from:"Jason"

Hi Simon  Folks,

Currently when dnsmasq processes server=/.../, address=/.../, local=/.../,
ipset=/.../, and similar, it find the nearest match for a domain name by
iterating through all the keys, and keeping track of which one had the
largest match length. This gets the job done and is fairly, simple. But it
also could be optimized quite a bit.

This might be a bit verbose for dnsmasq's tastes, and maybe the notion
smells a bit too much of My First Computer Science Data Structure kind of
thing, but perhaps this might be a welcome optimization. I present you with
domain-lookup-tree, a simple set of C functions that store domain names in
a tree structure:

http://git.zx2c4.com/domain-lookup-tree/about/

It should be relatively straightforward. I wrote it specifically with
dnsmasq in mind, so if you're interested, I'd be thrilled to see it replace
the current nieve matching technique.

Thoughts? Comments? Ideas?

Jason
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [Request for Comments] Optimized Nearest-Domain Lookup

On Wed, Feb 20, 2013 at 3:17 PM, Kaspar Schleiser kas...@schleiser.dewrote:

 Could you elaborate on how your tree works? Did you do any benchmarks?


Each node represents a domain component.

* - [com - [zx2c4 - [data, blog ], kexec ], org - [slashdot ] ]

It splits the domain string by the period, and then walks the components
backward.
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [Request for Comments] Optimized Nearest-Domain Lookup

On Wed, Feb 20, 2013 at 3:17 PM, Kaspar Schleiser kas...@schleiser.dewrote:

 Did you do any benchmarks?


Okie dokie, benchmark time! 2012 Intel Core i7, gcc 4.7.2.

With gcc's -O3:

zx2c4@thinkpad ~/Projects/domain-lookup-tree $ ./benchmark
New method took 0.43 seconds.
Old method took 2.75 seconds.


Without -O3:

zx2c4@thinkpad ~/Projects/domain-lookup-tree $ ./benchmark
New method took 0.41 seconds.
Old method took 325.94 seconds.


Benchmarking code is in previously linked git repository.
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [Request for Comments] Optimized Nearest-Domain Lookup

On Wed, Feb 20, 2013 at 5:46 PM, Simon Kelley si...@thekelleys.org.ukwrote:

 I'm
 currently snowed under (at least partially with your earlier good work)
 so I may not get to this for a while.


No problem. Upstreaming the ipset code is a much bigger priority in my
book. This optimization code is mainly just something to play around with.
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [PATCH] Netfilter IPSet Support

On Sun, Feb 17, 2013 at 6:28 PM, Simon Kelley si...@thekelleys.org.ukwrote:

Fantastic! I'm beating my way though my my inbox and just caught up with
you. I was intending to put this off to the first thing in 2.67, rather
than the last thing in 2.66, but having got this far, I'm not so sure.

Wonderful!

You even wrote the man-page text!

Queries which arise mainly from a fresh pair of eyes:

1) Do we need to support HAVE_OLD_IPSET? I can see more reason for 2.4
kernels that 2.6, but I think most routers are using modern kernels now?

We really do need to support old ipset. Lots of broadcom-based routers run
2.6.22, because that's the kernel version broadcom has released their
drivers for. They're extremely widespread, so supporting it is really a
must.

If we do need to support both, I'd like to do both in one binary, just to
reduce the potential build confusion.

This shouldn't be _too big_ of a problem. I'm rewriting things now to check
utsname on the first invocation of the function, and then route
accordingly. The only potential problem is that since we can't rely on
the existence of the ipset-netlink headers on older systems, I'll have to
import some of those constant values.

Personally I think it's much much much cleaner to have them separate
compile time options, but I understand the build confusion issue too.

Am I right that the setsockopt method only supports IPv4? So we can't
support just that.

Older ipsets only support IPv4. They're still extremely useful, but it's a
limitation.

2) Can we get by without adding a dependency on libmnl? Do we want to?
even if we don't, we can replace the code which starts

The ipset userland tool uses libmnl, so it's already on the user's system
if they're using ipset. However, this isn't the case if they're using old
ipset, so it might be best to move away from libmnl. I'm investigating that
right now.

mnl = mnl_socket_open(NETLINK_**NETFILTER);

and ends

mnl_socket_close(mnl);

with something which uses the already-existing netlink socket created in
src/netlink.c, and avoid the overhead of making a new netlink socket on
each iteration? Worry about process_reply() being called from the
TCP-request code-path, from a forked process. I think the netlink socket
inherited by the forked process will still be OK.

If we do stick with libmnl, implementing this will be no problem.

3)
(af == AF_INET ? sizeof(ipaddr-addr.addr4) : sizeof(ipaddr-addr.addr4)),

second addr4 should be addr6?

Good catch.

4) The code should compile if HAVE_IPV6 is not set even if the headers
don't define AF_INET6

Roger that.

5) Compile-time options need to be added to the prepocessor stuff defining
the compile_opts string in src/config.c

I actually added this after the initial email in the git repository --
http://git.zx2c4.com/dnsmasq-ipset/ .

Cheers,

Simon.

__**_
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.**thekelleys.org.ukDnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.**uk/mailman/listinfo/dnsmasq-**discusshttp://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] [PATCH v2 3/3] ipset: Update man page and example config to reflect new option.

From: Jason A. Donenfeld ja...@zx2c4.com

---
 dnsmasq.conf.example | 4 
 man/dnsmasq.8| 6 ++
 2 files changed, 10 insertions(+)

diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example
index 5215c2a..9a0dbd7 100644
--- a/dnsmasq.conf.example
+++ b/dnsmasq.conf.example
@@ -69,6 +69,10 @@
 # --address (and --server) work with IPv6 addresses too.
 #address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
 
+# Add the IPs of all queries to yahoo.com, google.com, and their
+# subdomains to the vpn and search ipsets:
+#ipset=/yahoo.com/google.com/vpn,search
+
 # You can control how dnsmasq talks to a server: this forces
 # queries to 10.1.2.3 to be routed via eth1
 # server=10.1.2.3@eth1
diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index b8dcfc7..941e84d 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -412,6 +412,12 @@ additional facility that /#/ matches any domain. Thus
 answered from /etc/hosts or DHCP and not sent to an upstream
 nameserver by a more specific --server directive.
 .TP
+.B --ipset=/domain/[domain/]ipset[,ipset]
+Places the resolved IP addresses of queries for the specified domains
+in the specified netfilter ip sets. Domains and subdomains are matched
+in the same way as --address. These ip sets must already exist. See
+ipset(8) for more details.
+.TP
 .B \-m, --mx-host=mx name[[,hostname],preference]
 Return an MX record named mx name pointing to the given hostname (if
 given), or
-- 
1.8.1.2


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] [PATCH v2 2/3] ipset: Parse new --ipset option and match domains in forward.c

From: Jason A. Donenfeld ja...@zx2c4.com

The matching logic is the same as for --address. extract_address is
responsible for calling out to add_to_ipset.
---
 src/dnsmasq.h | 10 +-
 src/forward.c | 20 ++-
 src/option.c  | 64 +++
 src/rfc1035.c | 24 +-
 4 files changed, 115 insertions(+), 3 deletions(-)

diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 832e04a..9732487 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -430,6 +430,12 @@ struct server {
   struct server *next; 
 };
 
+struct ipsets {
+  char **sets;
+  char *domain;
+  struct ipsets *next;
+};
+
 struct irec {
   union mysockaddr addr;
   struct in_addr netmask; /* only valid for IPv4 */
@@ -779,6 +785,7 @@ extern struct daemon {
   struct iname *if_names, *if_addrs, *if_except, *dhcp_except, *auth_peers;
   struct bogus_addr *bogus_addr;
   struct server *servers;
+  struct ipsets *ipsets;
   int log_fac; /* log facility */
   char *log_file; /* optional log file */
   int max_logs;  /* queue limit */
@@ -903,7 +910,8 @@ size_t setup_reply(struct dns_header *header, size_t  qlen,
   struct all_addr *addrp, unsigned int flags,
   unsigned long local_ttl);
 int extract_addresses(struct dns_header *header, size_t qlen, char *namebuff, 
- time_t now, int is_sign, int checkrebind, int 
checking_disabled);
+ time_t now, char **ipsets, int is_sign, int checkrebind,
+ int checking_disabled);
 size_t answer_request(struct dns_header *header, char *limit, size_t qlen,  
   struct in_addr local_addr, struct in_addr local_netmask, 
time_t now);
 int check_for_bogus_wildcard(struct dns_header *header, size_t qlen, char 
*name, 
diff --git a/src/forward.c b/src/forward.c
index fb0b4c4..f5e95a1 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -439,9 +439,27 @@ static size_t process_reply(struct dns_header *header, 
time_t now,
struct server *server, size_t n, int check_rebind, 
int checking_disabled)
 {
   unsigned char *pheader, *sizep;
+  char **sets = 0;
   int munged = 0, is_sign;
   size_t plen; 
 
+#ifdef HAVE_IPSET
+  /* Similar algorithm to search_servers. */
+  struct ipsets *ipset_pos;
+  unsigned int namelen = strlen(daemon-namebuff);
+  unsigned int matchlen = 0;
+  for (ipset_pos = daemon-ipsets; ipset_pos; ipset_pos = ipset_pos-next) {
+ unsigned int domainlen = strlen(ipset_pos-domain);
+ char *matchstart = daemon-namebuff + namelen - domainlen;
+ if (namelen = domainlen  hostname_isequal(matchstart, 
ipset_pos-domain) 
+(domainlen == 0 || namelen == domainlen || *(matchstart - 1) == 
'.' ) 
+domainlen = matchlen) {
+   matchlen = domainlen;
+   sets = ipset_pos-sets;
+ }
+  }
+#endif
+
   /* If upstream is advertising a larger UDP packet size
  than we allow, trim it so that we don't get overlarge
  requests for the client. We can't do this for signed packets. */
@@ -494,7 +512,7 @@ static size_t process_reply(struct dns_header *header, 
time_t now,
  SET_RCODE(header, NOERROR);
}
   
-  if (extract_addresses(header, n, daemon-namebuff, now, is_sign, 
check_rebind, checking_disabled))
+  if (extract_addresses(header, n, daemon-namebuff, now, sets, is_sign, 
check_rebind, checking_disabled))
{
  my_syslog(LOG_WARNING, _(possible DNS-rebind attack detected: %s), 
daemon-namebuff);
  munged = 1;
diff --git a/src/option.c b/src/option.c
index 3fc3e03..899f4a1 100644
--- a/src/option.c
+++ b/src/option.c
@@ -127,6 +127,7 @@ struct myoption {
 #define LOPT_AUTHSOA   316
 #define LOPT_AUTHSFS   317
 #define LOPT_AUTHPEER  318
+#define LOPT_IPSET 319
 
 #ifdef HAVE_GETOPT_LONG
 static const struct option opts[] =  
@@ -259,6 +260,7 @@ static const struct myoption opts[] =
 { auth-soa, 1, 0, LOPT_AUTHSOA },
 { auth-sec-servers, 1, 0, LOPT_AUTHSFS },
 { auth-peer, 1, 0, LOPT_AUTHPEER }, 
+{ ipset, 1, 0, LOPT_IPSET },
 { NULL, 0, 0, 0 }
   };
 
@@ -397,6 +399,7 @@ static struct {
   { LOPT_AUTHSOA, ARG_ONE, serial[,...], gettext_noop(Set authoritive 
zone information), NULL },
   { LOPT_AUTHSFS, ARG_DUP, NS[,NS...], gettext_noop(Secondary 
authoritative nameservers for forward domains), NULL },
   { LOPT_AUTHPEER, ARG_DUP, ipaddr[,ipaddr...], gettext_noop(Peers 
which are allowed to do zone transfer), NULL },
+  { LOPT_IPSET, ARG_DUP, /domain/ipset[,ipset...], 
gettext_noop(Specify ipsets to which matching domains should be added), NULL 
},
   { 0, 0, NULL, NULL, NULL }
 }; 
 
@@ -2021,6 +2024,67 @@ static int one_opt(int option, char *arg, char *errstr, 
char *gen_err, int comma
daemon-servers = newlist;
break;
   }
+case LOPT_IPSET:
+#ifndef HAVE_IPSET
+  ret_err(_(recompile with HAVE_IPSET defined to enable ipset 
directives

[Dnsmasq-discuss] [PATCH v2 0/3] ipset: Add Netfilter IPSet Support to DNSMasq

From: Jason A. Donenfeld ja...@zx2c4.com

This version 2 of the ipset patchset makes a few important changes:

- No HAVE_OLD_IPSET anymore. HAVE_IPSET will enable both, and the
  correct code will then be called depending on the running kernel.

- libmnl is no longer used. All this code was replaced with
  something even more lightweight that should build on old systems.

- The netfilter socket is reused between ipset insertions. Note
  that other netlink sockets used in dnsmasq cannot be reused
  because they're part of a different netlink class, but we're
  smart about reusing the one we do allocate.

- HAVE_IPV6 is now respected, so new code paths won't break on non-
  ipv6 systems.

- compile_opts and various other small fixes

Jason A. Donenfeld (3):
  ipset: Integrate ipset.c into build system.
  ipset: Parse new --ipset option and match domains in forward.c
  ipset: Update man page and example config to reflect new option.

 Makefile |   2 +-
 dnsmasq.conf.example |   4 +
 man/dnsmasq.8|   6 ++
 src/config.h |  14 +++-
 src/dnsmasq.h|  15 +++-
 src/forward.c|  20 -
 src/ipset.c  | 220 +++
 src/option.c |  64 +++
 src/rfc1035.c|  24 +-
 9 files changed, 364 insertions(+), 5 deletions(-)
 create mode 100644 src/ipset.c

-- 
1.8.1.2


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] [PATCH v2 1/3] ipset: Integrate ipset.c into build system.

From: Jason A. Donenfeld ja...@zx2c4.com

---
 Makefile  |   2 +-
 src/config.h  |  14 +++-
 src/dnsmasq.h |   5 ++
 src/ipset.c   | 220 ++
 4 files changed, 239 insertions(+), 2 deletions(-)
 create mode 100644 src/ipset.c

diff --git a/Makefile b/Makefile
index c9cdb90..7240fbf 100644
--- a/Makefile
+++ b/Makefile
@@ -65,7 +65,7 @@ version = -DVERSION='\`$(top)/bld/get-version $(top)`\'
 objs = cache.o rfc1035.o util.o option.o forward.o network.o \
dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \
helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \
-   dhcp-common.o outpacket.o radv.o slaac.o auth.o
+   dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o
 
 hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \
dns-protocol.h radv-protocol.h
diff --git a/src/config.h b/src/config.h
index cff278d..9c8e785 100644
--- a/src/config.h
+++ b/src/config.h
@@ -97,6 +97,10 @@ HAVE_CONNTRACK
a build-dependency on libnetfilter_conntrack, but the resulting binary will
still run happily on a kernel without conntrack support.
 
