IPSet module #28
Conversation
Hi,
Thank you for your reply.
Hi,
the ipset that could add the domain's ip to a list easily. Needs libmnl, and --enable-ipset and config it, doc/README.ipset.md. - Fix to omit RRSIGs from addition to the ipset.
Thank you for the PR! The documentation you write, I have put in doc/README.ipset.md, so that other people can reference it.
* nlnet/master: (22 commits)
  - Nicer spelling and layout.
  - For NLnetLabs#45, check that 127.0.0.1 and ::1 are not used in unbound.conf when do-not-query-localhost is turned on, or at default on, unbound-checkconf prints a warning if it is found in forward-addr or stub-addr statements.
  - Fix memleak in unit test, reported from the clang 8.0 static analyzer.
  - Fix python dict reference and double free in config.
  - Merge PR NLnetLabs#6: Python module: support multiple instances
  - Merge PR NLnetLabs#5: Python module: define constant MODULE_RESTART_NEXT
  - Merge PR NLnetLabs#4: Python module: assign something useful to the per-query data store 'qdata'. Noted in Changelog.
  - Added documentation to the ipset files (for doxygen output).
  - make depend
  - Fix to make unbound-control with ipset, remove unused variable, use unsigned type because of comparison, and assign null instead of compare with it. Remade lex and yacc output.
  - PR NLnetLabs#28: IPSet module, by Kevin Chou. Created a module to support the ipset that could add the domain's ip to a list easily. Needs libmnl, and --enable-ipset and config it, doc/README.ipset.md.
  - Fix to omit RRSIGs from addition to the ipset.
  - Fix for NLnetLabs#24: Fix abort due to scan of auth zone masters using old address from previous scan.
  - Fix NLnetLabs#39: In libunbound, leftover logfile is close()d unpredictably.
  - Master contains version 1.9.3 in development.
  - fix segmentation fault
  - rollback the code
  - bugfix
  - performance improvement
  - edit config parser to support ipset
  - Add support for ipset
  - Document how to configure multiple python modules
  - Support multiple python module instances
  - ...
Many thanks for implementing this feature! Do you know how many
There is no limit on it. It uses memory to store them. You can have as many as you like. If you have a local-zone without local-data in it, it uses less memory. It then also uses more time to read them in. Consider using the include: "file" directive to organize the lists.
Thank you for this patch but I can't get this working.
Created the ipsets:
But nothing is added to the sets.
And is it possible to have multiple ipsets?
The previous commit should allow you to see in the logs (set verbosity high up for it) when an ipaddress is added to the set.
The output should look like this (for me in a test), with verbosity 3 or higher:
I probably have the same issue as @schm0: although I get the log message as described, nothing is appended to the ipset at all. I also found some issues in addition to that.
What I would like to do is have a special view for clients with restricted internet access, i.e. my TV set should not be able to access the internet by default, but there are some cases where I want to allow it based on the response of unbound for i.e. "pool.ntp.org". As far as I can see, the way this module is implemented does not allow such a configuration at all. It's not a problem if you don't want to avoid responding with addresses that are not routable, but doing so makes my TV set a lot less noisy with regards to connection attempts (that will fail repeatedly).
Additionally I would like to add that I would have a use-case for multiple ipset lists too, which currently is not possible either.
@mercora Thank you for your suggestion. Basically, I think supporting multiple ipsets is the answer to solve the problem that you are facing.
OK, sounds reasonable. Then let's find out why it is not working as is for now :)
Hi, We would like to include the ipset module under the BSD license. It was contributed by you (Kevin Chou) but you did not mention the license. Is it okay to include the ipset module under the 3-clause BSD license that we use for Unbound? Best regards, Wouter
@wcawijngaards No worries. It's ok.
Thanks for the quick reply! We try to keep our licensing as clear as possible.
This patch enables ipset support in the unbound-daemon-heavy variant. See [1] for instructions on how to use it. Also fix a minor typo in the libunbound-light description. [1] NLnetLabs/unbound#28 Signed-off-by: Stijn Segers <foss@volatilesystems.org>
Hi all, are there plans for the ipset support in this module to be extended to allow multiple ipsets, for example to maintain a block list for some domains and an allow list for others?
@wcawijngaards Question from a noob: what does the update loop look like here? I mean, what triggers queries for the domains specified in local-zone after the initial startup query is done? I was trying to answer this question by looking at the code base, but failed miserably.
@paulgear No plans at present for multiple ipsets. We have contributed code. After the lookup to the internet is complete for the query, the modules are done. At that point the ipset.c:ipset_update() function is called with the just newly looked up query answer. This scans the message for the names listed in the local-zone statements, and then adds them to the ipset in ipset.c:add_to_ipset().
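An added Python model of the selection step the comment above describes (this is illustration, not the PR's C code in ipset.c): scan the answer rrsets of a completed lookup, keep only owner names under a local-zone marked for ipset, and collect A/AAAA data while ignoring RRSIG, CNAME and other types, which is where the "omit RRSIGs" fix from the commit list applies. The answer records, zone list and set names are constructed samples; the real module pushes entries to the kernel over netlink via libmnl, so the `ipset add` lines here are only rendered text.

```python
import ipaddress

# Constructed sample answer section after a lookup: (owner, rrtype, rdata).
SAMPLE_ANSWER = [
    ("www.example.org.", "CNAME", "edge.example.org."),
    ("edge.example.org.", "A", "192.0.2.10"),
    ("edge.example.org.", "A", "192.0.2.11"),
    ("edge.example.org.", "AAAA", "2001:db8::10"),
    ("edge.example.org.", "RRSIG", "A 13 3 300 ..."),  # must be skipped
    ("mail.unrelated.net.", "A", "198.51.100.5"),      # not under an ipset zone
]

# Constructed list of local-zone names whose answers should feed the ipset.
IPSET_ZONES = ["example.org.", "pool.ntp.org."]


def in_zone(name, zone):
    """DNS suffix match: name is the zone apex or a subdomain of it."""
    name, zone = name.lower(), zone.lower()
    return name == zone or name.endswith("." + zone)


def select_addresses(answer, zones, have_v4=True, have_v6=True):
    """Model of the update step: return (v4, v6) address lists to add.

    Only A/AAAA rrsets whose owner lies under an ipset local-zone count.
    RRSIG, CNAME and any other rrtype are ignored, and a family is only
    collected when a set name for it is configured (have_v4 / have_v6).
    """
    v4, v6 = [], []
    for owner, rtype, rdata in answer:
        if not any(in_zone(owner, z) for z in zones):
            continue
        if rtype == "A" and have_v4:
            v4.append(str(ipaddress.IPv4Address(rdata)))  # validates rdata
        elif rtype == "AAAA" and have_v6:
            v6.append(str(ipaddress.IPv6Address(rdata)))
    return v4, v6


def ipset_commands(answer, zones, name_v4="unbound4", name_v6="unbound6"):
    """Render the `ipset add` lines equivalent to what the module would
    push into the kernel sets (hypothetical set names; text only)."""
    v4, v6 = select_addresses(answer, zones,
                              have_v4=bool(name_v4), have_v6=bool(name_v6))
    return ([f"ipset add {name_v4} {a}" for a in v4]
            + [f"ipset add {name_v6} {a}" for a in v6])
```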
Created a module to support the ipset that could add the domain's IP to a list easily.
Purposes:
So, I set up a transparent proxy to proxy only the traffic which has been blocked.
At the final step, I need to install a DNS service which would work well with ipset to launch the system.
I did some research for this. Unfortunately, Unbound, my favorite DNS service, doesn't support ipset yet. So, I decided to implement it myself and contribute the patch. It's good for me and the community.
Notes:
How to use:
Configuration: