MWAN3 does not load rules with Ipset

utopinux · January 27, 2023, 5:47pm

Hi
I'm trying to config mwan3 on 22.03.3 with IPset and get below error. please guide me what to do. Thank you!

Sat Jan 28 00:31:53 2023 user.err mwan3-init[31101]: set_user_rules (ipv4): iptables-restore v1.8.7 (nf_tables): Set ipv4vn doesn't exist. Error occurred at line: 3 Try iptables-restore -h' or 'iptables-restore --help' for more information.`

infact IPset ipv4vn does exit

root@NHD-HOME:~# nft list set inet fw4 ipv4vn
table inet fw4 {
        set ipv4vn {
                type ipv4_addr
                flags interval
                auto-merge
                elements = { 1.52.0.0/14, 2.56.16.0/22,
                             2.59.0.0/23, 5.198.248.176/28,
                             14.0.16.0/20, 14.160.0.0/11,
                             14.224.0.0/11, 17.81.39.0/24,
                             17.81.60.0/24, 17.81.145.0/24,
                             17.81.162.0/24, 17.92.240.0/23,
                             20.134.144.0/20, 20.134.208.0/24,
                             20.134.243.0/24, 20.139.144.0/20,

bluewavenet · January 27, 2023, 6:00pm

See:

utopinux · January 27, 2023, 7:12pm

Can you please elaborate more ? I already tried
in /etc/dnsmasq.conf

ipset=/abcd.com/cde.net/ipv4vn2

in /etc/config/firewall

config ipset
	option name 'ipv4vn2'
	option match 'dest_net'
	option loadfile '/etc/VNIP'

Thank you!

bluewavenet · January 27, 2023, 7:41pm

From the other thread:

Ipsets are not the same thing as nft sets.
You need to install the ipset package then create and populate the "ip set".
Mwan3 knows how to read the ipset.
It knows nothing about nft sets.

You must first install the ipset package.
Then remove the ipset config from /etc/config/firewall
Then you must create the ipset you need using the relevent ipset command (then put it in /etc/rc.local so that it gets run every time your router boots).
Refer to that ipset in the dnsmasq config (as you have done already) so that it gets populated automatically with the ip addresses of the FQDNs you are interested in.
Add the ipset to the mwan3 config (I assume you have done this already).
Reboot

utopinux · January 27, 2023, 9:43pm

I think I should need your help. I want to create an IPset from a list of addresses. can you please correct my syntax
ipset create ipv4vn2 hash:ip -f /etc/VNIP. I got an empty ipset with it

the rest I undertand

bluewavenet · January 27, 2023, 10:47pm

What is the format of your file? Is it an ipset "save"? Or is it just a list of ip addresses?

If it is an ipset save then do:
ipset restore -f /etc/VNIP

If it is some kind of list from somewhere then you will have to write a script depending on the format.

Can you go back to the dnsmasq method?

utopinux · January 28, 2023, 4:34pm

Thanks for your direction
After lot of readings and tryings, I could do it only to find that the performance is quite bad; here is the script other newbies might need to create ipset from a list of IPs
for i in $( sed 's/\r//g' /etc/VNIP | sort | uniq ); do ipset add ipv4vn2 $i; done
ipset save -f /etc/ipset.rules

bluewavenet · January 28, 2023, 5:08pm

Do you mean it took a long time for your script to run? It must be a big file....

utopinux · January 29, 2023, 2:35pm

Yes it is big. But Mwan3 was slow with it. I will check it again another days. No time now.
Update: all work fine now. it didnt since unbound crashed.

system · February 8, 2023, 2:35pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.