dnsmasq: Enable dnsmasqs new nftables support
authorKevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Mon, 29 Nov 2021 17:16:39 +0000 (17:16 +0000)
committerMathias Kresin <dev@kresin.me>
Wed, 4 May 2022 20:13:55 +0000 (22:13 +0200)
Add build option for nftables sets.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
package/network/services/dnsmasq/Makefile
package/network/services/dnsmasq/files/dnsmasq.init

index 812c0a5555ea2586d777d93f4775e58e5d787fba..c7a365fdc69f7a406aaeff2de800fdb1f6a1cdc7 100644 (file)
@@ -30,6 +30,7 @@ PKG_CONFIG_DEPENDS:= CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dhcp \
        CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dnssec \
        CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_auth \
        CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_ipset \
+       CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_nftset \
        CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_conntrack \
        CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_noid \
        CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_broken_rtc \
@@ -61,10 +62,11 @@ endef
 
 define Package/dnsmasq-full
 $(call Package/dnsmasq/Default)
-  TITLE += (with DNSSEC, DHCPv6, Auth DNS, IPset, Conntrack, NO_ID enabled by default)
+  TITLE += (with DNSSEC, DHCPv6, Auth DNS, IPset, Nftset, Conntrack, NO_ID enabled by default)
   DEPENDS+=+PACKAGE_dnsmasq_full_dnssec:libnettle \
        +PACKAGE_dnsmasq_full_ipset:kmod-ipt-ipset \
-       +PACKAGE_dnsmasq_full_conntrack:libnetfilter-conntrack
+       +PACKAGE_dnsmasq_full_conntrack:libnetfilter-conntrack \
+       +PACKAGE_dnsmasq_full_nftset:nftables-json
   VARIANT:=full
   PROVIDES:=dnsmasq
 endef
@@ -110,6 +112,9 @@ define Package/dnsmasq-full/config
        config PACKAGE_dnsmasq_full_ipset
                bool "Build with IPset support."
                default y
+       config PACKAGE_dnsmasq_full_nftset
+               bool "Build with Nftset support."
+               default y
        config PACKAGE_dnsmasq_full_conntrack
                bool "Build with Conntrack support."
                default y
@@ -144,6 +149,7 @@ ifeq ($(BUILD_VARIANT),full)
                $(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dnssec),-DHAVE_DNSSEC) \
                $(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_auth),,-DNO_AUTH) \
                $(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_ipset),,-DNO_IPSET) \
+               $(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_nftset),-DHAVE_NFTSET,) \
                $(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_conntrack),-DHAVE_CONNTRACK,) \
                $(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_noid),-DNO_ID,) \
                $(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_broken_rtc),-DHAVE_BROKEN_RTC) \
index 755168d8402d2ad5c3134edbb451af669ccb96ca..2b6ee0bd2357e9a1d3372de509d20630a63b430c 100755 (executable)
@@ -33,6 +33,7 @@ dnsmasq_ignore_opt() {
                [ "${dnsmasq_features#* DNSSEC }" = "$dnsmasq_features" ] || dnsmasq_has_dnssec=1
                [ "${dnsmasq_features#* TFTP }" = "$dnsmasq_features" ] || dnsmasq_has_tftp=1
                [ "${dnsmasq_features#* ipset }" = "$dnsmasq_features" ] || dnsmasq_has_ipset=1
+               [ "${dnsmasq_features#* nftset }" = "$dnsmasq_features" ] || dnsmasq_has_nftset=1
        fi
 
        case "$opt" in
@@ -55,6 +56,8 @@ dnsmasq_ignore_opt() {
                        [ -z "$dnsmasq_has_tftp" ] ;;
                ipset)
                        [ -z "$dnsmasq_has_ipset" ] ;;
+               nftset)
+                       [ -z "$dnsmasq_has_nftset" ] ;;
                *)
                        return 1
        esac
@@ -169,6 +172,10 @@ append_address() {
        xappend "--address=$1"
 }
 
+append_nftset() {
+       xappend "--nftset=$1"
+}
+
 append_connmark_allowlist() {
        xappend "--connmark-allowlist=$1"
 }
@@ -813,6 +820,29 @@ dnsmasq_ipset_add() {
        xappend "--ipset=$domains/$ipsets"
 }
 
+dnsmasq_nftset_add() {
+       local cfg="$1"
+       local nftsets domains
+
+       add_nftset() {
+               nftsets="${nftsets:+$nftsets,}$1"
+       }
+
+       add_domain() {
+               # leading '/' is expected
+               domains="$domains/$1"
+       }
+
+       config_list_foreach "$cfg" "name" add_nftset
+       config_list_foreach "$cfg" "domain" add_domain
+
+       if [ -z "$nftsets" ] || [ -z "$domains" ]; then
+               return 0
+       fi
+
+       xappend "--nftset=$domains/$nftsets"
+}
+
 dnsmasq_start()
 {
        local cfg="$1"
@@ -944,6 +974,7 @@ dnsmasq_start()
        config_list_foreach "$cfg" "server" append_server
        config_list_foreach "$cfg" "rev_server" append_rev_server
        config_list_foreach "$cfg" "address" append_address
+       config_list_foreach "$cfg" "nftset" append_nftset
 
        local connmark_allowlist_enable
        config_get connmark_allowlist_enable "$cfg" connmark_allowlist_enable 0
@@ -1136,6 +1167,10 @@ dnsmasq_start()
        config_foreach filter_dnsmasq ipset dnsmasq_ipset_add "$cfg"
        echo >> $CONFIGFILE_TMP
 
+       echo >> $CONFIGFILE_TMP
+       config_foreach filter_dnsmasq nftset dnsmasq_nftset_add "$cfg"
+       echo >> $CONFIGFILE_TMP
+
        echo >> $CONFIGFILE_TMP
        mv -f $CONFIGFILE_TMP $CONFIGFILE
        mv -f $HOSTFILE_TMP $HOSTFILE