Bug #15071
closed
Applying interface changes may not update default ACLs for the DNS Resolver
Added by George Phillips 5 months ago.
Updated 3 months ago.
Plus Target Version:
24.03
Affected Architecture:
All
Description
To reproduce:
1. Base install of pfSense Plus 23.09 with 1 LAN and 1 WAN
2. Activate an OPT interface and give it an IP/mask (in our case, 172.17.2.1/24)
3. cat /var/unbound/access_lists.conf
4. Notice that the network 172.17.2.0/24 is not present.
Attempted to restart unbound, but that did not fix it.
Manually adding the network to access-list via GUI creates the entry in access_lists.conf
After removing the access-list entry via GUI, the network entry remains in access_lists.conf
Files
- Target version set to 24.03
- Affected Architecture All added
Resaving the Unbound config in the gui correctly creates the ACL file with the new subnet.
It appears to not be triggered as expected by the addition of the new subnet.
Steve Wheeler wrote in #note-1:
Resaving the Unbound config in the gui correctly creates the ACL file with the new subnet.
It appears to not be triggered as expected by the addition of the new subnet.
IIRC that's been the case for a while. There were similar behaviors noted in other areas like OpenVPN (#12991). Though if it worked in the past, it's also possible interface behavior regressed more recently as a consequence of other changes (e.g. DHCP registration changes due to Kea integration).
- Project changed from pfSense Plus to pfSense
- Subject changed from New interfaces are not added to default ACL in Unbound to Applying interface changes may not update unbound's default ACL
- Category changed from DNS Resolver to DNS Resolver
- Assignee set to Marcos M
- Target version changed from 24.03 to 2.8.0
- Affected Plus Version deleted (
23.09)
- Plus Target Version set to 24.03
- Status changed from New to Feedback
Fixed in fbc8d7d04dc5f7cbec65381b81dc5f4eed06a714.
- % Done changed from 0 to 100
- Status changed from Feedback to Resolved
Tested the patch on 23.09.
The patch fixes all reported misbehavior.
I am marking this ticket reslvoed.
Tested the patch on
23.09.1-RELEASE (arm64)
built on Wed Dec 6 23:22:00 MSK 2023
FreeBSD 14.0-CURRENT
Saving the Interface now triggers the ACL to rewrite,
- Has duplicate Bug #14631: ACL on DNS Resolver is not updated list after IPs changed on interfaces added
- Subject changed from Applying interface changes may not update unbound's default ACL to Applying interface changes may not update default ACLs for the DNS Resolver
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by 
Updated by 
Updated by 