From f8250aa5a49a2089c37a786c89c2491939e4096e Mon Sep 17 00:00:00 2001
From: Mathias Kresin
Date: Wed, 4 May 2022 00:04:36 +0200
Subject: [PATCH] dnsmasq: nftset: serve from ipset config
Use existing ipset configs as source for nftsets to be compatible with existing configs. As the OS can either have iptables XOR nftables support, it's fine to provide both to dnsmasq. dnsmasq will silently fail for the present one. Depending on the dnsmasq compile time options, the ipsets or nftsets option will not be added to the dnsmasq config file. dnsmasq will try to add the IP addresses to all sets, regardless of the IP version defined for the set. Adding an IPv6 to an IPv4 set and vice versa will silently fail.
Signed-off-by: Mathias Kresin
---
 .../services/dnsmasq/files/dnsmasq.init | 36 +++----------------
 1 file changed, 5 insertions(+), 31 deletions(-)
diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init
index 2b6ee0bd23..b13f352100 100755
--- a/package/network/services/dnsmasq/files/dnsmasq.init
+++ b/package/network/services/dnsmasq/files/dnsmasq.init
@@ -172,10 +172,6 @@ append_address() {
 xappend "--address=$1"
 }
-append_nftset() {
- xappend "--nftset=$1"
-}
-
 append_connmark_allowlist() {
 xappend "--connmark-allowlist=$1"
 }
@@ -799,33 +795,14 @@ dhcp_relay_add() {
 dnsmasq_ipset_add() {
 local cfg="$1"
- local ipsets domains
+ local ipsets nftsets domains
 add_ipset() {
 ipsets="${ipsets:+$ipsets,}$1"
 }
- add_domain() {
- # leading '/' is expected
- domains="$domains/$1"
- }
-
- config_list_foreach "$cfg" "name" add_ipset
- config_list_foreach "$cfg" "domain" add_domain
-
- if [ -z "$ipsets" ] || [ -z "$domains" ]; then
- return 0
- fi
-
- xappend "--ipset=$domains/$ipsets"
-}
-
-dnsmasq_nftset_add() {
- local cfg="$1"
- local nftsets domains
-
 add_nftset() {
- nftsets="${nftsets:+$nftsets,}$1"
+ nftsets="${nftsets:+$nftsets,}inet#fw4#$1"
 }
 add_domain() {
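Review bot: `add_nftset` hard-codes the `inet#fw4#` family/table prefix and carries no `4#`/`6#` address-family prefix, so each ipset name is mapped to exactly one nft set in fw4's `inet fw4` table and, as the commit message itself notes, dnsmasq will attempt both address families on that set and fail silently on the mismatching one. That assumption deserves a comment where the prefix is built: `# nft sets are looked up in fw4's "inet fw4" table under the ipset name; no 4#/6# prefix, so dnsmasq tries both address families (mismatches fail silently)`. Should the ipset section ever carry a family indication, dnsmasq's `4#`/`6#` prefix would let the init script avoid those silent per-family failures. The body of dnsmasq_ipset_add continues past the end of this hunk.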
@@ -833,13 +810,15 @@ dnsmasq_nftset_add() {
 domains="$domains/$1"
 }
+ config_list_foreach "$cfg" "name" add_ipset
 config_list_foreach "$cfg" "name" add_nftset
 config_list_foreach "$cfg" "domain" add_domain
- if [ -z "$nftsets" ] || [ -z "$domains" ]; then
+ if [ -z "$ipsets" ] || [ -z "$nftsets" ] || [ -z "$domains" ]; then
 return 0
 fi
+ xappend "--ipset=$domains/$ipsets"
 xappend "--nftset=$domains/$nftsets"
 }
@@ -974,7 +953,6 @@ dnsmasq_start()
 config_list_foreach "$cfg" "server" append_server
 config_list_foreach "$cfg" "rev_server" append_rev_server
 config_list_foreach "$cfg" "address" append_address
- config_list_foreach "$cfg" "nftset" append_nftset
 local connmark_allowlist_enable
 config_get connmark_allowlist_enable "$cfg" connmark_allowlist_enable 0
@@ -1167,10 +1145,6 @@ dnsmasq_start()
 config_foreach filter_dnsmasq ipset dnsmasq_ipset_add "$cfg"
 echo >> $CONFIGFILE_TMP
- echo >> $CONFIGFILE_TMP
- config_foreach filter_dnsmasq nftset dnsmasq_nftset_add "$cfg"
- echo >> $CONFIGFILE_TMP
- echo >> $CONFIGFILE_TMP
 mv -f $CONFIGFILE_TMP $CONFIGFILE
 mv -f $HOSTFILE_TMP $HOSTFILE
-- 
2.30.2
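Review bot: The added `[ -z "$nftsets" ]` test in the guard is redundant in practice, because `ipsets` and `nftsets` are both filled from the same `name` list and differ only by the `inet#fw4#` prefix; the only way they can diverge is an empty `name` entry, which leaves `ipsets` untouched but still appends a dangling `inet#fw4#` to `nftsets`, and that case is better rejected inside `add_nftset` than masked by a wider guard. Guarding on the ipset list alone keeps the intent visible: `if [ -z "$ipsets" ] || [ -z "$domains" ]; then`. Both `--ipset` and `--nftset` are emitted unconditionally in this hunk, while the commit message says one of them is omitted depending on dnsmasq's compile-time options; that gate is not visible here, so a one-line comment above the two `xappend` calls naming where it lives (presumably in `xappend` or its caller — to be confirmed) would spare the next reader a search. The function's head, including the `add_nftset` definition, lies in the previous hunk.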