Hello, I have spent some time playing with libunbound in libreswan, and while I found the ability to change logging verbosity and logfile directly in the /etc/unbound/unbound.conf file without the need to rebuild libreswan quite handy for debug purposes, there are some downsides in using it:

- The use of /etc/unbound/unbound.conf does require a change to the SELinux policy itself, and so does opening a non-standard logfile, etc.
- When the "unbound" DNS server would be co-located with libreswan on a single host, using the server's configuration file for libreswan may bring undesired side effects.

And regarding the "outgoing-port-permit" and "outgoing-port-avoid" settings, those configuration options are being read by the DNS server application only (in daemon.c); the library does not respect them, neither from the unbound.conf file nor when setting them directly using ub_ctx_set_option(). A code change in libunbound would be required. I have tested this using unbound-libs-1.7.3, but couldn't find a relevant change in more recent versions either. Random UDP src ports are selected manually in the code; it is not the OS assigning those.

If you need some unbound configuration options, set them directly via the API. If those options should be user-configurable, appropriate configuration options should be introduced to ipsec.conf in my opinion.

Respectfully,
Stepan
