Firewall - config ipset - questions

Hey all,

I have a question regarding adding ipsets to LEDE. I would like to add a hash:net table. I have the following config that successfully creates the table:

    config ipset
        option name 'bogons'
        option family 'ipv4'
        option storage 'hash'
        option match 'net'

...but what option do I use to add hash:net entries to this list?

I'm attempting to do this because I'm not using the UCI for my ipsets (they are added to /etc/rc.local currently), but I have had success in adding entries into the firewall using extra arguments. I also understand the UCI permits entries directly referencing the ipsets if they are added to the UCI. Thanks.

See the hashsize section in the man page for ipset.

What am I looking for regarding hashsize?

The list I created is the default size...the same size as my working list that I'm trying to migrate into UCI. As I noted, I am able to set up the list and it's working. I just don't know the syntax to add entries via /etc/config/firewall.

I think you either have to fill the ipset manually with ipset itself.
Or use the iprange option as described in the firewall configuration wiki page.

I don't know if you can specify multiple iprange options.
But then it's normally a list option, like:

    list iprange 'rangehere'
    list iprange 'anotherrangehere'

Or if you can specify multiple IP ranges in one iprange option, like:

    option iprange 'onerange anotherrange'

Or if you even have to copy the entire ipset block and only change the iprange option.

The documentation is a bit unclear.

However, for larger lists that is quite counterproductive.
Better store the IPs/IP ranges in a file and use ipset restore.
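The approach suggested above (keep the networks in a file and load them in one pass with ipset restore) worked out as an added example; this is not from the thread or from the LEDE/OpenWrt project. The set name bogons comes from the config posted earlier; the list file path, the helper names and the sample entries are assumptions for the example. The generated script fills a temporary set and swaps it in, so the live set is never half-loaded while a reload is in progress, and malformed lines are skipped with a message instead of aborting the whole restore.

```shell
#!/bin/sh
# Added example (not from the thread): build an "ipset restore" script from a
# plain-text list of IPv4 networks so a large hash:net set such as 'bogons'
# is loaded in one pass from /etc/rc.local instead of one "ipset add" per line.

SET_NAME="bogons"               # assumed; must match 'option name' in /etc/config/firewall
LIST_FILE="/etc/bogons.list"    # assumed location of the network list, one entry per line

# Return 0 only for a.b.c.d or a.b.c.d/nn with octets <= 255 and prefix <= 32.
valid_net() {
    case "$1" in
        */*) addr="${1%/*}"; plen="${1#*/}" ;;
        *)   addr="$1";      plen=32 ;;
    esac
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    oldIFS="$IFS"; IFS=.
    set -- $addr
    IFS="$oldIFS"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Emit the restore script on stdout: create the live set if missing, fill a
# temporary set, then atomically swap it in and drop the temporary one.
# Comments (# ...) and blank lines in the list file are ignored; invalid
# entries are reported on stderr and skipped.
build_restore() {
    set_name="$1"; list_file="$2"; tmp="${set_name}_tmp"
    echo "create $set_name hash:net family inet"
    echo "create $tmp hash:net family inet"
    echo "flush $tmp"
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                               # strip trailing comment
        line="$(printf '%s' "$line" | tr -d '[:space:]')" # strip whitespace
        [ -n "$line" ] || continue
        if valid_net "$line"; then
            echo "add $tmp $line"
        else
            echo "skipping invalid entry: $line" >&2
        fi
    done < "$list_file"
    echo "swap $tmp $set_name"
    echo "destroy $tmp"
}

# Load the generated script into the kernel. "-exist" makes the create lines
# harmless when the sets already exist (e.g. on a second run).
# Only meaningful on a host with ipset installed, e.g. from /etc/rc.local:
#     apply_set "$SET_NAME" "$LIST_FILE"
apply_set() {
    build_restore "$1" "$2" | ipset -exist restore
}
```

Because the firewall config only declares the set's name, type and family, the same name has to be used in both places; the restore script above can be regenerated and re-applied whenever the list file changes without touching /etc/config/firewall.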

I believe this is the case.

iprange did not work.

I agree. I believe I'll continue to create and populate ipsets using /etc/rc.local.

I was referring to the ipset create syntax, rather than what hashsize to use.

There are other examples, such as in the timeout section...

    # set-level default timeout of 300 s; the entry below overrides it with 60 s
    ipset create test hash:ip timeout 300
    ipset add test 192.168.0.1 timeout 60

@jwoods, aaah, I understand now.

...but I understand the ipset command. I was trying to migrate my commands into OpenWRT. I do not believe you can make and pre-populate a hash:net set; I will continue to do that using ipset commands in /etc/rc.local.

The Wiki says I can declare the external set's name in UCI, though, and then have the option to make direct rules naming the set. This may be a good option, as I use one static Bogon hash:net set and one hash:ip set populated by a script upon a route change.

Thanks all.