I am experimenting with `https-dns-proxy`.

At some point, the code is doing this:
```sh
# Builds a JSON array named "firewall" inside the procd service data
# using the jshn helpers (nothing is written to /etc/config/firewall).
json_add_array firewall
for c in $forceDNSPorts; do
	# If something is listening on the port locally (or the port is 53),
	# redirect it to the router; otherwise reject traffic to that port.
	if netstat -tuln | grep 'LISTEN' | grep ":${c}" >/dev/null 2>&1 || [ "$c" = "53" ]; then
		json_add_object ""
		json_add_string type redirect
		json_add_string target DNAT
		json_add_string src lan
		json_add_string proto "tcp udp"
		json_add_string src_dport "$c"
		json_add_string dest_port "$c"
		json_add_boolean reflection 0
		json_close_object
	else
		json_add_object ""
		json_add_string type rule
		json_add_string src lan
		json_add_string dest "*"
		json_add_string proto "tcp udp"
		json_add_string dest_port "$c"
		json_add_string target REJECT
		json_close_object
	fi
done
json_close_array
# Hand the finished JSON to procd and finish the service instance.
procd_close_data
procd_close_instance
```
I am completely unfamiliar with `procd` and `jshn`, but my guess is that this creates a JSON object, fills it in, and then somehow adds it to the firewall config.

What is the command that actually adds this JSON firewall array to the `fw3` config?
Also, because I have no `lan` network, when I do a `fw3 print` I see this:

```text
Warning: Warning: ubus rule (ubus:https-dns-proxy[main] rule 1) refers to not existing zone 'lan'
Warning: Warning: ubus redirect (ubus:https-dns-proxy[main] redirect 0) refers to not existing zone 'lan'
```
The warning makes sense; however, I cannot find the added config in `/etc/config/firewall`, which is where it would be if it had been added by something like `uci add`.

Where does the config added by `https-dns-proxy` actually live?
Finally, it seems wrong to me that `https-dns-proxy` hardcodes `lan`. It means users that have created another internal subnet will have the `force_dns` option of `https-dns-proxy` fail silently. In other words, a client on a subnet other than `lan` will be able to bypass the DNS resolver, which will run contrary to user expectations.
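For context on the fragment quoted in the post: the jshn calls run between `procd_open_data` and `procd_close_data`, so the finished array is stored as procd service data and read by `fw3` over ubus, which is why the warnings name `ubus:https-dns-proxy[main]` rather than a file. The script below is an added example, not code from `https-dns-proxy` or OpenWrt. It reproduces the same redirect-or-reject decision in plain POSIX sh (printing the JSON with `printf` instead of jshn, so it runs outside OpenWrt), and takes the source zones as a parameter so that a second internal zone such as `guest` gets the same rules as `lan`. The function names `emit_firewall_rules`, `port_is_listening`, `count_rules` and the constructed zone/port lists are assumptions; the list of listening ports stands in for the script's `netstat` check.

```sh
#!/bin/sh
# Added example, not the https-dns-proxy init script. Emits the firewall
# JSON array the jshn fragment builds, for a configurable list of zones
# instead of the hardcoded "lan". Function names are hypothetical.

# port_is_listening PORT LISTENING
# Stand-in for `netstat -tuln | grep LISTEN | grep ":PORT"`: LISTENING is a
# constructed space-separated list of ports the router listens on.
port_is_listening() {
    _p=$1
    for _l in $2; do
        [ "$_l" = "$_p" ] && return 0
    done
    return 1
}

# json_redirect ZONE PORT: the DNAT redirect object of the script's first branch
# (json_add_boolean reflection 0 becomes JSON false).
json_redirect() {
    printf '{"type":"redirect","target":"DNAT","src":"%s","proto":"tcp udp","src_dport":"%s","dest_port":"%s","reflection":false}' "$1" "$2" "$2"
}

# json_reject ZONE PORT: the REJECT rule object of the script's else branch
json_reject() {
    printf '{"type":"rule","src":"%s","dest":"*","proto":"tcp udp","dest_port":"%s","target":"REJECT"}' "$1" "$2"
}

# emit_firewall_rules ZONES PORTS LISTENING
# Prints one JSON array: for every zone and every forced DNS port, a redirect
# when the port is listening locally (or is 53), otherwise a reject rule.
emit_firewall_rules() {
    _sep=""
    printf '['
    for _z in $1; do
        for _c in $2; do
            printf '%s' "$_sep"
            if port_is_listening "$_c" "$3" || [ "$_c" = "53" ]; then
                json_redirect "$_z" "$_c"
            else
                json_reject "$_z" "$_c"
            fi
            _sep=","
        done
    done
    printf ']\n'
}

# count_rules ZONES PORTS LISTENING: number of rule objects emitted
# (zones x ports), useful to confirm every zone was covered.
count_rules() {
    emit_firewall_rules "$1" "$2" "$3" | grep -o '"type"' | wc -l | tr -d ' '
}

# Constructed run: two internal zones, three forced DNS ports, and only 53
# listening locally, so 853 and 5353 get REJECT rules for both zones.
emit_firewall_rules "lan guest" "53 853 5353" "53"
```

Running it prints six objects; with the original script only the three for `lan` would exist, and a client in `guest` could still reach an outside resolver directly, which is the silent failure the post describes.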