[Dnsmasq-discuss] [PATCH] Support nftables set

Qi-An Fu fugoes.qa at gmail.com
Tue Jul 21 10:36:27 BST 2020


Hi,

I wrote a patch to add nftables set support to dnsmasq. The patch is
available at https://github.com/Fugoes/dnsmasq. It is in an early stage,
though I have tested it with a configuration file with ~70000 nftables
set rules and it works just fine.

I think this feature is quite useful, e.g. Debian 10 has switched to
nftables backend by default, and ipset is not available.

Here are some notes on this patch:
- It uses libnftables to execute nftables operations. This library is
  kind of a high level library. libnftables provides an interface with
  nft's cli interface:
  > int nft_run_cmd_from_buffer(struct nft_ctx *nft, const char *buf);
  The library does not invoke fork(). The only overhead is parsing the
  command. libnftables is based on libnftnl, and libnftnl is based on
  libnl. The overhead of parsing could be avoided by using libnftnl or
  even libnl. However, I could not find useful documentation of
  libnftnl, so I went with libnftables.
- It uses a radix-tree-like data structure (as well as a hash table) to
  search for a domain name's nftables set name. Check the src/dntree.*
  files for more information.

nftables set's "add" command does NOT reset the target entry's timeout
value, while ipset's "add" command would reset it. AFAIK, there is no
direct way to implement ipset's "add" command's behavior in nftables.
Any suggestions?

-- 
Qi-An Fu
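To illustrate the kind of lookup the patch's label tree has to perform, here is an added example that is not the patch's src/dntree.* code and not part of the original post. It assumes the matching rule dnsmasq uses for its ipset= option (a configured domain matches itself and all of its subdomains, and the most specific configured domain wins), builds a tree keyed from the rightmost label, and returns the longest-suffix match. The set names and domains are constructed sample data; lookups are case-insensitive and tolerate a trailing dot.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strncasecmp: DNS names compare case-insensitively */

/* One node per label; the path for "www.example.com" is com -> example -> www. */
struct dn_node {
    char *label;             /* label text, e.g. "example" */
    const char *set_name;    /* nftables set configured for this suffix, or NULL */
    struct dn_node *child;   /* first child (next label to the left) */
    struct dn_node *sibling; /* next node at the same depth */
};

static struct dn_node *node_new(const char *label, size_t len)
{
    struct dn_node *n = calloc(1, sizeof *n);
    if (!n) abort();
    n->label = malloc(len + 1);
    if (!n->label) abort();
    memcpy(n->label, label, len);
    n->label[len] = '\0';
    return n;
}

static struct dn_node *find_child(struct dn_node *parent, const char *label, size_t len)
{
    for (struct dn_node *c = parent->child; c; c = c->sibling)
        if (strlen(c->label) == len && strncasecmp(c->label, label, len) == 0)
            return c;
    return NULL;
}

/* Locate the label ending at *end (exclusive) by scanning left to the previous
 * '.' or the start of the string. Returns 0 when no labels remain. */
static int prev_label(const char *name, size_t *end, size_t *start)
{
    if (*end == 0) return 0;
    size_t s = *end;
    while (s > 0 && name[s - 1] != '.') s--;
    *start = s;
    return 1;
}

struct dn_node *dntree_new(void) { return node_new("", 0); }

/* Register set_name for domain and everything below it. Empty labels
 * (leading/trailing dots) are skipped; an empty domain sets the root,
 * which then matches every name. */
void dntree_add(struct dn_node *root, const char *domain, const char *set_name)
{
    size_t end = strlen(domain), start;
    struct dn_node *cur = root;
    while (prev_label(domain, &end, &start)) {
        size_t len = end - start;
        if (len > 0) {
            struct dn_node *c = find_child(cur, domain + start, len);
            if (!c) { c = node_new(domain + start, len); c->sibling = cur->child; cur->child = c; }
            cur = c;
        }
        if (start == 0) break;
        end = start - 1;
    }
    cur->set_name = set_name;
}

/* Longest-suffix match: the deepest node on the path with a set wins. */
const char *dntree_lookup(struct dn_node *root, const char *name)
{
    size_t end = strlen(name), start;
    struct dn_node *cur = root;
    const char *best = root->set_name;
    while (prev_label(name, &end, &start)) {
        size_t len = end - start;
        if (len > 0) {
            cur = find_child(cur, name + start, len);
            if (!cur) break;                 /* no more specific entry exists */
            if (cur->set_name) best = cur->set_name;
        }
        if (start == 0) break;
        end = start - 1;
    }
    return best;
}

void dntree_free(struct dn_node *n)
{
    while (n) {
        struct dn_node *next = n->sibling;
        dntree_free(n->child);
        free(n->label);
        free(n);
        n = next;
    }
}

/* Constructed sample configuration with hypothetical set names. */
struct dn_node *dntree_build_demo(void)
{
    struct dn_node *t = dntree_new();
    dntree_add(t, "example.com", "ex_v4");
    dntree_add(t, "internal.example.com", "internal_v4");
    dntree_add(t, "org", "org_any");
    return t;
}

int main(void)
{
    struct dn_node *t = dntree_build_demo();
    const char *names[] = { "www.example.com", "host.internal.example.com",
                            "notexample.com", "foo.org", "EXAMPLE.COM.", "localhost" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        const char *set = dntree_lookup(t, names[i]);
        printf("%-28s -> %s\n", names[i], set ? set : "(no set)");
    }
    dntree_free(t);
    return 0;
}
```

Children are kept in a plain linked list here for brevity; with tens of thousands of configured domains a real implementation would index each node's children (a hash table, as the patch notes) so that a lookup stays proportional to the number of labels rather than the number of siblings.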