Bug 13791 - dnsmasq to unbound migration: Request to compile with --enable-ipset --with-libmnl
Status: CLOSED FIXED
Alias: None
Product: IPFire
Classification: Unclassified
Component: ---
Version: 2
Hardware: x86_64 Linux
Importance: Will affect almost no one, Balancing
Assignee: L. E.
Reported: 2024-11-08 14:16 UTC by L. E.
Modified: 2025-01-23 10:54 UTC
Description L. E. 2024-11-08 14:16:41 UTC
Not a bug, but a feature request:

In previous releases, dnsmasq was used as the DNS server, which was very useful, as it had the ability to specify the option --ipset in /etc/sysconfig/dnsmasq
as
CUSTOM_ARGS="--ipset=/domain1/domain2/ipset/"
which I was using a lot for my custom rules.
Upon an update of IPFire, I saw that it now uses the unbound DNS server.
The unbound DNS server also has a module for ipsets, however it needs to be compiled into the daemon.
From what I can see, this isn’t the case, unfortunately:

]# unbound -V
Version 1.20.0

Configure line: --prefix=/usr --sysconfdir=/etc --with-pidfile=/var/run/unbound.pid --with-rootkey-file=/var/lib/unbound/root.key --disable-static --with-libevent --enable-event-api --enable-tfo-client --enable-tfo-server ac_cv_func_getentropy=no
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.2.2 4 Jun 2024
Linked modules: dns64 respip validator iterator

It would be necessary to compile it with parameters --enable-ipset --with-libmnl

https://fossies.org/linux/unbound/doc/README.ipset.md

Thread that proposed using bugtracker for this request:
https://community.ipfire.org/t/unbound-with-ipset-support/13140/5
Comment 1 Michael Tremer 2024-11-19 13:32:23 UTC
Hello,

we don't use this feature, but I would be happy to accept a patch for this.
Comment 2 L. E. 2024-11-21 09:47:31 UTC
Here it is:

# git diff
diff --git a/lfs/unbound b/lfs/unbound
index d8efaf872..49e29b2b4 100644
--- a/lfs/unbound
+++ b/lfs/unbound
@@ -81,6 +81,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
                        --enable-event-api \
                        --enable-tfo-client \
                        --enable-tfo-server \
+                       --enable-ipset \
+                       --with-libmnl \
                        ac_cv_func_getentropy=no

        cd $(DIR_APP) && make $(MAKETUNING)
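Review bot: the added --with-libmnl line makes the unbound build depend on libmnl, and nothing in this hunk shows that libmnl is already built before lfs/unbound runs or is shipped on the installed system; please confirm that, or add the dependency in the same patch. The commit message should also say how the result was checked, for example that ipset now appears under "Linked modules:" in the output of unbound -V, since the output quoted in the description lists only dns64 respip validator iterator.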
Comment 3 Michael Tremer 2024-11-21 10:38:07 UTC
Please submit the patch to the mailing list as described here:

> https://www.ipfire.org/docs/devel/submit-patches
Comment 4 Adolf Belka 2025-01-07 20:17:22 UTC
Patch has been merged into CU191.

https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=5d697d7f6dd6c73a88391e94d30ba3b725787f83
Comment 6 Adolf Belka 2025-01-14 10:12:33 UTC
@L.E. are you able to verify this patch with Core Update 191 Testing?
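
One way to run the verification requested above, as an added example that is not part of the original bug thread or the IPFire code base: it parses `unbound -V` output and reports whether the ipset module and both configure flags are present. The function names are hypothetical, and the "patched" sample is constructed from the output quoted in the description, not captured from Core Update 191.

```shell
#!/bin/sh
# Added example: confirm from `unbound -V` that ipset support is compiled in.

# line_has_token PREFIX TOKEN: read text on stdin; succeed if a line starting
# with PREFIX contains TOKEN as a whole whitespace-separated word.
line_has_token() {
    awk -v prefix="$1" -v want="$2" '
        index($0, prefix) == 1 {
            n = split(substr($0, length(prefix) + 1), tok, " ")
            for (i = 1; i <= n; i++) if (tok[i] == want) found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# check_ipset_build OUTPUT: OUTPUT is the text printed by `unbound -V`.
# Prints one line per missing item; returns 0 only if nothing is missing.
check_ipset_build() {
    rc=0
    printf '%s\n' "$1" | line_has_token "Linked modules:" ipset \
        || { echo "ipset module not linked"; rc=1; }
    for flag in --enable-ipset --with-libmnl; do
        printf '%s\n' "$1" | line_has_token "Configure line:" "$flag" \
            || { echo "configure flag missing: $flag"; rc=1; }
    done
    return "$rc"
}

# Output quoted in the bug description (build without the patch).
SAMPLE_BEFORE='Version 1.20.0

Configure line: --prefix=/usr --sysconfdir=/etc --with-pidfile=/var/run/unbound.pid --with-rootkey-file=/var/lib/unbound/root.key --disable-static --with-libevent --enable-event-api --enable-tfo-client --enable-tfo-server ac_cv_func_getentropy=no
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.2.2 4 Jun 2024
Linked modules: dns64 respip validator iterator'

# Constructed sample: the same text with the two flags and the module added.
# The position of "ipset" in the module list is an assumption.
SAMPLE_PATCHED=$(printf '%s\n' "$SAMPLE_BEFORE" | sed \
    -e 's/ ac_cv_func/ --enable-ipset --with-libmnl ac_cv_func/' \
    -e 's/^Linked modules: /&ipset /')

# Demo on the embedded samples; on a live system pass "$(unbound -V)" instead.
check_ipset_build "$SAMPLE_BEFORE" || echo "=> unpatched build lacks ipset support"
check_ipset_build "$SAMPLE_PATCHED" && echo "=> patched sample has ipset support"
```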