- PR NLnetLabs#28: IPSet module, by Kevin Chou. Created a module to s…

…upport

  the ipset that could add the domain's ip to a list easily.
  Needs libmnl, and --enable-ipset and config it, doc/README.ipset.md.
- Fix to omit RRSIGs from addition to the ipset.

doc/Changelog

@@ -1,3 +1,9 @@
+18 June 2019: Wouter
+	- PR #28: IPSet module, by Kevin Chou.  Created a module to support
+	  the ipset that could add the domain's ip to a list easily.
+	  Needs libmnl, and --enable-ipset and config it, doc/README.ipset.md.
+	- Fix to omit RRSIGs from addition to the ipset.
+
 17 June 2019: Wouter
 	- Master contains version 1.9.3 in development.
 	- Fix #39: In libunbound, leftover logfile is close()d unpredictably.

doc/README.ipset.md

@@ -0,0 +1,65 @@
+## Created a module to support the ipset that could add the domain's ip to a list easily.
+
+### Purposes:
+* In my case, I can't access the facebook, twitter, youtube and thousands web site for some reason. VPN is a solution. But the internet too slow whether all traffics pass through the vpn.
+So, I set up a transparent proxy to proxy the traffic which has been blocked only.
+At the final step, I need to install a dns service which would work with ipset well to launch the system.
+I did some research for this. Unfortunately, Unbound, My favorite dns service doesn't support ipset yet. So, I decided to implement it by my self and contribute the patch. It's good for me and the community.
+```
+# unbound.conf
+server:
+  ...
+  local-zone: "facebook.com" ipset
+  local-zone: "twitter.com" ipset
+  local-zone: "instagram.com" ipset
+  more social website
+
+ipset:
+  name-v4: "gfwlist"
+```
+```
+# iptables
+iptables -A PREROUTING -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-ports 10800
+iptables -A OUTPUT -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-ports 10800
+```
+
+* This patch could work with iptables rules to batch block the IPs.
+```
+# unbound.conf
+server:
+  ...
+  local-zone: "facebook.com" ipset
+  local-zone: "twitter.com" ipset
+  local-zone: "instagram.com" ipset
+  more social website
+
+ipset:
+  name-v4: "blacklist"
+  name-v6: "blacklist6"
+```
+```
+# iptables
+iptables -A INPUT -m set --set blacklist src -j DROP
+ip6tables -A INPUT -m set --set blacklist6 src -j DROP
+```
+
+### Notes:
+* To enable this module the root privileges is required.
+* Please create a set with ipset command first. eg. **ipset -N blacklist iphash**
+
+### How to use:
+```
+./configure --enable-ipset
+make && make install
+```
+
+### Configuration:
+```
+# unbound.conf
+server:
+  ...
+  local-zone: "example.com" ipset
+
+ipset:
+  name-v4: "blacklist"
+```

ipset/ipset.c

@@ -160,7 +160,8 @@ static int ipset_update(struct module_env *env, struct dns_msg *return_msg, stru
 
 					if (strncasecmp(p->str, s, plen) == 0) {
 						d = (struct packed_rrset_data*)rrset->entry.data;
-						for (j = 0; j < d->count + d->rrsig_count; j++) {
+						/* to d->count, not d->rrsig_count, because we do not want to add the RRSIGs, only the addresses */
+						for (j = 0; j < d->count; j++) {
 							rr_len = d->rr_len[j];
 							rr_data = d->rr_data[j];