On Fri 2022-02-04 16:53 Simon Kelley wrote:

> This surprises me: I can believe it's possible that whatever happens
> after the call into nft_run_cmd_from_buffer() could run concurrently,
> with nft_run_cmd_from_buffer() returning immediately, but if you put a
> sleep(5) into add_to_nftset() I'd expect that to block the reply.

Apologies, I'm an idiot, I was thrown off by the post-nftset log_query().
Arrg.  So, on the one hand I may indeed have a race condition
with nft_run_cmd_from_buffer() returning immediately, which it appears
can be addressed with a simple patch...  I'll test more.

Another problem appears to be software like apt doing SRV queries,
effectively resolving CNAMEs themselves.
Can't see a fix for that...

$ apt update
Err:1 http://deb.debian.org/debian bullseye InRelease
  Could not connect to debian.map.fastlydns.net:80 (151.101.126.132). - connect 
(111: Connection refused) Unable to connect to deb.debian.org:http:
Err:2 http://deb.debian.org/debian bullseye-updates InRelease
  Unable to connect to deb.debian.org:http:

...because query #3 is not in my nftset:

Feb  5 17:29:07 dnsmasq[8068]: 1 127.0.0.1/41766 query[SRV] 
_http._tcp.security.debian.org from 127.0.0.1
Feb  5 17:29:07 dnsmasq[8068]: 1 127.0.0.1/41766 forwarded 
_http._tcp.security.debian.org to 192.168.1.1
Feb  5 17:29:07 dnsmasq[8068]: 2 127.0.0.1/60606 query[SRV] 
_http._tcp.deb.debian.org from 127.0.0.1
Feb  5 17:29:07 dnsmasq[8068]: 2 127.0.0.1/60606 forwarded 
_http._tcp.deb.debian.org to 192.168.1.1
Feb  5 17:29:07 dnsmasq[8068]: 1 127.0.0.1/41766 reply 
_http._tcp.security.debian.org is <SRV>
Feb  5 17:29:07 dnsmasq[8068]: 3 127.0.0.1/49100 query[A] 
debian.map.fastlydns.net from 127.0.0.1
Feb  5 17:29:07 dnsmasq[8068]: 3 127.0.0.1/49100 forwarded 
debian.map.fastlydns.net to 192.168.1.1
Feb  5 17:29:07 dnsmasq[8068]: 2 127.0.0.1/60606 reply 
_http._tcp.deb.debian.org is <SRV>
Feb  5 17:29:07 dnsmasq[8068]: 4 127.0.0.1/52591 query[A] 
debian.map.fastlydns.net from 127.0.0.1
Feb  5 17:29:07 dnsmasq[8068]: 3 127.0.0.1/49100 reply debian.map.fastlydns.net 
is 151.101.126.132
Feb  5 17:29:07 dnsmasq[8068]: 4 127.0.0.1/52591 reply query is duplicate
Feb  5 17:29:07 dnsmasq[8068]: 5 127.0.0.1/37265 query[A] security.debian.org 
from 127.0.0.1
Feb  5 17:29:07 dnsmasq[8068]: 5 127.0.0.1/37265 forwarded security.debian.org 
to 192.168.1.1
Feb  5 17:29:07 dnsmasq[8068]: 6 127.0.0.1/58615 query[A] deb.debian.org from 
127.0.0.1
Feb  5 17:29:07 dnsmasq[8068]: 6 127.0.0.1/58615 forwarded deb.debian.org to 
192.168.1.1
Feb  5 17:29:07 dnsmasq[8068]: 5 127.0.0.1/37265 nftset add 4 inet filter 
_apt_4 151.101.130.132 security.debian.org
Feb  5 17:29:07 dnsmasq[8068]: 5 127.0.0.1/37265 reply security.debian.org is 
151.101.130.132
Feb  5 17:29:07 dnsmasq[8068]: 5 127.0.0.1/37265 nftset add 4 inet filter 
_apt_4 151.101.194.132 security.debian.org
Feb  5 17:29:07 dnsmasq[8068]: 5 127.0.0.1/37265 reply security.debian.org is 
151.101.194.132
Feb  5 17:29:07 dnsmasq[8068]: 5 127.0.0.1/37265 nftset add 4 inet filter 
_apt_4 151.101.2.132 security.debian.org
Feb  5 17:29:07 dnsmasq[8068]: 5 127.0.0.1/37265 reply security.debian.org is 
151.101.2.132
Feb  5 17:29:07 dnsmasq[8068]: 5 127.0.0.1/37265 nftset add 4 inet filter 
_apt_4 151.101.66.132 security.debian.org
Feb  5 17:29:07 dnsmasq[8068]: 5 127.0.0.1/37265 reply security.debian.org is 
151.101.66.132
Feb  5 17:29:07 dnsmasq[8068]: 6 127.0.0.1/58615 reply deb.debian.org is <CNAME>
Feb  5 17:29:07 dnsmasq[8068]: 6 127.0.0.1/58615 nftset add 4 inet filter 
_apt_4 151.101.126.132 deb.debian.org
Feb  5 17:29:07 dnsmasq[8068]: 6 127.0.0.1/58615 reply debian.map.fastlydns.net 
is 151.101.126.132

Thanks for your time, much appreciated!
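One way to spot this class of gap from dnsmasq's own log, as an added example that is not code from this thread or from dnsmasq: for each query id, compare the IPv4 addresses handed back in "reply ... is <ip>" lines with the addresses that got an "nftset add" line, and report answers the client received without a set update (query #3 above). It assumes the log shape shown in the message (query id followed by client/port on each line); the sample below is a constructed subset of that log.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the log quoted in the message, rejoined from
# the mail wrapping. The query id and client/port precede each action.
SAMPLE_LOG = """\
Feb  5 17:29:07 dnsmasq[8068]: 3 127.0.0.1/49100 query[A] debian.map.fastlydns.net from 127.0.0.1
Feb  5 17:29:07 dnsmasq[8068]: 3 127.0.0.1/49100 forwarded debian.map.fastlydns.net to 192.168.1.1
Feb  5 17:29:07 dnsmasq[8068]: 3 127.0.0.1/49100 reply debian.map.fastlydns.net is 151.101.126.132
Feb  5 17:29:07 dnsmasq[8068]: 4 127.0.0.1/52591 query[A] debian.map.fastlydns.net from 127.0.0.1
Feb  5 17:29:07 dnsmasq[8068]: 4 127.0.0.1/52591 reply query is duplicate
Feb  5 17:29:07 dnsmasq[8068]: 5 127.0.0.1/37265 query[A] security.debian.org from 127.0.0.1
Feb  5 17:29:07 dnsmasq[8068]: 5 127.0.0.1/37265 nftset add 4 inet filter _apt_4 151.101.130.132 security.debian.org
Feb  5 17:29:07 dnsmasq[8068]: 5 127.0.0.1/37265 reply security.debian.org is 151.101.130.132
Feb  5 17:29:07 dnsmasq[8068]: 6 127.0.0.1/58615 query[A] deb.debian.org from 127.0.0.1
Feb  5 17:29:07 dnsmasq[8068]: 6 127.0.0.1/58615 reply deb.debian.org is <CNAME>
Feb  5 17:29:07 dnsmasq[8068]: 6 127.0.0.1/58615 nftset add 4 inet filter _apt_4 151.101.126.132 deb.debian.org
Feb  5 17:29:07 dnsmasq[8068]: 6 127.0.0.1/58615 reply debian.map.fastlydns.net is 151.101.126.132
"""

# "dnsmasq[pid]: <qid> <client>/<port> <action...>"
LINE_RE = re.compile(r"dnsmasq\[\d+\]: (?P<qid>\d+) \S+ (?P<rest>.*)$")
REPLY_RE = re.compile(r"^reply (?P<name>\S+) is (?P<ip>\d+\.\d+\.\d+\.\d+)$")
# "nftset add <family> <table-family> <table> <set> <ip> <name>"
NFTSET_RE = re.compile(r"^nftset add \d+ \S+ \S+ \S+ (?P<ip>\d+\.\d+\.\d+\.\d+) (?P<name>\S+)$")

def find_unset_replies(log_text):
    """Return {query_id: {(name, ip), ...}} for IPv4 answers returned to the
    client without an 'nftset add' for that address within the same query.
    '<SRV>', '<CNAME>' and 'query is duplicate' replies carry no address."""
    replied = defaultdict(set)
    added = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        qid, rest = m.group("qid"), m.group("rest")
        r = REPLY_RE.match(rest)
        if r:
            replied[qid].add((r.group("name"), r.group("ip")))
            continue
        n = NFTSET_RE.match(rest)
        if n:
            added[qid].add(n.group("ip"))
    gaps = {}
    for qid, answers in replied.items():
        missing = {(name, ip) for name, ip in answers if ip not in added[qid]}
        if missing:
            gaps[qid] = missing
    return gaps
```

Run against the full log, the only report is query 3: the A lookup apt made for the SRV target directly, which never passed through a name the nftset matches.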

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss