dnsproxy: add three new features
This commit adds the following features: 1. UCI support for running a local DNS-over-HTTPS/TLS/QUIC server. 2. UCI support for using private reverse DNS. 3. A procd jail with CAP_NET_BIND_SERVICE, allowing dnsproxy to serve on standard ports directly. Signed-off-by: Emily H. <battery_tag708@simplelogin.com>
This commit is contained in:
parent
490866d752
commit
5df794e343
|
@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk
|
|||
|
||||
PKG_NAME:=dnsproxy
|
||||
PKG_VERSION:=0.70.0
|
||||
PKG_RELEASE:=1
|
||||
PKG_RELEASE:=2
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=https://codeload.github.com/AdguardTeam/dnsproxy/tar.gz/v$(PKG_VERSION)?
|
||||
|
@ -45,6 +45,8 @@ endef
|
|||
define Package/dnsproxy/install
|
||||
$(call GoPackage/Package/Install/Bin,$(1))
|
||||
|
||||
$(INSTALL_DIR) $(1)/etc/capabilities/
|
||||
$(INSTALL_DATA) $(CURDIR)/files/dnsproxy.json $(1)/etc/capabilities/dnsproxy.json
|
||||
$(INSTALL_DIR) $(1)/etc/config/
|
||||
$(INSTALL_CONF) $(CURDIR)/files/dnsproxy.config $(1)/etc/config/dnsproxy
|
||||
$(INSTALL_DIR) $(1)/etc/init.d/
|
||||
|
|
|
@ -37,8 +37,19 @@ config dnsproxy 'edns'
|
|||
option enabled '0'
|
||||
option edns_addr ''
|
||||
|
||||
config dnsproxy 'private_rdns'
|
||||
option enabled '0'
|
||||
list upstream '127.0.0.1:53'
|
||||
|
||||
config dnsproxy 'servers'
|
||||
list bootstrap 'tls://8.8.8.8'
|
||||
list fallback 'tls://9.9.9.9'
|
||||
list upstream 'tls://1.1.1.1'
|
||||
|
||||
config dnsproxy 'tls'
|
||||
option enabled '0'
|
||||
option tls_crt ''
|
||||
option tls_key ''
|
||||
option https_port '8443'
|
||||
option tls_port '853'
|
||||
option quic_port '853'
|
||||
|
|
|
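Review bot: The new `tls` section leaves `tls_crt` and `tls_key` empty while a single `enabled` flag switches on the HTTPS, TLS and QUIC listeners together, and nothing next to the options says what the files must look like even though the init script bind-mounts them into a read-only jail and runs the daemon as user `dnsproxy`. A comment above the section would prevent the usual mistake of a world-readable key, e.g. `# tls_crt/tls_key: PEM files, both required when enabled; must be readable by user 'dnsproxy' (mode 0640, group dnsproxy), not world-readable`. The default `https_port '8443'` also does not match the "standard ports" the commit message cites; if 443 is now intended because CAP_NET_BIND_SERVICE is granted, change the default, otherwise document why 8443 stays. For `private_rdns`, the default `list upstream '127.0.0.1:53'` presumably targets a separate local resolver; if dnsproxy itself is the listener on that address the reverse lookups would loop back to it, so a one-line comment naming the expected peer would help.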
@ -66,6 +66,11 @@ load_config_list() {
|
|||
|
||||
is_empty "bogus_nxdomain" "ip_addr" || config_list_foreach "bogus_nxdomain" "ip_addr" "append_param '--bogus-nxdomain'"
|
||||
|
||||
is_enabled "private_rdns" "enabled" && {
|
||||
append_param "--use-private-rdns"
|
||||
config_list_foreach "private_rdns" "upstream" "append_param '--private-rdns-upstream'"
|
||||
}
|
||||
|
||||
for i in "bootstrap" "fallback" "upstream"; do
|
||||
is_empty "servers" "$i" || config_list_foreach "servers" "$i" "append_param '--$i'"
|
||||
done
|
||||
|
@ -95,6 +100,14 @@ load_config_param() {
|
|||
append_param "--edns"
|
||||
append_param_arg "edns" "edns_addr" "--edns-addr"
|
||||
}
|
||||
|
||||
is_enabled "tls" "enabled" && {
|
||||
append_param_arg "tls" "tls_crt" "--tls-crt"
|
||||
append_param_arg "tls" "tls_key" "--tls-key"
|
||||
append_param_arg "tls" "https_port" "--https-port"
|
||||
append_param_arg "tls" "tls_port" "--tls-port"
|
||||
append_param_arg "tls" "quic_port" "--quic-port"
|
||||
}
|
||||
}
|
||||
|
||||
start_service() {
|
||||
|
@ -102,6 +115,11 @@ start_service() {
|
|||
|
||||
is_enabled "global" "enabled" || return 1
|
||||
|
||||
local log_file tls_crt tls_key
|
||||
config_get log_file global log_file
|
||||
config_get tls_crt tls tls_crt
|
||||
config_get tls_key tls tls_key
|
||||
|
||||
procd_open_instance "$CONF"
|
||||
procd_set_param command "$PROG"
|
||||
|
||||
|
@ -114,6 +132,13 @@ start_service() {
|
|||
procd_set_param stderr 1
|
||||
procd_set_param user dnsproxy
|
||||
|
||||
procd_add_jail dnsproxy ronly log
|
||||
procd_set_param capabilities "/etc/capabilities/dnsproxy.json"
|
||||
procd_add_jail_mount "/etc/ssl/certs/ca-certificates.crt"
|
||||
[ -z "$log_file" ] || procd_add_jail_mount_rw "$log_file"
|
||||
[ -z "$tls_crt" ] || procd_add_jail_mount "$tls_crt"
|
||||
[ -z "$tls_key" ] || procd_add_jail_mount "$tls_key"
|
||||
|
||||
procd_close_instance
|
||||
}
|
||||
|
||||
|
|
|
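Review bot: The certificate and private key are bind-mounted into the jail regardless of whether the `tls` section is enabled: `start_service` reads them unconditionally (`config_get tls_crt tls tls_crt`, `config_get tls_key tls tls_key`), whereas `load_config_param` only emits `--tls-crt`/`--tls-key` under `is_enabled "tls" "enabled"`. A key path left in the config with `enabled '0'` is therefore still exposed inside the jail for no reason. Gate the reads the same way the flag block does: `is_enabled "tls" "enabled" && { config_get tls_crt tls tls_crt; config_get tls_key tls tls_key; }`. Since the instance runs as user `dnsproxy` on a read-only rootfs, the key must be readable by that user, and `procd_add_jail_mount_rw "$log_file"` presumably requires the log file to exist before the bind mount; both deserve a comment on the mount lines. `start_service` begins outside this hunk.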
@ -0,0 +1,17 @@
|
|||
{
|
||||
"bounding": [
|
||||
"CAP_NET_BIND_SERVICE"
|
||||
],
|
||||
"effective": [
|
||||
"CAP_NET_BIND_SERVICE"
|
||||
],
|
||||
"ambient": [
|
||||
"CAP_NET_BIND_SERVICE"
|
||||
],
|
||||
"permitted": [
|
||||
"CAP_NET_BIND_SERVICE"
|
||||
],
|
||||
"inheritable": [
|
||||
"CAP_NET_BIND_SERVICE"
|
||||
]
|
||||
}
|
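Review bot: The policy grants CAP_NET_BIND_SERVICE in all five sets, including `ambient`; ambient capabilities are preserved across execve, so any child process dnsproxy might spawn keeps the ability to bind privileged ports as well. Because `bounding` is restricted to the same single capability nothing broader can be acquired, which is the right shape for this use, but the rationale is recorded nowhere on the page. JSON takes no comments, so put it in the init script next to `procd_set_param capabilities`, e.g. `# /etc/capabilities/dnsproxy.json grants only CAP_NET_BIND_SERVICE so the unprivileged 'dnsproxy' user can bind ports below 1024`.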