[Dnsmasq-discuss] [OpenWrt] Integration of connmark based DNS filtering
>From 7694255ba440a1f53faeaae6cd034d0e1256e8a9 Mon Sep 17 00:00:00 2001
From: Etan Kissling
Date: Mon, 20 Apr 2020 16:39:24 +0200
Subject: [PATCH] openwrt: Integration of connmark based DNS filtering
This integrates the proposed Dnsmasq patch from email:
- [PATCH v5] dnsmasq: connection track mark based DNS query filtering
into OpenWrt 21.02.
Signed-off-by: Etan Kissling
---
This patch uses OpenWrt 21.02 as basis and may be useful for testing
on OpenWrt (Ubus event monitoring, and Uci based configuration).
.../services/dnsmasq/files/dnsmasq.init | 12 +
...track-mark-based-DNS-query-filtering.patch | 1262 +
2 files changed, 1274 insertions(+)
create mode 100644
package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch
diff --git a/package/network/services/dnsmasq/files/dnsmasq.init
b/package/network/services/dnsmasq/files/dnsmasq.init
index 680e72f..b46988f 100644
--- a/package/network/services/dnsmasq/files/dnsmasq.init
+++ b/package/network/services/dnsmasq/files/dnsmasq.init
@@ -172,6 +172,10 @@ append_ipset() {
xappend "--ipset=$1"
}
+append_connmark_allowlist() {
+ xappend "--connmark-allowlist=$1"
+}
+
append_interface() {
network_get_device ifname "$1" || ifname="$1"
xappend "--interface=$ifname"
@@ -913,6 +917,14 @@ dnsmasq_start()
config_list_foreach "$cfg" "rev_server" append_rev_server
config_list_foreach "$cfg" "address" append_address
config_list_foreach "$cfg" "ipset" append_ipset
+
+ local connmark_allowlist_enable
+ config_get connmark_allowlist_enable "$cfg" connmark_allowlist_enable 0
+ [ "$connmark_allowlist_enable" -gt 0 ] && {
+ append_parm "$cfg" "connmark_allowlist_enable"
"--connmark-allowlist-enable"
+ config_list_foreach "$cfg" "connmark_allowlist"
append_connmark_allowlist
+ }
+
[ -n "$BOOT" ] || {
config_list_foreach "$cfg" "interface" append_interface
config_list_foreach "$cfg" "notinterface" append_notinterface
diff --git
a/package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch
b/package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch
new file mode 100644
index 000..4758100
--- /dev/null
+++
b/package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch
@@ -0,0 +1,1262 @@
+From e403e6dfabd9b9c4d4b132a940987f1cf3595278 Mon Sep 17 00:00:00 2001
+From: Etan Kissling
+Date: Tue, 12 Jan 2021 10:51:21 +0100
+Subject: [PATCH v5] Connection track mark based DNS query filtering.
+
+This extends query filtering support beyond what is currently possible
+with the `--ipset` configuration option, by adding support for:
+1) Specifying allowlists on a per-client basis, based on their
+ associated Linux connection track mark.
+2) Dynamic configuration of allowlists via Ubus.
+3) Reporting when a DNS query resolves or is rejected via Ubus.
+4) DNS name patterns containing wildcards.
+
+Disallowed queries are not forwarded; they are rejected
+with a REFUSED error code.
+
+Signed-off-by: Etan Kissling
+---
+v2: Rebase to v2.83, and fix compilation when HAVE_UBUS not present.
+v3: Rebase to v2.84test2.
+v4: Rebase to v2.84rc2 (update copyright notice).
+v5: Correct logging of `ubus_notify` errors (also in existing code).
+
+ Makefile | 2 +-
+ man/dnsmasq.8 | 31 +++-
+ src/dnsmasq.h | 25 +++-
+ src/forward.c | 121 +++-
+ src/option.c | 134 ++
+ src/pattern.c | 386 ++
+ src/rfc1035.c | 82 +++
+ src/ubus.c| 184 +++-
+ 8 files changed, 956 insertions(+), 9 deletions(-)
+ create mode 100644 src/pattern.c
+
+diff --git a/Makefile b/Makefile
+index e4c3f5c..506e56b 100644
+--- a/Makefile
b/Makefile
+@@ -79,7 +79,7 @@ copts_conf = .copts_$(sum)
+ objs = cache.o rfc1035.o util.o option.o forward.o network.o \
+dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \
+helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \
+- dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \
++ dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o pattern.o \
+domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \
+poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o \
+metrics.o hash_questions.o
+diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
+index ac7c9fa..04d666d 100644
+--- a/man/dnsmasq.8
b/man/dnsmasq.8
+@@ -368,7 +368,10 @@ provides service at that name, rather than the default
which is
+ .TP
+ .B --enable-ubus[=]
+ Enable dnsmasq UBus interface. It sends notifications via UBus on
+-DHCPACK and DHCPRELEASE events. Furthermore it offers metrics.
++DHCPACK and DHCPRELEASE events. Furthermore it offers metrics
++and allows configuration of Linux connection track mark
[Dnsmasq-discuss] [OpenWrt] Integration of connmark based DNS filtering
>From 7694255ba440a1f53faeaae6cd034d0e1256e8a9 Mon Sep 17 00:00:00 2001
From: Etan Kissling
Date: Mon, 20 Apr 2020 16:39:24 +0200
Subject: [PATCH] openwrt: Integration of connmark based DNS filtering
This integrates the proposed Dnsmasq patch from email:
- [PATCH v5] dnsmasq: connection track mark based DNS query filtering
into OpenWrt 21.02.
Signed-off-by: Etan Kissling
---
This patch uses OpenWrt 21.02 as basis and may be useful for testing
on OpenWrt (Ubus event monitoring, and Uci based configuration).
.../services/dnsmasq/files/dnsmasq.init | 12 +
...track-mark-based-DNS-query-filtering.patch | 1262 +
2 files changed, 1274 insertions(+)
create mode 100644
package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch
diff --git a/package/network/services/dnsmasq/files/dnsmasq.init
b/package/network/services/dnsmasq/files/dnsmasq.init
index 680e72f..b46988f 100644
--- a/package/network/services/dnsmasq/files/dnsmasq.init
+++ b/package/network/services/dnsmasq/files/dnsmasq.init
@@ -172,6 +172,10 @@ append_ipset() {
xappend "--ipset=$1"
}
+append_connmark_allowlist() {
+ xappend "--connmark-allowlist=$1"
+}
+
append_interface() {
network_get_device ifname "$1" || ifname="$1"
xappend "--interface=$ifname"
@@ -913,6 +917,14 @@ dnsmasq_start()
config_list_foreach "$cfg" "rev_server" append_rev_server
config_list_foreach "$cfg" "address" append_address
config_list_foreach "$cfg" "ipset" append_ipset
+
+ local connmark_allowlist_enable
+ config_get connmark_allowlist_enable "$cfg" connmark_allowlist_enable 0
+ [ "$connmark_allowlist_enable" -gt 0 ] && {
+ append_parm "$cfg" "connmark_allowlist_enable"
"--connmark-allowlist-enable"
+ config_list_foreach "$cfg" "connmark_allowlist"
append_connmark_allowlist
+ }
+
[ -n "$BOOT" ] || {
config_list_foreach "$cfg" "interface" append_interface
config_list_foreach "$cfg" "notinterface" append_notinterface
diff --git
a/package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch
b/package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch
new file mode 100644
index 000..4758100
--- /dev/null
+++
b/package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch
@@ -0,0 +1,1262 @@
+From e403e6dfabd9b9c4d4b132a940987f1cf3595278 Mon Sep 17 00:00:00 2001
+From: Etan Kissling
+Date: Tue, 12 Jan 2021 10:51:21 +0100
+Subject: [PATCH v5] Connection track mark based DNS query filtering.
+
+This extends query filtering support beyond what is currently possible
+with the `--ipset` configuration option, by adding support for:
+1) Specifying allowlists on a per-client basis, based on their
+ associated Linux connection track mark.
+2) Dynamic configuration of allowlists via Ubus.
+3) Reporting when a DNS query resolves or is rejected via Ubus.
+4) DNS name patterns containing wildcards.
+
+Disallowed queries are not forwarded; they are rejected
+with a REFUSED error code.
+
+Signed-off-by: Etan Kissling
+---
+v2: Rebase to v2.83, and fix compilation when HAVE_UBUS not present.
+v3: Rebase to v2.84test2.
+v4: Rebase to v2.84rc2 (update copyright notice).
+v5: Correct logging of `ubus_notify` errors (also in existing code).
+
+ Makefile | 2 +-
+ man/dnsmasq.8 | 31 +++-
+ src/dnsmasq.h | 25 +++-
+ src/forward.c | 121 +++-
+ src/option.c | 134 ++
+ src/pattern.c | 386 ++
+ src/rfc1035.c | 82 +++
+ src/ubus.c| 184 +++-
+ 8 files changed, 956 insertions(+), 9 deletions(-)
+ create mode 100644 src/pattern.c
+
+diff --git a/Makefile b/Makefile
+index e4c3f5c..506e56b 100644
+--- a/Makefile
b/Makefile
+@@ -79,7 +79,7 @@ copts_conf = .copts_$(sum)
+ objs = cache.o rfc1035.o util.o option.o forward.o network.o \
+dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \
+helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \
+- dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \
++ dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o pattern.o \
+domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \
+poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o \
+metrics.o hash_questions.o
+diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
+index ac7c9fa..04d666d 100644
+--- a/man/dnsmasq.8
b/man/dnsmasq.8
+@@ -368,7 +368,10 @@ provides service at that name, rather than the default
which is
+ .TP
+ .B --enable-ubus[=]
+ Enable dnsmasq UBus interface. It sends notifications via UBus on
+-DHCPACK and DHCPRELEASE events. Furthermore it offers metrics.
++DHCPACK and DHCPRELEASE events. Furthermore it offers metrics
++and allows configuration of Linux connection track mark
Re: [Dnsmasq-discuss] DKIM / DMARC emails.
On 21.02.21, 21:54, "Dnsmasq-discuss on behalf of Simon Kelley" wrote: > OK. It's set. Looking for feedback, good and bad. > > Simon. My latest '[PATCH v5] Connection track mark based DNS query filtering.' email did no longer get filtered into the junk folder, so I think the settings may be good now. Thanks Etan ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
