coredns_nftables

package module

v0.2.1 Latest Latest Go to latest Published: Oct 19, 2022 License: Apache-2.0 Imports: 19 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/owent/coredns-nftables

Links

Open Source Insights

README ¶

coredns-nftables

nftables plugin of coredns

Name

nftables - Modify nftables after got a DNS response message.

Compilation

nftables:github.com/owent/coredns-nftables

This plugin should be add before cache or between cache and finalize.

sed -i.bak -r '/finalize:.*/d' plugin.cfg
sed -i.bak '/cache:.*/a finalize:github.com/tmeckel/coredns-finalizer' plugin.cfg
go get github.com/tmeckel/coredns-finalizer

sed -i.bak -r '/nftables:.*/d' plugin.cfg
sed -i.bak '/cache:.*/i nftables:github.com/owent/coredns-nftables' plugin.cfg
go get github.com/owent/coredns-nftables

go generate

Syntax

nftables [ip/ip6]... {
  set add element <TABLE_NAME> <SET_NAME> [ip/ip6/auto] [interval] [timeout]
  [set lru max <count>]
  [set lru retry times <count>]
  [set lru timeout <timeout>]
  [connection timeout <timeout>]
  [async <true/false>]
}

nftables [inet/bridge/arp/netdev]... {
  set add element <TABLE_NAME> <SET_NAME> <ip/ip6> [interval] [timeout]
  [set lru max <count>]
  [set lru retry times <count>]
  [set lru timeout <timeout>]
  [connection timeout <timeout>]
  [async <true/false>]
}

The timeout should be greater than cache.

Valid timeout units are "ms", "s", "m", "h".

If more than one connection timeout <timeout>, async <true/false>, set lru * are set, we use the last one.

Examples

Enable nftables:

example.org {
    whoami
    forward . 8.8.8.8
    finalize
    nftables ip ip6 {
      set add element filter IPSET auto false 24h
      connection timeout 10m
    }

    nftables inet bridge {
      set add element filter IPV4 ip false 24h
      set add element filter IPV6 ip6 false 24h
    }
}

For Developers

Debug Build

git clone --depth 1 https://github.com/coredns/coredns.git coredns
cd coredns
git reset --hard
sed -i.bak -r '/finalize:.*/d' plugin.cfg
sed -i.bak '/cache:.*/a finalize:github.com/tmeckel/coredns-finalizer' plugin.cfg
go get github.com/tmeckel/coredns-finalizer
sed -i.bak -r '/nftables:.*/d' plugin.cfg
sed -i.bak '/cache:.*/a nftables:github.com/owent/coredns-nftables' plugin.cfg
go get -u github.com/owent/coredns-nftables@main
# go get github.com/owent/coredns-nftables@latest
go generate

env CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -gcflags=all="-N -l" -o build/linux/amd64/coredns

Configure File For Debug

(default_dns_ip) {
  debug
  # errors
  forward . 119.29.29.29 223.5.5.5 1.0.0.1 94.140.14.140 2402:4e00:: 2400:3200::1 2400:3200:baba::1 2606:4700:4700::1001 2a10:50c0::1:ff {
    policy sequential
  }
  loop
  log
}

. {
  import default_dns_ip
}

owent.net www.owent.net {
  nftables ip ip6 {
    set add element test_coredns_nft TEST_SET auto false 24h
    set lru max 30000
    set lru retry times 5
    set lru timeout 5m
    connection timeout 20m
    async true
  }
  nftables bridge {
    set add element test_coredns_nft TEST_SET_IPV4 ip false 24h
    set add element test_coredns_nft TEST_SET_IPV6 ip6 false 24h
  }
  import default_dns_ip
}

VSCode lanch example

{
  "version": "0.2.0",
  "configurations": [
    {
      "name": "Launch Package",
      "type": "go",
      "request": "launch",
      "mode": "debug",
      "program": "${workspaceFolder}",
      "args": [
        "-dns.port=6813",
        "-conf=${workspaceFolder}/.vscode/test-coredns.conf",
        "-alsologtostderr"
      ],
      "showLog": true
    },
    {
      "name": "Launch Executable",
      "type": "go",
      "request": "launch",
      "mode": "exec",
      "program": "${workspaceFolder}/build/linux/amd64/coredns",
      "args": [
        "-dns.port=6813",
        "-conf=${workspaceFolder}/.vscode/test-coredns.conf",
        "-alsologtostderr"
      ],
      "cwd": "${workspaceFolder}/build",
      "showLog": true
    }
  ]
}