+HAVE_IPSET
+define this to include the ability to selectively add resolved ip addresses
+to given ipsets.
+
 HAVE_AUTH
define this to include the facility to act as an authoritative DNS
server for one or more zones.
@@ -136,7 +140,7 @@ RESOLVFILE
 /* #define HAVE_DBUS */
 /* #define HAVE_IDN */
 /* #define HAVE_CONNTRACK */
-
+/* #define HAVE_IPSET */
 
 
 /* Default locations for important system files. */
@@ -323,6 +327,10 @@ HAVE_SOCKADDR_SA_LEN
 #undef HAVE_AUTH
 #endif
 
+#ifndef HAVE_LINUX_NETWORK
+#undef HAVE_IPSET
+#endif
+
 /* Define a string indicating which options are in use.
DNSMASQP_COMPILE_OPTS is only defined in dnsmasq.c */
 
@@ -381,6 +389,10 @@ static char *compile_opts =
 no-
 #endif
 conntrack 
+#ifndef HAVE_IPSET
+no-
+#endif
+ipset 
 #ifndef HAVE_AUTH
 no-
 #endif
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 21a309c..832e04a 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -1117,6 +1117,11 @@ void emit_dbus_signal(int action, struct dhcp_lease 
*lease, char *hostname);
 #  endif
 #endif
 
+/* ipset.c */
+#ifdef HAVE_IPSET
+int add_to_ipset(const char *setname, const struct all_addr *ipaddr, int af, 
int remove);
+#endif
+
 /* helper.c */
 #if defined(HAVE_SCRIPT)
 int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd);
diff --git a/src/ipset.c b/src/ipset.c
new file mode 100644
index 000..fcf6e25
--- /dev/null
+++ b/src/ipset.c
@@ -0,0 +1,220 @@
+/* ipset.c is Copyright (c) 2013 Jason A. Donenfeld ja...@zx2c4.com. All 
Rights Reserved.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+ 
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+ 
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see http://www.gnu.org/licenses/.
+*/
+
+#include dnsmasq.h
+#include string.h
+#include errno.h
+#include sys/types.h
+#include sys/socket.h
+#include sys/utsname.h
+#include arpa/inet.h
+#include linux/version.h
+#include linux/netlink.h
+#include linux/netfilter/nfnetlink.h
+#ifndef NFNL_SUBSYS_IPSET
+#define NFNL_SUBSYS_IPSET 6
+#define IPSET_ATTR_DATA 7
+#define IPSET_ATTR_IP 1
+#define IPSET_ATTR_IPADDR_IPV4 1
+#define IPSET_ATTR_IPADDR_IPV6 2
+#define IPSET_ATTR_PROTOCOL 1
+#define IPSET_ATTR_SETNAME 2
+#define IPSET_CMD_ADD 9
+#define IPSET_CMD_DEL 10
+#define IPSET_MAXNAMELEN 32
+#define IPSET_PROTOCOL 6
+#else
+#include linux/netfilter/ipset/ip_set.h
+#endif
+#ifdef HAVE_IPSET
+
+#define NL_ALIGN(len) (((len)+3)  ~(3))
+static const struct sockaddr_nl snl = { .nl_family = AF_NETLINK };
+
+static inline void add_attr(struct nlmsghdr *nlh, uint16_t type, size_t len, 
const void *data)
+{
+   struct nlattr *attr = (void *)nlh + NL_ALIGN(nlh-nlmsg_len);
+   uint16_t payload_len = NL_ALIGN(sizeof(struct nlattr)) + len;
+   attr-nla_type = type;
+   attr-nla_len = payload_len;
+   memcpy((void *)attr + NL_ALIGN(sizeof(struct nlattr)), data, len);
+   nlh-nlmsg_len += NL_ALIGN(payload_len);
+}
+
+static int netlink_netfilter_sock()
+{
+   static int fd = -2;
+   if (fd == -2) {
+   fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER);
+   if (fd  0)
+   return -1;
+   if (bind(fd, (struct sockaddr *)snl, sizeof(snl))  0) {
+   fd = -1;
+   return -1;
+   }
+   }
+   return fd;
+}
+
+static int

Re: [Dnsmasq-discuss] ipset-dns: Integrate Netfilter IPSet Support

2013-02-16 Thread Jason A. Donenfeld

On Sat, Feb 16, 2013 at 5:28 PM, Mr Dash Four
mr.dash.f...@googlemail.com wrote:
 If the set is of type hash:net, then you can use nomatch. In other words:

In an effort to prevent this thread from going off-topic, it's worth
noting that the hash:net functionality of ipset has nothing to do with
and does not replace the dnsmasq-ipset patches. It is very frequently
the case that it is not possible to know aprioi the IP ranges used by
a particular service, and instead the best way is via DNS lookup; see
prior emails for more detail.

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] ipset-dns: Integrate Netfilter IPSet Support

Hi Simon,

On Fri, Feb 15, 2013 at 3:05 PM, Simon Kelley si...@thekelleys.org.uk wrote:
 It looks like the extra code is quite small, so I'd certainly consider
 it.

Wonderful! I've extracted heavy lifting code into a separate file
(attached as ipset.c), and licensed it under the same license as
dnsmasq so that you can just copy and paste. Given that the
server=/.../ matching already exists and that the difficult netlink
part has already been written, adding this to dnsmasq should be very
trivial.

 Do you take account of the time-to-live of DNS records, or are
 ipsets create-only?

IPs can be both added and removed to and from ipsets. Ipset itself
doesn't have a built-in TTL mechanism, but it would be trivial to just
remove IPs from the ipset at the sametime dnsmasq purges its cache.
This isn't always the desired behavior, however -- if I have connected
to an IP address that was added to an ipset via its DNS lookup, I
don't want it to be removed from the ipset while I'm still connected
to it, even if the DNS TTL is up. In any case, I've added a remove
argument to the ipset function so that you can easily add this
functionality behind a switch.

Looking forward! Thanks Simon.

Jason
/* ipset.c: add or remove an ip address to an ipset.
 * 
 * Copyright (C) 2013 Jason A. Donenfeld ja...@zx2c4.com. All Rights Reserved.
 * 
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; version 2 dated June, 1991, or
 *  (at your option) version 3 dated 29 June, 2007.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *   
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see http://www.gnu.org/licenses/.
 * 
 * For Linux = 2.6.32, compile with -lmnl. For Linux = 2.6.16 or = 2.4.36, compile with -DOLD_IPSET.
 */

#include string.h
#include errno.h
#include sys/types.h
#include sys/socket.h
#include arpa/inet.h
#ifndef OLD_IPSET
#include libmnl/libmnl.h
#include linux/netfilter/nfnetlink.h
#include linux/netfilter/ipset/ip_set.h
#endif

/* ipaddr should be either in_addr or in6_addr in network byte order.
 * In other words, verbatium of what is in the DNS record. If remove
 * is non-zero, the requested ipaddr is removed instead of added. */
int add_to_ipset(const char *setname, const void *ipaddr, int af, int remove)
{
#ifndef OLD_IPSET
	struct nlmsghdr *nlh;
	struct nfgenmsg *nfg;
	struct mnl_socket *mnl;
	struct nlattr *nested[2];
	char buffer[256];
	ssize_t received;
	int port, rc;
	
	rc = 0;

	if (strlen(setname) = IPSET_MAXNAMELEN) {
		errno = ENAMETOOLONG;
		return -1;
	}
	if (af != AF_INET  af != AF_INET6) {
		errno = EAFNOSUPPORT;
		return -1;
	}

	nlh = mnl_nlmsg_put_header(buffer);
	nlh-nlmsg_type = (remove ? IPSET_CMD_DEL : IPSET_CMD_ADD) | (NFNL_SUBSYS_IPSET  8);
	nlh-nlmsg_flags = NLM_F_REQUEST;

	nfg = mnl_nlmsg_put_extra_header(nlh, sizeof(struct nfgenmsg));
	nfg-nfgen_family = af;
	nfg-version = NFNETLINK_V0;
	nfg-res_id = htons(0);

	mnl_attr_put_u8(nlh, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL);
	mnl_attr_put(nlh, IPSET_ATTR_SETNAME, strlen(setname) + 1, setname);
	nested[0] = mnl_attr_nest_start(nlh, IPSET_ATTR_DATA);
	nested[1] = mnl_attr_nest_start(nlh, IPSET_ATTR_IP);
	mnl_attr_put(nlh, (af == AF_INET ? IPSET_ATTR_IPADDR_IPV4 : IPSET_ATTR_IPADDR_IPV6)
			| NLA_F_NET_BYTEORDER, (af == AF_INET ? sizeof(struct in_addr) : sizeof(struct in6_addr)), ipaddr);
	mnl_attr_nest_end(nlh, nested[1]);	
	mnl_attr_nest_end(nlh, nested[0]);

	mnl = mnl_socket_open(NETLINK_NETFILTER);
	if (mnl = 0)
		return -1;
	if (mnl_socket_bind(mnl, 0, MNL_SOCKET_AUTOPID)  0) {
		rc = -1;
		goto close;
	}
	if (mnl_socket_sendto(mnl, nlh, nlh-nlmsg_len)  0) {
		rc = -1;
		goto close;
	}
close:
	mnl_socket_close(mnl);
	return rc;
#else
	int sock, rc;
	socklen_t size;
	struct ip_set_req_adt_get {
		unsigned op;
		unsigned version;
		union {
			char name[32];
			uint16_t index;
		} set;
		char typename[32];
	} req_adt_get;
	struct ip_set_req_adt {
		unsigned op;
		uint16_t index;
		uint32_t ip;
	} req_adt;
	
	rc = 0;
	
	if (strlen(setname) = sizeof(req_adt_get.set.name)) {
		errno = ENAMETOOLONG;
		return -1;
	}
	if (af != AF_INET) {
		errno = EAFNOSUPPORT;
		return -1;
	}
	
	sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
	if (sock  0)
		return -1;
	
	req_adt_get.op = 0x10;
	req_adt_get.version = 3;
	strcpy(req_adt_get.set.name, setname);
	size = sizeof(req_adt_get);
	if (getsockopt(sock, SOL_IP, 83, req_adt_get, size)  0) {
		rc = -1;
		goto close;
	}
	req_adt.op = remove ? 0x102 : 0x101;
	req_adt.index = req_adt_get.set.index;
	req_adt.ip = ntohl(*(uint32_t *)ipaddr);
	if (setsockopt(sock, SOL_IP, 83, req_adt, sizeof(req_adt))  0) {
		rc = -1;
		goto close

Re: [Dnsmasq-discuss] ipset-dns: Integrate Netfilter IPSet Support

On Fri, Feb 15, 2013 at 10:42 PM, sven falempin sven.falem...@gmail.com wrote:
 Previsouly i propose a patch to filter out some domain,
 i understand filtering should be done by iptables, but only if you think
 linux.

 Is it possible to use a version of this code to filter some domain out
 and/or to allow just a subset of domains ?

I'm sure it's possible to warp ipset to do all sorts of things for
you. It's pretty generic and flexible.

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] ipset-dns: Integrate Netfilter IPSet Support

Simon,

The attached patch wires ipset into the dnsmasq build system. I'm
assuming the integration and config syntax is something you want to do
yourself rather than have me do it.

After applying the patch, you will be able to call:

int add_to_ipset(const char *setname, const void *ipaddr, int af, int remove);

Hope this helps!

Jason


0001-Wire-up-ipset-to-build-system.patch
Description: Binary data
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] ipset-dns: Integrate Netfilter IPSet Support

On Fri, Feb 15, 2013 at 11:30 PM, John Brendler brendle...@gmail.com wrote:
 I use ipsets and have written scripts for handling them dynamically.
 I think this is a very interesting idea.  I'd benefit from hearing some
 elaboration on the use cases you have in mind.  I think this might also
 help Simon understand how best to integrate.

Sure. There are some decent examples on
http://git.zx2c4.com/ipset-dns/about/. Check out the Why? section
as well as the sample script.

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] [PATCH] Netfilter IPSet Support

Hi Simon,

Another update to reduce the amount of work for you. This thread
should supersede the other one.

I made ipset.c a bit nicer for dnsmasq by using struct all_addr. New
patch to replace all old ones:

View: 
http://git.zx2c4.com/dnsmasq-ipset/commit/?id=b93018649a533a341b724e3323011714a84d5ef0
Patch: 
http://git.zx2c4.com/dnsmasq-ipset/patch/?id=b93018649a533a341b724e3323011714a84d5ef0


I added some sample code for where it could be successfully integrated
with a simple /* TODO */ that should be filled out with the server
lookup / matching logic, which I'll leave to you:

View: 
http://git.zx2c4.com/dnsmasq-ipset/commit/?id=954a63cda0fa08e5ed0f18a81a226669c3dc5039
Patch: 
http://git.zx2c4.com/dnsmasq-ipset/patch/?id=954a63cda0fa08e5ed0f18a81a226669c3dc5039

If I do further work on this, the code will be found at:
http://git.zx2c4.com/dnsmasq-ipset/


Looking forward.

Jason

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [PATCH] Netfilter IPSet Support

Hah, forget that. I just wrote the entire thing, including configuration,
and it works great. I'll send full patches to the mailing list shortly.
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] [PATCH 0/3] ipset: Add Netfilter IPSet Support do DNSMasq

Services like YouTube and Netflix use tons of ranges of IP addresses
that fluctuate wildly and aren't predictable. However, they're always
from a given subdomain using DNS, like *.c.youtube.com. I'd like to
have firewall rules for these IP addresses -- route them over this
interface, that interface, rate limit them like this, or that, etc. An
efficient way to do this is by adding IP addresses to a netfilter
ipset and using iptables' ipset match support. With services that use
lots of IPs spread out over ranges but instead use DNS, the only way
to do this is to have the DNS forwarder add the resolved IPs to an
ipset before returning the IP to the client.

This series of patches adds an --ipset option to dnsmasq which adds
resolved ips for specified domains to a given list of ipsets using the
netlink on newer kernels and setsockopt on older kernels.

--ipset=/google.com/yahoo.com/search,vpn

That option will add all resolved IPs for Google and Yahoo domains and
subdomains to two ipsets -- search and vpn. (Sub)-domain matching is
conducted in the same way as with --address.

--ipset=resolved
--ipset=/#/resolved

These two options are identical. They each add all resolved domains to
the resolved ipset.

If this mailing list post becomes stale, the latest series of patches
may be found at http://git.zx2c4.com/dnsmasq-ipset.

Jason A. Donenfeld (3):
  ipset: Integrate ipset.c into build system.
  ipset: Parse new --ipset option and match domains in forward.c
  ipset: Update man page and example config to reflect new option.

 Makefile |   5 +-
 dnsmasq.conf.example |   4 ++
 man/dnsmasq.8|   6 +++
 src/config.h |   6 +++
 src/dnsmasq.h|  17 +-
 src/forward.c|  20 ++-
 src/ipset.c  | 143 +++
 src/option.c |  64 +++
 src/rfc1035.c|  14 -
 9 files changed, 274 insertions(+), 5 deletions(-)
 create mode 100644 src/ipset.c

-- 
1.8.1.2


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] [PATCH 2/3] ipset: Parse new --ipset option and match domains in forward.c

The matching logic is the same as for --address. extract_address is
responsible for calling out to add_to_ipset.
---
 src/dnsmasq.h | 12 ++-
 src/forward.c | 20 ++-
 src/option.c  | 64 +++
 src/rfc1035.c | 14 -
 4 files changed, 107 insertions(+), 3 deletions(-)

diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index f1dffe8..95bd464 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -430,6 +430,14 @@ struct server {
   struct server *next; 
 };
 
