This integrates the proposed Dnsmasq patch from email:
- [PATCH v5] dnsmasq: connection track mark based DNS query filtering
into OpenWrt 21.02.
Signed-off-by: Etan Kissling <etan_kissl...@apple.com>
(updated to latest patch)
Signed-off-by: Etan Kissling <etan.kissl...@gmail.com>
---
Etan Kissling <etan.kissl...@gmail.com>:
v2: Update to v6 of underlying dnsmasq patch.
v3: Update to v7 of underlying dnsmasq patch.
.../services/dnsmasq/files/dnsmasq.init | 12 +
...track-mark-based-DNS-query-filtering.patch | 1320 +++++++++++++++++
2 files changed, 1332 insertions(+)
create mode 100644
package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch
diff --git a/package/network/services/dnsmasq/files/dnsmasq.init
b/package/network/services/dnsmasq/files/dnsmasq.init
index 680e72f..b46988f 100644
--- a/package/network/services/dnsmasq/files/dnsmasq.init
+++ b/package/network/services/dnsmasq/files/dnsmasq.init
@@ -172,6 +172,10 @@ append_ipset() {
xappend "--ipset=$1"
}
+append_connmark_allowlist() {
+ xappend "--connmark-allowlist=$1"
+}
+
append_interface() {
network_get_device ifname "$1" || ifname="$1"
xappend "--interface=$ifname"
@@ -913,6 +917,14 @@ dnsmasq_start()
config_list_foreach "$cfg" "rev_server" append_rev_server
config_list_foreach "$cfg" "address" append_address
config_list_foreach "$cfg" "ipset" append_ipset
+
+ local connmark_allowlist_enable
+ config_get connmark_allowlist_enable "$cfg" connmark_allowlist_enable 0
+ [ "$connmark_allowlist_enable" -gt 0 ] && {
+ append_parm "$cfg" "connmark_allowlist_enable"
"--connmark-allowlist-enable"
+ config_list_foreach "$cfg" "connmark_allowlist"
append_connmark_allowlist
+ }
+
[ -n "$BOOT" ] || {
config_list_foreach "$cfg" "interface" append_interface
config_list_foreach "$cfg" "notinterface" append_notinterface
diff --git
a/package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch
b/package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch
new file mode 100644
index 0000000..bb3533e
--- /dev/null
+++
b/package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch
@@ -0,0 +1,1320 @@
+From 462371dc003ac17f2fb36935c68314063e2c5dfd Mon Sep 17 00:00:00 2001
+From: Etan Kissling <etan_kissl...@apple.com>
+Date: Tue, 12 Jan 2021 10:51:21 +0100
+Subject: [PATCH v7] Connection track mark based DNS query filtering.
+
+This extends query filtering support beyond what is currently possible
+with the `--ipset` configuration option, by adding support for:
+1) Specifying allowlists on a per-client basis, based on their
+ associated Linux connection track mark.
+2) Dynamic configuration of allowlists via Ubus.
+3) Reporting when a DNS query resolves or is rejected via Ubus.
+4) DNS name patterns containing wildcards.
+
+Disallowed queries are not forwarded; they are rejected
+with a REFUSED error code.
+
+Signed-off-by: Etan Kissling <etan_kissl...@apple.com>
+(addressed reviewer feedback)
+Signed-off-by: Etan Kissling <etan.kissl...@gmail.com>
+---
+v2: Rebase to v2.83, and fix compilation when HAVE_UBUS not present.
+v3: Rebase to v2.84test2.
+v4: Rebase to v2.84rc2 (update copyright notice).
+v5: Correct logging of `ubus_notify` errors (also in existing code).
+
+Etan Kissling <etan.kissl...@gmail.com>:
+v6: Integrate checks for weird queries into `extract_request`.
+ Skip Ubus reporting when daemon->namebuff is not initialized.
+ Fix options parsing for mark / mask with bit 31 set.
+ Disable filtering for external queries (`auth_dns && !local_auth`).
+ Report all CNAME RRs via Ubus instead of just a (potential) subset.
+ Avoid redundant `is_valid_dns_name` evaluations.
+ Unify DNS name pattern matching logic across transports (UDP / TCP).
+v7: Fix typos and adjust code style to project.
+
+ Makefile | 2 +-
+ man/dnsmasq.8 | 31 +++-
+ src/dnsmasq.h | 25 +++-
+ src/forward.c | 134 +++++++++++++++++-
+ src/option.c | 151 ++++++++++++++++++++
+ src/pattern.c | 386 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ src/rfc1035.c | 77 +++++++++-
+ src/ubus.c | 184 +++++++++++++++++++++++-
+ 8 files changed, 980 insertions(+), 10 deletions(-)
+ create mode 100644 src/pattern.c
+
+diff --git a/Makefile b/Makefile
+index e4c3f5c..506e56b 100644
+--- a/Makefile
++++ b/Makefile
+@@ -79,7 +79,7 @@ copts_conf = .copts_$(sum)
+ objs = cache.o rfc1035.o util.o option.o forward.o network.o \
+ dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \
+ helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \
+- dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \
++ dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o pattern.o \
+ domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \
+ poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o \
+ metrics.o hash_questions.o
+diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
+index ac7c9fa..04d666d 100644
+--- a/man/dnsmasq.8
++++ b/man/dnsmasq.8
+@@ -368,7 +368,10 @@ provides service at that name, rather than the default
which is
+ .TP
+ .B --enable-ubus[=<service-name>]
+ Enable dnsmasq UBus interface. It sends notifications via UBus on
+-DHCPACK and DHCPRELEASE events. Furthermore it offers metrics.
++DHCPACK and DHCPRELEASE events. Furthermore it offers metrics
++and allows configuration of Linux connection track mark based filtering.
++When DNS query filtering based on Linux connection track marks is enabled
++UBus notifications are generated for each resolved or filtered DNS query.
+ Requires that dnsmasq has been built with UBus support. If the service
+ name is given, dnsmasq provides service at that namespace, rather than
+ the default which is
+@@ -533,6 +536,32 @@ These IP sets must already exist. See
+ .BR ipset (8)
+ for more details.
+ .TP
++.B --connmark-allowlist-enable[=<mask>]
++Enables filtering of incoming DNS queries with associated Linux connection
track marks
++according to individual allowlists configured via a series of
\fB--connmark-allowlist\fP
++options. Disallowed queries are not forwarded; they are rejected with a
REFUSED error code.
++DNS queries are only allowed if they do not have an associated Linux
connection
++track mark, or if the queried domains match the configured DNS patterns for
the
++associated Linux connection track mark. If no allowlist is configured for a
++Linux connection track mark, all DNS queries associated with that mark are
rejected.
++If a mask is specified, Linux connection track marks are first bitwise ANDed
++with the given mask before being processed.
++.TP
++.B --connmark-allowlist=<connmark>[/<mask>][,<pattern>[/<pattern>...]]
++Configures the DNS patterns that are allowed in DNS queries associated with
++the given Linux connection track mark.
