[Dnsmasq-discuss] DNS TTL && IPSET TIMEOUT

Geert Stappers stappers at stappers.nl
Thu Sep 17 21:01:28 BST 2020 

On Thu, Sep 17, 2020 at 07:06:22AM +0000, Roderick Groesbeek wrote:
> Hi List,
> 
> Ipset supports a concept of 'aging' entries, like:
> ~~
> Examples from ipset(8):
> ipset create test hash:ip timeout 300
> ipset add test 192.168.0.1 timeout 60
> ipset -exist add test 192.168.0.1 timeout 600
> ~~
> 
> Dnsmasq supports a concept of adding entries to ipset
> ~~
> ipset=/.wearetriple.com/p1_afkl_http_https_test
> ~~
> 
> 
> However the timeout functionality is not implemented in the current DNSMASQ implementation.
> Using the DNS TTL as an IPSET TIMEOUT would seem natural...
> 
> 
> 
> Would this be right construct, to support that behavior?

Transform it into a unified patch, to make testing possible.


> ATTR_DATA followed by the IP or TIMEOUT value in the nested construct?
> 
> ~~
>   proto = IPSET_PROTOCOL;
>   add_attr(nlh, IPSET_ATTR_PROTOCOL, sizeof(proto), &proto);
>   add_attr(nlh, IPSET_ATTR_SETNAME, strlen(setname) + 1, setname);
> 
>   nested[0] = (struct my_nlattr *)(buffer + NL_ALIGN(nlh->nlmsg_len));
>   nlh->nlmsg_len += NL_ALIGN(sizeof(struct my_nlattr));
>   nested[0]->nla_type = NLA_F_NESTED | IPSET_ATTR_DATA;
> 
>   nested[1] = (struct my_nlattr *)(buffer + NL_ALIGN(nlh->nlmsg_len));
>   nlh->nlmsg_len += NL_ALIGN(sizeof(struct my_nlattr));
>   nested[1]->nla_type = NLA_F_NESTED | IPSET_ATTR_IP;
>   add_attr(nlh,
>            (af == AF_INET ? IPSET_ATTR_IPADDR_IPV4 : IPSET_ATTR_IPADDR_IPV6) | NLA_F_NET_BYTEORDER,
>            addrsz, ipaddr);
> 
>   nested[2] = (struct my_nlattr *)(buffer + NL_ALIGN(nlh->nlmsg_len));
>   nlh->nlmsg_len += NL_ALIGN(sizeof(struct my_nlattr));
>   nested[2]->nla_type = NLA_F_NESTED | IPSET_ATTR_DATA;
> 
>   nested[3] = (struct my_nlattr *)(buffer + NL_ALIGN(nlh->nlmsg_len));
>   nlh->nlmsg_len += NL_ALIGN(sizeof(struct my_nlattr));
>   nested[3]->nla_type = NLA_F_NESTED | IPSET_ATTR_TIMEOUT;
>   add_attr(nlh, IPSET_ATTR_TIMEOUT | NLA_F_NET_BYTEORDER,  sizeof(attl), &attl);
> 
>   nested[3]->nla_len = (void *)buffer + NL_ALIGN(nlh->nlmsg_len) - (void *)nested[3];
>   nested[2]->nla_len = (void *)buffer + NL_ALIGN(nlh->nlmsg_len) - (void *)nested[2];
>   nested[1]->nla_len = (void *)buffer + NL_ALIGN(nlh->nlmsg_len) - (void *)nested[1];
>   nested[0]->nla_len = (void *)buffer + NL_ALIGN(nlh->nlmsg_len) - (void *)nested[0];
> 
>   while (retry_send(sendto(ipset_sock, buffer, nlh->nlmsg_len, 0,
>                            (struct sockaddr *)&snl, sizeof(snl))));
> ~~
> 
> sendto(3, {{len=88, type=NFNL_SUBSYS_IPSET<<8|IPSET_CMD_ADD, flags=NLM_F_REQUEST, seq=0, pid=0}, {nfgen_family=AF_INET, version=NFNETLINK_V0, res_id=htons(0), [{{nla_len=5, nla_type=NFNETLINK_V1}, "\x06"}, {{nla_len=28, nla_type=0x2}, "\x70\x31\x5f\x61\x66\x6b\x6c\x5f\x68\x74\x74\x70\x5f\x68\x74\x74\x70\x73\x5f\x74\x65\x73\x74\x00"}, {{nla_len=32, nla_type=NLA_F_NESTED|0x7}, "\x1c\x00\x01\x80\x08\x00\x01\x40\x5d\xbb\x0d\xc8\x10\x00\x06\x80\x0c\x00\x06\x40\x0e\x00\x00\x00\x00\x00\x00\x00"}]}, 88, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 88
> 
> 
> Met vriendelijke groet / Best regards,
> 
> Roderick Groesbeek


Groeten
Geert Stappers
-- 
Silence is hard to parse

More information about the Dnsmasq-discuss mailing list