author | Simon Kelley <simon@thekelleys.org.uk> | 2021-09-27 21:31:20 +0100 |
---|---|---|
committer | Simon Kelley <simon@thekelleys.org.uk> | 2021-09-27 21:49:28 +0100 |
commit | 47aefca5e405b4b6627ef952fdc42e61b1baa770 (patch) | |
tree | 853a36100c922de403e543fa779bb1ce58c7ab2e /src/rfc1035.c | |
parent | 981fb037102306a4ca683f14c8469db4d5e27233 (diff) | |
download | dnsmasq-47aefca5e405b4b6627ef952fdc42e61b1baa770.tar.gz |
Add --nftset option, like --ipset but for the newer nftables.v2.87test2
Thanks to Chen Zhenge for the original patch, which I've
reworked. Any bugs down to SRK.
Diffstat (limited to 'src/rfc1035.c')
-rw-r--r-- | src/rfc1035.c | 26 |
1 files changed, 16 insertions, 10 deletions
diff --git a/src/rfc1035.c b/src/rfc1035.c
index 3a7f3a5..124a4f2 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -540,8 +540,8 @@ static int print_txt(struct dns_header *header, const size_t qlen, char *name,
 expired and cleaned out that way.
 Return 1 if we reject an address because it look like part of dns-rebinding attack. */
 int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t now,
- char **ipsets, int is_sign, int check_rebind, int no_cache_dnssec,
- int secure, int *doctored)
+ struct ipsets *ipsets, struct ipsets *nftsets, int is_sign, int check_rebind,
+ int no_cache_dnssec, int secure, int *doctored)
 {
 unsigned char *p, *p1, *endrr, *namep;
 int j, qtype, qclass, aqtype, aqclass, ardlen, res, searched_soa = 0;
@@ -552,6 +552,11 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
 #else
 (void)ipsets; /* unused */
 #endif
+#ifdef HAVE_NFTSET
+ char **nftsets_cur;
+#else
+ (void)nftsets; /* unused */
+#endif
 int found = 0, cname_count = CNAME_CHAIN;
 struct crec *cpp = NULL;
 int flags = RCODE(header) == NXDOMAIN ? F_NXDOMAIN : 0;
@@ -843,14 +848,15 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
 #ifdef HAVE_IPSET
 if (ipsets && (flags & (F_IPV4 | F_IPV6)))
- {
- ipsets_cur = ipsets;
- while (*ipsets_cur)
- {
- log_query((flags & (F_IPV4 | F_IPV6)) | F_IPSET, name, &addr, *ipsets_cur, 0);
- add_to_ipset(*ipsets_cur++, &addr, flags, 0);
- }
- }
+ for (ipsets_cur = ipsets->sets; *ipsets_cur; ipsets_cur++)
+ if (add_to_ipset(*ipsets_cur, &addr, flags, 0) == 0)
+ log_query((flags & (F_IPV4 | F_IPV6)) | F_IPSET, ipsets->domain, &addr, *ipsets_cur, 1);
+#endif
+#ifdef HAVE_NFTSET
+ if (nftsets && (flags & (F_IPV4 | F_IPV6)))
+ for (nftsets_cur = nftsets->sets; *nftsets_cur; nftsets_cur++)
+ if (add_to_nftset(*nftsets_cur, &addr, flags, 0) == 0)
+ log_query((flags & (F_IPV4 | F_IPV6)) | F_IPSET, nftsets->domain, &addr, *nftsets_cur, 0);
 #endif
 }
|
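Review bot: In the third hunk a non-zero return from add_to_ipset() or add_to_nftset() now leaves no trace at all: the log_query() call is skipped and nothing else reports the failure, so a set that cannot be updated (wrong name, missing table, insufficient privilege) is invisible to an operator reading the log, whereas the old code at least logged the attempt. Consider reporting the failure path, e.g. `else my_syslog(LOG_ERR, _("failed to add %s to set %s"), ipsets->domain, *ipsets_cur);` or an equivalent the module already uses, so that firewall rules silently not being populated is diagnosable. The trailing literal in the two log_query() calls differs (`1` for ipset, `0` for nftset) and presumably selects the log label inside log_query(); a short comment such as `/* last arg: 1 = ipset, 0 = nftset (log label) */` would stop it reading like a copy-paste slip. extract_addresses() starts in the first hunk and its body continues outside all three hunks.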