++If a mask is specified, Linux connection track marks are first bitwise ANDed
++with the given mask before they are compared to the given connection track
mark.
++Patterns follow the syntax of DNS names, but additionally allow the wildcard
++character "*" to be used up to twice per label to match 0 or more characters
++within that label. Note that the wildcard never matches a dot (e.g.,
"*.example.com"
++matches "api.example.com" but not "api.us.example.com"). Patterns must be
++fully qualified, i.e., consist of at least two labels. The final label must
not be
++fully numeric, and must not be the "local" pseudo-TLD. A pattern must end
with at least
++two literal (non-wildcard) labels.
++Instead of a pattern, "*" can be specified to disable allowlist filtering
++for a given Linux connection track mark entirely.
++.TP
+ .B \-m, --mx-host=<mx name>[[,<hostname>],<preference>]
+ Return an MX record named <mx name> pointing to the given hostname (if
+ given), or
+diff --git a/src/dnsmasq.h b/src/dnsmasq.h
+index e770454..b48e433 100644
+--- a/src/dnsmasq.h
++++ b/src/dnsmasq.h
+@@ -273,7 +273,8 @@ struct event_desc {
+ #define OPT_IGNORE_CLID 59
+ #define OPT_SINGLE_PORT 60
+ #define OPT_LEASE_RENEW 61
+-#define OPT_LAST 62
++#define OPT_CMARK_ALST_EN 62
++#define OPT_LAST 63
+
+ #define OPTION_BITS (sizeof(unsigned int)*8)
+ #define OPTION_SIZE ( (OPT_LAST/OPTION_BITS)+((OPT_LAST%OPTION_BITS)!=0) )
+@@ -567,6 +568,12 @@ struct ipsets {
+ struct ipsets *next;
+ };
+
++struct allowlist {
++ uint32_t mark, mask;
++ char **patterns;
++ struct allowlist *next;
++};
++
+ struct irec {
+ union mysockaddr addr;
+ struct in_addr netmask; /* only valid for IPv4 */
+@@ -1042,6 +1049,8 @@ extern struct daemon {
+ struct bogus_addr *bogus_addr, *ignore_addr;
+ struct server *servers;
+ struct ipsets *ipsets;
++ uint32_t allowlist_mask;
++ struct allowlist *allowlists;
+ int log_fac; /* log facility */
+ char *log_file; /* optional log file */
+ int max_logs; /* queue limit */
+@@ -1231,6 +1240,9 @@ size_t setup_reply(struct dns_header *header, size_t
qlen,
+ int extract_addresses(struct dns_header *header, size_t qlen, char *name,
+ time_t now, char **ipsets, int is_sign, int check_rebind,
+ int no_cache_dnssec, int secure, int *doctored);
++#if defined(HAVE_CONNTRACK) && defined(HAVE_UBUS)
++void report_addresses(struct dns_header *header, size_t len, uint32_t mark);
++#endif
+ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
+ struct in_addr local_addr, struct in_addr local_netmask,
+ time_t now, int ad_reqd, int do_bit, int
have_pseudoheader);
+@@ -1504,6 +1516,10 @@ void ubus_init(void);
+ void set_ubus_listeners(void);
+ void check_ubus_listeners(void);
+ void ubus_event_bcast(const char *type, const char *mac, const char *ip,
const char *name, const char *interface);
++# ifdef HAVE_CONNTRACK
++void ubus_event_bcast_connmark_allowlist_refused(uint32_t mark, const char
*name);
++void ubus_event_bcast_connmark_allowlist_resolved(uint32_t mark, const char
*pattern, const char *ip, uint32_t ttl);
++# endif
+ #endif
+
+ /* ipset.c */
+@@ -1512,6 +1528,13 @@ void ipset_init(void);
+ int add_to_ipset(const char *setname, const union all_addr *ipaddr, int
flags, int remove);
+ #endif
+
++/* pattern.c */
++#ifdef HAVE_CONNTRACK
++int is_valid_dns_name(const char *value);
++int is_valid_dns_name_pattern(const char *value);
++int is_dns_name_matching_pattern(const char *name, const char *pattern);
++#endif
++
+ /* helper.c */
+ #if defined(HAVE_SCRIPT)
+ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long
max_fd);
+diff --git a/src/forward.c b/src/forward.c
+index 8fb0327..61592a8 100644
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -614,6 +614,15 @@ static int forward_query(int udpfd, union mysockaddr
*udpaddr,
+ plen = setup_reply(header, plen, addrp, flags, daemon->local_ttl);
+ if (oph)
+ plen = add_pseudoheader(header, plen, ((unsigned char *) header) +
PACKETSZ, daemon->edns_pktsz, 0, NULL, 0, do_bit, 0);
++#if defined(HAVE_CONNTRACK) && defined(HAVE_UBUS)
++ if (option_bool(OPT_CMARK_ALST_EN))
++ {
++ unsigned int mark;
++ int have_mark = get_incoming_mark(udpaddr, dst_addr, /* istcp: */ 0,
&mark);
++ if (have_mark && ((uint32_t) mark & daemon->allowlist_mask))
++ report_addresses(header, plen, mark);
++ }
++#endif
+ send_from(udpfd, option_bool(OPT_NOWILD) ||
option_bool(OPT_CLEVERBIND), (char *)header, plen, udpaddr, dst_addr,
dst_iface);
+ }
+
+@@ -1301,6 +1310,15 @@ void reply_query(int fd, int family, time_t now)
+ dump_packet(DUMP_REPLY, daemon->packet, (size_t)nn, NULL,
&src->source);
+ #endif
+
++#if defined(HAVE_CONNTRACK) && defined(HAVE_UBUS)
++ if (option_bool(OPT_CMARK_ALST_EN))
++ {
++ unsigned int mark;
++ int have_mark = get_incoming_mark(&src->source, &src->dest,
/* istcp: */ 0, &mark);
++ if (have_mark && ((uint32_t) mark & daemon->allowlist_mask))
++ report_addresses(header, nn, mark);
++ }
++#endif
+ send_from(src->fd, option_bool(OPT_NOWILD) || option_bool
(OPT_CLEVERBIND), daemon->packet, nn,
+ &src->source, &src->dest, src->iface);
+
+@@ -1318,6 +1336,31 @@ void reply_query(int fd, int family, time_t now)
+ }
+
+
++#ifdef HAVE_CONNTRACK
++static int is_query_allowed_for_mark(uint32_t mark, const char *name)
++{
++ int is_allowable_name, did_validate_name = 0;
++ struct allowlist *allowlists;
++ char **patterns_pos;
++
++ for (allowlists = daemon->allowlists; allowlists; allowlists =
allowlists->next)
++ if (allowlists->mark == (mark & daemon->allowlist_mask &
allowlists->mask))
++ for (patterns_pos = allowlists->patterns; *patterns_pos; patterns_pos++)
++ {
++ if (!strcmp(*patterns_pos, "*"))
++ return 1;
++ if (!did_validate_name)
++ {
++ is_allowable_name = name ? is_valid_dns_name(name) : 0;
++ did_validate_name = 1;
++ }
++ if (is_allowable_name && is_dns_name_matching_pattern(name,
*patterns_pos))
++ return 1;
++ }
++ return 0;
++}
++#endif
++
+ void receive_query(struct listener *listen, time_t now)
+ {
+ struct dns_header *header = (struct dns_header *)daemon->packet;
+@@ -1329,6 +1372,11 @@ void receive_query(struct listener *listen, time_t now)
+ size_t m;
+ ssize_t n;
+ int if_index = 0, auth_dns = 0, do_bit = 0, have_pseudoheader = 0;
++#ifdef HAVE_CONNTRACK
++ unsigned int mark = 0;
++ int have_mark = 0;
++ int is_single_query = 0, allowed = 1;
++#endif
+ #ifdef HAVE_AUTH
+ int local_auth = 0;
+ #endif
+@@ -1557,6 +1605,11 @@ void receive_query(struct listener *listen, time_t now)
+ #ifdef HAVE_DUMPFILE
+ dump_packet(DUMP_QUERY, daemon->packet, (size_t)n, &source_addr, NULL);
+ #endif
++
++#ifdef HAVE_CONNTRACK
++ if (option_bool(OPT_CMARK_ALST_EN))
++ have_mark = get_incoming_mark(&source_addr, &dst_addr, /* istcp: */ 0,
&mark);
++#endif
+
+ if (extract_request(header, (size_t)n, daemon->namebuff, &type))
+ {
+@@ -1571,6 +1624,10 @@ void receive_query(struct listener *listen, time_t now)
+ else
+ log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
+ (union all_addr *)&source_addr.in6.sin6_addr, types);
++
++#ifdef HAVE_CONNTRACK
++ is_single_query = 1;
++#endif
+
+ #ifdef HAVE_AUTH
+ /* find queries for zones we're authoritative for, and answer them
directly */
+@@ -1612,20 +1669,50 @@ void receive_query(struct listener *listen, time_t now)
+ udp_size = PACKETSZ; /* Sanity check - can't reduce below default. RFC
6891 6.2.3 */
+ }
+
++#ifdef HAVE_CONNTRACK
+ #ifdef HAVE_AUTH
+- if (auth_dns)
++ if (!auth_dns || local_auth)
++#endif
++ if (option_bool(OPT_CMARK_ALST_EN) && have_mark && ((uint32_t) mark &
daemon->allowlist_mask))
++ allowed = is_query_allowed_for_mark((uint32_t) mark, is_single_query ?
daemon->namebuff : NULL);
++#endif
++
++ if (0);
++#ifdef HAVE_CONNTRACK
++ else if (!allowed)
++ {
++#ifdef HAVE_UBUS
++ if (is_single_query)
++ ubus_event_bcast_connmark_allowlist_refused(mark, daemon->namebuff);
++#endif
++ m = setup_reply(header, n, /* addrp: */ NULL, /* flags: */ 0, /* ttl:
*/ 0);
++ if (m >= 1)
++ {
++ send_from(listen->fd, option_bool(OPT_NOWILD) ||
option_bool(OPT_CLEVERBIND),
++ (char *)header, m, &source_addr, &dst_addr, if_index);
++ daemon->metrics[METRIC_DNS_LOCAL_ANSWERED]++;
++ }
++ }
++#endif
++#ifdef HAVE_AUTH
++ else if (auth_dns)
+ {
+ m = answer_auth(header, ((char *) header) + udp_size, (size_t)n, now,
&source_addr,
+ local_auth, do_bit, have_pseudoheader);
+ if (m >= 1)
+ {
++#if defined(HAVE_CONNTRACK) && defined(HAVE_UBUS)
++ if (local_auth)
++ if (option_bool(OPT_CMARK_ALST_EN) && have_mark && ((uint32_t) mark
& daemon->allowlist_mask))
++ report_addresses(header, m, mark);
++#endif
+ send_from(listen->fd, option_bool(OPT_NOWILD) ||
option_bool(OPT_CLEVERBIND),
+ (char *)header, m, &source_addr, &dst_addr, if_index);
+ daemon->metrics[METRIC_DNS_AUTH_ANSWERED]++;
+ }
+ }
+- else
+ #endif
++ else
+ {
+ int ad_reqd = do_bit;
+ /* RFC 6840 5.7 */
+@@ -1637,6 +1724,10 @@ void receive_query(struct listener *listen, time_t now)
+
+ if (m >= 1)
+ {
++#if defined(HAVE_CONNTRACK) && defined(HAVE_UBUS)
++ if (option_bool(OPT_CMARK_ALST_EN) && have_mark && ((uint32_t) mark &
daemon->allowlist_mask))
++ report_addresses(header, m, mark);
++#endif
+ send_from(listen->fd, option_bool(OPT_NOWILD) ||
option_bool(OPT_CLEVERBIND),
+ (char *)header, m, &source_addr, &dst_addr, if_index);
+ daemon->metrics[METRIC_DNS_LOCAL_ANSWERED]++;
+@@ -1827,6 +1918,9 @@ unsigned char *tcp_request(int confd, time_t now,
+ {
+ size_t size = 0;
+ int norebind = 0;
++#ifdef HAVE_CONNTRACK
++ int is_single_query = 0, allowed = 1;
++#endif
+ #ifdef HAVE_AUTH
+ int local_auth = 0;
+ #endif
+@@ -1859,7 +1953,7 @@ unsigned char *tcp_request(int confd, time_t now,
+
+ #ifdef HAVE_CONNTRACK
+ /* Get connection mark of incoming query to set on outgoing connections. */
+- if (option_bool(OPT_CONNTRACK))
++ if (option_bool(OPT_CONNTRACK) || option_bool(OPT_CMARK_ALST_EN))
+ {
+ union all_addr local;
+
+@@ -1943,6 +2037,10 @@ unsigned char *tcp_request(int confd, time_t now,
+ log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
+ (union all_addr *)&peer_addr.in6.sin6_addr, types);
+
++#ifdef HAVE_CONNTRACK
++ is_single_query = 1;
++#endif
++
+ #ifdef HAVE_AUTH
+ /* find queries for zones we're authoritative for, and answer them
directly */
+ if (!auth_dns && !option_bool(OPT_LOCALISE))
+@@ -1974,13 +2072,32 @@ unsigned char *tcp_request(int confd, time_t now,
+ if (flags & 0x8000)
+ do_bit = 1; /* do bit */
+ }
++
++#ifdef HAVE_CONNTRACK
++#ifdef HAVE_AUTH
++ if (!auth_dns || local_auth)
++#endif
++ if (option_bool(OPT_CMARK_ALST_EN) && have_mark && ((uint32_t) mark &
daemon->allowlist_mask))
++ allowed = is_query_allowed_for_mark((uint32_t) mark, is_single_query
? daemon->namebuff : NULL);
++#endif
+
++ if (0);
++#ifdef HAVE_CONNTRACK
++ else if (!allowed)
++ {
++#ifdef HAVE_UBUS
++ if (is_single_query)
++ ubus_event_bcast_connmark_allowlist_refused(mark, daemon->namebuff);
++#endif
++ m = setup_reply(header, size, /* addrp: */ NULL, /* flags: */ 0, /*
ttl: */ 0);
++ }
++#endif
+ #ifdef HAVE_AUTH
+- if (auth_dns)
++ else if (auth_dns)
+ m = answer_auth(header, ((char *) header) + 65536, (size_t)size, now,
&peer_addr,
+ local_auth, do_bit, have_pseudoheader);
+- else
+ #endif
++ else
+ {
+ int ad_reqd = do_bit;
+ /* RFC 6840 5.7 */
+@@ -2208,6 +2325,13 @@ unsigned char *tcp_request(int confd, time_t now,
+
+ *length = htons(m);
+
++#if defined(HAVE_CONNTRACK) && defined(HAVE_UBUS)
++#ifdef HAVE_AUTH
++ if (!auth_dns || local_auth)
++#endif
++ if (m != 0 && option_bool(OPT_CMARK_ALST_EN) && have_mark &&
((uint32_t) mark & daemon->allowlist_mask))
++ report_addresses(header, m, mark);
++#endif
+ if (m == 0 || !read_write(confd, packet, m + sizeof(u16), 0))
+ return packet;
+ }
+diff --git a/src/option.c b/src/option.c
+index 0a72406..312d15f 100644
+--- a/src/option.c
++++ b/src/option.c
+@@ -168,6 +168,8 @@ struct myoption {
+ #define LOPT_SINGLE_PORT 359
+ #define LOPT_SCRIPT_TIME 360
+ #define LOPT_PXE_VENDOR 361
++#define LOPT_CMARK_ALST_EN 362
++#define LOPT_CMARK_ALST 363
+
+ #ifdef HAVE_GETOPT_LONG
+ static const struct option opts[] =
+@@ -321,6 +323,8 @@ static const struct myoption opts[] =
+ { "auth-sec-servers", 1, 0, LOPT_AUTHSFS },
+ { "auth-peer", 1, 0, LOPT_AUTHPEER },
+ { "ipset", 1, 0, LOPT_IPSET },
++ { "connmark-allowlist-enable", 2, 0, LOPT_CMARK_ALST_EN },
++ { "connmark-allowlist", 1, 0, LOPT_CMARK_ALST },
+ { "synth-domain", 1, 0, LOPT_SYNTH },
+ { "dnssec", 0, 0, LOPT_SEC_VALID },
+ { "trust-anchor", 1, 0, LOPT_TRUST_ANCHOR },
+@@ -501,6 +505,8 @@ static struct {
+ { LOPT_AUTHSFS, ARG_DUP, "<NS>[,<NS>...]", gettext_noop("Secondary
authoritative nameservers for forward domains"), NULL },
+ { LOPT_AUTHPEER, ARG_DUP, "<ipaddr>[,<ipaddr>...]", gettext_noop("Peers
which are allowed to do zone transfer"), NULL },
+ { LOPT_IPSET, ARG_DUP, "/<domain>[/<domain>...]/<ipset>...",
gettext_noop("Specify ipsets to which matching domains should be added"), NULL
},
++ { LOPT_CMARK_ALST_EN, ARG_ONE, "[=<mask>]", gettext_noop("Enable filtering
of DNS queries with connection-track marks."), NULL },
++ { LOPT_CMARK_ALST, ARG_DUP,
"<connmark>[/<mask>][,<pattern>[/<pattern>...]]", gettext_noop("Set allowed DNS
patterns for a connection-track mark."), NULL },
+ { LOPT_SYNTH, ARG_DUP, "<domain>,<range>,[<prefix>]", gettext_noop("Specify
a domain and address range for synthesised names"), NULL },
+ { LOPT_SEC_VALID, OPT_DNSSEC_VALID, NULL, gettext_noop("Activate DNSSEC
validation"), NULL },
+ { LOPT_TRUST_ANCHOR, ARG_DUP, "<domain>,[<class>],...",
gettext_noop("Specify trust anchor key digest."), NULL },
+@@ -647,6 +653,22 @@ static char *canonicalise_opt(char *s)
+ return ret;
+ }
+
++#ifdef HAVE_CONNTRACK
++static int strtoul_check(char *a, unsigned long *res)
++{
++ if (!a)
++ return 0;
++
++ unhide_metas(a);
++
++ *res = strtoul(a, NULL, 0);
++ if (errno)
++ return 0;
++
++ return 1;
++}
++#endif
++
+ static int atoi_check(char *a, int *res)
+ {
+ char *p;
+@@ -2743,6 +2765,135 @@ static int one_opt(int option, char *arg, char
*errstr, char *gen_err, int comma
+ }
+ #endif
+
++ case LOPT_CMARK_ALST_EN: /* --connmark-allowlist-enable */
++#ifndef HAVE_CONNTRACK
++ ret_err(_("recompile with HAVE_CONNTRACK defined to enable
connmark-allowlist directives"));
++ break;
++#else
++ {
++ unsigned long mask = UINT32_MAX;
++
++ if (arg)
++ if (!strtoul_check(arg, &mask) || mask < 1 || mask > UINT32_MAX)
++ ret_err(gen_err);
++
++ set_option_bool(OPT_CMARK_ALST_EN);
++ daemon->allowlist_mask = (uint32_t) mask;
++ break;
++ }
++#endif
++
++ case LOPT_CMARK_ALST: /* --connmark-allowlist */
++#ifndef HAVE_CONNTRACK
++ ret_err(_("recompile with HAVE_CONNTRACK defined to enable
connmark-allowlist directives"));
++ break;
++#else
++ {
++ struct allowlist *allowlists;
++ char **patterns, **patterns_pos;
++ unsigned long mark, mask = UINT32_MAX;
++ size_t num_patterns = 0;
++
++ char *c, *m = NULL;
++ char *separator;
++ unhide_metas(arg);
++ if (!arg)
++ ret_err(gen_err);
++ c = arg;
++ if (*c < '0' || *c > '9')
++ ret_err(gen_err);
++ while (*c && *c != ',')
++ {
++ if (*c == '/')
++ {
++ if (m)
++ ret_err(gen_err);
++ *c = '\0';
++ m = ++c;
++ }
++ if (*c < '0' || *c > '9')
++ ret_err(gen_err);
++ c++;
++ }
++ separator = c;
++ if (!*separator)
++ break;
++ while (c && *c)
++ {
++ char *end = strchr(++c, '/');
++ if (end)
++ *end = '\0';
++ if (strcmp(c, "*") && !is_valid_dns_name_pattern(c))
++ ret_err(gen_err);
++ if (end)
++ *end = '/';
++ if (num_patterns >= UINT16_MAX - 1)
++ ret_err(gen_err);
++ num_patterns++;
++ c = end;
++ }
++
++ *separator = '\0';
++ if (!strtoul_check(arg, &mark) || mark < 1 || mark > UINT32_MAX)
++ ret_err(gen_err);
++ if (m)
++ if (!strtoul_check(m, &mask) || mask < 1 || mask > UINT32_MAX ||
(mark & ~mask))
++ ret_err(gen_err);
++ if (num_patterns)
++ *separator = ',';
++ for (allowlists = daemon->allowlists; allowlists; allowlists =
allowlists->next)
++ if (allowlists->mark == (uint32_t) mark && allowlists->mask ==
(uint32_t) mask)
++ ret_err(gen_err);
++
++ patterns = opt_malloc((num_patterns + 1) * sizeof(char *));
++ if (!patterns)
++ goto fail_cmark_allowlist;
++ patterns_pos = patterns;
++ c = separator;
++ while (c && *c)
++ {
++ char *end = strchr(++c, '/');
++ if (end)
++ *end = '\0';
++ if (!(*patterns_pos++ = opt_string_alloc(c)))
++ goto fail_cmark_allowlist;
++ if (end)
++ *end = '/';
++ c = end;
++ }
++ *patterns_pos++ = NULL;
++
++ allowlists = opt_malloc(sizeof(struct allowlist));
++ if (!allowlists)
++ goto fail_cmark_allowlist;
++ memset(allowlists, 0, sizeof(struct allowlist));
++ allowlists->mark = (uint32_t) mark;
++ allowlists->mask = (uint32_t) mask;
++ allowlists->patterns = patterns;
++ allowlists->next = daemon->allowlists;
++ daemon->allowlists = allowlists;
++ break;
++
++ fail_cmark_allowlist:
++ if (patterns)
++ {
++ for (patterns_pos = patterns; *patterns_pos; patterns_pos++)
++ {
++ free(*patterns_pos);
++ *patterns_pos = NULL;
++ }
++ free(patterns);
++ patterns = NULL;
++ }
++ if (allowlists)
++ {
++ free(allowlists);
++ allowlists = NULL;
++ }
++ ret_err(gen_err);
++ }
++#endif
++
+ case 'c': /* --cache-size */
+ {
+ int size;
+diff --git a/src/pattern.c b/src/pattern.c
+new file mode 100644
+index 0000000..74f5801
+--- /dev/null
++++ b/src/pattern.c
+@@ -0,0 +1,386 @@
++/* dnsmasq is Copyright (c) 2000-2021 Simon Kelley
++
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation; version 2 dated June, 1991, or
++ (at your option) version 3 dated 29 June, 2007.
++
++ This program is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ GNU General Public License for more details.
++
++ You should have received a copy of the GNU General Public License
++ along with this program. If not, see <http://www.gnu.org/licenses/>.
++*/
++
++#include "dnsmasq.h"
++
++#ifdef HAVE_CONNTRACK
++
++#define LOG(...) \
++ do { \
++ my_syslog(LOG_WARNING, __VA_ARGS__); \
++ } while (0)
++
++#define ASSERT(condition) \
++ do { \
++ if (!(condition)) \
++ LOG("[pattern.c:%d] Assertion failure: %s", __LINE__, #condition); \
++ } while (0)
++
++/**
++ * Determines whether a given string value matches against a glob pattern
++ * which may contain zero-or-more-character wildcards denoted by '*'.
++ *
++ * Based on "Glob Matching Can Be Simple And Fast Too" by Russ Cox,
++ * See https://research.swtch.com/glob
++ *
++ * @param value A string value.
++ * @param num_value_bytes The number of bytes of the string value.
++ * @param pattern A glob pattern.
++ * @param num_pattern_bytes The number of bytes of the glob pattern.
++ *
++ * @return 1 If the provided value matches against the
glob pattern.
++ * @return 0 Otherwise.
++ */
++static int is_string_matching_glob_pattern(
++ const char *value,
++ size_t num_value_bytes,
++ const char *pattern,
++ size_t num_pattern_bytes)
++{
++ ASSERT(value);
++ ASSERT(pattern);
++
++ size_t value_index = 0;
++ size_t next_value_index = 0;
++ size_t pattern_index = 0;
++ size_t next_pattern_index = 0;
++ while (value_index < num_value_bytes || pattern_index < num_pattern_bytes)
++ {
++ if (pattern_index < num_pattern_bytes)
++ {
++ char pattern_character = pattern[pattern_index];
++ if ('a' <= pattern_character && pattern_character <= 'z')
++ pattern_character -= 'a' - 'A';
++ if (pattern_character == '*')
++ {
++ // zero-or-more-character wildcard
++ // Try to match at value_index, otherwise restart at value_index
+ 1 next.
++ next_pattern_index = pattern_index;
++ pattern_index++;
++ if (value_index < num_value_bytes)
++ next_value_index = value_index + 1;
++ else
++ next_value_index = 0;
++ continue;
++ }
++ else
++ {
++ // ordinary character
++ if (value_index < num_value_bytes)
++ {
++ char value_character = value[value_index];
++ if ('a' <= value_character && value_character <= 'z')
++ value_character -= 'a' - 'A';
++ if (value_character == pattern_character)
++ {
++ pattern_index++;
++ value_index++;
++ continue;
++ }
++ }
++ }
++ }
++ if (next_value_index)
++ {
++ pattern_index = next_pattern_index;
++ value_index = next_value_index;
++ continue;
++ }
++ return 0;
++ }
++ return 1;
++}
++
++/**
++ * Determines whether a given string value represents a valid DNS name.
++ *
++ * - DNS names must adhere to RFC 1123: 1 to 253 characters in length,
consisting of a sequence of labels
++ * delimited by dots ("."). Each label must be 1 to 63 characters in
length, contain only
++ * ASCII letters ("a"-"Z"), digits ("0"-"9"), or hyphens ("-") and must not
start or end with a hyphen.
++ *
++ * - A valid name must be fully qualified, i.e., consist of at least two
labels.
++ * The final label must not be fully numeric, and must not be the "local"
pseudo-TLD.
++ *
++ * - Examples:
++ * Valid: "example.com"
++ * Invalid: "ipcamera", "ipcamera.local", "8.8.8.8"
++ *
++ * @param value A string value.
++ *
++ * @return 1 If the provided string value is a valid
DNS name.
++ * @return 0 Otherwise.
++ */
++int is_valid_dns_name(const char *value)
++{
++ ASSERT(value);
++
++ size_t num_bytes = 0;
++ size_t num_labels = 0;
++ const char *label = NULL;
++ int is_label_numeric = 1;
++ for (const char *c = value;; c++)
++ {
++ if (*c &&
++ *c != '-' && *c != '.' &&
++ (*c < '0' || *c > '9') &&
++ (*c < 'A' || *c > 'Z') &&
++ (*c < 'a' || *c > 'z'))
++ {
++ LOG("Invalid DNS name: Invalid character %c.", *c);
++ return 0;
++ }
++ if (*c)
++ num_bytes++;
++ if (!label)
++ {
++ if (!*c || *c == '.')
++ {
++ LOG("Invalid DNS name: Empty label.");
++ return 0;
++ }
++ if (*c == '-')
++ {
++ LOG("Invalid DNS name: Label starts with hyphen.");
++ return 0;
++ }
++ label = c;
++ }
++ if (*c && *c != '.')
++ {
++ if (*c < '0' || *c > '9')
++ is_label_numeric = 0;
++ }
++ else
++ {
++ if (c[-1] == '-')
++ {
++ LOG("Invalid DNS name: Label ends with hyphen.");
++ return 0;
++ }
++ size_t num_label_bytes = (size_t) (c - label);
++ if (num_label_bytes > 63)
++ {
++ LOG("Invalid DNS name: Label is too long (%zu).",
num_label_bytes);
++ return 0;
++ }
++ num_labels++;
++ if (!*c)
++ {
++ if (num_labels < 2)
++ {
++ LOG("Invalid DNS name: Not enough labels (%zu).", num_labels);
++ return 0;
++ }
++ if (is_label_numeric)
++ {
++ LOG("Invalid DNS name: Final label is fully numeric.");
++ return 0;
++ }
++ if (num_label_bytes == 5 &&
++ (label[0] == 'l' || label[0] == 'L') &&
++ (label[1] == 'o' || label[1] == 'O') &&
++ (label[2] == 'c' || label[2] == 'C') &&
++ (label[3] == 'a' || label[3] == 'A') &&
++ (label[4] == 'l' || label[4] == 'L'))
++ {
++ LOG("Invalid DNS name: \"local\" pseudo-TLD.");
++ return 0;
++ }
++ if (num_bytes < 1 || num_bytes > 253)
++ {
++ LOG("DNS name has invalid length (%zu).", num_bytes);
++ return 0;
++ }
++ return 1;
++ }
++ label = NULL;
++ is_label_numeric = 1;
++ }
++ }
++}
++
++/**
++ * Determines whether a given string value represents a valid DNS name
pattern.
++ *
++ * - DNS names must adhere to RFC 1123: 1 to 253 characters in length,
consisting of a sequence of labels
++ * delimited by dots ("."). Each label must be 1 to 63 characters in
length, contain only
++ * ASCII letters ("a"-"Z"), digits ("0"-"9"), or hyphens ("-") and must not
start or end with a hyphen.
++ *
++ * - Patterns follow the syntax of DNS names, but additionally allow the
wildcard character "*" to be used up to
++ * twice per label to match 0 or more characters within that label. Note
that the wildcard never matches a dot
++ * (e.g., "*.example.com" matches "api.example.com" but not
"api.us.example.com").
++ *
++ * - A valid name or pattern must be fully qualified, i.e., consist of at
least two labels.
++ * The final label must not be fully numeric, and must not be the "local"
pseudo-TLD.
++ * A pattern must end with at least two literal (non-wildcard) labels.
++ *
++ * - Examples:
++ * Valid: "example.com", "*.example.com", "video*.example.com",
"api*.*.example.com", "*-prod-*.example.com"
++ * Invalid: "ipcamera", "ipcamera.local", "*", "*.com", "8.8.8.8"
++ *
++ * @param value A string value.
++ *
++ * @return 1 If the provided string value is a valid
DNS name pattern.
++ * @return 0 Otherwise.
++ */
++int is_valid_dns_name_pattern(const char *value)
++{
++ ASSERT(value);
++
++ size_t num_bytes = 0;
++ size_t num_labels = 0;
++ const char *label = NULL;
++ int is_label_numeric = 1;
++ size_t num_wildcards = 0;
++ int previous_label_has_wildcard = 1;
++ for (const char *c = value;; c++)
++ {
++ if (*c &&
++ *c != '*' && // Wildcard.
++ *c != '-' && *c != '.' &&
++ (*c < '0' || *c > '9') &&
++ (*c < 'A' || *c > 'Z') &&
++ (*c < 'a' || *c > 'z'))
++ {
++ LOG("Invalid DNS name pattern: Invalid character %c.", *c);
++ return 0;
++ }
++ if (*c && *c != '*')
++ num_bytes++;
++ if (!label)
++ {
++ if (!*c || *c == '.')
++ {
++ LOG("Invalid DNS name pattern: Empty label.");
++ return 0;
++ }
++ if (*c == '-')
++ {
++ LOG("Invalid DNS name pattern: Label starts with hyphen.");
++ return 0;
++ }
++ label = c;
++ }
++ if (*c && *c != '.')
++ {
++ if (*c < '0' || *c > '9')
++ is_label_numeric = 0;
++ if (*c == '*')
++ {
++ if (num_wildcards >= 2)
++ {
++ LOG("Invalid DNS name pattern: Wildcard character used more
than twice per label.");
++ return 0;
++ }
++ num_wildcards++;
++ }
++ }
++ else
++ {
++ if (c[-1] == '-')
++ {
++ LOG("Invalid DNS name pattern: Label ends with hyphen.");
++ return 0;
++ }
++ size_t num_label_bytes = (size_t) (c - label) - num_wildcards;
++ if (num_label_bytes > 63)
++ {
++ LOG("Invalid DNS name pattern: Label is too long (%zu).",
num_label_bytes);
++ return 0;
++ }
++ num_labels++;
++ if (!*c)
++ {
++ if (num_labels < 2)
++ {
++ LOG("Invalid DNS name pattern: Not enough labels (%zu).",
num_labels);
++ return 0;
++ }
++ if (num_wildcards != 0 || previous_label_has_wildcard)
++ {
++ LOG("Invalid DNS name pattern: Wildcard within final two
labels.");
++ return 0;
++ }
++ if (is_label_numeric)
++ {
++ LOG("Invalid DNS name pattern: Final label is fully
numeric.");
++ return 0;
++ }
++ if (num_label_bytes == 5 &&
++ (label[0] == 'l' || label[0] == 'L') &&
++ (label[1] == 'o' || label[1] == 'O') &&
++ (label[2] == 'c' || label[2] == 'C') &&
++ (label[3] == 'a' || label[3] == 'A') &&
++ (label[4] == 'l' || label[4] == 'L'))
++ {
++ LOG("Invalid DNS name pattern: \"local\" pseudo-TLD.");
++ return 0;
++ }
++ if (num_bytes < 1 || num_bytes > 253)
++ {
++ LOG("DNS name pattern has invalid length after removing
wildcards (%zu).", num_bytes);
++ return 0;
++ }
++ return 1;
++ }
++ label = NULL;
++ is_label_numeric = 1;
++ previous_label_has_wildcard = num_wildcards != 0;
++ num_wildcards = 0;
++ }
++ }
++}
++
++/**
++ * Determines whether a given DNS name matches against a DNS name pattern.
++ *
++ * @param name A valid DNS name.
++ * @param pattern A valid DNS name pattern.
++ *
++ * @return 1 If the provided DNS name matches against
the DNS name pattern.
++ * @return 0 Otherwise.
++ */
++int is_dns_name_matching_pattern(const char *name, const char *pattern)
++{
++ ASSERT(name);
++ ASSERT(is_valid_dns_name(name));
++ ASSERT(pattern);
++ ASSERT(is_valid_dns_name_pattern(pattern));
++
++ const char *n = name;
++ const char *p = pattern;
++
++ do {
++ const char *name_label = n;
++ while (*n && *n != '.')
++ n++;
++ const char *pattern_label = p;
++ while (*p && *p != '.')
++ p++;
++ if (!is_string_matching_glob_pattern(
++ name_label, (size_t) (n - name_label),
++ pattern_label, (size_t) (p - pattern_label)))
++ break;
++ if (*n)
++ n++;
++ if (*p)
++ p++;
++ } while (*n && *p);
++
++ return !*n && !*p;
++}
++
++#endif
+diff --git a/src/rfc1035.c b/src/rfc1035.c
+index ea438c2..d60253d 100644
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -884,6 +884,80 @@ int extract_addresses(struct dns_header *header, size_t
qlen, char *name, time_t
+ return 0;
+ }
+
++#if defined(HAVE_CONNTRACK) && defined(HAVE_UBUS)
++void report_addresses(struct dns_header *header, size_t len, uint32_t mark)
++{
++ unsigned char *p, *endrr;
++ int i;
++ unsigned long attl;
++ struct allowlist *allowlists;
++ char **pattern_pos;
++
++ if (RCODE(header) != NOERROR)
++ return;
++
++ for (allowlists = daemon->allowlists; allowlists; allowlists =
allowlists->next)
++ if (allowlists->mark == (mark & daemon->allowlist_mask &
allowlists->mask))
++ for (pattern_pos = allowlists->patterns; *pattern_pos; pattern_pos++)
++ if (!strcmp(*pattern_pos, "*"))
++ return;
++
++ if (!(p = skip_questions(header, len)))
++ return;
++ for (i = ntohs(header->ancount); i != 0; i--)
++ {
++ int aqtype, aqclass, ardlen;
++
++ if (!extract_name(header, len, &p, daemon->namebuff, 1, 10))
++ return;
++
++ if (!CHECK_LEN(header, p, len, 10))
++ return;
++ GETSHORT(aqtype, p);
++ GETSHORT(aqclass, p);
++ GETLONG(attl, p);
++ GETSHORT(ardlen, p);
++
++ if (!CHECK_LEN(header, p, len, ardlen))
++ return;
++ endrr = p+ardlen;
++
++ if (aqclass == C_IN)
++ {
++ if (aqtype == T_CNAME)
++ {
++ char namebuff[MAXDNAME];
++ if (!extract_name(header, len, &p, namebuff, 1, 0))
++ return;
++ ubus_event_bcast_connmark_allowlist_resolved(mark,
daemon->namebuff, namebuff, attl);
++ }
++ if (aqtype == T_A)
++ {
++ struct in_addr addr;
++ char ip[INET_ADDRSTRLEN];
++ if (ardlen != INADDRSZ)
++ return;
++ memcpy(&addr, p, ardlen);
++ if (inet_ntop(AF_INET, &addr, ip, sizeof ip))
++ ubus_event_bcast_connmark_allowlist_resolved(mark,
daemon->namebuff, ip, attl);
++ }
++ else if (aqtype == T_AAAA)
++ {
++ struct in6_addr addr;
++ char ip[INET6_ADDRSTRLEN];
++ if (ardlen != IN6ADDRSZ)
++ return;
++ memcpy(&addr, p, ardlen);
++ if (inet_ntop(AF_INET6, &addr, ip, sizeof ip))
++ ubus_event_bcast_connmark_allowlist_resolved(mark,
daemon->namebuff, ip, attl);
++ }
++ }
++
++ p = endrr;
++ }
++}
++#endif
++
+ /* If the packet holds exactly one query
+ return F_IPV4 or F_IPV6 and leave the name from the query in name */
+ unsigned int extract_request(struct dns_header *header, size_t qlen, char
*name, unsigned short *typep)
+@@ -894,7 +968,8 @@ unsigned int extract_request(struct dns_header *header,
size_t qlen, char *name,
+ if (typep)
+ *typep = 0;
+
+- if (ntohs(header->qdcount) != 1 || OPCODE(header) != QUERY)
++ if (ntohs(header->qdcount) != 1 || OPCODE(header) != QUERY ||
++ ntohs(header->ancount) != 0 || ntohs(header->nscount) != 0)
+ return 0; /* must be exactly one query. */
+
+ if (!extract_name(header, qlen, &p, name, 1, 4))
+diff --git a/src/ubus.c b/src/ubus.c
+index 33c2783..00b14dd 100644
+--- a/src/ubus.c
++++ b/src/ubus.c
+@@ -28,10 +28,38 @@ static int ubus_handle_metrics(struct ubus_context *ctx,
struct ubus_object *obj
+ struct ubus_request_data *req, const char
*method,
+ struct blob_attr *msg);
+
++#ifdef HAVE_CONNTRACK
++enum {
++ SET_CONNMARK_ALLOWLIST_MARK,
++ SET_CONNMARK_ALLOWLIST_MASK,
++ SET_CONNMARK_ALLOWLIST_PATTERNS
++};
++static const struct blobmsg_policy set_connmark_allowlist_policy[] = {
++ [SET_CONNMARK_ALLOWLIST_MARK] = {
++ .name = "mark",
++ .type = BLOBMSG_TYPE_INT32
++ },
++ [SET_CONNMARK_ALLOWLIST_MASK] = {
++ .name = "mask",
++ .type = BLOBMSG_TYPE_INT32
++ },
++ [SET_CONNMARK_ALLOWLIST_PATTERNS] = {
++ .name = "patterns",
++ .type = BLOBMSG_TYPE_ARRAY
++ }
++};
++static int ubus_handle_set_connmark_allowlist(struct ubus_context *ctx,
struct ubus_object *obj,
++ struct ubus_request_data *req,
const char *method,
++ struct blob_attr *msg);
++#endif
++
+ static void ubus_subscribe_cb(struct ubus_context *ctx, struct ubus_object
*obj);
+
+ static const struct ubus_method ubus_object_methods[] = {
+ UBUS_METHOD_NOARG("metrics", ubus_handle_metrics),
++#ifdef HAVE_CONNTRACK
++ UBUS_METHOD("set_connmark_allowlist", ubus_handle_set_connmark_allowlist,
set_connmark_allowlist_policy),
++#endif
+ };
+
+ static struct ubus_object_type ubus_object_type =
+@@ -178,6 +206,122 @@ static int ubus_handle_metrics(struct ubus_context *ctx,
struct ubus_object *obj
+ return ubus_send_reply(ctx, req, b.head);
+ }
+
++#ifdef HAVE_CONNTRACK
++static int ubus_handle_set_connmark_allowlist(struct ubus_context *ctx,
struct ubus_object *obj,
++ struct ubus_request_data *req,
const char *method,
++ struct blob_attr *msg)
++{
++ const struct blobmsg_policy *policy = set_connmark_allowlist_policy;
++ size_t policy_len = countof(set_connmark_allowlist_policy);
++ struct allowlist *allowlists = NULL, **allowlists_pos;
++ char **patterns = NULL, **patterns_pos;
++ uint32_t mark, mask = UINT32_MAX;
++ size_t num_patterns = 0;
++ struct blob_attr *tb[policy_len];
++ struct blob_attr *attr;
++
++ if (blobmsg_parse(policy, policy_len, tb, blob_data(msg), blob_len(msg)))
++ return UBUS_STATUS_INVALID_ARGUMENT;
++
++ if (!tb[SET_CONNMARK_ALLOWLIST_MARK])
++ return UBUS_STATUS_INVALID_ARGUMENT;
++ mark = blobmsg_get_u32(tb[SET_CONNMARK_ALLOWLIST_MARK]);
++ if (!mark)
++ return UBUS_STATUS_INVALID_ARGUMENT;
++
++ if (tb[SET_CONNMARK_ALLOWLIST_MASK])
++ {
++ mask = blobmsg_get_u32(tb[SET_CONNMARK_ALLOWLIST_MASK]);
++ if (!mask || (mark & ~mask))
++ return UBUS_STATUS_INVALID_ARGUMENT;
++ }
++
++ if (tb[SET_CONNMARK_ALLOWLIST_PATTERNS])
++ {
++ struct blob_attr *head =
blobmsg_data(tb[SET_CONNMARK_ALLOWLIST_PATTERNS]);
++ size_t len = blobmsg_data_len(tb[SET_CONNMARK_ALLOWLIST_PATTERNS]);
++ __blob_for_each_attr(attr, head, len)
++ {
++ char *pattern;
++ if (blob_id(attr) != BLOBMSG_TYPE_STRING)
++ return UBUS_STATUS_INVALID_ARGUMENT;
++ if (!(pattern = blobmsg_get_string(attr)))
++ return UBUS_STATUS_INVALID_ARGUMENT;
++ if (strcmp(pattern, "*") && !is_valid_dns_name_pattern(pattern))
++ return UBUS_STATUS_INVALID_ARGUMENT;
++ num_patterns++;
++ }
++ }
++
++ for (allowlists_pos = &daemon->allowlists; *allowlists_pos; allowlists_pos
= &(*allowlists_pos)->next)
++ if ((*allowlists_pos)->mark == mark && (*allowlists_pos)->mask == mask)
++ {
++ struct allowlist *allowlists_next = (*allowlists_pos)->next;
++ for (patterns_pos = (*allowlists_pos)->patterns; *patterns_pos;
patterns_pos++)
++ {
++ free(*patterns_pos);
++ *patterns_pos = NULL;
++ }
++ free((*allowlists_pos)->patterns);
++ (*allowlists_pos)->patterns = NULL;
++ free(*allowlists_pos);
++ *allowlists_pos = allowlists_next;
++ break;
++ }
++
++ if (!num_patterns)
++ return UBUS_STATUS_OK;
++
++ patterns = whine_malloc((num_patterns + 1) * sizeof(char *));
++ if (!patterns)
++ goto fail;
++ patterns_pos = patterns;
++ if (tb[SET_CONNMARK_ALLOWLIST_PATTERNS])
++ {
++ struct blob_attr *head =
blobmsg_data(tb[SET_CONNMARK_ALLOWLIST_PATTERNS]);
++ size_t len = blobmsg_data_len(tb[SET_CONNMARK_ALLOWLIST_PATTERNS]);
++ __blob_for_each_attr(attr, head, len)
++ {
++ char *pattern;
++ if (!(pattern = blobmsg_get_string(attr)))
++ goto fail;
++ if (!(*patterns_pos = whine_malloc(strlen(pattern) + 1)))
++ goto fail;
++ strcpy(*patterns_pos++, pattern);
++ }
++ }
++
++ allowlists = whine_malloc(sizeof(struct allowlist));
++ if (!allowlists)
++ goto fail;
++ memset(allowlists, 0, sizeof(struct allowlist));
++ allowlists->mark = mark;
++ allowlists->mask = mask;
++ allowlists->patterns = patterns;
++ allowlists->next = daemon->allowlists;
++ daemon->allowlists = allowlists;
++ return UBUS_STATUS_OK;
++
++fail:
++ if (patterns)
++ {
++ for (patterns_pos = patterns; *patterns_pos; patterns_pos++)
++ {
++ free(*patterns_pos);
++ *patterns_pos = NULL;
++ }
++ free(patterns);
++ patterns = NULL;
++ }
++ if (allowlists)
++ {
++ free(allowlists);
++ allowlists = NULL;
++ }
++ return UBUS_STATUS_UNKNOWN_ERROR;
++}
++#endif
++
+ void ubus_event_bcast(const char *type, const char *mac, const char *ip,
const char *name, const char *interface)
+ {
+ struct ubus_context *ubus = (struct ubus_context *)daemon->ubus;
+@@ -197,9 +341,47 @@ void ubus_event_bcast(const char *type, const char *mac,
const char *ip, const c
+ blobmsg_add_string(&b, "interface", interface);
+
+ ret = ubus_notify(ubus, &ubus_object, type, b.head, -1);
+- if (!ret)
++ if (ret)
++ my_syslog(LOG_ERR, _("Failed to send UBus event: %s"),
ubus_strerror(ret));
++}
++
++#ifdef HAVE_CONNTRACK
++void ubus_event_bcast_connmark_allowlist_refused(uint32_t mark, const char
*name)
++{
++ struct ubus_context *ubus = (struct ubus_context *)daemon->ubus;
++ int ret;
++
++ if (!ubus || !notify)
++ return;
++
++ blob_buf_init(&b, 0);
++ blobmsg_add_u32(&b, "mark", mark);
++ blobmsg_add_string(&b, "name", name);
++
++ ret = ubus_notify(ubus, &ubus_object, "connmark-allowlist.refused", b.head,
-1);
++ if (ret)
++ my_syslog(LOG_ERR, _("Failed to send UBus event: %s"),
ubus_strerror(ret));
++}
++
++void ubus_event_bcast_connmark_allowlist_resolved(uint32_t mark, const char
*name, const char *value, uint32_t ttl)
++{
++ struct ubus_context *ubus = (struct ubus_context *)daemon->ubus;
++ int ret;
++
++ if (!ubus || !notify)
++ return;
++
++ blob_buf_init(&b, 0);
++ blobmsg_add_u32(&b, "mark", mark);
++ blobmsg_add_string(&b, "name", name);
++ blobmsg_add_string(&b, "value", value);
++ blobmsg_add_u32(&b, "ttl", ttl);
++
++ ret = ubus_notify(ubus, &ubus_object, "connmark-allowlist.resolved",
b.head, /* timeout: */ 1000);
++ if (ret)
+ my_syslog(LOG_ERR, _("Failed to send UBus event: %s"),
ubus_strerror(ret));
+ }
++#endif
+
+
+ #endif /* HAVE_UBUS */
+--
+2.30.1 (Apple Git-130)
+
--
2.30.1 (Apple Git-130)
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
