dnsmasq: Support nftables nftsets

Add build option for nftables sets. By default disable iptables ipset
support.  By default enable nftable nftset support since this is what
fw4 uses.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
dnsmasq: nftset: serve from ipset config

Use existing ipset configs as source for nftsets to be compatible with
existing configs. As the OS can either have iptables XOR nftables
support, it's fine to provide both to dnsmasq. dnsmasq will silently
fail for the present one. Depending on the dnsmasq compile time options,
the ipsets or nftsets option will not be added to the dnsmasq config
file.

dnsmasq will try to add the IP addresses to all sets, regardless of the
IP version defined for the set. Adding an IPv6 to an IPv4 set and vice
versa will silently fail.

Signed-off-by: Mathias Kresin <dev@kresin.me>
dnsmasq: support populating nftsets in addition to ipsets

Tell dnsmasq to populate nftsets instead of ipsets, if firewall4 is present in
the system. Keep the same configuration syntax in /etc/config/dhcp, for
compatibility purposes.

Huge thanks to Jo-Philipp Wich for basically writing the function.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
dnsmasq: obtain nftset ip family from nft

Unfortunately dnsmasq nft is noisy if an attempt to add a mismatched ip address
family to an nft set is made.

Heuristic to guess which ip family a nft set might belong by inferring
from the set name.

In order of preference:

If setname ends with standalone '4' or '6' use that, else
if setname has '4' or '6' delimited by '-' or '_' use that (eg
foo-4-bar) else
If setname begins with '4' or '6' standalone use that.

By standalone I mean not as part of a larger number eg. 24

If the above fails then use the existing nft set query mechanism and if
that fails, well you're stuffed!

With-thanks-to: Jo-Philipp Wich <jo@mein.io> who improved my regexp
knowledge.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
dnsmasq: specify firewall table for nftset

Permit ipsets to specify an nftables table for the set.  New config
parameter is 'table'.  If not specified the default of 'fw4' is used.

config ipset
	list name 'BK_4,BK_6'
	option table 'dscpclassify'
	option table_family 'ip'
	option family '4'
	list domain 'ms-acdc.office.com'
	list domain 'windowsupdate.com'
	list domain 'update.microsoft.com'
	list domain 'graph.microsoft.com'
	list domain '1drv.ms'
	list domain '1drv.com'

The table family can also be specified, usually 'ip' or 'ip6' else the
default 'inet' capable of both ipv4 & ipv6 is used.

If the table family is not specified then finally a family option is
available to specify either '4' or '6' for ipv4 or ipv6 respectively.

This is all in addition to the existing heuristic that will look in the
nftset name for an ip family clue, or in total desperation, query the
value from the nftset itself.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>

diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile
index e2902ed8753b6e8482707697caeb24ea54a08ef7..d4aa29845012d011783a394953b1dc72b16ec98e 100644 (file)
--- a/package/network/services/dnsmasq/Makefile
+++ b/package/network/services/dnsmasq/Makefile
@@ -30,6 +30,7 @@ PKG_CONFIG_DEPENDS:= CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dhcp \
        CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dnssec \
        CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_auth \
        CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_ipset \
+       CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_nftset \
        CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_conntrack \
        CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_noid \
        CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_broken_rtc \
@@ -61,10 +62,11 @@ endef
 
 define Package/dnsmasq-full
 $(call Package/dnsmasq/Default)
-  TITLE += (with DNSSEC, DHCPv6, Auth DNS, IPset, Conntrack, NO_ID enabled by default)
+  TITLE += (with DNSSEC, DHCPv6, Auth DNS, IPset, Nftset, Conntrack, NO_ID enabled by default)
   DEPENDS+=+PACKAGE_dnsmasq_full_dnssec:libnettle \
        +PACKAGE_dnsmasq_full_ipset:kmod-ipt-ipset \
-       +PACKAGE_dnsmasq_full_conntrack:libnetfilter-conntrack
+       +PACKAGE_dnsmasq_full_conntrack:libnetfilter-conntrack \
+       +PACKAGE_dnsmasq_full_nftset:nftables-json
   VARIANT:=full
   PROVIDES:=dnsmasq
 endef
@@ -83,7 +85,7 @@ define Package/dnsmasq-full/description
 $(call Package/dnsmasq/description)
 
