mwan3 nftset instead of ipset for rules #20582
Comments
|
22.03 still has dnsmasq 2.86, which doesn’t yet support nftsets. But it is supported now in master/snapshots which uses dnsmasq 2.89. |
|
@dave14305 thank you for your reply. Anyway I installed dnsmasq-full and I can see that the nftset is correctly populated with the IP address associated with the desired hostname (nft list ruleset shows them). |
|
I have not yet ported mwan3 to nft. Therefore, the whole thing only works via the compatibility layer iptables-nft. As far as I can remember, this does not apply to ipsets. |
|
@feckert thank you for looking into this! I don't think iptables-nft can accept an nftset... Maybe there is a way to create an ipset starting from nftset and pass it to the --match-set argument? |
|
That could work, but I have never done it. Unfortunately, I don't have the time to verify it. You can have a look at it and then report back if it works? |
|
I only found the ipset-translate utility that converts FROM ipset to nftset, not the other way around... |
|
That said I think this must be addressed in some way or another because ipset support has been recently removed from openwrt dnsmasq so expect complaints about it to increase soon :) (https://forum.openwrt.org/t/dnsmasq-full-ipset-support-removed-in-master/150274) |
|
This issue would be fixed if mwan3 uses native nft in the future (hopfully). But up to now nft rules are not supported |
Dear @feckert,
I'm using openwrt 22.03.03 with mwan3 2.11.4-1.
I'm using firewall4 with nftables and removed any legacy iptables related packages.
The problem is that I'm trying to create some rules based on hostnames instead of IPs.
So I have created a new nftset and told dnsmasq to populate it based on selected hostnames.
How can I use the nftset in the rule? I tried to put the nftset name into the "ipset" field without any luck.
Thank you
The text was updated successfully, but these errors were encountered: