I've tried to build the 2.87 supporting nft myself, but my build VM couldn't handle the extra storage required for the toolchain (vs SDKs I already have there), so it failed.
I'd very much like to test the dnsmasq-full from that PR and if anyone is building/has already built it for x86_64, please send a link!
I'm also very interested in this version of Dnsmasq due to nftset support, but I want to ask a general question about how openwrt handles the package update.
Assume the pr is merged, when will we see the new version in the opkg archive? Next dot release? Major release? I know the answer for debian or arch, but I'm not so sure about openwrt.
Seems rather pointless, at least before the PR is actually pushed; and if you want to know when that happens, go to the PR and hit the subscribe button.
The dnsmasq 2.86 package hasn't been backported to OpenWrt 21.02 so I can't easily test it out. Also, that version of dnsmasq seems to have enough serious bugs that I'm holding off on upgrading to OpenWrt 22.03 until dnsmasq 2.87 lands.
dnsmasq v2.87 will land in master soon™ (for some value of soon), chances for it to land at all in openwrt-22.03 however would be slim (non-zero, as it can be argued that it fixes a real deficiency of nftables based ipsets, but very slim, as it is a quite major change in a release code base; generally, this would be a big no-no).
Hmm. I'm not particularly interested in the nftables related improvements myself. I'm much more interested in the security bug fixes, performance, and stability improvements. Judging from the forums, dnsmasq 2.86 is rather buggy and it has several CVEs.
I don't see any breaking changes in dnsmasq 2.87. So if we bumped the package version and made no other changes to how it integrates in the system (e.g. --nftset) then wouldn't it be a relatively safe net improvement over the status quo?
Agree - 2.86 has a breaking bug that causes it to crash outright when configured to mask IPv6 responses for specific domains. At minimum this needs to be backported to 22.03.
table inet vpn_table {
set set_vpn_v4 {
type ipv4_addr
flags interval
elements {
}
}
set set_vpn_v6 {
type ipv6_addr
flags interval
elements {
}
}
ruchains {xxxxxxxxx
}
}
the ipv4 addresses were added to the nft set correctly, some how it seem like dnsmasq didn't deal with the ipv6 addddress
maybe there are something wrong with my configuarations
----mistry solved------------
Turns out it was my fault,
No need to specify the address family for each sets.
DNSMASQ will put the right in the sets according to set types.
Seems like once DNSMASQ receive a given address family, it will discard all the records that don't fit, then,there won't be any records for the following sets with different address family specified
This is for arm64 routers. You can adjust the URL for your architecture. You can check what architecture for packages your router is using by running opkg info dnsmasq.
Important: Make sure to install it first, because without it DNS resolution stops working.
Configuration
There is a luci IP Set section in Luci -> DHCP and DNS -> IP Sets where you can add domains that should be added to an ipset.
But creating an IP Set there does not create the nftables set. You will get this error: user.notice dnsmasq: Cannot infer address family from non-existent nftables set 'XXXXXX'.
So you must first create the IP Set:
Edit /etc/config/firewall...
config ipset
option name 'test_uci_set'
option enabled '1'
option match 'ip' # net if you want add a cidr subnet
# Optional
list entry '192.168.2.100'
list entry '192.168.2.102'
You can leave out the list lines if you don't want to add any manual IPs to the set. This will create an empty set.
Then you can reload the rules and verify the set was created:
# Reload firewall rules
fw4 reload
# Show all sets
nft list sets
# Show the IPs in a specific set. Make sure to adjust to the name of your set.
nft list set inet fw4 test_uci_set
Then go back to Luci -> DHCP and DNS -> IP Sets and create an IP Set with the same name.
Then resolve some of the hosts in that set and run nft list set inet fw4 test_uci_set to see if it is updated with the relevant info.