dnsmasq: nftset: serve from ipset config

Use existing ipset configs as source for nftsets to be compatible with
existing configs. As the OS can either have iptables XOR nftables
support, it's fine to provide both to dnsmasq. dnsmasq will silently
fail for the present one. Depending on the dnsmasq compile time options,
the ipsets or nftsets option will not be added to the dnsmasq config
file.

dnsmasq will try to add the IP addresses to all sets, regardless of the
IP version defined for the set. Adding an IPv6 to an IPv4 set and vice
versa will silently fail.

Signed-off-by: Mathias Kresin <dev@kresin.me>

diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init
index 2b6ee0bd2357e9a1d3372de509d20630a63b430c..b13f35210077fc685d0d4ba59820458d76ac3f9e 100755 (executable)
--- a/package/network/services/dnsmasq/files/dnsmasq.init
+++ b/package/network/services/dnsmasq/files/dnsmasq.init
@@ -172,10 +172,6 @@ append_address() {
        xappend "--address=$1"
 }
 
-append_nftset() {
-       xappend "--nftset=$1"
-}
-
 append_connmark_allowlist() {
        xappend "--connmark-allowlist=$1"
 }
@@ -799,33 +795,14 @@ dhcp_relay_add() {
 
 dnsmasq_ipset_add() {
        local cfg="$1"
-       local ipsets domains
+       local ipsets nftsets domains
 
        add_ipset() {
                ipsets="${ipsets:+$ipsets,}$1"
        }
 
-       add_domain() {
-               # leading '/' is expected
-               domains="$domains/$1"
-       }
-
-       config_list_foreach "$cfg" "name" add_ipset
-       config_list_foreach "$cfg" "domain" add_domain
-
-       if [ -z "$ipsets" ] || [ -z "$domains" ]; then
-               return 0
-       fi
-
-       xappend "--ipset=$domains/$ipsets"
-}
-
-dnsmasq_nftset_add() {
-       local cfg="$1"
-       local nftsets domains
-
        add_nftset() {
-               nftsets="${nftsets:+$nftsets,}$1"
+               nftsets="${nftsets:+$nftsets,}inet#fw4#$1"
        }
 
        add_domain() {
@@ -833,13 +810,15 @@ dnsmasq_nftset_add() {
                domains="$domains/$1"
        }
 
+       config_list_foreach "$cfg" "name" add_ipset
        config_list_foreach "$cfg" "name" add_nftset
        config_list_foreach "$cfg" "domain" add_domain
 
-       if [ -z "$nftsets" ] || [ -z "$domains" ]; then
+       if [ -z "$ipsets" ] || [ -z "$nftsets" ] || [ -z "$domains" ]; then
                return 0
        fi
 
+       xappend "--ipset=$domains/$ipsets"
        xappend "--nftset=$domains/$nftsets"
 }
 
@@ -974,7 +953,6 @@ dnsmasq_start()
        config_list_foreach "$cfg" "server" append_server
        config_list_foreach "$cfg" "rev_server" append_rev_server
        config_list_foreach "$cfg" "address" append_address
-       config_list_foreach "$cfg" "nftset" append_nftset
 
        local connmark_allowlist_enable
        config_get connmark_allowlist_enable "$cfg" connmark_allowlist_enable 0
@@ -1167,10 +1145,6 @@ dnsmasq_start()
        config_foreach filter_dnsmasq ipset dnsmasq_ipset_add "$cfg"
        echo >> $CONFIGFILE_TMP
 
-       echo >> $CONFIGFILE_TMP
-       config_foreach filter_dnsmasq nftset dnsmasq_nftset_add "$cfg"
-       echo >> $CONFIGFILE_TMP
-
        echo >> $CONFIGFILE_TMP
        mv -f $CONFIGFILE_TMP $CONFIGFILE
        mv -f $HOSTFILE_TMP $HOSTFILE