr{'dnsovertls entries'});
+print <<END
+<table width='100%' cellpadding='0' class='tbl'>
+ <tr>
+ <th width='30%' class='boldbase' align='center'><b>$Lang::tr{'hostname'}</b></th>
+ <th width='25%' class='boldbase' align='center'><b>$Lang::tr{'ip address'}</b></th>
+ <th width='15%' class='boldbase' align='center'><b>$Lang::tr{'port'}</b></th>
+ <th width='35%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th>
+ <th width='10%' class='boldbase' colspan='7' align='center'><b>$Lang::tr{'action'}</b></th>
+ </tr>
+END
+;
+
+# If something has happened re-read config
+if($cgiparams{'ACTION'} ne '' or $changed ne 'no')
+{
+ open(FILE, $tlsconfig) or die 'Unable to open config file.';
+ @current = <FILE>;
+ close(FILE);
+ # Restart unbound.
+ system('/usr/local/bin/unboundctrl restart >/dev/null');
+}
+
+###
+# Re-read entries and highlight selected item for editing.
+#
+my $id = 0;
+my $col="";
+foreach my $line (@current)
+{
+ $id++;
+ chomp($line);
+ my @temp = split(/\,/,$line);
+ my $toggle = '';
+ my $gif = '';
+ my $gdesc = '';
+ my $toggle = '';
+
+ if($cgiparams{'ACTION'} eq $Lang::tr{'edit'} && $cgiparams{'ID'} eq $id) {
+ print "<tr>";
+ $col="bgcolor='${Header::colouryellow}'"; }
+ elsif ($id % 2) {
+ print "<tr>";
+ $col="bgcolor='$color{'color22'}'"; }
+ else {
+ print "<tr>";
+ $col="bgcolor='$color{'color20'}'"; }
+
+ if ($temp[0] eq 'on') { $gif='on.gif'; $toggle='off'; $gdesc=$Lang::tr{'click to disable'};}
+ else { $gif='off.gif'; $toggle='on'; $gdesc=$Lang::tr{'click to enable'}; }
+
+###
+# Display edit page.
+#
+print <<END
+ <td align='center' $col>$temp[1]</td>
+ <td align='center' $col>$temp[2]</td>
+ <td align='center' $col>$temp[3]</td>
+ <td align='center' $col>$temp[4]</td>
+ <td align='center' $col>
+ <form method='post' name='frma$id' action='$ENV{'SCRIPT_NAME'}'>
+ <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' title='$gdesc' alt='$gdesc' />
+ <input type='hidden' name='ID' value='$id' />
+ <input type='hidden' name='ENABLE' value='$toggle' />
+ <input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' />
+ </form>
+ </td>
+ <td align='center' $col>
+ <form method='post' name='frmb$id' action='$ENV{'SCRIPT_NAME'}'>
+ <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' title='$Lang::tr{'edit'}' alt='$Lang::tr{'edit'}' />
+ <input type='hidden' name='ID' value='$id' />
+ <input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' />
+ </form>
+ </td>
+ <td align='center' $col>
+ <form method='post' name='frmc$id' action='$ENV{'SCRIPT_NAME'}'>
+ <input type='image' name='$Lang::tr{'delete'}' src='/images/delete.gif' title='$Lang::tr{'delete'}' alt='$Lang::tr{'delete'}' onclick="return confirm('$Lang::tr{'delete item'}');" />
+ <input type='hidden' name='ID' value='$id' />
+ <input type='hidden' name='ACTION' value='$Lang::tr{'delete'}' />
+ </form>
+ </td>
+</tr>
+END
+ ;
+}
+print "</table>\n";
+
+###
+# Print the legend at the bottom if there are any configured entries.
+#
+# Check if the file size is zero - no existing entries.
