The following patch does these things:

1. bumps unbound to version 1.4.20.

2. adds uci support via /etc/config/unbound. The entirety of unbound.conf has 
been implemented here.

3. removes the existing patch which applied a memory optimized config to 
/etc/unbound/unbound.conf. This has been migrated to /etc/config/unbound as 
"option lowmem '1'" under "config server". This is the default. Disabling 
"lowmem" opens up the relevant parameters for individual tuning, if desired.

4. The other portions of the existing /etc/unbound/unbound.conf have been 
migrated to the default /etc/config/unbound, yielding the same operation.

5. The old /etc/unbound/unbound.conf has been renamed to 
/etc/unbound/unbound.conf.example to avoid confusion.

This is my first attempt at a uci configuration port. Any feedback and/or 
suggestions are greatly appreciated.

Signed-off-by: Adam Gensler <open...@kristenandadam.net>
---


Index: net/unbound/files/unbound.init
===================================================================
--- net/unbound/files/unbound.init      (revision 36569)
+++ net/unbound/files/unbound.init      (working copy)
@@ -1,14 +1,355 @@
#!/bin/sh /etc/rc.common
-#Copyright (C) 2010 Ondrej Caletka <o.cale...@sh.cvut.cz>
-START=61
+# Copyright (C) 2007-2013 OpenWrt.org

-start () {
-       unbound
+START=60
+
+SERVICE_USE_PID=1
+
+CONFIGFILE="/var/etc/unbound.conf"
+
+writeconf() {
+       local opt="$1"
+       local val="$2"
+       local extra="$3"
+
+       # wrap values with spaces or / in quotes
+       if [ `echo $val | grep -c "[.[:space:]/]"` -gt 0 ]; then
+               val="\"$val\""
+       fi
+
+       if [ -z "$val" ]; then
+               echo "${opt}: ${val} ${extra}" >> $CONFIGFILE
+       else
+               echo "  ${opt}: ${val} ${extra}" >> $CONFIGFILE
+       fi
}

-stop () {
-       PIDFILE='/var/run/unbound.pid'
-       if [ -f $PIDFILE ] ; then
-               kill $(cat $PIDFILE)
+add_bool() {
+       local section="$1"
+       local option="$2"
+
+       if [ -z "$3" ]; then
+               local config="$2"
+       else
+               local config="$3"
        fi
+
+       config_get value "$section" "$option"
+       [ -z "$value" ] && return 0
+
+       if [ "$value" -eq 0 ]; then
+               value="no"
+       elif [ "$value" -eq 1 ]; then
+               value="yes"
+       else
+               return 0
+       fi
+
+       writeconf "$config" "$value"
}
+
+add_param() {
+       local section="$1"
+       local option="$2"
+       
+       if [ -z "$3" ]; then
+               local config="$2"
+       else
+               local config="$3"
+       fi
+
+       config_get value "$section" "$option"
+       [ -z "$value" ] && return 0
+
+       writeconf "$config" "$value"
+}
+
+add_server() {
+       local cfg="$1"
+
+       add_param "$cfg" "include"
+
+       writeconf "server"
+       add_param "$cfg" "verbosity"
+       add_param "$cfg" "statistics_interval" "statistics-interval"
+       add_bool "$cfg" "statistics_cumulative" "statistics-cumulative"
+       add_bool "$cfg" "extended_statistics" "extended-statistics"
+       add_param "$cfg" "port"
+       config_list_foreach "$cfg" "interface" add_list "interface"
+       add_param "$cfg" "interface_automatic" "interface-automatic"
+       config_list_foreach "$cfg" "outgoing_interface" add_list 
"outgoing-interface"
+       add_param "$cfg" "outgoing_port_permit" "outgoing-port-permit"
+       add_param "$cfg" "outgoing_port_avoid" "outgoing-port-avoid"
+       add_param "$cfg" "edns_buffer_size" "edns-buffer-size"
+       add_param "$cfg" "jostle_timeout" "jostle-timeout"
+       add_param "$cfg" "so_rcvbuf" "so-rcvbuf"
+       add_param "$cfg" "so_sndbuf" "so-sndbuf"
+       add_param "$cfg" "cache_min_ttl" "cache-min-ttl"
+       add_param "$cfg" "cache_max_ttl" "cache-max-ttl"
+       add_param "$cfg" "infra_host_ttl" "infra-host-ttl"
+       add_bool "$cfg" "do_ip4" "do-ip4"
+       add_bool "$cfg" "do_ip6" "do-ip6"
+       add_bool "$cfg" "do_udp" "do-udp"
+       add_bool "$cfg" "do_tcp" "do-tcp"
+       add_bool "$cfg" "tcp_upstream" "tcp-upstream"
+       add_bool "$cfg" "ssl_upstream" "ssl-upstream"
+       add_param "$cfg" "ssl_service_key" "ssl-service-key"
+       add_param "$cfg" "ssl_service_pem" "ssl-service-pem"
+       add_param "$cfg" "ssl_port" "ssl-port"
+       add_bool "$cfg" "do_daemonize" "do-daemonize"
+       add_param "$cfg" "chroot"
+       add_param "$cfg" "username"
+       add_param "$cfg" "directory"
+       add_param "$cfg" "logfile"
+       add_bool "$cfg" "use_syslog" "use-syslog"
+       add_bool "$cfg" "log_time_ascii" "log-time-ascii"
+       add_bool "$cfg" "log_queries" "log-queries"
+       config_get tmpval "$cfg" pidfile "/var/run/unbound.pid"
+       writeconf "pidfile" "$tmpval"
+
+       config_get tmpfile "$cfg" "root_hints"
+       if [ ! -z "$tmpfile" ]; then
+               if [ -s $tmpfile ]; then
+                       writeconf "root-hints" "$tmpfile"
+               else
+                       logger -t unbound "Using built-in root-hints list, this 
may be out of date."
+               fi
+       fi
+
+       add_bool "$cfg" "hide_identity" "hide-identity"
+       add_param "$cfg" "identity"
+       add_bool "$cfg" "hide_version" "hide-version"
+       add_param "$cfg" "version"
+       add_bool "$cfg" "harden_glue" "harden-glue"
+       add_bool "$cfg" "harden_dnssec_stripped" "harden-dnssec-stripped"
+       add_bool "$cfg" "harden_below_nxdomain" "harden-below-nxdomain"
+       add_bool "$cfg" "harden_referral_path" "harden-referral-path"
+       add_bool "$cfg" "use_caps_for_id" "use-caps-for-id"
+       config_list_foreach "$cfg" "private_address" add_list "private-address" 
+       config_list_foreach "$cfg" "private_domain" add_list "private-domain"
+       add_param "$cfg" "unwanted_reply_threshold" "unwanted-reply-threshold"
+       add_param "$cfg" "do_not_query_address" "do-not-query-address"
+       add_bool "$cfg" "do_not_query_localhost" "do-not-query-localhost"
+       add_bool "$cfg" "prefetch" 
+       add_bool "$cfg" "prefetch_key" "prefetch-key"
+       add_bool "$cfg" "rrset_roundrobin" "rrset-roundrobin"
+       add_bool "$cfg" "minimal_responses" "minimal-responses"
+       add_param "$cfg" "module_config" "module-config"
+       add_param "$cfg" "trust_anchor_file" "trust-anchor-file"
+
+       # make sure the root.key file exists
+       config_get tmpval "$cfg" "root_key"
+       if [ -n $tmpval ]; then
+               if [ ! -e "$tmpval" ] || [ ! -s "$tmpval" ]; then
+                       getanchor=`which unbound-anchor`
+                       if [ -n "$getanchor" ]; then
+                               logger -t unbound "Anchor file is missing, 
attempting to create one."
+                               $getanchor -a "$tmpval"
+                               if [ -s "$tmpval" ]; then
+                                       logger -t unbound "Anchor file created, 
will attempt to use it."
+                                       writeconf "auto-trust-anchor-file" 
"/etc/unbound/root.key"
+                               else
+                                       logger -t unbound "Unable to create 
anchor file, dnssec will not be validated!"
+                               fi
+                       else
+                               logger -t unbound "Unable to locate or empty 
root key file, $tmpval, dnssec will not be validated!"
+                       fi
+               else
+                       writeconf "auto-trust-anchor-file" 
"/etc/unbound/root.key"
+               fi
+       fi
+
+       add_param "$cfg" "trust_anchor" "trust-anchor"
+       add_param "$cfg" "trusted_keys_file" "trusted-keys-file"
+       add_param "$cfg" "dlv_anchor_file" "dlv-anchor-file"
+       add_param "$cfg" "dlv_anchor" "dlv-anchor"
+       config_list_foreach "$cfg" "domain_insecure" add_list "domain-insecure"
+       add_param "$cfg" "val_override_date" "val-override-date"
+       add_param "$cfg" "val_sig_skew_min" "val-sig-skew-min"
+       add_param "$cfg" "val_sig_skew_max" "val-sig-skew-max"
+       add_param "$cfg" "val_bogus_ttl" "val-bogus-ttl"
+       add_bool "$cfg" "val_clean_additional" "val-clean-additional"
+       add_param "$cfg" "val_log_level" "val-log-level"
+       add_bool "$cfg" "val_permissive_mode" "val-permissive-mode"
+       add_bool "$cfg" "ignore_cd_flag" "ignore-cd-flag"
+       add_param "$cfg" "val_nsec3_keysize_iterations" 
"val-nsec3-keysize-iterations"
+       add_param "$cfg" "add_holddown" "add-holddown"
+       add_param "$cfg" "del_holddown" "del-holddown"
+       add_param "$cfg" "keep_missing" "keep-missing"
+
+       # check to see if unbound should run with low memory optimizations
+       config_get_bool lowmem "$cfg" "lowmem" 1
+       if [ $lowmem -eq 1 ]; then
+               writeconf "num-threads" "1"
+               writeconf "outgoing-num-tcp" "1"
+               writeconf "incoming-num-tcp" "1"
+               writeconf "outgoing-range" "60"
+               writeconf "msg-buffer-size" "8192" 
+               writeconf "msg-cache-size" "100k"
+               writeconf "msg-cache-slabs" "1"
+               writeconf "rrset-cache-size" "100k"
+               writeconf "rrset-cache-slabs" "1"
+               writeconf "infra-cache-numhosts" "200"
+               writeconf "infra-cache-slabs" "1"
+               writeconf "key-cache-size" "100k"
+               writeconf "key-cache-slabs" "1"
+               writeconf "neg-cache-size" "10k"
+               writeconf "num-queries-per-thread" "30"
+               writeconf "target-fetch-policy" "2 1 0 0 0 0"
+               writeconf "harden-large-queries" "yes"
+               writeconf "harden-short-bufsize" "yes"
+       else
+               add_param "$cfg" "num_threads" "num-threads"
+               add_param "$cfg" "outgoing_num_tcp" "outgoing-num-tcp"
+               add_param "$cfg" "incoming_num_tcp" "incoming-num-tcp"
+               add_param "$cfg" "outgoing_range" "outgoing-range"
+               add_param "$cfg" "msg_buffer_size" "msg-buffer-size"
+               add_param "$cfg" "msg_cache_size" "msg-cache-size"
+               add_param "$cfg" "msg_cache_slabs" "msg-cache-slabs"
+               add_param "$cfg" "rrset_cache_size" "rrset-cache-size"
+               add_param "$cfg" "rrset_cache_slabs" "rrset-cache-slabs"
+               add_param "$cfg" "infra_cache_numhosts" "infra-cache-numhosts"
+               add_param "$cfg" "infra_cache_slabs" "infra-cache-slabs"
+               add_param "$cfg" "key_cache_size" "key-cache-size"
+               add_param "$cfg" "key_cache_slabs" "key-cache-slabs"
+               add_param "$cfg" "neg_cache_size" "neg-cache-size"
+               add_param "$cfg" "num_queries_per_thread" 
"num-queries-per-thread"
+               add_param "$cfg" "target_fetch_policy" "target-fetch-policy"
+               add_bool "$cfg" "harden_large_queries" "harden-large-queries"
+               add_bool "$cfg" "harden_short_bufsize" "harden-short-bufsize"
+       fi
+
+
+}
+
+add_remote() {
+       local cfg="$1"
+
+       writeconf "remote-control"
+       add_bool "$cfg" "control_enable" "control-enable"
+       config_list_foreach "$cfg" "control_interface" add_list 
"control-interface"
+       add_param "$cfg" "control_port" "control-port"
+       add_param "$cfg" "server_key_file" "server-key-file"
+       add_param "$cfg" "server_cert_file" "server-cert-file"
+       add_param "$cfg" "control_key_file" "control-key-file"
+       add_param "$cfg" "control_cert_file" "control-cert-file"
+}
+
+add_list() {
+       local value="$1"
+       local config="$2"
+       writeconf "$config" "$value"
+}
+
+add_access() {
+       local cfg="$1"
+
+       config_get tmpip "$cfg" ipaddr
+       [ -z "$tmpip" ] && return 0
+
+       config_get tmppolicy "$cfg" policy
+       [ -z "$tmppolicy" ] && return 0
+
+       writeconf "access-control" "$tmpip" "$tmppolicy"
+}
+
+add_zone() {
+       local cfg="$1"
+
+       config_get tmpname "$cfg" name
+       [ -z "$tmpname" ] && return 0
+
+       config_get tmptype "$cfg" type "static"
+
+       writeconf "local-zone" "$tmpname." "$tmptype"
+}
+
+add_host() {
+       local cfg="$1"
+
+       config_get tmpname "$cfg" name
+       [ -z "$tmpname" ] && return 0
+
+       config_get tmpip "$cfg" ipaddr
+       if [ -n $tmpip ]; then
+               writeconf "local-data" "${tmpname}. IN A ${tmpip}"
+               writeconf "local-data-ptr" "${tmpip} ${tmpname}."
+       fi
+
+       config_get tmpip6 "$cfg" ip6addr
+       if [ -n $tmpip6 ]; then
+               writeconf "local-data" "${tmpname}. IN AAAA ${tmpip6}"
+               writeconf "local-data-ptr" "${tmpip6} ${tmpname}."
+       fi
+}
+
+add_forward_stub() {
+       local cfg="$1"
+       local mode="$2"
+
+       config_get tmpname "$cfg" "name"
+       if [ -z "$tmpname" ]; then
+               logger -t unbound "${mode} zone specified but no name provided!"
+               return 0
+       fi
+
+       # should we use resolv.conf?
+       config_get_bool tmpval "$cfg" "useresolv" 0
+       if [ $tmpval -eq 1 ]; then
+               config_get tmpfile "$cfg" "resolvfile"
+               if [ -z "$tmpfile" ]; then
+                       logger -t unbound "resolvfile not specified but 
\"useresolv\" enabled!"
+                       return 0
+               else
+                       if [ -s $tmpfile ]; then
+                               tmpaddrs=$(grep nameserver ${tmpfile} | awk '{ 
print $2 }')
+                       fi
+               fi
+       else
+               config_get tmpaddrs "$cfg" "ipaddr"
+               config_get tmphosts "$cfg" "hostname"
+
+               if [ -z "$tmpaddrs" ] && [ -z "$tmphosts" ]; then
+                       logger -t unbound "No ipaddr or hostname specified!"
+                       return 0
+               fi
+       fi
+
+       writeconf "${mode}-zone"
+       writeconf "name" "$tmpname"
+
+       for tmpaddr in $tmpaddrs
+       do
+               writeconf "${mode}-addr" "$tmpaddr"
+       done
+
+       for tmphost in $tmphosts
+       do
+               writeconf "${mode}-host" "$tmphost"
+       done
+
+       add_bool "$cfg" "${mode}_prime" "${mode}-prime"
+       add_bool "$cfg" "${mode}_first" "${mode}-first"
+}
+
+start() {
+       config_load unbound
+
+       mkdir -p $(dirname $CONFIGFILE)
+       echo "# Auto generated from /etc/config/unbound" > $CONFIGFILE
+
+       config_foreach add_server server
+       config_foreach add_access access
+       config_foreach add_zone zone
+       config_foreach add_host host
+       config_foreach add_forward_stub forward "forward"
+       config_foreach add_forward_stub stub "stub"
+       config_foreach add_remote remote
+
+       service_start /usr/sbin/unbound -c $CONFIGFILE
+}
+
+stop() {
+       service_stop /usr/sbin/unbound
+}
+
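Review bot: In add_server's root_key block the test `[ -n $tmpval ]` is unquoted, so with root_key unset it collapses to `[ -n ]`, which is true, and the block goes on to call unbound-anchor with an empty path; it should read `if [ -n "$tmpval" ]; then`. Both `writeconf "auto-trust-anchor-file" "/etc/unbound/root.key"` calls in that block also ignore the configured path, so a non-default root_key is checked or created at one location while unbound is pointed at another; `writeconf "auto-trust-anchor-file" "$tmpval"` keeps the DNSSEC anchor consistent. The same unquoted test appears in add_host as `[ -n $tmpip ]` and `[ -n $tmpip6 ]`, where a host with only one address family gets `local-data` and `local-data-ptr` lines with an empty address. Separately, add_forward_stub never declares or resets tmpaddrs and tmphosts, so a forward or stub section can inherit upstream servers from the section processed before it; `local tmpaddrs="" tmphosts=""` at the top of the function avoids that.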
Index: net/unbound/patches/001-conf.patch
===================================================================
--- net/unbound/patches/001-conf.patch  (revision 36569)
+++ net/unbound/patches/001-conf.patch  (working copy)
@@ -1,154 +0,0 @@
---- a/doc/example.conf.in
-+++ b/doc/example.conf.in
-@@ -38,6 +38,8 @@ server:
-       # interface: 192.0.2.154
-       # interface: 192.0.2.154@5003
-       # interface: 2001:DB8::5
-+      interface: 0.0.0.0
-+      interface: ::0
- 
-       # enable this feature to copy the source address of queries to reply.
-       # Socket options are not supported on all platforms. experimental. 
-@@ -57,6 +59,7 @@ server:
-       # port range that can be open simultaneously.  About double the
-       # num-queries-per-thread, or, use as many as the OS will allow you.
-       # outgoing-range: 4096
-+      outgoing-range: 60
- 
-       # permit unbound to use this port number or port range for
-       # making outgoing queries, using an outgoing interface.
-@@ -71,9 +74,11 @@ server:
- 
-       # number of outgoing simultaneous tcp buffers to hold per thread.
-       # outgoing-num-tcp: 10
-+      outgoing-num-tcp: 1
- 
-       # number of incoming simultaneous tcp buffers to hold per thread.
-       # incoming-num-tcp: 10
-+      incoming-num-tcp: 1
- 
-       # buffer size for UDP port 53 incoming (SO_RCVBUF socket option).
-       # 0 is system default.  Use 4m to catch query spikes for busy servers.
-@@ -90,18 +95,22 @@ server:
-       # buffer size for handling DNS data. No messages larger than this
-       # size can be sent or received, by UDP or TCP. In bytes.
-       # msg-buffer-size: 65552
-+      msg-buffer-size: 8192
- 
-       # the amount of memory to use for the message cache.
-       # plain value in bytes or you can append k, m or G. default is "4Mb". 
-       # msg-cache-size: 4m
-+      msg-cache-size: 100k
- 
-       # the number of slabs to use for the message cache.
-       # the number of slabs must be a power of 2.
-       # more slabs reduce lock contention, but fragment memory usage.
-       # msg-cache-slabs: 4
-+      msg-cache-slabs: 1
- 
-       # the number of queries that a thread gets to service.
-       # num-queries-per-thread: 1024
-+      num-queries-per-thread: 30
- 
-       # if very busy, 50% queries run to completion, 50% get timeout in msec
-       # jostle-timeout: 200
-@@ -109,11 +118,13 @@ server:
-       # the amount of memory to use for the RRset cache.
-       # plain value in bytes or you can append k, m or G. default is "4Mb". 
-       # rrset-cache-size: 4m
-+      rrset-cache-size: 100k
- 
-       # the number of slabs to use for the RRset cache.
-       # the number of slabs must be a power of 2.
-       # more slabs reduce lock contention, but fragment memory usage.
-       # rrset-cache-slabs: 4
-+      rrset-cache-slabs: 1
- 
-       # the time to live (TTL) value lower bound, in seconds. Default 0.
-       # If more than an hour could easily give trouble due to stale data.
-@@ -131,9 +142,11 @@ server:
-       # the number of slabs must be a power of 2.
-       # more slabs reduce lock contention, but fragment memory usage.
-       # infra-cache-slabs: 4
-+      infra-cache-slabs: 1
- 
-       # the maximum number of hosts that are cached (roundtrip, EDNS, lame).
-       # infra-cache-numhosts: 10000
-+      infra-cache-numhosts: 200
- 
-       # Enable IPv4, "yes" or "no".
-       # do-ip4: yes
-@@ -164,6 +177,8 @@ server:
-       # access-control: ::0/0 refuse
-       # access-control: ::1 allow
-       # access-control: ::ffff:127.0.0.1 allow
-+      access-control: 0.0.0.0/0 allow
-+      access-control: ::0/0 allow
- 
-       # if given, a chroot(2) is done to the given directory.
-       # i.e. you can chroot to the working directory, for example,
-@@ -194,6 +209,7 @@ server:
-       # and the given username is assumed. Default is user "unbound".
-       # If you give "" no privileges are dropped.
-       # username: "@UNBOUND_USERNAME@"
-+      username: ""
- 
-       # the working directory. The relative files in this config are 
-       # relative to this directory. If you give "" the working directory
-@@ -216,10 +232,12 @@ server:
- 
-       # the pid file. Can be an absolute path outside of chroot/work dir.
-       # pidfile: "@UNBOUND_PIDFILE@"
-+      pidfile: "/var/run/unbound.pid"
- 
-       # file to read root hints from.
-       # get one from ftp://FTP.INTERNIC.NET/domain/named.cache
-       # root-hints: ""
-+      root-hints: "/etc/unbound/named.cache"
- 
-       # enable to not answer id.server and hostname.bind queries.
-       # hide-identity: no
-@@ -242,12 +260,15 @@ server:
-       #       positive value: fetch that many targets opportunistically.
-       # Enclose the list of numbers between quotes ("").
-       # target-fetch-policy: "3 2 1 0 0"
-+      target-fetch-policy: "2 1 0 0 0 0"
- 
-       # Harden against very small EDNS buffer sizes. 
-       # harden-short-bufsize: no
-+      harden-short-bufsize: yes
- 
-       # Harden against unseemly large queries.
-       # harden-large-queries: no
-+      harden-large-queries: yes
- 
-       # Harden against out of zone rrsets, to avoid spoofing attempts. 
-       # harden-glue: yes
-@@ -328,7 +349,7 @@ server:
-       # you start unbound (i.e. in the system boot scripts).  And enable:
-       # Please note usage of unbound-anchor root anchor is at your own risk
-       # and under the terms of our LICENSE (see that file in the source).
--      # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
-+      auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
- 
-       # File with DLV trusted keys. Same format as trust-anchor-file.
-       # There can be only one DLV configured, it is trusted from root down.
-@@ -414,15 +435,18 @@ server:
-       # the amount of memory to use for the key cache.
-       # plain value in bytes or you can append k, m or G. default is "4Mb". 
-       # key-cache-size: 4m
-+      key-cache-size: 100k
- 
-       # the number of slabs to use for the key cache.
-       # the number of slabs must be a power of 2.
-       # more slabs reduce lock contention, but fragment memory usage.
-       # key-cache-slabs: 4
-+      key-cache-slabs: 1
- 
-       # the amount of memory to use for the negative cache (used for DLV).
-       # plain value in bytes or you can append k, m or G. default is "1Mb". 
-       # neg-cache-size: 1m
-+      neg-cache-size: 10k
- 
-       # a number of locally served zones can be configured.
-       #       local-zone: <zone> <type>
Index: net/unbound/Makefile
===================================================================
--- net/unbound/Makefile        (revision 36569)
+++ net/unbound/Makefile        (working copy)
@@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk

PKG_NAME:=unbound
-PKG_VERSION:=1.4.17
+PKG_VERSION:=1.4.20
PKG_RELEASE:=1

PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://www.unbound.net/downloads
-PKG_MD5SUM:=812d49064a78c92765970a1364736da7
+PKG_MD5SUM:=1f2d0b490fd7928a708a326beda21948

PKG_BUILD_DEPENDS:=libexpat
PKG_BUILD_PARALLEL:=1
@@ -133,9 +133,11 @@
        $(INSTALL_DIR) $(1)/etc/unbound
        $(INSTALL_CONF) \
                $(PKG_INSTALL_DIR)/etc/unbound/unbound.conf \
-               $(1)/etc/unbound/
+               $(1)/etc/unbound/unbound.conf.example
        $(INSTALL_CONF) ./files/root.key $(1)/etc/unbound/
        $(INSTALL_CONF) ./files/named.cache $(1)/etc/unbound/
+       $(INSTALL_DIR) $(1)/etc/config
+       $(INSTALL_CONF) ./files/unbound.conf $(1)/etc/config/unbound
        $(INSTALL_DIR) $(1)/etc/init.d
        $(INSTALL_BIN) ./files/unbound.init $(1)/etc/init.d/unbound
endef
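Review bot: The added `$(INSTALL_CONF) ./files/unbound.conf $(1)/etc/config/unbound` line installs a file that no section of this patch, as shown, adds, so the install step would fail unless net/unbound/files/unbound.conf already exists in the tree; the new default UCI config should ship in the same patch. According to the description, that file takes over the settings the deleted 001-conf.patch applied (including `access-control: 0.0.0.0/0 allow` and `username: ""`), so it needs review alongside this change. The install define starts outside the hunk, and the package's conffiles list is not visible here; if it does not name /etc/config/unbound, add it so the configuration is preserved across upgrades.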