diff -up libreswan-3.27/lib/libswan/unbound.c.orig libreswan-3.27/lib/libswan/unbound.c
--- libreswan-3.27/lib/libswan/unbound.c.orig	2019-01-24 16:28:27.191695613 +0100
+++ libreswan-3.27/lib/libswan/unbound.c	2019-02-01 12:16:36.029309870 +0100
@@ -95,6 +95,25 @@ static void unbound_ctx_config(bool do_d
 		DBG(DBG_DNS, DBG_log("/etc/resolv.conf usage activated"));
 	}
 
+	/* Set a limit on outgoing ports, some ports are prohibited by SELinux policy */
+	errno = 0;
+    ugh = ub_ctx_set_option(dns_ctx, "outgoing-port-avoid:", "0-65535");
+	if (ugh != 0) {
+		loglog(RC_LOG_SERIOUS, "error setting outgoing-port-avoid: %s: %s",
+			ub_strerror(ugh), strerror(errno));
+	} else {
+		DBG(DBG_DNS, DBG_log("outgoing-port-avoid set 0-65535"));
+	}
+
+	errno = 0;
+    ugh = ub_ctx_set_option(dns_ctx, "outgoing-port-permit:", "32768-60999");
+		if (ugh != 0) {
+		loglog(RC_LOG_SERIOUS, "error setting outgoing-port-permit: %s: %s",
+			ub_strerror(ugh), strerror(errno));
+	} else {
+		DBG(DBG_DNS, DBG_log("outgoing-port-permit set 32768-60999"));
+	}
+
 	if (!do_dnssec) {
 		/* No DNSSEC - nothing more to configure */
 		DBG(DBG_DNS, DBG_log("dnssec validation disabled by configuration"));
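Review bot: The two `ugh = ub_ctx_set_option(...)` lines are indented with spaces while the rest of the file uses tabs, and the second `if (ugh != 0) {` carries one tab too many, so the new block does not read as one consistent unit; they should become `	ugh = ub_ctx_set_option(dns_ctx, "outgoing-port-avoid:", "0-65535");`, `	ugh = ub_ctx_set_option(dns_ctx, "outgoing-port-permit:", "32768-60999");` and `	if (ugh != 0) {`. The leading comment explains the SELinux motivation but not the cost: permitting only 32768-60999 leaves roughly 28K source ports instead of ~64K, which presumably trims the source-port randomisation unbound relies on against response spoofing, so I would extend the comment to `/* Set a limit on outgoing ports, some ports are prohibited by SELinux policy. Narrowing the range reduces source-port randomisation; keep it as wide as the policy allows. */`. The `strerror(errno)` in both `loglog` calls may print a stale or unrelated value, since nothing here shows that `ub_ctx_set_option` sets `errno`; if that is the case, logging only `ub_strerror(ugh)` would be less misleading. unbound_ctx_config begins before and continues after this hunk.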