diff -up libreswan-3.27/lib/libswan/unbound.c.orig libreswan-3.27/lib/libswan/unbound.c
--- libreswan-3.27/lib/libswan/unbound.c.orig 2019-01-24 16:28:27.191695613 +0100
+++ libreswan-3.27/lib/libswan/unbound.c 2019-02-01 12:16:36.029309870 +0100
@@ -95,6 +95,25 @@ static void unbound_ctx_config(bool do_d
DBG(DBG_DNS, DBG_log("/etc/resolv.conf usage activated"));
}
+ /* Set a limit on outgoing ports, some ports are prohibited by SELinux policy */
+ errno = 0;
+ ugh = ub_ctx_set_option(dns_ctx, "outgoing-port-avoid:", "0-65535");
+ if (ugh != 0) {
+ loglog(RC_LOG_SERIOUS, "error setting outgoing-port-avoid: %s: %s",
+ ub_strerror(ugh), strerror(errno));
+ } else {
+ DBG(DBG_DNS, DBG_log("outgoing-port-avoid set 0-65535"));
+ }
+
+ errno = 0;
+ ugh = ub_ctx_set_option(dns_ctx, "outgoing-port-permit:", "32768-60999");
+ if (ugh != 0) {
+ loglog(RC_LOG_SERIOUS, "error setting outgoing-port-permit: %s: %s",
+ ub_strerror(ugh), strerror(errno));
+ } else {
+ DBG(DBG_DNS, DBG_log("outgoing-port-permit set 32768-60999"));
+ }
+
if (!do_dnssec) {
/* No DNSSEC - nothing more to configure */
DBG(DBG_DNS, DBG_log("dnssec validation disabled by configuration"));
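Review bot: The `strerror(errno)` appended to both RC_LOG_SERIOUS messages is misleading: ub_ctx_set_option reports failure through its return value (decoded by ub_strerror) and, as far as I can tell, never sets errno, so the `errno = 0` resets and the second `%s` print whatever errno happened to hold; simplify to `loglog(RC_LOG_SERIOUS, "error setting outgoing-port-avoid: %s", ub_strerror(ugh));` and the same for outgoing-port-permit. The permit range also deserves a why-comment, because it shrinks unbound's source-port randomisation pool from 65536 to 28232 ports, which matters most on the `!do_dnssec` path where port entropy is the main defence against cache poisoning: `/* Kernel default ephemeral range (net.ipv4.ip_local_port_range); narrower than 0-65535, so source-port entropy drops by ~1 bit */`. The range is hard-coded rather than read from that sysctl, so a host tuned to a different ephemeral range may still see SELinux denials or use ports the policy forbids. unbound_ctx_config begins before and continues after this hunk.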