[Dnsmasq-discuss] [PATCH] Connection track mark based DNS query filtering.
This extends query filtering support beyond what is currently possible with the `--ipset` configuration option, by adding support for: 1) Specifying allowlists on a per-client basis, based on their associated Linux connection track mark. 2) Dynamic configuration of allowlists via Ubus. 3) Reporting when a DNS query resolves or is rejected via Ubus. 4) DNS name patterns containing wildcards. Disallowed queries are not forwarded; they are rejected with a REFUSED error code. Signed-off-by: Etan Kissling --- Makefile | 2 +- man/dnsmasq.8 | 31 +++- src/dnsmasq.h | 25 +++- src/forward.c | 121 +++- src/option.c | 134 ++ src/pattern.c | 386 ++ src/rfc1035.c | 82 +++ src/ubus.c| 182 8 files changed, 955 insertions(+), 8 deletions(-) create mode 100644 src/pattern.c diff --git a/Makefile b/Makefile index 7d2afd1..cf41bc2 100644 --- a/Makefile +++ b/Makefile @@ -77,7 +77,7 @@ copts_conf = .copts_$(sum) objs = cache.o rfc1035.o util.o option.o forward.o network.o \ dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \ helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ - dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \ + dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o pattern.o \ domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \ poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o \ metrics.o hash_questions.o diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 index ac7c9fa..04d666d 100644 --- a/man/dnsmasq.8 +++ b/man/dnsmasq.8 
@@ -368,7 +368,10 @@ provides service at that name, rather than the default which is .TP .B --enable-ubus[=] Enable dnsmasq UBus interface. It sends notifications via UBus on -DHCPACK and DHCPRELEASE events. Furthermore it offers metrics. +DHCPACK and DHCPRELEASE events. Furthermore it offers metrics +and allows configuration of Linux connection track mark based filtering. +When DNS query filtering based on Linux connection track marks is enabled +UBus notifications are generated for each resolved or filtered DNS query. Requires that dnsmasq has been built with UBus support. If the service name is given, dnsmasq provides service at that namespace, rather than the default which is 
@@ -533,6 +536,32 @@ These IP sets must already exist. See .BR ipset (8) for more details. .TP +.B --connmark-allowlist-enable[=] +Enables filtering of incoming DNS queries with associated Linux connection track marks +according to individual allowlists configured via a series of \fB--connmark-allowlist\fP +options. Disallowed queries are not forwarded; they are rejected with a REFUSED error code. +DNS queries are only allowed if they do not have an associated Linux connection +track mark, or if the queried domains match the configured DNS patterns for the +associated Linux connection track mark. If no allowlist is configured for a +Linux connection track mark, all DNS queries associated with that mark are rejected. +If a mask is specified, Linux connection track marks are first bitwise ANDed +with the given mask before being processed. +.TP +.B --connmark-allowlist=[/][,[/...]] +Configures the DNS patterns that are allowed in DNS queries associated with +the given Linux connection track mark. +If a mask is specified, Linux connection track marks are first bitwise ANDed +with the given mask before they are compared to the given connection track mark. +Patterns follow the syntax of DNS names, but additionally allow the wildcard +character "*" to be used up to twice per label to match 0 or more characters +within that label. Note that the wildcard never matches a dot (e.g., "*.example.com" +matches "api.example.com" but not "api.us.example.com"). Patterns must be +fully qualified, i.e., consist of at least two labels. The final label must not be +fully numeric, and must not be the "local" pseudo-TLD. A pattern must end with at least +two literal (non-wildcard) labels. +Instead of a pattern, "*" can be specified to disable allowlist filtering +for a given Linux connection track mark entirely. +.TP .B \-m, --mx-host=[[,],] Return an MX record named pointing to the given hostname (if given), or diff --git a/src/dnsmasq.h b/src/dnsmasq.h index 914f469..852424d 100644 
--- a/src/dnsmasq.h +++ b/src/dnsmasq.h @@ -269,7 +269,8 @@ struct event_desc { #define OPT_IGNORE_CLID59 #define OPT_SINGLE_PORT60 #define OPT_LEASE_RENEW61 -#define OPT_LAST 62 +#define OPT_CMARK_ALST_EN 62 +#define OPT_LAST 63 #define OPTION_BITS (sizeof(unsigned int)*8) #define OPTION_SIZE ( (OPT_LAST/OPTION_BITS)+((OPT_LAST%OPTION_BITS)!=0) ) @@ -563,6 +564,12 @@ struct ipsets { struct ipsets *next; }; +struct allowlist { + uint32_t mark, mask; + char **patterns; + struct allowlist *next; +}; + struct irec {
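Review bot: the `--enable-ubus` text in the man page @@ -368 hunk says the interface now "allows configuration of Linux connection track mark based filtering", which means any process able to call the dnsmasq ubus object can replace a client's allowlist at runtime. The man page should name the ubus method(s) involved and state that ubus ACLs are what restrict who may loosen the filter; otherwise an operator cannot tell what to lock down.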
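Review bot: the `--connmark-allowlist-enable` text in the man page @@ -533 hunk leaves two decisions undocumented that determine whether the filter fails open. First, "do not have an associated Linux connection track mark" should say how that is detected: conntrack marks default to 0, so a client whose mark was never set, or whose mark becomes 0 after the optional mask is applied, would presumably be forwarded without any allowlist check. Second, when several `--connmark-allowlist` entries with different masks match the same masked mark, say whether the first entry wins or the patterns are unioned. Suggest one sentence for each, e.g. "A mark of 0 (after masking) is treated as no mark and is not filtered."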
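Review bot: in the dnsmasq.h @@ -563 hunk, `struct allowlist` declares `uint32_t mark, mask;` while the rest of the header uses dnsmasq's own `u32` (the v9 changelog later in this thread makes exactly that change), and `char **patterns` carries no length, so a comment should state that the array is NULL-terminated (or a count field should be added) before `pattern.c`, `option.c` and `ubus.c` all start walking it. The comment should also say that `mask` is the value the connmark is ANDed with before comparing to `mark`, since the same word is used for the global `--connmark-allowlist-enable` mask.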
[Dnsmasq-discuss] [PATCH] Connection track mark based DNS query filtering.
This extends query filtering support beyond what is currently possible with the `--ipset` configuration option, by adding support for: 1) Specifying allowlists on a per-client basis, based on their associated Linux connection track mark. 2) Dynamic configuration of allowlists via Ubus. 3) Reporting when a DNS query resolves or is rejected via Ubus. 4) DNS name patterns containing wildcards. Disallowed queries are not forwarded; they are rejected with a REFUSED error code. Signed-off-by: Etan Kissling --- Makefile | 2 +- man/dnsmasq.8 | 31 +++- src/dnsmasq.h | 25 +++- src/forward.c | 125 +++- src/option.c | 134 ++ src/pattern.c | 386 ++ src/rfc1035.c | 82 +++ src/ubus.c| 182 8 files changed, 959 insertions(+), 8 deletions(-) create mode 100644 src/pattern.c diff --git a/Makefile b/Makefile index 78e25f0..8c64438 100644 --- a/Makefile +++ b/Makefile @@ -75,7 +75,7 @@ copts_conf = .copts_$(sum) objs = cache.o rfc1035.o util.o option.o forward.o network.o \ dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \ helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ - dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \ + dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o pattern.o \ domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \ poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o metrics.o diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 index 7c6b405..a0dfe96 100644 --- a/man/dnsmasq.8 +++ b/man/dnsmasq.8 
@@ -368,7 +368,10 @@ provides service at that name, rather than the default which is .TP .B --enable-ubus[=] Enable dnsmasq UBus interface. It sends notifications via UBus on -DHCPACK and DHCPRELEASE events. Furthermore it offers metrics. +DHCPACK and DHCPRELEASE events. Furthermore it offers metrics +and allows configuration of Linux connection track mark based filtering. +When DNS query filtering based on Linux connection track marks is enabled +UBus notifications are generated for each resolved or filtered DNS query. Requires that dnsmasq has been built with UBus support. If the service name is given, dnsmasq provides service at that namespace, rather than the default which is 
@@ -533,6 +536,32 @@ These IP sets must already exist. See .BR ipset (8) for more details. .TP +.B --connmark-allowlist-enable[=] +Enables filtering of incoming DNS queries with associated Linux connection track marks +according to individual allowlists configured via a series of \fB--connmark-allowlist\fP +options. Disallowed queries are not forwarded; they are rejected with a REFUSED error code. +DNS queries are only allowed if they do not have an associated Linux connection +track mark, or if the queried domains match the configured DNS patterns for the +associated Linux connection track mark. If no allowlist is configured for a +Linux connection track mark, all DNS queries associated with that mark are rejected. +If a mask is specified, Linux connection track marks are first bitwise ANDed +with the given mask before being processed. +.TP +.B --connmark-allowlist=[/][,[/...]] +Configures the DNS patterns that are allowed in DNS queries associated with +the given Linux connection track mark. +If a mask is specified, Linux connection track marks are first bitwise ANDed +with the given mask before they are compared to the given connection track mark. +Patterns follow the syntax of DNS names, but additionally allow the wildcard +character "*" to be used up to twice per label to match 0 or more characters +within that label. Note that the wildcard never matches a dot (e.g., "*.example.com" +matches "api.example.com" but not "api.us.example.com"). Patterns must be +fully qualified, i.e., consist of at least two labels. The final label must not be +fully numeric, and must not be the "local" pseudo-TLD. A pattern must end with at least +two literal (non-wildcard) labels. +Instead of a pattern, "*" can be specified to disable allowlist filtering +for a given Linux connection track mark entirely. +.TP .B \-m, --mx-host=[[,],] Return an MX record named pointing to the given hostname (if given), or diff --git a/src/dnsmasq.h b/src/dnsmasq.h index 4d78c37..dcbe0ef 100644 
--- a/src/dnsmasq.h +++ b/src/dnsmasq.h @@ -269,7 +269,8 @@ struct event_desc { #define OPT_IGNORE_CLID59 #define OPT_SINGLE_PORT60 #define OPT_LEASE_RENEW61 -#define OPT_LAST 62 +#define OPT_CMARK_ALST_EN 62 +#define OPT_LAST 63 #define OPTION_BITS (sizeof(unsigned int)*8) #define OPTION_SIZE ( (OPT_LAST/OPTION_BITS)+((OPT_LAST%OPTION_BITS)!=0) ) @@ -563,6 +564,12 @@ struct ipsets { struct ipsets *next; }; +struct allowlist { + uint32_t mark, mask; + char **patterns; + struct allowlist *next; +}; + struct irec { union mysock
[Dnsmasq-discuss] [PATCH] Connection track mark based DNS query filtering.
This extends query filtering support beyond what is currently possible with the `--ipset` configuration option, by adding support for: 1) Specifying allowlists on a per-client basis, based on their associated Linux connection track mark. 2) Dynamic configuration of allowlists via Ubus. 3) Reporting when a DNS query resolves or is rejected via Ubus. 4) DNS name patterns containing wildcards. Disallowed queries are not forwarded; they are rejected with a REFUSED error code. Signed-off-by: Etan Kissling --- Makefile | 2 +- man/dnsmasq.8 | 31 +++- src/dnsmasq.h | 25 +++- src/forward.c | 123 +++- src/option.c | 134 ++ src/pattern.c | 386 ++ src/rfc1035.c | 82 +++ src/ubus.c| 182 8 files changed, 956 insertions(+), 9 deletions(-) create mode 100644 src/pattern.c diff --git a/Makefile b/Makefile index 7d2afd1..cf41bc2 100644 --- a/Makefile +++ b/Makefile @@ -77,7 +77,7 @@ copts_conf = .copts_$(sum) objs = cache.o rfc1035.o util.o option.o forward.o network.o \ dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \ helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ - dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \ + dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o pattern.o \ domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \ poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o \ metrics.o hash_questions.o diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 index ac7c9fa..04d666d 100644 --- a/man/dnsmasq.8 +++ b/man/dnsmasq.8 
@@ -368,7 +368,10 @@ provides service at that name, rather than the default which is .TP .B --enable-ubus[=] Enable dnsmasq UBus interface. It sends notifications via UBus on -DHCPACK and DHCPRELEASE events. Furthermore it offers metrics. +DHCPACK and DHCPRELEASE events. Furthermore it offers metrics +and allows configuration of Linux connection track mark based filtering. +When DNS query filtering based on Linux connection track marks is enabled +UBus notifications are generated for each resolved or filtered DNS query. Requires that dnsmasq has been built with UBus support. If the service name is given, dnsmasq provides service at that namespace, rather than the default which is 
@@ -533,6 +536,32 @@ These IP sets must already exist. See .BR ipset (8) for more details. .TP +.B --connmark-allowlist-enable[=] +Enables filtering of incoming DNS queries with associated Linux connection track marks +according to individual allowlists configured via a series of \fB--connmark-allowlist\fP +options. Disallowed queries are not forwarded; they are rejected with a REFUSED error code. +DNS queries are only allowed if they do not have an associated Linux connection +track mark, or if the queried domains match the configured DNS patterns for the +associated Linux connection track mark. If no allowlist is configured for a +Linux connection track mark, all DNS queries associated with that mark are rejected. +If a mask is specified, Linux connection track marks are first bitwise ANDed +with the given mask before being processed. +.TP +.B --connmark-allowlist=[/][,[/...]] +Configures the DNS patterns that are allowed in DNS queries associated with +the given Linux connection track mark. +If a mask is specified, Linux connection track marks are first bitwise ANDed +with the given mask before they are compared to the given connection track mark. +Patterns follow the syntax of DNS names, but additionally allow the wildcard +character "*" to be used up to twice per label to match 0 or more characters +within that label. Note that the wildcard never matches a dot (e.g., "*.example.com" +matches "api.example.com" but not "api.us.example.com"). Patterns must be +fully qualified, i.e., consist of at least two labels. The final label must not be +fully numeric, and must not be the "local" pseudo-TLD. A pattern must end with at least +two literal (non-wildcard) labels. +Instead of a pattern, "*" can be specified to disable allowlist filtering +for a given Linux connection track mark entirely. +.TP .B \-m, --mx-host=[[,],] Return an MX record named pointing to the given hostname (if given), or diff --git a/src/dnsmasq.h b/src/dnsmasq.h index 360c226..975cc2b 100644 
--- a/src/dnsmasq.h +++ b/src/dnsmasq.h @@ -269,7 +269,8 @@ struct event_desc { #define OPT_IGNORE_CLID59 #define OPT_SINGLE_PORT60 #define OPT_LEASE_RENEW61 -#define OPT_LAST 62 +#define OPT_CMARK_ALST_EN 62 +#define OPT_LAST 63 #define OPTION_BITS (sizeof(unsigned int)*8) #define OPTION_SIZE ( (OPT_LAST/OPTION_BITS)+((OPT_LAST%OPTION_BITS)!=0) ) @@ -563,6 +564,12 @@ struct ipsets { struct ipsets *next; }; +struct allowlist { + uint32_t mark, mask; + char **patterns; + struct allowlist *next; +}; + struct irec {
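The man page text in the postings above specifies the pattern syntax and the forward/REFUSED decision, but the matching code (src/pattern.c) is not shown here. The following is an added, stand-alone C model of those rules, not code from the patch: `split_labels`, `label_match`, `pattern_is_valid`, `pattern_matches`, `filter_query` and the sample allowlist are this example's own names, and the label alphabet, case-insensitive matching, and reading connmark 0 as "no mark" are assumptions.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>
#define MAX_LABELS 16

/* Split "a.b.c" into labels; returns the count, or -1 on an empty or oversized label. */
static int split_labels(const char *name, char labels[MAX_LABELS][64])
{
    int n = 0;
    for (;;) {
        size_t len = strcspn(name, ".");
        if (len == 0 || len >= 64 || n == MAX_LABELS)
            return -1;
        memcpy(labels[n], name, len);
        labels[n++][len] = '\0';
        if (name[len] == '\0' || name[len + 1] == '\0')   /* end, or trailing dot */
            return n;
        name += len + 1;
    }
}

/* Match one label; '*' matches zero or more characters. Case folding is assumed. */
static int label_match(const char *pat, const char *lab)
{
    if (*pat == '*') {                      /* try every suffix of lab, including "" */
        do if (label_match(pat + 1, lab)) return 1; while (*lab++);
        return 0;
    }
    if (!*pat || !*lab) return !*pat && !*lab;
    return tolower((unsigned char)*pat) == tolower((unsigned char)*lab)
           && label_match(pat + 1, lab + 1);
}

/* Validate one --connmark-allowlist pattern against the rules in the man page. */
int pattern_is_valid(const char *pattern)
{
    char l[MAX_LABELS][64];
    int n, i;
    if (strcmp(pattern, "*") == 0)          /* bare "*": no filtering for that mark */
        return 1;
    if ((n = split_labels(pattern, l)) < 2) /* fully qualified: two or more labels */
        return 0;
    for (i = 0; i < n; i++) {
        int stars = 0;
        for (const char *c = l[i]; *c; c++)
            if (*c == '*')
                stars++;
            else if (!isalnum((unsigned char)*c) && *c != '-' && *c != '_')
                return 0;                   /* assumed label alphabet: alnum, '-', '_' */
        if (stars > 2 || (stars && i >= n - 2)) /* <= 2 per label; last two literal */
            return 0;
    }
    if (strspn(l[n - 1], "0123456789") == strlen(l[n - 1])) /* fully numeric TLD */
        return 0;
    return !label_match("local", l[n - 1]); /* the "local" pseudo-TLD is rejected */
}

/* A wildcard never crosses a dot, so pattern and name must have equal label counts. */
int pattern_matches(const char *pattern, const char *name)
{
    char pl[MAX_LABELS][64], nl[MAX_LABELS][64];
    int pn = split_labels(pattern, pl), nn = split_labels(name, nl), i;
    if (pn < 1 || pn != nn)
        return 0;
    for (i = 0; i < pn; i++)
        if (!label_match(pl[i], nl[i]))
            return 0;
    return 1;
}

struct allowlist_entry {                    /* mask is 0xffffffff when "/mask" is omitted */
    uint32_t mark, mask; const char *const *patterns; size_t npatterns;
};
enum verdict { VERDICT_FORWARD, VERDICT_REFUSED };

/* Forward or REFUSE a query carrying connmark `mark`; `global_mask` is the optional
 * mask given to --connmark-allowlist-enable. */
enum verdict filter_query(uint32_t mark, uint32_t global_mask,
                          const struct allowlist_entry *lists, size_t nlists, const char *qname)
{
    size_t i, j;
    if (mark == 0)                          /* assumption: mark 0 means "no mark", */
        return VERDICT_FORWARD;             /* so unmarked clients are fail-open */
    mark &= global_mask;
    for (i = 0; i < nlists; i++) {
        if ((mark & lists[i].mask) != lists[i].mark)
            continue;
        for (j = 0; j < lists[i].npatterns; j++)
            if (!strcmp(lists[i].patterns[j], "*") || pattern_matches(lists[i].patterns[j], qname))
                return VERDICT_FORWARD;
    }
    return VERDICT_REFUSED;                 /* no list for this mark, or nothing matched */
}

/* Constructed sample: --connmark-allowlist=0x10/0xff,*.example.com,ntp.example.net
 * and --connmark-allowlist=0x20/0xff,* (the second mark is left unfiltered). */
static const char *const iot_patterns[] = { "*.example.com", "ntp.example.net" };
static const char *const open_patterns[] = { "*" };
static const struct allowlist_entry sample_lists[] = {
    { 0x10, 0xff, iot_patterns, 2 }, { 0x20, 0xff, open_patterns, 1 } };
enum verdict sample_decision(uint32_t mark, const char *qname)
{ return filter_query(mark, 0xffffffffu, sample_lists, 2, qname); }
```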
[Dnsmasq-discuss] [PATCH v4] Connection track mark based DNS query filtering.
This extends query filtering support beyond what is currently possible with the `--ipset` configuration option, by adding support for: 1) Specifying allowlists on a per-client basis, based on their associated Linux connection track mark. 2) Dynamic configuration of allowlists via Ubus. 3) Reporting when a DNS query resolves or is rejected via Ubus. 4) DNS name patterns containing wildcards. Disallowed queries are not forwarded; they are rejected with a REFUSED error code. Signed-off-by: Etan Kissling --- v2: Rebase to v2.83, and fix compilation when HAVE_UBUS not present. v3: Rebase to v2.84test2. v4: Rebase to v2.84rc2 (update copyright notice). Makefile | 2 +- man/dnsmasq.8 | 31 +++- src/dnsmasq.h | 25 +++- src/forward.c | 121 +++- src/option.c | 134 ++ src/pattern.c | 386 ++ src/rfc1035.c | 82 +++ src/ubus.c| 182 8 files changed, 955 insertions(+), 8 deletions(-) create mode 100644 src/pattern.c diff --git a/Makefile b/Makefile index e4c3f5c..506e56b 100644 --- a/Makefile +++ b/Makefile @@ -79,7 +79,7 @@ copts_conf = .copts_$(sum) objs = cache.o rfc1035.o util.o option.o forward.o network.o \ dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \ helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ - dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \ + dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o pattern.o \ domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \ poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o \ metrics.o hash_questions.o diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 index ac7c9fa..04d666d 100644 --- a/man/dnsmasq.8 +++ b/man/dnsmasq.8 
@@ -368,7 +368,10 @@ provides service at that name, rather than the default which is .TP .B --enable-ubus[=] Enable dnsmasq UBus interface. It sends notifications via UBus on -DHCPACK and DHCPRELEASE events. Furthermore it offers metrics. +DHCPACK and DHCPRELEASE events. Furthermore it offers metrics +and allows configuration of Linux connection track mark based filtering. +When DNS query filtering based on Linux connection track marks is enabled +UBus notifications are generated for each resolved or filtered DNS query. Requires that dnsmasq has been built with UBus support. If the service name is given, dnsmasq provides service at that namespace, rather than the default which is 
@@ -533,6 +536,32 @@ These IP sets must already exist. See .BR ipset (8) for more details. .TP +.B --connmark-allowlist-enable[=] +Enables filtering of incoming DNS queries with associated Linux connection track marks +according to individual allowlists configured via a series of \fB--connmark-allowlist\fP +options. Disallowed queries are not forwarded; they are rejected with a REFUSED error code. +DNS queries are only allowed if they do not have an associated Linux connection +track mark, or if the queried domains match the configured DNS patterns for the +associated Linux connection track mark. If no allowlist is configured for a +Linux connection track mark, all DNS queries associated with that mark are rejected. +If a mask is specified, Linux connection track marks are first bitwise ANDed +with the given mask before being processed. +.TP +.B --connmark-allowlist=[/][,[/...]] +Configures the DNS patterns that are allowed in DNS queries associated with +the given Linux connection track mark. +If a mask is specified, Linux connection track marks are first bitwise ANDed +with the given mask before they are compared to the given connection track mark. +Patterns follow the syntax of DNS names, but additionally allow the wildcard +character "*" to be used up to twice per label to match 0 or more characters +within that label. Note that the wildcard never matches a dot (e.g., "*.example.com" +matches "api.example.com" but not "api.us.example.com"). Patterns must be +fully qualified, i.e., consist of at least two labels. The final label must not be +fully numeric, and must not be the "local" pseudo-TLD. A pattern must end with at least +two literal (non-wildcard) labels. +Instead of a pattern, "*" can be specified to disable allowlist filtering +for a given Linux connection track mark entirely. +.TP .B \-m, --mx-host=[[,],] Return an MX record named pointing to the given hostname (if given), or diff --git a/src/dnsmasq.h b/src/dnsmasq.h index e770454..b48e433 100644 
--- a/src/dnsmasq.h +++ b/src/dnsmasq.h @@ -273,7 +273,8 @@ struct event_desc { #define OPT_IGNORE_CLID59 #define OPT_SINGLE_PORT60 #define OPT_LEASE_RENEW61 -#define OPT_LAST 62 +#define OPT_CMARK_ALST_EN 62 +#define OPT_LAST 63 #define OPTION_BITS (sizeof(unsigned int)*8) #define OPTION_SIZE ( (OPT_LAST/OPTION_BITS)+((OPT_LAST%OPTION_BITS)!=0) ) @@ -567,6 +568,12 @@ str
[Dnsmasq-discuss] [PATCH v8] Connection track mark based DNS query filtering.
This extends query filtering support beyond what is currently possible with the `--ipset` configuration option, by adding support for: 1) Specifying allowlists on a per-client basis, based on their associated Linux connection track mark. 2) Dynamic configuration of allowlists via Ubus. 3) Reporting when a DNS query resolves or is rejected via Ubus. 4) DNS name patterns containing wildcards. Disallowed queries are not forwarded; they are rejected with a REFUSED error code. Signed-off-by: Etan Kissling (addressed reviewer feedback) Signed-off-by: Etan Kissling --- v2: Rebase to v2.83, and fix compilation when HAVE_UBUS not present. v3: Rebase to v2.84test2. v4: Rebase to v2.84rc2 (update copyright notice). v5: Correct logging of `ubus_notify` errors (also in existing code). Etan Kissling : v6: Integrate checks for weird queries into `extract_request`. Skip Ubus reporting when daemon->namebuff is not initialized. Fix options parsing for mark / mask with bit 31 set. Disable filtering for external queries (`auth_dns && !local_auth`). Report all CNAME RRs via Ubus instead of just a (potential) subset. Avoid redundant `is_valid_dns_name` evaluations. Unify DNS name pattern matching logic across transports (UDP / TCP). v7: Fix typos and adjust code style to project. v8: Rebase to v2.85 (update options numbers). Makefile | 2 +- man/dnsmasq.8 | 31 +++- src/dnsmasq.h | 25 +++- src/forward.c | 134 +- src/option.c | 151 src/pattern.c | 386 ++ src/rfc1035.c | 77 +- src/ubus.c| 184 +++- 8 files changed, 980 insertions(+), 10 deletions(-) create mode 100644 src/pattern.c diff --git a/Makefile b/Makefile index e4c3f5c..506e56b 100644 --- a/Makefile +++ b/Makefile 
@@ -79,7 +79,7 @@ copts_conf = .copts_$(sum) objs = cache.o rfc1035.o util.o option.o forward.o network.o \ dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \ helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ - dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \ + dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o pattern.o \ domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \ poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o \ metrics.o hash_questions.o diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 index fce580f..8fe2534 100644 --- a/man/dnsmasq.8 +++ b/man/dnsmasq.8 @@ -371,7 +371,10 @@ provides service at that name, rather than the default which is .TP .B --enable-ubus[=] Enable dnsmasq UBus interface. It sends notifications via UBus on -DHCPACK and DHCPRELEASE events. Furthermore it offers metrics. +DHCPACK and DHCPRELEASE events. Furthermore it offers metrics +and allows configuration of Linux connection track mark based filtering. +When DNS query filtering based on Linux connection track marks is enabled +UBus notifications are generated for each resolved or filtered DNS query. Requires that dnsmasq has been built with UBus support. If the service name is given, dnsmasq provides service at that namespace, rather than the default which is 
@@ -536,6 +539,32 @@ These IP sets must already exist. See .BR ipset (8) for more details. .TP +.B --connmark-allowlist-enable[=] +Enables filtering of incoming DNS queries with associated Linux connection track marks +according to individual allowlists configured via a series of \fB--connmark-allowlist\fP +options. Disallowed queries are not forwarded; they are rejected with a REFUSED error code. +DNS queries are only allowed if they do not have an associated Linux connection +track mark, or if the queried domains match the configured DNS patterns for the +associated Linux connection track mark. If no allowlist is configured for a +Linux connection track mark, all DNS queries associated with that mark are rejected. +If a mask is specified, Linux connection track marks are first bitwise ANDed +with the given mask before being processed. +.TP +.B --connmark-allowlist=[/][,[/...]] +Configures the DNS patterns that are allowed in DNS queries associated with +the given Linux connection track mark. +If a mask is specified, Linux connection track marks are first bitwise ANDed +with the given mask before they are compared to the given connection track mark. +Patterns follow the syntax of DNS names, but additionally allow the wildcard +character "*" to be used up to twice per label to match 0 or more characters +within that label. Note that the wildcard never matches a dot (e.g., "*.example.com" +matches "api.example.com" but not "api.us.example.com"). Patterns must be +fully qualified, i.e., consist of at least two labels. The final label must not be +fully numeric, and must not be the "local" pseudo-TLD. A pattern must end with at least +two literal (non-wildcard) labels. +Instead of a pattern, &qu
[Dnsmasq-discuss] [PATCH v4] openwrt: Integration of connmark based DNS filtering
This integrates the proposed Dnsmasq patch from email: - [PATCH v5] dnsmasq: connection track mark based DNS query filtering into OpenWrt 21.02. Signed-off-by: Etan Kissling (updated to latest patch) Signed-off-by: Etan Kissling --- Etan Kissling : v2: Update to v6 of underlying dnsmasq patch. v3: Update to v7 of underlying dnsmasq patch. v4: Update to v8 of underlying dnsmasq patch. .../services/dnsmasq/files/dnsmasq.init | 12 + ...track-mark-based-DNS-query-filtering.patch | 1321 + 2 files changed, 1333 insertions(+) create mode 100644 package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init index 680e72f..b46988f 100644 --- a/package/network/services/dnsmasq/files/dnsmasq.init +++ b/package/network/services/dnsmasq/files/dnsmasq.init @@ -172,6 +172,10 @@ append_ipset() { xappend "--ipset=$1" } +append_connmark_allowlist() { + xappend "--connmark-allowlist=$1" +} + append_interface() { network_get_device ifname "$1" || ifname="$1" xappend "--interface=$ifname" @@ -913,6 +917,14 @@ dnsmasq_start() config_list_foreach "$cfg" "rev_server" append_rev_server config_list_foreach "$cfg" "address" append_address config_list_foreach "$cfg" "ipset" append_ipset + + local connmark_allowlist_enable + config_get connmark_allowlist_enable "$cfg" connmark_allowlist_enable 0 + [ "$connmark_allowlist_enable" -gt 0 ] && { + append_parm "$cfg" "connmark_allowlist_enable" "--connmark-allowlist-enable" + config_list_foreach "$cfg" "connmark_allowlist" append_connmark_allowlist + } + [ -n "$BOOT" ] || { config_list_foreach "$cfg" "interface" append_interface config_list_foreach "$cfg" "notinterface" append_notinterface 
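Review bot: in the second dnsmasq.init hunk (@@ -913), `[ "$connmark_allowlist_enable" -gt 0 ]` only accepts a decimal integer; a mask written in hex (the v6 changelog's "mark / mask with bit 31 set" fix suggests values such as 0x80000000 are expected) makes `test` fail with a non-numeric error, so the whole block is skipped and filtering silently stays off. Also, because the value is passed through `append_parm` as the option argument, the uci option is effectively the mask from `--connmark-allowlist-enable[=<mask>]`, not a boolean, and a user who sets it to 1 to "enable" gets mask 1. Suggest `[ -n "$connmark_allowlist_enable" ] && [ "$connmark_allowlist_enable" != 0 ]` and a comment stating that the option value is the connmark mask.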
diff --git a/package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch b/package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch new file mode 100644 index 000..3e592b5 --- /dev/null +++ b/package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch 
@@ -0,0 +1,1321 @@ +From 01673a781ed5f9a9e3d431a9f45ce5cc85ac52a6 Mon Sep 17 00:00:00 2001 +From: Etan Kissling +Date: Tue, 12 Jan 2021 10:51:21 +0100 +Subject: [PATCH v8] Connection track mark based DNS query filtering. + +This extends query filtering support beyond what is currently possible +with the `--ipset` configuration option, by adding support for: +1) Specifying allowlists on a per-client basis, based on their + associated Linux connection track mark. +2) Dynamic configuration of allowlists via Ubus. +3) Reporting when a DNS query resolves or is rejected via Ubus. +4) DNS name patterns containing wildcards. + +Disallowed queries are not forwarded; they are rejected +with a REFUSED error code. + +Signed-off-by: Etan Kissling +(addressed reviewer feedback) +Signed-off-by: Etan Kissling +--- +v2: Rebase to v2.83, and fix compilation when HAVE_UBUS not present. +v3: Rebase to v2.84test2. +v4: Rebase to v2.84rc2 (update copyright notice). +v5: Correct logging of `ubus_notify` errors (also in existing code). + +Etan Kissling : +v6: Integrate checks for weird queries into `extract_request`. +Skip Ubus reporting when daemon->namebuff is not initialized. +Fix options parsing for mark / mask with bit 31 set. +Disable filtering for external queries (`auth_dns && !local_auth`). +Report all CNAME RRs via Ubus instead of just a (potential) subset. +Avoid redundant `is_valid_dns_name` evaluations. +Unify DNS name pattern matching logic across transports (UDP / TCP). +v7: Fix typos and adjust code style to project. +v8: Rebase to v2.85 (update options numbers). 
+ + Makefile | 2 +- + man/dnsmasq.8 | 31 +++- + src/dnsmasq.h | 25 +++- + src/forward.c | 134 +- + src/option.c | 151 + src/pattern.c | 386 ++ + src/rfc1035.c | 77 +- + src/ubus.c| 184 +++- + 8 files changed, 980 insertions(+), 10 deletions(-) + create mode 100644 src/pattern.c + +diff --git a/Makefile b/Makefile +index e4c3f5c..506e56b 100644 +--- a/Makefile b/Makefile +@@ -79,7 +79,7 @@ copts_conf = .copts_$(sum) + objs = cache.o rfc1035.o util.o option.o forward.o network.o \ +dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \ +helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ +- dhcp-common.o ou
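Review bot: in the dnsmasq_start hunk, `[ "$connmark_allowlist_enable" -gt 0 ]` only works for a numeric value; a UCI boolean written as `true`, `on` or `yes` makes `[` fail with an "invalid number" error, the `&& { ... }` block is skipped, and filtering is silently left off with no indication in the generated config. Read the option with `config_get_bool` for the on/off decision, and document that the same value is then handed to `append_parm` for `--connmark-allowlist-enable`, so whatever number is configured also becomes the mask the man page describes.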
Re: [Dnsmasq-discuss] [PATCH v8] Connection track mark based DNS query filtering.
> On 16 Jun 2021, at 10:45, john doe wrote:
>
> Where's the v1?

Full history:

v1: https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014595.html
v2: https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014601.html
v3: https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014631.html
v4: https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014660.html
v5: https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014726.html
v6: https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q2/015037.html
v7: https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q2/015039.html
v8: https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q2/015140.html

Etan

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
[Dnsmasq-discuss] [PATCH v9] Connection track mark based DNS query filtering.
This extends query filtering support beyond what is currently possible with the `--ipset` configuration option, by adding support for: 1) Specifying allowlists on a per-client basis, based on their associated Linux connection track mark. 2) Dynamic configuration of allowlists via Ubus. 3) Reporting when a DNS query resolves or is rejected via Ubus. 4) DNS name patterns containing wildcards. Disallowed queries are not forwarded; they are rejected with a REFUSED error code. Signed-off-by: Etan Kissling (addressed reviewer feedback) Signed-off-by: Etan Kissling --- v2: Rebase to v2.83, and fix compilation when HAVE_UBUS not present. v3: Rebase to v2.84test2. v4: Rebase to v2.84rc2 (update copyright notice). v5: Correct logging of `ubus_notify` errors (also in existing code). Etan Kissling : v6: Integrate checks for weird queries into `extract_request`. Skip Ubus reporting when daemon->namebuff is not initialized. Fix options parsing for mark / mask with bit 31 set. Disable filtering for external queries (`auth_dns && !local_auth`). Report all CNAME RRs via Ubus instead of just a (potential) subset. Avoid redundant `is_valid_dns_name` evaluations. Unify DNS name pattern matching logic across transports (UDP / TCP). v7: Fix typos and adjust code style to project. v8: Rebase to v2.85 (update options numbers). v9: Rebase to v2.86test2 (options, setup_reply, uint32_t -> u32). Fix strtoul_check for sizeof(long) > sizeof(u32), and generic errno. Makefile | 2 +- man/dnsmasq.8 | 31 +++- src/dnsmasq.h | 25 +++- src/forward.c | 143 ++- src/option.c | 142 ++- src/pattern.c | 386 ++ src/rfc1035.c | 77 +- src/ubus.c| 184 +++- 8 files changed, 978 insertions(+), 12 deletions(-) create mode 100644 src/pattern.c diff --git a/Makefile b/Makefile index 367cd26..0cd592e 100644 --- a/Makefile +++ b/Makefile 
@@ -79,7 +79,7 @@ copts_conf = .copts_$(sum) objs = cache.o rfc1035.o util.o option.o forward.o network.o \ dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \ helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ - dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \ + dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o pattern.o \ domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \ poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o \ metrics.o hash-questions.o domain-match.o diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 index e6bc6f0..ea8457b 100644 --- a/man/dnsmasq.8 +++ b/man/dnsmasq.8 @@ -371,7 +371,10 @@ provides service at that name, rather than the default which is .TP .B --enable-ubus[=] Enable dnsmasq UBus interface. It sends notifications via UBus on -DHCPACK and DHCPRELEASE events. Furthermore it offers metrics. +DHCPACK and DHCPRELEASE events. Furthermore it offers metrics +and allows configuration of Linux connection track mark based filtering. +When DNS query filtering based on Linux connection track marks is enabled +UBus notifications are generated for each resolved or filtered DNS query. Requires that dnsmasq has been built with UBus support. If the service name is given, dnsmasq provides service at that namespace, rather than the default which is 
@@ -536,6 +539,32 @@ These IP sets must already exist. See .BR ipset (8) for more details. .TP +.B --connmark-allowlist-enable[=] +Enables filtering of incoming DNS queries with associated Linux connection track marks +according to individual allowlists configured via a series of \fB--connmark-allowlist\fP +options. Disallowed queries are not forwarded; they are rejected with a REFUSED error code. +DNS queries are only allowed if they do not have an associated Linux connection +track mark, or if the queried domains match the configured DNS patterns for the +associated Linux connection track mark. If no allowlist is configured for a +Linux connection track mark, all DNS queries associated with that mark are rejected. +If a mask is specified, Linux connection track marks are first bitwise ANDed +with the given mask before being processed. +.TP +.B --connmark-allowlist=[/][,[/...]] +Configures the DNS patterns that are allowed in DNS queries associated with +the given Linux connection track mark. +If a mask is specified, Linux connection track marks are first bitwise ANDed +with the given mask before they are compared to the given connection track mark. +Patterns follow the syntax of DNS names, but additionally allow the wildcard +character "*" to be used up to twice per label to match 0 or more characters +within that label. Note that the wildcard never matches a dot (e.g., "*.example.com" +matches "api.example.com" but not "api.us.example.com"). Patterns must be +fully qualified, i.e., consist of at least two labels. The final label must not
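Review bot: in the `--connmark-allowlist-enable` man page text, "DNS queries are only allowed if they do not have an associated Linux connection track mark" leaves two cases undocumented: whether a mark that becomes 0 after the mask is applied counts as "no mark" (and is therefore allowed without any allowlist), and what happens when the conntrack lookup itself fails. Both are fail-open paths for what is otherwise a default-deny allowlist, so the man page should spell out the behaviour for each (and the code should make the lookup-failure case an explicit decision rather than whatever the zero-initialised mark happens to do).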
[Dnsmasq-discuss] [PATCH v5] openwrt: Integration of connmark based DNS filtering
This integrates the proposed Dnsmasq patch from email: - [PATCH v5] dnsmasq: connection track mark based DNS query filtering into OpenWrt 21.02. Signed-off-by: Etan Kissling (updated to latest patch) Signed-off-by: Etan Kissling --- Etan Kissling : v2: Update to v6 of underlying dnsmasq patch. v3: Update to v7 of underlying dnsmasq patch. v4: Update to v8 of underlying dnsmasq patch. v5: Update to v9 of underlying dnsmasq patch (requires v2.86test2). .../services/dnsmasq/files/dnsmasq.init | 12 + ...track-mark-based-DNS-query-filtering.patch | 1328 + 2 files changed, 1340 insertions(+) create mode 100644 package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init index 680e72f..b46988f 100644 --- a/package/network/services/dnsmasq/files/dnsmasq.init +++ b/package/network/services/dnsmasq/files/dnsmasq.init @@ -172,6 +172,10 @@ append_ipset() { xappend "--ipset=$1" } +append_connmark_allowlist() { + xappend "--connmark-allowlist=$1" +} + append_interface() { network_get_device ifname "$1" || ifname="$1" xappend "--interface=$ifname" @@ -913,6 +917,14 @@ dnsmasq_start() config_list_foreach "$cfg" "rev_server" append_rev_server config_list_foreach "$cfg" "address" append_address config_list_foreach "$cfg" "ipset" append_ipset + + local connmark_allowlist_enable + config_get connmark_allowlist_enable "$cfg" connmark_allowlist_enable 0 + [ "$connmark_allowlist_enable" -gt 0 ] && { + append_parm "$cfg" "connmark_allowlist_enable" "--connmark-allowlist-enable" + config_list_foreach "$cfg" "connmark_allowlist" append_connmark_allowlist + } + [ -n "$BOOT" ] || { config_list_foreach "$cfg" "interface" append_interface config_list_foreach "$cfg" "notinterface" append_notinterface 
diff --git a/package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch b/package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch new file mode 100644 index 000..5a141a9 --- /dev/null +++ b/package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch 
@@ -0,0 +1,1328 @@ +From 59d2c8997037affe99c5d58da95ef8cb663e10e7 Mon Sep 17 00:00:00 2001 +From: Etan Kissling +Date: Tue, 12 Jan 2021 10:51:21 +0100 +Subject: [PATCH v9] Connection track mark based DNS query filtering. + +This extends query filtering support beyond what is currently possible +with the `--ipset` configuration option, by adding support for: +1) Specifying allowlists on a per-client basis, based on their + associated Linux connection track mark. +2) Dynamic configuration of allowlists via Ubus. +3) Reporting when a DNS query resolves or is rejected via Ubus. +4) DNS name patterns containing wildcards. + +Disallowed queries are not forwarded; they are rejected +with a REFUSED error code. + +Signed-off-by: Etan Kissling +(addressed reviewer feedback) +Signed-off-by: Etan Kissling +--- +v2: Rebase to v2.83, and fix compilation when HAVE_UBUS not present. +v3: Rebase to v2.84test2. +v4: Rebase to v2.84rc2 (update copyright notice). +v5: Correct logging of `ubus_notify` errors (also in existing code). + +Etan Kissling : +v6: Integrate checks for weird queries into `extract_request`. +Skip Ubus reporting when daemon->namebuff is not initialized. +Fix options parsing for mark / mask with bit 31 set. +Disable filtering for external queries (`auth_dns && !local_auth`). +Report all CNAME RRs via Ubus instead of just a (potential) subset. +Avoid redundant `is_valid_dns_name` evaluations. +Unify DNS name pattern matching logic across transports (UDP / TCP). +v7: Fix typos and adjust code style to project. +v8: Rebase to v2.85 (update options numbers). +v9: Rebase to v2.86test2 (options, setup_reply, uint32_t -> u32). +Fix strtoul_check for sizeof(long) > sizeof(u32), and generic errno. 
+ + Makefile | 2 +- + man/dnsmasq.8 | 31 +++- + src/dnsmasq.h | 25 +++- + src/forward.c | 143 ++- + src/option.c | 142 ++- + src/pattern.c | 386 ++ + src/rfc1035.c | 77 +- + src/ubus.c| 184 +++- + 8 files changed, 978 insertions(+), 12 deletions(-) + create mode 100644 src/pattern.c + +diff --git a/Makefile b/Makefile +index 367cd26..0cd592e 100644 +--- a/Makefile b/Makefile +@@ -79,7 +79,7 @@ copts_conf = .copts_$(sum) + objs
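Review bot: the commit message says the embedded patch now requires dnsmasq v2.86test2, but the diffstat touches only dnsmasq.init and the new 300-*.patch, with no version or hash bump of the dnsmasq package; on a 21.02 tree still at the earlier release the quilt patch will fail to apply, since its Makefile hunk is rebased on the 2.86test2 object list. Either include the package version bump in the same change or name the prerequisite commit in the message so the dependency is visible to whoever backports this.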
Re: [Dnsmasq-discuss] Can not add query results to ipset after v2.86test2
From: Dnsmasq-discuss on behalf of Xingcong Li

> Hello, I found the commit 627056febbf1b08e3028700184ee2f6c7ae799c6 breaks the
> legacy support of ipset.

Thanks for catching this! Appreciate it.

> In commit 627056febb there is no "searching ipset now" in running logs. The
> return value of extract_request() is 0. It is possible that forwarded DNS
> queries are not allowed to be added to ipset.

This was an unintended regression because of some incorrect assumptions regarding the callers of `extract_request`. I'll submit a patch to fix.

Etan
[Dnsmasq-discuss] [PATCH] Fix ipset support.
This fixes a problem with ipset processing that got recently introduced when `extract_request` filtering was tightened. During the recent change an incorrect assumption was made that `extract_request` was only called for requests but with ipset it is also called when processing responses. The fix ensures that the new filters only apply to requests (QR=0 @ hdr) Signed-off-by: Etan Kissling --- src/rfc1035.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/rfc1035.c b/src/rfc1035.c index a163919..9f4504e 100644 --- a/src/rfc1035.c +++ b/src/rfc1035.c @@ -982,10 +982,12 @@ unsigned int extract_request(struct dns_header *header, size_t qlen, char *name, *name = 0; /* return empty name if no query found. */ - if (ntohs(header->qdcount) != 1 || OPCODE(header) != QUERY || - ntohs(header->ancount) != 0 || ntohs(header->nscount) != 0) + if (ntohs(header->qdcount) != 1 || OPCODE(header) != QUERY) return 0; /* must be exactly one query. */ + if (!(header->hb3 & HB3_QR) && (ntohs(header->ancount) != 0 || ntohs(header->nscount) != 0)) +return 0; /* non-standard query. */ + if (!extract_name(header, qlen, , name, 1, 4)) return 0; /* bad packet */ -- 2.30.1 (Apple Git-130) ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
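Review bot: the relaxed check is right for the ipset response path, but after the split the first condition's comment still reads "must be exactly one query" while it now only enforces qdcount and opcode, and the new `!(header->hb3 & HB3_QR) && (ancount != 0 || nscount != 0)` line is what actually rejects requests carrying answer or authority RRs; reword the two comments ("exactly one question", "requests must not carry answer/authority RRs") so the intent survives the next edit. Also worth a one-line comment that arcount is deliberately unchecked in both branches, because EDNS0 OPT records live in the additional section; a later "tightening" that adds `arcount != 0` would refuse every EDNS client.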
Re: [Dnsmasq-discuss] [PATCH v5] openwrt: Integration of connmark based DNS filtering
> On 16 Jun 2021, at 23:56, Etan Kissling wrote:
>
> This integrates the proposed Dnsmasq patch from email:
> - [PATCH v5] dnsmasq: connection track mark based DNS query filtering
> into OpenWrt 21.02.
>
> Signed-off-by: Etan Kissling
> (updated to latest patch)
> Signed-off-by: Etan Kissling
> ---
> Etan Kissling :
> v2: Update to v6 of underlying dnsmasq patch.
> v3: Update to v7 of underlying dnsmasq patch.
> v4: Update to v8 of underlying dnsmasq patch.
> v5: Update to v9 of underlying dnsmasq patch (requires v2.86test2).

This has been accepted into OpenWrt master.

https://git.openwrt.org/?p=openwrt/openwrt.git;a=commitdiff;h=dea4bae7c2b963af02e1e3e3bdb5cd656a5ea3d3

Etan
[Dnsmasq-discuss] [PATCH] Do not crash when Ubus connection fails.
When using multiple dnsmasq instances Ubus only connects on one of them. Since 3c93e8eb41952a9c91699386132d6fe83050e9be dnsmasq crashes instead. This change avoids the crash, leading to a graceful retry + error log. Signed-off-by: Etan Kissling --- src/dnsmasq.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/dnsmasq.c b/src/dnsmasq.c index 04582da..2b4291b 100644 --- a/src/dnsmasq.c +++ b/src/dnsmasq.c @@ -449,10 +449,8 @@ int main (int argc, char **argv) if (option_bool(OPT_UBUS)) #ifdef HAVE_UBUS { - char *err; daemon->ubus = NULL; - if ((err = ubus_init())) - die(_("UBus error: %s"), err, EC_MISC); + (void) ubus_init(); /* Logging not set up yet. */ } #else die(_("UBus not available: set HAVE_UBUS in src/config.h"), NULL, EC_BADCONF); -- 2.30.1 (Apple Git-130) ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
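Review bot: `(void) ubus_init(); /* Logging not set up yet. */` drops the returned error string entirely, so a genuinely fatal condition (the case the removed `die(_("UBus error: %s"), err, EC_MISC)` handled) becomes indistinguishable from a transient "ubusd not reachable yet" failure and is retried every pass through the event loop without a single message. Since logging is not available at this point in main(), the cleaner fix belongs in ubus_init(): return NULL and leave daemon->ubus NULL for a retryable connect failure, and return an error string only for non-recoverable problems, so main() can keep the `die()` for the latter.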
Re: [Dnsmasq-discuss] [PATCH] Do not crash when Ubus connection fails.
On 27.06.21, 19:48, "Simon Kelley" wrote:

> My change made the ubus code work in the same way as DBus. It expects
> that ubus_init() will return a non-NULL error report if something
> unexpected and nasty happened. (maybe a configuration that can never
> work.) If the Ubus connection cannot be made, but that's expected to
> change then ubus_init() should return NULL, and leave daemon->ubus set
> to NULL. In that case ubus_init() will be called again, and can either
> succeed, leave daemon->ubus still as NULL (in which case it will be
> called again and again) or return a fatal error, which can by now
> only be logged. ubus_init() will continue to be called each time through
> the event loop.

Thanks for the really detailed explanations behind the change.

It seems to me that basically, trying to run multiple dnsmasq instances with the same Ubus is not something that ever was supposed to work. Technically, as some of the instances quit, a different one could take over the Ubus connection, but this smells like "doing it incorrectly" in many ways.

I will try to get the embedding project fixed to no longer try to register multiple dnsmasq instances with the same Ubus instance name. This does not seem to have been right to begin with, entering "undefined behavior" territory, and now with the change it seems said "undefined behavior" decided to change.

It makes total sense to me to pick consistency with DBus over trying to preserve bug compatibility with client projects, so I no longer see a reason that this patch should be applied to dnsmasq.

> Looking in src/ubus.c, there seems to be a mechanism to reconnect to the
> ubus, and if that fails, daemon->ubus can end up as NULL again, having
> been set up correctly beforehand, so that ubus_init() will start to get
> called again. That code path feels dodgy, and it would be nice to see
> what actually happens when it's run.
>
> Looking again, there's also a code path in check_ubus_listeners() that
> can delete the ubus connection and set daemon->ubus back to NULL. That
> will start calls to ubus_init() again. I wonder if that is correct?

I'm not familiar enough with that area to comment on this.

Thanks!

Etan
Re: [Dnsmasq-discuss] [PATCH] Do not crash when Ubus connection fails.
On 27.06.21, 22:56, "Simon Kelley" wrote:

> I've committed 8a1ef367e27e570cac40d3b09920a4a60c5f7e0b which has the
> same effect as your patch, but modifies the ubus code, and contains a
> note that this needs to be looked at by someone who knows. It
> more-or-less restores the status-quo ante, which helps the immediate
> problem. In looking at the long term fix, please submit or cause to
> be submitted, better patches if they exist.

Thanks for this. While this is indeed more like fixing "symptoms" it still gives more time to find better solutions on the client side.

> It might be worth pointing out that you can change the instance name
>
> --enable-ubus=dnsmasq-2
>
> if that helps.

This is very useful. Thanks!

Etan
[Dnsmasq-discuss] [PATCH v6] Connection track mark based DNS query filtering.
This extends query filtering support beyond what is currently possible with the `--ipset` configuration option, by adding support for: 1) Specifying allowlists on a per-client basis, based on their associated Linux connection track mark. 2) Dynamic configuration of allowlists via Ubus. 3) Reporting when a DNS query resolves or is rejected via Ubus. 4) DNS name patterns containing wildcards. Disallowed queries are not forwarded; they are rejected with a REFUSED error code. Signed-off-by: Etan Kissling (addressed reviewer feedback) Signed-off-by: Etan Kissling --- v2: Rebase to v2.83, and fix compilation when HAVE_UBUS not present. v3: Rebase to v2.84test2. v4: Rebase to v2.84rc2 (update copyright notice). v5: Correct logging of `ubus_notify` errors (also in existing code). Etan Kissling : v6: Integrate checks for weird queries into `extract_request`. Skip Ubus reporting when daemon->namebuff is not initialized. Fix options parsing for mark / mask with bit 31 set. Disable filtering for external queries (`auth_dns && !local_auth`). Report all CNAME RRs via Ubus instead of just a (potential) subset. Avoid redundant `is_valid_dns_name` evaluations. Unify DNS name pattern matching logic across transports (UDP / TCP). Makefile | 2 +- man/dnsmasq.8 | 31 +++- src/dnsmasq.h | 25 +++- src/forward.c | 134 +- src/option.c | 151 src/pattern.c | 386 ++ src/rfc1035.c | 77 +- src/ubus.c| 184 +++- 8 files changed, 980 insertions(+), 10 deletions(-) create mode 100644 src/pattern.c diff --git a/Makefile b/Makefile index e4c3f5c..506e56b 100644 --- a/Makefile +++ b/Makefile 
@@ -79,7 +79,7 @@ copts_conf = .copts_$(sum) objs = cache.o rfc1035.o util.o option.o forward.o network.o \ dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \ helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ - dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \ + dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o pattern.o \ domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \ poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o \ metrics.o hash_questions.o diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 index ac7c9fa..04d666d 100644 --- a/man/dnsmasq.8 +++ b/man/dnsmasq.8 @@ -368,7 +368,10 @@ provides service at that name, rather than the default which is .TP .B --enable-ubus[=] Enable dnsmasq UBus interface. It sends notifications via UBus on -DHCPACK and DHCPRELEASE events. Furthermore it offers metrics. +DHCPACK and DHCPRELEASE events. Furthermore it offers metrics +and allows configuration of Linux connection track mark based filtering. +When DNS query filtering based on Linux connection track marks is enabled +UBus notifications are generated for each resolved or filtered DNS query. Requires that dnsmasq has been built with UBus support. If the service name is given, dnsmasq provides service at that namespace, rather than the default which is 
@@ -533,6 +536,32 @@ These IP sets must already exist. See .BR ipset (8) for more details. .TP +.B --connmark-allowlist-enable[=] +Enables filtering of incoming DNS queries with associated Linux connection track marks +according to individual allowlists configured via a series of \fB--connmark-allowlist\fP +options. Disallowed queries are not forwarded; they are rejected with a REFUSED error code. +DNS queries are only allowed if they do not have an associated Linux connection +track mark, or if the queried domains match the configured DNS patterns for the +associated Linux connection track mark. If no allowlist is configured for a +Linux connection track mark, all DNS queries associated with that mark are rejected. +If a mask is specified, Linux connection track marks are first bitwise ANDed +with the given mask before being processed. +.TP +.B --connmark-allowlist=[/][,[/...]] +Configures the DNS patterns that are allowed in DNS queries associated with +the given Linux connection track mark. +If a mask is specified, Linux connection track marks are first bitwise ANDed +with the given mask before they are compared to the given connection track mark. +Patterns follow the syntax of DNS names, but additionally allow the wildcard +character "*" to be used up to twice per label to match 0 or more characters +within that label. Note that the wildcard never matches a dot (e.g., "*.example.com" +matches "api.example.com" but not "api.us.example.com"). Patterns must be +fully qualified, i.e., consist of at least two labels. The final label must not be +fully numeric, and must not be the "local" pseudo-TLD. A pattern must end with at least +two literal (non-wildcard) labels. +Instead of a pattern, "*" can be specified to disable allowlist filtering +for a given Linux connection t
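Review bot: the Makefile hunk links `pattern.o` unconditionally while the feature itself is only compiled under HAVE_CONNTRACK (see the `#ifdef HAVE_CONNTRACK` guards discussed in the v4 review); that is fine if pattern.c wraps its body in the same guard or is genuinely standalone, but please confirm so builds without conntrack do not carry dead code. In the man page text, the limits "up to twice per label" and "must end with at least two literal (non-wildcard) labels" read as arbitrary without a reason; a short sentence that they bound matching cost per query (the matcher runs on every incoming query from a marked client) will stop them being relaxed later.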
[Dnsmasq-discuss] [PATCH v3] openwrt: Integration of connmark based DNS filtering
This integrates the proposed Dnsmasq patch from email: - [PATCH v5] dnsmasq: connection track mark based DNS query filtering into OpenWrt 21.02. Signed-off-by: Etan Kissling (updated to latest patch) Signed-off-by: Etan Kissling --- Etan Kissling : v2: Update to v6 of underlying dnsmasq patch. v3: Update to v7 of underlying dnsmasq patch. .../services/dnsmasq/files/dnsmasq.init | 12 + ...track-mark-based-DNS-query-filtering.patch | 1320 + 2 files changed, 1332 insertions(+) create mode 100644 package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init index 680e72f..b46988f 100644 --- a/package/network/services/dnsmasq/files/dnsmasq.init +++ b/package/network/services/dnsmasq/files/dnsmasq.init @@ -172,6 +172,10 @@ append_ipset() { xappend "--ipset=$1" } +append_connmark_allowlist() { + xappend "--connmark-allowlist=$1" +} + append_interface() { network_get_device ifname "$1" || ifname="$1" xappend "--interface=$ifname" @@ -913,6 +917,14 @@ dnsmasq_start() config_list_foreach "$cfg" "rev_server" append_rev_server config_list_foreach "$cfg" "address" append_address config_list_foreach "$cfg" "ipset" append_ipset + + local connmark_allowlist_enable + config_get connmark_allowlist_enable "$cfg" connmark_allowlist_enable 0 + [ "$connmark_allowlist_enable" -gt 0 ] && { + append_parm "$cfg" "connmark_allowlist_enable" "--connmark-allowlist-enable" + config_list_foreach "$cfg" "connmark_allowlist" append_connmark_allowlist + } + [ -n "$BOOT" ] || { config_list_foreach "$cfg" "interface" append_interface config_list_foreach "$cfg" "notinterface" append_notinterface diff --git a/package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch b/package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch new file mode 100644 index 000..bb3533e 
--- /dev/null +++ b/package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch 
@@ -0,0 +1,1320 @@ +From 462371dc003ac17f2fb36935c68314063e2c5dfd Mon Sep 17 00:00:00 2001 +From: Etan Kissling +Date: Tue, 12 Jan 2021 10:51:21 +0100 +Subject: [PATCH v7] Connection track mark based DNS query filtering. + +This extends query filtering support beyond what is currently possible +with the `--ipset` configuration option, by adding support for: +1) Specifying allowlists on a per-client basis, based on their + associated Linux connection track mark. +2) Dynamic configuration of allowlists via Ubus. +3) Reporting when a DNS query resolves or is rejected via Ubus. +4) DNS name patterns containing wildcards. + +Disallowed queries are not forwarded; they are rejected +with a REFUSED error code. + +Signed-off-by: Etan Kissling +(addressed reviewer feedback) +Signed-off-by: Etan Kissling +--- +v2: Rebase to v2.83, and fix compilation when HAVE_UBUS not present. +v3: Rebase to v2.84test2. +v4: Rebase to v2.84rc2 (update copyright notice). +v5: Correct logging of `ubus_notify` errors (also in existing code). + +Etan Kissling : +v6: Integrate checks for weird queries into `extract_request`. +Skip Ubus reporting when daemon->namebuff is not initialized. +Fix options parsing for mark / mask with bit 31 set. +Disable filtering for external queries (`auth_dns && !local_auth`). +Report all CNAME RRs via Ubus instead of just a (potential) subset. +Avoid redundant `is_valid_dns_name` evaluations. +Unify DNS name pattern matching logic across transports (UDP / TCP). +v7: Fix typos and adjust code style to project. 
+ + Makefile | 2 +- + man/dnsmasq.8 | 31 +++- + src/dnsmasq.h | 25 +++- + src/forward.c | 134 +- + src/option.c | 151 + src/pattern.c | 386 ++ + src/rfc1035.c | 77 +- + src/ubus.c| 184 +++- + 8 files changed, 980 insertions(+), 10 deletions(-) + create mode 100644 src/pattern.c + +diff --git a/Makefile b/Makefile +index e4c3f5c..506e56b 100644 +--- a/Makefile b/Makefile +@@ -79,7 +79,7 @@ copts_conf = .copts_$(sum) + objs = cache.o rfc1035.o util.o option.o forward.o network.o \ +dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \ +helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ +- dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \ ++ dhcp-common.o outpacket.o radv.o slaac.o auth.
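Review bot: in the `append_connmark_allowlist` hunk each `connmark_allowlist` UCI list entry is passed verbatim as one `--connmark-allowlist=` option, so an entry has to carry the whole `mark[/mask],pattern[,pattern...]` string from the man page; that format is nowhere in the init script or commit message, so add a comment or an example entry. An empty entry also yields a bare `--connmark-allowlist=`, which the init script should skip (`[ -n "$1" ] || return`) rather than leave for the dnsmasq option parser to reject at startup.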
[Dnsmasq-discuss] [PATCH v7] Connection track mark based DNS query filtering.
This extends query filtering support beyond what is currently possible with the `--ipset` configuration option, by adding support for: 1) Specifying allowlists on a per-client basis, based on their associated Linux connection track mark. 2) Dynamic configuration of allowlists via Ubus. 3) Reporting when a DNS query resolves or is rejected via Ubus. 4) DNS name patterns containing wildcards. Disallowed queries are not forwarded; they are rejected with a REFUSED error code. Signed-off-by: Etan Kissling (addressed reviewer feedback) Signed-off-by: Etan Kissling --- v2: Rebase to v2.83, and fix compilation when HAVE_UBUS not present. v3: Rebase to v2.84test2. v4: Rebase to v2.84rc2 (update copyright notice). v5: Correct logging of `ubus_notify` errors (also in existing code). Etan Kissling : v6: Integrate checks for weird queries into `extract_request`. Skip Ubus reporting when daemon->namebuff is not initialized. Fix options parsing for mark / mask with bit 31 set. Disable filtering for external queries (`auth_dns && !local_auth`). Report all CNAME RRs via Ubus instead of just a (potential) subset. Avoid redundant `is_valid_dns_name` evaluations. Unify DNS name pattern matching logic across transports (UDP / TCP). v7: Fix typos and adjust code style to project. Makefile | 2 +- man/dnsmasq.8 | 31 +++- src/dnsmasq.h | 25 +++- src/forward.c | 134 +- src/option.c | 151 src/pattern.c | 386 ++ src/rfc1035.c | 77 +- src/ubus.c| 184 +++- 8 files changed, 980 insertions(+), 10 deletions(-) create mode 100644 src/pattern.c diff --git a/Makefile b/Makefile index e4c3f5c..506e56b 100644 --- a/Makefile +++ b/Makefile 
@@ -79,7 +79,7 @@ copts_conf = .copts_$(sum) objs = cache.o rfc1035.o util.o option.o forward.o network.o \ dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \ helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ - dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \ + dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o pattern.o \ domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \ poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o \ metrics.o hash_questions.o diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 index ac7c9fa..04d666d 100644 --- a/man/dnsmasq.8 +++ b/man/dnsmasq.8 @@ -368,7 +368,10 @@ provides service at that name, rather than the default which is .TP .B --enable-ubus[=] Enable dnsmasq UBus interface. It sends notifications via UBus on -DHCPACK and DHCPRELEASE events. Furthermore it offers metrics. +DHCPACK and DHCPRELEASE events. Furthermore it offers metrics +and allows configuration of Linux connection track mark based filtering. +When DNS query filtering based on Linux connection track marks is enabled +UBus notifications are generated for each resolved or filtered DNS query. Requires that dnsmasq has been built with UBus support. If the service name is given, dnsmasq provides service at that namespace, rather than the default which is 
@@ -533,6 +536,32 @@ These IP sets must already exist. See .BR ipset (8) for more details. .TP +.B --connmark-allowlist-enable[=] +Enables filtering of incoming DNS queries with associated Linux connection track marks +according to individual allowlists configured via a series of \fB--connmark-allowlist\fP +options. Disallowed queries are not forwarded; they are rejected with a REFUSED error code. +DNS queries are only allowed if they do not have an associated Linux connection +track mark, or if the queried domains match the configured DNS patterns for the +associated Linux connection track mark. If no allowlist is configured for a +Linux connection track mark, all DNS queries associated with that mark are rejected. +If a mask is specified, Linux connection track marks are first bitwise ANDed +with the given mask before being processed. +.TP +.B --connmark-allowlist=[/][,[/...]] +Configures the DNS patterns that are allowed in DNS queries associated with +the given Linux connection track mark. +If a mask is specified, Linux connection track marks are first bitwise ANDed +with the given mask before they are compared to the given connection track mark. +Patterns follow the syntax of DNS names, but additionally allow the wildcard +character "*" to be used up to twice per label to match 0 or more characters +within that label. Note that the wildcard never matches a dot (e.g., "*.example.com" +matches "api.example.com" but not "api.us.example.com"). Patterns must be +fully qualified, i.e., consist of at least two labels. The final label must not be +fully numeric, and must not be the "local" pseudo-TLD. A pattern must end with at least +two literal (non-wildcard) labels. +Instead of a pattern, "*" can be specified to disable allowlis
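Review bot: the `--connmark-allowlist` man page text specifies wildcard placement, label counts and the numeric/`local` restrictions but says nothing about case handling; DNS names compare case-insensitively and some resolvers randomise query-name case (0x20 encoding), so state that patterns match case-insensitively and make sure the matcher in pattern.c does so, otherwise queries for allowed names would be refused intermittently depending on how the client spelled them.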
Re: [Dnsmasq-discuss] [PATCH v4] Connection track mark based DNS query filtering.
On 17.02.21, 23:41, "Dnsmasq-discuss on behalf of Geert Stappers" wrote: 
> > @@ -567,6 +568,12 @@ struct ipsets { > >struct ipsets *next; > > }; > > > > +struct allowlist { > > + uint32_t mark, mask; > > + char **patterns; > > + struct allowlist *next; > > +}; > > + > > I think the missing '# ifdef HAVE_CONNTRACK' will trigger "unused struct" > warnings ... > >struct ipsets *ipsets; > > + uint32_t allowlist_mask; > > I think the missing '# ifdef HAVE_CONNTRACK' will trigger "unused uint32_t" > warnings ... I have tested compilation with both no-conntrack and HAVE_CONNTRACK on Raspberry Pi OS, and encountered no compile warnings. Likewise, I have tested with both HAVE_CONNTRACK and HAVE_UBUS on OpenWrt (for Ubus). Technically, you are right that this could be guarded as you suggest. I was thinking about guarding this, but other structs that are only used optionally, such as the `struct ipsets` directly above this are not guarded with a similar check. Besides being consistent with the existing code style, this makes it a tiny bit less error-prone when having a partial re-compile where some files use a stale version of the headers with different #ifdefs, which can introduce very subtle bugs at development time when switching cfg because the memory layout in the struct would change. > > +#if defined(HAVE_CONNTRACK) && defined(HAVE_UBUS) > > One of many > > +# ifdef HAVE_CONNTRACK > > One of many Sorry, I don't understand the comment for these. As those features need libraries that are only present when the corresponding defines are set, the usage code also needs to be guarded. Also, as this introduces a new feature I wanted to minimize impact on any existing installations that do not already use optional features. Code is only compiled with -DHAVE_CONNTRACK (and -DHAVE_UBUS), and only activated when the config file enables it (default = disabled). > snip . 
> > > + if (0); > > +#ifdef HAVE_CONNTRACK > > + else if (!allowed) > > +{ > > + m = setup_reply(header, n, /* addrp: */ NULL, /* flags: */ 0, /* > > ttl: */ 0); > > + if (m >= 1) > > + { > > + send_from(listen->fd, option_bool(OPT_NOWILD) || > > option_bool(OPT_CLEVERBIND), > > + (char *)header, m, _addr, _addr, if_index); > > + daemon->metrics[METRIC_DNS_LOCAL_ANSWERED]++; > > + } > > +} > > +#endif > > #ifdef HAVE_AUTH > > - if (auth_dns) > > + else if (auth_dns) > > That extra elsefeels odd. You snipped one line too much at the top, I re-added it here. If (0); The previous logic was: if (auth_dns) The new intended logic is: if (!allowed) else if (auth_dns) Because the allowed case is in an #ifdef, the logic is like this: if (0); #ifdef HAVE_CONNTRACK else if (!allowed) #endif else if (auth_dns) In the case where HAVE_CONNTRACK is not defined, this becomes: if (0); else if (auth_dns) which is equivalent to: if (auth_dns) In the case where HAVE_CONNTRACK is defined, this becomes: if (0); else if (!allowed) else if (auth_dns) which is equivalent to: if (!allowed) else if (auth_dns) > > - else > > #endif > > + else > > That swap of lines feels odd. This can be explained in a similar way to the one above, it is just some trickery to stack regular C ifs and pre-processor ifs. > Do know that it is _not_ up to me to decide on this patch. > > Thing I'm saying is that it got some human attention. Thanks for taking your time to look into it. Appreciate the comments! > Regards > Geert Stappers ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
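Review bot: in the quoted forward.c hunk the REFUSED path increments `daemon->metrics[METRIC_DNS_LOCAL_ANSWERED]`, which folds filtered queries into the count of locally answered ones, so anyone reading the metrics over UBus cannot tell allowlist rejections from ordinary local answers. A dedicated counter (a hypothetical `METRIC_DNS_REFUSED`, for instance) would make the filter observable. The `if (0);` ladder is correct, but a one-line source comment saying it exists so that `#ifdef`-guarded branches can join a single else-if chain would spare the next reader the question Geert raised here.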
Re: [Dnsmasq-discuss] DKIM / DMARC emails.
On 17.02.21, 23:48, "Simon Kelley" wrote: > > When submitting a patch I noticed that the Dnsmasq mailing list modifies > > the subject of the email (prefix [Dnsmasq-discuss]) as well as appends > > 'Dnsmasq-discuss mailing list' information to the end of my message. > > There's no particular reason for that behaviour, I guess it was the > default on whichever antediluvian version of mailman was first used to > host the mailing list. It appears to be trivial to turn both features > off, and I can't see any particular reason not to. Anyone object? There is an interesting blog post about DMARC on mailing lists here: - https://begriffs.com/posts/2018-09-18-dmarc-mailing-list.html While we're at mailing list settings: My patch also just happens to be slightly over the 40 KB limit to enter the moderation queue. It is not consisting of multiple distinct parts, so splitting it up into multiple emails would just complicate reviews. Raising the limit to 50 KB would also be appreciated.
[Dnsmasq-discuss] DKIM / DMARC emails.
When submitting a patch I noticed that the Dnsmasq mailing list modifies the subject of the email (prefix [Dnsmasq-discuss]) as well as appends 'Dnsmasq-discuss mailing list' information to the end of my message. These modifications break DKIM signatures of our emails, leading to them being filtered into Junk folders. DMARC is a security standard for assessing email authenticity. See my earlier patch: - [PATCH v4] Connection track mark based DNS query filtering. Other mailing lists such as netfilter-de...@vger.kernel.org do not share these DMARC problems. What is the preferred approach here to get my patch reviewed? Etan
[Dnsmasq-discuss] [PATCH v5] Connection track mark based DNS query filtering.
This extends query filtering support beyond what is currently possible with the `--ipset` configuration option, by adding support for: 1) Specifying allowlists on a per-client basis, based on their associated Linux connection track mark. 2) Dynamic configuration of allowlists via Ubus. 3) Reporting when a DNS query resolves or is rejected via Ubus. 4) DNS name patterns containing wildcards. Disallowed queries are not forwarded; they are rejected with a REFUSED error code. Signed-off-by: Etan Kissling --- v2: Rebase to v2.83, and fix compilation when HAVE_UBUS not present. v3: Rebase to v2.84test2. v4: Rebase to v2.84rc2 (update copyright notice). v5: Correct logging of `ubus_notify` errors (also in existing code). Makefile | 2 +- man/dnsmasq.8 | 31 +++- src/dnsmasq.h | 25 +++- src/forward.c | 121 +++- src/option.c | 134 ++ src/pattern.c | 386 ++ src/rfc1035.c | 82 +++ src/ubus.c| 184 +++- 8 files changed, 956 insertions(+), 9 deletions(-) create mode 100644 src/pattern.c diff --git a/Makefile b/Makefile index e4c3f5c..506e56b 100644 --- a/Makefile +++ b/Makefile @@ -79,7 +79,7 @@ copts_conf = .copts_$(sum) objs = cache.o rfc1035.o util.o option.o forward.o network.o \ dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \ helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ - dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \ + dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o pattern.o \ domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \ poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o \ metrics.o hash_questions.o diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 index ac7c9fa..04d666d 100644 --- a/man/dnsmasq.8 +++ b/man/dnsmasq.8 
@@ -368,7 +368,10 @@ provides service at that name, rather than the default which is .TP .B --enable-ubus[=] Enable dnsmasq UBus interface. It sends notifications via UBus on -DHCPACK and DHCPRELEASE events. Furthermore it offers metrics. +DHCPACK and DHCPRELEASE events. Furthermore it offers metrics +and allows configuration of Linux connection track mark based filtering. +When DNS query filtering based on Linux connection track marks is enabled +UBus notifications are generated for each resolved or filtered DNS query. Requires that dnsmasq has been built with UBus support. If the service name is given, dnsmasq provides service at that namespace, rather than the default which is 
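Review bot: the added sentence promises a UBus notification for every resolved or filtered query but names neither the events nor their payload; a subscriber has to read src/ubus.c to learn that they are `connmark-allowlist.resolved` (members `mark`, `name`, `value`, `ttl`) and `connmark-allowlist.refused` (members `mark`, `name`). Document both here, and say that the resolved event is sent through `ubus_notify` with a 1000 ms timeout, so the DNS answer is held back until the subscriber acknowledges or the timeout expires.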
@@ -533,6 +536,32 @@ These IP sets must already exist. See .BR ipset (8) for more details. .TP +.B --connmark-allowlist-enable[=] +Enables filtering of incoming DNS queries with associated Linux connection track marks +according to individual allowlists configured via a series of \fB--connmark-allowlist\fP +options. Disallowed queries are not forwarded; they are rejected with a REFUSED error code. +DNS queries are only allowed if they do not have an associated Linux connection +track mark, or if the queried domains match the configured DNS patterns for the +associated Linux connection track mark. If no allowlist is configured for a +Linux connection track mark, all DNS queries associated with that mark are rejected. +If a mask is specified, Linux connection track marks are first bitwise ANDed +with the given mask before being processed. +.TP +.B --connmark-allowlist=[/][,[/...]] +Configures the DNS patterns that are allowed in DNS queries associated with +the given Linux connection track mark. +If a mask is specified, Linux connection track marks are first bitwise ANDed +with the given mask before they are compared to the given connection track mark. +Patterns follow the syntax of DNS names, but additionally allow the wildcard +character "*" to be used up to twice per label to match 0 or more characters +within that label. Note that the wildcard never matches a dot (e.g., "*.example.com" +matches "api.example.com" but not "api.us.example.com"). Patterns must be +fully qualified, i.e., consist of at least two labels. The final label must not be +fully numeric, and must not be the "local" pseudo-TLD. A pattern must end with at least +two literal (non-wildcard) labels. +Instead of a pattern, "*" can be specified to disable allowlist filtering +for a given Linux connection track mark entirely. +.TP .B \-m, --mx-host=[[,],] Return an MX record named pointing to the given hostname (if given), or diff --git a/src/dnsmasq.h b/src/dnsmasq.h index e770454..b48e433 100644 
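Review bot: the rule that queries without an associated conntrack mark are always allowed makes the filter fail open: a query whose conntrack lookup yields no mark (connection not tracked, or a client path the firewall never marked) is forwarded unfiltered. State that explicitly so operators make the marking rule unconditional for every client they intend to filter. A concrete example such as `--connmark-allowlist=0x10/0xff,api.example.com,*.cdn.example.net` would also make the text easier to apply: it shows the mask being applied to the conntrack mark before comparison, and that `*.cdn.example.net` matches `img.cdn.example.net` but not `a.img.cdn.example.net`.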
--- a/src/dnsmasq.h +++ b/src/dnsmasq.h @@ -273,7 +273,8 @@ struct event_desc { #define OPT_IGNORE_CLID59 #define OPT_SINGLE_PORT60 #define OPT_LEASE_RENEW61 -#define OPT_LAST 62 +#define OPT_CMARK_ALST_EN 62 +#define OPT_LAST 63 #define OPTION_BITS (sizeof(unsigned int)*8) #define OPTION_SIZE ( (OPT_LAST/
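The man page text in the v5 patch above defines the whole decision (enable mask, per-mark allowlists with their own masks, label-bounded `*` wildcards, `*` alone to disable filtering, unmarked queries allowed, unknown marks refused). The following C program is an added example, not code from dnsmasq or from this patch series, that models that decision end to end so the semantics can be checked on the command line. It generalizes the matcher to any number of `*` per label (the patch limits it to two) and omits the pattern syntax validation the real option parser performs; the configuration, marks and query names in it are constructed for illustration.

```c
/*
 * Added example, not dnsmasq's pattern.c: a self-contained model of the
 * --connmark-allowlist decision described in the man page.  Allows any
 * number of '*' per label and skips pattern syntax validation.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Match one label: '*' matches zero or more characters, case-insensitively.
 * Labels are split before this is called, so '*' can never match a dot. */
static int label_match(const char *p, size_t plen, const char *v, size_t vlen)
{
    size_t pi = 0, vi = 0;
    size_t star_p = (size_t)-1, star_v = 0;   /* last '*' seen, for backtracking */

    while (vi < vlen) {
        if (pi < plen && p[pi] == '*') {
            star_p = pi++;                    /* try matching zero characters first */
            star_v = vi;
        } else if (pi < plen &&
                   tolower((unsigned char)p[pi]) == tolower((unsigned char)v[vi])) {
            pi++;
            vi++;
        } else if (star_p != (size_t)-1) {
            pi = star_p + 1;                  /* let the last '*' absorb one more char */
            vi = ++star_v;
        } else {
            return 0;
        }
    }
    while (pi < plen && p[pi] == '*')         /* trailing '*' may match nothing */
        pi++;
    return pi == plen;
}

/* Match a query name against a pattern label by label.  Both must have the
 * same number of labels, so "*.example.com" never matches "a.b.example.com". */
int pattern_match(const char *pattern, const char *name)
{
    for (;;) {
        const char *pd = strchr(pattern, '.');
        const char *nd = strchr(name, '.');
        size_t plen = pd ? (size_t)(pd - pattern) : strlen(pattern);
        size_t nlen = nd ? (size_t)(nd - name) : strlen(name);

        if (!label_match(pattern, plen, name, nlen))
            return 0;
        if (!pd || !nd)
            return !pd && !nd;
        pattern = pd + 1;
        name = nd + 1;
    }
}

struct allowlist {
    uint32_t mark, mask;
    const char *patterns[4];   /* NULL-terminated; "*" disables filtering */
};

/* Constructed configuration, the equivalent of:
 *   --connmark-allowlist-enable=0xff
 *   --connmark-allowlist=0x10/0xff,api.example.com,*.cdn.example.net
 *   --connmark-allowlist=0x20,*
 */
#define ENABLE_MASK 0xffu
static const struct allowlist allowlists[] = {
    { 0x10, 0xff,       { "api.example.com", "*.cdn.example.net", NULL } },
    { 0x20, 0xffffffff, { "*", NULL } },
};

/* has_mark == 0 models a query whose conntrack lookup returned no mark. */
int query_allowed(int has_mark, uint32_t mark, const char *qname)
{
    size_t i;

    if (!has_mark)
        return 1;                 /* unmarked queries are not filtered (fail-open) */
    mark &= ENABLE_MASK;          /* mask from --connmark-allowlist-enable */
    for (i = 0; i < sizeof allowlists / sizeof allowlists[0]; i++) {
        const struct allowlist *a = &allowlists[i];
        const char *const *p;

        if ((mark & a->mask) != a->mark)
            continue;             /* list is for a different mark */
        for (p = a->patterns; *p; p++)
            if (strcmp(*p, "*") == 0 || pattern_match(*p, qname))
                return 1;
    }
    return 0;                     /* no list for this mark, or nothing matched: REFUSED */
}

int main(void)
{
    printf("mark 0x10 api.example.com   -> %s\n", query_allowed(1, 0x10, "api.example.com") ? "allowed" : "REFUSED");
    printf("mark 0x10 evil.example.com  -> %s\n", query_allowed(1, 0x10, "evil.example.com") ? "allowed" : "REFUSED");
    printf("mark 0x30 api.example.com   -> %s\n", query_allowed(1, 0x30, "api.example.com") ? "allowed" : "REFUSED");
    printf("no mark   a.example.org     -> %s\n", query_allowed(0, 0, "a.example.org") ? "allowed" : "REFUSED");
    return 0;
}
```

The fail-open branch at the top of `query_allowed` is the one to keep in mind when deploying: every client that should be filtered must reach dnsmasq through a marked connection, otherwise its queries skip the allowlist entirely.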
Re: [Dnsmasq-discuss] [PATCH v4] Connection track mark based DNS query filtering.
On 18.02.21, 22:10, "Dnsmasq-discuss on behalf of Geert Stappers" wrote: > On Thu, Feb 18, 2021 at 12:11:55AM +0100, Etan Kissling wrote: > > On 17.02.21, 23:41, "Geert Stappers" wrote: > > > > +#if defined(HAVE_CONNTRACK) && defined(HAVE_UBUS) > > > > > > One of many > > > > Sorry, I don't understand the comment for these. > > The sorry should come from me. I was way too short with text. > The thing I am trying to tell is that the wish is to avoid #if > conditionals. Reason I remember is reducing the amount > of different binaries. But HAVE_CONNTRACK is already > present in current source. No new binaries are created with this patch. The existing HAVE_CONNTRACK symbol is used to guard accessing Netfilter connection track marks. The existing HAVE_UBUS symbol is used to guard OpenWrt specific code. Furthermore, even when those symbols are defined, all new code only activates when the configuration option to enable the feature is set: if (option_bool(OPT_CMARK_ALST_EN)) Thanks Etan
[Dnsmasq-discuss] [PATCH v4] Connection track mark based DNS query filtering.
This extends query filtering support beyond what is currently possible with the `--ipset` configuration option, by adding support for: 1) Specifying allowlists on a per-client basis, based on their associated Linux connection track mark. 2) Dynamic configuration of allowlists via Ubus. 3) Reporting when a DNS query resolves or is rejected via Ubus. 4) DNS name patterns containing wildcards. Disallowed queries are not forwarded; they are rejected with a REFUSED error code. Signed-off-by: Etan Kissling --- v2: Rebase to v2.83, and fix compilation when HAVE_UBUS not present. v3: Rebase to v2.84test2. v4: Rebase to v2.84rc2 (update copyright notice). Makefile | 2 +- man/dnsmasq.8 | 31 +++- src/dnsmasq.h | 25 +++- src/forward.c | 121 +++- src/option.c | 134 ++ src/pattern.c | 386 ++ src/rfc1035.c | 82 +++ src/ubus.c| 182 8 files changed, 955 insertions(+), 8 deletions(-) create mode 100644 src/pattern.c diff --git a/Makefile b/Makefile index e4c3f5c..506e56b 100644 --- a/Makefile +++ b/Makefile @@ -79,7 +79,7 @@ copts_conf = .copts_$(sum) objs = cache.o rfc1035.o util.o option.o forward.o network.o \ dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \ helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ - dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \ + dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o pattern.o \ domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \ poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o \ metrics.o hash_questions.o diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 index ac7c9fa..04d666d 100644 --- a/man/dnsmasq.8 +++ b/man/dnsmasq.8 
@@ -368,7 +368,10 @@ provides service at that name, rather than the default which is .TP .B --enable-ubus[=] Enable dnsmasq UBus interface. It sends notifications via UBus on -DHCPACK and DHCPRELEASE events. Furthermore it offers metrics. +DHCPACK and DHCPRELEASE events. Furthermore it offers metrics +and allows configuration of Linux connection track mark based filtering. +When DNS query filtering based on Linux connection track marks is enabled +UBus notifications are generated for each resolved or filtered DNS query. Requires that dnsmasq has been built with UBus support. If the service name is given, dnsmasq provides service at that namespace, rather than the default which is 
@@ -533,6 +536,32 @@ These IP sets must already exist. See .BR ipset (8) for more details. .TP +.B --connmark-allowlist-enable[=] +Enables filtering of incoming DNS queries with associated Linux connection track marks +according to individual allowlists configured via a series of \fB--connmark-allowlist\fP +options. Disallowed queries are not forwarded; they are rejected with a REFUSED error code. +DNS queries are only allowed if they do not have an associated Linux connection +track mark, or if the queried domains match the configured DNS patterns for the +associated Linux connection track mark. If no allowlist is configured for a +Linux connection track mark, all DNS queries associated with that mark are rejected. +If a mask is specified, Linux connection track marks are first bitwise ANDed +with the given mask before being processed. +.TP +.B --connmark-allowlist=[/][,[/...]] +Configures the DNS patterns that are allowed in DNS queries associated with +the given Linux connection track mark. +If a mask is specified, Linux connection track marks are first bitwise ANDed +with the given mask before they are compared to the given connection track mark. +Patterns follow the syntax of DNS names, but additionally allow the wildcard +character "*" to be used up to twice per label to match 0 or more characters +within that label. Note that the wildcard never matches a dot (e.g., "*.example.com" +matches "api.example.com" but not "api.us.example.com"). Patterns must be +fully qualified, i.e., consist of at least two labels. The final label must not be +fully numeric, and must not be the "local" pseudo-TLD. A pattern must end with at least +two literal (non-wildcard) labels. +Instead of a pattern, "*" can be specified to disable allowlist filtering +for a given Linux connection track mark entirely. +.TP .B \-m, --mx-host=[[,],] Return an MX record named pointing to the given hostname (if given), or diff --git a/src/dnsmasq.h b/src/dnsmasq.h index e770454..b48e433 100644 
--- a/src/dnsmasq.h +++ b/src/dnsmasq.h @@ -273,7 +273,8 @@ struct event_desc { #define OPT_IGNORE_CLID59 #define OPT_SINGLE_PORT60 #define OPT_LEASE_RENEW61 -#define OPT_LAST 62 +#define OPT_CMARK_ALST_EN 62 +#define OPT_LAST 63 #define OPTION_BITS (sizeof(unsigned int)*8) #define OPTION_SIZE ( (OPT_LAST/OPTION_BITS)+((OPT_LAST%OPTION_BITS)!=0) ) @@ -567,6 +568,12 @@ st
[Dnsmasq-discuss] [PATCH] Handle UBus serialization errors.
The various blob / blobmsg commands can fail, e.g., when memory is low. Previously, those errors were silently discarded. This patch adds checks for the error conditions, logging them and exiting from the functions. Signed-off-by: Etan Kissling --- src/ubus.c | 72 +- 1 file changed, 44 insertions(+), 28 deletions(-) diff --git a/src/ubus.c b/src/ubus.c index 4d63006..296a496 100644 --- a/src/ubus.c +++ b/src/ubus.c @@ -173,6 +173,16 @@ void check_ubus_listeners() } } +#define CHECK(stmt, ret) \ + do { \ +int e = (stmt); \ +if (e) \ + { \ + my_syslog(LOG_ERR, _("UBus command failed: %d (%s)"), e, #stmt); \ + return (UBUS_STATUS_UNKNOWN_ERROR); \ + } \ + } while (0) + static int ubus_handle_metrics(struct ubus_context *ctx, struct ubus_object *obj, struct ubus_request_data *req, const char *method, struct blob_attr *msg) @@ -183,12 +193,13 @@ static int ubus_handle_metrics(struct ubus_context *ctx, struct ubus_object *obj (void)method; (void)msg; - blob_buf_init(, BLOBMSG_TYPE_TABLE); + CHECK(blob_buf_init(, BLOBMSG_TYPE_TABLE)); for (i=0; i < __METRIC_MAX; i++) -blobmsg_add_u32(, get_metric_name(i), daemon->metrics[i]); +CHECK(blobmsg_add_u32(, get_metric_name(i), daemon->metrics[i])); - return ubus_send_reply(ctx, req, b.head); + CHECK(ubus_send_reply(ctx, req, b.head)); + return UBUS_STATUS_OK; } #ifdef HAVE_CONNTRACK 
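Review bot: the macro is declared as `#define CHECK(stmt, ret)` but every use in this hunk passes a single argument (`CHECK(blob_buf_init(...))`), which will not compile; v2 of this patch drops the unused `ret` parameter. Separately, the log line prints the raw return code with `%d` and loses the `ubus_strerror(ret)` text the replaced code produced; the blob/blobmsg helpers return a negative value while the `ubus_*` calls return a `ubus_msg_status` code, so a bare integer is ambiguous in the log. Keep `ubus_strerror` for the `ubus_*` calls, or log which family the failing statement belongs to.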
@@ -307,66 +318,71 @@ fail: } #endif +#undef CHECK + +#define CHECK(stmt, ret) \ + do { \ +int e = (stmt); \ +if (e) \ + { \ + my_syslog(LOG_ERR, _("UBus command failed: %d (%s)"), e, #stmt); \ + return; \ + } \ + } while (0) + void ubus_event_bcast(const char *type, const char *mac, const char *ip, const char *name, const char *interface) { struct ubus_context *ubus = (struct ubus_context *)daemon->ubus; - int ret; if (!ubus || !notify) return; - blob_buf_init(, BLOBMSG_TYPE_TABLE); + CHECK(blob_buf_init(, BLOBMSG_TYPE_TABLE)); if (mac) -blobmsg_add_string(, "mac", mac); +CHECK(blobmsg_add_string(, "mac", mac)); if (ip) -blobmsg_add_string(, "ip", ip); +CHECK(blobmsg_add_string(, "ip", ip)); if (name) -blobmsg_add_string(, "name", name); +CHECK(blobmsg_add_string(, "name", name)); if (interface) -blobmsg_add_string(, "interface", interface); +CHECK(blobmsg_add_string(, "interface", interface)); - ret = ubus_notify(ubus, _object, type, b.head, -1); - if (ret) -my_syslog(LOG_ERR, _("Failed to send UBus event: %s"), ubus_strerror(ret)); + CHECK(ubus_notify(ubus, _object, type, b.head, -1)); } #ifdef HAVE_CONNTRACK void ubus_event_bcast_connmark_allowlist_refused(u32 mark, const char *name) { struct ubus_context *ubus = (struct ubus_context *)daemon->ubus; - int ret; if (!ubus || !notify) return; - blob_buf_init(, 0); - blobmsg_add_u32(, "mark", mark); - blobmsg_add_string(, "name", name); + CHECK(blob_buf_init(, 0)); + CHECK(blobmsg_add_u32(, "mark", mark)); + CHECK(blobmsg_add_string(, "name", name)); - ret = ubus_notify(ubus, _object, "connmark-allowlist.refused", b.head, -1); - if (ret) -my_syslog(LOG_ERR, _("Failed to send UBus event: %s"), ubus_strerror(ret)); + CHECK(ubus_notify(ubus, _object, "connmark-allowlist.refused", b.head, -1)); } void ubus_event_bcast_connmark_allowlist_resolved(u32 mark, const char *name, const char *value, u32 ttl) { struct ubus_context *ubus = (struct ubus_context *)daemon->ubus; - int ret; if (!ubus || !notify) return; - 
blob_buf_init(, 0); - blobmsg_add_u32(, "mark", mark); - blobmsg_add_string(, "name", name); - blobmsg_add_string(, "value", value); - blobmsg_add_u32(, "ttl", ttl); + CHECK(blob_buf_init(, 0)); + CHECK(blobmsg_add_u32(, "mark", mark)); + CHECK(blobmsg_add_string(, "name", name)); + CHECK(blobmsg_add_string(, "value", value)); + CHECK(blobmsg_add_u32(, "ttl", ttl)); - ret = ubus_notify(ubus, _object, "connmark-allowlist.resolved", b.head, /* timeout: */ 1000); - if (ret) -my_syslog(LOG_ERR, _("Failed to send UBus event: %s"), ubus_strerror(ret)); + // Set timeout to allow UBus subscriber to configure firewall rules before returning. + CHECK(ubus_notify(ubus, _object, "connmark-allowlist.resolved", b.head, /* timeout: */ 1000)); } #endif +#undef CHECK #endif /* HAVE_UBUS */ -- 2.30.1 (Apple Git-130) ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
[Dnsmasq-discuss] [PATCH] Eliminate redundant UBus `notify` variable.
There was a `notify` variable to keep track whether a subscriber is observing our UBus object. However, it was not properly cleaned up in `ubus_destroy`, potentially becoming stale over UBus reconnections. The variable was removed and the current state is examined when sending notifications, similarly as is done in other existing OpenWrt code. Signed-off-by: Etan Kissling --- src/ubus.c | 8 +++- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/src/ubus.c b/src/ubus.c index 296a496..37e36fa 100644 --- a/src/ubus.c +++ b/src/ubus.c @@ -21,7 +21,6 @@ #include static struct blob_buf b; -static int notify; static int error_logged = 0; static int ubus_handle_metrics(struct ubus_context *ctx, struct ubus_object *obj, @@ -78,7 +77,6 @@ static void ubus_subscribe_cb(struct ubus_context *ctx, struct ubus_object *obj) (void)ctx; my_syslog(LOG_DEBUG, _("UBus subscription callback: %s subscriber(s)"), obj->has_subscribers ? "1" : "0"); - notify = obj->has_subscribers; } static void ubus_destroy(struct ubus_context *ubus) @@ -334,7 +332,7 @@ void ubus_event_bcast(const char *type, const char *mac, const char *ip, const c { struct ubus_context *ubus = (struct ubus_context *)daemon->ubus; - if (!ubus || !notify) + if (!ubus || !ubus_object.has_subscribers) return; CHECK(blob_buf_init(, BLOBMSG_TYPE_TABLE)); @@ -355,7 +353,7 @@ void ubus_event_bcast_connmark_allowlist_refused(u32 mark, const char *name) { struct ubus_context *ubus = (struct ubus_context *)daemon->ubus; - if (!ubus || !notify) + if (!ubus || !ubus_object.has_subscribers) return; CHECK(blob_buf_init(, 0)); 
@@ -369,7 +367,7 @@ void ubus_event_bcast_connmark_allowlist_resolved(u32 mark, const char *name, co { struct ubus_context *ubus = (struct ubus_context *)daemon->ubus; - if (!ubus || !notify) + if (!ubus || !ubus_object.has_subscribers) return; CHECK(blob_buf_init(, 0)); -- 2.30.1 (Apple Git-130) ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
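Review bot: the log line left in `ubus_subscribe_cb` prints `obj->has_subscribers ? "1" : "0"` under `"%s subscriber(s)"`, which presents a boolean as a count (two subscribers still print 1); log "subscribed"/"unsubscribed" instead now that `notify` is gone. Reading `ubus_object.has_subscribers` directly in the three `ubus_event_bcast*` functions is the right replacement for the removed variable.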
[Dnsmasq-discuss] [PATCH] Re-order UBus teardown logic.
When destroying the UBus context, private fields of our ubus_object were being reset to 0 while UBus was still owning those objects. While this seems to work out fine, it seems cleaner to first release the object so that UBus no longer owns it, before proceding to reset those fields. Signed-off-by: Etan Kissling --- src/ubus.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/ubus.c b/src/ubus.c index 37e36fa..d8cbeca 100644 --- a/src/ubus.c +++ b/src/ubus.c @@ -81,12 +81,12 @@ static void ubus_subscribe_cb(struct ubus_context *ctx, struct ubus_object *obj) static void ubus_destroy(struct ubus_context *ubus) { + ubus_free(ubus); + daemon->ubus = NULL; + // Forces re-initialization when we're reusing the same definitions later on. ubus_object.id = 0; ubus_object_type.id = 0; - - ubus_free(ubus); - daemon->ubus = NULL; } static void ubus_disconnect_cb(struct ubus_context *ubus) -- 2.30.1 (Apple Git-130) ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
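Review bot: moving `ubus_free` ahead of the id resets is right, but the same static `ubus_object` also carries `has_subscribers`, which the event broadcast functions now consult, and libubus only updates that field when ubusd reports a subscriber change. After a disconnect it therefore keeps the previous session's value until the next such report. Add `ubus_object.has_subscribers = 0;` beside the two `id` resets so a reconnected daemon starts from a known state.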
[Dnsmasq-discuss] [PATCH v2] Handle UBus serialization errors.
The various blob / blobmsg commands can fail, e.g., when memory is low. Previously, those errors were silently discarded. This patch adds checks for the error conditions, logging them and exiting from the functions. Signed-off-by: Etan Kissling --- v2: Fix compile. src/ubus.c | 72 +- 1 file changed, 44 insertions(+), 28 deletions(-) diff --git a/src/ubus.c b/src/ubus.c index 4d63006..bac57cb 100644 --- a/src/ubus.c +++ b/src/ubus.c @@ -173,6 +173,16 @@ void check_ubus_listeners() } } +#define CHECK(stmt) \ + do { \ +int e = (stmt); \ +if (e) \ + { \ + my_syslog(LOG_ERR, _("UBus command failed: %d (%s)"), e, #stmt); \ + return (UBUS_STATUS_UNKNOWN_ERROR); \ + } \ + } while (0) + static int ubus_handle_metrics(struct ubus_context *ctx, struct ubus_object *obj, struct ubus_request_data *req, const char *method, struct blob_attr *msg) @@ -183,12 +193,13 @@ static int ubus_handle_metrics(struct ubus_context *ctx, struct ubus_object *obj (void)method; (void)msg; - blob_buf_init(, BLOBMSG_TYPE_TABLE); + CHECK(blob_buf_init(, BLOBMSG_TYPE_TABLE)); for (i=0; i < __METRIC_MAX; i++) -blobmsg_add_u32(, get_metric_name(i), daemon->metrics[i]); +CHECK(blobmsg_add_u32(, get_metric_name(i), daemon->metrics[i])); - return ubus_send_reply(ctx, req, b.head); + CHECK(ubus_send_reply(ctx, req, b.head)); + return UBUS_STATUS_OK; } #ifdef HAVE_CONNTRACK 
@@ -307,66 +318,71 @@ fail: } #endif +#undef CHECK + +#define CHECK(stmt) \ + do { \ +int e = (stmt); \ +if (e) \ + { \ + my_syslog(LOG_ERR, _("UBus command failed: %d (%s)"), e, #stmt); \ + return; \ + } \ + } while (0) + void ubus_event_bcast(const char *type, const char *mac, const char *ip, const char *name, const char *interface) { struct ubus_context *ubus = (struct ubus_context *)daemon->ubus; - int ret; if (!ubus || !notify) return; - blob_buf_init(, BLOBMSG_TYPE_TABLE); + CHECK(blob_buf_init(, BLOBMSG_TYPE_TABLE)); if (mac) -blobmsg_add_string(, "mac", mac); +CHECK(blobmsg_add_string(, "mac", mac)); if (ip) -blobmsg_add_string(, "ip", ip); +CHECK(blobmsg_add_string(, "ip", ip)); if (name) -blobmsg_add_string(, "name", name); +CHECK(blobmsg_add_string(, "name", name)); if (interface) -blobmsg_add_string(, "interface", interface); +CHECK(blobmsg_add_string(, "interface", interface)); - ret = ubus_notify(ubus, _object, type, b.head, -1); - if (ret) -my_syslog(LOG_ERR, _("Failed to send UBus event: %s"), ubus_strerror(ret)); + CHECK(ubus_notify(ubus, _object, type, b.head, -1)); } #ifdef HAVE_CONNTRACK void ubus_event_bcast_connmark_allowlist_refused(u32 mark, const char *name) { struct ubus_context *ubus = (struct ubus_context *)daemon->ubus; - int ret; if (!ubus || !notify) return; - blob_buf_init(, 0); - blobmsg_add_u32(, "mark", mark); - blobmsg_add_string(, "name", name); + CHECK(blob_buf_init(, 0)); + CHECK(blobmsg_add_u32(, "mark", mark)); + CHECK(blobmsg_add_string(, "name", name)); - ret = ubus_notify(ubus, _object, "connmark-allowlist.refused", b.head, -1); - if (ret) -my_syslog(LOG_ERR, _("Failed to send UBus event: %s"), ubus_strerror(ret)); + CHECK(ubus_notify(ubus, _object, "connmark-allowlist.refused", b.head, -1)); } void ubus_event_bcast_connmark_allowlist_resolved(u32 mark, const char *name, const char *value, u32 ttl) { struct ubus_context *ubus = (struct ubus_context *)daemon->ubus; - int ret; if (!ubus || !notify) return; - blob_buf_init(, 
0); - blobmsg_add_u32(, "mark", mark); - blobmsg_add_string(, "name", name); - blobmsg_add_string(, "value", value); - blobmsg_add_u32(, "ttl", ttl); + CHECK(blob_buf_init(, 0)); + CHECK(blobmsg_add_u32(, "mark", mark)); + CHECK(blobmsg_add_string(, "name", name)); + CHECK(blobmsg_add_string(, "value", value)); + CHECK(blobmsg_add_u32(, "ttl", ttl)); - ret = ubus_notify(ubus, _object, "connmark-allowlist.resolved", b.head, /* timeout: */ 1000); - if (ret) -my_syslog(LOG_ERR, _("Failed to send UBus event: %s"), ubus_strerror(ret)); + // Set timeout to allow UBus subscriber to configure firewall rules before returning. + CHECK(ubus_notify(ubus, _object, "connmark-allowlist.resolved", b.head, /* timeout: */ 1000)); } #endif +#undef CHECK #endif /* HAVE_UBUS */ -- 2.30.1 (Apple Git-130) ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
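Review bot: `ubus_notify(..., /* timeout: */ 1000)` in `ubus_event_bcast_connmark_allowlist_resolved` waits for subscriber acknowledgement, and dnsmasq serves all DNS traffic from one event loop, so a slow or wedged subscriber stalls every allowlisted answer for up to a second, and a client that triggers many distinct resolutions turns that into a resolver-wide slowdown. Either bound the wait well below 1000 ms or document the cost next to the option. A smaller point: undefining and redefining `CHECK` with a different return path is easy to misuse as the file grows; two macros (one returning `UBUS_STATUS_UNKNOWN_ERROR`, one for void functions) would read more safely.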
[Dnsmasq-discuss] [PATCH] Adjust logging levels for connmark patterns.
This brings the log levels emitted by connmark pattern code in line with the rest of the code base. LOG_DEBUG is used for diagnostics that may be verbose depending on the request patterns. LOG_ERR is used for problems with the implementation itself. Signed-off-by: Etan Kissling --- src/pattern.c | 44 ++-- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/src/pattern.c b/src/pattern.c index 74f5801..ebcdf16 100644 --- a/src/pattern.c +++ b/src/pattern.c @@ -20,13 +20,13 @@ #define LOG(...) \ do { \ -my_syslog(LOG_WARNING, __VA_ARGS__); \ +my_syslog(LOG_DEBUG, __VA_ARGS__); \ } while (0) #define ASSERT(condition) \ do { \ if (!(condition)) \ - LOG("[pattern.c:%d] Assertion failure: %s", __LINE__, #condition); \ + my_syslog(LOG_ERR, _("[pattern.c:%d] Assertion failure: %s"), __LINE__, #condition); \ } while (0) /** @@ -139,7 +139,7 @@ int is_valid_dns_name(const char *value) (*c < 'A' || *c > 'Z') && (*c < 'a' || *c > 'z')) { - LOG("Invalid DNS name: Invalid character %c.", *c); + LOG(_("Invalid DNS name: Invalid character %c."), *c); return 0; } if (*c) @@ -148,12 +148,12 @@ int is_valid_dns_name(const char *value) { if (!*c || *c == '.') { - LOG("Invalid DNS name: Empty label."); + LOG(_("Invalid DNS name: Empty label.")); return 0; } if (*c == '-') { - LOG("Invalid DNS name: Label starts with hyphen."); + LOG(_("Invalid DNS name: Label starts with hyphen.")); return 0; } label = c; @@ -167,13 +167,13 @@ int is_valid_dns_name(const char *value) { if (c[-1] == '-') { - LOG("Invalid DNS name: Label ends with hyphen."); + LOG(_("Invalid DNS name: Label ends with hyphen.")); return 0; } size_t num_label_bytes = (size_t) (c - label); if (num_label_bytes > 63) { - LOG("Invalid DNS name: Label is too long (%zu).", num_label_bytes); + LOG(_("Invalid DNS name: Label is too long (%zu)."), num_label_bytes); return 0; } num_labels++; 
@@ -181,12 +181,12 @@ int is_valid_dns_name(const char *value) { if (num_labels < 2) { - LOG("Invalid DNS name: Not enough labels (%zu).", num_labels); + LOG(_("Invalid DNS name: Not enough labels (%zu)."), num_labels); return 0; } if (is_label_numeric) { - LOG("Invalid DNS name: Final label is fully numeric."); + LOG(_("Invalid DNS name: Final label is fully numeric.")); return 0; } if (num_label_bytes == 5 && @@ -196,12 +196,12 @@ int is_valid_dns_name(const char *value) (label[3] == 'a' || label[3] == 'A') && (label[4] == 'l' || label[4] == 'L')) { - LOG("Invalid DNS name: \"local\" pseudo-TLD."); + LOG(_("Invalid DNS name: \"local\" pseudo-TLD.")); return 0; } if (num_bytes < 1 || num_bytes > 253) { - LOG("DNS name has invalid length (%zu).", num_bytes); + LOG(_("DNS name has invalid length (%zu)."), num_bytes); return 0; } return 1; @@ -255,7 +255,7 @@ int is_valid_dns_name_pattern(const char *value) (*c < 'A' || *c > 'Z') && (*c < 'a' || *c > 'z')) { - LOG("Invalid DNS name pattern: Invalid character %c.", *c); + LOG(_("Invalid DNS name pattern: Invalid character %c."), *c); return 0; } if (*c && *c != '*') @@ -264,12 +264,12 @@ int is_valid_dns_name_pattern(const char *value) { if (!*c || *c == '.') { - LOG("Invalid DNS name pattern: Empty label."); + LOG(_("Invalid DNS name pattern: Empty label.")); return 0; } if (*c == '-') { - LOG("Invalid DNS name pattern: Label starts with hyphen."); + LOG(_("Invalid DNS name pattern: Label starts with hyphen.")); return 0; } label = c; @@ -282,7 +282,7 @@ int is_valid_dns_name_pattern(const char *value) {
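Review bot: `ASSERT` only logs at LOG_ERR and falls through, so a violated invariant in the matcher continues with whatever state it has; since the result decides whether a query is forwarded, the safer choice is to make the caller treat an assertion failure as no match (REFUSED) rather than carry on. Also check that demoting every `LOG` call to LOG_DEBUG does not hide configuration errors: `is_valid_dns_name_pattern` is presumably what rejects a malformed `--connmark-allowlist` pattern, and an operator who mistypes one should see the reason at startup without enabling debug logging, unless option.c reports it on its own.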
[Dnsmasq-discuss] [PATCH] Make comment style consistent.
Majority of code base does not use C90-style // end of line comments. This formats the few existing exceptions using /* */ for consistency. --- NOTE: This builds on top of the other patches that I just submitted. src/hash-questions.c | 14 +++--- src/pattern.c| 8 src/ubus.c | 4 ++-- 3 files changed, 13 insertions(+), 13 deletions(-) diff --git a/src/hash-questions.c b/src/hash-questions.c index 8e1559f..f41023b 100644 --- a/src/hash-questions.c +++ b/src/hash-questions.c @@ -76,9 +76,9 @@ unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name #else /* HAVE_DNSSEC || HAVE_CRYPTOHASH */ -#define SHA256_BLOCK_SIZE 32// SHA256 outputs a 32 byte digest -typedef unsigned char BYTE; // 8-bit byte -typedef unsigned int WORD; // 32-bit word, change to "long" for 16-bit machines +#define SHA256_BLOCK_SIZE 32/* SHA256 outputs a 32 byte digest */ +typedef unsigned char BYTE; /* 8-bit byte */ +typedef unsigned int WORD; /* 32-bit word, change to "long" for 16-bit machines */ typedef struct { BYTE data[64]; @@ -238,7 +238,7 @@ static void sha256_final(SHA256_CTX *ctx, BYTE hash[]) i = ctx->datalen; - // Pad whatever data is left in the buffer. + /* Pad whatever data is left in the buffer. */ if (ctx->datalen < 56) { ctx->data[i++] = 0x80; @@ -254,7 +254,7 @@ static void sha256_final(SHA256_CTX *ctx, BYTE hash[]) memset(ctx->data, 0, 56); } - // Append to the padding the total message's length in bits and transform. + /* Append to the padding the total message's length in bits and transform. */ ctx->bitlen += ctx->datalen * 8; ctx->data[63] = ctx->bitlen; ctx->data[62] = ctx->bitlen >> 8; 
@@ -266,8 +266,8 @@ static void sha256_final(SHA256_CTX *ctx, BYTE hash[]) ctx->data[56] = ctx->bitlen >> 56; sha256_transform(ctx, ctx->data); - // Since this implementation uses little endian byte ordering and SHA uses big endian, - // reverse all the bytes when copying the final state to the output hash. + /* Since this implementation uses little endian byte ordering and SHA uses big endian, + reverse all the bytes when copying the final state to the output hash. */ for (i = 0; i < 4; ++i) { hash[i] = (ctx->state[0] >> (24 - i * 8)) & 0x00ff; diff --git a/src/pattern.c b/src/pattern.c index ebcdf16..03e23b9 100644 --- a/src/pattern.c +++ b/src/pattern.c @@ -66,8 +66,8 @@ static int is_string_matching_glob_pattern( pattern_character -= 'a' - 'A'; if (pattern_character == '*') { - // zero-or-more-character wildcard - // Try to match at value_index, otherwise restart at value_index + 1 next. + /* zero-or-more-character wildcard */ + /* Try to match at value_index, otherwise restart at value_index + 1 next. */ next_pattern_index = pattern_index; pattern_index++; if (value_index < num_value_bytes) @@ -78,7 +78,7 @@ static int is_string_matching_glob_pattern( } else { - // ordinary character + /* ordinary character */ if (value_index < num_value_bytes) { char value_character = value[value_index]; @@ -249,7 +249,7 @@ int is_valid_dns_name_pattern(const char *value) for (const char *c = value;; c++) { if (*c && - *c != '*' && // Wildcard. + *c != '*' && /* Wildcard. */ *c != '-' && *c != '.' && (*c < '0' || *c > '9') && (*c < 'A' || *c > 'Z') && diff --git a/src/ubus.c b/src/ubus.c index f1cd63e..0c502ad 100644 --- a/src/ubus.c +++ b/src/ubus.c @@ -84,7 +84,7 @@ static void ubus_destroy(struct ubus_context *ubus) ubus_free(ubus); daemon->ubus = NULL; - // Forces re-initialization when we're reusing the same definitions later on. + /* Forces re-initialization when we're reusing the same definitions later on. */ ubus_object.id = 0; ubus_object_type.id = 0; } 
@@ -376,7 +376,7 @@ void ubus_event_bcast_connmark_allowlist_resolved(u32 mark, const char *name, co CHECK(blobmsg_add_string(, "value", value)); CHECK(blobmsg_add_u32(, "ttl", ttl)); - // Set timeout to allow UBus subscriber to configure firewall rules before returning. + /* Set timeout to allow UBus subscriber to configure firewall rules before returning. */ CHECK(ubus_notify(ubus, _object, "connmark-allowlist.resolved", b.head, /* timeout: */ 1000)); } #endif -- 2.30.1 (Apple Git-130) ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
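Review bot: In the `@@ -76,9` hunk of hash-questions.c the retained comment on `typedef unsigned int WORD;` (`/* 32-bit word, change to "long" for 16-bit machines */`) documents an assumption that `unsigned int` is 32 bits wide. Since the line is being touched anyway, this is the moment to replace the typedef with `uint32_t` from `<stdint.h>` (and `BYTE` with `uint8_t`) and drop the comment, so the fallback SHA-256 cannot silently produce wrong digests on a platform where the assumption does not hold.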
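Review bot: The comment converted in the `@@ -266,8` hunk (`Since this implementation uses little endian byte ordering and SHA uses big endian, reverse all the bytes ...`) is misleading: the loop beneath it, `hash[i] = (ctx->state[0] >> (24 - i * 8)) & 0x00ff;`, extracts bytes by shifting and masking, which produces big-endian output on any host regardless of its native byte order. While rewriting the comment into `/* */` style, reword it to say the state words are serialized most-significant byte first.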
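Review bot: In the pattern.c `@@ -66,8` hunk the two adjacent single-line comments (`/* zero-or-more-character wildcard */` and `/* Try to match at value_index, otherwise restart at value_index + 1 next. */`) express one thought and read better as a single block comment, the same multi-line form this patch already uses in the `@@ -266,8` hunk of hash-questions.c. Keeping one comment next to `next_pattern_index = pattern_index;` also makes it clearer that the second sentence is describing that backtracking point.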
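Review bot: The comment in the ubus.c `@@ -376,7` hunk (`Set timeout to allow UBus subscriber to configure firewall rules before returning.`) explains why `ubus_notify(..., /* timeout: */ 1000)` waits, but not what it costs: the call can block the caller for up to one second for every resolved name, and if this code runs on the same loop that serves other queries, a slow or wedged subscriber delays all of them by that amount. The comment should state that trade-off, and the `1000` deserves to be a named constant (or a configurable value) rather than a bare literal.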
[Dnsmasq-discuss] [OpenWrt] Integration of connmark based DNS filtering
>From 7694255ba440a1f53faeaae6cd034d0e1256e8a9 Mon Sep 17 00:00:00 2001 From: Etan Kissling Date: Mon, 20 Apr 2020 16:39:24 +0200 Subject: [PATCH] openwrt: Integration of connmark based DNS filtering This integrates the proposed Dnsmasq patch from email: - [PATCH v5] dnsmasq: connection track mark based DNS query filtering into OpenWrt 21.02. Signed-off-by: Etan Kissling --- This patch uses OpenWrt 21.02 as basis and may be useful for testing on OpenWrt (Ubus event monitoring, and Uci based configuration). .../services/dnsmasq/files/dnsmasq.init | 12 + ...track-mark-based-DNS-query-filtering.patch | 1262 + 2 files changed, 1274 insertions(+) create mode 100644 package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init index 680e72f..b46988f 100644 --- a/package/network/services/dnsmasq/files/dnsmasq.init +++ b/package/network/services/dnsmasq/files/dnsmasq.init @@ -172,6 +172,10 @@ append_ipset() { xappend "--ipset=$1" } +append_connmark_allowlist() { + xappend "--connmark-allowlist=$1" +} + append_interface() { network_get_device ifname "$1" || ifname="$1" xappend "--interface=$ifname" @@ -913,6 +917,14 @@ dnsmasq_start() config_list_foreach "$cfg" "rev_server" append_rev_server config_list_foreach "$cfg" "address" append_address config_list_foreach "$cfg" "ipset" append_ipset + + local connmark_allowlist_enable + config_get connmark_allowlist_enable "$cfg" connmark_allowlist_enable 0 + [ "$connmark_allowlist_enable" -gt 0 ] && { + append_parm "$cfg" "connmark_allowlist_enable" "--connmark-allowlist-enable" + config_list_foreach "$cfg" "connmark_allowlist" append_connmark_allowlist + } + [ -n "$BOOT" ] || { config_list_foreach "$cfg" "interface" append_interface config_list_foreach "$cfg" "notinterface" append_notinterface 
diff --git a/package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch b/package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch new file mode 100644 index 000..4758100 --- /dev/null +++ b/package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch 
@@ -0,0 +1,1262 @@ +From e403e6dfabd9b9c4d4b132a940987f1cf3595278 Mon Sep 17 00:00:00 2001 +From: Etan Kissling +Date: Tue, 12 Jan 2021 10:51:21 +0100 +Subject: [PATCH v5] Connection track mark based DNS query filtering. + +This extends query filtering support beyond what is currently possible +with the `--ipset` configuration option, by adding support for: +1) Specifying allowlists on a per-client basis, based on their + associated Linux connection track mark. +2) Dynamic configuration of allowlists via Ubus. +3) Reporting when a DNS query resolves or is rejected via Ubus. +4) DNS name patterns containing wildcards. + +Disallowed queries are not forwarded; they are rejected +with a REFUSED error code. + +Signed-off-by: Etan Kissling +--- +v2: Rebase to v2.83, and fix compilation when HAVE_UBUS not present. +v3: Rebase to v2.84test2. +v4: Rebase to v2.84rc2 (update copyright notice). +v5: Correct logging of `ubus_notify` errors (also in existing code). + + Makefile | 2 +- + man/dnsmasq.8 | 31 +++- + src/dnsmasq.h | 25 +++- + src/forward.c | 121 +++- + src/option.c | 134 ++ + src/pattern.c | 386 ++ + src/rfc1035.c | 82 +++ + src/ubus.c| 184 +++- + 8 files changed, 956 insertions(+), 9 deletions(-) + create mode 100644 src/pattern.c + +diff --git a/Makefile b/Makefile +index e4c3f5c..506e56b 100644 +--- a/Makefile b/Makefile +@@ -79,7 +79,7 @@ copts_conf = .copts_$(sum) + objs = cache.o rfc1035.o util.o option.o forward.o network.o \ +dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \ +helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ +- dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \ ++ dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o pattern.o \ +domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \ +poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o \ +metrics.o hash_questions.o +diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 +index ac7c9fa..04d666d 100644 +--- a/man/dnsmasq.8 b/man/dnsmasq.8 +@@ -368,7 +368,10 @@ provides service 
at that name, rather than the default which is + .TP + .B --enable-ubus[=] + Enable dnsm
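Review bot: In the dnsmasq.init `@@ -913,6` hunk, the guard `[ "$connmark_allowlist_enable" -gt 0 ]` only behaves when the option holds a decimal integer; with any other value the `[` test prints an error and evaluates false, so the whole block is silently skipped. Comparing against the default with `[ "$connmark_allowlist_enable" != 0 ]`, or validating the value first, avoids that. Note also that the flag is emitted through `append_parm "$cfg" "connmark_allowlist_enable" "--connmark-allowlist-enable"`, which appends the uci option's value to the switch, rather than through `append_bool` as on/off options elsewhere in this script; if carrying the value through is intentional (for instance a mark mask), say so in a comment next to the call, otherwise `append_bool` is the expected helper.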
Re: [Dnsmasq-discuss] DKIM / DMARC emails.
On 21.02.21, 21:54, "Dnsmasq-discuss on behalf of Simon Kelley" wrote:
> OK. It's set. Looking for feedback, good and bad.
>
> Simon.

My latest '[PATCH v5] Connection track mark based DNS query filtering.' email no longer got filtered into the junk folder, so I think the settings may be good now.

Thanks
Etan