From patchwork Thu Sep 2 05:57:11 2021
X-Patchwork-Submitter: Etan Kissling
X-Patchwork-Id: 1523485
X-Patchwork-Delegate: hauke@hauke-m.de
From: Etan Kissling
To: "openwrt-devel@lists.openwrt.org"
CC: Kevin Darbyshire-Bryant
Subject: [PATCH v12 2/2] dnsmasq: add config option for connmark DNS filtering
Date: Thu, 2 Sep 2021 05:57:11 +0000

This adds uci support to configure connmark based DNS filtering.

Signed-off-by: Etan Kissling
(imported from upstream mailing list https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q2/015151.html)
Signed-off-by: Etan Kissling
---
v2: Bundle with patch to update dnsmasq.
v8: Update commit message to clarify multiple signed-off-by lines.

 package/network/services/dnsmasq/files/dnsmasq.init | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init index 205bfb4cf6..9748c09b8e 100644 --- a/package/network/services/dnsmasq/files/dnsmasq.init 
+++ b/package/network/services/dnsmasq/files/dnsmasq.init @@ -173,6 +173,10 @@ append_ipset() { xappend "--ipset=$1" } +append_connmark_allowlist() { + xappend "--connmark-allowlist=$1" +} + append_interface() { network_get_device ifname "$1" || ifname="$1" xappend "--interface=$ifname" @@ -938,6 +942,14 @@ dnsmasq_start() config_list_foreach "$cfg" "rev_server" append_rev_server config_list_foreach "$cfg" "address" append_address config_list_foreach "$cfg" "ipset" append_ipset + + local connmark_allowlist_enable + config_get connmark_allowlist_enable "$cfg" connmark_allowlist_enable 0 + [ "$connmark_allowlist_enable" -gt 0 ] && { + append_parm "$cfg" "connmark_allowlist_enable" "--connmark-allowlist-enable" + config_list_foreach "$cfg" "connmark_allowlist" append_connmark_allowlist + } + [ -n "$BOOT" ] || { config_list_foreach "$cfg" "interface" append_interface config_list_foreach "$cfg" "notinterface" append_notinterface
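Review bot: In the first hunk, `append_connmark_allowlist()` hands each uci list entry to dnsmasq verbatim as `--connmark-allowlist=$1`, and nothing in the init script documents or checks what an entry should look like. Since these entries decide which DNS names a marked connection may resolve, a short comment above the function stating the expected value format would make a mistyped entry easier to spot in review; as written, the script itself will pass along whatever string is in the config, exactly as `append_ipset()` does.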
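Review bot: In the `dnsmasq_start()` hunk, the guard `[ "$connmark_allowlist_enable" -gt 0 ]` treats the uci value as a decimal integer, so a non-numeric setting such as `true` or `on` makes the test fail with a shell error, the block is skipped, and the configured `connmark_allowlist` entries are never passed to dnsmasq. For a filtering control that is a fail-open path worth closing: validate the value before the comparison and log when it is rejected, or at least note beside the `config_get` that the option expects a number, given that the same option is then forwarded through `append_parm` as `--connmark-allowlist-enable`. It would also help to say in a comment that `connmark_allowlist` entries are ignored while the enable option is left at its default of 0.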