First thing to note is that you'll need to be running a snapshot version of OpenWrt as the dnsmasq build in 22.03.x has ipset support and not nftset.
22.03.5-box$ dnsmasq -v
Dnsmasq version 2.86 Copyright (c) 2000-2021 Simon Kelley
Compile time options: blah ... conntrack ipset auth ...
snapshot-box$ dnsmasq -v
Dnsmasq version 2.89 Copyright (c) 2000-2022 Simon Kelley
Compile time options: blah ... conntrack no-ipset nftset auth ...
Once that's done, you'll have to manually create the sets and populate them, as the LuCI firewall code doesn't yet fully support nftsets, but it looks like you've already got a good handle on that (just translate your iptables rules to nft).
Dnsmasq version 2.89 Copyright (c) 2000-2022 Simon Kelley
Compile time options: IPv6 GNU-getopt no-RTC no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.
root@OpenWrt:~# nft list sets
table inet fw4 {
	set socialmedia1 {
		type ipv4_addr
	}
	set streaming {
		type ipv4_addr
	}
	set test {
		type ipv4_addr
	}
}
table inet nft-qos-monitor {
}
table inet nft-qos-static {
}
/etc/config/dhcp
config ipset
	list name 'streaming'
	list domain 'youtube.com'
config ipset
	list name 'test_uci_set'
	list domain 'youtube.com'
	list domain 'googlevideo.com'
config ipset
	list name 'test'
	list domain 'google.com'
	list domain 'googlevideo.com'
	list domain 'youtube.com'
/etc/config/firewall
config ipset
	option name 'test'
	option enabled '1'
	option match 'ip'
OK, then just verify all the individual components are in place.
uci show firewall | grep ipset
uci show dhcp | grep ipset
grep nftset /var/etc/dnsmasq.conf.*
nft list sets
ipset list
If they are, wait for clients to query the router's dnsmasq for the target domains and populate the sets. Clients might be caching previous query results, so it might not appear to be working instantly.
Keep in mind that one very significant limitation of the nftset setting in dnsmasq is that dnsmasq does not actually add the IP address for the specified domain until and unless the domain name is encountered by dnsmasq in a DNS request.
When I add a test set, it uses the proper table family in the dnsmasq config. This is with snapshot r22755-326eb6e482 on an x86 bare metal install, dnsmasq-full 2.89-4 and firewall4 2023-03-23-04a06bd7-1.
$ tail -7 /etc/config/firewall
config ipset
	option name 'fred'
	option comment 'A test of things'
	option family 'ipv4'
	option counters '1'
	list match 'dest_ip'
$ tail -4 /etc/config/dhcp
config ipset
	list name 'fred'
	list domain 'google.com'
... uci commit, restart fw4 and dnsmasq ...
$ nft list set inet fw4 fred
table inet fw4 {
	set fred {
		type ipv4_addr
		comment "A test of things"
	}
}
$ grep nftset /var/etc/dnsmasq.conf.cfg01411c
nftset=/google.com/4#inet#fw4#fred
$ nslookup google.com
...
$ nft list set inet fw4 fred
table inet fw4 {
	set fred {
		type ipv4_addr
		comment "A test of things"
		elements = { 142.250.176.14 }
	}
}
There does seem to be a minor bug: the counters option is ignored when creating the set (although I think this might be a deliberate omission, as I recall seeing a bug fix on nftables committed just recently).
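The component checks described in the replies above ("verify all the individual components are in place"), as an added script that is not from the thread or from OpenWrt itself. It assumes the `4#inet#fw4#<set>` target format shown in the generated dnsmasq.conf above, a POSIX sh with awk and grep (busybox on the router is enough), and a hypothetical file name nftset-check.sh.

```shell
#!/bin/sh
# Added example (not from the thread): the checks the replies above walk
# through, as functions reading stdin so they run on live output or on the
# constructed samples below. Assumes the 4#inet#fw4#<set> target the
# thread shows; adjust nftset_covers if your table is named differently.

# Is nftset compiled in? Anchor on leading whitespace so "no-nftset" fails.
dnsmasq_has_nftset() {
    grep -E -q '[[:space:]]nftset([[:space:]]|$)'
}

# One "<set> <domain>" line per pair declared in /etc/config/dhcp
# "config ipset" sections, whatever order the list entries appear in.
dhcp_set_domains() {
    awk -v q="'" '
        function flush(  i, n) { if (insec && name != "") {
            n = split(doms, a, " "); for (i = 1; i <= n; i++) print name, a[i] } }
        $1 == "config" { flush(); insec = ($2 == "ipset"); name = doms = ""; next }
        !insec { next }
        $2 == "name"   { name = $3; gsub(q, "", name) }
        $2 == "domain" { d = $3; gsub(q, "", d); doms = doms " " d }
        END { flush() }'
}

# Does the generated dnsmasq.conf map DOMAIN into SET in table inet fw4?
# Accepts both one-domain-per-line and /d1/d2/ multi-domain forms.
nftset_covers() {
    grep '^nftset=' | grep -F "/$2/" | grep -E -q "#inet#fw4#$1(,|$)"
}

# Print every dhcp (set, domain) pair that CONF_TEXT does not cover.
missing_nftset() {  # usage: missing_nftset DHCP_TEXT CONF_TEXT
    printf '%s\n' "$1" | dhcp_set_domains | while read -r sname dom; do
        printf '%s\n' "$2" | nftset_covers "$sname" "$dom" || echo "$sname $dom"
    done
}

# Constructed samples, modelled on the outputs quoted in the thread.
NEW_VERSION='Compile time options: IPv6 UBus conntrack no-ipset nftset auth'
OLD_VERSION='Compile time options: IPv6 UBus conntrack ipset auth'
SAMPLE_DHCP=$(printf "config ipset\n\tlist domain 'google.com'\n\tlist name 'fred'\n\
config ipset\n\tlist name 'test'\n\tlist domain 'google.com'\n\tlist domain 'youtube.com'\n")
SAMPLE_CONF='nftset=/google.com/4#inet#fw4#fred
nftset=/google.com/4#inet#fw4#test'

# On the router itself: sh nftset-check.sh live
if [ "${1:-}" = "live" ]; then
    dnsmasq -v | dnsmasq_has_nftset || echo "dnsmasq build lacks nftset support"
    missing_nftset "$(cat /etc/config/dhcp)" "$(cat /var/etc/dnsmasq.conf.*)"
fi
```

Run with the samples it prints `test youtube.com`, the one pair the constructed dnsmasq.conf never picked up; on the router, an empty report means the remaining wait is only for clients to actually query the domains.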