- PR #28: IPSet module, by Kevin Chou. Created a module to support

  the ipset that could add the domain's ip to a list easily.
  Needs libmnl, and --enable-ipset and config it, doc/README.ipset.md.
- Fix to omit RRSIGs from addition to the ipset.

diff --git a/doc/Changelog b/doc/Changelog
index 6d67cc166d45a4e733b08fe80d7d3e07d8f00dc3..10c88224ea17564618550a160692e7262b109272 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,9 @@
+18 June 2019: Wouter
+       - PR #28: IPSet module, by Kevin Chou.  Created a module to support
+         the ipset that could add the domain's ip to a list easily.
+         Needs libmnl, and --enable-ipset and config it, doc/README.ipset.md.
+       - Fix to omit RRSIGs from addition to the ipset.
+
 17 June 2019: Wouter
        - Master contains version 1.9.3 in development.
        - Fix #39: In libunbound, leftover logfile is close()d unpredictably.

diff --git a/doc/README.ipset.md b/doc/README.ipset.md
new file mode 100644 (file)
index 0000000..4bd993e
--- /dev/null
+++ b/doc/README.ipset.md
@@ -0,0 +1,65 @@
+## Created a module to support the ipset that could add the domain's ip to a list easily.
+
+### Purposes:
+* In my case, I can't access the facebook, twitter, youtube and thousands web site for some reason. VPN is a solution. But the internet too slow whether all traffics pass through the vpn.
+So, I set up a transparent proxy to proxy the traffic which has been blocked only.
+At the final step, I need to install a dns service which would work with ipset well to launch the system.
+I did some research for this. Unfortunately, Unbound, My favorite dns service doesn't support ipset yet. So, I decided to implement it by my self and contribute the patch. It's good for me and the community.
+```
+# unbound.conf
+server:
+  ...
+  local-zone: "facebook.com" ipset
+  local-zone: "twitter.com" ipset
+  local-zone: "instagram.com" ipset
+  more social website
+
+ipset:
+  name-v4: "gfwlist"
+```
+```
+# iptables
+iptables -A PREROUTING -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-ports 10800
+iptables -A OUTPUT -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-ports 10800
+```
+
+* This patch could work with iptables rules to batch block the IPs.
+```
+# unbound.conf
+server:
+  ...
+  local-zone: "facebook.com" ipset
+  local-zone: "twitter.com" ipset
+  local-zone: "instagram.com" ipset
+  more social website
+
+ipset:
+  name-v4: "blacklist"
+  name-v6: "blacklist6"
+```
+```
+# iptables
+iptables -A INPUT -m set --set blacklist src -j DROP
+ip6tables -A INPUT -m set --set blacklist6 src -j DROP
+```
+
+### Notes:
+* To enable this module the root privileges is required.
+* Please create a set with ipset command first. eg. **ipset -N blacklist iphash**
+
+### How to use:
+```
+./configure --enable-ipset
+make && make install
+```
+
+### Configuration:
+```
+# unbound.conf
+server:
+  ...
+  local-zone: "example.com" ipset
+
+ipset:
+  name-v4: "blacklist"
+```

diff --git a/ipset/ipset.c b/ipset/ipset.c
index fb16c06a3df2590681c78f60f965b68696c04e51..2e90b012c5280bbd3d90b0cc890ee1f9d7299358 100755 (executable)
--- a/ipset/ipset.c
+++ b/ipset/ipset.c
@@ -160,7 +160,8 @@ static int ipset_update(struct module_env *env, struct dns_msg *return_msg, stru
 
                                        if (strncasecmp(p->str, s, plen) == 0) {
                                                d = (struct packed_rrset_data*)rrset->entry.data;
-                                               for (j = 0; j < d->count + d->rrsig_count; j++) {
+                                               /* to d->count, not d->rrsig_count, because we do not want to add the RRSIGs, only the addresses */
+                                               for (j = 0; j < d->count; j++) {
                                                        rr_len = d->rr_len[j];
                                                        rr_data = d->rr_data[j];