diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile index e2902ed8753..d4aa2984501 100644 --- a/package/network/services/dnsmasq/Makefile +++ b/package/network/services/dnsmasq/Makefile @@ -30,6 +30,7 @@ PKG_CONFIG_DEPENDS:= CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dhcp \ CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dnssec \ CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_auth \ CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_ipset \ + CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_nftset \ CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_conntrack \ CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_noid \ CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_broken_rtc \ @@ -61,10 +62,11 @@ endef define Package/dnsmasq-full $(call Package/dnsmasq/Default) - TITLE += (with DNSSEC, DHCPv6, Auth DNS, IPset, Conntrack, NO_ID enabled by default) + TITLE += (with DNSSEC, DHCPv6, Auth DNS, IPset, Nftset, Conntrack, NO_ID enabled by default) DEPENDS+=+PACKAGE_dnsmasq_full_dnssec:libnettle \ +PACKAGE_dnsmasq_full_ipset:kmod-ipt-ipset \ - +PACKAGE_dnsmasq_full_conntrack:libnetfilter-conntrack + +PACKAGE_dnsmasq_full_conntrack:libnetfilter-conntrack \ + +PACKAGE_dnsmasq_full_nftset:nftables-json VARIANT:=full PROVIDES:=dnsmasq endef @@ -83,7 +85,7 @@ define Package/dnsmasq-full/description $(call Package/dnsmasq/description) This is a fully configurable variant with DHCPv4, DHCPv6, DNSSEC, Authoritative DNS -and IPset, Conntrack support & NO_ID enabled by default. +and nftset, Conntrack support & NO_ID enabled by default. endef define Package/dnsmasq/conffiles @@ -109,6 +111,9 @@ define Package/dnsmasq-full/config default y config PACKAGE_dnsmasq_full_ipset bool "Build with IPset support." + default n + config PACKAGE_dnsmasq_full_nftset + bool "Build with Nftset support." default y config PACKAGE_dnsmasq_full_conntrack bool "Build with Conntrack support." @@ -144,6 +149,7 @@ ifeq ($(BUILD_VARIANT),full) $(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dnssec),-DHAVE_DNSSEC) \ $(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_auth),,-DNO_AUTH) \ $(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_ipset),,-DNO_IPSET) \ + $(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_nftset),-DHAVE_NFTSET,) \ $(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_conntrack),-DHAVE_CONNTRACK,) \ $(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_noid),-DNO_ID,) \ $(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_broken_rtc),-DHAVE_BROKEN_RTC) \ diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init index c4ca3eb2db3..386b47616e7 100755 --- a/package/network/services/dnsmasq/files/dnsmasq.init +++ b/package/network/services/dnsmasq/files/dnsmasq.init @@ -33,6 +33,7 @@ dnsmasq_ignore_opt() { [ "${dnsmasq_features#* DNSSEC }" = "$dnsmasq_features" ] || dnsmasq_has_dnssec=1 [ "${dnsmasq_features#* TFTP }" = "$dnsmasq_features" ] || dnsmasq_has_tftp=1 [ "${dnsmasq_features#* ipset }" = "$dnsmasq_features" ] || dnsmasq_has_ipset=1 + [ "${dnsmasq_features#* nftset }" = "$dnsmasq_features" ] || dnsmasq_has_nftset=1 fi case "$opt" in @@ -55,6 +56,8 @@ dnsmasq_ignore_opt() { [ -z "$dnsmasq_has_tftp" ] ;; ipset) [ -z "$dnsmasq_has_ipset" ] ;; + nftset) + [ -z "$dnsmasq_has_nftset" ] ;; *) return 1 esac @@ -169,10 +172,6 @@ append_address() { xappend "--address=$1" } -append_ipset() { - xappend "--ipset=$1" -} - append_connmark_allowlist() { xappend "--connmark-allowlist=$1" } @@ -796,25 +795,54 @@ dhcp_relay_add() { dnsmasq_ipset_add() { local cfg="$1" - local ipsets domains + local ipsets nftsets domains add_ipset() { ipsets="${ipsets:+$ipsets,}$1" } + add_nftset() { + local IFS=, + for set in $1; do + local fam="$family" + [ -n "$fam" ] || fam=$(echo "$set" | sed -nre \ + 's#^.*[^0-9]([46])$|^.*[-_]([46])[-_].*$|^([46])[^0-9].*$#\1\2\3#p') + [ -n "$fam" ] || \ + fam=$(nft -t list set "$table_family" "$table" "$set" 2>&1 | sed -nre \ + 's#^\t\ttype .*\bipv([46])_addr\b.*$#\1#p') + + [ -n "$fam" ] || \ + logger -t dnsmasq "Cannot infer address family from non-existent nftables set '$set'" + + nftsets="${nftsets:+$nftsets,}${fam:+$fam#}$table_family#$table#$set" + done + } + add_domain() { # leading '/' is expected domains="$domains/$1" } + config_get table "$cfg" table 'fw4' + config_get table_family "$cfg" table_family 'inet' + if [ "$table_family" = "ip" ] ; then + family="4" + elif [ "$table_family" = "ip6" ] ; then + family="6" + else + config_get family "$cfg" family + fi + config_list_foreach "$cfg" "name" add_ipset + config_list_foreach "$cfg" "name" add_nftset config_list_foreach "$cfg" "domain" add_domain - if [ -z "$ipsets" ] || [ -z "$domains" ]; then + if [ -z "$ipsets" ] || [ -z "$nftsets" ] || [ -z "$domains" ]; then return 0 fi xappend "--ipset=$domains/$ipsets" + xappend "--nftset=$domains/$nftsets" } dnsmasq_start() @@ -948,7 +976,6 @@ dnsmasq_start() config_list_foreach "$cfg" "server" append_server config_list_foreach "$cfg" "rev_server" append_rev_server config_list_foreach "$cfg" "address" append_address - config_list_foreach "$cfg" "ipset" append_ipset local connmark_allowlist_enable config_get connmark_allowlist_enable "$cfg" connmark_allowlist_enable 0 @@ -1141,7 +1168,6 @@ dnsmasq_start() config_foreach filter_dnsmasq ipset dnsmasq_ipset_add "$cfg" echo >> $CONFIGFILE_TMP - echo >> $CONFIGFILE_TMP mv -f $CONFIGFILE_TMP $CONFIGFILE mv -f $HOSTFILE_TMP $HOSTFILE