[Dnsmasq-discuss] [patch] logs ipset action

Wang Jian larkwang at gmail.com
Fri Mar 28 16:30:22 UTC 2014

I have used ipset action for a while and it works pretty well. Before
this ipset functionality existed, I used scripts to generate ipset
lists based on dnsmasq server= rules.

But in the last few days, an ip subnet was added to the REDSOCKS ipset,
which made a lot of sites damn slow. Because other things happened
in the same time frame (an outbound bandwidth hogging client;
APCN2 submarine optical fiber cable broken, etc), I didn't figure
it out first hand.

Today I was crazy when a should-be-lightning-fast site was very slow. I
noticed that some .js was loading forever. I used Firefox developer to
find the domain, and found that its ip subnet is in the REDSOCKS ipset. I
spent about half an hour trying to find which server= rule triggered
this, but failed.

I have a 'direct' ipset which is used to bypass the REDSOCKS ipset. So I
added the ip subnet to this direct ipset. But another slowdown is
expected sooner or later.

Here is a patch to enable logs for ipset action (git pull
https://github/lark/dnsmasq ipset ). I use log_query in a hacky way
to avoid coding lines.

From 9d40d450debdde34fddbb6aa74989fd03a4aaa22 Mon Sep 17 00:00:00 2001
From: Wang Jian <larkwang at gmail.com>
Date: Fri, 28 Mar 2014 22:50:00 +0800
Subject: [PATCH] Log when adding resolved IP(s) to ipset(s)

There are occasions that resolved IPs are not suitable for the specified
ipset. Tracing this will be easier with logs.
 src/cache.c   | 7 +++++++
 src/dnsmasq.h | 1 +
 src/rfc1035.c | 5 ++++-
 3 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/cache.c b/src/cache.c
index 64cfeb1..5cec918 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -1609,6 +1609,13 @@ void log_query(unsigned int flags, char *name,
struct all_addr *addr, char *arg)
       source = arg;
       verb = "to";
+  else if (flags & F_IPSET)
+    {
+      source = "ipset add";
+      dest = name;
+      name = arg;
+      verb = daemon->addrbuff;
+    }
     source = "cached";
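
Review bot: In the F_IPSET branch the existing variables are repurposed (name = arg now holds the ipset name, dest = name holds the domain, verb = daemon->addrbuff holds the address text), so the log line is only correct for the order in which source, name, verb and dest are printed afterwards. That breaks silently if the output format changes; add a comment stating the intended log line, or give this case its own format. The branch also assumes daemon->addrbuff has already been filled from addr before it is reached, which the comment should state.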

diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 9c541eb..de2c97a 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -435,6 +435,7 @@ struct crec {
 #define F_KEYTAG    (1u<<23)
 #define F_SECSTAT   (1u<<24)
 #define F_NO_RR     (1u<<25)
+#define F_IPSET     (1u<<26)

 /* Values of uid in crecs with F_CONFIG bit set. */
 #define SRC_INTERFACE 0
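
Review bot: F_IPSET is defined in the flag list beside struct crec, but its only use in this patch is as a selector passed to log_query from extract_addresses, never as a bit set on a cache entry. A short comment on the define marking it as a log-only flag would keep it from being tested against crec flags later. Only the defines up to (1u<<25) are visible in this context, so confirm that bit 26 is not already taken elsewhere in the header.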
diff --git a/src/rfc1035.c b/src/rfc1035.c
index 43a06b9..cc9ce82 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -1102,7 +1102,10 @@ int extract_addresses(struct dns_header
*header, size_t qlen, char *name, time_t
                          ipsets_cur = ipsets;
                          while (*ipsets_cur)
-                           add_to_ipset(*ipsets_cur++, &addr, flags, 0);
+                            {
+                             log_query(F_IPSET, name, &addr, *ipsets_cur);
+                             add_to_ipset(*ipsets_cur++, &addr, flags, 0);
+                            }
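
Review bot: log_query is called with F_IPSET alone, while add_to_ipset on the next line receives flags; if log_query relies on the address-family bits to format addr into daemon->addrbuff, the logged address can be wrong for one family. Passing the family bits through, for example (flags & (F_IPV4 | F_IPV6)) | F_IPSET, avoids that. The message is also written before add_to_ipset runs and regardless of its result, so the log can show an add that did not happen; logging after the call, or including its result, would make the trace dependable for the debugging case the commit message describes.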

