Regression #13767

Refuse Nonlocal action in DNS Resolver access list breaks configuration file

Added by Gerke Max Preussner almost 2 years ago. Updated almost 2 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: DNS Resolver
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 23.01
Release Notes: Force Exclusion
Affected Version: 2.7.0
Affected Architecture: amd64

Description

2.7.0-DEVELOPMENT (amd64)
built on Fri Dec 16 06:05:53 UTC 2022
FreeBSD 14.0-CURRENT

After upgrading to the latest 2.7.0-DEVELOPMENT, the DNS Resolver fails to start if there exists at least one access list with a "Refuse Nonlocal" action. The service reports that the "nonlocal" keyword in the configuration is not known. When modifying an existing or creating a new access list with this action, the error is also displayed on the web GUI.

Repro:
1. In the Web GUI, navigate to Services > DNS Resolver > Access Lists
2. Set the Action to "Refuse Nonlocal" on an existing or new access list
3. Press the Save button, then press Apply Changes
4. Navigate to the General Settings tab, press the Save button, then press Apply Changes

Observed Behavior:
  • An error is displayed on the Web GUI about unbound failing to parse the configuration file, because "nonlocal" is not a known keyword
  • The unbound service fails to restart
Expected Behavior:
  • The configuration is saved without errors, and unbound restarts successfully
Workaround:
  • Set the action to Allow, Deny, Refuse, or Allow Snoop, so that the "nonlocal" keyword is not added to the configuration
Actions #1

Updated by Gerke Max Preussner almost 2 years ago

Full error message:

* The generated config file cannot be parsed by unbound. Please correct the following errors:
* /var/unbound/test/access_lists.conf:19: error: unknown keyword 'nonlocal'
* read /var/unbound/test/unbound.conf failed: 1 errors in configuration file
Actions #2

Updated by Gerke Max Preussner almost 2 years ago

In `/var/unbound/access_lists.conf`, the access list entry that is generated reads as follows:

access-control: 1.2.3.4/24 refuse nonlocal

Reading the latest unbound documentation, I believe that it should be:

access-control: 1.2.3.4/24 refuse_non_local

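The two configuration lines above are the whole bug: unbound's `access-control:` directive takes exactly one action keyword, and the multi-word actions are spelled `allow_snoop`, `deny_non_local` and `refuse_non_local` (plus `allow_setrd`); a stray second token such as `nonlocal` is lexed as the start of a new directive, hence the "unknown keyword" error. The following is an added example, not pfSense code and not the fix Jim Pingle committed: it maps GUI action values to the unbound keywords, reproduces the observed broken output for comparison, and lints generated lines the way `unbound-checkconf` would report them. The GUI-side action names (`refuse_nonlocal` etc.) are an assumption about pfSense's internal values, and the checker is a simplified model of unbound's parser.

```python
import ipaddress

# Actions unbound's access-control: directive accepts, per unbound.conf(5).
UNBOUND_ACL_ACTIONS = frozenset({
    "deny", "refuse", "allow", "allow_setrd", "allow_snoop",
    "deny_non_local", "refuse_non_local",
})

# GUI action value -> unbound keyword. The left-hand names are an assumption
# (hypothetical internal values); pfSense's real ones may differ.
ACTION_TO_KEYWORD = {
    "allow": "allow",
    "deny": "deny",
    "refuse": "refuse",
    "allow_snoop": "allow_snoop",
    "deny_nonlocal": "deny_non_local",
    "refuse_nonlocal": "refuse_non_local",
}


def render_acl_line(network, action):
    """Return one access-control: line, or raise on a bad network/action."""
    ipaddress.ip_network(network, strict=False)   # reject garbage, allow host bits
    try:
        keyword = ACTION_TO_KEYWORD[action]
    except KeyError:
        raise ValueError(f"unknown access list action {action!r}") from None
    return f"access-control: {network} {keyword}"


def render_broken_acl_line(network, action):
    """Reconstruction of the output the ticket observed (not pfSense's code):
    the multi-word action is written with a space, so unbound sees 'refuse'
    followed by a stray token."""
    return f"access-control: {network} {action.replace('_', ' ')}"


def check_access_lists(text, filename="access_lists.conf"):
    """Lint access-control: lines in the style of unbound-checkconf output.
    Returns a list of 'file:line: error: ...' strings; empty means clean."""
    errors = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()       # unbound.conf uses # comments
        if not line:
            continue
        tokens = line.split()
        if tokens[0] != "access-control:":
            errors.append(f"{filename}:{lineno}: error: unknown keyword '{tokens[0]}'")
            continue
        if len(tokens) < 3:
            errors.append(f"{filename}:{lineno}: error: access-control needs a network and an action")
            continue
        network, action, extra = tokens[1], tokens[2], tokens[3:]
        try:
            ipaddress.ip_network(network, strict=False)
        except ValueError:
            errors.append(f"{filename}:{lineno}: error: bad network '{network}'")
        if action not in UNBOUND_ACL_ACTIONS:
            errors.append(f"{filename}:{lineno}: error: unknown access-control action '{action}'")
        # A trailing token is where unbound expects the next directive, which is
        # exactly the "unknown keyword 'nonlocal'" message quoted in the ticket.
        for tok in extra:
            errors.append(f"{filename}:{lineno}: error: unknown keyword '{tok}'")
    return errors


if __name__ == "__main__":
    # Constructed sample: the entry from the ticket, rendered both ways.
    for line in (render_acl_line("1.2.3.4/24", "refuse_nonlocal"),
                 render_broken_acl_line("1.2.3.4/24", "refuse_nonlocal")):
        print(line)
        print("  ->", check_access_lists(line) or "ok")
```

On a real box the authoritative check is still `unbound-checkconf` against the generated `unbound.conf`, which is what the GUI ran to produce the error in #1; the linter above only lets you test the generator without a running resolver.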
Actions #3

Updated by Kris Phillips almost 2 years ago

I can confirm this behavior on pfSense Plus 23.01 as well. Service fails to start when "Refuse Nonlocal" is chosen in an ACL. It also appears that the deny non-local option has a similar effect.

Actions #4

Updated by Jim Pingle almost 2 years ago

  • Assignee set to Jim Pingle
  • Target version set to 2.7.0
  • Plus Target Version set to 23.01
Actions #5

Updated by Jim Pingle almost 2 years ago

Looks like when this code was changed for PHP 8.1 it was changed in a way that didn't match the original intent of what was being done here. I restructured the code to both fix it and make it more clear. Commit coming shortly.

Actions #6

Updated by Jim Pingle almost 2 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #7

Updated by Jim Pingle almost 2 years ago

  • Status changed from Feedback to Resolved

All three affected actions now work properly (allow snoop, deny nonlocal, refuse nonlocal). The config is correct and the daemon is running, no errors.

Actions #8

Updated by Jim Pingle almost 2 years ago

  • Tracker changed from Bug to Regression
  • Release Notes changed from Default to Force Exclusion