Discussion:
[Dnsmasq-discuss] Using nftables internal "ipset" rule
Ronaldo Afonso
2016-04-28 21:29:22 UTC
Hi,

I'm using the "ipset" feature of dnsmasq with iptables and it's working
perfectly.

The thing is ... now I need to change my firewall to nftables and I just
found that nftables is not able to access an "external ipset set".
nftables has its own kind of "internal ipset set of rules".

I know that dnsmasq uses a netlink socket to insert ipset rules inside
the Linux kernel netfilter subsystem.

So I was wondering if it is so complicated to use that same netlink
socket to include "dnsmasq ipset rules" directly in the "nftables rule set"
instead of in an "external ipset set".

Something like this: nft add element filter ip_writelist { some_ip_address }

Of course the "nftable ipset rule" must already be created. Just like an
external ipset rule.

Would it be a nice feature since nftables seems to be far from supporting
an external ipset rule?

Thanks ...
--
Ronaldo Afonso
11 9 5252 0484
www.ronaldoafonso.com.br
Simon Kelley
2016-05-03 17:07:55 UTC
I think the way to go with this may be to use the libnftnl library.


http://netfilter.org/projects/libnftnl/index.html

Unfortunately, there doesn't appear to be any documentation for that (or
the underlying netlink API).

I guess that the answer to your question is that it would be a good idea
to include nftables support, but it's not trivial to do, and I don't
have the expertise or time to do it at the moment.

If someone knows how to do this, and makes a patch, I'd certainly accept it.


Cheers,

Simon.
Post by Ronaldo Afonso
Hi,
I'm using the "ipset" feature of dnsmasq with iptables and it's working
perfectly.
The thing is ... now I need to change my firewall to nftables and I just
found that nftables is not able to access an "external ipset set".
nftables has its own kind of "internal ipset set of rules".
I know that dnsmasq uses a netlink socket to insert ipset rules inside
the Linux kernel netfilter subsystem.
So I was wondering if it is so complicated to use that same netlink
socket to include "dnsmasq ipset rules" directly in the "nftables rule set"
instead of in an "external ipset set".
Something like this: nft add element filter ip_writelist { some_ip_address }
Of course the "nftable ipset rule" must already be created. Just like an
external ipset rule.
Would it be a nice feature since nftables seems to be far from supporting
an external ipset rule?
Thanks ...
_______________________________________________
Dnsmasq-discuss mailing list
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Jason A. Donenfeld
2017-06-16 17:16:07 UTC
Hey Simon,

Fast forward 5 years from when I wrote the original ipset patch for
dnsmasq, and I too have a need for nftables support with it. Did you
ever figure out how to add nft sets to dnsmasq? If not, maybe I'll
take a stab at it in the next few months.

Jason
David Forrest
2017-06-16 18:55:31 UTC
I've noticed that nftables will be included in the 3.12 kernel, which is not
yet out in my CentOS 7. I'm just a user and anxious for it.

Amicalement,
Dave

Maple Park Development
Linux Systems Integration
http://www.maplepark.com/
--

This message and its attachments are confidential and intended solely for
the use of their addressees. It may also be protected by professional
secrecy. If you receive this message in error, please notify the sender
immediately and destroy it. As the integrity of the message cannot be
guaranteed over the Internet, the Parc de l'érable group cannot be held
liable for the content of this message. Although every effort is made to
keep this transmission free of viruses, the sender gives no warranty in
this regard and cannot be held liable for any damage resulting from a
transmitted virus.
Post by Jason A. Donenfeld
Hey Simon,
Fast forward 5 years from when I wrote the original ipset patch for
dnsmasq, and I too have a need for nftables support with it. Did you
ever figure out how to add nft sets to dnsmasq? If not, maybe I'll
take a stab at it in the next few months.
Jason
_______________________________________________
Dnsmasq-discuss mailing list
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Simon Kelley
2017-06-24 22:23:53 UTC
Post by Jason A. Donenfeld
Hey Simon,
Fast forward 5 years from when I wrote the original ipset patch for
dnsmasq, and I too have a need for nftables support with it. Did you
ever figure out how to add nft sets to dnsmasq? If not, maybe I'll
take a stab at it in the next few months.
Jason
I didn't. Please feel free to look at this.

A thought. Rather than importing another library to access this, could
we do something that runs the command-line tool, and would be easier to
update to the next filtering solution, or the filters in other OSes. It
would be generally more flexible.


so we could have something like ipset, but which just runs an arbitrary
command, (which would be "ipset add ......" for ipset) but could instead
run the nftables utility, or something completely different.


Cheers,

Simon.
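An added example, not code from the thread or from dnsmasq: a POSIX shell sketch of the "run an arbitrary command" hook Simon describes, feeding the nft set Ronaldo shows. The ruleset, the function names (apply_element, build_nft_cmd, is_ipv4), the table/set names and the sample addresses are all assumptions; dnsmasq has no such hook as of this thread. It shows the set being declared before elements can be added (the nftables counterpart of creating the ipset first), and it validates the resolver-supplied address before interpolating it into a command line, because a hook that hands DNS answers to a shell must not trust them.

```shell
#!/bin/sh
# Added example, not dnsmasq code. Sketch of a per-answer command hook
# (hypothetical) that feeds resolved addresses into an nftables set.

# The set must already exist, just as an ipset must be created before
# "ipset add". Constructed ruleset; load it with: nft -f <file>
NFT_RULESET='
table ip filter {
    set ip_writelist {
        type ipv4_addr
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ip daddr @ip_writelist accept
    }
}'

# Accept only a plain dotted-quad IPv4 address. Any other string (IPv6, a
# hostname, or an address with trailing text) is refused, so a value that
# originated in a DNS answer can never add extra words to the command line.
is_ipv4() {
    rest=$1
    case "$rest" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
        case "$rest" in
            *.*) rest=${rest#*.} ;;
            *)   rest= ;;
        esac
    done
    [ "$n" -eq 4 ]
}

# Print the nft command for one address (same shape as the command in the
# thread, with the address family made explicit). Returns 1 without
# printing anything if the address fails validation.
build_nft_cmd() {
    is_ipv4 "$4" || return 1
    printf 'nft add element %s %s %s { %s }\n' "$1" "$2" "$3" "$4"
}

# Hook entry point: a dnsmasq that ran a command per answer would call it
# as "apply_element <domain> <address>". DRY_RUN=1 (the default) only
# prints the command; DRY_RUN=0 runs it, so the script needs CAP_NET_ADMIN.
apply_element() {
    cmd=$(build_nft_cmd ip filter ip_writelist "$2") || {
        echo "rejected address for $1: $2" >&2
        return 1
    }
    echo "$1 -> $cmd"
    [ "${DRY_RUN:-1}" = 0 ] && $cmd
    return 0
}

# Constructed sample answers, as such a hook might receive them.
apply_element example.com 192.0.2.10
apply_element example.net '192.0.2.11 junk' || true
```

The set in the ruleset is IPv4 only; AAAA answers would need a second set of type ipv6_addr and a matching validator. The same structure works for "ipset add" or any other tool, which is the flexibility Simon is after: only build_nft_cmd changes.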