+#if defined(HAVE_IPSET) || defined(HAVE_OLD_IPSET)
+struct ipsets {
+  char **sets;
+  char *domain;
+  struct ipsets *next;
+};
+#endif
+
 struct irec {
   union mysockaddr addr;
   struct in_addr netmask; /* only valid for IPv4 */
@@ -779,6 +787,7 @@ extern struct daemon {
   struct iname *if_names, *if_addrs, *if_except, *dhcp_except, *auth_peers;
   struct bogus_addr *bogus_addr;
   struct server *servers;
+  struct ipsets *ipsets;
   int log_fac; /* log facility */
   char *log_file; /* optional log file */
   int max_logs;  /* queue limit */
@@ -903,7 +912,8 @@ size_t setup_reply(struct dns_header *header, size_t  qlen,
   struct all_addr *addrp, unsigned int flags,
   unsigned long local_ttl);
 int extract_addresses(struct dns_header *header, size_t qlen, char *namebuff, 
- time_t now, int is_sign, int checkrebind, int 
checking_disabled);
+ time_t now, char **ipsets, int is_sign, int checkrebind,
+ int checking_disabled);
 size_t answer_request(struct dns_header *header, char *limit, size_t qlen,  
   struct in_addr local_addr, struct in_addr local_netmask, 
time_t now);
 int check_for_bogus_wildcard(struct dns_header *header, size_t qlen, char 
*name, 
diff --git a/src/forward.c b/src/forward.c
index fb0b4c4..ea0bdf4 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -439,9 +439,27 @@ static size_t process_reply(struct dns_header *header, 
time_t now,
struct server *server, size_t n, int check_rebind, 
int checking_disabled)
 {
   unsigned char *pheader, *sizep;
+  char **sets = 0;
   int munged = 0, is_sign;
   size_t plen; 
 
+#if defined(HAVE_IPSET) || defined(HAVE_OLD_IPSET)
+  /* Similar algorithm to search_servers. */
+  struct ipsets *ipset_pos;
+  unsigned int namelen = strlen(daemon-namebuff);
+  unsigned int matchlen = 0;
+  for (ipset_pos = daemon-ipsets; ipset_pos; ipset_pos = ipset_pos-next) {
+ unsigned int domainlen = strlen(ipset_pos-domain);
+ char *matchstart = daemon-namebuff + namelen - domainlen;
+ if (namelen = domainlen  hostname_isequal(matchstart, 
ipset_pos-domain) 
+(domainlen == 0 || namelen == domainlen || *(matchstart - 1) == 
'.' ) 
+domainlen = matchlen) {
+   matchlen = domainlen;
+   sets = ipset_pos-sets;
+ }
+  }
+#endif
+
   /* If upstream is advertising a larger UDP packet size
  than we allow, trim it so that we don't get overlarge
  requests for the client. We can't do this for signed packets. */
@@ -494,7 +512,7 @@ static size_t process_reply(struct dns_header *header, 
time_t now,
  SET_RCODE(header, NOERROR);
}
   
-  if (extract_addresses(header, n, daemon-namebuff, now, is_sign, 
check_rebind, checking_disabled))
+  if (extract_addresses(header, n, daemon-namebuff, now, sets, is_sign, 
check_rebind, checking_disabled))
{
  my_syslog(LOG_WARNING, _(possible DNS-rebind attack detected: %s), 
daemon-namebuff);
  munged = 1;
diff --git a/src/option.c b/src/option.c
index 3fc3e03..15fbd41 100644
--- a/src/option.c
+++ b/src/option.c
@@ -127,6 +127,7 @@ struct myoption {
 #define LOPT_AUTHSOA   316
 #define LOPT_AUTHSFS   317
 #define LOPT_AUTHPEER  318
+#define LOPT_IPSET 319
 
 #ifdef HAVE_GETOPT_LONG
 static const struct option opts[] =  
@@ -259,6 +260,7 @@ static const struct myoption opts[] =
 { auth-soa, 1, 0, LOPT_AUTHSOA },
 { auth-sec-servers, 1, 0, LOPT_AUTHSFS },
 { auth-peer, 1, 0, LOPT_AUTHPEER }, 
+{ ipset, 1, 0, LOPT_IPSET },
 { NULL, 0, 0, 0 }
   };
 
@@ -397,6 +399,7 @@ static struct {
   { LOPT_AUTHSOA, ARG_ONE, serial[,...], gettext_noop(Set authoritive 
zone information), NULL },
   { LOPT_AUTHSFS, ARG_DUP, NS[,NS...], gettext_noop(Secondary 
authoritative nameservers for forward domains), NULL },
   { LOPT_AUTHPEER, ARG_DUP, ipaddr[,ipaddr...], gettext_noop(Peers 
which are allowed to do zone transfer), NULL },
+  { LOPT_IPSET, ARG_DUP, /domain/ipset[,ipset...], 
gettext_noop(Specify ipsets to which matching domains should be added), NULL 
},
   { 0, 0, NULL, NULL, NULL }
 }; 
 
@@ -2021,6 +2024,67 @@ static int one_opt(int option, char *arg, char *errstr, 
char *gen_err, int comma
daemon-servers = newlist;
break;
   }
+case LOPT_IPSET:
+#if !defined(HAVE_IPSET)  !defined(HAVE_OLD_IPSET)
+

[Dnsmasq-discuss] [PATCH 1/3] ipset: Integrate ipset.c into build system.

