authorRosen Penev <rosenp@gmail.com>2020-06-27 14:40:56 -0700
committerGitHub <noreply@github.com>2020-06-27 14:40:56 -0700
commit96c5b83b644b012cb2fdc008566a17922161bb9d (patch)
tree5a842e4f99851c0f67984a7ac0f73b5457370391
parente2fe9bda3d6a2755f36031d8d69c6ea8e08ba715 (diff)
parent9c655aed3a4645fa58e478d784db261ad8d921f5 (diff)
Merge pull request #12581 from EricLuehrsen/unbound_20200623
unbound: reduced to one package with selectable options
-rw-r--r--net/libreswan/Makefile4
-rw-r--r--net/unbound/Makefile135
-rw-r--r--net/unbound/files/README.md10
-rw-r--r--net/unbound/files/defaults.sh1
-rw-r--r--net/unbound/files/unbound.sh86
5 files changed, 155 insertions, 81 deletions
diff --git a/net/libreswan/Makefile b/net/libreswan/Makefile
index c040039c4..d45f79326 100644
--- a/net/libreswan/Makefile
+++ b/net/libreswan/Makefile
@@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=libreswan
PKG_VERSION:=3.32
-PKG_RELEASE:=2
+PKG_RELEASE:=3
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://download.libreswan.org/
@@ -45,7 +45,7 @@ $(call Package/libreswan/Default)
+kmod-crypto-aead +kmod-crypto-authenc +kmod-crypto-gcm \
+kmod-crypto-hash +kmod-crypto-rng +kmod-ip-vti +kmod-ipsec \
+kmod-ipsec4 +kmod-ipt-ipsec +libevent2 +libevent2-pthreads \
- +libldns +librt +libunbound-heavy +nss-utils +nspr +libcap-ng
+ +libldns +librt +libunbound +nss-utils +nspr +libcap-ng
PROVIDES:=openswan
CONFLICTS:=strongswan
TITLE+= IPsec Server
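Review bot: The dependency now points at plain `+libunbound`, whose libevent and pthread support can be switched off under the new `PACKAGE_libunbound_*` options, while the old `+libunbound-heavy` always carried both. The unbound Makefile in this same commit installs `unbound-event.h` only when `CONFIG_PACKAGE_libunbound_libevent` is set, so a trimmed libunbound would presumably break the libreswan build; confirm whether libreswan needs the event API. If it does, record the requirement beside the dependency, for example `# requires libunbound built with PACKAGE_libunbound_libevent (unbound-event.h)`, or have the libreswan package config select that option.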
diff --git a/net/unbound/Makefile b/net/unbound/Makefile
index fff82d1d1..12f0e3a8f 100644
--- a/net/unbound/Makefile
+++ b/net/unbound/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=unbound
PKG_VERSION:=1.10.1
-PKG_RELEASE:=3
+PKG_RELEASE:=4
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://nlnetlabs.nl/downloads/unbound
@@ -24,6 +24,13 @@ PKG_BUILD_PARALLEL:=1
PKG_FIXUP:=autoreconf
PKG_INSTALL:=1
+PKG_CONFIG_DEPENDS:=CONFIG_PACKAGE_libunbound_dnscrypt \
+ CONFIG_PACKAGE_libunbound_ipset \
+ CONFIG_PACKAGE_libunbound_libevent \
+ CONFIG_PACKAGE_libunbound_libpthread \
+ CONFIG_PACKAGE_libunbound_pythonmodule \
+ CONFIG_PACKAGE_libunbound_subnet
+
include $(INCLUDE_DIR)/package.mk
define Package/unbound/Default
@@ -38,63 +45,34 @@ endef
define Package/unbound-daemon
$(call Package/unbound/Default)
- TITLE+= (daemon, light traffic)
- DEPENDS+= +libunbound-light
- VARIANT:=light
+ TITLE+= (daemon)
+ DEPENDS+= +libunbound
endef
define Package/unbound-daemon/description
- This package contains the Unbound daemon with basic includes
- necessary to meet the needs of UCI/LuCI configuration optoins.
+ This package contains the Unbound daemon including 'libevent', 'libmnl', and
+ 'libpthread' to better handle large networks with heavy query loads. Options
+ are available under libraries/network/libunbound to custom trim Unbound for
+ smaller targets.
endef
-define Package/unbound-daemon-heavy
- $(call Package/unbound/Default)
- TITLE+= (daemon, heavy traffic)
- URL:=https://nlnetlabs.nl/documentation/unbound/howto-optimise
- DEPENDS+= +libunbound-heavy +libpthread +libevent2 +libevent2-pthreads +libmnl
- VARIANT:=heavy
- PROVIDES:=unbound-daemon
-endef
-
-define Package/unbound-daemon-heavy/description
- This package contains the Unbound daemon including 'libevent' and
- 'libpthread' to better handle large networks with heavy query loads.
- It also offers ipset support.
-endef
-
-define Package/libunbound-light
+define Package/libunbound
$(call Package/unbound/Default)
SECTION:=libs
CATEGORY:=Libraries
SUBMENU:=Networking
- TITLE+= (library, light traffic)
- VARIANT:=light
- PROVIDES:=libunbound
- DEFAULT_VARIANT:=1
+ TITLE+= (library)
+ DEPENDS+=+PACKAGE_libunbound_dnscrypt:libsodium \
+ +PACKAGE_libunbound_ipset:libmnl \
+ +PACKAGE_libunbound_libevent:libevent2 \
+ +PACKAGE_libunbound_libpthread:libpthread \
+ +PACKAGE_libunbound_pythonmodule:python3-base
endef
-define Package/libunbound-light/description
- This package contains the Unbound shared library with basic includes
- necessary to meet the needs of UCI/LuCI configuration options.
-endef
-
-define Package/libunbound-heavy
- $(call Package/unbound/Default)
- SECTION:=libs
- CATEGORY:=Libraries
- SUBMENU:=Networking
- TITLE+= (library, heavy traffic)
- URL:=https://nlnetlabs.nl/documentation/unbound/howto-optimise
- DEPENDS+= +libpthread +libevent2 +libevent2-pthreads +libmnl
- VARIANT:=heavy
- PROVIDES:=libunbound
-endef
-
-define Package/libunbound-heavy/description
- This package contains the Unbound shared library including 'libevent' and
- 'libpthread' to better handle large networks with heavy query loads. It
- also offers ipset support.
+define Package/libunbound/description
+ This package contains the Unbound library including 'libevent', 'libmnl', and
+ 'libpthread' to better handle large networks with heavy query loads. Options
+ are available to custom trim Unbound for smaller targets.
endef
define Package/unbound-anchor
@@ -147,6 +125,29 @@ define Package/unbound-host/description
This package contains the Unbound DNS lookup utility.
endef
+define Package/libunbound/config
+ if PACKAGE_libunbound
+ config PACKAGE_libunbound_dnscrypt
+ bool "Build with DNSCRYPT support."
+ default n
+ config PACKAGE_libunbound_ipset
+ bool "Build with IPSET (libmnl) support."
+ default y
+ config PACKAGE_libunbound_libevent
+ bool "Build with expanded network resource (libevent) support."
+ default y
+ config PACKAGE_libunbound_libpthread
+ bool "Build with POSIX threading (libpthread) support."
+ default y
+ config PACKAGE_libunbound_pythonmodule
+ bool "Build with PYTHON module for prototyping and data analysis."
+ default n
+ config PACKAGE_libunbound_subnet
+ bool "Build with SUBNET cache module support."
+ default n
+ endif
+endef
+
CONFIGURE_ARGS += \
--disable-dsa \
--disable-gost \
@@ -159,21 +160,17 @@ CONFIGURE_ARGS += \
--with-user=unbound \
--with-run-dir=/var/lib/unbound \
--with-conf-file=/var/lib/unbound/unbound.conf \
- --with-pidfile=/var/run/unbound.pid
-
-ifeq ($(BUILD_VARIANT),heavy)
- CONFIGURE_ARGS += \
- --enable-ipset \
- --with-pthreads \
- --with-libevent="$(STAGING_DIR)/usr" \
- --with-libmnl="$(STAGING_DIR)/usr" \
- --enable-event-api
-else
- CONFIGURE_ARGS += \
- --without-pthreads \
- --without-solaris-threads \
- --without-libevent
-endif
+ --with-pidfile=/var/run/unbound.pid \
+ $(if $(CONFIG_PACKAGE_libunbound_dnscrypt), \
+ --enable-dnscrypt --with-libsodium="$(STAGING_DIR)/usr",) \
+ $(if $(CONFIG_PACKAGE_libunbound_ipset), \
+ --enable-ipset --with-libmnl="$(STAGING_DIR)/usr",) \
+ $(if $(CONFIG_PACKAGE_libunbound_libevent), \
+ --enable-event-api --with-libevent="$(STAGING_DIR)/usr",--without-libevent) \
+ $(if $(CONFIG_PACKAGE_libunbound_libpthread), \
+ --with-pthreads,--without-pthreads --without-solaris-threads) \
+ $(if $(CONFIG_PACKAGE_libunbound_python),--with-pythonmodule,) \
+ $(if $(CONFIG_PACKAGE_libunbound_subnet),--enable-subnet,) \
define Package/unbound-daemon/conffiles
/etc/config/unbound
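Review bot: The python switch in CONFIGURE_ARGS tests `CONFIG_PACKAGE_libunbound_python`, but the symbol declared in `Package/libunbound/config` and listed in `PKG_CONFIG_DEPENDS` is `PACKAGE_libunbound_pythonmodule`. As written, `--with-pythonmodule` is never passed, even though selecting the option still pulls in `python3-base` through DEPENDS. The line should read `$(if $(CONFIG_PACKAGE_libunbound_pythonmodule),--with-pythonmodule,) \`. The last added line (`--enable-subnet`) also ends in a continuation backslash; unless a blank line follows it in the file, the next line is joined into CONFIGURE_ARGS, so dropping that final backslash is safer.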
@@ -182,14 +179,12 @@ define Package/unbound-daemon/conffiles
/etc/unbound/unbound_srv.conf
endef
-Package/unbound-daemon-heavy/conffiles = $(Package/unbound-daemon/conffiles)
-
define Build/InstallDev
$(INSTALL_DIR) $(1)/usr/lib
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libunbound.{so*,a,la} $(1)/usr/lib/
$(INSTALL_DIR) $(1)/usr/include
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/include/unbound.h $(1)/usr/include/
-ifeq ($(BUILD_VARIANT),heavy)
+ifneq ($(CONFIG_PACKAGE_libunbound_libevent),)
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/include/unbound-event.h $(1)/usr/include/
endif
endef
@@ -221,15 +216,11 @@ define Package/unbound-daemon/install
$(INSTALL_DATA) ./files/unbound.sh $(1)/usr/lib/unbound/unbound.sh
endef
-Package/unbound-daemon-heavy/install = $(Package/unbound-daemon/install)
-
-define Package/libunbound-light/install
+define Package/libunbound/install
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libunbound.so.* $(1)/usr/lib/
endef
-Package/libunbound-heavy/install = $(Package/libunbound-light/install)
-
define Package/unbound-anchor/install
$(INSTALL_DIR) $(1)/usr/sbin
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/unbound-anchor $(1)/usr/sbin/
@@ -256,9 +247,7 @@ define Package/unbound-host/install
endef
$(eval $(call BuildPackage,unbound-daemon))
-$(eval $(call BuildPackage,unbound-daemon-heavy))
-$(eval $(call BuildPackage,libunbound-light))
-$(eval $(call BuildPackage,libunbound-heavy))
+$(eval $(call BuildPackage,libunbound))
$(eval $(call BuildPackage,unbound-anchor))
$(eval $(call BuildPackage,unbound-checkconf))
$(eval $(call BuildPackage,unbound-control))
diff --git a/net/unbound/files/README.md b/net/unbound/files/README.md
index ec06de5a0..ca9692e0b 100644
--- a/net/unbound/files/README.md
+++ b/net/unbound/files/README.md
@@ -190,6 +190,11 @@ config zone
list zone_name '.'
```
+## Optional Compile Switches
+Unbound can be changed by toggling switches within `make menuconfig` Libraries/Network/libunbound. Disable libevent, libpthread, and ipset to attempt to gain performance and size on small single core targets. These downgrade options are well tested, but they are not needed unless Unbound will not fit. Take care before enabling subnetcache, dnscrypt, and python options. These enhancements are not fully tested within OpenWrt and python is a large dependency. These enhancements are default off and they do not have UCI. You will need to use the files `/etc/unbound/unbound_srv.conf` and `/etc/unbound/unbound_ext.conf` to configure these modules. The `server:` clause line `module: subnetcache validator python iterator` will be filled out if the modules are compiled in.
+
+Note: if you use python, then you will need to manual configure and you cannot use chroot. The scripts are not yet enhanced enough to set up the directory binding.
+
## Complete List of UCI Options
**/etc/config/unbound**:
```
@@ -217,6 +222,11 @@ config unbound
Level. Same as previous option only this applies to the WAN. WAN are
inferred by a UCI `config dhcp` entry that contains the 'option ignore 1'.
+ option dns_assist 'none'
+ Program Name. Use DNS helpers found on local host and match to their UCI.
+ Only program 'ipset-dns' is supported so far. NSD and Bind might be useful
+ but they don't have UCI to parse.
+
option dns64 '0'
Boolean. Enable DNS64 through Unbound in order to bridge networks that are
IPV6 only and IPV4 only (see RFC6052).
diff --git a/net/unbound/files/defaults.sh b/net/unbound/files/defaults.sh
index c26511941..ffbd00336 100644
--- a/net/unbound/files/defaults.sh
+++ b/net/unbound/files/defaults.sh
@@ -26,6 +26,7 @@ UB_HOST_CONF=$UB_VARDIR/host.conf.tmp
UB_DHCP_CONF=$UB_VARDIR/dhcp.conf
UB_ZONE_CONF=$UB_VARDIR/zone.conf.tmp
UB_CTRL_CONF=$UB_VARDIR/ctrl.conf.tmp
+UB_ASSIST_CONF=$UB_VARDIR/assist.conf.tmp
UB_SRVMASQ_CONF=$UB_VARDIR/dnsmasq_srv.conf.tmp
UB_EXTMASQ_CONF=$UB_VARDIR/dnsmasq_ext.conf.tmp
UB_SRV_CONF=$UB_VARDIR/unbound_srv.conf
diff --git a/net/unbound/files/unbound.sh b/net/unbound/files/unbound.sh
index a57d81d4e..71bb2fd9f 100644
--- a/net/unbound/files/unbound.sh
+++ b/net/unbound/files/unbound.sh
@@ -41,6 +41,7 @@ UB_B_IF_AUTO=1
UB_D_CONTROL=0
UB_D_DOMAIN_TYPE=static
UB_D_DHCP_LINK=none
+UB_D_DNS_ASSIST=none
UB_D_EXTRA_DNS=0
UB_D_LAN_FQDN=0
UB_D_PRIV_BLCK=1
@@ -375,6 +376,37 @@ unbound_control() {
##############################################################################
+unbound_assistant() {
+ local port=53000
+
+ case "$UB_D_DNS_ASSIST" in
+ ipset-dns)
+ port=$( uci_get ipset-dns.@ipset-dns[0].port )
+
+ if [ ! -f "$UB_ASSIST_CONF" ] \
+ && [ $port -gt 0 ] && [ $port -lt 65535 ] ; then
+ {
+ echo "# $UB_ASSIST_CONF generated by UCI $( date -Is )"
+ echo "forward-zone:"
+ echo " name: ."
+ echo " forward-addr: 127.0.0.1@$port"
+ echo " forward-first: no"
+ } > $UB_ASSIST_CONF
+ fi
+ ;;
+
+ nsd)
+ echo "# Sorry, NSD does not have UCI to read and link." >> $UB_ASSIST_CONF
+ ;;
+
+ bind)
+ echo "# Sorry, Bind does not have UCI to read and link." >> $UB_ASSIST_CONF
+ ;;
+ esac
+}
+
+##############################################################################
+
unbound_zone() {
local cfg=$1
local servers_ip=""
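Review bot: In `unbound_assistant` the `local port=53000` default is overwritten as soon as `uci_get` returns nothing, and the unquoted `[ $port -gt 0 ]` then runs with an empty or non-numeric operand. The `[` test reports an error instead of skipping cleanly, and an unquoted UCI value is word-split before it reaches the test. Validate before comparing, e.g. `case "$port" in ''|*[!0-9]*) port=53000 ;; esac` (if falling back to the declared default is what is intended), and quote the operands: `[ "$port" -gt 0 ] && [ "$port" -lt 65535 ]`. The `> $UB_ASSIST_CONF` and `>> $UB_ASSIST_CONF` redirections should be quoted too. Note that `-lt 65535` rejects port 65535 itself, which deserves a comment if it is deliberate.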
@@ -547,7 +579,7 @@ unbound_zone() {
##############################################################################
unbound_conf() {
- local rt_mem rt_conn rt_buff modulestring domain ifsubnet
+ local rt_mem rt_conn rt_buff modulestring domain ifsubnet moduleopts
{
# server: for this whole function
@@ -629,6 +661,18 @@ unbound_conf() {
fi
+ if [ "$UB_B_IF_AUTO" -gt 0 ] ; then
+ echo " interface-automatic: yes" >> $UB_CORE_CONF
+ fi
+
+
+ case "$UB_D_DNS_ASSIST" in
+ bind|ipset-dns|nsd)
+ echo " do-not-query-localhost: no" >> $UB_CORE_CONF
+ ;;
+ esac
+
+
case "$UB_D_PROTOCOL" in
ip4_only)
{
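Review bot: The new `do-not-query-localhost: no` line has no comment, and it is written whenever `UB_D_DNS_ASSIST` names a helper, whether or not `unbound_assistant` later produces a forward-zone (its port check can fail, and the nsd and bind branches only write a comment). A why-comment would help the next maintainer, for example `# helper listens on 127.0.0.1; Unbound must be allowed to query localhost to forward to it`. Consider emitting the option only in the `ipset-dns` case until the other helpers are actually linked. `unbound_conf` starts and ends outside this hunk.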
@@ -721,11 +765,6 @@ unbound_conf() {
esac
- if [ "$UB_B_IF_AUTO" -gt 0 ] ; then
- echo " interface-automatic: yes" >> $UB_CORE_CONF
- fi
-
-
case "$UB_D_RESOURCE" in
# Tiny - Unbound's recommended cheap hardware config
tiny) rt_mem=1 ; rt_conn=2 ; rt_buff=1 ;;
@@ -768,9 +807,17 @@ unbound_conf() {
# Assembly of module-config: options is tricky; order matters
+ moduleopts="$( /usr/sbin/unbound -V )"
modulestring="iterator"
+ case $moduleopts in
+ *with-python*)
+ modulestring="python $modulestring"
+ ;;
+ esac
+
+
if [ "$UB_B_DNSSEC" -gt 0 ] ; then
if [ "$UB_B_NTP_BOOT" -gt 0 ] ; then
# DNSSEC chicken and egg with getting NTP time
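Review bot: `modulestring` gains `python` whenever `unbound -V` output contains `with-python`, and there is no UCI switch to leave the module out. The README added in this commit says python needs manual configuration and cannot run with chroot, so a build with the module compiled in but not yet configured would still get `module-config` naming python; confirm that Unbound starts in that state. The same applies to the `*enable-subnet*` match in the later hunk at `@@ -789,6 +836,13 @@`. A comment such as `# module list follows compile-time options reported by 'unbound -V'; python/subnetcache still need unbound_srv.conf settings` would document the coupling, and handling an empty `moduleopts` (the binary failing to run) explicitly would make the fallback visible.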
@@ -789,6 +836,13 @@ unbound_conf() {
fi
+ case $moduleopts in
+ *enable-subnet*)
+ modulestring="subnetcache $modulestring"
+ ;;
+ esac
+
+
if [ "$UB_B_DNS64" -gt 0 ] ; then
echo " dns64-prefix: $UB_IP_DNS64" >> $UB_CORE_CONF
@@ -1226,6 +1280,7 @@ unbound_uci() {
config_get UB_D_CONTROL "$cfg" unbound_control 0
config_get UB_D_DOMAIN_TYPE "$cfg" domain_type static
config_get UB_D_DHCP_LINK "$cfg" dhcp_link none
+ config_get UB_D_DNS_ASSIST "$cfg" dns_assist none
config_get UB_D_EXTRA_DNS "$cfg" add_extra_dns 0
config_get UB_D_LAN_FQDN "$cfg" add_local_fqdn 0
config_get UB_D_PRIV_BLCK "$cfg" rebind_protection 1
@@ -1256,6 +1311,16 @@ unbound_uci() {
fi
+ if [ "$UB_D_DNS_ASSIST" = "none" ] ; then
+ UB_D_DNS_ASSIST=none
+
+ elif [ ! -x /usr/sbin/bind ] || [ ! -x /etc/init.d/bind ] \
+ || [ ! -x /usr/sbin/nsd ] || [ ! -x /etc/init.d/nsd ] \
+ || [ ! -x /usr/sbin/ipset-dns ] || [ ! -x /etc/init.d/ipset-dns ] ; then
+ UB_D_DNS_ASSIST=none
+ fi
+
+
if [ "$UB_D_DHCP_LINK" = "dnsmasq" ] ; then
if [ ! -x /usr/sbin/dnsmasq ] || [ ! -x /etc/init.d/dnsmasq ] ; then
UB_D_DHCP_LINK=none
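Review bot: The `elif` chain joins the checks for bind, nsd and ipset-dns with `||`, so `UB_D_DNS_ASSIST` is reset to `none` unless all three helpers are installed with their init scripts. Selecting `ipset-dns` on a system that has only ipset-dns therefore never takes effect. The check should test only the helper that was selected, and values outside the supported set should fall back to `none` rather than pass through. The first branch (`= "none"` then assign `none`) is a no-op and can be dropped. The paths in the fence are the ones the hunk already uses. `unbound_uci` continues outside this hunk.

```shell
  case "$UB_D_DNS_ASSIST" in
    bind|ipset-dns|nsd)
      # keep the helper only when its own binary and init script are present
      if [ ! -x "/usr/sbin/$UB_D_DNS_ASSIST" ] \
      || [ ! -x "/etc/init.d/$UB_D_DNS_ASSIST" ] ; then
        UB_D_DNS_ASSIST=none
      fi
      ;;

    *)
      UB_D_DNS_ASSIST=none
      ;;
  esac
```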
@@ -1391,6 +1456,13 @@ unbound_include() {
fi
+ if [ -f "$UB_ASSIST_CONF" ] ; then
+ # UCI found link to DNS helpers
+ cat $UB_ASSIST_CONF >> $UB_TOTAL_CONF
+ rm $UB_ASSIST_CONF
+ fi
+
+
if [ -f "$UB_EXT_CONF" ] ; then
{
# Pull your own extend feature clauses here
@@ -1453,6 +1525,8 @@ unbound_start() {
unbound_hostname
# control:
unbound_control
+ # assistants
+ unbound_assistant
# dnsmasq
dnsmasq_link
# merge