<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Aptos;
panose-1:2 11 0 4 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Aptos",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#467886;
text-decoration:underline;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:11.0pt;
mso-ligatures:none;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:216552446;
mso-list-template-ids:-175092088;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style>
</head>
<body lang="EN-AU" link="#467886" vlink="#96607D" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Hi all,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">It’s been a few months and I just want to check in on this and see if anyone has thought about the proposed changes for per-local zone ipsets.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">I also noticed that there are some changes in a PR for nftables support by buevsan:
<a href="https://github.com/NLnetLabs/unbound/pull/1196">https://github.com/NLnetLabs/unbound/pull/1196</a>. Which makes me wonder about support between the two, i.e. refactoring my changes post-merge of nftables support to ensure compatibility, or, in
the inverse case, merging these changes and refactoring the nftables work to conform.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Cheers,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Jack<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div id="mail-editor-reference-message-container">
<div>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:12.0pt;color:black">From:
</span></b><span style="font-size:12.0pt;color:black">Kilrain, Jack &lt;Jack.Kilrain@netapp.com&gt;<br>
<b>Date: </b>Thursday, 14 November 2024 at 5:33 pm<br>
<b>To: </b>Unbound Mailing List &lt;unbound-users@lists.nlnetlabs.nl&gt;<br>
<b>Cc: </b>Raevski, Gregory &lt;Gregory.Raevski@netapp.com&gt;<br>
<b>Subject: </b>Per-local zone ipset declarations with TTLs<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal">Hi all,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I recently raised a PR to add support for per-local-zone ipset specification, allowing more than one ipset to be used and setting TTLs on the ipset entries based on RRset timeout field values, which can be conditionally enabled (implementation
details, config examples and reasoning can be found on the PR): <a href="https://github.com/NLnetLabs/unbound/pull/1162" title="https://github.com/NLnetLabs/unbound/pull/1162">https://github.com/NLnetLabs/unbound/pull/1162</a><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I wanted to discuss a few things here:<o:p></o:p></p>
<ol style="margin-top:0cm" start="1" type="1">
<li class="MsoNormal" style="mso-list:l0 level1 lfo1">Asking for reviews and opinions on it, plus any assistance I can give to get it into a state that is mergeable<o:p></o:p></li>
<li class="MsoNormal" style="mso-list:l0 level1 lfo1">Necessary changes for the Debian package to add the CAP_NET_ADMIN support conditionally on compilation with --enable-ipset (possibly detect this based on env vars set from the configure script) to update
the apparmor profile with the capability<o:p></o:p></li>
<li class="MsoNormal" style="mso-list:l0 level1 lfo1">BSD’s packet filter framework has no support for per-entry TTLs into a table, i.e. it can only evict entries from a table based on a delta invoked on the table itself, implying no automatic eviction. If someone
more familiar with BSD than I has any idea on this, it would be great to hear about a potential solution.<o:p></o:p></li>
</ol>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">In terms of use case, we are looking to use Unbound as a forwarding DNS server which conditionally adds resolved addresses into ipsets for firewall passthrough. Essentially a DNS firewall. Given we have services that talk over various ports
and protocols, the restriction of a single global ipset makes it impossible to distinguish entries on a per-port/protocol/etc. basis from a single ipset.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">It would be great to hear some feedback, opinions, etc. on this. Open to anything.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Cheers,<o:p></o:p></p>
<p class="MsoNormal">Jack<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
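<p class="MsoNormal">The following is an added example, not code from Unbound or from the PR above: a small Python model of the mechanism the message describes, selecting an ipset per local zone, deriving the entry timeout from the RRset TTL (or not, when the option is disabled), and, for point 3, tracking expiry on the resolver side for a table backend that cannot expire entries itself. The zone-to-set mapping, the _v4/_v6 set naming and the sample addresses are constructed for illustration and are not Unbound configuration.</p>
<pre>
```python
"""Added example (not code from Unbound or from PR #1162): a small model of
per-local-zone ipset selection with RRset-TTL-driven entry timeouts, plus a
user-space expiry table for backends without per-entry TTLs. The zone-to-set
mapping, the _v4/_v6 naming and all sample data are constructed."""

import ipaddress

# Constructed configuration: local zone -> base ipset name (assumed shape).
ZONE_SETS = {
    "api.example.": "allow_https",
    "mail.example.": "allow_smtp",
}

# ipset sets are single-family, so each zone gets an IPv4 and an IPv6 set;
# the suffix convention is this example's, not Unbound's.
FAMILY_SUFFIX = {4: "_v4", 6: "_v6"}


def zone_for(qname):
    """Return the base set name of the longest configured zone that qname
    is at or below, or None when no local zone matches."""
    name = qname.lower()
    if not name.endswith("."):
        name += "."
    best = None
    for zone, set_name in ZONE_SETS.items():
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best[0]):
                best = (zone, set_name)
    return best[1] if best else None


def ipset_commands(qname, addresses, rrset_ttl, use_ttl=True):
    """Commands a resolver would issue for one answer. With use_ttl the entry
    timeout follows the RRset TTL, so the firewall opening closes when the
    cached answer would; without it entries stay until removed by hand."""
    base = zone_for(qname)
    if base is None:
        return []
    cmds = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        cmd = "ipset add %s%s %s -exist" % (base, FAMILY_SUFFIX[ip.version], ip)
        if use_ttl:
            # the target set must have been created with timeout support
            cmd += " timeout %d" % rrset_ttl
        cmds.append(cmd)
    return cmds


class ExpiringTable:
    """Resolver-side deadline tracking for a table that cannot expire
    entries itself (the pf case in point 3): record when each entry should
    go and let a periodic sweep report the ones to delete."""

    def __init__(self):
        self._deadline = {}  # (set_name, address) -> absolute expiry time

    def add(self, set_name, addr, ttl, now):
        key = (set_name, str(ipaddress.ip_address(addr)))
        self._deadline[key] = now + ttl  # a fresh answer restarts the clock

    def sweep(self, now):
        """Remove and return every entry whose deadline has passed."""
        expired = sorted(k for k, t in self._deadline.items() if now >= t)
        for key in expired:
            del self._deadline[key]
        return expired

    def live(self):
        return sorted(self._deadline)


if __name__ == "__main__":
    for c in ipset_commands("www.api.example", ["192.0.2.10", "2001:db8::10"], 300):
        print(c)
    table = ExpiringTable()
    table.add("allow_smtp_v4", "192.0.2.25", 60, now=1000)
    table.add("allow_smtp_v4", "192.0.2.26", 600, now=1000)
    print("expired at t=1060:", table.sweep(now=1060))
    print("still allowed:", table.live())
```
</pre>
<p class="MsoNormal">Running the script prints the ipset lines for one answer and then shows the sweep evicting only the entry whose TTL has run out. Nothing here touches the kernel; the printed commands are the shape a real deployment would execute, which needs CAP_NET_ADMIN and sets created with the timeout option, and the ExpiringTable is only the bookkeeping a resolver would need to do itself when the firewall table has no per-entry TTL.</p>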
</div>
</div>
</div>
</div>
</div>
</body>
</html>