[Dnsmasq-discuss] Compile with HAVE_IPSET on kernel 3.0.x problem

Punk[D.M] punkdm at gmail.com
Sun Feb 16 08:55:05 UTC 2014


This is a working ipset+dnsmasq router with Tomato firmware (I don't use IPv6):

[asus:/tmp]$ lsmod
Module                  Size  Used by    Tainted: P
tcp_vegas               1632 99
ip_set_nethash          7696  0
cifs                  235104  2
ip_set_iphash           5776  2
ipt_set                  896  3
ip_set_iptreemap        9440  0
ip_set                 13856  7
ip_set_nethash,ip_set_iphash,ipt_set,ip_set_iptreemap
nls_cp936             120640  0
ip6table_mangle          992  0
ip6table_filter          736  0
xt_recent               6624  2
xt_IMQ                   736  1
imq                     2288  0
ehci_hcd               34144  0
ext2                   52256  2
ext3                  106816  0
jbd                    46592  1 ext3
mbcache                 4400  2 ext2,ext3
usb_storage            31168  3
sd_mod                 20416  4
scsi_wait_scan           384  0
scsi_mod               70688  3 usb_storage,sd_mod,scsi_wait_scan
leds_usb                1936  0
led_class               1520  1 leds_usb
ledtrig_usbdev          2368  1 leds_usb
wl                   3479584  0
dnsmq                   1904  1 wl
et                     42944  0
igs                    14928  1 wl
emf                    19040  2 wl,igs

No iptable_nat, ip_tables or iptable_filter like on your system, but it's
working; I think these iptables functions were compiled into the core kernel and
don't need to be loaded by hand?

On RT-N66U:

[RT-N56U:/opt/home/admin]$ iptables -t nat -nvL --line-number
Chain PREROUTING (policy ACCEPT 12634 packets, 3093K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        7   408 VSERVER    all  --  *      *       0.0.0.0/0            192.168.2.68
2        1    60 REDSOCKS   tcp  --  br0    *       192.168.1.0/24       0.0.0.0/0

Chain INPUT (policy ACCEPT 8951 packets, 2655K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 869 packets, 336K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 791 packets, 319K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 SNAT       all  --  *      eth3    192.168.1.0/24       0.0.0.0/0            to:192.168.2.68
2       79 17197 SNAT       all  --  *      br0     192.168.1.0/24       192.168.1.0/24       to:192.168.1.1

Chain REDSOCKS (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/8
2        0     0 RETURN     all  --  *      *       0.0.0.0/0            10.0.0.0/8
3        0     0 RETURN     all  --  *      *       0.0.0.0/0            127.0.0.0/8
4        0     0 RETURN     all  --  *      *       0.0.0.0/0            169.254.0.0/16
5        0     0 RETURN     all  --  *      *       0.0.0.0/0            172.16.0.0/12
6        1    60 RETURN     all  --  *      *       0.0.0.0/0            192.168.0.0/16
7        0     0 RETURN     all  --  *      *       0.0.0.0/0            224.0.0.0/4
8        0     0 RETURN     all  --  *      *       0.0.0.0/0            240.0.0.0/4
9        0     0 RETURN     all  --  *      *       0.0.0.0/0            66.228.50.250
10       0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set gfwlist dst to:192.168.1.1:8099

I think the last line can prove that iptables with ipset is working.


2014-02-16 15:53 GMT+08:00 Hartmut Krafft <hartmut at mail.ru>:

> So it seems you don't have the iptables modules loaded. Check if you have
> installed iptables properly. Compare with your other machine where it works.
> On Feb 16, 2014 7:51 AM, "Punk[D.M]" <punkdm at gmail.com> wrote:
>
> This is my modules loaded:
>
> [RT-N56U:/opt/home/admin]$ lsmod
> Module                  Size  Used by
> xt_set                  4800  1
> ip_set_list_set         7408  0
> ip_set_bitmap_ip        6720  0
> ip_set_hash_net        21056  0
> ip_set_hash_ip         16432  1
> ip_set                 21904  5
> xt_set,ip_set_list_set,ip_set_bitmap_ip,ip_set_hash_net,ip_set_hash_ip
> nfnetlink               1904  1 ip_set
> hw_nat                 36368  0
> nf_nat_ftp              1152  0
> nf_conntrack_ftp        5072  1 nf_nat_ftp
> usblp                   9552  0
> ext4                  275504  2
> jbd2                   50944  1 ext4
> mbcache                 4272  1 ext4
> rt3090_ap             604400  0
> usb_storage            30912  3
> rt2860v2_ap           620896  0
> ohci_hcd               15776  0
> ehci_hcd               34000  0
>
>
> 2014-02-16 5:56 GMT+08:00 Hartmut Krafft <hartmut at mail.ru>:
>
>> I don't have such raw sockets here and the ipset works regardless.
>> Did you check that the modules are installed?
>>
>> $ lsmod
>> Module                  Size  Used by
>> xt_set                  5293  2
>> iptable_filter          1492  0
>> ip_set_hash_ip         15967  1
>> ip_set                 25709  2 ip_set_hash_ip,xt_set
>> nfnetlink               5128  2 ip_set
>> xt_tcpudp               2094  2
>> xt_REDIRECT             1664  1
>> xt_LOG                 11752  0
>> iptable_nat             2551  1
>> nf_conntrack_ipv4      12913  1
>> nf_defrag_ipv4          1342  1 nf_conntrack_ipv4
>> nf_nat_ipv4             3574  1 iptable_nat
>> nf_nat                 16548  3 nf_nat_ipv4,xt_REDIRECT,iptable_nat
>> nf_conntrack           84374  4
>> nf_nat,nf_nat_ipv4,iptable_nat,nf_conntrack_ipv4
>> ip_tables              11577  2 iptable_filter,iptable_nat
>> x_tables               17000  6
>> ip_tables,xt_tcpudp,xt_LOG,xt_set,iptable_filter,xt_REDIRECT
>>
>> On Feb 15, 2014 9:41 PM, "Punk[D.M]" <punkdm at gmail.com> wrote:
>> >
>> > Yes, I am sure the ipset main function is working:
>> >
>> > [RT-N56U:/opt/home/admin]$ ipset -H
>> > ipset v6.19
>> > .......
>> >
>> > and:
>> >
>> > [RT-N56U:/opt/home/admin]$ ipset -L gfwlist
>> > Name: gfwlist
>> > Type: hash:ip
>> > Revision: 1
>> > Header: family inet hashsize 1024 maxelem 65536
>> > Size in memory: 8264
>> > References: 1
>> > Members:
>> >
>> > I found something, but I'm not sure it is worth thinking about:
>> >
>> > On my other router that is running Tomato firmware (ipset v4.5 and Linux
>> > kernel 2.6.22.19), ipset with dnsmasq is working fine; from netstat -lnp, I
>> > can see dnsmasq has a RAW proto entry:
>> >
>> > udp        0      0 0.0.0.0:43000           0.0.0.0:*
>> 5590/eapd
>> > raw        0      0 0.0.0.0:255             0.0.0.0:*
>> 7           12439/dnsmasq
>> > raw        0      0 0.0.0.0:255             0.0.0.0:*
>> 7           16777/pppd
>> > raw        0      0 0.0.0.0:255             0.0.0.0:*
>> 7           4011/socat
>> > raw        0      0 0.0.0.0:255             0.0.0.0:*
>> 7           1231/ss-local
>> >
>> > but on this RT-N56U system, no RAW entries exist:
>> >
>> > udp        0      0 192.168.1.1:138         0.0.0.0:*
>> 673/nmbd
>> > udp        0      0 0.0.0.0:138             0.0.0.0:*
>> 673/nmbd
>> > udp        0      0 192.168.1.1:48066       0.0.0.0:*
>> 544/miniupnpd
>> > Active UNIX domain sockets (only servers)
>> > Proto RefCnt Flags       Type       State         I-Node PID/Program
>> name    Path
>> > unix  2      [ ACC ]     STREAM     LISTENING     973
>> 786/pdnsd           /var/cache/pdnsd/pdnsd.status
>> >
>> > I paid attention to the RAW because I found the error string in the
>> > following section of ipset.c:
>> >
>> >   if (old_kernel && (ipset_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) != -1)
>> >     return;
>> >
>> >   if (!old_kernel &&
>> >       (buffer = safe_malloc(BUFF_SZ)) &&
>> >       (ipset_sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER)) != -1 &&
>> >       (bind(ipset_sock, (struct sockaddr *)&snl, sizeof(snl)) != -1))
>> >     return;
>> >
>> >   die (_("failed to create IPset control socket: %s"), NULL, EC_MISC);
>> >
>> > Is it about a RAW check or something? I am a total novice in the C language...
>> >
>> > It's the first time I've used a mailing list; is it right to reply all?
>> >
>> >
>> > 2014-02-16 2:58 GMT+08:00 Hartmut Krafft <hartmut at mail.ru>:
>> >>
>> >> Hi!
>> >> Do you have ipset installed correctly? You need a kernel module and an
>> >> admin program called ipset. You first need to create your ipsets using this
>> >> program (man ipset). Only then you can use them in dnsmasq. You can check
>> >> if the IP set was created correctly by issuing ipset -l gfwlist (or another
>> >> name).
>> >> But I think you are missing the basic ipset support in your system.
>> >> You should have got an error creating the empty IP sets, though...
>> >>
>> >> On Feb 15, 2014 6:50 PM, "Punk[D.M]" <punkdm at gmail.com> wrote:
>> >> >
>> >> > After I compiled an ASUS RT-N56U/N65U/N14U custom firmware 3.X.3.7-079
>> >> > by Padavan (https://code.google.com/p/rt-n56u/) with HAVE_IPSET on
>> >> > kernel-3.0.x (or kernel-3.4.x),
>> >> >
>> >> > rebooted the router and I got this error in the log:
>> >> >
>> >> > dnsmasq[515]:failed to create IPset control socket: Protocol not supported
>> >> >
>> >> > and dnsmasq failed to start.
>> >> >
>> >> > I had some ipset settings in the dnsmasq config:
>> >> >
>> >> > ipset=/youtube.com/gfwlist
>> >> > ipset=/twitter.com/gfwlist
>> >> > ...etc
>> >> >
>> >> > Any suggestions on this? Thanks!
>> >> >
>> >> > Sorry for my English!
>> >> >
>> >> _______________________________________________
>> >> Dnsmasq-discuss mailing list
>> >> Dnsmasq-discuss at lists.thekelleys.org.uk
>> >> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>> >
>> >
>>
>
>
>
>
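An added diagnostic, written for this page and not code from the thread or from dnsmasq, that ties the two threads of evidence above together: it parses lsmod output for the modules the netlink-based ipset path depends on (nfnetlink, ip_set, xt_set) and makes the same socket() calls that the quoted src/ipset.c fragment makes, so the errno it returns can be matched to the "Protocol not supported" log line. The NETLINK_NETFILTER value (12) is taken from linux/netlink.h because Python's socket module has no constant for it; the two embedded lsmod samples are constructed from the outputs posted in the thread, including the line-wrapped "Used by" list that a mailer produces.

```python
"""Diagnose the dnsmasq 'failed to create IPset control socket' failure.

Example code for this page (not dnsmasq's).  dnsmasq's src/ipset.c opens an
AF_INET/SOCK_RAW/IPPROTO_RAW socket on old kernels and otherwise an
AF_NETLINK/SOCK_RAW socket on the NETLINK_NETFILTER protocol, then bind()s it.
socket() failing with EPROTONOSUPPORT is what "Protocol not supported" means.
"""
import errno
import socket

# Assumption: NETLINK_NETFILTER from <linux/netlink.h>; not exposed by Python.
NETLINK_NETFILTER = 12

# Modules the netlink control socket needs when they are built as modules:
# nfnetlink (the protocol), ip_set (the set types), xt_set (the iptables match).
# Anything compiled into the kernel never appears in lsmod (see usage note).
REQUIRED_MODULES = ("nfnetlink", "ip_set", "xt_set")


def parse_lsmod(text):
    """Return {module: (size, refcount, [users])} from `lsmod` output.

    Tolerates the mail-wrapped form seen in the thread, where a long
    'Used by' list is pushed onto a line of its own."""
    mods = {}
    last = None
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Module":
            continue  # blank line or the header (possibly with 'Tainted: P')
        if len(parts) >= 3 and parts[1].isdigit() and parts[2].isdigit():
            users = parts[3].split(",") if len(parts) > 3 else []
            mods[parts[0]] = (int(parts[1]), int(parts[2]), users)
            last = parts[0]
        elif len(parts) == 1 and last is not None:
            size, refs, users = mods[last]  # continuation of previous 'Used by'
            mods[last] = (size, refs, users + parts[0].split(","))
    return mods


def missing_ipset_modules(lsmod_text, required=REQUIRED_MODULES):
    """Names in `required` that lsmod does not list."""
    loaded = parse_lsmod(lsmod_text)
    return [m for m in required if m not in loaded]


def probe_control_socket(old_kernel=False):
    """Make the same socket call dnsmasq makes; return 0 on success, else errno."""
    try:
        if old_kernel:
            s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
        else:
            s = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_NETFILTER)
            s.bind((0, 0))  # pid 0: kernel assigns the port id, like dnsmasq's zeroed snl
    except AttributeError:
        return errno.EAFNOSUPPORT  # no AF_NETLINK at all (not a Linux host)
    except OSError as e:
        return e.errno
    s.close()
    return 0


def explain_socket_errno(err):
    """Translate the probe result into the likely cause."""
    if err == 0:
        return "control socket opened: kernel supports NETLINK_NETFILTER"
    if err == errno.EPROTONOSUPPORT:
        return ("Protocol not supported: NETLINK_NETFILTER is absent, so nfnetlink "
                "is neither built in nor loaded; dnsmasq will die at startup")
    if err in (errno.EPERM, errno.EACCES):
        return "permission denied: the raw IPv4 path needs CAP_NET_RAW (run as root)"
    return "unexpected error: " + errno.errorcode.get(err, str(err))


# Constructed sample: the RT-N56U lsmod from the thread, with its wrapped line.
RT_N56U_LSMOD = """\
Module                  Size  Used by
xt_set                  4800  1
ip_set_list_set         7408  0
ip_set_hash_ip         16432  1
ip_set                 21904  5
xt_set,ip_set_list_set,ip_set_bitmap_ip,ip_set_hash_net,ip_set_hash_ip
nfnetlink               1904  1 ip_set
"""

# Constructed sample: the Tomato router (ipset v4, kernel 2.6.22), which has the
# old ip_set/ipt_set pair and no nfnetlink at all.
TOMATO_LSMOD = """\
Module                  Size  Used by    Tainted: P
ip_set_iphash           5776  2
ipt_set                  896  3
ip_set                 13856  7
ip_set_nethash,ip_set_iphash,ipt_set,ip_set_iptreemap
"""

if __name__ == "__main__":
    print("RT-N56U missing:", missing_ipset_modules(RT_N56U_LSMOD))
    print("Tomato  missing:", missing_ipset_modules(TOMATO_LSMOD))
    print("netlink probe:", explain_socket_errno(probe_control_socket()))
```

A module that is compiled into the kernel never shows up in lsmod, which is the point the Tomato output illustrates, so an empty "missing" list is evidence of support but a non-empty one is not proof of its absence; check /lib/modules/$(uname -r)/modules.builtin (or the kernel .config) before concluding that nfnetlink is missing. The socket probe is the decisive test because it asks the kernel the same question dnsmasq does: EPROTONOSUPPORT from the netlink path means the firmware was built without nfnetlink, whatever the module list looks like.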