On 06/06/2011 06:26, harish badrinath wrote:
> This (in my world) starts making sense when dnsmasq needs to work
> with chillispot (http://www.chillispot.info/) for example,
> to whitelist/blacklist certain domains based on "business logic"
> and for that dnsmasq needs to communicate with other processes using
> static shared memory.
Simon has kindly introduced a new feature in the latest test releases which essentially perpetuates the iptables conntrack mark from the inbound client request onto the upstream server request (i.e. to iptables, the upstream request continues to look like the original connection).

I'm hoping to use this for some of my "business logic" requirements (in particular it could be used to prevent DNS tunnelling). Perhaps give some consideration to whether that feature could be used to simplify some of your configuration? I.e. using iptables to route/limit the requests based on the user making them?

However, some kind of in-process high-speed filtering does sound like a cool feature (not sure what I would personally use it for though). Perhaps it's worth sponsoring a specific feature here (i.e. inside of dnsmasq)? E.g. adding some kind of high-speed static lookup table to support white/blacklists? (Also be aware of ipset in modern kernels, which implements flexible hashes of IP addresses, ports and more.)

Good luck

Ed W
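The netfilter side of what Ed is describing, as an added example (not from the thread, and not code from the dnsmasq or chillispot projects). It assumes dnsmasq runs on the router with its `--conntrack` option (the released form of the feature: dnsmasq reads the conntrack mark of the incoming query and applies the same value, via SO_MARK, to the socket it uses for the upstream query) and was built with conntrack support. The LAN interface `br0`, the ipset name `dns_restricted`, the mark value `0x10`, the rate limits and the client address are made-up placeholders. Clients in the set have their queries connmarked on arrival; the upstream queries dnsmasq then sends for them carry that mark and are rate-limited, which is the anti-tunnelling use Ed mentions, since a DNS tunnel needs far more cache-missing queries per second than ordinary browsing.

```shell
#!/bin/sh
# Added example, not from the thread or the dnsmasq project. Assumes dnsmasq
# runs on this host with --conntrack (connmark of the client's query is copied,
# via SO_MARK, onto the upstream query) and kernel/iptables with ipset support.
# Interface, set name, mark and limits are placeholders.
LAN=br0
MARK=0x10
SET=dns_restricted

# Emit an iptables-restore ruleset (loaded with --noflush, on top of what is
# already there) that:
#  1. connmarks DNS queries arriving from clients in $SET, so dnsmasq can read
#     the mark and re-apply it to the query it forwards upstream;
#  2. rate-limits the marked upstream queries. Cached answers never reach this
#     chain; only cache misses do, which is exactly what a tunnel generates.
dns_policy_rules() {
    cat <<EOF
*mangle
-A PREROUTING -i $LAN -p udp --dport 53 -m set --match-set $SET src -j CONNMARK --set-mark $MARK
-A PREROUTING -i $LAN -p tcp --dport 53 -m set --match-set $SET src -j CONNMARK --set-mark $MARK
COMMIT
*filter
:DNS_RESTRICTED - [0:0]
-A OUTPUT -m mark --mark $MARK -p udp --dport 53 -j DNS_RESTRICTED
-A OUTPUT -m mark --mark $MARK -p tcp --dport 53 -j DNS_RESTRICTED
-A DNS_RESTRICTED -m limit --limit 20/second --limit-burst 40 -j ACCEPT
-A DNS_RESTRICTED -m limit --limit 1/minute -j LOG --log-prefix "dns-restricted-drop: "
-A DNS_RESTRICTED -j DROP
COMMIT
EOF
}

# Create the set if needed and append the rules (must run as root).
apply_dns_policy() {
    ipset create -exist "$SET" hash:ip
    dns_policy_rules | iptables-restore --noflush
}

# Moving a client between the restricted and unrestricted groups is a single
# ipset operation with no iptables change; this is the hook where an external
# "business logic" process (chillispot or similar) would act.
restrict_client()   { ipset add -exist "$SET" "$1"; }
unrestrict_client() { ipset del -exist "$SET" "$1"; }

case "${1:-}" in
    apply)      apply_dns_policy ;;
    restrict)   restrict_client "$2" ;;      # e.g. restrict 192.0.2.50 (placeholder)
    unrestrict) unrestrict_client "$2" ;;
    show)       dns_policy_rules ;;
esac
```

Two points worth checking before relying on it: the upstream queries are matched with `-m mark`, not `-m connmark`, because dnsmasq applies the value as a packet mark on its upstream socket; that same fwmark can also feed `ip rule add fwmark 0x10 table ...` if restricted users' queries should leave by a different route, which is the "route" half of Ed's suggestion. And because `iptables-restore --noflush` appends, running `apply` twice duplicates the rules; flush the `DNS_RESTRICTED` chain (or integrate the rules into the host's normal ruleset) rather than re-applying.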