[Dnsmasq-discuss] [PATCH] Add nftables set support

Petr Menšík pemensik at redhat.com
Sat Sep 25 10:36:50 UTC 2021


On 9/25/21 09:04, john doe wrote:
> On 9/25/2021 12:06 AM, Simon Kelley wrote:
>> On 22/08/2021 13:57, Chen Zhenge via Dnsmasq-discuss wrote:
>>> Hi all,
>>>
>>>
>>> I am trying to switch my firewall setup from iptables to nftables. One
>>> of the remaining parts that still doesn't support it is dnsmasq, so I
>>> wrote a patch to allow adding IP addresses to nftables sets in addition
>>> to ipsets.
>>>
>>>
>>> This patch adds a new option --nftset, which is the same as --ipset
>>> except that it adds IP address to a given nftables set. It uses
>>> libnftables to perform the operations.
>>>
>>>
>>> I've done some testing on my PC and found no issues so far. The
>>> implementation shares most of its code with ipset so it should be easy
>>> to review. Please let me know if you have found a bug or need something
>>> else.
>>>
>>>
>>> Best,
>>>
>>> Chen Zhenge
>>>
>>
>> OK, this got back to the top of the list, for 2.87, as I promised.
>>
>> One problem is that nft sets can hold either IPv4 or IPv6 addresses, but
>> not both, so do we need some sort of syntax to specify if a particular
>> set should be for IPv4 or IPv6 addresses? Or have I misunderstood?
>>
>
> The mandatory 'type' of the set will determine if IPv4/v6 is used (1).

Which means we need to have different set name for IPv4 and different
for IPv6. Which is not required on ipsets.

I would propose similar approach to auth-server. Allow :4 suffix for
IPv4 only list and :6 for IPv6 only list. If not specified, append 4 to
set name for IPv4 addresses and 6 for IPv6 addresses.

--nftset=/example.net/exset would add A addresses from example.net to
exset4, AAAA addresses to exset6.

--nftset=/example.org/exset:4 would add only A addresses to exset.

Because / is used as domain delimiter, : may be used to specify family.
Which would mean separate names for each family would have to be stored.
extract_addresses() would need separate lists for both families or flag
indication. Complicates things further. I think it should try to verify
given set exist on the start, failing hard if no such list existed at
time of start. Useful since we would generate two names from single
given on command line. And logging error before it can fail on query
resolution. Perhaps localhost address could be added and removed on init
as a test it works?

Just my 2 cents.

Cheers,
Petr

>
>
> 1)
> https://wiki.nftables.org/wiki-nftables/index.php/Sets#Named_sets_specifications
>
>
> -- 
> John Doe
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
>
-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB




More information about the Dnsmasq-discuss mailing list