[Dnsmasq-discuss] [PATCH v9] Connection track mark based DNS query filtering.

2021-06-16 Thread Etan Kissling
This extends query filtering support beyond what is currently possible
with the `--ipset` configuration option, by adding support for:
1) Specifying allowlists on a per-client basis, based on their
   associated Linux connection track mark.
2) Dynamic configuration of allowlists via Ubus.
3) Reporting when a DNS query resolves or is rejected via Ubus.
4) DNS name patterns containing wildcards.

Disallowed queries are not forwarded; they are rejected
with a REFUSED error code.

Signed-off-by: Etan Kissling 
(addressed reviewer feedback)
Signed-off-by: Etan Kissling 
---
v2: Rebase to v2.83, and fix compilation when HAVE_UBUS not present.
v3: Rebase to v2.84test2.
v4: Rebase to v2.84rc2 (update copyright notice).
v5: Correct logging of `ubus_notify` errors (also in existing code).

Etan Kissling :
v6: Integrate checks for weird queries into `extract_request`.
Skip Ubus reporting when daemon->namebuff is not initialized.
Fix options parsing for mark / mask with bit 31 set.
Disable filtering for external queries (`auth_dns && !local_auth`).
Report all CNAME RRs via Ubus instead of just a (potential) subset.
Avoid redundant `is_valid_dns_name` evaluations.
Unify DNS name pattern matching logic across transports (UDP / TCP).
v7: Fix typos and adjust code style to project.
v8: Rebase to v2.85 (update options numbers).
v9: Rebase to v2.86test2 (options, setup_reply, uint32_t -> u32).
Fix strtoul_check for sizeof(long) > sizeof(u32), and generic errno.

 Makefile  |   2 +-
 man/dnsmasq.8 |  31 +++-
 src/dnsmasq.h |  25 +++-
 src/forward.c | 143 ++-
 src/option.c  | 142 ++-
 src/pattern.c | 386 ++
 src/rfc1035.c |  77 +-
 src/ubus.c    | 184 +++-
 8 files changed, 978 insertions(+), 12 deletions(-)
 create mode 100644 src/pattern.c
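The matching and allow/reject rules that the man page changes in this patch document (wildcards confined to one label, fully qualified patterns, unmarked queries passing, marks ANDed with a mask, no allowlist meaning REFUSED), as an added Python model written for this page; it is not dnsmasq's pattern.c, and the marks, masks and patterns in ALLOWLISTS are constructed.

```python
import re

# Constructed configuration standing in for a series of
#   --connmark-allowlist=<mark>[/<mask>],<pattern>[,<pattern>...]
# options: list of (mark, mask, patterns). All values are made up.
ALLOWLISTS = [
    (0x00000001, 0x0000000F, ["*.example.com", "ntp.example.net"]),
    (0x80000000, 0xFFFFFFFF, ["api-*-*.example.org"]),  # bit 31 set: marks are u32
]
GLOBAL_MASK = 0xFFFFFFFF  # stands in for --connmark-allowlist-enable=<mask>


def pattern_is_valid(pattern: str) -> bool:
    """Validate a pattern against the rules the man page states."""
    labels = pattern.lower().split(".")
    if len(labels) < 2:  # must be fully qualified: at least two labels
        return False
    for label in labels:
        # DNS label syntax plus at most two "*" wildcards per label
        if not re.fullmatch(r"[a-z0-9*-]+", label) or label.count("*") > 2:
            return False
    last = labels[-1]
    return not last.isdigit() and last != "local"


def label_matches(pattern_label: str, name_label: str) -> bool:
    """'*' matches zero or more characters, but only inside this one label."""
    regex = ".*".join(re.escape(part) for part in pattern_label.split("*"))
    return re.fullmatch(regex, name_label) is not None


def name_matches(pattern: str, name: str) -> bool:
    """Labels are compared one to one, so a wildcard can never span a dot."""
    p = pattern.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    return len(p) == len(n) and all(label_matches(a, b) for a, b in zip(p, n))


def query_allowed(mark, qname: str, allowlists=ALLOWLISTS,
                  global_mask=GLOBAL_MASK) -> bool:
    """Allow (True) or REFUSE (False) a query; mark=None means no conntrack mark."""
    if mark is None:
        return True  # queries without an associated mark are not filtered
    effective = mark & global_mask & 0xFFFFFFFF  # stay within u32
    for list_mark, list_mask, patterns in allowlists:
        if (effective & list_mask) == list_mark and \
                any(name_matches(p, qname) for p in patterns):
            return True
    return False  # no allowlist for this mark, or no pattern matched
```

Note that a client whose traffic carries no mark is never filtered, so the firewall's connmark rules decide how complete the filtering is.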

diff --git a/Makefile b/Makefile
index 367cd26..0cd592e 100644
--- a/Makefile
+++ b/Makefile
@@ -79,7 +79,7 @@ copts_conf = .copts_$(sum)
 objs = cache.o rfc1035.o util.o option.o forward.o network.o \
dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \
helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \
-   dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \
+   dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o pattern.o \
domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \
poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o \
metrics.o hash-questions.o domain-match.o
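Review bot: pattern.o is added to objs unconditionally, so pattern.c has to compile cleanly (to an empty object if need be) in builds where conntrack or UBus support is not configured; the v2 note about fixing compilation without HAVE_UBUS shows these build variants matter, so please state which build options guard the new code.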
diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index e6bc6f0..ea8457b 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -371,7 +371,10 @@ provides service at that name, rather than the default 
which is
 .TP 
 .B --enable-ubus[=]
 Enable dnsmasq UBus interface. It sends notifications via UBus on
-DHCPACK and DHCPRELEASE events. Furthermore it offers metrics.
+DHCPACK and DHCPRELEASE events. Furthermore it offers metrics
+and allows configuration of Linux connection track mark based filtering.
+When DNS query filtering based on Linux connection track marks is enabled
+UBus notifications are generated for each resolved or filtered DNS query.
 Requires that dnsmasq has been built with UBus support. If the service
 name is given, dnsmasq provides service at that namespace, rather than
 the default which is
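Review bot: the added sentence "When DNS query filtering based on Linux connection track marks is enabled UBus notifications are generated for each resolved or filtered DNS query" needs a comma after "enabled" and should name the option that turns the filtering on (--connmark-allowlist-enable, documented further down in this patch), so a reader of --enable-ubus can find it.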
@@ -536,6 +539,32 @@ These IP sets must already exist. See
 .BR ipset (8)
 for more details.
 .TP
+.B --connmark-allowlist-enable[=]
+Enables filtering of incoming DNS queries with associated Linux connection 
track marks
+according to individual allowlists configured via a series of 
\fB--connmark-allowlist\fP
+options. Disallowed queries are not forwarded; they are rejected with a 
REFUSED error code.
+DNS queries are only allowed if they do not have an associated Linux connection
+track mark, or if the queried domains match the configured DNS patterns for the
+associated Linux connection track mark. If no allowlist is configured for a
+Linux connection track mark, all DNS queries associated with that mark are 
rejected.
+If a mask is specified, Linux connection track marks are first bitwise ANDed
+with the given mask before being processed.
+.TP
+.B --connmark-allowlist=[/][,[/...]]
+Configures the DNS patterns that are allowed in DNS queries associated with
+the given Linux connection track mark.
+If a mask is specified, Linux connection track marks are first bitwise ANDed
+with the given mask before they are compared to the given connection track 
mark.
+Patterns follow the syntax of DNS names, but additionally allow the wildcard
+character "*" to be used up to twice per label to match 0 or more characters
+within that label. Note that the wildcard never matches a dot (e.g., 
"*.example.com"
+matches "api.example.com" but not "api.us.example.com"). Patterns must be
+fully qualified, i.e., consist of at least two labels. The final label must 
not be
+fully numeric, and must not be the "local" pseudo-TLD. A pat
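Review bot: the rule "DNS queries are only allowed if they do not have an associated Linux connection track mark" means any client whose traffic the firewall does not mark bypasses the filtering entirely; the man text should say so explicitly so operators know the filtering is only as complete as their connmark rules. The mask is also described twice with the same wording (once on --connmark-allowlist-enable, once per --connmark-allowlist entry); spell out how the two interact, for example whether the global mask is applied before the per-entry mask.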

Re: [Dnsmasq-discuss] [PATCH v9] Connection track mark based DNS query filtering.

2021-06-21 Thread Feed Back via Dnsmasq-discuss
On Wed, Jun 16, 2021 at 09:56:17PM +, Etan Kissling wrote:
> This extends query filtering support beyond what is currently possible
> with the `--ipset` configuration option, by adding support for:
> 1) Specifying allowlists on a per-client basis, based on their
>associated Linux connection track mark.
> 2) Dynamic configuration of allowlists via Ubus.
> 3) Reporting when a DNS query resolves or is rejected via Ubus.
> 4) DNS name patterns containing wildcards.
> 
> Disallowed queries are not forwarded; they are rejected
> with a REFUSED error code.
> 
> Signed-off-by: Etan Kissling 
> (addressed reviewer feedback)
> Signed-off-by: Etan Kissling 

It became commit 627056febbf1b


Thanks
A community member

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss