[Dnsmasq-discuss] [OpenWrt] Integration of connmark based DNS filtering

2021-02-28 Thread Etan Kissling via Dnsmasq-discuss
From 7694255ba440a1f53faeaae6cd034d0e1256e8a9 Mon Sep 17 00:00:00 2001
From: Etan Kissling 
Date: Mon, 20 Apr 2020 16:39:24 +0200
Subject: [PATCH] openwrt: Integration of connmark based DNS filtering

This integrates the proposed Dnsmasq patch from email:
- [PATCH v5] dnsmasq: connection track mark based DNS query filtering
into OpenWrt 21.02.

Signed-off-by: Etan Kissling 
---
This patch uses OpenWrt 21.02 as its basis and may be useful for testing
on OpenWrt (Ubus event monitoring and Uci-based configuration).

 .../services/dnsmasq/files/dnsmasq.init   |   12 +
 ...track-mark-based-DNS-query-filtering.patch | 1262 +
 2 files changed, 1274 insertions(+)
 create mode 100644 
package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch

diff --git a/package/network/services/dnsmasq/files/dnsmasq.init 
b/package/network/services/dnsmasq/files/dnsmasq.init
index 680e72f..b46988f 100644
--- a/package/network/services/dnsmasq/files/dnsmasq.init
+++ b/package/network/services/dnsmasq/files/dnsmasq.init
@@ -172,6 +172,10 @@ append_ipset() {
xappend "--ipset=$1"
 }

+append_connmark_allowlist() {
+   xappend "--connmark-allowlist=$1"
+}
+
 append_interface() {
network_get_device ifname "$1" || ifname="$1"
xappend "--interface=$ifname"
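Review bot: `append_connmark_allowlist` forwards each `connmark_allowlist` list entry to dnsmasq verbatim as `--connmark-allowlist=<entry>`, and nothing in this file says what an entry is supposed to look like, so a malformed entry is only caught when dnsmasq rejects its command line at start-up. Since the init script is what UCI users read, a short comment above the helper describing the expected entry format (and that entries are only emitted while `connmark_allowlist_enable` is set, see the `dnsmasq_start` hunk) would be worth adding; the helper itself correctly mirrors `append_ipset` and needs no change.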
@@ -913,6 +917,14 @@ dnsmasq_start()
config_list_foreach "$cfg" "rev_server" append_rev_server
config_list_foreach "$cfg" "address" append_address
config_list_foreach "$cfg" "ipset" append_ipset
+
+   local connmark_allowlist_enable
+   config_get connmark_allowlist_enable "$cfg" connmark_allowlist_enable 0
+   [ "$connmark_allowlist_enable" -gt 0 ] && {
+   append_parm "$cfg" "connmark_allowlist_enable" 
"--connmark-allowlist-enable"
+   config_list_foreach "$cfg" "connmark_allowlist" 
append_connmark_allowlist
+   }
+
[ -n "$BOOT" ] || {
config_list_foreach "$cfg" "interface" append_interface
config_list_foreach "$cfg" "notinterface" append_notinterface
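Review bot: `[ "$connmark_allowlist_enable" -gt 0 ]` assumes a numeric value; UCI boolean-looking options are often written as `true`/`on`, and with such a value `[ -gt ]` prints an error and the whole block is skipped silently. The same value is then handed to `append_parm`, so it becomes the option's argument rather than acting as a bare switch, which suggests it is a mask and not a boolean. Either document the option as a numeric mask where the UCI options are described, or, if it is meant as a plain on/off switch, read it with `config_get_bool` and emit `xappend "--connmark-allowlist-enable"` directly instead of going through `append_parm`.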
diff --git 
a/package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch
 
b/package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch
new file mode 100644
index 000..4758100
--- /dev/null
+++ 
b/package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch
@@ -0,0 +1,1262 @@
+From e403e6dfabd9b9c4d4b132a940987f1cf3595278 Mon Sep 17 00:00:00 2001
+From: Etan Kissling 
+Date: Tue, 12 Jan 2021 10:51:21 +0100
+Subject: [PATCH v5] Connection track mark based DNS query filtering.
+
+This extends query filtering support beyond what is currently possible
+with the `--ipset` configuration option, by adding support for:
+1) Specifying allowlists on a per-client basis, based on their
+   associated Linux connection track mark.
+2) Dynamic configuration of allowlists via Ubus.
+3) Reporting when a DNS query resolves or is rejected via Ubus.
+4) DNS name patterns containing wildcards.
+
+Disallowed queries are not forwarded; they are rejected
+with a REFUSED error code.
+
+Signed-off-by: Etan Kissling 
+---
+v2: Rebase to v2.83, and fix compilation when HAVE_UBUS not present.
+v3: Rebase to v2.84test2.
+v4: Rebase to v2.84rc2 (update copyright notice).
+v5: Correct logging of `ubus_notify` errors (also in existing code).
+
+ Makefile  |   2 +-
+ man/dnsmasq.8 |  31 +++-
+ src/dnsmasq.h |  25 +++-
+ src/forward.c | 121 +++-
+ src/option.c  | 134 ++
+ src/pattern.c | 386 ++
+ src/rfc1035.c |  82 +++
+ src/ubus.c| 184 +++-
+ 8 files changed, 956 insertions(+), 9 deletions(-)
+ create mode 100644 src/pattern.c
+
+diff --git a/Makefile b/Makefile
+index e4c3f5c..506e56b 100644
+--- a/Makefile
 b/Makefile
+@@ -79,7 +79,7 @@ copts_conf = .copts_$(sum)
+ objs = cache.o rfc1035.o util.o option.o forward.o network.o \
+dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \
+helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \
+-   dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \
++   dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o pattern.o \
+domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \
+poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o \
+metrics.o hash_questions.o
+diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
+index ac7c9fa..04d666d 100644
+--- a/man/dnsmasq.8
 b/man/dnsmasq.8
+@@ -368,7 +368,10 @@ provides service at that name, rather than the default 
which is
+ .TP 
+ .B --enable-ubus[=]
+ Enable dnsmasq UBus interface. It sends notifications via UBus on
+-DHCPACK and DHCPRELEASE events. Furthermore it offers metrics.
++DHCPACK and DHCPRELEASE events. Furthermore it offers metrics
++and allows configuration of Linux connection track mark 
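Review bot: this copy of the vendored patch is incomplete and would not apply as mailed: the hunk header announces 1262 lines, but the text stops mid-sentence in the man page hunk at `and allows configuration of Linux connection track mark`, and the inner `+++ b/Makefile` and `+++ b/man/dnsmasq.8` file headers have lost their leading `+++` (they appear as ` b/Makefile` and ` b/man/dnsmasq.8`), so `git am` on this message fails before reaching the source changes. Attaching the 300- patch as a file, or referring reviewers to the upstream v5 submission whose header is embedded here (commit e403e6dfabd9b9c4d4b132a940987f1cf3595278), would be more reliable. Since the vendored patch pins that v5 revision, it should also be dropped in favour of the released dnsmasq version once upstream merges the feature, rather than OpenWrt carrying a diverging copy.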

Re: [Dnsmasq-discuss] DKIM / DMARC emails.

2021-02-21 Thread Etan Kissling via Dnsmasq-discuss



On 21.02.21, 21:54, "Dnsmasq-discuss on behalf of Simon Kelley" wrote:

> OK. It's set. Looking for feedback, good and bad.
>
> Simon.

My latest '[PATCH v5] Connection track mark based DNS query filtering.'
email no longer got filtered into the junk folder, so I think the
settings may be good now.

Thanks

Etan




___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss