FS#269 - dnsmasq-full doesn't set ipsets #5337

Closed
openwrt-bot opened this issue Nov 6, 2016 · 0 comments

openwrt-bot commented Nov 6, 2016

eTomm:

When you define an ipset in the dhcp config file, dnsmasq doesn't add the set to the ipset list. It correctly configures itself to manage it.

All the tests are being done on LEDE trunk on a Linksys EA8500. Before, in OpenWRT CC 15.05 on an Archer C7 everything was working correctly. In both cases the package dnsmasq-full has been installed to substitute dnsmasq.

I declared in /etc/config/dhcp under dnsmasq

config dnsmasq
...
list ipset '/hulu.com/hulu'
list ipset '/huluim.com/huluim'
...

The configuration generated for dnsmasq correctly contains the ipset, but when you use ipset list to see them you don't see them.

If you use ipset create hash:ip it correctly begins to fill them.

This is not the case with CC 15.05. There my ipsets were working correctly.


openwrt-bot commented Nov 15, 2016

aarond10:

Confirmed also on an Archer C7. Did someone clean up the build rules for this and cut it out by mistake?

Tue Nov 15 12:40:25 2016 daemon.crit dnsmasq[9415]: recompile with HAVE_IPSET defined to enable ipset directives at line 14 of /var/etc/dnsmasq.conf.cfg02411c


openwrt-bot commented Nov 15, 2016

None:

I've just checked on my build and the 'dnsmasq-full' build option selects dhcpv6, dnssec, auth dns, ipset, conntrack & no_id by default. I further checked the binary built and it includes all the things I would expect.


openwrt-bot commented Nov 15, 2016

eTomm:

Should we perform a further test? What I see is that the ipset is correctly managed by dnsmasq and filled IF IT EXISTS.

Instead in CC 15.05 it was also creating it.

I am using this feature together with mwan3 that has been heavily modified from CC 15.05... maybe it was mwan3 that created the ipsets?


openwrt-bot commented Nov 15, 2016

None:

Similarly, even going back as far as Jan 2013, I can find no evidence that the dnsmasq init script created the ipsets, and hence dnsmasq's behaviour is as per documentation in that it needs the sets created before it will populate them.

Ipsets can be created in /etc/config/firewall something like

config ipset
option enabled '1'
option name 'hulu'
option storage 'hash'
option family 'ipv4'
option match 'src_ip'
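
The requirement stated in the comment above (dnsmasq populates a set only if it already exists) can be checked with a script like the following. It is an added example, not part of the thread or of OpenWrt or dnsmasq; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: find ipset names that a dnsmasq config references but that
# do not exist yet (dnsmasq fills existing sets; it does not create them).

# Constructed sample of a generated dnsmasq config (not from a real router).
SAMPLE_CONF='ipset=/hulu.com/hulu
ipset=/huluim.com/huluim
ipset=/example.com/example.net/youtube,video
server=/example.org/192.0.2.1'

# Read a dnsmasq config on stdin, print each referenced set name once.
# Directive syntax: ipset=/<domain>[/<domain>...]/<set>[,<set>...]
ipset_names_from_conf() {
    sed -n -e 's/[[:space:]]*$//' -e 's/^[[:space:]]*ipset=//p' |
    while IFS= read -r spec || [ -n "$spec" ]; do
        # Everything after the last "/" is the comma-separated set list.
        printf '%s\n' "${spec##*/}" | tr ',' '\n'
    done | sed '/^$/d' | sort -u
}

# $1 = wanted names, $2 = existing names (both newline-separated).
# Prints the wanted names that are missing.
missing_sets() {
    for name in $1; do
        printf '%s\n' "$2" | grep -qxF -e "$name" || printf '%s\n' "$name"
    done
}

# Names of the sets currently present in the kernel (needs the ipset tool).
existing_sets() {
    ipset list -n 2>/dev/null
}

# $1 = path to the generated dnsmasq config; prints sets that must be created.
check_conf() {
    wanted=$(ipset_names_from_conf < "$1")
    missing_sets "$wanted" "$(existing_sets)"
}

# Demo on the constructed sample, pretending only "hulu" exists.
missing_sets "$(printf '%s\n' "$SAMPLE_CONF" | ipset_names_from_conf)" "hulu"
```

On a router, `check_conf` takes the path of the generated config (the log line earlier in this thread shows it under /var/etc/); each name it prints needs a matching `config ipset` section in /etc/config/firewall or an `ipset create` before dnsmasq can fill it.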


openwrt-bot commented Nov 15, 2016

eTomm:

But this doesn't explain why it was working in CC 15.05. Do you have any knowledge regarding mwan3 creating the ipsets?


openwrt-bot commented Nov 15, 2016

None:

We can safely say that dnsmasq is not the problem and is working correctly. The issue is elsewhere.

Beyond a quick look at the code and a 'google' a few minutes ago I've no mwan3 knowledge. Assuming you have access to your working system, I'd start by grepping through for 'ipset' and/or some of your set names and see what turns up. Else extract and look through a router backup archive in a similar manner.

I assume you have the mwan3 config rule set - it'll be similar to this I guess:

config rule 'youtube'
option sticky '1'
option timeout '300'
option ipset 'youtube'
option dest_port '80,443'
option proto 'tcp'
option use_policy 'balanced'
