[Dnsmasq-discuss] Proposal and sample code: actions replacing ipsets??

Lee Essen lee.essen at nowonline.co.uk
Sat Jan 18 16:59:50 GMT 2014


Hi,

I’ve been a long time user of the ipset functionality of dnsmasq which has been fantastic for selective domain-based routing using iptables. Recently I’ve been looking at using a different device to handle my routing, separate to the dnsmasq instance … obviously that makes it difficult to make use of the ipset's.

Specifically I’m looking at a MikroTik device which can maintain it’s own lists (I’m sure it’s really ipsets under the covers.) In the same way as iptables, it can build “lists” based on src or dst address of incoming packets.

I started to look at adjusting the ipset code so that rather than add to sets, it would send a udp packet to a given address but with a src address matching the address that would have been added to the ipset … in that way you can match specific udp packets on a different machine and use that to build the “list”. Thus allowing the dnsmasq instance to be separate from your firewall.

In the process of trying to modify the code it was easier to add a more generic “action” concept than add individual support for udp sending. Plus you might want to do other things as well … potentially run a script/lua etc? (obviously with performance considered.)

So, I have put together a patch that changes the ipset functionality into “action”, where you can specify either ipset or udp as an action.

For example:

action=/google.com/google.co.uk/ipset=fred,udp=1.2.3.4:7800,udp=2.3.4.5:345
action=/sun.com/udp=10.0.0.1:4500

It’s only an idea, but I thought rather than keeping it as a personal patch I’d share it and see if anyone thinks it has any merit.

Some caveats ….

- it’s currently only ipv4
- it uses a fixed sender port (10001 for add, and 10002 for remove … these should be configurable really)
- it’s only a proof of concept, there’s probably loads wrong with the code
- I don’t know how portable the raw sockets are
- I’ve only done very very basic testing
- it does break compatibility with the ipset=/…/ config format … could add backwards compatibility easily enough.

Oh … and probably the most annoying thing … it’s a patch against 2.68 rather than git, I can rework if needed.

I’m happy to work on this more if people think there is any value in it.

Regards,

Lee.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: actions.patch
Type: application/octet-stream
Size: 18125 bytes
Desc: not available
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20140118/d8974153/attachment.obj>


More information about the Dnsmasq-discuss mailing list