Re: [Dnsmasq-discuss] [PATCH] Connection track mark based DNS query filtering.

Sun, 06 Nov 2022 12:34:46 -0800 


On 23/10/2022 11:43, Geert Stappers via Dnsmasq-discuss wrote:
> On Sun, Oct 23, 2022 at 10:15:47AM +0200, Geert Stappers via Dnsmasq-discuss 
> wrote:
>> On Fri, Jan 22, 2021 at 09:34:53PM +0100, Etan Kissling wrote:
>>> This extends query filtering support beyond what is currently possible
>>> with the `--ipset` configuration option, by adding support for:
>>> 1) Specifying allowlists on a per-client basis, based on their
>>>    associated Linux connection track mark.
>>> 2) Dynamic configuration of allowlists via Ubus.
>>> 3) Reporting when a DNS query resolves or is rejected via Ubus.
>>> 4) DNS name patterns containing wildcards.
>>>
>>> Disallowed queries are not forwarded; they are rejected
>>> with a REFUSED error code.
>>>
>>> Signed-off-by: Etan Kissling <etan_kissl...@apple.com>
>>> ---
>>>  Makefile      |   2 +-
>>>  man/dnsmasq.8 |  31 +++-
>>>  src/dnsmasq.h |  25 +++-
>>>  src/forward.c | 123 +++++++++++++++-
>>>  src/option.c  | 134 ++++++++++++++++++
>>>  src/pattern.c | 386 ++++++++++++++++++++++++++++++++++++++++++++++++++
>>>  src/rfc1035.c |  82 +++++++++++
>>>  src/ubus.c    | 182 ++++++++++++++++++++++++
>>>  8 files changed, 956 insertions(+), 9 deletions(-)
>>>  create mode 100644 src/pattern.c
>>  
>>
>> Found this while looking for another patch.
>> Did see that no one did respond to the patch.
>> I might be wrong about that due my archive my only point of view.
>>
>>
>> What where other responses?
>>
> I'm asking especially the mailinglist because I got
>
> <etan_kissl...@apple.com>: host mx-in.g.apple.com[17.72.136.242] said: 550    
>                                                   
>     5.1.6 recipient no longer on server: etan_kissl...@apple.com (in reply to 
>                                                   
>     RCPT TO command)
>
>
> Groeten
> Geert Stappers


I could make use of this feature!

I have no opinion on the code, or whether it implements the behaviour as 
described


I think we have seen Apple behave something like this in the past? They will 
present a patch once
and it nobody wants to bite then there won't be prompting. I think it's up to 
the maintainers of
dnsmasq whether we want to integrate this and maintain it?

Ed W


_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss






















					Reply via email to