Dynamic ipsets updates following named requests
Description
I propose a plugin that is able to update netfilter ipsets when specific requests are received by named. This may be useful in a situation where:
- named is running on a LAN, and the same server forwards packets to the internet and handles the firewall rules
The use case can be:
- we block all outgoing traffic (all internet requests must go through a secured proxy)
- but for some internet servers we want to allow traffic based on the IPs that were securely given by named. The idea is that if the request name matches a wildcard, the plugin adds the answered address to an A or AAAA ipset. This is useful for some 'approved' domains that have many public addresses, and it is more reliable than looping over the name.
Request
I already have a working plugin that has the following features:
- independent plugin
- can be linked with libipset or libnftnl libraries (ipset or nft sets)
- reacts when an A or AAAA answer is about to be given to the client: if the name matches one of the wildcards configured for a set, it adds the address to that set before answering the client (in this case the answer is a few ms slower, but this allows the subsequent TCP connection to succeed)
- when there is no match the timing overhead is negligible
The configuration is as follows, for updating the 'entertainment' ipset of the filter nft table with all IP addresses that we get from *.example.com:
plugin query "update-ipset.so" {
    ipset entertainment {
        sites {
            *.example.com.;
            *.other-example.com.;
        };
        ttl 3600;
        nftable filter;
        family inet;
    };
};
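To illustrate the decision the plugin makes for each answer, here is an added Python example (not part of the patch or of BIND) that applies the configuration above to an A/AAAA answer and builds the equivalent nft CLI commands. It assumes that `*.example.com.` matches any name with at least one label under example.com (not the apex), and that there is one nft set per address family, named `<ipset>_v4` and `<ipset>_v6`; the issue does not specify either detail.

```python
import ipaddress
from typing import Iterable, List, Optional

# Constructed configuration mirroring the issue's example (structure assumed).
CONFIG = {
    "entertainment": {
        "sites": ["*.example.com.", "*.other-example.com."],
        "ttl": 3600,
        "nftable": "filter",
        "family": "inet",
    }
}


def matches_wildcard(qname: str, pattern: str) -> bool:
    """Match a name against a '*.' wildcard pattern (case-insensitive, FQDN).
    Assumption: the wildcard needs at least one label under the suffix."""
    qname = qname.lower().rstrip(".") + "."
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com." keeps the label boundary
        return qname.endswith(suffix) and len(qname) > len(suffix)
    return qname == pattern


def set_for_answer(qname: str, rrtype: str, config=CONFIG) -> Optional[str]:
    """Return the ipset whose wildcard list matches qname, or None.
    Only A and AAAA answers are ever considered, as the plugin does."""
    if rrtype not in ("A", "AAAA"):
        return None
    for name, spec in config.items():
        if any(matches_wildcard(qname, p) for p in spec["sites"]):
            return name
    return None


def nft_commands(qname: str, rrtype: str, addresses: Iterable[str],
                 config=CONFIG) -> List[str]:
    """Build the nft commands that add each answered address to the matching
    set with the configured timeout (the plugin uses libnftnl directly)."""
    set_name = set_for_answer(qname, rrtype, config)
    if set_name is None:
        return []
    spec = config[set_name]
    version = 4 if rrtype == "A" else 6
    # Assumed naming: one typed set per family, e.g. entertainment_v4.
    target = f"{set_name}_v{version}"
    cmds = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if ip.version != version:
            continue  # an A answer cannot carry an IPv6 address, and vice versa
        cmds.append(f"nft add element {spec['family']} {spec['nftable']} "
                    f"{target} {{ {ip} timeout {spec['ttl']}s }}")
    return cmds
```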
I made a patch that is working on my systems, however:
- I haven't written unit tests yet. I would like to see the community's feedback first
- I tried to follow the coding rules, and checked for memory leaks in different situations
Links / references
0001-Plugin-for-updating-ipsets-during-name-resolution.patch