unbound
Port ipset to BSD pf tables
On OpenBSD, packet filter tables provide functionality similar to Linux netfilter ipset. The second commit adds support for them.
Since pf is manipulated by ioctl() on /dev/pf, /dev/pf needs to be opened before privileges are dropped. The first commit renames the modules' init functions to setup and allows modules to implement an init function which is run once before privileges are dropped. One unwanted side effect of this change is that now, on reload by -HUP signal, the ordering of the modules mustn't change.
This is not yet well tested, but feedback on whether the general approach is acceptable is highly welcome.
Hi, so your code looks nice. The issue is not the ipset addition, but that I need to talk about the general approach. It modifies the contract API of the modules, so I think it is best if I talk with my colleagues about it and figure out what it is that we want from it; what you have done could be that (and it looks fine & a lot of work too). From my initial look, the script API could be impacted to change too; otherwise I am not sure; maybe just extending the API with a priv setup routine, or maybe the change to modify the existing init to setup routines in the pull request now. Trying to pick the best architectural solution for module support.
Ping? Have you had time to consider how to go forward with privileged setup?
Ping? I just merged again.
This functionality would be incredibly useful, as a lot of BSD systems that are used as routers/firewalls use Unbound as their primary DNS resolver, for example OPNsense and pfSense. Thanks.
FreeBSD provides the ipset functionality by setfib.
Maybe I should have described the use case: making firewall decisions based on domain names (A and AAAA responses) by populating (pf tables or ipset) with resolved IPs.
I can’t figure out how setfib could be of use here.
There is a modified version of this patch in #1098. I tried to remove some of the changes to other parts of the code, but it is nice to keep the startup capability for modules to get privileged items.
Thank you for the patch! The modified version has been merged and it is in the code repository.