ipset with dnsmasq problem on AC68U

szpunk

3.0.0.4.374.39 (Merlin build) on Asus RT-AC68R:

I want to use ipset with dnsmasq. In my dnsmasq.custom file I have this code:

Code:
ipset=/twitter.com/gfwlist
ipset=/facebook.com/gfwlist

etc...

When I restart dnsmasq, I get this error:

Apr 17 13:50:09 dnsmasq[22408]: recompile with HAVE_IPSET defined to enable ipset directives at line 2 of /jffs/dnsmasq/custom/gfwlist.cfg

I have the same issue on Padavan's custom firewall for rt-n56, and I tried to recompile that firmware with HAVE_IPSET defined, rebooted the router, and I got another error in the log:

dnsmasq[515]:failed to create IPset control socket: Protocol not supported

and dnsmasq failed to start.

I'm sure the ipset module is loaded:

admin@RT-AC68U:/tmp/home/root# lsmod | grep ip
ipt_set 1054 2
ip_set_iphash 6474 3
ip_set_nethash 8272 0
ip_set 12034 5 ipt_set,ip_set_iphash,ip_set_nethash
ipt_REDIRECT 969 1
nf_nat_sip 5586 0
nf_conntrack_sip 16679 1 nf_nat_sip
ip6table_filter 893 0
ip6table_mangle 1093 0
admin@RT-AC68U:/tmp/home/root#

and the ipset list creation succeeded:

admin@RT-AC68U:/tmp/home/root# ipset -L
Name: whitelist
Type: iphash
References: 1
Header: hashsize: 8192 probes: 8 resize: 50
Members:

Name: gfwlist
Type: iphash
References: 1
Header: hashsize: 4096 probes: 8 resize: 50
Members:

Name: nogaelist
Type: iphash
References: 0
Header: hashsize: 1024 probes: 8 resize: 50
Members:

All these same settings worked smoothly on Shibby's Tomato firmware on AC66U.
Any suggestions?
 
dnsmasq isn't compiled with built-in ipset support. I gave it a quick try a few months ago, and it involved too many additional pre-requisites so I gave up on it.
 
On the newest Padavan's custom firmware (RT-N56U), I compiled dnsmasq with HAVE_IPSET and tested it working:

Code:
Jul  7 17:54:50 automount: Activate swap partition /dev/sda3 SUCCESS!
Jul  7 17:54:51 dnsmasq[431]: failed to create IPset control socket: Protocol not supported
Jul  7 17:54:51 dnsmasq[431]: FAILED to start up
Jul  7 17:54:51 kernel: Ralink HW NAT v2.50.7 Module Enabled, ASIC: RT3883, REV: 0105, FoE Size: 16384
Jul  7 17:54:51 kernel: EXT4-fs (sda2): warning: mounting unchecked fs, running e2fsck is recommended
Jul  7 17:54:51 kernel: EXT4-fs (sda2): mounted filesystem without journal. Opts: (null)
Jul  7 17:54:51 RT-N56U: Hardware NAT/Routing: Enabled, IPoE/PPPoE offload [WAN]<->[LAN/WLAN]
Jul  7 17:54:51 RT-N56U: Hardware NAT/Routing: IPv4 UDP flow offload - OFF
Jul  7 17:54:51 RT-N56U: Hardware NAT/Routing: IPv6 routes offload - OFF
Jul  7 17:54:51 kernel: EXT4-fs (sda1): mounted filesystem with ordered data mode. Opts: (null)
Jul  7 17:54:51 kernel: eth3: ===> VirtualIF_open
Jul  7 17:54:51 DHCP WAN Client: starting on eth3 ...
Jul  7 17:54:52 opt-mount.sh: started [/dev/sda1 /media/Main]
Jul  7 17:54:52 kernel: br0: port 1(eth2) entering forwarding state
Jul  7 17:54:52 httpd[535]: Server listening port 80 (HTTP).
Jul  7 17:54:52 dropbear[544]: Running in background
Jul  7 17:54:52 miniupnpd[552]: version 1.8 started
Jul  7 17:54:52 miniupnpd[552]: HTTP listening on port 14058
Jul  7 17:54:53 kernel: Netfilter messages via NETLINK v0.30.
Jul  7 17:54:53 kernel: ip_set: protocol 6
Jul  7 17:54:55 DHCP WAN Client: bound (eth3), IP: 192.168.8.30, GW: 192.168.8.1, lease time: 86400
Jul  7 17:54:55 RT-N56U: WAN up (eth3)
Jul  7 17:54:59 IPT: firewall started
Jul  7 17:55:00 Samba Server: daemon is started
Jul  7 17:55:00 opt-start.sh: call /opt/etc/init.d
Jul  7 17:55:02 NTP Client: Synchronizing time to pool.ntp.org.
Jul  7 17:55:03 IPT: firewall already started
Jul  7 17:55:03 shadowsocks: Starting ss-local... 
Jul  7 17:55:03 shadowsocks: ss-local start success. 
Jul  7 17:55:03 shadowsocks: Starting ss-redir... 
Jul  7 17:55:03 shadowsocks: ss-redir start success. 
Jul  7 17:55:03 redsocks: Starting redsocks... 
Jul  7 17:55:03 redsocks: redsocks start success. 
Jul  7 17:55:03 pdnsd: Starting pdnsd... 
Jul  7 17:55:03 pdnsd[714]: pdnsd-1.2.9b-par starting.
Jul  7 17:55:03 pdnsd: pdnsd start success. 
Jul  7 17:55:12 watchdog: dnsmasq is missing, start again!
Jul  7 17:55:12 dnsmasq[725]: started, version 2.68 cachesize 1000
Jul  7 17:55:12 dnsmasq[725]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 no-scripts TFTP no-conntrack ipset no-auth
Jul  7 17:55:12 dnsmasq[725]: warning: ignoring resolv-file flag because no-resolv is set
Jul  7 17:55:12 dnsmasq-dhcp[725]: DHCP, IP range 192.168.1.2 -- 192.168.1.244, lease time 1d
Jul  7 17:55:12 dnsmasq-dhcp[725]: DHCP, sockets bound exclusively to interface br0
............................................................................
Jul  7 17:55:12 dnsmasq[725]: read /etc/storage/dnsmasq/hosts - 0 addresses
Jul  7 17:55:32 NTP Client: Synchronizing time to time.nist.gov.
Jul  7 17:55:39 NTP Client: System time changed, offset: 3.486095s
Jul  7 18:01:03 dropbear[829]: Child connection from 192.168.1.134:53291
Jul  7 18:01:03 dropbear[829]: Password auth succeeded for 'admin' from 192.168.1.134:53291

It seems like dnsmasq starts too early when compiled with IPSET? We can see dnsmasq failed to start at first, but it is successfully reloaded by "watchdog" later. @RMerlin, can you make your firmware try to restart dnsmasq later like this?
 
dnsmasq has to start relatively early, since it's used for all kind of things, not just for DNS resolution.
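
Added example, not part of the original thread or of either firmware: a shell/awk check for the ordering visible in the posted log, where dnsmasq's IPset socket failure is logged before the kernel's `ip_set: protocol 6` line and a later start succeeds. The function names, the verdict strings and the embedded sample (lines copied from the posted log) are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample: six lines copied from the syslog excerpt posted in the thread.
sample_log() {
cat <<'EOF'
Jul  7 17:54:51 dnsmasq[431]: failed to create IPset control socket: Protocol not supported
Jul  7 17:54:51 dnsmasq[431]: FAILED to start up
Jul  7 17:54:53 kernel: Netfilter messages via NETLINK v0.30.
Jul  7 17:54:53 kernel: ip_set: protocol 6
Jul  7 17:55:12 watchdog: dnsmasq is missing, start again!
Jul  7 17:55:12 dnsmasq[725]: started, version 2.68 cachesize 1000
EOF
}

# Reads syslog on stdin and prints a verdict based on line order
# (syslog order is used rather than timestamps, which only have 1 s resolution):
#   no-failure              no IPset socket failure in the input
#   ip_set-never-announced  failure seen, kernel never logged ip_set
#   started-before-ip_set   failure logged before the kernel announced ip_set
#   failed-with-ip_set      failure logged after ip_set was already announced
# For the last three, a second word says whether a later dnsmasq start succeeded.
classify_ipset_start() {
    awk '
        /kernel: ip_set: protocol/ && !mod { mod = NR }
        /dnsmasq\[[0-9]+\]: failed to create IPset control socket/ && !fail { fail = NR }
        /dnsmasq\[[0-9]+\]: started, version/ { ok = NR }
        END {
            if (!fail) { print "no-failure"; exit }
            if (!mod)            v = "ip_set-never-announced"
            else if (fail < mod) v = "started-before-ip_set"
            else                 v = "failed-with-ip_set"
            r = (ok > fail) ? "recovered" : "not-recovered"
            print v, r
        }'
}

# Stand-alone run on the constructed sample.
sample_log | classify_ipset_start
```

On a router the same function can be fed the live log, for example `classify_ipset_start < /tmp/syslog.log`, where the log path is an assumption that varies by firmware.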
 
