Supporting nftset in dnsmasq

The dnsmasq that is included in the LXD snap wasn't compiled with the HAVE_NFTSET flag. I'm trying to firewall my restricted container using domain names and I need dnsmasq to put the IP addresses into my netfilter set, but it can't do it because it wasn't compiled with HAVE_NFTSET. Any chance the LXD snap could include a dnsmasq binary compiled with nftset?

I’m using Ubuntu 24.04.1 with LXD 5.21.2

The default dnsmasq (/usr/sbin) has all the same compile options plus nftset and it’s only 120 bytes larger.

Hello,

The LXD snaps use the dnsmasq-base package from the corresponding distro/base core version. At the moment, the latest/edge channel comes with a dnsmasq compiled with nftset support enabled as it uses the one from Ubuntu Noble (24.04):

$ snap list lxd
Name  Version      Rev    Tracking     Publisher   Notes
lxd   git-e49b748  31373  latest/edge  canonical✓  -
$ sudo LD_LIBRARY_PATH=/snap/lxd/current/lib/:/snap/lxd/current/lib/x86_64-linux-gnu/:/snap/lxd/current/zfs-2.2/lib PATH=/snap/lxd/current/zfs-2.2/bin:/snap/lxd/current/bin:$PATH nsenter --mount=/run/snapd/ns/lxd.mnt -- dnsmasq --version | grep -i nftset
Compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset nftset auth cryptohash DNSSEC loop-detect inotify dumpfile

Anything but latest/edge uses the package from older Ubuntu releases (20.04 or 22.04 depending on the channel). In those, nftset is not enabled:

$ snap list lxd
Name  Version        Rev    Tracking    Publisher   Notes
lxd   5.0.3-80aeff7  29351  5.0/stable  canonical✓  -
$ sudo LD_LIBRARY_PATH=/snap/lxd/current/lib/:/snap/lxd/current/lib/x86_64-linux-gnu/:/snap/lxd/current/zfs-2.1/lib PATH=/snap/lxd/current/zfs-2.1/bin:/snap/lxd/current/bin:$PATH nsenter --mount=/run/snapd/ns/lxd.mnt -- dnsmasq --version | grep -i nftset
Compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset no-nftset auth cryptohash DNSSEC loop-detect inotify dumpfile

# or

$ snap list lxd
Name  Version      Rev    Tracking   Publisher   Notes
lxd   git-3dfb201  31285  5.21/edge  canonical✓  -
$ sudo LD_LIBRARY_PATH=/snap/lxd/current/lib/:/snap/lxd/current/lib/x86_64-linux-gnu/:/snap/lxd/current/zfs-2.2/lib PATH=/snap/lxd/current/zfs-2.2/bin:/snap/lxd/current/bin:$PATH nsenter --mount=/run/snapd/ns/lxd.mnt -- dnsmasq --version | grep -i nftset
Compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset no-nftset auth cryptohash DNSSEC loop-detect inotify dumpfile

tl;dr: use latest/edge.

2 Likes
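A check for the option line the replies above inspect, as an added example (not from the thread): the `grep -i nftset` shown matches `no-nftset` as well, so it prints a line in both cases, whereas this function parses the compile-time options and succeeds only when nftset is actually built in. The snap paths and the zfs-2.2 directory are taken from the commands above; the sample outputs are constructed from the option lines quoted there.

```shell
# Return 0 if the given `dnsmasq --version` output lists "nftset" as a
# compile-time option, 1 if it lists "no-nftset" (or neither), 2 if the
# "Compile time options:" line is missing entirely.
dnsmasq_has_nftset() {
    # $1: full output of `dnsmasq --version`
    opts=$(printf '%s\n' "$1" | sed -n 's/^Compile time options: //p')
    [ -n "$opts" ] || return 2
    for opt in $opts; do                 # word-split on purpose
        [ "$opt" = "nftset" ] && return 0
        [ "$opt" = "no-nftset" ] && return 1
    done
    return 1
}

# Query the dnsmasq inside the LXD snap's mount namespace, exactly as the
# replies above do (assumes the zfs-2.2 directory and an x86_64 host).
snap_dnsmasq_version() {
    sudo LD_LIBRARY_PATH=/snap/lxd/current/lib/:/snap/lxd/current/lib/x86_64-linux-gnu/:/snap/lxd/current/zfs-2.2/lib \
        PATH=/snap/lxd/current/zfs-2.2/bin:/snap/lxd/current/bin:$PATH \
        nsenter --mount=/run/snapd/ns/lxd.mnt -- dnsmasq --version
}

# Constructed sample outputs: a placeholder header line followed by the
# option lines quoted in the thread for latest/edge and for 5.0/stable.
EDGE_OUTPUT='Dnsmasq version <placeholder>
Compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset nftset auth cryptohash DNSSEC loop-detect inotify dumpfile'

STABLE_OUTPUT='Dnsmasq version <placeholder>
Compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset no-nftset auth cryptohash DNSSEC loop-detect inotify dumpfile'

main() {
    if dnsmasq_has_nftset "$EDGE_OUTPUT"; then
        echo "edge sample: nftset supported"
    fi
    if ! dnsmasq_has_nftset "$STABLE_OUTPUT"; then
        echo "5.0 sample: nftset missing (use latest/edge)"
    fi
    # Pass --live to test the dnsmasq actually shipped in the installed snap.
    if [ "${1:-}" = "--live" ]; then
        if dnsmasq_has_nftset "$(snap_dnsmasq_version)"; then
            echo "installed snap: nftset supported"
        else
            echo "installed snap: nftset NOT supported"
        fi
    fi
}
main "$@"
```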

Thank you for the explanation!

We expect the switch to core24 for latest/stable in LXD 6.3, but this work is still ongoing.

1 Like