Regression #13767
Refuse Nonlocal action in DNS Resolver access list breaks configuration file
Status: Closed (100% done)
Description
2.7.0-DEVELOPMENT (amd64)
built on Fri Dec 16 06:05:53 UTC 2022
FreeBSD 14.0-CURRENT
After upgrading to the latest 2.7.0-DEVELOPMENT, the DNS Resolver fails to start if there exists at least one access list with a "Refuse Nonlocal" action. The service reports that the "nonlocal" keyword in the configuration is not known. When modifying an existing or creating a new access list with this action, the error is also displayed on the web GUI.
Repro:
1. In the Web GUI, navigate to Services > DNS Resolver > Access Lists
2. Set the Action to "Refuse Nonlocal" on an existing or new access list
3. Press the Save button, then press Apply Changes
4. Navigate to the General Settings tab, press the Save button, then press Apply Changes
Actual result:
- An error is displayed on the Web GUI about unbound failing to parse the configuration file, because "nonlocal" is not a known keyword
- The unbound service fails to restart
Expected result:
- The configuration is saved without errors, and unbound restarts successfully
Workaround:
- Set the action to Allow, Deny, Refuse, or Allow Snoop, so that the "nonlocal" keyword is not added to the configuration
Updated by Gerke Max Preussner almost 2 years ago
Full error message:
* The generated config file cannot be parsed by unbound. Please correct the following errors:
* /var/unbound/test/access_lists.conf:19: error: unknown keyword 'nonlocal'
* read /var/unbound/test/unbound.conf failed: 1 errors in configuration file
Updated by Gerke Max Preussner almost 2 years ago
In `/var/unbound/access_lists.conf`, the access list entry that is generated reads as follows:
access-control: 1.2.3.4/24 refuse nonlocal
Reading the latest unbound documentation, I believe that it should be:
access-control: 1.2.3.4/24 refuse_non_local
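The mismatch above is between the label a GUI shows ("Refuse Nonlocal") and the single keyword unbound actually parses (`refuse_non_local`). The following is an added example, not pfSense's or unbound's own code: it keeps the GUI-label-to-keyword mapping in one table, generates the `access-control:` line from it, and lints a generated `access_lists.conf` for action keywords unbound does not know, so a bad line is caught before the daemon is restarted. The GUI labels are taken from this thread; the accepted keyword set is the one documented in unbound.conf(5) for the `access-control:` option, and newer unbound releases may accept additional actions not listed here.

```python
"""Generate and lint unbound access-control lines (added example)."""
import ipaddress
import re

# Action keywords accepted by unbound's access-control: option, per
# unbound.conf(5). Extend this set if your unbound version adds actions.
UNBOUND_ACTIONS = {
    "allow", "allow_snoop", "allow_setrd", "deny", "refuse",
    "deny_non_local", "refuse_non_local",
}

# GUI label (as shown in the DNS Resolver access list form) -> unbound keyword.
# The regression in this thread emitted the two-word form "refuse nonlocal"
# instead of the single keyword "refuse_non_local".
GUI_TO_UNBOUND = {
    "Allow": "allow",
    "Allow Snoop": "allow_snoop",
    "Deny": "deny",
    "Refuse": "refuse",
    "Deny Nonlocal": "deny_non_local",
    "Refuse Nonlocal": "refuse_non_local",
}


def access_control_line(network: str, gui_action: str) -> str:
    """Build one access-control: line; raises on a bad network or unknown action."""
    # strict=False accepts host bits in the netblock (e.g. 1.2.3.4/24)
    ipaddress.ip_network(network, strict=False)
    try:
        action = GUI_TO_UNBOUND[gui_action]
    except KeyError:
        raise ValueError(f"unknown access list action {gui_action!r}") from None
    return f"access-control: {network} {action}"


_LINE_RE = re.compile(r"^\s*access-control:\s+(\S+)\s+(.*?)\s*$")


def lint_access_lists(conf_text: str) -> list[tuple[int, str]]:
    """Return (line number, message) for every access-control line unbound would reject."""
    problems = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # drop comments
        if not line.strip():
            continue
        m = _LINE_RE.match(line)
        if not m:
            problems.append((lineno, f"not an access-control line: {raw.strip()}"))
            continue
        netblock, action = m.groups()
        try:
            ipaddress.ip_network(netblock, strict=False)
        except ValueError:
            problems.append((lineno, f"bad netblock {netblock!r}"))
        if action not in UNBOUND_ACTIONS:
            # This is the case from the bug report: "refuse nonlocal" is two
            # tokens, and "nonlocal" is not a keyword unbound knows.
            problems.append((lineno, f"unknown keyword {action!r}"))
    return problems


# Constructed sample of a generated access_lists.conf, containing the
# broken line quoted in this thread alongside valid entries.
SAMPLE_CONF = """\
# constructed sample access_lists.conf
access-control: 127.0.0.1/32 allow_snoop
access-control: 10.0.0.0/8 allow
access-control: 1.2.3.4/24 refuse nonlocal
access-control: 192.0.2.0/24 refuse_non_local
"""

if __name__ == "__main__":
    print(access_control_line("1.2.3.4/24", "Refuse Nonlocal"))
    for lineno, msg in lint_access_lists(SAMPLE_CONF):
        print(f"access_lists.conf:{lineno}: {msg}")
```

Running the linter over the generated file is a cheap guard to put in front of the service restart; it flags only the malformed line, the same one unbound itself rejects, so the daemon is never left stopped because of a config it cannot parse.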
Updated by Kris Phillips almost 2 years ago
I can confirm this behavior on pfSense Plus 23.01 as well. Service fails to start when "Refuse Nonlocal" is chosen in an ACL. It also appears that the deny non-local option has a similar effect.
Updated by Jim Pingle almost 2 years ago
- Assignee set to Jim Pingle
- Target version set to 2.7.0
- Plus Target Version set to 23.01
Updated by Jim Pingle almost 2 years ago
Looks like when this code was changed for PHP 8.1 it was changed in a way that didn't match the original intent of what was being done here. I restructured the code to both fix it and make it more clear. Commit coming shortly.
Updated by Jim Pingle almost 2 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset ce2fe0583fda6b38f70c78892d63945b40145867.
Updated by Jim Pingle almost 2 years ago
- Status changed from Feedback to Resolved
All three affected actions now work properly (allow snoop, deny nonlocal, refuse nonlocal). The config is correct and the daemon is running, no errors.
Updated by Jim Pingle almost 2 years ago
- Tracker changed from Bug to Regression
- Release Notes changed from Default to Force Exclusion