Blame SOURCES/libreswan-3.27-outgoing-ports-1668342.patch
|
 |
89d32f |
diff -up libreswan-3.27/lib/libswan/unbound.c.orig libreswan-3.27/lib/libswan/unbound.c
|
|
|
89d32f |
--- libreswan-3.27/lib/libswan/unbound.c.orig 2019-01-24 16:28:27.191695613 +0100
|
|
|
89d32f |
+++ libreswan-3.27/lib/libswan/unbound.c 2019-02-01 12:16:36.029309870 +0100
|
|
|
89d32f |
@@ -95,6 +95,25 @@ static void unbound_ctx_config(bool do_d
|
|
|
89d32f |
DBG(DBG_DNS, DBG_log("/etc/resolv.conf usage activated"));
|
|
|
89d32f |
}
|
|
|
89d32f |
|
|
|
89d32f |
+ /* Set a limit on outgoing ports, some ports are prohibited by SELinux policy */
|
|
|
89d32f |
+ errno = 0;
|
|
|
89d32f |
+ ugh = ub_ctx_set_option(dns_ctx, "outgoing-port-avoid:", "0-65535");
|
|
|
89d32f |
+ if (ugh != 0) {
|
|
|
89d32f |
+ loglog(RC_LOG_SERIOUS, "error setting outgoing-port-avoid: %s: %s",
|
|
|
89d32f |
+ ub_strerror(ugh), strerror(errno));
|
|
|
89d32f |
+ } else {
|
|
|
89d32f |
+ DBG(DBG_DNS, DBG_log("outgoing-port-avoid set 0-65535"));
|
|
|
89d32f |
+ }
|
|
|
89d32f |
+
|
|
|
89d32f |
+ errno = 0;
|
|
|
89d32f |
+ ugh = ub_ctx_set_option(dns_ctx, "outgoing-port-permit:", "32768-60999");
|
|
|
89d32f |
+ if (ugh != 0) {
|
|
|
89d32f |
+ loglog(RC_LOG_SERIOUS, "error setting outgoing-port-permit: %s: %s",
|
|
|
89d32f |
+ ub_strerror(ugh), strerror(errno));
|
|
|
89d32f |
+ } else {
|
|
|
89d32f |
+ DBG(DBG_DNS, DBG_log("outgoing-port-permit set 32768-60999"));
|
|
|
89d32f |
+ }
|
|
|
89d32f |
+
|
|
|
89d32f |
if (!do_dnssec) {
|
|
|
89d32f |
/* No DNSSEC - nothing more to configure */
|
|
|
89d32f |
DBG(DBG_DNS, DBG_log("dnssec validation disabled by configuration"));
|