mirror of
https://github.com/openwrt/openwrt.git
synced 2025-01-13 00:10:21 +00:00
dnsmasq: Support nftables nftsets
Add build option for nftables sets. By default disable iptables ipset support. By default enable nftable nftset support since this is what fw4 uses. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> dnsmasq: nftset: serve from ipset config Use existing ipset configs as source for nftsets to be compatible with existing configs. As the OS can either have iptables XOR nftables support, it's fine to provide both to dnsmasq. dnsmasq will silently fail for the present one. Depending on the dnsmasq compile time options, the ipsets or nftsets option will not be added to the dnsmasq config file. dnsmasq will try to add the IP addresses to all sets, regardless of the IP version defined for the set. Adding an IPv6 to an IPv4 set and vice versa will silently fail. Signed-off-by: Mathias Kresin <dev@kresin.me> dnsmasq: support populating nftsets in addition to ipsets Tell dnsmasq to populate nftsets instead of ipsets, if firewall4 is present in the system. Keep the same configuration syntax in /etc/config/dhcp, for compatibility purposes. Huge thanks to Jo-Philipp Wich for basically writing the function. Signed-off-by: Jo-Philipp Wich <jo@mein.io> Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com> dnsmasq: obtain nftset ip family from nft Unfortunately dnsmasq nft is noisy if an attempt to add a mismatched ip address family to an nft set is made. Heuristic to guess which ip family a nft set might belong by inferring from the set name. In order of preference: If setname ends with standalone '4' or '6' use that, else if setname has '4' or '6' delimited by '-' or '_' use that (eg foo-4-bar) else If setname begins with '4' or '6' standalone use that. By standalone I mean not as part of a larger number eg. 24 If the above fails then use the existing nft set query mechanism and if that fails, well you're stuffed! With-thanks-to: Jo-Philipp Wich <jo@mein.io> who improved my regexp knowledge. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> dnsmasq: specify firewall table for nftset Permit ipsets to specify an nftables table for the set. New config parameter is 'table'. If not specified the default of 'fw4' is used. config ipset list name 'BK_4,BK_6' option table 'dscpclassify' option table_family 'ip' option family '4' list domain 'ms-acdc.office.com' list domain 'windowsupdate.com' list domain 'update.microsoft.com' list domain 'graph.microsoft.com' list domain '1drv.ms' list domain '1drv.com' The table family can also be specified, usually 'ip' or 'ip6' else the default 'inet' capable of both ipv4 & ipv6 is used. If the table family is not specified then finally a family option is available to specify either '4' or '6' for ipv4 or ipv6 respectively. This is all in addition to the existing heuristic that will look in the nftset name for an ip family clue, or in total desperation, query the value from the nftset itself. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
This commit is contained in:
parent
7cdf74e163
commit
d7f378796f
@ -30,6 +30,7 @@ PKG_CONFIG_DEPENDS:= CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dhcp \
|
|||||||
CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dnssec \
|
CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dnssec \
|
||||||
CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_auth \
|
CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_auth \
|
||||||
CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_ipset \
|
CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_ipset \
|
||||||
|
CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_nftset \
|
||||||
CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_conntrack \
|
CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_conntrack \
|
||||||
CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_noid \
|
CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_noid \
|
||||||
CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_broken_rtc \
|
CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_broken_rtc \
|
||||||
@ -61,10 +62,11 @@ endef
|
|||||||
|
|
||||||
define Package/dnsmasq-full
|
define Package/dnsmasq-full
|
||||||
$(call Package/dnsmasq/Default)
|
$(call Package/dnsmasq/Default)
|
||||||
TITLE += (with DNSSEC, DHCPv6, Auth DNS, IPset, Conntrack, NO_ID enabled by default)
|
TITLE += (with DNSSEC, DHCPv6, Auth DNS, IPset, Nftset, Conntrack, NO_ID enabled by default)
|
||||||
DEPENDS+=+PACKAGE_dnsmasq_full_dnssec:libnettle \
|
DEPENDS+=+PACKAGE_dnsmasq_full_dnssec:libnettle \
|
||||||
+PACKAGE_dnsmasq_full_ipset:kmod-ipt-ipset \
|
+PACKAGE_dnsmasq_full_ipset:kmod-ipt-ipset \
|
||||||
+PACKAGE_dnsmasq_full_conntrack:libnetfilter-conntrack
|
+PACKAGE_dnsmasq_full_conntrack:libnetfilter-conntrack \
|
||||||
|
+PACKAGE_dnsmasq_full_nftset:nftables-json
|
||||||
VARIANT:=full
|
VARIANT:=full
|
||||||
PROVIDES:=dnsmasq
|
PROVIDES:=dnsmasq
|
||||||
endef
|
endef
|
||||||
@ -83,7 +85,7 @@ define Package/dnsmasq-full/description
|
|||||||
$(call Package/dnsmasq/description)
|
$(call Package/dnsmasq/description)
|
||||||
|
|
||||||
This is a fully configurable variant with DHCPv4, DHCPv6, DNSSEC, Authoritative DNS
|
This is a fully configurable variant with DHCPv4, DHCPv6, DNSSEC, Authoritative DNS
|
||||||
and IPset, Conntrack support & NO_ID enabled by default.
|
and nftset, Conntrack support & NO_ID enabled by default.
|
||||||
endef
|
endef
|
||||||
|
|
||||||
define Package/dnsmasq/conffiles
|
define Package/dnsmasq/conffiles
|
||||||
@ -109,6 +111,9 @@ define Package/dnsmasq-full/config
|
|||||||
default y
|
default y
|
||||||
config PACKAGE_dnsmasq_full_ipset
|
config PACKAGE_dnsmasq_full_ipset
|
||||||
bool "Build with IPset support."
|
bool "Build with IPset support."
|
||||||
|
default n
|
||||||
|
config PACKAGE_dnsmasq_full_nftset
|
||||||
|
bool "Build with Nftset support."
|
||||||
default y
|
default y
|
||||||
config PACKAGE_dnsmasq_full_conntrack
|
config PACKAGE_dnsmasq_full_conntrack
|
||||||
bool "Build with Conntrack support."
|
bool "Build with Conntrack support."
|
||||||
@ -144,6 +149,7 @@ ifeq ($(BUILD_VARIANT),full)
|
|||||||
$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dnssec),-DHAVE_DNSSEC) \
|
$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dnssec),-DHAVE_DNSSEC) \
|
||||||
$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_auth),,-DNO_AUTH) \
|
$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_auth),,-DNO_AUTH) \
|
||||||
$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_ipset),,-DNO_IPSET) \
|
$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_ipset),,-DNO_IPSET) \
|
||||||
|
$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_nftset),-DHAVE_NFTSET,) \
|
||||||
$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_conntrack),-DHAVE_CONNTRACK,) \
|
$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_conntrack),-DHAVE_CONNTRACK,) \
|
||||||
$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_noid),-DNO_ID,) \
|
$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_noid),-DNO_ID,) \
|
||||||
$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_broken_rtc),-DHAVE_BROKEN_RTC) \
|
$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_broken_rtc),-DHAVE_BROKEN_RTC) \
|
||||||
|
@ -33,6 +33,7 @@ dnsmasq_ignore_opt() {
|
|||||||
[ "${dnsmasq_features#* DNSSEC }" = "$dnsmasq_features" ] || dnsmasq_has_dnssec=1
|
[ "${dnsmasq_features#* DNSSEC }" = "$dnsmasq_features" ] || dnsmasq_has_dnssec=1
|
||||||
[ "${dnsmasq_features#* TFTP }" = "$dnsmasq_features" ] || dnsmasq_has_tftp=1
|
[ "${dnsmasq_features#* TFTP }" = "$dnsmasq_features" ] || dnsmasq_has_tftp=1
|
||||||
[ "${dnsmasq_features#* ipset }" = "$dnsmasq_features" ] || dnsmasq_has_ipset=1
|
[ "${dnsmasq_features#* ipset }" = "$dnsmasq_features" ] || dnsmasq_has_ipset=1
|
||||||
|
[ "${dnsmasq_features#* nftset }" = "$dnsmasq_features" ] || dnsmasq_has_nftset=1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
case "$opt" in
|
case "$opt" in
|
||||||
@ -55,6 +56,8 @@ dnsmasq_ignore_opt() {
|
|||||||
[ -z "$dnsmasq_has_tftp" ] ;;
|
[ -z "$dnsmasq_has_tftp" ] ;;
|
||||||
ipset)
|
ipset)
|
||||||
[ -z "$dnsmasq_has_ipset" ] ;;
|
[ -z "$dnsmasq_has_ipset" ] ;;
|
||||||
|
nftset)
|
||||||
|
[ -z "$dnsmasq_has_nftset" ] ;;
|
||||||
*)
|
*)
|
||||||
return 1
|
return 1
|
||||||
esac
|
esac
|
||||||
@ -169,10 +172,6 @@ append_address() {
|
|||||||
xappend "--address=$1"
|
xappend "--address=$1"
|
||||||
}
|
}
|
||||||
|
|
||||||
append_ipset() {
|
|
||||||
xappend "--ipset=$1"
|
|
||||||
}
|
|
||||||
|
|
||||||
append_connmark_allowlist() {
|
append_connmark_allowlist() {
|
||||||
xappend "--connmark-allowlist=$1"
|
xappend "--connmark-allowlist=$1"
|
||||||
}
|
}
|
||||||
