On 13/09/18 10:08, Wojtek Swiatek wrote:
>
> On Sat, 8 Sept 2018 at 15:45, Simon Kelley <si...@thekelleys.org.uk> wrote:
>
> > No, that's a different problem. Your target name "vpnin.swtk.info" is
> > coming from the DHCP subsystem, because you have a DHCP lease for a host
> > called "vpnin" and have set the domain to swtk.info.
> >
> > It would be possible to fix this, and maybe even sensible, but it's
> > not the same as the OP's problem with CNAMEs.
> >
> > Given that when the result comes from DHCP, it's pretty much guaranteed
> > to be within the firewall, does it make sense to have such names checked
> > by the ipset system? Genuine question. I'm unsure what people are using
> > the ipsets facility for, so I don't know the answer.
>
> The real added value of ipset for me is the capacity to configure my
> firewall via names and not IPs.
> This is extremely useful for DHCP hosts (all of my hosts - mobiles,
> desktops, laptops and servers - are managed by dnsmasq's DHCP).
>
> Having the capacity to update an ipset from within dnsmasq (as the lease
> changes) would be great. The only alternative today is to
> manually set some hosts as infinite lease.
>
Even making DHCP-derived names part of the existing ipset system doesn't seem to be a good solution to this. The ipset only gets updated when a DNS lookup happens, not when the lease is created, and there definitely isn't a way to remove ipset entries at all, which you'd need as leases change.

What's needed is a different system, to populate ipsets based on the DHCP lease database, and the dhcp-script system gives you the tools to do exactly that. Any change to the DHCP lease database runs a process (as root) which has access to the IP address, hostname, MAC address, and anything else you might need. A suitable script can be written that directly manipulates the relevant ipsets in any way you might want.

Cheers,

Simon
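
One way to write the dhcp-script hook described in the reply above, as an added example that is not from the thread or from the dnsmasq project. The per-host set naming (`dhcp-<hostname>`), the IPv4-only handling and the function names are assumptions of this sketch; because the script runs as root on a client-supplied hostname, it validates the name before using it.

```shell
#!/bin/sh
# Added example, not from the thread: a dnsmasq dhcp-script hook that mirrors
# lease changes into per-host ipsets. dnsmasq invokes it (as root) with
#   <add|old|del> <mac> <ip> [hostname]
# Assumption of this example: one hash:ip set per host, named "dhcp-<hostname>".

IPSET="${IPSET:-ipset}"     # override to dry-run without touching the kernel
SET_PREFIX="dhcp-"

# The hostname is supplied by the DHCP client and this runs as root, so accept
# only characters that are safe in a set name. ipset names are limited to 31
# characters, which leaves 26 after the prefix.
valid_name() {
    case "$1" in
        ""|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 26 ]
}

handle_lease() {
    action=$1 ip=$3 host=${4:-}
    # The hash:ip sets here are IPv4; ignore DHCPv6 leases and malformed input.
    case "$ip" in
        ""|*[!0-9.]*) return 0 ;;
    esac
    # On "old", dnsmasq exports the previous name when a lease's hostname was
    # removed, so the address can be dropped from that host's set.
    if [ "$action" = old ] && valid_name "${DNSMASQ_OLD_HOSTNAME:-}"; then
        "$IPSET" -exist del "${SET_PREFIX}${DNSMASQ_OLD_HOSTNAME}" "$ip"
    fi
    valid_name "$host" || return 0      # unnamed or unsafe name: nothing to track
    set_name="${SET_PREFIX}${host}"
    case "$action" in
        add|old)
            "$IPSET" -exist create "$set_name" hash:ip &&
                "$IPSET" -exist add "$set_name" "$ip" ;;
        del)
            "$IPSET" -exist del "$set_name" "$ip" ;;
    esac
}

# Run only when called with arguments, as dnsmasq does.
if [ "$#" -gt 0 ]; then
    handle_lease "$@"
fi
```

Firewall rules can then match on the `dhcp-<hostname>` set instead of a fixed address. Setting `IPSET` to a command that only prints its arguments gives a dry run.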