From patchwork Fri Jun 25 07:50:59 2021
X-Patchwork-Submitter: Etan Kissling
X-Patchwork-Id: 1497006
From: Etan Kissling
To: "openwrt-devel@lists.openwrt.org"
Subject: [PATCH 1/2 v2] dnsmasq: Update to version 2.86test3
Date: Fri, 25 Jun 2021 07:50:59 +0000

Need this version to add config option for connmark DNS filtering.

Summary of upstream CHANGELOG:
* Handle DHCPREBIND requests in the DHCPv6 server code.
* Fix bug which caused dnsmasq to lose track of processes forked.
* Major rewrite of the DNS server and domain handling code.
* Revise resource handling for number of concurrent DNS queries.
* Improve efficiency of DNSSEC.
* Connection track mark based DNS query filtering.

Signed-off-by: Etan Kissling
---
 package/network/services/dnsmasq/Makefile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile index 90a81b5f65..53080cb95b 100644 --- a/package/network/services/dnsmasq/Makefile +++ b/package/network/services/dnsmasq/Makefile
@@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dnsmasq -PKG_UPSTREAM_VERSION:=2.85 +PKG_UPSTREAM_VERSION:=2.86test3 PKG_VERSION:=$(subst test,~~test,$(subst rc,~rc,$(PKG_UPSTREAM_VERSION))) PKG_RELEASE:=$(AUTORELEASE) PKG_SOURCE:=$(PKG_NAME)-$(PKG_UPSTREAM_VERSION).tar.xz -PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq -PKG_HASH:=ad98d3803df687e5b938080f3d25c628fe41c878752d03fbc6199787fee312fa +PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/test-releases +PKG_HASH:=0d0b465db89390e9f518f1239dec88b458c84489e7fd38586af6a5781f85e7db PKG_LICENSE:=GPL-2.0 PKG_LICENSE_FILES:=COPYING
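
Review bot: PKG_UPSTREAM_VERSION:=2.86test3 together with the new PKG_SOURCE_URL under /test-releases makes a pre-release the packaged dnsmasq version in the Makefile of patch 1/2, and the commit message gives only the follow-up feature as the reason. Please state whether this is meant to be merged as is or to wait for the 2.86 release, since PKG_SOURCE_URL and PKG_HASH would have to change again at that point. The source URL also stays on plain http://, which leaves PKG_HASH as the only integrity check on the downloaded tarball, so the new hash should be confirmed against an independently obtained copy of the upstream archive before merging.
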
From patchwork Sat Jun 26 12:11:49 2021
X-Patchwork-Submitter: Etan Kissling
X-Patchwork-Id: 1497614
From: Etan Kissling
To: "openwrt-devel@lists.openwrt.org"
Subject: [PATCH v3 2/2] dnsmasq: add config option for connmark DNS filtering
Date: Sat, 26 Jun 2021 12:11:49 +0000

This adds uci support to configure connmark based DNS filtering.

Signed-off-by: Etan Kissling
(See https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q2/015151.html)
Signed-off-by: Etan Kissling
---
v2: Bundle with patch to update dnsmasq to 2.86test3.

 package/network/services/dnsmasq/files/dnsmasq.init | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init index 44e7d2d4f9..3e06218a43 100644 --- a/package/network/services/dnsmasq/files/dnsmasq.init +++ b/package/network/services/dnsmasq/files/dnsmasq.init
@@ -172,6 +172,10 @@ append_ipset() { xappend "--ipset=$1" } +append_connmark_allowlist() { + xappend "--connmark-allowlist=$1" +} + append_interface() { network_get_device ifname "$1" || ifname="$1" xappend "--interface=$ifname" @@ -913,6 +917,14 @@ dnsmasq_start() config_list_foreach "$cfg" "rev_server" append_rev_server config_list_foreach "$cfg" "address" append_address config_list_foreach "$cfg" "ipset" append_ipset + + local connmark_allowlist_enable + config_get connmark_allowlist_enable "$cfg" connmark_allowlist_enable 0 + [ "$connmark_allowlist_enable" -gt 0 ] && { + append_parm "$cfg" "connmark_allowlist_enable" "--connmark-allowlist-enable" + config_list_foreach "$cfg" "connmark_allowlist" append_connmark_allowlist + } + [ -n "$BOOT" ] || { config_list_foreach "$cfg" "interface" append_interface config_list_foreach "$cfg" "notinterface" append_notinterface
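
Review bot: append_connmark_allowlist() in the first hunk of dnsmasq.init forwards each connmark_allowlist list entry unchanged into --connmark-allowlist=$1, and neither the patch nor the commit message says what an entry is expected to look like. Please describe the entry format in the commit message (the linked dnsmasq-discuss post is the only reference) so that a malformed entry can be recognised in review and in bug reports rather than only when dnsmasq parses its command line.
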
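
Review bot: in the dnsmasq_start() hunk, [ "$connmark_allowlist_enable" -gt 0 ] treats the option as an integer, yet the same option is then forwarded by append_parm to --connmark-allowlist-enable, so it carries a value rather than an on/off flag despite its name. Any setting that -gt cannot evaluate as an integer makes the test fail, and because config_list_foreach "$cfg" "connmark_allowlist" sits inside the same block, every configured allowlist entry is dropped along with the enable switch and DNS filtering is not applied. Suggest documenting the accepted values for connmark_allowlist_enable, and validating the value or logging a warning when connmark_allowlist entries exist but the enable option is 0, unset or unparsable. The option is also read twice (config_get, then again inside append_parm); reusing the value already in connmark_allowlist_enable would be tidier.
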