Trying for a definitive on the issue of nftsets/ipsets dnsmasq

hello, good day to all!

I am not going into war and peace here.

I’ve done a lot of reading on the subject of OpenWrt, dnsmasq, and nftsets/ipsets with regard to setting up an nftset/ipset relating to a DDNS domain, in the hope that dnsmasq would populate the ipset that a firewall rule could use - perhaps triggered by an nslookup on cron.

It left me dazed !

My questions are:
- in OpenWrt (24.10.4 install with dnsmasq-full the only addition/change as such), do/can nftset/ipset updates by dnsmasq work or not, please?

- if ‘yes’, how, and is there a definitive guide?

It seems to be a bit of a mess of a subject, so I’d like to know if I’m wasting my time on it for now.

thank you :slight_smile:


dnsmasq-full supports adding resolved domains to a nftset which you have to define in luci/network/firewall

there is no such thing as nftset/ipset, it is apple XOR potato.

Step 1 : create nftset
Step 2 : create rule using it
Step 3 : once you install dnsmasq-full the options to populate nftset appear
Step 4 : use owut for future upgrades, default dnsmasq cannot start with extra options


thank you for the reply - most appreciated.

Please will you clarify what triggers the dnsmasq updating the nftset with the ip address ?

For instance, if I issue an

nslookup  ddnsdomain.ddns.net  1.1.1.1

should that trigger dnsmasq to update the nftset? Because currently nothing happens.

OpenWrt 24.10.4, r28959-29397011cc as a fresh install so to speak - only installed dnsmasq-full (and removed dnsmasq)

The following was created in the respective config files from using the respective luci interface tabs.

Is there anything else that needs to be added/corrected/etc.?

in config dhcp

config ipset
        list name 'ddnsset'
        list domain 'dnsdomain.ddns.net'
        option table_family 'ip'
        option table 'fw4'

in config firewall

config ipset
        option name 'ddnsset'
        option family 'ipv4'
        list match 'src_ip'

nft list sets

table inet fw4 {
        set ddnsset {
                type ipv4_addr
        }
}

(these are not the real domains)

No, because dnsmasq has to be the one receiving the lookup request. If you send it to 1.1.1.1, dnsmasq never sees it.

Run the nslookup but use your router LAN IP instead of 1.1.1.1.

Thank you - I have run it against the router LAN IP but nothing appears in the nft list sets result.

I will delete everything and start over, I think.

Change this to inet.


That sorted it - many thanks!

Hours I have been at it, coupled with being a bit of a newbie at this type of stuff.

Why did that change fix it, please - what is it about inet over ip?

Thank you again

The default fw4 table is of type inet, not ip or ip6. dnsmasq was trying to add the results to set table ip fw4 ddnsset, but it’s really inet.

It’s probably a misleading option in LuCI since if you leave the table as fw4, changing the family from “IPv4+IPv6” will break it, even if the set is meant for IPv4 results only.

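The four steps given earlier (create the nftset, create the rule, install dnsmasq-full, keep the options across upgrades) and the explanation just above (fw4's table is inet, so a dnsmasq nftset entry that says table fw4 with family ip or ip6 never populates the set) together describe one easy-to-miss misconfiguration. The script below is an added example, not code from the thread or from the OpenWrt project: it lints an OpenWrt-style /etc/config/dhcp for dnsmasq nftset sections that name the fw4 table with a table_family other than inet. The sample config it writes is constructed here (one set repeating the thread's mistake, one corrected, one relying on the default family); the function name, the output format, and the assumption that an omitted table_family is acceptable are all mine, not anything OpenWrt defines.

```shell
#!/bin/sh
# Added example, not from the forum thread or the OpenWrt project.
# Lints an OpenWrt-style /etc/config/dhcp for dnsmasq nftset sections that
# point at the fw4 table with a table_family other than inet. fw4 creates
# "table inet fw4", so dnsmasq's adds to "ip fw4" or "ip6 fw4" never land in
# the set the firewall rule reads (the failure mode discussed in the thread).

# Usage: lint_dnsmasq_nftsets /etc/config/dhcp
# Prints "<setname> <table_family>" for each mismatched section and returns 1;
# prints nothing and returns 0 when every fw4 set uses inet (or omits the
# family, which this lint treats as acceptable - an assumption made here).
lint_dnsmasq_nftsets() {
    # strip UCI quoting first so awk sees bare values
    tr -d "'\"" < "$1" | awk '
        BEGIN { bad = 0 }
        function flush() {
            if (in_ipset && table == "fw4" && family != "" && family != "inet") {
                print name, family
                bad = 1
            }
            in_ipset = 0; name = ""; table = ""; family = ""
        }
        $1 == "config" { flush(); if ($2 == "ipset") in_ipset = 1; next }
        in_ipset && $1 == "list"   && $2 == "name"         { name = $3 }
        in_ipset && $1 == "option" && $2 == "table"        { table = $3 }
        in_ipset && $1 == "option" && $2 == "table_family" { family = $3 }
        END { flush(); exit bad }
    '
}

# Constructed sample config (not a real router's file): one set repeating the
# thread's "ip" mistake, one corrected to inet, one relying on the default.
write_sample_dhcp_config() {
    cat > "$1" <<'EOF'
config dnsmasq
        option domainneeded '1'

config ipset
        list name 'ddnsset'
        list domain 'ddnsdomain.ddns.net'
        option table_family 'ip'
        option table 'fw4'

config ipset
        list name 'fixedset'
        list domain 'ddnsdomain.ddns.net'
        option table_family 'inet'
        option table 'fw4'

config ipset
        list name 'defaultset'
        list domain 'example.org'
        option table 'fw4'
EOF
}

# Demo run against the constructed sample; on a router, point the lint at
# /etc/config/dhcp instead and restart dnsmasq after correcting the family.
demo=$(mktemp)
write_sample_dhcp_config "$demo"
lint_dnsmasq_nftsets "$demo" || echo "the sets above will never be populated: set table_family to inet"
rm -f "$demo"
```

After fixing a flagged section, `nft list set inet fw4 ddnsset` (run after a lookup that actually goes through dnsmasq on the LAN IP) is the check that the address has landed; a set that stays empty after that query means the mismatch is still somewhere in the dhcp config.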

Thank you for your time to assist.

It’s a learning curve for me that’s for sure.

Good stuff - peace and best wishes