Run

go get -v github.com/go-delve/delve/cmd/dlv

sudo build/linux/amd64/coredns -dns.port=6813 -conf test-coredns.conf

dig owent.net @127.0.0.1 -p 6813

Documentation ¶

Index ¶

func ClearCache()
func CloseCache(cache *NftablesCache) error
func SetConnectionTimeout(timeout time.Duration)
func SetNftableAsyncMode(mode bool)
func SetSetLruMaxCount(count int)
func SetSetLruMaxRetryTimes(times int)
func SetSetLruTimeout(timeout time.Duration)
type NftableCache
type NftableIPCache
type NftablesCache
- func NewCache() (*NftablesCache, error)
type NftablesHandler
- func NewNftablesHandler() NftablesHandler
type NftablesRuleSet
type NftablesSetAddElement
- func (m *NftablesSetAddElement) Name() string
- func (m *NftablesSetAddElement) ServeDNS(ctx context.Context, cache *NftablesCache, answer *dns.RR, ...) (error, bool)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func ClearCache ¶ added in v0.2.0

func ClearCache()

func CloseCache ¶

func CloseCache(cache *NftablesCache) error

func SetConnectionTimeout ¶

func SetConnectionTimeout(timeout time.Duration)

func SetNftableAsyncMode ¶ added in v0.2.0

func SetNftableAsyncMode(mode bool)

func SetSetLruMaxCount ¶ added in v0.2.0

func SetSetLruMaxCount(count int)

func SetSetLruMaxRetryTimes ¶ added in v0.2.0

func SetSetLruMaxRetryTimes(times int)

func SetSetLruTimeout ¶ added in v0.2.0

func SetSetLruTimeout(timeout time.Duration)

Types ¶

type NftableCache ¶ added in v0.2.0

type NftableCache struct {
	// contains filtered or unexported fields
}

type NftableIPCache ¶ added in v0.2.0

type NftableIPCache struct {
	ExpireTime time.Time
	ApplyCount int
}

type NftablesCache ¶

type NftablesCache struct {
	CreateTimepoint           time.Time
	NftableConnection         *nftables.Conn
	NetworkNamespace          netns.NsHandle
	HasNftableConnectionError bool
	// contains filtered or unexported fields
}

func NewCache ¶

func NewCache() (*NftablesCache, error)

func (*NftablesCache) GetFamilyName ¶

func (cache *NftablesCache) GetFamilyName(family nftables.TableFamily) string

func (*NftablesCache) LruIgnoreIp ¶ added in v0.2.0

func (cache *NftablesCache) LruIgnoreIp(answer *dns.RR) bool

func (*NftablesCache) LruUpdateIp ¶ added in v0.2.0

func (cache *NftablesCache) LruUpdateIp(answer *dns.RR, rulesCounter int)

func (*NftablesCache) MutableNftablesTable ¶

func (cache *NftablesCache) MutableNftablesTable(family nftables.TableFamily, tableName string) *NftableCache

func (*NftablesCache) SetAddElements ¶ added in v0.2.0

func (cache *NftablesCache) SetAddElements(tableCache *NftableCache, set *nftables.Set, elements []nftables.SetElement) error

type NftablesHandler ¶

type NftablesHandler struct {
	Next plugin.Handler

	Rules map[nftables.TableFamily]*NftablesRuleSet
}

NftablesHandler implements the plugin.Handler interface.

func NewNftablesHandler ¶

func NewNftablesHandler() NftablesHandler

func (*NftablesHandler) MutableRuleSet ¶

func (m *NftablesHandler) MutableRuleSet(family nftables.TableFamily) *NftablesRuleSet

func (*NftablesHandler) Name ¶

func (m *NftablesHandler) Name() string

func (*NftablesHandler) ServeDNS ¶

func (m *NftablesHandler) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg) (int, error)

func (*NftablesHandler) ServeWorker ¶

func (m *NftablesHandler) ServeWorker(ctx context.Context, r *dns.Msg) error

type NftablesRuleSet ¶

type NftablesRuleSet struct {
	RuleAddElement []*NftablesSetAddElement
}

type NftablesSetAddElement ¶

type NftablesSetAddElement struct {
	TableName string
	SetName   string
	Interval  bool
	Timeout   time.Duration
	KeyType   nftables.SetDatatype
}

func (*NftablesSetAddElement) Name ¶

func (m *NftablesSetAddElement) Name() string

func (*NftablesSetAddElement) ServeDNS ¶

func (m *NftablesSetAddElement) ServeDNS(ctx context.Context, cache *NftablesCache, answer *dns.RR, family nftables.TableFamily) (error, bool)

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL