Skip to content

owent/coredns-nftables

Repository files navigation

coredns-nftables

nftables plugin of coredns

Name

nftables - Modify nftables after got a DNS response message.

Compilation

nftables:github.com/owent/coredns-nftables

This plugin should be add before cache or between cache and finalize.

sed -i.bak -r '/finalize:.*/d' plugin.cfg
sed -i.bak '/cache:.*/a finalize:github.com/tmeckel/coredns-finalizer' plugin.cfg
go get github.com/tmeckel/coredns-finalizer

sed -i.bak -r '/nftables:.*/d' plugin.cfg
sed -i.bak '/cache:.*/i nftables:github.com/owent/coredns-nftables' plugin.cfg
go get github.com/owent/coredns-nftables

go generate

Syntax

nftables [ip/ip6]... {
  set add element <TABLE_NAME> <SET_NAME> [ip/ip6/auto] [interval] [timeout]
  [set lru max <count>]
  [set lru retry times <count>]
  [set lru timeout <timeout>]
  [connection timeout <timeout>]
  [async <true/false>]
}

nftables [inet/bridge/arp/netdev]... {
  set add element <TABLE_NAME> <SET_NAME> <ip/ip6> [interval] [timeout]
  [set lru max <count>]
  [set lru retry times <count>]
  [set lru timeout <timeout>]
  [connection timeout <timeout>]
  [async <true/false>]
}

The timeout should be greater than cache.

Valid timeout units are "ms", "s", "m", "h".

If more than one connection timeout <timeout>, async <true/false>, set lru * are set, we use the last one.

Examples

Enable nftables:

example.org {
    whoami
    forward . 8.8.8.8
    finalize
    nftables ip ip6 {
      set add element filter IPSET auto false 24h
      connection timeout 10m
    }

    nftables inet bridge {
      set add element filter IPV4 ip false 24h
      set add element filter IPV6 ip6 false 24h
    }
}

See Also

For Developers

Debug Build

git clone --depth 1 https://github.com/coredns/coredns.git coredns
cd coredns
git reset --hard
sed -i.bak -r '/finalize:.*/d' plugin.cfg
sed -i.bak '/cache:.*/a finalize:github.com/tmeckel/coredns-finalizer' plugin.cfg
go get github.com/tmeckel/coredns-finalizer
sed -i.bak -r '/nftables:.*/d' plugin.cfg
sed -i.bak '/cache:.*/a nftables:github.com/owent/coredns-nftables' plugin.cfg
go get -u github.com/owent/coredns-nftables@main
# go get github.com/owent/coredns-nftables@latest
go generate

env CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -gcflags=all="-N -l" -o build/linux/amd64/coredns

Configure File For Debug

(default_dns_ip) {
  debug
  # errors
  forward . 119.29.29.29 223.5.5.5 1.0.0.1 94.140.14.140 2402:4e00:: 2400:3200::1 2400:3200:baba::1 2606:4700:4700::1001 2a10:50c0::1:ff {
    policy sequential
  }
  loop
  log
}

. {
  import default_dns_ip
}

owent.net www.owent.net {
  nftables ip ip6 {
    set add element test_coredns_nft TEST_SET auto false 24h
    set lru max 30000
    set lru retry times 5
    set lru timeout 5m
    connection timeout 20m
    async true
  }
  nftables bridge {
    set add element test_coredns_nft TEST_SET_IPV4 ip false 24h
    set add element test_coredns_nft TEST_SET_IPV6 ip6 false 24h
  }
  import default_dns_ip
}

VSCode lanch example

{
  "version": "0.2.0",
  "configurations": [
    {
      "name": "Launch Package",
      "type": "go",
      "request": "launch",
      "mode": "debug",
      "program": "${workspaceFolder}",
      "args": [
        "-dns.port=6813",
        "-conf=${workspaceFolder}/.vscode/test-coredns.conf",
        "-alsologtostderr"
      ],
      "showLog": true
    },
    {
      "name": "Launch Executable",
      "type": "go",
      "request": "launch",
      "mode": "exec",
      "program": "${workspaceFolder}/build/linux/amd64/coredns",
      "args": [
        "-dns.port=6813",
        "-conf=${workspaceFolder}/.vscode/test-coredns.conf",
        "-alsologtostderr"
      ],
      "cwd": "${workspaceFolder}/build",
      "showLog": true
    }
  ]
}

Run

go get -v github.com/go-delve/delve/cmd/dlv

sudo build/linux/amd64/coredns -dns.port=6813 -conf test-coredns.conf

dig owent.net @127.0.0.1 -p 6813

About

nftables plugin of coredns

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages