Thanks @hnyman for posting the PR link.
I've tried to build the 2.87 supporting nft myself, but my build VM couldn't handle the extra storage required for the toolchain (vs SDKs I already have there), so it failed.
I'd very much like to test the dnsmasq-full from that PR and if anyone is building/has already built it for x86_64, please send a link!
free for life oracle cloud hosts, FTW.
sign up, and spin one up. won't be fast, but it'll get the job done.
or try the 8 core trial host, I think they last 3 mo, if you don't pay.
Google, Amazon and MS have those too, but I think Oracle are the
only ones offering free for life.
I'm also very interested in this version of Dnsmasq due to nftset support, but I want to ask a general question about how openwrt handles the package update.
Assume the pr is merged, when will we see the new version in the opkg archive? Next dot release? Major release? I know the answer for debian or arch, but I'm not so sure about openwrt.
hello everyone is it included in the last snapshot? "dnsmaq 2.87"
No. It is still just a pull request. Not yet merged.
Poll the packages dir of the snapshots?
Seems rather pointless, at least before the PR is actually pushed; and if you want to know when that happens, go to the PR and hit the subscribe button.
Nifty. I’m hoping it 2.87 might improve query performance with large adblock lists.
Would it be possible to backport 2.87 to the OpenWrt 21.x series also?
The PR received a lethal dose and is in need of a champion to resuscitate.
You should have seen a huge improvement with v2.86. I can run the full OISD list with no increase in load or latency.
The dnsmasq 2.86 package hasn't been backported to OpenWrt 21.02 so I can't easily test it out. Also, that version of dnsmasq seems to have enough serious bugs that I'm holding off on upgrading to OpenWrt 22.03 until dnsmasq 2.87 lands.
dnsmasq v2.87 will land in master soon™ (for some value of soon), chances for it to land at all in openwrt-22.03 however would be slim (non-zero, as it can be argued that it fixes a real deficiency of nftables based ipsets, but very slim, as it is a quite major change in a release code base; generally, this would be a big no-no).
Hmm. I'm not particularly interested in the nftables related improvements myself. I'm much more interested in the security bug fixes, performance, and stability improvements. Judging from the forums, dnsmasq 2.86 is rather buggy and it has several CVEs.
I don't see any breaking changes in dnsmasq 2.87. So if we bumped the package version and made no other changes to how it integrates in the system (e.g. --nftset) then wouldn't it be a relatively safe net improvement over the status quo?
Agree - 2.86 has a breaking bug that causes it to crash outright when configured to mask IPv6 responses for specific domains. At minimum this needs to be backported to 22.03.
dnsmasq ver.2.87 x86 64 for OpenWrt 22.03.2
Please give it a try,
But in my case ,nftset is not working properly
I tried to build my domain list config in forms of
nftset=/www.example.com/4#inet#vpn_table#set_vpn_ipv4,6#inet#vpn_table#set_vpn_ipv6
or
nftset=/www.example.com/4#inet#vpn_table#set_vpn_ipv4
nftset=/www.example.com/6#inet#vpn_table#set_vpn_ipv6
and my nft table was like
table inet vpn_table {
set set_vpn_v4 {
type ipv4_addr
flags interval
elements {
}
}
set set_vpn_v6 {
type ipv6_addr
flags interval
elements {
}
}
ruchains {xxxxxxxxx
}
}
the ipv4 addresses were added to the nft set correctly, some how it seem like dnsmasq didn't deal with the ipv6 addddress
maybe there are something wrong with my configuarations
----mistry solved------------
Turns out it was my fault,
No need to specify the address family for each sets.
DNSMASQ will put the right in the sets according to set types.
Seems like once DNSMASQ receive a given address family, it will discard all the records that don't fit, then,there won't be any records for the following sets with different address family specified
Thank you so much, you saved me a lot of time! Seems to be working just fine with pbr on OpenWrt 22.03!
Did you implement any changes in the init script from the previously closed PR or is it just the new dnsmasq binary with the old init script?
I just compiled the package and try it on the 22.03.2 official build, did not make any changes to the old init script
Would you be so kind to build and share dnsmasq-full 2.88 ipk for OpenWrt 22.03 using this: https://github.com/openwrt/openwrt/blob/5c7e4a9d2e25d5ecc33c3c2650e4f954936c9c69/package/network/services/dnsmasq/Makefile ?
@stangri you are right, dnsmasq was updated to 2.88 in snapshot.
You can find the package here:
https://downloads.openwrt.org/snapshots/packages/aarch64_generic/base/dnsmasq-full_2.88-1_aarch64_generic.ipk
This is for arm64 routers. You can adjust the URL for your architecture. You can check what architecture for packages your router is using by running opkg info dnsmasq.
I also had to install this package:
https://downloads.openwrt.org/snapshots/packages/aarch64_generic/base/libubox20220927_2022-09-27-ea560134-1_aarch64_generic.ipk
Important: Make sure to install it first, because without it DNS resolution stops working.
There is a luci IP Set section in Luci -> DHCP and DNS -> IP Sets where you can add domains that should be added to an ipset.
But creating an IP Set there does not create the nftables set. You will get this error: user.notice dnsmasq: Cannot infer address family from non-existent nftables set 'XXXXXX'.
So you must first create the IP Set:
Edit /etc/config/firewall...
config ipset
option name 'test_uci_set'
option enabled '1'
option match 'ip' # net if you want add a cidr subnet
# Optional
list entry '192.168.2.100'
list entry '192.168.2.102'
You can leave out the list lines if you don't want to add any manual IPs to the set. This will create an empty set.
Then you can reload the rules and verify the set was created:
# Reload firewall rules
fw4 reload
# Show all sets
nft list sets
# Show the IPs in a specific set. Make sure to adjust to the name of your set.
nft list set inet fw4 test_uci_set
Then go back to Luci -> DHCP and DNS -> IP Sets and create an IP Set with the same name.
Then resolve some of the hosts in that set and run nft list set inet fw4 test_uci_set to see if it is updated with the relevant info.
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.