The first two commands in my case show that ipset is present in config. The fourth command shows that the nftset has been set up (the fifth returns nothing, which I assume is fine). However, there's nothing in the generated dnsmasq configuration (and indeed looking up names manually doesn't add them in).
Post the output please.
To see if the sets exist, try:
$ nft --terse list sets
Leave out --terse to include the elements; the above only shows structure.
Also linking his GH issue:
# uci show firewall |grep ipset
firewall.@ipset[0]=ipset
firewall.@ipset[0].name='bulk'
firewall.@ipset[0].family='ipv4'
firewall.@ipset[0].match='dest_ip'
firewall.@ipset[0].timeout='600'
# uci show dhcp|grep ipset
dhcp.@dnsmasq[0].ipset='/update.microsoft.com/bulk'
# grep nftset /var/etc/dnsmasq.conf.*
# nft list sets
table inet fw4 {
	set bulk {
		type ipv4_addr
		timeout 10m
	}
}
# ipset list
You want to remove the old ipset syntax from /etc/config/dhcp and use the newer syntax.
uci del dhcp.@dnsmasq[0].ipset
uci add dhcp ipset
uci add_list dhcp.@ipset[-1].name='bulk'
uci add_list dhcp.@ipset[-1].domain='windowsupdate.com'
uci add_list dhcp.@ipset[-1].domain='update.microsoft.com'
uci commit dhcp
service dnsmasq restart
Or use the IP Sets tab in the DHCP and DNS menu in LuCI.
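An added example, not part of the original post: a POSIX shell function (hypothetical name `ipset_to_uci`) that parses an old-style value like the one in the `uci show dhcp` output above and prints the equivalent commands in the newer section syntax. It assumes the old value follows dnsmasq's `/domain[/domain...]/set[,set...]` form, and it only prints the commands rather than running uci.

```sh
#!/bin/sh
# Added example (not from the thread). Converts an old-style dnsmasq ipset
# option value, e.g. /update.microsoft.com/bulk, into uci commands for the
# newer dhcp "ipset" section. Prints the commands only; removing the old
# option, "uci commit dhcp" and the dnsmasq restart are left to the operator.

ipset_to_uci() {
    old=$1

    # Refuse characters that could break the single-quoted uci values
    # or trigger shell globbing during word splitting.
    case $old in
        *[!A-Za-z0-9._,/-]*)
            echo "unexpected character in: $old" >&2; return 1 ;;
    esac
    # Must look like /domain/.../set
    case $old in
        /*/*) ;;
        *) echo "not an old-style ipset value: $old" >&2; return 1 ;;
    esac

    sets=${old##*/}       # after the last "/": set name(s), comma-separated
    domains=${old%/*}     # before the last "/": /dom1/dom2
    domains=${domains#/}  # drop the leading "/"

    if [ -z "$sets" ] || [ -z "$domains" ]; then
        echo "missing domain or set name: $old" >&2
        return 1
    fi

    echo "uci add dhcp ipset"
    old_ifs=$IFS
    IFS=,
    for s in $sets; do
        if [ -n "$s" ]; then echo "uci add_list dhcp.@ipset[-1].name='$s'"; fi
    done
    IFS=/
    for d in $domains; do
        if [ -n "$d" ]; then echo "uci add_list dhcp.@ipset[-1].domain='$d'"; fi
    done
    IFS=$old_ifs
}

# Sample input: the value shown in the uci output earlier in the thread.
ipset_to_uci '/update.microsoft.com/bulk'
```
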
Thanks - that's fixed it. The documentation could probably do with updating.
Running the latest 24.10-rc2 and the LuCI DHCP and DNS > IP Sets tab, when I create an entry pointing to openwork.org (for example), nothing gets populated into fw4 sets. What am I missing?
EDIT: Got it working. Re-installed the latest build with dnsmasq-full and everything seems to work. No extra dependencies needed, too.
I don't want to sound that harsh, but why do you necro bump a thread from one year ago and then use a development version and not a stable version?
This kind of testing and feedback maybe fits better on actual issues i.e. on GitHub...