Hi Paul,

On 1/29/19 4:50 PM, Paul Wouters wrote:
> On Mon, 28 Jan 2019, Wouter Wijngaards via Unbound-users wrote:
>
>>> For the unbound daemon we can set:
>>>
>>> outgoing-port-permit: 32768-60999
>>> outgoing-port-avoid: 0-32767
>>>
>>> Is there a way for a libunbound context to put in the same limitations?
>>
>> Yes, you can read a config file or use ub_ctx_set_option.
>>
>> For your example this would be:
>> ub_ctx_set_option(ctx, "outgoing-port-permit:", "32768-60999");
>> ub_ctx_set_option(ctx, "outgoing-port-avoid:", "0-32767");
>
> Štěpán did some testing for us and it seems libunbound is not
> honouring this. It must be specific daemon.c code that enforces this
> for the unbound daemon?

The call to set_option has to happen before the context is first used.
Did you set the option too late?

With a quick test, it works for me. But I did see a flaw in the locking
for the error case when the config condense code fails; fixing that.
But that locking issue for broken config is not something that is
causing you a problem, I think. It would not start anyhow, but the
error is in the cleanup after failure.

Best regards,
Wouter

>
> It would be good to get libunbound to honour this as well, so it does
> not get caught in SELinux denials.
>
> Paul
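
Added example, not part of the thread and not Unbound's own code: a small C model of how the unbound.conf documentation describes outgoing-port-permit and outgoing-port-avoid being processed (applied in order, adding to and subtracting from an initial allowed set), so the port set left by the two options above can be checked before comparing it with an SELinux policy. The function names and the simplified initial set (every port above 1024; Unbound also excludes IANA-assigned ports) are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NPORTS 65536

/* Assumption: the initial set is every port above 1024. Unbound itself
 * also leaves IANA-assigned ports out of this initial set. */
void ports_init(unsigned char *avail)
{
    memset(avail, 0, NPORTS);
    memset(avail + 1025, 1, NPORTS - 1025);
}

/* Apply one "port" or "low-high" value: allow=1 permits, allow=0 avoids.
 * Returns 0 on success, -1 on a malformed or out-of-range value. */
int ports_mark(unsigned char *avail, const char *val, int allow)
{
    char *end;
    long lo, hi;

    if (*val < '0' || *val > '9') return -1;
    lo = hi = strtol(val, &end, 10);
    if (*end == '-' && end[1] >= '0' && end[1] <= '9')
        hi = strtol(end + 1, &end, 10);
    if (*end != '\0' || lo > hi || hi >= NPORTS) return -1;
    memset(avail + lo, allow ? 1 : 0, (size_t)(hi - lo + 1));
    return 0;
}

/* Number of allowed ports in [lo, hi]. */
int ports_count(const unsigned char *avail, int lo, int hi)
{
    int n = 0;
    for (int i = lo; i <= hi; i++) n += avail[i];
    return n;
}

int main(void)
{
    static unsigned char avail[NPORTS];
    ports_init(avail);
    /* The two options from the thread, applied in the order given. */
    ports_mark(avail, "32768-60999", 1);
    ports_mark(avail, "0-32767", 0);
    printf("below 32768: %d\n", ports_count(avail, 0, 32767));
    printf("32768-60999: %d\n", ports_count(avail, 32768, 60999));
    printf("above 60999: %d\n", ports_count(avail, 61000, 65535));
    return 0;
}
```

In this model the ports above 60999 stay in the allowed set, because they were in the initial set and neither option removes them.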
