Hello, With: dnsmasq v2.87test5 running on localhost (Debian 11 bullseye PC).
Trying: to use --nftset option to implement an allowlist outbound firewall with nftables. Result: when an application performs a DNS lookup prior to establishing an outbound connection: most of the time on my PC, but not always, the nft `add element` happens too late; therefore the outbound rules using the nft `ip daddr @set` do not work. To be clear: the IP addresses do get correctly added to the nft set(s), but only after the application has received a DNS reply from dnsmasq and already attempted a connection and failed. The problem: appears to be that nftset and DNS reply run concurrently (forks); despite `nftset.c` : `add_to_nftset()` technically being called first, the reply on my PC happens before the nft set is updated in the kernel (nftables can be relatively slow). (perhaps it might work better on a router due to network latency). Tested: at first I was hypothesizing that perhaps calls to `nft_ctx_output_set_flags(ctx, NFT_CTX_OUTPUT_ECHO);` and `nft_ctx_get_output_buffer(ctx)` in `nftset.c` might be required to wait for the set elements to be committed to the kernel (man libnftables), but that did not help. I added a `sleep(5);` in `nftset.c` just to see, and that confirmed dnsmasq does not wait for `add_to_nftset` to finish before sending a DNS reply to the client (it was instantaneous). The question is: would it be possible to have the DNS reply occur only after `add_to_nftset` has fully completed? Thank you. _______________________________________________ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
