Use the existing ipset configs as the source for nftsets, so that existing
configs keep working. Since the OS has either iptables or nftables support
(never both), it is fine to hand both set types to dnsmasq: the one whose
backend is missing on the running system is not usable anyway. Depending on
the dnsmasq compile time options, either the ipsets or the nftsets option is
not added to the dnsmasq config file.
dnsmasq will try to add the IP addresses to all sets, regardless of the
IP version defined for the set. Adding an IPv6 to an IPv4 set and vice
versa will silently fail.
Signed-off-by: Mathias Kresin <dev@kresin.me>
-append_nftset() {
- xappend "--nftset=$1"
-}
-
append_connmark_allowlist() {
xappend "--connmark-allowlist=$1"
}
append_connmark_allowlist() {
xappend "--connmark-allowlist=$1"
}
dnsmasq_ipset_add() {
local cfg="$1"
dnsmasq_ipset_add() {
local cfg="$1"
+ local ipsets nftsets domains
add_ipset() {
ipsets="${ipsets:+$ipsets,}$1"
}
add_ipset() {
ipsets="${ipsets:+$ipsets,}$1"
}
- add_domain() {
- # leading '/' is expected
- domains="$domains/$1"
- }
-
- config_list_foreach "$cfg" "name" add_ipset
- config_list_foreach "$cfg" "domain" add_domain
-
- if [ -z "$ipsets" ] || [ -z "$domains" ]; then
- return 0
- fi
-
- xappend "--ipset=$domains/$ipsets"
-}
-
-dnsmasq_nftset_add() {
- local cfg="$1"
- local nftsets domains
-
- nftsets="${nftsets:+$nftsets,}$1"
+ nftsets="${nftsets:+$nftsets,}inet#fw4#$1"
+ config_list_foreach "$cfg" "name" add_ipset
config_list_foreach "$cfg" "name" add_nftset
config_list_foreach "$cfg" "domain" add_domain
config_list_foreach "$cfg" "name" add_nftset
config_list_foreach "$cfg" "domain" add_domain
- if [ -z "$nftsets" ] || [ -z "$domains" ]; then
+ if [ -z "$ipsets" ] || [ -z "$nftsets" ] || [ -z "$domains" ]; then
+ xappend "--ipset=$domains/$ipsets"
xappend "--nftset=$domains/$nftsets"
}
xappend "--nftset=$domains/$nftsets"
}
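Review bot: The new nftset line `nftsets="${nftsets:+$nftsets,}inet#fw4#$1"` hard-codes the nftables family and table in front of every configured set `name`, so a set that lives in another table (or a name the user already wrote fully qualified) will be silently never populated, and that assumption should be stated next to it, e.g. `# dnsmasq expects family#table#set; the sets dnsmasq fills are assumed to live in fw4's "inet fw4" table`. To my reading of the dnsmasq manual, `--ipset`/`--nftset` values are split on `,` and `/` and the nftset form additionally on `#`, so a UCI `name` containing one of those characters would change how dnsmasq parses the option; if nothing upstream of this function validates set names, a guard such as `case "$1" in *[,/#]*) return 0 ;; esac` at the top of both helpers is cheap. The added `[ -z "$nftsets" ]` test is redundant with `[ -z "$ipsets" ]`, because both lists are built from the same `name` list and are therefore empty together. The rendered hunk does not show the `return 0`/`fi` lines of the new guard, so the branch body is inferred from the removed code.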
config_list_foreach "$cfg" "server" append_server
config_list_foreach "$cfg" "rev_server" append_rev_server
config_list_foreach "$cfg" "address" append_address
config_list_foreach "$cfg" "server" append_server
config_list_foreach "$cfg" "rev_server" append_rev_server
config_list_foreach "$cfg" "address" append_address
- config_list_foreach "$cfg" "nftset" append_nftset
local connmark_allowlist_enable
config_get connmark_allowlist_enable "$cfg" connmark_allowlist_enable 0
local connmark_allowlist_enable
config_get connmark_allowlist_enable "$cfg" connmark_allowlist_enable 0
config_foreach filter_dnsmasq ipset dnsmasq_ipset_add "$cfg"
echo >> $CONFIGFILE_TMP
config_foreach filter_dnsmasq ipset dnsmasq_ipset_add "$cfg"
echo >> $CONFIGFILE_TMP
- echo >> $CONFIGFILE_TMP
- config_foreach filter_dnsmasq nftset dnsmasq_nftset_add "$cfg"
- echo >> $CONFIGFILE_TMP
-
echo >> $CONFIGFILE_TMP
mv -f $CONFIGFILE_TMP $CONFIGFILE
mv -f $HOSTFILE_TMP $HOSTFILE
echo >> $CONFIGFILE_TMP
mv -f $CONFIGFILE_TMP $CONFIGFILE
mv -f $HOSTFILE_TMP $HOSTFILE