[Dnsmasq-discuss] dnsmasq Debian 10 ipset nftables
mailinglistnoone at abwesend.de
Sat Apr 25 12:54:10 BST 2020
Hello Simon,
thank you for your answer. That's a pity. I'm only a private user and not a company, so I can't donate a significant amount for this.
Is it really so complicated to add this feature?
The replacement of ipset is explained on the pages https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_ipset_to_nftables and https://wiki.nftables.org/wiki-nftables/index.php/Sets.
If I understand it correctly, you only need one:
nft add set ip filter blackhole { type ipv4_addr\;}
nft add element ip filter blackhole { 192.168.3.4 }
As a result, dnsmasq would only need to perform an "nft add element" via the libnftnl library.
At https://git.netfilter.org/libnftnl/tree/examples there is an example "nft-set-elem-add.c". Wouldn't this be exactly what is needed?
Unfortunately I lack the programming skills to implement this myself.
I still hope that this feature will come, because nftables will replace iptables and is enabled by default in Debian nftables.
Kind regards
> Sent: Sunday, 22 December 2019 at 21:03
> From: "Simon Kelley" <simon at thekelleys.org.uk>
> To: dnsmasq-discuss at lists.thekelleys.org.uk
> Subject: Re: [Dnsmasq-discuss] dnsmasq Debian 10 ipset nftables
>
> Main dnsmasq maintainer here.
>
> I just looked at the nftables documentation, and it looks like all the
> support needed to do the same sort of things we do with iptables is there, but
> it would take either an nftables expert or a lot of reading to get
> sufficiently familiar with the system to actually implement it.
>
> I'd gladly accept a patch, or a paid commission to implement this.
> Failing either of those, it will go on the "nice to have" list, but
> given the current rate of progress, it may be some time.
>
>
> Cheers,
>
> Simon.
>
>
> On 20/12/2019 13:34, mailinglistnoone at abwesend.de wrote:
> > Many thanks for your answer.
> >
> > Is it planned to support nftables through dnsmasq? Is there a roadmap?
> >
> > iptables-legacy is unfortunately only a temporary solution.
> >
> > *Sent:* Thursday, 19 December 2019 at 17:20
> > *From:* "Florent Fourcot" <florent.fourcot at wifirst.fr>
> > *To:* mailinglistnoone at abwesend.de, dnsmasq-discuss at lists.thekelleys.org.uk
> > *Subject:* Re: [Dnsmasq-discuss] dnsmasq Debian 10 ipset nftables
> > Hello,
> >
> > Currently ipsets are filled via the Linux netlink interface, so it's fast
> > and efficient (not like running an external command). The ipset module is an
> > iptables extension, and is not supported by nftables.
> >
> > nftables has the same functionality as ipset built in (no need for an
> > extension), and is manageable via netlink as well. But it's not
> > included today in dnsmasq.
> >
> > So if you want to change your firewall after a DNS resolution on dnsmasq,
> > you still have to use iptables and not nftables (i.e. iptables-legacy on
> > Debian 10).
> >
> > _______________________________________________
> > Dnsmasq-discuss mailing list
> > Dnsmasq-discuss at lists.thekelleys.org.uk
> > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> >
>
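The mechanism the thread sketches, a named nftables set standing in for each dnsmasq ipset= entry and one "add element" per address resolved for a listed domain, as an added shell example. This is not dnsmasq's code and is not from any participant in the thread; the helper names, the "filter" table, the split of IPv4 answers into family "ip" and IPv6 answers into family "ip6", and the sample mappings and answers are all assumptions. It goes slightly beyond the thread by also handling IPv6 answers, by skipping unparsable addresses, and by dropping duplicate lines, and it emits an "nft -f" batch rather than issuing commands directly, so the result can be reviewed before it touches the firewall.

```shell
#!/bin/sh
# Added example, not dnsmasq code and not from any participant in this thread.
# It mirrors what dnsmasq's "ipset=/domain/setname" option does with ipset, but
# targets nftables: emit an "nft -f" batch that declares the named sets and adds
# every resolved address for a listed domain as an element. Assumptions: the
# table is called "filter", IPv4 answers go to family "ip" and IPv6 answers to
# family "ip6" (same set name in both), and the batch syntax is the one shown
# on the nftables wiki pages linked in the thread.

TABLE=${TABLE:-filter}

# Classify an address literal: prints "ip" or "ip6"; non-zero exit for anything
# else (deliberately loose: nft itself validates the literal when the batch loads).
addr_family() {
    case "$1" in
        *:*)     echo ip6 ;;
        *.*.*.*) echo ip ;;
        *)       return 1 ;;
    esac
}

# Declaration lines for one family/set pair. "add table" and "add set" are both
# accepted by nft when the object already exists, so re-running the batch is safe.
nft_set_decl() {  # family setname
    case "$1" in
        ip)  t=ipv4_addr ;;
        ip6) t=ipv6_addr ;;
        *)   return 1 ;;
    esac
    printf 'add table %s %s\n' "$1" "$TABLE"
    printf 'add set %s %s %s { type %s; }\n' "$1" "$TABLE" "$2" "$t"
}

# The single line dnsmasq would have to issue per answer (the thread's
# "nft add element", here in batch-file form).
nft_elem_add() {  # family setname address
    printf 'add element %s %s %s { %s }\n' "$1" "$TABLE" "$2" "$3"
}

# Build the batch. $1 holds "domain setname" mappings, $2 holds "name address"
# resolutions. A name matches a mapping exactly or as a subdomain, which is how
# dnsmasq's ipset= option matches. Unparsable addresses are reported on stderr
# and skipped rather than passed on, and exact duplicate lines are dropped so
# the output stays idempotent.
gen_batch() {  # mappings-file resolved-file
    while read -r name addr; do
        [ -n "$name" ] || continue
        fam=$(addr_family "$addr") || { echo "skipping unparsable address for $name: $addr" >&2; continue; }
        while read -r dom setname; do
            [ -n "$dom" ] || continue
            case "$name" in
                "$dom"|*."$dom")
                    nft_set_decl "$fam" "$setname"
                    nft_elem_add "$fam" "$setname" "$addr" ;;
            esac
        done < "$1"
    done < "$2" | awk '!seen[$0]++'
}

# Constructed sample input (not real data): two mappings, a subdomain answer
# that repeats an address, an IPv6 answer, and one bad line that must be skipped.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/mappings" <<'EOF'
example.com blackhole
tracker.example.net tracked
EOF
cat > "$WORK/resolved" <<'EOF'
example.com 192.168.3.4
www.example.com 192.168.3.4
cdn.example.com 2001:db8::10
tracker.example.net not-an-address
EOF

# Print the batch; on a real host this is what you would pipe into "nft -f -".
gen_batch "$WORK/mappings" "$WORK/resolved"
```

Because every line is an "add" of a table, set or element, the generated batch can be loaded repeatedly without error, and reviewing it before loading is the natural place to catch an answer that would put an unexpected address into a blocking set.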