[Dnsmasq-discuss] [OpenWrt] Integration of connmark based DNS filtering
>From 7694255ba440a1f53faeaae6cd034d0e1256e8a9 Mon Sep 17 00:00:00 2001
From: Etan Kissling
Date: Mon, 20 Apr 2020 16:39:24 +0200
Subject: [PATCH] openwrt: Integration of connmark based DNS filtering
This integrates the proposed Dnsmasq patch from email: - [PATCH v5] dnsmasq: connection track mark based DNS query filtering into OpenWrt 21.02.
Signed-off-by: Etan Kissling
---
This patch uses OpenWrt 21.02 as basis and may be useful for testing on OpenWrt (Ubus event monitoring, and Uci based configuration).
 .../services/dnsmasq/files/dnsmasq.init | 12 +
 ...track-mark-based-DNS-query-filtering.patch | 1262 +
 2 files changed, 1274 insertions(+)
 create mode 100644 package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch
diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init
index 680e72f..b46988f 100644
--- a/package/network/services/dnsmasq/files/dnsmasq.init
+++ b/package/network/services/dnsmasq/files/dnsmasq.init
@@ -172,6 +172,10 @@ append_ipset() {
 xappend "--ipset=$1"
 }
 
+append_connmark_allowlist() {
+ xappend "--connmark-allowlist=$1"
+}
+
 append_interface() {
 network_get_device ifname "$1" || ifname="$1"
 xappend "--interface=$ifname"
@@ -913,6 +917,14 @@ dnsmasq_start()
 config_list_foreach "$cfg" "rev_server" append_rev_server
 config_list_foreach "$cfg" "address" append_address
 config_list_foreach "$cfg" "ipset" append_ipset
+
+ local connmark_allowlist_enable
+ config_get connmark_allowlist_enable "$cfg" connmark_allowlist_enable 0
+ [ "$connmark_allowlist_enable" -gt 0 ] && {
+ append_parm "$cfg" "connmark_allowlist_enable" "--connmark-allowlist-enable"
+ config_list_foreach "$cfg" "connmark_allowlist" append_connmark_allowlist
+ }
+
 [ -n "$BOOT" ] || {
 config_list_foreach "$cfg" "interface" append_interface
 config_list_foreach "$cfg" "notinterface" append_notinterface
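Review bot: The guard `[ "$connmark_allowlist_enable" -gt 0 ]` in the dnsmasq_start hunk makes any UCI value that `test` cannot parse as a decimal integer behave as "disabled": the comparison fails with an error, the `&&` block is skipped, and neither `--connmark-allowlist-enable` nor any `connmark_allowlist` entry reaches dnsmasq, so a typo or a non-decimal mark value silently turns the filtering off with nothing in the log. If the option is an on/off switch, read it with `config_get_bool` like the script's other boolean options; if it is meant to carry the mark value that the new dnsmasq option takes, validate it explicitly and emit a warning on the rejected path, e.g. `logger -t dnsmasq "connmark_allowlist_enable '$connmark_allowlist_enable' is not a positive integer, allowlist disabled"`. Whether `append_parm` appends the bare switch or `--connmark-allowlist-enable=<value>` depends on its definition, which is outside this hunk, as is the start and end of dnsmasq_start. The same hunk appears again in the duplicated listing further down the page.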
diff --git a/package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch b/package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch
new file mode 100644
index 000..4758100
--- /dev/null
+++ b/package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch
@@ -0,0 +1,1262 @@ +From e403e6dfabd9b9c4d4b132a940987f1cf3595278 Mon Sep 17 00:00:00 2001 +From: Etan Kissling +Date: Tue, 12 Jan 2021 10:51:21 +0100 +Subject: [PATCH v5] Connection track mark based DNS query filtering. + +This extends query filtering support beyond what is currently possible +with the `--ipset` configuration option, by adding support for: +1) Specifying allowlists on a per-client basis, based on their + associated Linux connection track mark. +2) Dynamic configuration of allowlists via Ubus. +3) Reporting when a DNS query resolves or is rejected via Ubus. +4) DNS name patterns containing wildcards. + +Disallowed queries are not forwarded; they are rejected +with a REFUSED error code. + +Signed-off-by: Etan Kissling +--- +v2: Rebase to v2.83, and fix compilation when HAVE_UBUS not present. +v3: Rebase to v2.84test2. +v4: Rebase to v2.84rc2 (update copyright notice). +v5: Correct logging of `ubus_notify` errors (also in existing code). + + Makefile | 2 +- + man/dnsmasq.8 | 31 +++- + src/dnsmasq.h | 25 +++- + src/forward.c | 121 +++- + src/option.c | 134 ++ + src/pattern.c | 386 ++ + src/rfc1035.c | 82 +++ + src/ubus.c| 184 +++- + 8 files changed, 956 insertions(+), 9 deletions(-) + create mode 100644 src/pattern.c + +diff --git a/Makefile b/Makefile +index e4c3f5c..506e56b 100644 +--- a/Makefile b/Makefile +@@ -79,7 +79,7 @@ copts_conf = .copts_$(sum) + objs = cache.o rfc1035.o util.o option.o forward.o network.o \ +dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \ +helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ +- dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \ ++ dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o pattern.o \ +domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \ +poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o \ +metrics.o hash_questions.o +diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 +index ac7c9fa..04d666d 100644 +--- a/man/dnsmasq.8 b/man/dnsmasq.8 +@@ -368,7 +368,10 @@ provides service 
at that name, rather than the default which is + .TP + .B --enable-ubus[=] + Enable dnsmasq UBus interface. It sends notifications via UBus on +-DHCPACK and DHCPRELEASE events. Furthermore it offers metrics. ++DHCPACK and DHCPRELEASE events. Furthermore it offers metrics ++and allows configuration of Linux connection track mark
[Dnsmasq-discuss] [OpenWrt] Integration of connmark based DNS filtering
>From 7694255ba440a1f53faeaae6cd034d0e1256e8a9 Mon Sep 17 00:00:00 2001
From: Etan Kissling
Date: Mon, 20 Apr 2020 16:39:24 +0200
Subject: [PATCH] openwrt: Integration of connmark based DNS filtering
This integrates the proposed Dnsmasq patch from email: - [PATCH v5] dnsmasq: connection track mark based DNS query filtering into OpenWrt 21.02.
Signed-off-by: Etan Kissling
---
This patch uses OpenWrt 21.02 as basis and may be useful for testing on OpenWrt (Ubus event monitoring, and Uci based configuration).
 .../services/dnsmasq/files/dnsmasq.init | 12 +
 ...track-mark-based-DNS-query-filtering.patch | 1262 +
 2 files changed, 1274 insertions(+)
 create mode 100644 package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch
diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init
index 680e72f..b46988f 100644
--- a/package/network/services/dnsmasq/files/dnsmasq.init
+++ b/package/network/services/dnsmasq/files/dnsmasq.init
@@ -172,6 +172,10 @@ append_ipset() {
 xappend "--ipset=$1"
 }
 
+append_connmark_allowlist() {
+ xappend "--connmark-allowlist=$1"
+}
+
 append_interface() {
 network_get_device ifname "$1" || ifname="$1"
 xappend "--interface=$ifname"
@@ -913,6 +917,14 @@ dnsmasq_start()
 config_list_foreach "$cfg" "rev_server" append_rev_server
 config_list_foreach "$cfg" "address" append_address
 config_list_foreach "$cfg" "ipset" append_ipset
+
+ local connmark_allowlist_enable
+ config_get connmark_allowlist_enable "$cfg" connmark_allowlist_enable 0
+ [ "$connmark_allowlist_enable" -gt 0 ] && {
+ append_parm "$cfg" "connmark_allowlist_enable" "--connmark-allowlist-enable"
+ config_list_foreach "$cfg" "connmark_allowlist" append_connmark_allowlist
+ }
+
 [ -n "$BOOT" ] || {
 config_list_foreach "$cfg" "interface" append_interface
 config_list_foreach "$cfg" "notinterface" append_notinterface
diff --git a/package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch b/package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch
new file mode 100644
index 000..4758100
--- /dev/null
+++ b/package/network/services/dnsmasq/patches/300-Connection-track-mark-based-DNS-query-filtering.patch
@@ -0,0 +1,1262 @@ +From e403e6dfabd9b9c4d4b132a940987f1cf3595278 Mon Sep 17 00:00:00 2001 +From: Etan Kissling +Date: Tue, 12 Jan 2021 10:51:21 +0100 +Subject: [PATCH v5] Connection track mark based DNS query filtering. + +This extends query filtering support beyond what is currently possible +with the `--ipset` configuration option, by adding support for: +1) Specifying allowlists on a per-client basis, based on their + associated Linux connection track mark. +2) Dynamic configuration of allowlists via Ubus. +3) Reporting when a DNS query resolves or is rejected via Ubus. +4) DNS name patterns containing wildcards. + +Disallowed queries are not forwarded; they are rejected +with a REFUSED error code. + +Signed-off-by: Etan Kissling +--- +v2: Rebase to v2.83, and fix compilation when HAVE_UBUS not present. +v3: Rebase to v2.84test2. +v4: Rebase to v2.84rc2 (update copyright notice). +v5: Correct logging of `ubus_notify` errors (also in existing code). + + Makefile | 2 +- + man/dnsmasq.8 | 31 +++- + src/dnsmasq.h | 25 +++- + src/forward.c | 121 +++- + src/option.c | 134 ++ + src/pattern.c | 386 ++ + src/rfc1035.c | 82 +++ + src/ubus.c| 184 +++- + 8 files changed, 956 insertions(+), 9 deletions(-) + create mode 100644 src/pattern.c + +diff --git a/Makefile b/Makefile +index e4c3f5c..506e56b 100644 +--- a/Makefile b/Makefile +@@ -79,7 +79,7 @@ copts_conf = .copts_$(sum) + objs = cache.o rfc1035.o util.o option.o forward.o network.o \ +dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \ +helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ +- dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \ ++ dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o pattern.o \ +domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \ +poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o \ +metrics.o hash_questions.o +diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 +index ac7c9fa..04d666d 100644 +--- a/man/dnsmasq.8 b/man/dnsmasq.8 +@@ -368,7 +368,10 @@ provides service 
at that name, rather than the default which is + .TP + .B --enable-ubus[=] + Enable dnsmasq UBus interface. It sends notifications via UBus on +-DHCPACK and DHCPRELEASE events. Furthermore it offers metrics. ++DHCPACK and DHCPRELEASE events. Furthermore it offers metrics ++and allows configuration of Linux connection track mark
Re: [Dnsmasq-discuss] DKIM / DMARC emails.
On 21.02.21, 21:54, "Dnsmasq-discuss on behalf of Simon Kelley" wrote: > OK. It's set. Looking for feedback, good and bad. > > Simon. My latest '[PATCH v5] Connection track mark based DNS query filtering.' email no longer got filtered into the junk folder, so I think the settings may be good now. Thanks Etan ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss