From patchwork Sat Jun 26 23:26:19 2021
X-Patchwork-Submitter: Etan Kissling
X-Patchwork-Id: 1497664
From: Etan Kissling
To: "openwrt-devel@lists.openwrt.org"
CC: Kevin Darbyshire-Bryant
Subject: [PATCH v4 2/2] dnsmasq: add config option for connmark DNS filtering
Date: Sat, 26 Jun 2021 23:26:19 +0000

This adds uci support to configure connmark based DNS filtering.

Signed-off-by: Etan Kissling
(See https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q2/015151.html)
Signed-off-by: Etan Kissling
---
v2: Bundle with patch to update dnsmasq to 2.86test3.

package/network/services/dnsmasq/files/dnsmasq.init | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init index 44e7d2d4f9..3e06218a43 100644 --- a/package/network/services/dnsmasq/files/dnsmasq.init +++ b/package/network/services/dnsmasq/files/dnsmasq.init
@@ -172,6 +172,10 @@ append_ipset() { xappend "--ipset=$1" } +append_connmark_allowlist() { + xappend "--connmark-allowlist=$1" +} + append_interface() { network_get_device ifname "$1" || ifname="$1" xappend "--interface=$ifname" @@ -913,6 +917,14 @@ dnsmasq_start() config_list_foreach "$cfg" "rev_server" append_rev_server config_list_foreach "$cfg" "address" append_address config_list_foreach "$cfg" "ipset" append_ipset + + local connmark_allowlist_enable + config_get connmark_allowlist_enable "$cfg" connmark_allowlist_enable 0 + [ "$connmark_allowlist_enable" -gt 0 ] && { + append_parm "$cfg" "connmark_allowlist_enable" "--connmark-allowlist-enable" + config_list_foreach "$cfg" "connmark_allowlist" append_connmark_allowlist + } + [ -n "$BOOT" ] || { config_list_foreach "$cfg" "interface" append_interface config_list_foreach "$cfg" "notinterface" append_notinterface
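
Review bot: append_connmark_allowlist() in the first hunk forwards each connmark_allowlist list entry to xappend as "--connmark-allowlist=$1" with no check on the value, and nothing in the patch documents what an entry should look like. A short comment above the function stating the expected entry syntax, plus rejecting and logging an empty value, would make a misconfigured list visible instead of handing a malformed option to dnsmasq.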
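
Review bot: in the dnsmasq_start() hunk, the guard [ "$connmark_allowlist_enable" -gt 0 ] does an integer comparison on a value read from uci, so any value the shell cannot parse as a decimal integer makes the test fail, the block is skipped, and neither --connmark-allowlist-enable nor any --connmark-allowlist option is appended. Because this gates a filtering feature, validate the value before the comparison and log when it is rejected, so a typo does not quietly start dnsmasq without the filter. The option is also named like a boolean while its value is passed on through append_parm to --connmark-allowlist-enable; the accepted values should be stated in the commit message or in a comment next to the config_get.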