Old kernels use HAVE_OLD_IPSET while newer kernels use HAVE_IPSET.
---
 Makefile  |   5 +-
 src/config.h  |   6 +++
 src/dnsmasq.h |   5 ++
 src/ipset.c   | 143 ++
 4 files changed, 157 insertions(+), 2 deletions(-)
 create mode 100644 src/ipset.c

diff --git a/Makefile b/Makefile
index c9cdb90..e0f6b90 100644
--- a/Makefile
+++ b/Makefile
@@ -59,13 +59,14 @@ ct_cflags =   `echo $(COPTS) | $(top)/bld/pkg-wrapper 
HAVE_CONNTRACK $(PKG_CONFI
 ct_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK 
$(PKG_CONFIG) --libs libnetfilter_conntrack`
 lua_cflags =  `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT 
$(PKG_CONFIG) --cflags lua5.1` 
 lua_libs =`echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT 
$(PKG_CONFIG) --libs lua5.1` 
+ipset_libs =  `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_IPSET $(PKG_CONFIG) 
--libs libmnl`
 sunos_libs =  `if uname | grep SunOS /dev/null 21; then echo -lsocket -lnsl 
-lposix4; fi`
 version = -DVERSION='\`$(top)/bld/get-version $(top)`\'
 
 objs = cache.o rfc1035.o util.o option.o forward.o network.o \
dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \
helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \
-   dhcp-common.o outpacket.o radv.o slaac.o auth.o
+   dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o
 
 hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \
dns-protocol.h radv-protocol.h
@@ -74,7 +75,7 @@ all : $(BUILDDIR)
@cd $(BUILDDIR)  $(MAKE) \
  top=$(top) \
  build_cflags=$(version) $(dbus_cflags) $(idn_cflags) $(ct_cflags) 
$(lua_cflags) \
- build_libs=$(dbus_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) \
+ build_libs=$(dbus_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(ipset_libs) 
$(sunos_libs) \
  -f $(top)/Makefile dnsmasq 
 
 clean :
diff --git a/src/config.h b/src/config.h
index cff278d..3959b6c 100644
--- a/src/config.h
+++ b/src/config.h
@@ -97,6 +97,12 @@ HAVE_CONNTRACK
a build-dependency on libnetfilter_conntrack, but the resulting binary will
still run happily on a kernel without conntrack support.
 
+HAVE_IPSET
+HAVE_OLD_IPSET
+define this to include the ability to selectively add resolved ip addresses
+to given ipsets. HAVE_IPSET for Linux = 2.6.32, and HAVE_OLD_IPSET for
+Linux = 2.6.16 or = 2.4.36.
+
 HAVE_AUTH
define this to include the facility to act as an authoritative DNS
server for one or more zones.
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 21a309c..f1dffe8 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -1117,6 +1117,11 @@ void emit_dbus_signal(int action, struct dhcp_lease 
*lease, char *hostname);
 #  endif
 #endif
 
+/* ipset.c */
+#if defined(HAVE_IPSET) || defined(HAVE_OLD_IPSET)
+int add_to_ipset(const char *setname, const struct all_addr *ipaddr, int af, 
int remove);
+#endif
+
 /* helper.c */
 #if defined(HAVE_SCRIPT)
 int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd);
diff --git a/src/ipset.c b/src/ipset.c
new file mode 100644
index 000..b241ed4
--- /dev/null
+++ b/src/ipset.c
@@ -0,0 +1,143 @@
+/* ipset.c is Copyright (c) 2013 Jason A. Donenfeld ja...@zx2c4.com. All 
Rights Reserved.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+ 
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+ 
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see http://www.gnu.org/licenses/.
+*/
+
+#include dnsmasq.h
+
+#if defined(HAVE_IPSET) || defined(HAVE_OLD_IPSET)
+#include string.h
+#include errno.h
+#include sys/types.h
+#include sys/socket.h
+#include arpa/inet.h
+#if defined(HAVE_IPSET)
+#include libmnl/libmnl.h
+#include linux/netfilter/nfnetlink.h
+#include linux/netfilter/ipset/ip_set.h
+#endif
+#endif
+
+/* ipaddr should be either in_addr or in6_addr in network byte order.
+ * In other words, verbatium of what is in the DNS record. If remove
+ * is non-zero, the requested ipaddr is removed instead of added. */
+#if defined(HAVE_IPSET)
+int add_to_ipset(const char *setname, const struct all_addr *ipaddr, int af, 
int remove)
+{
+   struct nlmsghdr *nlh;
+   struct nfgenmsg *nfg;
+   struct mnl_socket *mnl;
+   struct nlattr *nested[2];
+   char buffer[256];
+   int rc;
+   
+   rc = 0;
+
+   if (strlen(setname) = IPSET_MAXNAMELEN) {
+   errno = ENAMETOOLONG;
+   return -1;
+   }
+   if (af != AF_INET  af != AF_INET6) {
+   errno = EAFNOSUPPORT

[Dnsmasq-discuss] [PATCH 3/3] ipset: Update man page and example config to reflect new option.