ipset in dnsmasq not working?

[fovecifer]

First, thank you merlin!

I need the ipset function in dnsmasq to put some IPs to a ipset which I named "vpn".
And the dnsmasq do not support ipset in default, so I change the compile options from "NO_IPSET" to "HAVA_IPSET" in the Makefile.
And I add the ipset configurations in dnsmasq.conf which looks like this:

server=/facebook.com/8.8.8.8
ipset=/facebook.com/vpn
server=/youtube.com/8.8.8.8
ipset=/youtube.com/vpn
server=/twitter.com/8.8.8.8
ipset=/twitter.com/vpn

As I know, when I
nslookup facebook.com 127.0.0.1
in the rt-ac68u, the IP of facebook should added into ipset vpn.
but

admin@RT-AC68U-4EE0:/jffs/configs# ipset --list vpn
Name: vpn
Type: iphash
References: 1
Header: hashsize: 1024 probes: 8 resize: 50
Members:

there is no IPs in this ipset.

Anyone could tell me what's the problems?

 

[RMerlin]

ipset support in dnsmasq requires additional libraries that are not included in the firmware. That's why I keep it disabled.

 

[fovecifer]

ipset support in dnsmasq requires additional libraries that are not included in the firmware. That's why I keep it disabled.

Thank you merlin!

I will try to fix it.

 

[consatan]

ipset support in dnsmasq requires additional libraries that are not included in the firmware. That's why I keep it disabled.

Hi, RMerlin,

How can I included ipset and mark iptables modules when compile firmware from source?

 

[RMerlin]

Hi, RMerlin,

How can I included ipset and mark iptables modules when compile firmware from source?

Both are already included in the firmware.

merlin@mint-dev ~ $ cat asuswrt/release/src-rt-6.x/linux/linux-2.6/.config | grep -P "MARK|IP_NF_SET"
# CONFIG_MARKEINS is not set
# CONFIG_NETWORK_SECMARK is not set
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
CONFIG_NETFILTER_XT_TARGET_MARK=y
CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
CONFIG_NETFILTER_XT_MATCH_MARK=y
CONFIG_IP_NF_SET=m
CONFIG_IP_NF_SET_MAX=256
CONFIG_IP_NF_SET_HASHSIZE=1024
CONFIG_IP_NF_SET_IPMAP=m
CONFIG_IP_NF_SET_MACIPMAP=m
CONFIG_IP_NF_SET_PORTMAP=m
CONFIG_IP_NF_SET_IPHASH=m
CONFIG_IP_NF_SET_NETHASH=m
CONFIG_IP_NF_SET_IPPORTHASH=m
CONFIG_IP_NF_SET_IPPORTIPHASH=m
CONFIG_IP_NF_SET_IPPORTNETHASH=m
CONFIG_IP_NF_SET_IPTREE=m
CONFIG_IP_NF_SET_IPTREEMAP=m
CONFIG_IP_NF_SET_SETLIST=m
# CONFIG_BRIDGE_EBT_MARK is not set
CONFIG_BRIDGE_EBT_MARK_T=m
# CONFIG_NET_SCH_DSMARK is not set
CONFIG_CLS_U32_MARK=y

 

[Joachim Zobel]

The dnsmasq config.h tells me, that HAVE_IPSET does not require external libraries:
----------------------------------------------------------------------------------------------------
/* The default set of options to build. Built with these options, dnsmasq
has no library dependencies other than libc */

#define HAVE_DHCP
#define HAVE_DHCP6
#define HAVE_TFTP
#define HAVE_SCRIPT
#define HAVE_AUTH
#define HAVE_IPSET
#define HAVE_LOOP
#define HAVE_INOTIFY
----------------------------------------------------------------------------------------------------
So maybe ipset does not require external libraries any more (or config.h is simply wrong).

We had a short discussion of this on irc, I am writing this ias a reminder for my feature request to add HAVE_IPSET if it is easily doable.

 

[RMerlin]

The dnsmasq config.h tells me, that HAVE_IPSET does not require external libraries:
----------------------------------------------------------------------------------------------------
/* The default set of options to build. Built with these options, dnsmasq
has no library dependencies other than libc */

#define HAVE_DHCP
#define HAVE_DHCP6
#define HAVE_TFTP
#define HAVE_SCRIPT
#define HAVE_AUTH
#define HAVE_IPSET
#define HAVE_LOOP
#define HAVE_INOTIFY
----------------------------------------------------------------------------------------------------
So maybe ipset does not require external libraries any more (or config.h is simply wrong).

We had a short discussion of this on irc, I am writing this ias a reminder for my feature request to add HAVE_IPSET if it is easily doable.

I could never get it to work, which led me to believe it needed ipset v6 (Asuswrt is based on the older ipset v4). ipset v6 requires libmnl, which isn't included in the firmware at his time.

They do mention having added support for older kernels after the initial patch was submitted to dnsmasq (I was originally referring to that older patch), however it's possible their kernel detection is broken, or their v4 support itself is broken.

So in the end, it's more trouble than I'm willing to deal with at this time. If someone really wants this faster, they will have to do it themselves and submit a pull request for it.