On 2021/02/07 17:04, Christopher Zimmermann wrote:
> Hi,
>
> a year ago I added support for our pf tables to the unbound ipset module.
> Upstream does not seem eager to merge it:
> https://github.com/NLnetLabs/unbound/pull/144
>
> Implementing pf tables support was pretty straightforward. It has been more
> work to adjust the module's privilege management to allow the modules to open
> privileged files like /dev/pf and keep them open across reloads.
> This is also what upstream was unsure about.
>
> So below you find the diff against our base unbound.
>
> Should this go in? Continue to wait for upstream?
> Suggestions for improvement?
I would not be happy about including this in base unbound. Partly because it is a large diff to carry, partly because unbound is a much more complex process than I'd be happy with having direct access to reconfigure PF. The whole approach (including for linux ipset) doesn't seem ideal to me. It would seem much better to have this done out-of-process with a communication mechanism to allow sending the addresses across, then unbound wouldn't need firewall-specific knowledge in the code, and there's a clear separation of privilege.
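The out-of-process split suggested in this reply, as an added example that is not code from the thread, from unbound or from the pf tables patch: a privileged helper receives addresses from the resolver over a constructed line protocol, validates each request against a closed set of operations and tables, and is the only process that invokes pfctl. The message format, the helper's structure and the table name `blocklist` are assumptions; `pfctl -t <table> -T add|delete <address>` is the standard pf table interface.

```python
import ipaddress
import re
import subprocess

# Constructed line protocol for the privileged helper (an assumption of this example):
# one request per line, "<add|delete> <table> <address>", e.g. "add blocklist 192.0.2.10".
TABLE_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_-]{0,63}$")
ALLOWED_OPS = ("add", "delete")

def parse_request(line, allowed_tables):
    """Validate one request line; return (op, table, address) or raise ValueError.
    The helper trusts nothing from the resolver side: operation, table name and
    address are each checked against a closed set or a strict parser."""
    parts = line.strip().split()
    if len(parts) != 3:
        raise ValueError("expected '<op> <table> <address>'")
    op, table, addr = parts
    if op not in ALLOWED_OPS:
        raise ValueError(f"unsupported operation {op!r}")
    if not TABLE_RE.match(table) or table not in allowed_tables:
        raise ValueError(f"table {table!r} not permitted")
    # ipaddress.ip_address accepts only a literal v4/v6 address; prefixes, hostnames
    # and anything carrying shell metacharacters raise ValueError here.
    return op, table, str(ipaddress.ip_address(addr))

def pfctl_argv(op, table, address):
    """Build the pfctl invocation in argv form, so no shell is ever involved."""
    return ["pfctl", "-t", table, "-T", op, address]

def serve(lines, allowed_tables, run=subprocess.run):
    """Handle request lines from the unprivileged side; return one status per line.
    `run` is injectable so the dispatch logic can be exercised without pfctl."""
    results = []
    for line in lines:
        try:
            op, table, addr = parse_request(line, allowed_tables)
        except ValueError as exc:
            results.append(f"error: {exc}")
            continue
        run(pfctl_argv(op, table, addr), check=True)
        results.append(f"ok: {op} {addr} {table}")
    return results

if __name__ == "__main__":
    import sys
    # Real use: the resolver writes requests to this helper's stdin (pipe or socket);
    # only this process needs the privileges to run pfctl.
    print("\n".join(serve(sys.stdin, {"blocklist"})))
```

Because the helper rejects anything that is not a literal address in a permitted table, the resolver side can be fully unprivileged and carries no pf-specific code at all.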