Re: [Dnsmasq-discuss] [PATCH] Connection track mark based DNS query filtering.

2022-11-06 Thread Ed W



On 23/10/2022 11:43, Geert Stappers via Dnsmasq-discuss wrote:
> On Sun, Oct 23, 2022 at 10:15:47AM +0200, Geert Stappers via Dnsmasq-discuss 
> wrote:
>> On Fri, Jan 22, 2021 at 09:34:53PM +0100, Etan Kissling wrote:
>>> This extends query filtering support beyond what is currently possible
>>> with the `--ipset` configuration option, by adding support for:
>>> 1) Specifying allowlists on a per-client basis, based on their
>>>associated Linux connection track mark.
>>> 2) Dynamic configuration of allowlists via Ubus.
>>> 3) Reporting when a DNS query resolves or is rejected via Ubus.
>>> 4) DNS name patterns containing wildcards.
>>>
>>> Disallowed queries are not forwarded; they are rejected
>>> with a REFUSED error code.
>>>
>>> Signed-off-by: Etan Kissling 
>>> ---
>>>  Makefile  |   2 +-
>>>  man/dnsmasq.8 |  31 +++-
>>>  src/dnsmasq.h |  25 +++-
>>>  src/forward.c | 123 +++-
>>>  src/option.c  | 134 ++
>>>  src/pattern.c | 386 ++
>>>  src/rfc1035.c |  82 +++
>>>  src/ubus.c| 182 
>>>  8 files changed, 956 insertions(+), 9 deletions(-)
>>>  create mode 100644 src/pattern.c
>>  
>>
>> Found this while looking for another patch.
>> I did see that no one responded to the patch.
>> I might be wrong about that, due to my archive being my only point of view.
>>
>>
>> What were the other responses?
>>
> I'm asking especially the mailing list because I got
>
> : host mx-in.g.apple.com[17.72.136.242] said: 550 5.1.6 recipient no longer
>   on server: etan_kissl...@apple.com (in reply to RCPT TO command)
>
>
> Groeten
> Geert Stappers


I could make use of this feature!

I have no opinion on the code, or whether it implements the behaviour as described.

I think we have seen Apple behave something like this in the past? They will present a patch once, and if nobody wants to bite then there won't be prompting. I think it's up to the maintainers of dnsmasq whether we want to integrate this and maintain it?

Ed W


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] [PATCH] Connection track mark based DNS query filtering.

2022-10-23 Thread Geert Stappers via Dnsmasq-discuss
On Sun, Oct 23, 2022 at 10:15:47AM +0200, Geert Stappers via Dnsmasq-discuss 
wrote:
> On Fri, Jan 22, 2021 at 09:34:53PM +0100, Etan Kissling wrote:
> > This extends query filtering support beyond what is currently possible
> > with the `--ipset` configuration option, by adding support for:
> > 1) Specifying allowlists on a per-client basis, based on their
> >associated Linux connection track mark.
> > 2) Dynamic configuration of allowlists via Ubus.
> > 3) Reporting when a DNS query resolves or is rejected via Ubus.
> > 4) DNS name patterns containing wildcards.
> > 
> > Disallowed queries are not forwarded; they are rejected
> > with a REFUSED error code.
> > 
> > Signed-off-by: Etan Kissling 
> > ---
> >  Makefile  |   2 +-
> >  man/dnsmasq.8 |  31 +++-
> >  src/dnsmasq.h |  25 +++-
> >  src/forward.c | 123 +++-
> >  src/option.c  | 134 ++
> >  src/pattern.c | 386 ++
> >  src/rfc1035.c |  82 +++
> >  src/ubus.c| 182 
> >  8 files changed, 956 insertions(+), 9 deletions(-)
> >  create mode 100644 src/pattern.c
>  
> 
> Found this while looking for another patch.
> I did see that no one responded to the patch.
> I might be wrong about that, due to my archive being my only point of view.
> 
> 
> What were the other responses?
> 

I'm asking especially the mailing list because I got

: host mx-in.g.apple.com[17.72.136.242] said: 550 5.1.6 recipient no longer
  on server: etan_kissl...@apple.com (in reply to RCPT TO command)


Groeten
Geert Stappers
-- 
Silence is hard to parse


Re: [Dnsmasq-discuss] [PATCH] Connection track mark based DNS query filtering.

2022-10-23 Thread Geert Stappers via Dnsmasq-discuss
On Fri, Jan 22, 2021 at 09:34:53PM +0100, Etan Kissling wrote:
> This extends query filtering support beyond what is currently possible
> with the `--ipset` configuration option, by adding support for:
> 1) Specifying allowlists on a per-client basis, based on their
>associated Linux connection track mark.
> 2) Dynamic configuration of allowlists via Ubus.
> 3) Reporting when a DNS query resolves or is rejected via Ubus.
> 4) DNS name patterns containing wildcards.
> 
> Disallowed queries are not forwarded; they are rejected
> with a REFUSED error code.
> 
> Signed-off-by: Etan Kissling 
> ---
>  Makefile  |   2 +-
>  man/dnsmasq.8 |  31 +++-
>  src/dnsmasq.h |  25 +++-
>  src/forward.c | 123 +++-
>  src/option.c  | 134 ++
>  src/pattern.c | 386 ++
>  src/rfc1035.c |  82 +++
>  src/ubus.c| 182 
>  8 files changed, 956 insertions(+), 9 deletions(-)
>  create mode 100644 src/pattern.c
 

Found this while looking for another patch.
I did see that no one responded to the patch.
I might be wrong about that, due to my archive being my only point of view.


What were the other responses?


Groeten
Geert Stappers
-- 
Silence is hard to parse


[Dnsmasq-discuss] [PATCH] Connection track mark based DNS query filtering.

2021-01-23 Thread Etan Kissling
This extends query filtering support beyond what is currently possible
with the `--ipset` configuration option, by adding support for:
1) Specifying allowlists on a per-client basis, based on their
   associated Linux connection track mark.
2) Dynamic configuration of allowlists via Ubus.
3) Reporting when a DNS query resolves or is rejected via Ubus.
4) DNS name patterns containing wildcards.

Disallowed queries are not forwarded; they are rejected
with a REFUSED error code.

Signed-off-by: Etan Kissling 
---
 Makefile  |   2 +-
 man/dnsmasq.8 |  31 +++-
 src/dnsmasq.h |  25 +++-
 src/forward.c | 123 +++-
 src/option.c  | 134 ++
 src/pattern.c | 386 ++
 src/rfc1035.c |  82 +++
 src/ubus.c| 182 
 8 files changed, 956 insertions(+), 9 deletions(-)
 create mode 100644 src/pattern.c

diff --git a/Makefile b/Makefile
index 7d2afd1..cf41bc2 100644
--- a/Makefile
+++ b/Makefile
@@ -77,7 +77,7 @@ copts_conf = .copts_$(sum)
 objs = cache.o rfc1035.o util.o option.o forward.o network.o \
dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \
helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \
-   dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \
+   dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o pattern.o \
domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \
poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o \
metrics.o hash_questions.o
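Review bot: pattern.o goes into the unconditional object list, the same way conntrack.o and ubus.o already appear in this list, so pattern.c must compile to an empty translation unit when the build lacks the HAVE_CONNTRACK (and, for the ubus parts, HAVE_UBUS) build option; otherwise every build that cannot use connection track marks still carries and links the 386-line matcher. Please confirm that pattern.c sits under the same build-time guard as its callers in forward.c and rfc1035.c.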
diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index ac7c9fa..04d666d 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -368,7 +368,10 @@ provides service at that name, rather than the default 
which is
 .TP 
 .B --enable-ubus[=]
 Enable dnsmasq UBus interface. It sends notifications via UBus on
-DHCPACK and DHCPRELEASE events. Furthermore it offers metrics.
+DHCPACK and DHCPRELEASE events. Furthermore it offers metrics
+and allows configuration of Linux connection track mark based filtering.
+When DNS query filtering based on Linux connection track marks is enabled
+UBus notifications are generated for each resolved or filtered DNS query.
 Requires that dnsmasq has been built with UBus support. If the service
 name is given, dnsmasq provides service at that namespace, rather than
 the default which is
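Review bot: the added sentence promises a UBus notification for every resolved or filtered query but names neither the notification nor its fields (query name, client address, connection track mark, verdict), so an operator cannot write the subscriber this is meant to feed; document the notification names and payload here, alongside the existing DHCPACK/DHCPRELEASE wording. Two things worth stating as well: per-query notifications on a busy resolver are far more bus traffic than DHCP events, and the query names become visible to any process able to subscribe to the namespace, so say explicitly that they are emitted only when connmark filtering is enabled (the text implies this) and whether they can be turned off independently of the filtering. Minor: a comma is missing after "is enabled".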
@@ -533,6 +536,32 @@ These IP sets must already exist. See
 .BR ipset (8)
 for more details.
 .TP
+.B --connmark-allowlist-enable[=]
+Enables filtering of incoming DNS queries with associated Linux connection 
track marks
+according to individual allowlists configured via a series of 
\fB--connmark-allowlist\fP
+options. Disallowed queries are not forwarded; they are rejected with a 
REFUSED error code.
+DNS queries are only allowed if they do not have an associated Linux connection
+track mark, or if the queried domains match the configured DNS patterns for the
+associated Linux connection track mark. If no allowlist is configured for a
+Linux connection track mark, all DNS queries associated with that mark are 
rejected.
+If a mask is specified, Linux connection track marks are first bitwise ANDed
+with the given mask before being processed.
+.TP
+.B --connmark-allowlist=[/][,[/...]]
+Configures the DNS patterns that are allowed in DNS queries associated with
+the given Linux connection track mark.
+If a mask is specified, Linux connection track marks are first bitwise ANDed
+with the given mask before they are compared to the given connection track 
mark.
+Patterns follow the syntax of DNS names, but additionally allow the wildcard
+character "*" to be used up to twice per label to match 0 or more characters
+within that label. Note that the wildcard never matches a dot (e.g., 
"*.example.com"
+matches "api.example.com" but not "api.us.example.com"). Patterns must be
+fully qualified, i.e., consist of at least two labels. The final label must 
not be
+fully numeric, and must not be the "local" pseudo-TLD. A pattern must end with 
at least
+two literal (non-wildcard) labels.
+Instead of a pattern, "*" can be specified to disable allowlist filtering
+for a given Linux connection track mark entirely.
+.TP
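Review bot: the sentence allowing any query that does "not have an associated Linux connection track mark" is the fail-open edge of this feature, and the text needs to say what that means in practice: a conntrack entry always carries a mark (default 0), so state whether mark 0 counts as "no mark", what happens when the mask given to --connmark-allowlist-enable zeroes the mark, and what happens when the conntrack lookup itself fails; as written, a client the firewall forgets to mark is simply unfiltered. Three smaller gaps: the enable option's mask and the per-list mask are both described as ANDed with the mark, so give the order of operations and say what happens when several --connmark-allowlist entries match the same masked mark; note that "*.example.com" does not match "example.com" itself, so allowing a domain normally needs both entries; and, since the --enable-ubus text states its build requirement, say here that these options need a build with conntrack support.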
 .B \-m, --mx-host=[[,],]
 Return an MX record named  pointing to the given hostname (if
 given), or
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 360c226..975cc2b 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -269,7 +269,8 @@ struct event_desc {
 #define OPT_IGNORE_CLID59
 #define OPT_SINGLE_PORT60
 #define OPT_LEASE_RENEW61
-#define OPT_LAST   62
+#define OPT_CMARK_ALST_EN  62
+#define OPT_LAST   63
 
 #define OPTION_BITS (sizeof(unsigned int)*8)
 #define OPTION_SIZE ( (OPT_LAST/OPTION_BITS)+((OPT_LAST%OPTION_BITS)!=0) )
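Review bot: OPT_CMARK_ALST_EN records only that filtering is on; the optional mask argument of --connmark-allowlist-enable needs storage too and it is not in the hunks shown here, so please point to where it lives and confirm it defaults to all-ones when the option is given without a mask, which is how the man page text reads. With OPT_LAST at 63, OPTION_SIZE stays at two words for a 32-bit unsigned int, so the option bitmap does not grow. Style: the neighbouring names spell their words out (OPT_SINGLE_PORT, OPT_LEASE_RENEW); OPT_CONNMARK_ALLOWLIST would be easier to grep for than the abbreviation.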
@@ -563,6 +564,12 @@ struct ipsets {
   struct ipsets *next;
 };
 
+struct allowlist {
+  uint32_t mark, mask;
+  char **patterns;
+  struct allowlist *next;
+};
+
 struct irec {
   union mysockaddr addr;
   struct in_addr netmask; /* only 
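Review bot: `char **patterns` carries no length, so it must be NULL-terminated; say so in a comment on the struct, because the Ubus path in this patch replaces these lists at runtime and a reader of forward.c needs the termination convention plus the ownership rule (who frees the strings when a list is replaced over Ubus, and whether a query in flight can still hold a pointer into the old list). Also worth a comment: whether `mark` is stored already masked so that the lookup is a single compare, and whether entries with overlapping masks are searched in configuration order with the first match winning. The remainder of the patch (forward.c, option.c, pattern.c, rfc1035.c, ubus.c) is not on this page, so these points cannot be checked against the code here.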

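The matching and verdict rules spelled out in the man page text of the patch above, worked through as an added, stand-alone C model. This is example code written for this page, not the patch's pattern.c or forward.c (neither is on the page). The wildcard glob, the validation checks, the mark-and-mask lookup and the always-allow handling of unmarked queries follow the man page wording; where that wording is silent (case-insensitive comparison, mark 0 meaning "no mark", first matching list wins, which characters a label may contain) the code states its assumption in a comment. The sample allowlists and the queries in main are constructed for the example.

```c
/* Added example, not the patch's pattern.c: a stand-alone model of the
 * connmark allowlist semantics described in the dnsmasq.8 text above. */
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* One label against one pattern label. '*' matches zero or more characters
 * and can never match a dot because labels are compared individually.
 * Greedy glob with backtracking. Assumption: names compare case-insensitively. */
static bool label_match(const char *pat, size_t plen, const char *lab, size_t llen)
{
    size_t p = 0, l = 0, star_p = (size_t)-1, star_l = 0;
    while (l < llen) {
        if (p < plen && pat[p] == '*') { star_p = p++; star_l = l; }
        else if (p < plen && tolower((unsigned char)pat[p]) == tolower((unsigned char)lab[l])) { p++; l++; }
        else if (star_p != (size_t)-1) { p = star_p + 1; l = ++star_l; }
        else return false;
    }
    while (p < plen && pat[p] == '*') p++;
    return p == plen;
}

/* Whole name against whole pattern, label by label; label counts must agree,
 * so "*.example.com" matches "api.example.com" but neither "example.com" nor
 * "api.us.example.com". Names are expected without a trailing dot. */
bool pattern_match(const char *pattern, const char *name)
{
    for (;;) {
        const char *pe = strchr(pattern, '.'), *ne = strchr(name, '.');
        size_t plen = pe ? (size_t)(pe - pattern) : strlen(pattern);
        size_t nlen = ne ? (size_t)(ne - name) : strlen(name);
        if (!label_match(pattern, plen, name, nlen)) return false;
        if (!pe || !ne) return !pe && !ne;
        pattern = pe + 1; name = ne + 1;
    }
}

/* Config-time validation per the man page rules. Returns NULL when valid,
 * otherwise a reason usable in a parse error. A lone "*" is the
 * "disable filtering for this mark" marker and is accepted as-is. */
const char *pattern_check(const char *pattern)
{
    int labels = 0, literal_tail = 0, stars = 0;
    bool numeric = true, literal = true;
    size_t len = 0;
    const char *last = pattern;                 /* start of the final label */
    if (strcmp(pattern, "*") == 0) return NULL;
    for (const char *c = pattern;; c++) {
        if (*c == '.' || *c == '\0') {
            if (len == 0) return "empty label";
            labels++;
            literal_tail = literal ? literal_tail + 1 : 0;
            if (*c == '\0') break;
            last = c + 1; len = 0; stars = 0; numeric = true; literal = true;
        } else if (*c == '*') {
            len++; literal = false; numeric = false;
            if (++stars > 2) return "more than two wildcards in one label";
        } else if (isalnum((unsigned char)*c) || *c == '-') {   /* assumption: hostname syntax */
            len++; if (!isdigit((unsigned char)*c)) numeric = false;
        } else return "character not allowed in a DNS label";
    }
    if (labels < 2) return "pattern must be fully qualified (two or more labels)";
    if (literal_tail < 2) return "pattern must end with two literal labels";
    if (numeric) return "final label must not be fully numeric";
    if (strcasecmp(last, "local") == 0) return "final label must not be \"local\"";
    return NULL;
}

struct allowlist {
    uint32_t mark, mask;
    const char *const *patterns;   /* NULL-terminated; a single "*" disables filtering */
    const struct allowlist *next;
};

/* Verdict for one query. global_mask models --connmark-allowlist-enable=<mask>
 * (all ones when no mask is given). Assumptions where the man page is silent:
 * a masked mark of 0 is "no mark" and is therefore allowed (the fail-open
 * case), and the first list whose masked mark matches decides. */
bool query_allowed(const struct allowlist *lists, uint32_t global_mask,
                   uint32_t mark, const char *name)
{
    mark &= global_mask;
    if (mark == 0) return true;
    for (const struct allowlist *l = lists; l; l = l->next) {
        if ((mark & l->mask) != (l->mark & l->mask)) continue;
        for (const char *const *p = l->patterns; *p; p++)
            if (strcmp(*p, "*") == 0 || pattern_match(*p, name)) return true;
        return false;   /* marked and listed, but no pattern matched: REFUSED */
    }
    return false;       /* marked but no list for this mark: REFUSED */
}

/* Constructed sample configuration: mark 0x10 may reach example.com only,
 * mark 0x20 is unfiltered, any other non-zero mark has no list. */
static const char *const lan_patterns[]   = { "*.example.com", "example.com", NULL };
static const char *const admin_patterns[] = { "*", NULL };
static const struct allowlist admin_list  = { 0x20, 0xff, admin_patterns, NULL };
static const struct allowlist lan_list    = { 0x10, 0xff, lan_patterns, &admin_list };
const struct allowlist *demo_lists(void) { return &lan_list; }

int main(void)
{
    const struct { uint32_t mark; const char *name; } q[] = {   /* constructed queries */
        { 0x10, "api.example.com" }, { 0x10, "api.us.example.com" }, { 0x10, "example.com" },
        { 0x10, "tracker.test" },    { 0x20, "tracker.test" },       { 0x30, "api.example.com" },
        { 0x00, "tracker.test" },
    };
    for (size_t i = 0; i < sizeof q / sizeof q[0]; i++)
        printf("mark 0x%02x %-22s -> %s\n", q[i].mark, q[i].name,
               query_allowed(demo_lists(), 0xffffffffu, q[i].mark, q[i].name) ? "forward" : "REFUSED");
    return 0;
}
```

Build with `cc -std=c11 -Wall -o connmark_demo connmark_demo.c` and run it; one verdict per constructed query is printed. The mark-0 branch is the part to keep in mind when writing the firewall rules that assign marks: any client the rules fail to mark is answered without filtering, while a marked client with no list at all gets REFUSED for everything.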
[Dnsmasq-discuss] [PATCH] Connection track mark based DNS query filtering.

2021-01-21 Thread Etan Kissling
This extends query filtering support beyond what is currently possible
with the `--ipset` configuration option, by adding support for:
1) Specifying allowlists on a per-client basis, based on their
   associated Linux connection track mark.
2) Dynamic configuration of allowlists via Ubus.
3) Reporting when a DNS query resolves or is rejected via Ubus.
4) DNS name patterns containing wildcards.

Disallowed queries are not forwarded; they are rejected
with a REFUSED error code.

Signed-off-by: Etan Kissling 
---
 Makefile  |   2 +-
 man/dnsmasq.8 |  31 +++-
 src/dnsmasq.h |  25 +++-
 src/forward.c | 121 +++-
 src/option.c  | 134 ++
 src/pattern.c | 386 ++
 src/rfc1035.c |  82 +++
 src/ubus.c| 182 
 8 files changed, 955 insertions(+), 8 deletions(-)
 create mode 100644 src/pattern.c

diff --git a/Makefile b/Makefile
index 7d2afd1..cf41bc2 100644
--- a/Makefile
+++ b/Makefile
@@ -77,7 +77,7 @@ copts_conf = .copts_$(sum)
 objs = cache.o rfc1035.o util.o option.o forward.o network.o \
dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \
helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \
-   dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \
+   dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o pattern.o \
domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \
poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o \
metrics.o hash_questions.o
diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index ac7c9fa..04d666d 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -368,7 +368,10 @@ provides service at that name, rather than the default 
which is
 .TP 
 .B --enable-ubus[=]
 Enable dnsmasq UBus interface. It sends notifications via UBus on
-DHCPACK and DHCPRELEASE events. Furthermore it offers metrics.
+DHCPACK and DHCPRELEASE events. Furthermore it offers metrics
+and allows configuration of Linux connection track mark based filtering.
+When DNS query filtering based on Linux connection track marks is enabled
+UBus notifications are generated for each resolved or filtered DNS query.
 Requires that dnsmasq has been built with UBus support. If the service
 name is given, dnsmasq provides service at that namespace, rather than
 the default which is
@@ -533,6 +536,32 @@ These IP sets must already exist. See
 .BR ipset (8)
 for more details.
 .TP
+.B --connmark-allowlist-enable[=]
+Enables filtering of incoming DNS queries with associated Linux connection 
track marks
+according to individual allowlists configured via a series of 
\fB--connmark-allowlist\fP
+options. Disallowed queries are not forwarded; they are rejected with a 
REFUSED error code.
+DNS queries are only allowed if they do not have an associated Linux connection
+track mark, or if the queried domains match the configured DNS patterns for the
+associated Linux connection track mark. If no allowlist is configured for a
+Linux connection track mark, all DNS queries associated with that mark are 
rejected.
+If a mask is specified, Linux connection track marks are first bitwise ANDed
+with the given mask before being processed.
+.TP
+.B --connmark-allowlist=[/][,[/...]]
+Configures the DNS patterns that are allowed in DNS queries associated with
+the given Linux connection track mark.
+If a mask is specified, Linux connection track marks are first bitwise ANDed
+with the given mask before they are compared to the given connection track 
mark.
+Patterns follow the syntax of DNS names, but additionally allow the wildcard
+character "*" to be used up to twice per label to match 0 or more characters
+within that label. Note that the wildcard never matches a dot (e.g., 
"*.example.com"
+matches "api.example.com" but not "api.us.example.com"). Patterns must be
+fully qualified, i.e., consist of at least two labels. The final label must 
not be
+fully numeric, and must not be the "local" pseudo-TLD. A pattern must end with 
at least
+two literal (non-wildcard) labels.
+Instead of a pattern, "*" can be specified to disable allowlist filtering
+for a given Linux connection track mark entirely.
+.TP
 .B \-m, --mx-host=[[,],]
 Return an MX record named  pointing to the given hostname (if
 given), or
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 914f469..852424d 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -269,7 +269,8 @@ struct event_desc {
 #define OPT_IGNORE_CLID59
 #define OPT_SINGLE_PORT60
 #define OPT_LEASE_RENEW61
-#define OPT_LAST   62
+#define OPT_CMARK_ALST_EN  62
+#define OPT_LAST   63
 
 #define OPTION_BITS (sizeof(unsigned int)*8)
 #define OPTION_SIZE ( (OPT_LAST/OPTION_BITS)+((OPT_LAST%OPTION_BITS)!=0) )
@@ -563,6 +564,12 @@ struct ipsets {
   struct ipsets *next;
 };
 
+struct allowlist {
+  uint32_t mark, mask;
+  char **patterns;
+  struct allowlist *next;
+};
+
 struct irec {
   union mysockaddr addr;
   struct in_addr netmask; /* only 

[Dnsmasq-discuss] [PATCH] Connection track mark based DNS query filtering.

2021-01-16 Thread Etan Kissling
This extends query filtering support beyond what is currently possible
with the `--ipset` configuration option, by adding support for:
1) Specifying allowlists on a per-client basis, based on their
   associated Linux connection track mark.
2) Dynamic configuration of allowlists via Ubus.
3) Reporting when a DNS query resolves or is rejected via Ubus.
4) DNS name patterns containing wildcards.

Disallowed queries are not forwarded; they are rejected
with a REFUSED error code.

Signed-off-by: Etan Kissling 
---
 Makefile  |   2 +-
 man/dnsmasq.8 |  31 +++-
 src/dnsmasq.h |  25 +++-
 src/forward.c | 125 +++-
 src/option.c  | 134 ++
 src/pattern.c | 386 ++
 src/rfc1035.c |  82 +++
 src/ubus.c| 182 
 8 files changed, 959 insertions(+), 8 deletions(-)
 create mode 100644 src/pattern.c

diff --git a/Makefile b/Makefile
index 78e25f0..8c64438 100644
--- a/Makefile
+++ b/Makefile
@@ -75,7 +75,7 @@ copts_conf = .copts_$(sum)
 objs = cache.o rfc1035.o util.o option.o forward.o network.o \
dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \
helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \
-   dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \
+   dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o pattern.o \
domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \
poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o metrics.o
 
diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index 7c6b405..a0dfe96 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -368,7 +368,10 @@ provides service at that name, rather than the default 
which is
 .TP 
 .B --enable-ubus[=]
 Enable dnsmasq UBus interface. It sends notifications via UBus on
-DHCPACK and DHCPRELEASE events. Furthermore it offers metrics.
+DHCPACK and DHCPRELEASE events. Furthermore it offers metrics
+and allows configuration of Linux connection track mark based filtering.
+When DNS query filtering based on Linux connection track marks is enabled
+UBus notifications are generated for each resolved or filtered DNS query.
 Requires that dnsmasq has been built with UBus support. If the service
 name is given, dnsmasq provides service at that namespace, rather than
 the default which is
@@ -533,6 +536,32 @@ These IP sets must already exist. See
 .BR ipset (8)
 for more details.
 .TP
+.B --connmark-allowlist-enable[=]
+Enables filtering of incoming DNS queries with associated Linux connection 
track marks
+according to individual allowlists configured via a series of 
\fB--connmark-allowlist\fP
+options. Disallowed queries are not forwarded; they are rejected with a 
REFUSED error code.
+DNS queries are only allowed if they do not have an associated Linux connection
+track mark, or if the queried domains match the configured DNS patterns for the
+associated Linux connection track mark. If no allowlist is configured for a
+Linux connection track mark, all DNS queries associated with that mark are 
rejected.
+If a mask is specified, Linux connection track marks are first bitwise ANDed
+with the given mask before being processed.
+.TP
+.B --connmark-allowlist=[/][,[/...]]
+Configures the DNS patterns that are allowed in DNS queries associated with
+the given Linux connection track mark.
+If a mask is specified, Linux connection track marks are first bitwise ANDed
+with the given mask before they are compared to the given connection track 
mark.
+Patterns follow the syntax of DNS names, but additionally allow the wildcard
+character "*" to be used up to twice per label to match 0 or more characters
+within that label. Note that the wildcard never matches a dot (e.g., 
"*.example.com"
+matches "api.example.com" but not "api.us.example.com"). Patterns must be
+fully qualified, i.e., consist of at least two labels. The final label must 
not be
+fully numeric, and must not be the "local" pseudo-TLD. A pattern must end with 
at least
+two literal (non-wildcard) labels.
+Instead of a pattern, "*" can be specified to disable allowlist filtering
+for a given Linux connection track mark entirely.
+.TP
 .B \-m, --mx-host=[[,],]
 Return an MX record named  pointing to the given hostname (if
 given), or
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 4d78c37..dcbe0ef 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -269,7 +269,8 @@ struct event_desc {
 #define OPT_IGNORE_CLID59
 #define OPT_SINGLE_PORT60
 #define OPT_LEASE_RENEW61
-#define OPT_LAST   62
+#define OPT_CMARK_ALST_EN  62
+#define OPT_LAST   63
 
 #define OPTION_BITS (sizeof(unsigned int)*8)
 #define OPTION_SIZE ( (OPT_LAST/OPTION_BITS)+((OPT_LAST%OPTION_BITS)!=0) )
@@ -563,6 +564,12 @@ struct ipsets {
   struct ipsets *next;
 };
 
+struct allowlist {
+  uint32_t mark, mask;
+  char **patterns;
+  struct allowlist *next;
+};
+
 struct irec {
   union mysockaddr addr;
   struct in_addr netmask; /* only valid for IPv4 */
@@