On 18 Jan 2014, at 20:59, Lee Essen <lee.es...@nowonline.co.uk> wrote:

> Hi,
> 
> I’ve been a long time user of the ipset functionality of dnsmasq which has 
> been fantastic for selective domain-based routing using iptables. Recently 
> I’ve been looking at using a different device to handle my routing, separate 
> to the dnsmasq instance … obviously that makes it difficult to make use of 
> the ipsets.
> 
> Specifically I’m looking at a MikroTik device which can maintain its own 
> lists (I’m sure it’s really ipsets under the covers.) In the same way as 
> iptables, it can build “lists” based on src or dst address of incoming 
> packets.
> 
> I started to look at adjusting the ipset code so that rather than add to 
> sets, it would send a udp packet to a given address but with a src address 
> matching the address that would have been added to the ipset … in that way 
> you can match specific udp packets on a different machine and use that to 
> build the “list”. Thus allowing the dnsmasq instance to be separate from your 
> firewall.
> 
> In the process of trying to modify the code it was easier to add a more 
> generic “action” concept than add individual support for udp sending. Plus 
> you might want to do other things as well … potentially run a script/lua etc? 
> (obviously with performance considered.)
> 
> So, I have put together a patch that changes the ipset functionality into 
> “action”, where you can specify either ipset or udp as an action.
> [lots deleted]

I’ve had a bit of a rethink on this and I am now of the opinion that it’s much 
clearer to just implement the udp capability as a separate option rather than 
trying to create a generic action type capability.

So I’ve had another go, this time I think I’ve done a bit better job, obviously 
it’s just a suggestion but it does demonstrate how it could work…

This time it’s against trunk (c5f4ec7d231294b1abf4178e9fe5a6b497e0a5eb) and 
I’ve included as much IPv6 support as I can muster, the config will take IPv6 
addresses, but I haven’t actually written the bit to send forged IPv6 udp 
packets yet, I need to create a test environment before I can really play with 
that.

This one adds a name-to-address mapping:

udp-send-dest=<name>@<ip4-address>:<port>[,<ipv6-address>:<port>]    (where 
ipv6-address needs to be surrounded by square brackets)

… the udp-send-dest option accepts one, or both addresses and in any order. The 
intention is that it will send IPv4 matches to the IPv4 address and IPv6 
matches to the IPv6 address … if they are specified, and once the code is 
written for IPv6!

Then…

udp-send=/<domain>/<domain>/<…>/<dest>

For example:

udp-send-dest=vpn-clear@192.168.1.2:3000
udp-send-dest=vpn-secure@192.168.1.2:3001

udp-send=/google.com/google.co.uk/vpn-clear
udp-send=/somethingsecret.com/vpn-secure

The config dest bits are resolved once all the config is read, so there are no 
order dependencies.

Anyway … patch attached … more to see if it’s a viable concept than anything 
else. That said, I’m using it on OpenWRT and it’s working really well so far.

Regards,

Lee.

Attachment: 120-udp-send.patch
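
The udp-send-dest / udp-send syntax proposed above, as an added example that is not part of Lee's patch or of dnsmasq: a small Python parser that reads both options, accepts the bracketed IPv6 endpoint form, resolves destination names only after every line has been read (so, as the mail says, there are no order dependencies), and answers which destination a looked-up name maps to for an IPv4 (4) or IPv6 (6) answer, using dnsmasq-style suffix matching. The config lines are constructed from the examples in the mail; the hypothetical 2001:db8::2 address is a placeholder.

```python
import ipaddress

# Constructed config in the mail's proposed syntax (not from the patch); a udp-send line precedes its dest on purpose.
SAMPLE_CONFIG = """
udp-send=/google.com/google.co.uk/vpn-clear
udp-send-dest=vpn-clear@192.168.1.2:3000
udp-send-dest=vpn-secure@[2001:db8::2]:3001,192.168.1.2:3001
udp-send=/somethingsecret.com/vpn-secure
"""

def parse_endpoint(text):
    """Parse 'ip4:port' or '[ip6]:port' into (ip_string, port)."""
    host, _, port = text.rpartition(':')
    if host.startswith('[') and host.endswith(']'):
        host = host[1:-1]                          # bracketed IPv6 form
    elif ':' in host:
        raise ValueError(f"IPv6 address must be in square brackets: {text}")
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad port in endpoint: {text}")
    return str(ipaddress.ip_address(host)), int(port)   # ValueError if not an IP

def parse_config(text):
    """Return [(domains, {4: (ip, port), 6: (ip, port)}), ...] with dests resolved."""
    dests, rules = {}, []
    for line in text.splitlines():
        key, _, value = line.strip().partition('=')   # blank/comment lines match nothing
        if key == 'udp-send-dest':
            name, _, endpoints = value.partition('@')
            entry = {}
            for ep in endpoints.split(','):            # one or both families, any order
                ip, port = parse_endpoint(ep)
                family = ipaddress.ip_address(ip).version
                if family in entry:
                    raise ValueError(f"duplicate IPv{family} endpoint for {name}")
                entry[family] = (ip, port)
            dests[name] = entry
        elif key == 'udp-send':
            parts = value.split('/')                   # '/a/b/dest' -> ['', 'a', 'b', 'dest']
            if len(parts) < 3 or parts[0] != '':
                raise ValueError(f"malformed udp-send: {line}")
            rules.append((tuple(d.lower() for d in parts[1:-1]), parts[-1]))
    # Second pass: dest names resolve only now, after every line is read (KeyError = undefined dest).
    return [(domains, dests[name]) for domains, name in rules]

def lookup(rules, qname, family):                      # family: 4 or 6, the answer record's type
    q = qname.lower().rstrip('.')
    for domains, dest in rules:                        # dnsmasq-style suffix match on /domain/
        if any(q == d or q.endswith('.' + d) for d in domains):
            return dest.get(family)                    # None if dest has no address of this family
    return None
```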

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