@ -796,25 +795,54 @@ dhcp_relay_add() {
|
|||||||
|
|
||||||
dnsmasq_ipset_add() {
|
dnsmasq_ipset_add() {
|
||||||
local cfg="$1"
|
local cfg="$1"
|
||||||
local ipsets domains
|
local ipsets nftsets domains
|
||||||
|
|
||||||
add_ipset() {
|
add_ipset() {
|
||||||
ipsets="${ipsets:+$ipsets,}$1"
|
ipsets="${ipsets:+$ipsets,}$1"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
add_nftset() {
|
||||||
|
local IFS=,
|
||||||
|
for set in $1; do
|
||||||
|
local fam="$family"
|
||||||
|
[ -n "$fam" ] || fam=$(echo "$set" | sed -nre \
|
||||||
|
's#^.*[^0-9]([46])$|^.*[-_]([46])[-_].*$|^([46])[^0-9].*$#\1\2\3#p')
|
||||||
|
[ -n "$fam" ] || \
|
||||||
|
fam=$(nft -t list set "$table_family" "$table" "$set" 2>&1 | sed -nre \
|
||||||
|
's#^\t\ttype .*\bipv([46])_addr\b.*$#\1#p')
|
||||||
|
|
||||||
|
[ -n "$fam" ] || \
|
||||||
|
logger -t dnsmasq "Cannot infer address family from non-existent nftables set '$set'"
|
||||||
|
|
||||||
|
nftsets="${nftsets:+$nftsets,}${fam:+$fam#}$table_family#$table#$set"
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
add_domain() {
|
add_domain() {
|
||||||
# leading '/' is expected
|
# leading '/' is expected
|
||||||
domains="$domains/$1"
|
domains="$domains/$1"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
config_get table "$cfg" table 'fw4'
|
||||||
|
config_get table_family "$cfg" table_family 'inet'
|
||||||
|
if [ "$table_family" = "ip" ] ; then
|
||||||
|
family="4"
|
||||||
|
elif [ "$table_family" = "ip6" ] ; then
|
||||||
|
family="6"
|
||||||
|
else
|
||||||
|
config_get family "$cfg" family
|
||||||
|
fi
|
||||||
|
|
||||||
config_list_foreach "$cfg" "name" add_ipset
|
config_list_foreach "$cfg" "name" add_ipset
|
||||||
|
config_list_foreach "$cfg" "name" add_nftset
|
||||||
config_list_foreach "$cfg" "domain" add_domain
|
config_list_foreach "$cfg" "domain" add_domain
|
||||||
|
|
||||||
if [ -z "$ipsets" ] || [ -z "$domains" ]; then
|
if [ -z "$ipsets" ] || [ -z "$nftsets" ] || [ -z "$domains" ]; then
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
xappend "--ipset=$domains/$ipsets"
|
xappend "--ipset=$domains/$ipsets"
|
||||||
|
xappend "--nftset=$domains/$nftsets"
|
||||||
}
|
}
|
||||||
|
|
||||||
dnsmasq_start()
|
dnsmasq_start()
|
||||||
@ -948,7 +976,6 @@ dnsmasq_start()
|
|||||||
config_list_foreach "$cfg" "server" append_server
|
config_list_foreach "$cfg" "server" append_server
|
||||||
config_list_foreach "$cfg" "rev_server" append_rev_server
|
config_list_foreach "$cfg" "rev_server" append_rev_server
|
||||||
config_list_foreach "$cfg" "address" append_address
|
config_list_foreach "$cfg" "address" append_address
|
||||||
config_list_foreach "$cfg" "ipset" append_ipset
|
|
||||||
|
|
||||||
local connmark_allowlist_enable
|
local connmark_allowlist_enable
|
||||||
config_get connmark_allowlist_enable "$cfg" connmark_allowlist_enable 0
|
config_get connmark_allowlist_enable "$cfg" connmark_allowlist_enable 0
|
||||||
@ -1141,7 +1168,6 @@ dnsmasq_start()
|
|||||||
config_foreach filter_dnsmasq ipset dnsmasq_ipset_add "$cfg"
|
config_foreach filter_dnsmasq ipset dnsmasq_ipset_add "$cfg"
|
||||||
echo >> $CONFIGFILE_TMP
|
echo >> $CONFIGFILE_TMP
|
||||||
|
|
||||||
echo >> $CONFIGFILE_TMP
|
|
||||||
mv -f $CONFIGFILE_TMP $CONFIGFILE
|
mv -f $CONFIGFILE_TMP $CONFIGFILE
|
||||||
mv -f $HOSTFILE_TMP $HOSTFILE
|
mv -f $HOSTFILE_TMP $HOSTFILE
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user