[Dnsmasq-discuss] Proposal and sample code: actions replacing ipsets??

Lee Essen lee.essen at nowonline.co.uk
Wed Jan 22 16:46:04 GMT 2014


On 18 Jan 2014, at 20:59, Lee Essen <lee.essen at nowonline.co.uk> wrote:

> Hi,
> 
> I’ve been a long-time user of the ipset functionality of dnsmasq, which has been fantastic for selective domain-based routing using iptables. Recently I’ve been looking at using a different device to handle my routing, separate from the dnsmasq instance … obviously that makes it difficult to make use of the ipsets.
> 
> Specifically I’m looking at a MikroTik device which can maintain its own lists (I’m sure it’s really ipsets under the covers.) In the same way as iptables, it can build “lists” based on the src or dst address of incoming packets.
> 
> I started to look at adjusting the ipset code so that rather than adding to sets, it would send a UDP packet to a given address but with a src address matching the address that would have been added to the ipset … in that way you can match specific UDP packets on a different machine and use that to build the “list”, thus allowing the dnsmasq instance to be separate from your firewall.
> 
> In the process of trying to modify the code it was easier to add a more generic “action” concept than to add individual support for UDP sending. Plus you might want to do other things as well … potentially run a script/lua etc.? (obviously with performance considered.)
> 
> So, I have put together a patch that changes the ipset functionality into “action”, where you can specify either ipset or udp as an action.
> [lots deleted]

I’ve had a bit of a rethink on this, and I am now of the opinion that it’s much clearer to just implement the UDP capability as a separate option rather than trying to create a generic action-type capability.

So I’ve had another go; this time I think I’ve done a bit better a job. Obviously it’s just a suggestion, but it does demonstrate how it could work…

This time it’s against trunk (c5f4ec7d231294b1abf4178e9fe5a6b497e0a5eb), and I’ve included as much IPv6 support as I can muster: the config will take IPv6 addresses, but I haven’t actually written the bit to send forged IPv6 UDP packets yet; I need to create a test environment before I can really play with that.

This one adds a name to address mapping:

udp-send-dest=<name>@<ip4-address>:<port>[,<ipv6-address>:<port>]    (where ipv6-address needs to be surrounded by square brackets)

… the udp-send-dest option accepts one or both addresses, in any order. The intention is that it will send IPv4 matches to the IPv4 address and IPv6 matches to the IPv6 address … if they are specified, and once the code is written for IPv6!

Then…

udp-send=/<domain>/<domain>/<…>/<dest>

For example:

udp-send-dest=vpn-clear@192.168.1.2:3000
udp-send-dest=vpn-secure@192.168.1.2:3001

udp-send=/google.com/google.co.uk/vpn-clear
udp-send=/somethingsecret.com/vpn-secure

The config dest names are resolved once all the config is read, so there are no order dependencies.

Anyway … patch attached … more to see if it’s a viable concept than anything else. That said, I’m using it on OpenWRT, and it’s working really well so far.

Regards,

Lee.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 120-udp-send.patch
Type: application/octet-stream
Size: 14287 bytes
Desc: not available
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20140122/16b53da6/attachment-0001.obj>
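To make the proposed option syntax concrete, here is an added example (not code from the post, the attached patch, or dnsmasq itself) that parses udp-send-dest / udp-send lines as described above, resolves dest names only after the whole config has been read (so udp-send may appear before its udp-send-dest), and decides, for one resolved answer, which forged-source UDP packet(s) would be emitted: IPv4 answers go to the dest's IPv4 address and IPv6 answers to its IPv6 address, with nothing sent when the dest has no address of that family. Domain matching follows dnsmasq's usual convention of matching a domain and its subdomains. All function and class names, the requirement that unbracketed addresses be IPv4, and the sample config are assumptions for illustration; the example stops at computing (source, destination, port) triples and does not send raw packets.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical model of the proposed options; not dnsmasq's own structures.


@dataclass
class Dest:
    name: str
    v4: Optional[Tuple[str, int]] = None  # (address, port) for IPv4 answers
    v6: Optional[Tuple[str, int]] = None  # (address, port) for IPv6 answers


@dataclass
class Config:
    dests: Dict[str, Dest] = field(default_factory=dict)
    rules: List[Tuple[List[str], str]] = field(default_factory=list)  # (domains, dest name)


def parse_dest_option(value: str) -> Dest:
    """Parse '<name>@<ip4>:<port>[,[<ip6>]:<port>]' (either family, any order)."""
    name, _, rest = value.partition("@")
    if not name or not rest:
        raise ValueError("udp-send-dest needs <name>@<address>:<port>")
    dest = Dest(name=name)
    for item in rest.split(","):
        item = item.strip()
        bracketed = item.startswith("[")
        if bracketed:
            host, _, port = item[1:].partition("]:")   # [v6]:port
        else:
            host, _, port = item.rpartition(":")       # v4:port
        if not host or not port:
            raise ValueError(f"bad address/port in udp-send-dest: {item!r}")
        ip = ipaddress.ip_address(host)
        port_num = int(port)
        if not 0 < port_num < 65536:
            raise ValueError(f"bad port in udp-send-dest: {port!r}")
        # Brackets disambiguate IPv6 literals (which contain ':') from the port.
        if bracketed != (ip.version == 6):
            raise ValueError(f"IPv6 addresses must be bracketed: {item!r}")
        family = "v6" if ip.version == 6 else "v4"
        if getattr(dest, family) is not None:
            raise ValueError(f"duplicate {family} address for dest {name!r}")
        setattr(dest, family, (str(ip), port_num))
    return dest


def parse_config(lines: List[str]) -> Config:
    """Collect udp-send-dest and udp-send lines; resolve dest names at the end."""
    cfg = Config()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key == "udp-send-dest":
            dest = parse_dest_option(value)
            if dest.name in cfg.dests:
                raise ValueError(f"duplicate udp-send-dest name {dest.name!r}")
            cfg.dests[dest.name] = dest
        elif key == "udp-send":
            parts = value.split("/")                   # '/a/b/dest' -> ['', 'a', 'b', 'dest']
            if len(parts) < 3 or parts[0] != "" or not parts[-1]:
                raise ValueError(f"udp-send needs /<domain>/.../<dest>: {value!r}")
            domains = [p.lower().rstrip(".") for p in parts[1:-1]]
            cfg.rules.append((domains, parts[-1]))
        # Any other dnsmasq option is ignored by this illustration.
    # Resolution happens only now, so option order in the file does not matter.
    for _, dest_name in cfg.rules:
        if dest_name not in cfg.dests:
            raise ValueError(f"udp-send refers to unknown dest {dest_name!r}")
    return cfg


def domain_matches(qname: str, domain: str) -> bool:
    """dnsmasq-style match: the domain itself or any subdomain, on a label boundary."""
    qname = qname.lower().rstrip(".")
    return qname == domain or qname.endswith("." + domain)


def targets_for_answer(cfg: Config, qname: str, answer_ip: str) -> List[Tuple[str, str, int]]:
    """(forged source, destination, port) triples for one resolved address."""
    ip = ipaddress.ip_address(answer_ip)
    out = []
    for domains, dest_name in cfg.rules:
        if any(domain_matches(qname, d) for d in domains):
            dest = cfg.dests[dest_name]
            target = dest.v4 if ip.version == 4 else dest.v6
            if target is not None:                     # no address for this family: skip
                out.append((str(ip), target[0], target[1]))
    return out


# Constructed sample config (udp-send deliberately listed before udp-send-dest).
SAMPLE_CONFIG = """
udp-send=/google.com/google.co.uk/vpn-clear
udp-send=/somethingsecret.com/vpn-secure
udp-send-dest=vpn-clear@192.168.1.2:3000,[2001:db8::2]:3000
udp-send-dest=vpn-secure@192.168.1.2:3001
""".splitlines()

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(targets_for_answer(cfg, "www.google.com", "142.250.74.36"))
```

Two points a practitioner should keep in mind when deploying the real thing: the firewall builds its list from nothing more than the source address of a packet arriving on that port, so the receiving rule should be pinned to the interface (and ideally the L2 address) of the dnsmasq host, otherwise any host that can reach the port with a spoofed source can add arbitrary addresses to the list; and forged-source packets will be dropped by any anti-spoofing (uRPF-style) filtering between dnsmasq and the firewall, so the two need to share a segment where such filtering is not applied.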

