In the existing workflow and configuration, Unbound requires an ipset to be specified globally and referenced where necessary in each local-zone declaration.
This is very limiting as it does not allow delineation of domains operating in different contexts, i.e. utilising ipsets for each port or protocol.
Having all rules bundled into a single ipset implies uniformity in access (egress/ingress) when bound to an ipset, potentially causing unwanted firewall access for domains over ports/interfaces/etc that are not desired.
For example, using the follwing config to populate an ipset for two domains where https_example.com operates over https port 443 and amqp_domain.net operates over 5431:
Causes issues when trying to create matching iptables rules to allow to distinct ports on each domain:
ipset -A OUTPUT -m tcp -p tcp --dport 443 -m set --match-set test_set dst -J ALLOW
ipset -A OUTPUT --dport 5431 -m set --match-set test_set dst -J ALLOW
As both https_example.com and amqp_domain.amqp will be allowed on port 443 and 5431.
Changes
This PR does the following:
Supports per-rule ipset targets
Allows for ipset entries to have expiry set based on RRSet entry TTL
Ensures backwards compatibility with global ipset declaration
Handles netlink ACK responses appropriately to check for errors (including permissions)
The new local-zone declaration format is: lcoal-zone: <domain> ipset [<protocol> <set name> <ttl | no-ttl>].
The last parameters are still optional, should the user still be using the global ipset declaration.
Global declarations will be translated into per-rule definitions internally for simplicity, but have no difference in their behaviour.
The protocol field is designed for network layer protocols (i.e. ipv4/ipv6/arpa/etc), it only supports ipv4 and ipv6 values currently inline with the existing supported protocols, appropriately logging an error when encountering an invalid value.
Would allow for an iptables setup as follows, ensuring no overlap between the rules.
ipset -A OUTPUT -m tcp -p tcp --dport 443 -m set --match-set https_set dst -J ALLOW
ipset -A OUTPUT --dport 5431 -m set --match-set amqp_set dst -J ALLOW
ipset -A OUTPUT -m tcp -p tcp --dport 443 -m set --match-set test_test dst -J ALLOW
Notes
There are a few things to note, obviously this needs to have Unbound build with ipset support via --enable-ipset and the apparmor profile modified to include the CAP_NET_ADMIN permission as well (necessitated by netlink framework).
These changes would need to be included in the Debian package distribution and also potentially some refactor to allow the apparmor profile to be conditionally modified to include the capability when the USE_IPSET env var is detected from the configure script (I will raise a separate issue to deal with this as it is a more general problem to be solved with the Debian package).
In a BSD distribution, compiled with the packet filter framework, there is no support for TTLs to be set on individual table entries. The only support that pf provides is invoking manual expiry of table entries past a delta of n seconds via the pfctl -t <table> -T expire <seconds> flag (https://man.openbsd.org/pfctl#T~3).
Thus no support is added there for TTLs and a suitable warning is raised from the parser when the config is checked.
TODO [Done]
There are a few things I'd like to do before this is moved out of draft and into a fully reviewable state:
[x] Add tests for both old and new ipset declaration format
[x] Double check parser behaviour to ensure 5 parameter variant is not early matched by 2 parameter variant
[x] Updated documentation to deprecate old ipset format and detail new format as well as limitation of no rule TTLs on BSD distributions using packet filter.
Problem
In the existing workflow and configuration, Unbound requires an ipset to be specified globally and referenced where necessary in each
local-zonedeclaration. This is very limiting as it does not allow delineation of domains operating in different contexts, i.e. utilising ipsets for each port or protocol. Having all rules bundled into a single ipset implies uniformity in access (egress/ingress) when bound to an ipset, potentially causing unwanted firewall access for domains over ports/interfaces/etc that are not desired.For example, using the follwing config to populate an ipset for two domains where
https_example.comoperates over https port 443 andamqp_domain.netoperates over 5431:Causes issues when trying to create matching iptables rules to allow to distinct ports on each domain:
As both
https_example.comandamqp_domain.amqpwill be allowed on port 443 and 5431.Changes
This PR does the following:
The new
local-zonedeclaration format is:lcoal-zone: <domain> ipset [<protocol> <set name> <ttl | no-ttl>]. The last parameters are still optional, should the user still be using the global ipset declaration. Global declarations will be translated into per-rule definitions internally for simplicity, but have no difference in their behaviour.The
protocolfield is designed for network layer protocols (i.e. ipv4/ipv6/arpa/etc), it only supportsipv4andipv6values currently inline with the existing supported protocols, appropriately logging an error when encountering an invalid value.Example Configuration
An example config in this new setup is:
Would allow for an iptables setup as follows, ensuring no overlap between the rules.
Notes
There are a few things to note, obviously this needs to have Unbound build with ipset support via
--enable-ipsetand the apparmor profile modified to include theCAP_NET_ADMINpermission as well (necessitated by netlink framework). These changes would need to be included in the Debian package distribution and also potentially some refactor to allow the apparmor profile to be conditionally modified to include the capability when the USE_IPSET env var is detected from theconfigurescript (I will raise a separate issue to deal with this as it is a more general problem to be solved with the Debian package).In a BSD distribution, compiled with the packet filter framework, there is no support for TTLs to be set on individual table entries. The only support that pf provides is invoking manual expiry of table entries past a delta of
nseconds via thepfctl -t <table> -T expire <seconds>flag (https://man.openbsd.org/pfctl#T~3). Thus no support is added there for TTLs and a suitable warning is raised from the parser when the config is checked.TODO [Done]
There are a few things I'd like to do before this is moved out of draft and into a fully reviewable state: