Project

General

Profile

Actions

Bug #15071

closed

Applying interface changes may not update default ACLs for the DNS Resolver

Added by George Phillips 12 months ago. Updated 10 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
DNS Resolver
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
24.03
Release Notes:
Default
Affected Version:
Affected Architecture:
All

Description

To reproduce:

1. Base install of pfSense Plus 23.09 with 1 LAN and 1 WAN
2. Activate an OPT interface and give it an IP/mask (in our case, 172.17.2.1/24)
3. cat /var/unbound/access_lists.conf
4. Notice that the network 172.17.2.0/24 is not present.

Attempted to restart unbound, but that did not fix it.

Manually adding the network to access-list via GUI creates the entry in access_lists.conf

After removing the access-list entry via GUI, the network entry remains in access_lists.conf


Files


Related issues

Has duplicate Bug #14631: ACL on DNS Resolver is not updated list after IPs changed on interfacesDuplicate

Actions
Actions #1

Updated by Steve Wheeler 12 months ago

  • Target version set to 24.03
  • Affected Architecture All added

Resaving the Unbound config in the gui correctly creates the ACL file with the new subnet.

It appears to not be triggered as expected by the addition of the new subnet.

Actions #2

Updated by Jim Pingle 12 months ago

Steve Wheeler wrote in #note-1:

Resaving the Unbound config in the gui correctly creates the ACL file with the new subnet.

It appears to not be triggered as expected by the addition of the new subnet.

IIRC that's been the case for a while. There were similar behaviors noted in other areas like OpenVPN (#12991). Though if it worked in the past, it's also possible interface behavior regressed more recently as a consequence of other changes (e.g. DHCP registration changes due to Kea integration).

Actions #3

Updated by Marcos M 12 months ago

  • Project changed from pfSense Plus to pfSense
  • Subject changed from New interfaces are not added to default ACL in Unbound to Applying interface changes may not update unbound's default ACL
  • Category changed from DNS Resolver to DNS Resolver
  • Assignee set to Marcos M
  • Target version changed from 24.03 to 2.8.0
  • Affected Plus Version deleted (23.09)
  • Plus Target Version set to 24.03
Actions #4

Updated by Marcos M 12 months ago

  • Status changed from New to Feedback

Fixed in fbc8d7d04dc5f7cbec65381b81dc5f4eed06a714.

Actions #5

Updated by Marcos M 12 months ago

  • % Done changed from 0 to 100
Actions #6

Updated by Danilo Zrenjanin 12 months ago

  • Status changed from Feedback to Resolved

Tested the patch on 23.09.

The patch fixes all reported misbehavior.

I am marking this ticket reslvoed.

Actions #7

Updated by Lev Prokofev 12 months ago

Tested the patch on

23.09.1-RELEASE (arm64)
built on Wed Dec 6 23:22:00 MSK 2023
FreeBSD 14.0-CURRENT

Saving the Interface now triggers the ACL to rewrite,

Actions #8

Updated by Marcos M 11 months ago

  • Has duplicate Bug #14631: ACL on DNS Resolver is not updated list after IPs changed on interfaces added
Actions #9

Updated by Jim Pingle 10 months ago

  • Subject changed from Applying interface changes may not update unbound's default ACL to Applying interface changes may not update default ACLs for the DNS Resolver
Actions

Also available in: Atom PDF