 This is a fully configurable variant with DHCPv4, DHCPv6, DNSSEC, Authoritative DNS
-and IPset, Conntrack support & NO_ID enabled by default.
+and nftset, Conntrack support & NO_ID enabled by default.
 endef
 
 define Package/dnsmasq/conffiles
@@ -109,6 +111,9 @@ define Package/dnsmasq-full/config
                default y
        config PACKAGE_dnsmasq_full_ipset
                bool "Build with IPset support."
+               default n
+       config PACKAGE_dnsmasq_full_nftset
+               bool "Build with Nftset support."
                default y
        config PACKAGE_dnsmasq_full_conntrack
                bool "Build with Conntrack support."
@@ -144,6 +149,7 @@ ifeq ($(BUILD_VARIANT),full)
                $(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dnssec),-DHAVE_DNSSEC) \
                $(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_auth),,-DNO_AUTH) \
                $(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_ipset),,-DNO_IPSET) \
+               $(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_nftset),-DHAVE_NFTSET,) \
                $(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_conntrack),-DHAVE_CONNTRACK,) \
                $(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_noid),-DNO_ID,) \
                $(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_broken_rtc),-DHAVE_BROKEN_RTC) \

diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init
index c4ca3eb2db39d08355ec82904456a54fa8648003..386b47616e7f10a1961443d04e3acb4dc19074b0 100755 (executable)
--- a/package/network/services/dnsmasq/files/dnsmasq.init
+++ b/package/network/services/dnsmasq/files/dnsmasq.init
@@ -33,6 +33,7 @@ dnsmasq_ignore_opt() {
                [ "${dnsmasq_features#* DNSSEC }" = "$dnsmasq_features" ] || dnsmasq_has_dnssec=1
                [ "${dnsmasq_features#* TFTP }" = "$dnsmasq_features" ] || dnsmasq_has_tftp=1
                [ "${dnsmasq_features#* ipset }" = "$dnsmasq_features" ] || dnsmasq_has_ipset=1
+               [ "${dnsmasq_features#* nftset }" = "$dnsmasq_features" ] || dnsmasq_has_nftset=1
        fi
 
        case "$opt" in
@@ -55,6 +56,8 @@ dnsmasq_ignore_opt() {
                        [ -z "$dnsmasq_has_tftp" ] ;;
                ipset)
                        [ -z "$dnsmasq_has_ipset" ] ;;
+               nftset)
+                       [ -z "$dnsmasq_has_nftset" ] ;;
                *)
                        return 1
        esac
@@ -169,10 +172,6 @@ append_address() {
        xappend "--address=$1"
 }
 
-append_ipset() {
-       xappend "--ipset=$1"
-}
-
 append_connmark_allowlist() {
        xappend "--connmark-allowlist=$1"
 }
@@ -796,25 +795,54 @@ dhcp_relay_add() {
 
 dnsmasq_ipset_add() {
        local cfg="$1"
-       local ipsets domains
+       local ipsets nftsets domains
 
        add_ipset() {
                ipsets="${ipsets:+$ipsets,}$1"
        }
 
+       add_nftset() {
+               local IFS=,
+               for set in $1; do
+                       local fam="$family"
+                       [ -n "$fam" ] || fam=$(echo "$set" | sed -nre \
+                               's#^.*[^0-9]([46])$|^.*[-_]([46])[-_].*$|^([46])[^0-9].*$#\1\2\3#p')
+                       [ -n "$fam" ] || \
+                               fam=$(nft -t list set "$table_family" "$table" "$set" 2>&1 | sed -nre \
+                               's#^\t\ttype .*\bipv([46])_addr\b.*$#\1#p')
+
+                       [ -n "$fam" ] || \
+                               logger -t dnsmasq "Cannot infer address family from non-existent nftables set '$set'"
+
+                       nftsets="${nftsets:+$nftsets,}${fam:+$fam#}$table_family#$table#$set"
+               done
+       }
+
        add_domain() {
                # leading '/' is expected
                domains="$domains/$1"
        }
 
+       config_get table "$cfg" table 'fw4'
+       config_get table_family "$cfg" table_family 'inet'
+       if [ "$table_family" = "ip" ] ; then
+               family="4"
+       elif [ "$table_family" = "ip6" ] ; then
+               family="6"
+       else
+               config_get family "$cfg" family
+       fi
+
        config_list_foreach "$cfg" "name" add_ipset
+       config_list_foreach "$cfg" "name" add_nftset
        config_list_foreach "$cfg" "domain" add_domain
 
-       if [ -z "$ipsets" ] || [ -z "$domains" ]; then
+       if [ -z "$ipsets" ] || [ -z "$nftsets" ] || [ -z "$domains" ]; then
                return 0
        fi
 
        xappend "--ipset=$domains/$ipsets"
+       xappend "--nftset=$domains/$nftsets"
 }
 
 dnsmasq_start()
@@ -948,7 +976,6 @@ dnsmasq_start()
        config_list_foreach "$cfg" "server" append_server
        config_list_foreach "$cfg" "rev_server" append_rev_server
        config_list_foreach "$cfg" "address" append_address
-       config_list_foreach "$cfg" "ipset" append_ipset
 
        local connmark_allowlist_enable
        config_get connmark_allowlist_enable "$cfg" connmark_allowlist_enable 0
@@ -1141,7 +1168,6 @@ dnsmasq_start()
        config_foreach filter_dnsmasq ipset dnsmasq_ipset_add "$cfg"
        echo >> $CONFIGFILE_TMP
 
-       echo >> $CONFIGFILE_TMP
        mv -f $CONFIGFILE_TMP $CONFIGFILE
        mv -f $HOSTFILE_TMP $HOSTFILE