mwan3 nftset instead of ipset for rules #20582
Comments
22.03 still has dnsmasq 2.86, which doesn’t yet support nftsets. But it is supported now in master/snapshots which uses dnsmasq 2.89.
@dave14305 thank you for your reply. Anyway I installed dnsmasq-full and I can see that the nftset is correctly populated with the IP address associated with the desired hostname (nft list ruleset shows them).
I have not yet ported mwan3 to nft. Therefore, the whole thing only works via the compatibility layer iptables-nft. As far as I can remember, this does not apply to ipsets.
@feckert thank you for looking into this! I don't think iptables-nft can accept an nftset... Maybe there is a way to create an ipset starting from nftset and pass it to the --match-set argument?
That could work, but I have never done it. Unfortunately, I don't have the time to verify it. You can have a look at it and then report back if it works?
I only found the ipset-translate utility that converts FROM ipset to nftset, not the other way around...
That said I think this must be addressed in some way or another because ipset support has been recently removed from openwrt dnsmasq so expect complaints about it to increase soon :) (https://forum.openwrt.org/t/dnsmasq-full-ipset-support-removed-in-master/150274)
This issue would be fixed if mwan3 uses native nft in the future (hopefully). But up to now nft rules are not supported.
Dear @feckert,
I'm using openwrt 22.03.03 with mwan3 2.11.4-1.
I'm using firewall4 with nftables and removed any legacy iptables related packages.
The problem is that I'm trying to create some rules based on hostnames instead of IPs.
So I have created a new nftset and told dnsmasq to populate it based on selected hostnames.
How can I use the nftset in the rule? I tried to put the nftset name into the "ipset" field without any luck.
Thank you