[Dnsmasq-discuss] feature request: ipset options

Simon Kelley simon at thekelleys.org.uk
Mon Apr 23 22:39:34 BST 2018


I'm no ipset expert, but it looks to me like you can get this effect
anyway, by creating the ipset as type hash:ip and specifying a netmask.


http://ipset.netfilter.org/ipset.man.html

hash:ip
The hash:ip set type uses a hash to store IP host addresses (default) or
network addresses. Zero valued IP address cannot be stored in a hash:ip
type of set.
CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [
maxelem value ] [ netmask cidr ] [ timeout value ] [ counters ] [
comment ] [ skbinfo ]

ADD-ENTRY := ipaddr

ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [
comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]

DEL-ENTRY := ipaddr

TEST-ENTRY := ipaddr

Optional create options:

netmask cidr
When the optional netmask parameter is specified, network addresses will be
stored in the set instead of IP host addresses. The cidr prefix value
must be between 1-32 for IPv4 and between 1-128 for IPv6. An IP address
will be in the set if the network address, which results from masking
the address with the netmask, can be found in the set. Examples:
ipset create foo hash:ip netmask 30
ipset add foo 192.168.1.0/24
ipset test foo 192.168.1.2


Cheers,

Simon.




On 23/04/18 21:15, Leonardo Rodrigues wrote:
> 
>     I'm running dnsmasq with ipset support in some VERY low memory
> (those all-in-one boards), and RAM is really my main concern
> here. I'm actually using some 'ipset' rules on dnsmasq.conf to have some
> domains IPs on an ipset list and, thus, being able to allow/deny them
> with iptables.
> 
>     Some of the sets are REALLY large (10k+ entries).
> 
>     I was thinking of having a dnsmasq option for, instead of adding the
> full IP to the set, adding its /24 network for example (simply stripping
> the last digit and adding '.0/24'). In that case, the sets would be
> significantly smaller. I know with this I'll potentially be allowing
> traffic I'm not looking for, by assuming the domain holds the entire /24
> network. But I'm really concerned with RAM usage, and I'm willing to
> take that risk.
> 
>     Would it be hard to implement something like that in dnsmasq? Would
> this be useful for anyone else?
> 
> 
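As an added illustration for this thread (a model written here, not code from dnsmasq or ipset), the Python class below mimics the masking semantics of a `hash:ip` set created with `netmask`, so the man page example and the /24 collapse Leonardo asked for can be checked without root or a kernel ipset. The sample addresses are constructed; IPv4 only.

```python
import ipaddress


class HashIpNetmaskSet:
    """Model of an ipset `hash:ip` set created with `netmask <cidr>` (IPv4).

    As in the man page: an address is masked to `netmask` bits before it is
    stored or looked up, so the host addresses dnsmasq adds unchanged are
    kept as their enclosing network, and duplicates collapse into one entry.
    """

    def __init__(self, netmask: int) -> None:
        if not 1 <= netmask <= 32:
            raise ValueError("netmask cidr must be between 1 and 32 for IPv4")
        self.netmask = netmask
        self._members = set()

    def _mask(self, addr) -> ipaddress.IPv4Network:
        # The network address that results from masking `addr` with the netmask.
        return ipaddress.ip_network((addr, self.netmask), strict=False)

    def add(self, entry: str) -> int:
        """Add a host address or CIDR range. A range wider than the netmask is
        expanded into every netmask-sized network it covers (a /24 into 64 /30s);
        anything narrower collapses to one network. Returns new entries stored."""
        net = ipaddress.ip_network(entry, strict=False)
        if net.prefixlen >= self.netmask:
            new = {self._mask(net.network_address)}
        else:
            new = set(net.subnets(new_prefix=self.netmask))
        added = len(new - self._members)
        self._members |= new
        return added

    def test(self, addr: str) -> bool:
        return self._mask(ipaddress.ip_address(addr)) in self._members

    def __len__(self) -> int:
        return len(self._members)


def entries_needed(addresses, netmask: int) -> int:
    """Entries occupied by A-record addresses added one by one (as dnsmasq
    does) in a set created with the given netmask."""
    s = HashIpNetmaskSet(netmask)
    for a in addresses:
        s.add(a)
    return len(s)


# Constructed sample: addresses one listed domain might resolve to over time.
SAMPLE = ["203.0.113.10", "203.0.113.20", "203.0.113.30", "198.51.100.5"]
```

Note that with `netmask 24` a test for any other host in 203.0.113.0/24 also succeeds, which is exactly the wider match Leonardo said he is willing to accept.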


