Project

General

Profile

Actions
Copy link

Bug #15071

closed

Applying interface changes may not update default ACLs for the DNS Resolver

Added by George Phillips 5 months ago. Updated 3 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Marcos M
Category:
DNS Resolver
Target version:
2.8.0
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
24.03
Release Notes:
Default
Affected Version:
Affected Architecture:
All

Description

To reproduce:

1. Base install of pfSense Plus 23.09 with 1 LAN and 1 WAN
2. Activate an OPT interface and give it an IP/mask (in our case, 172.17.2.1/24)
3. cat /var/unbound/access_lists.conf
4. Notice that the network 172.17.2.0/24 is not present.

Attempted to restart unbound, but that did not fix it.

Manually adding the network to access-list via GUI creates the entry in access_lists.conf

After removing the access-list entry via GUI, the network entry remains in access_lists.conf

Files

Download all files
Screenshot 2023-12-06 at 12.09.13 PM.png (133 KB) Screenshot 2023-12-06 at 12.09.13 PM.png George Phillips, 12/06/2023 05:09 PM
clipboard-202312091440-orqxk.png (15 KB) clipboard-202312091440-orqxk.png Lev Prokofev, 12/09/2023 07:40 AM

Related issues

Has duplicate Bug #14631: ACL on DNS Resolver is not updated list after IPs changed on interfacesDuplicate

Actions
Actions
Copy link
 #1

Updated by Steve Wheeler 5 months ago

  • Target version set to 24.03
  • Affected Architecture All added

Resaving the Unbound config in the gui correctly creates the ACL file with the new subnet.

It appears to not be triggered as expected by the addition of the new subnet.

Actions
Copy link
 #2

Updated by Jim Pingle 5 months ago

Steve Wheeler wrote in #note-1:

Resaving the Unbound config in the gui correctly creates the ACL file with the new subnet.

It appears to not be triggered as expected by the addition of the new subnet.

IIRC that's been the case for a while. There were similar behaviors noted in other areas like OpenVPN (#12991). Though if it worked in the past, it's also possible interface behavior regressed more recently as a consequence of other changes (e.g. DHCP registration changes due to Kea integration).

Actions
Copy link
 #3

Updated by Marcos M 5 months ago

  • Project changed from pfSense Plus to pfSense
  • Subject changed from New interfaces are not added to default ACL in Unbound to Applying interface changes may not update unbound's default ACL
  • Category changed from DNS Resolver to DNS Resolver
  • Assignee set to Marcos M
  • Target version changed from 24.03 to 2.8.0
  • Affected Plus Version deleted (23.09)
  • Plus Target Version set to 24.03
Actions
Copy link
 #4

Updated by Marcos M 5 months ago

  • Status changed from New to Feedback

Fixed in fbc8d7d04dc5f7cbec65381b81dc5f4eed06a714.

Actions
Copy link
 #5

Updated by Marcos M 5 months ago

  • % Done changed from 0 to 100
Actions
Copy link
 #6

Updated by Danilo Zrenjanin 5 months ago

  • Status changed from Feedback to Resolved

Tested the patch on 23.09.

The patch fixes all reported misbehavior.

I am marking this ticket reslvoed.

Actions
Copy link
 #7

Updated by Lev Prokofev 5 months ago

Tested the patch on

23.09.1-RELEASE (arm64)
built on Wed Dec 6 23:22:00 MSK 2023
FreeBSD 14.0-CURRENT

Saving the Interface now triggers the ACL to rewrite,

Actions
Copy link
 #8

Updated by Marcos M 4 months ago

  • Has duplicate Bug #14631: ACL on DNS Resolver is not updated list after IPs changed on interfaces added
Actions
Copy link
 #9

Updated by Jim Pingle 3 months ago

  • Subject changed from Applying interface changes may not update unbound's default ACL to Applying interface changes may not update default ACLs for the DNS Resolver
Actions
Copy link

Also available in: Atom PDF