Ipset by domain using Luci

I added the following ipset using Luci:

It creates the following entry in /etc/config/dhcp :

config ipset
	list name 'eduset'
	list domain 'cam.ac.uk'

I restart dnsmasq and firewall, then I check:

# nft list sets
table inet fw4 {
	set torv6 {
		type ipv6_addr
		flags interval
		auto-merge
	}
}

So that does not show the eduset ipset, but does show the other ipset I made for tor, seemingly implying that it is only the DNS-based ipset that didn't work.

I have dnsmasq-full and resolveip installed.

Why isn't the eduset ipset showing up?

The set first has to be created in /etc/config/firewall and then dnsmasq can populate it according to your dnsmasq configuration.


@dave14305 Thanks for your reply.

I added the following to /etc/config/firewall:

config ipset 'eduset'
	option name 'eduset'
	option match 'net'

So now it shows up but it has no entries after restarting firewall and dnsmasq:

# nft list ruleset
table inet fw4 {
	set torv6 {
		type ipv6_addr
		flags interval
		auto-merge
		elements = { fc00::/8 }
	}

	set eduset {
		type ipv4_addr
		flags interval
		auto-merge
	}

Seems like dnsmasq is still not populating the ipset?

Are you using a snapshot image? Only dnsmasq 2.87 or higher can populate nftables sets. And that version only exists in snapshots, not 22.03.x.

I'm on 22.03.2 and the dnsmasq version is 2.86-15.

@dave14305 I just saw your replies on a similar question. I'm guessing those entries in Luci on 22.03.2 don't do anything at all?

It's not OpenWrt-version related, it's dnsmasq-version related. With dnsmasq versions that do not support nft sets, the ipset option makes dnsmasq populate the specified ipset, not the nft set.
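As an added illustration (not code from this thread or from OpenWrt's own dnsmasq init script), the following POSIX sh reproduces the distinction the replies draw: which dnsmasq directive a UCI ipset entry maps to depends on whether the dnsmasq build is 2.87 or newer, and a quick text check of captured `nft list set` output shows whether a fw4 set actually received elements. The 2.87 threshold and the nftset=/ipset= directive forms are taken as given for the example; the nft output is a constructed sample mirroring the thread.

```shell
#!/bin/sh
# Added example, not OpenWrt's init script. dnsmasq 2.87+ understands nftset=
# and can fill a fw4 nft set; older builds only know ipset=, which targets a
# legacy ipset, so the fw4 set stays empty (the behaviour seen in the thread).

# Print the dnsmasq directive a UCI "config ipset" entry would need.
# $1 = dnsmasq version string (e.g. "2.86-15"), $2 = set name, $3 = domain.
dnsmasq_set_directive() {
	ver="$1"; name="$2"; domain="$3"
	major="${ver%%.*}"
	rest="${ver#*.}"
	minor="${rest%%[!0-9]*}"
	if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 87 ]; }; then
		# nftset=/<domain>/<4|6>#<family>#<table>#<set>; fw4 sets live in "inet fw4"
		echo "nftset=/$domain/4#inet#fw4#$name"
	else
		echo "ipset=/$domain/$name"
	fi
}

# Return 0 if captured "nft list set" text shows elements for the named set.
# $1 = set name, $2 = nft output text.
nft_set_populated() {
	printf '%s\n' "$2" | awk -v s="$1" '
		$1 == "set" && $2 == s { inset = 1 }
		inset && /elements = / { found = 1 }
		inset && /^[[:space:]]*}/ { inset = 0 }
		END { exit found ? 0 : 1 }'
}

# Constructed sample mirroring the thread's output: torv6 has elements, eduset none.
SAMPLE='table inet fw4 {
	set torv6 {
		type ipv6_addr
		flags interval
		auto-merge
		elements = { fc00::/8 }
	}

	set eduset {
		type ipv4_addr
		flags interval
		auto-merge
	}
}'

dnsmasq_set_directive "2.86-15" eduset cam.ac.uk   # ipset=/cam.ac.uk/eduset
dnsmasq_set_directive "2.87-1" eduset cam.ac.uk    # nftset=/cam.ac.uk/4#inet#fw4#eduset
nft_set_populated eduset "$SAMPLE" && echo "eduset populated" || echo "eduset empty"
```

On a router, feeding the real `nft list set inet fw4 eduset` output to `nft_set_populated` after a few lookups of the listed domain tells you whether dnsmasq is filling the set at all.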
