[Dnsmasq-discuss] [PATCH 0/3] ipset: Add Netfilter IPSet Support to DNSMasq

Jason A. Donenfeld Jason at zx2c4.com
Sat Feb 16 04:36:45 GMT 2013


Services like YouTube and Netflix use tons of ranges of IP addresses
that fluctuate wildly and aren't predictable. However, they're always
from a given subdomain using DNS, like *.c.youtube.com. I'd like to
have firewall rules for these IP addresses -- route them over this
interface, that interface, rate limit them like this, or that, etc. An
efficient way to do this is by adding IP addresses to a netfilter
ipset and using iptables' ipset match support. With services that use
lots of IPs spread out over ranges but instead use DNS, the only way
to do this is to have the DNS forwarder add the resolved IPs to an
ipset before returning the IP to the client.

This series of patches adds an --ipset option to dnsmasq which adds
resolved IPs for specified domains to a given list of ipsets using
netlink on newer kernels and setsockopt on older kernels.

    --ipset=/google.com/yahoo.com/search,vpn

That option will add all resolved IPs for Google and Yahoo domains and
subdomains to two ipsets -- "search" and "vpn". (Sub)-domain matching is
conducted in the same way as with --address.

    --ipset=resolved
    --ipset=/#/resolved

These two options are identical. They each add all resolved domains to
the "resolved" ipset.

If this mailing list post becomes stale, the latest series of patches
may be found at <http://git.zx2c4.com/dnsmasq-ipset>.

Jason A. Donenfeld (3):
  ipset: Integrate ipset.c into build system.
  ipset: Parse new --ipset option and match domains in forward.c
  ipset: Update man page and example config to reflect new option.

 Makefile             |   5 +-
 dnsmasq.conf.example |   4 ++
 man/dnsmasq.8        |   6 +++
 src/config.h         |   6 +++
 src/dnsmasq.h        |  17 +++++-
 src/forward.c        |  20 ++++++-
 src/ipset.c          | 143 +++++++++++++++++++++++++++++++++++++++++++++++++++
 src/option.c         |  64 +++++++++++++++++++++++
 src/rfc1035.c        |  14 ++++-
 9 files changed, 274 insertions(+), 5 deletions(-)
 create mode 100644 src/ipset.c

-- 
1.8.1.2
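To make the option syntax described in the cover letter concrete, here is a small reference model of the --ipset argument parsing and domain matching. It is an added illustration, not code from the patch series or from dnsmasq itself; it assumes, as the post says for --address, that a name matches an entry for the domain itself or any of its subdomains, and that when several entries match, the most specific (longest) domain decides which ipsets receive the addresses.

```python
from dataclasses import dataclass

@dataclass
class IpsetRule:
    domain: str     # "" stands for the "#" form, which matches every name
    ipsets: list    # ipset names the resolved addresses are added to

def parse_ipset_option(value):
    """Parse one --ipset argument into IpsetRule entries.

    Accepted forms (from the cover letter):
      /google.com/yahoo.com/search,vpn   domains followed by ipset list
      /#/resolved                        "#" matches all domains
      resolved                           bare name, same as /#/resolved
    """
    if not value.startswith("/"):
        return [IpsetRule("", value.split(","))]
    parts = value.split("/")
    # parts[0] is the empty string before the leading "/", the last part is the set list
    domains, sets = parts[1:-1], parts[-1].split(",")
    if not domains or not all(sets):
        raise ValueError(f"malformed --ipset argument: {value!r}")
    return [IpsetRule("" if d == "#" else d.lower().strip("."), sets) for d in domains]

def domain_matches(rule_domain, name):
    """True if name equals rule_domain or is a subdomain of it."""
    if rule_domain == "":
        return True
    return name == rule_domain or name.endswith("." + rule_domain)

def ipsets_for(rules, name):
    """Return the ipsets that a resolved name's addresses should be added to.

    Assumption (modelled on --address): the longest matching domain wins,
    so /mail.google.com/ takes precedence over /google.com/ which in turn
    takes precedence over the catch-all "#" entry.
    """
    name = name.lower().rstrip(".")
    best = None
    for rule in rules:
        if domain_matches(rule.domain, name):
            if best is None or len(rule.domain) > len(best.domain):
                best = rule
    return list(best.ipsets) if best else []

if __name__ == "__main__":
    rules = (parse_ipset_option("/google.com/yahoo.com/search,vpn")
             + parse_ipset_option("/mail.google.com/mail")
             + parse_ipset_option("resolved"))
    for n in ("www.google.com", "mail.google.com.", "example.org", "notgoogle.com"):
        print(n, "->", ipsets_for(rules, n))
```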
