From afb03e5f7fbe77e01d2e9ce19a3b6f40b08c674783582e4ff8a0211a629eb22f Mon Sep 17 00:00:00 2001 From: Jorik Cronenberg Date: Tue, 5 Mar 2024 15:13:11 +0000 Subject: [PATCH] Accepting request 1144618 from home:seife:branches:server:dns disable outgoing-port-permit and outgoing-port-avoid in config file to suppress the related unbound-checkconf warnings on every start OBS-URL: https://build.opensuse.org/request/show/1144618 OBS-URL: https://build.opensuse.org/package/show/server:dns/unbound?expand=0&rev=172 --- libunbound-devel-mini.changes | 7 +++++++ unbound.changes | 7 +++++++ unbound.conf | 13 ------------- unbound.spec | 1 + 4 files changed, 15 insertions(+), 13 deletions(-) diff --git a/libunbound-devel-mini.changes b/libunbound-devel-mini.changes index 1a74815..96d4415 100644 --- a/libunbound-devel-mini.changes +++ b/libunbound-devel-mini.changes @@ -7,6 +7,13 @@ Wed Feb 28 13:35:31 UTC 2024 - Pedro Monreal exploited to exhaust CPU resources and stall DNS resolvers. - Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU. +------------------------------------------------------------------- +Tue Feb 6 13:27:06 UTC 2024 - Stefan Seyfried + +- as we use --disable-explicit-port-randomisation, also disable + outgoing-port-permit and outgoing-port-avoid in config file to + suppress the related unbound-checkconf warnings on every start + ------------------------------------------------------------------- Fri Nov 17 09:50:18 UTC 2023 - Pedro Monreal diff --git a/unbound.changes b/unbound.changes index ca1e363..cb3459b 100644 --- a/unbound.changes +++ b/unbound.changes 
@@ -7,6 +7,13 @@ Wed Feb 28 13:35:31 UTC 2024 - Pedro Monreal exploited to exhaust CPU resources and stall DNS resolvers. - Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU. +------------------------------------------------------------------- +Tue Feb 6 13:27:06 UTC 2024 - Stefan Seyfried + +- as we use --disable-explicit-port-randomisation, also disable + outgoing-port-permit and outgoing-port-avoid in config file to + suppress the related unbound-checkconf warnings on every start + ------------------------------------------------------------------- Tue Jan 23 09:32:21 UTC 2024 - Jakob Lorenz diff --git a/unbound.conf b/unbound.conf index 89e3829..1579a1c 100644 --- a/unbound.conf +++ b/unbound.conf @@ -70,19 +70,6 @@ server: # port range that can be open simultaneously. # outgoing-range: 4096 - # permit unbound to use this port number or port range for - # making outgoing queries, using an outgoing interface. - # Only ephemeral ports are allowed by SElinux - outgoing-port-permit: 32768-65535 - - # deny unbound the use this of port number or port range for - # making outgoing queries, using an outgoing interface. - # Use this to make sure unbound does not grab a UDP port that some - # other server on this computer needs. The default is to avoid - # IANA-assigned port numbers. - # Our SElinux policy does not allow non-ephemeral ports to be used - outgoing-port-avoid: 0-32767 - # number of outgoing simultaneous tcp buffers to hold per thread. # outgoing-num-tcp: 10 diff --git a/unbound.spec b/unbound.spec index adcca8f..29a1963 100644 --- a/unbound.spec +++ b/unbound.spec @@ -174,6 +174,7 @@ This package holds the Python modules and extensions for unbound. %build %sysusers_generate_pre %{SOURCE19} anchor unbound.conf + export CFLAGS="%{optflags}" export CXXFLAGS="%{optflags}"
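Review bot: In the unbound.conf hunk, the removed comment blocks were the only place in the file recording that the SELinux policy permits only ephemeral source ports, and the new side gives no reason why `outgoing-port-permit` and `outgoing-port-avoid` are absent. With `--disable-explicit-port-randomisation` (named in the changelog entry), source-port selection is presumably left to the kernel, so the effective range would follow the host's ephemeral-port setting rather than this file. That is worth confirming against the SELinux policy, because source-port unpredictability is part of the resolver's resistance to spoofed answers. I would leave a short comment where the lines were, e.g. `# outgoing-port-permit / outgoing-port-avoid are not set here: this package is built with --disable-explicit-port-randomisation and unbound-checkconf warns about them`, so an admin does not re-add them and bring the warnings back.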