+if ( ! -z "$tlsconfig") {
+print <<END
+<table>
+ <tr>
+ <td class='boldbase'> <b>$Lang::tr{'legend'}:</b></td>
+ <td> <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td>
+ <td class='base'>$Lang::tr{'click to disable'}</td>
+ <td> <img src='/images/off.gif' alt='$Lang::tr{'click to enable'}' /></td>
+ <td class='base'>$Lang::tr{'click to enable'}</td>
+ <td> <img src='/images/edit.gif' alt='$Lang::tr{'edit'}' /></td>
+ <td class='base'>$Lang::tr{'edit'}</td>
+ <td> <img src='/images/delete.gif' alt='$Lang::tr{'delete'}' onclick="return confirm('$Lang::tr{'delete item'}');" /></td>
+ <td class='base'>$Lang::tr{'delete'}</td>
+ </tr>
+</table>
+END
+;
+}
+
+&Header::closebox();
+
+&Header::closebigbox();
+
+&Header::closepage();
+
+
# EDNS buffer size
EDNS_DEFAULT_BUFFER_SIZE=4096
+# Path to other DNS configurations
+DOT="/var/ipfire/dns/tlsconfig"
+DNSFORWARD="/var/ipfire/dnsforward/config"
+
# Load optional configuration
[ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound
done 2>/dev/null | xargs echo
}
+read_dot_servers() {
+ if [ -f "/usr/bin/dot-indexCGI-check" ]; then
+ bash /usr/bin/dot-indexCGI-check
+ else
+ dot=$(unbound-control list_forwards | grep -Eo "([0-9.]+){4}" | tr '\n' ' ')
+ echo "${dot}" > /var/ipfire/red/dns
+ fi
+}
+
check_red_has_carrier_and_ip() {
# Interface configured ?
[ ! -e "/var/ipfire/red/iface" ] && return 0;
echo
;;
esac
- done < /var/ipfire/dnsforward/config
+ done < ${DNSFORWARD}
if [ -n "${insecure_zones}" ]; then
echo "server:"
echo " domain-insecure: ${zone}"
done
fi
+
+ # Add DNS-over-TLS forwarder configuration
+ if grep -q '^on,' ${DOT}; then
+ echo "# DNS-over-TLS configuration block"
+ echo "server:"
+ echo " tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt"
+ echo " qname-minimisation-strict: yes"
+ echo
+ echo "forward-zone:"
+ echo " name: \".\""
+ echo " forward-tls-upstream: yes"
+ echo
+ read_dot_servers
+ else
+ echo "# DNS forward configuration block"
+ echo "forward-zone:"
+ echo " name: \".\""
+ echo
+ read_name_servers
+ fi
+
+ local enabled domain ip port remark
+ while IFS="," read -r enabled domain ip port remark; do
+ # Line must be enabled
+ [ "${enabled}" = "on" ] || continue
+ echo " forward-addr: ${ip}@${port}#${domain}"
+ done < ${DOT}
) > /etc/unbound/forward.conf
}
shift
# If TCP is forced we know by now if the server responds to it
- if [ "${FORCE_TCP}" = "on" ]; then
+ if [ "${FORCE_TCP}" = "on" ]; then
return 0
fi
# Update configuration files
write_tuning_conf
- write_forward_conf
write_safe_search_conf
boot_mesg "Starting Unbound DNS Proxy..."
# Make own hostname resolveable
own_hostname
- # Update any known forwarding name servers
- update_forwarders
+ # Use update_forwards only in case if DoT or dns forwarding is disabled
+ # otherwise use write_forward_conf
+ if ! grep -q 'on' ${DOT} && ! grep -q 'on' ${DNSFORWARD}; then
+ update_forwarders
+ else
+ read_dot_servers
+ fi
# Update hosts
update_hosts
+ # Write forward conf
+ write_forward_conf
+
fix_time_if_dns_fail
;;
exit 0
fi
- update_forwarders
+ # Use update_forwards only in case if DoT or dns forwarding is disabled
+ # otherwise use write_forward_conf
+ if ! grep -q 'on' ${DOT} && ! grep -q 'on' ${DNSFORWARD}; then
+ update_forwarders
+ else
+ write_forward_conf
+ read_dot_servers
+ fi
unbound-control flush_negative > /dev/null
unbound-control flush_bogus > /dev/null
projects / people / ummeegge / ipfire-2.x.git / commitdiff
