[Dnsmasq-discuss] dnsmasq v2.87 --nftset and DNS reply race condition
Alain Ducharme
alain_ducharme at hotmail.com
Mon Jan 31 14:24:47 UTC 2022
Hello,
With: dnsmasq v2.87test5 running on localhost (Debian 11 bullseye PC).
Trying: to use --nftset option to implement an allowlist outbound firewall with nftables.
Result: when an application performs a DNS lookup prior to establishing an outbound connection, most of the time on my PC (but not always) the nft `add element` happens too late; therefore the outbound rules using the nft `ip daddr @set` do not work.
To be clear: the IP addresses do get correctly added to the nft set(s), but only after the application has received a DNS reply from dnsmasq and already attempted a connection and failed.
The problem: appears to be that nftset and DNS reply run concurrently (forks); despite `add_to_nftset()` in `nftset.c` technically being called first, the reply on my PC happens before the nft set is updated in the kernel (nftables can be relatively slow). (Perhaps it might work better on a router due to network latency.)
Tested: at first I was hypothesizing that perhaps calls to `nft_ctx_output_set_flags(ctx, NFT_CTX_OUTPUT_ECHO);` and `nft_ctx_get_output_buffer(ctx)` in `nftset.c` might be required to wait for the set elements to be committed to the kernel (man libnftables), but that did not help. I added a `sleep(5);` in `nftset.c` just to see, and that confirmed dnsmasq does not wait for `add_to_nftset` to finish before sending a DNS reply to the client (it was instantaneous).
The question is: would it be possible to have the DNS reply occur only after `add_to_nftset` has fully completed?
Thank you.
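As an added illustration (not part of the original post or of dnsmasq), the allowlist setup described above together with a check that reproduces the observation: resolve through the local dnsmasq, then immediately look for the address in the set. Table, set and chain names, the test domain, and the exact `nftset=` syntax are assumptions to verify against the local man page.

```shell
#!/bin/sh
# Added example, not from the original post. Table/set/chain names and the
# test domain are assumptions; adjust to your ruleset.

# Outbound allowlist: drop everything except established flows, loopback, DNS
# itself, and destinations dnsmasq has pushed into @allowlist via --nftset.
NFT_RULESET='
table inet filter {
    set allowlist {
        type ipv4_addr
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oifname "lo" accept
        udp dport 53 accept
        tcp dport 53 accept
        ip daddr @allowlist accept
    }
}'
# Matching dnsmasq option (format assumed from the 2.87 man page; verify):
#   nftset=/example.com/4#inet#filter#allowlist

apply_ruleset() { printf '%s\n' "$NFT_RULESET" | nft -f -; }

# Keep only IPv4 A records from `dig +short` output (drops CNAME lines).
a_records() { grep -E '^[0-9]+(\.[0-9]+){3}$'; }

# Succeed if address $1 is among the elements of an `nft list set` dump read
# from stdin: split on ',' and braces, strip whitespace, exact-match a line.
set_has_addr() { tr ',{}' '\n\n\n' | tr -d ' \t' | grep -qxF "$1"; }

# Reproduce the post's observation: resolve via the local dnsmasq, then
# immediately inspect the set. A miss means the reply beat the nft update.
check_race() {
    domain=$1
    addr=$(dig +short "$domain" @127.0.0.1 | a_records | head -n 1)
    [ -n "$addr" ] || { echo "no A record for $domain" >&2; return 2; }
    if nft list set inet filter allowlist | set_has_addr "$addr"; then
        echo "ok: $addr present in allowlist right after reply"
    else
        echo "RACE: $addr not in allowlist right after reply"; return 1
    fi
}

# Usage (as root, with dnsmasq running and the nftset line above configured):
#   apply_ruleset && check_race example.com
```

Running `check_race` in a loop against several names gives a rough hit rate for the race on a given machine.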