coredns_nftables

Published: Oct 19, 2022 License: Apache-2.0 Imports: 19 Imported by: 0

README

coredns-nftables

An nftables plugin for CoreDNS: it adds the addresses found in DNS answers to nftables sets.

Name

nftables - modifies nftables sets after a DNS response message has been received (the IPv4/IPv6 addresses in the answer are added to the configured sets).

Compilation

nftables:github.com/owent/coredns-nftables

In plugin.cfg this plugin must be placed before cache, or between cache and finalize (plugin execution order follows plugin.cfg, not the Corefile).

# Register finalize right after cache in plugin.cfg. The existing entry is
# deleted first so re-running this snippet is idempotent. Note that every
# `-i.bak` overwrites plugin.cfg.bak, so only the last pre-edit state survives.
sed -i.bak -r '/finalize:.*/d' plugin.cfg
sed -i.bak '/cache:.*/a finalize:github.com/tmeckel/coredns-finalizer' plugin.cfg
go get github.com/tmeckel/coredns-finalizer

# Register nftables before cache (sed's `i` inserts before the matched line),
# which satisfies the "before cache" placement described above.
sed -i.bak -r '/nftables:.*/d' plugin.cfg
sed -i.bak '/cache:.*/i nftables:github.com/owent/coredns-nftables' plugin.cfg
go get github.com/owent/coredns-nftables

# Regenerate the plugin registration sources from plugin.cfg.
go generate

Syntax

nftables [ip/ip6]... {
  set add element <TABLE_NAME> <SET_NAME> [ip/ip6/auto] [interval] [timeout]
  [set lru max <count>]
  [set lru retry times <count>]
  [set lru timeout <timeout>]
  [connection timeout <timeout>]
  [async <true/false>]
}

nftables [inet/bridge/arp/netdev]... {
  set add element <TABLE_NAME> <SET_NAME> <ip/ip6> [interval] [timeout]
  [set lru max <count>]
  [set lru retry times <count>]
  [set lru timeout <timeout>]
  [connection timeout <timeout>]
  [async <true/false>]
}

The element timeout should be greater than the cache plugin's TTL — presumably because a response served from the cache may not pass through this plugin again, so a shorter timeout would let the set element expire while clients still hold the cached answer.

Valid timeout units are "ms", "s", "m", "h".

If `connection timeout`, `async`, or any `set lru *` directive appears more than once, the last occurrence wins.

Examples

Enable nftables:

example.org {
    whoami
    forward . 8.8.8.8
    finalize
    # Add the IPv4/IPv6 addresses from each answer to set IPSET in table
    # filter: `auto` key type, no interval flag, 24h element timeout.
    # Whatever the upstream resolver returns ends up in the set, so only use
    # the set in rules where that is acceptable.
    nftables ip ip6 {
      set add element filter IPSET auto false 24h
      connection timeout 10m
    }

    # For inet/bridge/arp/netdev tables the key type must be given explicitly
    # (ip or ip6), so IPv4 and IPv6 answers go to separate sets.
    nftables inet bridge {
      set add element filter IPV4 ip false 24h
      set add element filter IPV6 ip6 false 24h
    }
}

See Also

For Developers

Debug Build
git clone --depth 1 https://github.com/coredns/coredns.git coredns
cd coredns
# Discard any local edits so plugin.cfg starts from the upstream version.
git reset --hard
# Register finalize right after cache (delete first so re-running is idempotent).
sed -i.bak -r '/finalize:.*/d' plugin.cfg
sed -i.bak '/cache:.*/a finalize:github.com/tmeckel/coredns-finalizer' plugin.cfg
go get github.com/tmeckel/coredns-finalizer
# Register nftables after cache as well; because finalize was appended first,
# the resulting order is cache -> nftables -> finalize.
sed -i.bak -r '/nftables:.*/d' plugin.cfg
sed -i.bak '/cache:.*/a nftables:github.com/owent/coredns-nftables' plugin.cfg
# Track the main branch for development; use the commented line to pin the
# latest tagged release instead.
go get -u github.com/owent/coredns-nftables@main
# go get github.com/owent/coredns-nftables@latest
# Regenerate the plugin registration sources from plugin.cfg.
go generate

# -N -l disables optimisations and inlining so delve can step through the code.
env CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -gcflags=all="-N -l" -o build/linux/amd64/coredns
Configure File For Debug
# Reusable snippet imported by both server blocks below.
(default_dns_ip) {
  # Development aid only; not meant for a production Corefile.
  debug
  # errors
  # Public upstream resolvers, tried in the listed order.
  forward . 119.29.29.29 223.5.5.5 1.0.0.1 94.140.14.140 2402:4e00:: 2400:3200::1 2400:3200:baba::1 2606:4700:4700::1001 2a10:50c0::1:ff {
    policy sequential
  }
  loop
  log
}

# Catch-all zone: plain forwarding, no nftables changes.
. {
  import default_dns_ip
}

# Only answers for these names are written into the nftables sets. Whatever the
# upstream resolvers return for them lands in the set, so keep the forwarders
# trusted and only reference the set in rules where that is acceptable.
owent.net www.owent.net {
  nftables ip ip6 {
    # Table test_coredns_nft, set TEST_SET, `auto` key type, no interval flag,
    # 24h element timeout (the README requires this to exceed the cache TTL;
    # no cache plugin is configured here).
    set add element test_coredns_nft TEST_SET auto false 24h
    # LRU bookkeeping for already-applied elements; see the Syntax section.
    set lru max 30000
    set lru retry times 5
    set lru timeout 5m
    connection timeout 20m
    # Presumably applies the nftables changes off the request path — confirm.
    async true
  }
  nftables bridge {
    # bridge tables need an explicit key type, hence separate ip / ip6 sets.
    set add element test_coredns_nft TEST_SET_IPV4 ip false 24h
    set add element test_coredns_nft TEST_SET_IPV6 ip6 false 24h
  }
  import default_dns_ip
}
VSCode launch example
{
  "version": "0.2.0",
  "configurations": [
    {
      "name": "Launch Package",
      "type": "go",
      "request": "launch",
      "mode": "debug",
      "program": "${workspaceFolder}",
      "args": [
        "-dns.port=6813",
        "-conf=${workspaceFolder}/.vscode/test-coredns.conf",
        "-alsologtostderr"
      ],
      "showLog": true
    },
    {
      "name": "Launch Executable",
      "type": "go",
      "request": "launch",
      "mode": "exec",
      "program": "${workspaceFolder}/build/linux/amd64/coredns",
      "args": [
        "-dns.port=6813",
        "-conf=${workspaceFolder}/.vscode/test-coredns.conf",
        "-alsologtostderr"
      ],
      "cwd": "${workspaceFolder}/build",
      "showLog": true
    }
  ]
}
Run
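# `go get` no longer installs binaries (Go 1.18+) and, run inside the coredns
# module, would only add delve to its go.mod; install the tool explicitly.
go install github.com/go-delve/delve/cmd/dlv@latest

# Modifying nftables over netlink requires CAP_NET_ADMIN, hence sudo. To avoid
# running the whole server as root, grant just that capability instead:
#   sudo setcap cap_net_admin+ep build/linux/amd64/coredns
sudo build/linux/amd64/coredns -dns.port=6813 -conf test-coredns.conf

# The server listens on the non-default port 6813, so point dig at it explicitly.
dig owent.net @127.0.0.1 -p 6813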

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ClearCache added in v0.2.0

func ClearCache()

func CloseCache

func CloseCache(cache *NftablesCache) error

func SetConnectionTimeout

func SetConnectionTimeout(timeout time.Duration)

func SetNftableAsyncMode added in v0.2.0

func SetNftableAsyncMode(mode bool)

func SetSetLruMaxCount added in v0.2.0

func SetSetLruMaxCount(count int)

func SetSetLruMaxRetryTimes added in v0.2.0

func SetSetLruMaxRetryTimes(times int)

func SetSetLruTimeout added in v0.2.0

func SetSetLruTimeout(timeout time.Duration)

Types

type NftableCache added in v0.2.0

type NftableCache struct {
	// contains filtered or unexported fields
}

type NftableIPCache added in v0.2.0

type NftableIPCache struct {
	ExpireTime time.Time
	ApplyCount int
}

type NftablesCache

type NftablesCache struct {
	CreateTimepoint           time.Time
	NftableConnection         *nftables.Conn
	NetworkNamespace          netns.NsHandle
	HasNftableConnectionError bool
	// contains filtered or unexported fields
}

func NewCache

func NewCache() (*NftablesCache, error)

func (*NftablesCache) GetFamilyName

func (cache *NftablesCache) GetFamilyName(family nftables.TableFamily) string

func (*NftablesCache) LruIgnoreIp added in v0.2.0

func (cache *NftablesCache) LruIgnoreIp(answer *dns.RR) bool

func (*NftablesCache) LruUpdateIp added in v0.2.0

func (cache *NftablesCache) LruUpdateIp(answer *dns.RR, rulesCounter int)

func (*NftablesCache) MutableNftablesTable

func (cache *NftablesCache) MutableNftablesTable(family nftables.TableFamily, tableName string) *NftableCache

func (*NftablesCache) SetAddElements added in v0.2.0

func (cache *NftablesCache) SetAddElements(tableCache *NftableCache, set *nftables.Set, elements []nftables.SetElement) error

type NftablesHandler

type NftablesHandler struct {
	Next plugin.Handler

	Rules map[nftables.TableFamily]*NftablesRuleSet
}

NftablesHandler implements the plugin.Handler interface.

func NewNftablesHandler

func NewNftablesHandler() NftablesHandler

func (*NftablesHandler) MutableRuleSet

func (m *NftablesHandler) MutableRuleSet(family nftables.TableFamily) *NftablesRuleSet

func (*NftablesHandler) Name

func (m *NftablesHandler) Name() string

func (*NftablesHandler) ServeDNS

func (m *NftablesHandler) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg) (int, error)

func (*NftablesHandler) ServeWorker

func (m *NftablesHandler) ServeWorker(ctx context.Context, r *dns.Msg) error

type NftablesRuleSet

type NftablesRuleSet struct {
	RuleAddElement []*NftablesSetAddElement
}

type NftablesSetAddElement

type NftablesSetAddElement struct {
	TableName string
	SetName   string
	Interval  bool
	Timeout   time.Duration
	KeyType   nftables.SetDatatype
}

func (*NftablesSetAddElement) Name

func (m *NftablesSetAddElement) Name() string

func (*NftablesSetAddElement) ServeDNS

func (m *NftablesSetAddElement) ServeDNS(ctx context.Context, cache *NftablesCache, answer *dns.RR, family nftables.TableFamily) (error, bool)
