On OpenBSD packet filter tables provide similar functionality to linux netfilter ipset. The second commit adds support for them.
Since the pf is manipulated by ioctl() on /dev/pf, /dev/pf needs to be opened before privileges are dropped. The first commit renames the modules' init functions to setup and allows modules to implement an init function which is run once before privileges are dropped. One unwanted side effect of this change is that now on reload by -HUP signal the ordering of the modules mustn't change.
This is not yet well tested, but feedback on whether the general approach is acceptable is highly welcome.
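The module contract described above (a privileged `init()` run once before the daemon drops privileges, a `setup()` run on every load and on each -HUP reload, and a handle kept open across reloads) can be sketched as follows. This is an added example, not Unbound's code or the pull request's patch: the `struct module` layout, the module names, the lifecycle driver, the unprivileged user id and the table name "unbound" are assumptions made for illustration. The `DIOCRADDADDRS` ioctl on `struct pfioc_table` is the real OpenBSD pf interface; on other systems the example opens `/dev/null` instead of `/dev/pf` so the lifecycle part still runs.

```c
/* Added example (not Unbound's code): module lifecycle with a privileged
 * init() run once before privilege drop and a setup() run on every (re)load.
 * Module names, struct layout, user id 65534 and the table name "unbound"
 * are assumptions for illustration. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#ifdef __OpenBSD__
#include <sys/ioctl.h>
#include <net/if.h>
#include <netinet/in.h>
#include <net/pfvar.h>
#endif

#define MAX_EVENTS 16
static const char *events[MAX_EVENTS];   /* ordered record of lifecycle calls */
static int nevents;
static void record(const char *e) { if (nevents < MAX_EVENTS) events[nevents++] = e; }

struct module {
    const char *name;
    int (*init)(struct module *);   /* privileged, once, before privilege drop (may be NULL) */
    int (*setup)(struct module *);  /* unprivileged, on every load and -HUP reload */
    int fd;                         /* privileged handle kept open across reloads */
};

/* pf-table module: the only privileged act is opening the pf device. */
static int pf_init(struct module *m) {
    record("pf:init");
#ifdef __OpenBSD__
    m->fd = open("/dev/pf", O_RDWR);
#else
    m->fd = open("/dev/null", O_RDWR);   /* no pf here: stand-in so the example runs */
#endif
    return m->fd >= 0 ? 0 : -1;
}
static int pf_setup(struct module *m) { record("pf:setup"); return m->fd >= 0 ? 0 : -1; }

/* A second module without privileged needs, to show the ordering. */
static int validator_setup(struct module *m) { (void)m; record("validator:setup"); return 0; }

/* Insert one IPv4 address into a pf table through the fd obtained in init().
 * Returns 1 if added, 0 if already present, -1 on error. */
int pf_table_add_v4(struct module *m, const char *table, const char *ip) {
    struct in_addr a;
    if (inet_pton(AF_INET, ip, &a) != 1) return -1;
#ifdef __OpenBSD__
    struct pfioc_table io;
    struct pfr_addr addr;
    memset(&io, 0, sizeof io);
    memset(&addr, 0, sizeof addr);
    strlcpy(io.pfrio_table.pfrt_name, table, sizeof io.pfrio_table.pfrt_name);
    addr.pfra_af = AF_INET;
    addr.pfra_net = 32;
    addr.pfra_ip4addr = a;
    io.pfrio_buffer = &addr;
    io.pfrio_esize = sizeof addr;
    io.pfrio_size = 1;
    if (ioctl(m->fd, DIOCRADDADDRS, &io) == -1) return -1;
    return io.pfrio_nadd;
#else
    (void)table;
    return m->fd >= 0 ? 1 : -1;
#endif
}

static int drop_privileges(void) {
    record("drop-privs");
    if (geteuid() != 0) return 0;             /* already unprivileged */
    if (setgid(65534) != 0 || setuid(65534) != 0) return -1;   /* uid is an assumption */
    return 0;
}

/* Startup followed by `reloads` -HUP reloads. Module order must stay the same
 * across reloads: the fd from init() lives in the module slot, so a reordered
 * module list would hand it to the wrong module (the side effect noted above). */
int run_lifecycle(struct module *mods, int n, int reloads) {
    int i, r;
    for (i = 0; i < n; i++)
        if (mods[i].init && mods[i].init(&mods[i]) != 0) return -1;
    if (drop_privileges() != 0) return -1;
    for (r = 0; r <= reloads; r++) {
        if (r > 0) record("reload");
        for (i = 0; i < n; i++)
            if (mods[i].setup(&mods[i]) != 0) return -1;
    }
    return 0;
}

int event_is(int i, const char *e) { return i < nevents && strcmp(events[i], e) == 0; }

/* Runs two modules through startup and one reload; returns 0 on success. */
int demo(void) {
    struct module mods[2] = {
        { "validator", NULL, validator_setup, -1 },
        { "pf", pf_init, pf_setup, -1 },
    };
    nevents = 0;
    if (run_lifecycle(mods, 2, 1) != 0) return -1;
    return pf_table_add_v4(&mods[1], "unbound", "192.0.2.10") >= 0 ? 0 : -1;  /* constructed address */
}

int main(void) {
    int i, rc = demo();
    for (i = 0; i < nevents; i++) printf("%s\n", events[i]);
    return rc == 0 ? 0 : 1;
}
```

The event log printed by `main` makes the ordering visible: the pf module's `init` runs before `drop-privs`, both modules' `setup` run after it, and a reload repeats only the `setup` phase while the descriptor opened during `init` stays valid.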
Hi, so your code looks nice. The issue is not the ipset addition, but that I need to talk about the general approach. It modifies the contract API of the modules, so I think it is best if I talk with my colleagues about it. And figure out what it is that we want from it, what you have done could be that (and it looks fine & a lot of work too).
From my initial look, the script API could be impacted to change too; otherwise I am not sure; maybe just extending the API with a priv setup routine or maybe the change to modify the existing init to setup routines in the pull request now. Trying to pick the best architectural solution for module support.
This functionality would be incredibly useful as a lot of BSD systems that are used as routers/firewalls use Unbound as their primary DNS resolver, for example OPNsense and pfSense. Thanks.
FreeBSD provides the ipset functionality by setfib.
Maybe I should have described the use case: making firewall decisions based on domain names (A and AAAA responses) by populating (pf tables or ipset) with resolved IPs.
I can’t figure out how setfib could be of use here.
There is a modified version of this patch in #1098 . I tried to remove some of the changes to other parts of the code, but it is nice to keep the startup capability for modules to get privileged items.