<div dir="ltr"><div><div><div>This is a working ipset+dnsmasq router with Tomato firmware (I don't use IPv6):<br><br>[asus:/tmp]$ lsmod<br>Module Size Used by Tainted: P <br>tcp_vegas 1632 99 <br>
ip_set_nethash 7696 0 <br>cifs 235104 2 <br>ip_set_iphash 5776 2 <br>ipt_set 896 3 <br>ip_set_iptreemap 9440 0 <br>ip_set 13856 7 ip_set_nethash,ip_set_iphash,ipt_set,ip_set_iptreemap<br>
nls_cp936 120640 0 <br>ip6table_mangle 992 0 <br>ip6table_filter 736 0 <br>xt_recent 6624 2 <br>xt_IMQ 736 1 <br>imq 2288 0 <br>ehci_hcd 34144 0 <br>
ext2 52256 2 <br>ext3 106816 0 <br>jbd 46592 1 ext3<br>mbcache 4400 2 ext2,ext3<br>usb_storage 31168 3 <br>sd_mod 20416 4 <br>
scsi_wait_scan 384 0 <br>scsi_mod 70688 3 usb_storage,sd_mod,scsi_wait_scan<br>leds_usb 1936 0 <br>led_class 1520 1 leds_usb<br>ledtrig_usbdev 2368 1 leds_usb<br>
wl 3479584 0 <br>dnsmq 1904 1 wl<br>et 42944 0 <br>igs 14928 1 wl<br>emf 19040 2 wl,igs<br><br></div>No iptable_nat, ip_tables or iptable_filter like on your system, but it's working. I think these iptables functions were compiled into the core kernel and don't need to be loaded by hand?<br>
<br></div>On RT-N66U:<br><br>[RT-N56U:/opt/home/admin]$ iptables -t nat -nvL --line-number<br>Chain PREROUTING (policy ACCEPT 12634 packets, 3093K bytes)<br>num pkts bytes target prot opt in out source destination <br>
1 7 408 VSERVER all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> 192.168.2.68 <br>2 1 60 REDSOCKS tcp -- br0 * <a href="http://192.168.1.0/24">192.168.1.0/24</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> <br>
<br>Chain INPUT (policy ACCEPT 8951 packets, 2655K bytes)<br>num pkts bytes target prot opt in out source destination <br><br>Chain OUTPUT (policy ACCEPT 869 packets, 336K bytes)<br>num pkts bytes target prot opt in out source destination <br>
<br>Chain POSTROUTING (policy ACCEPT 791 packets, 319K bytes)<br>num pkts bytes target prot opt in out source destination <br>1 0 0 SNAT all -- * eth3 <a href="http://192.168.1.0/24">192.168.1.0/24</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> to:192.168.2.68<br>
2 79 17197 SNAT all -- * br0 <a href="http://192.168.1.0/24">192.168.1.0/24</a> <a href="http://192.168.1.0/24">192.168.1.0/24</a> to:192.168.1.1<br><br>Chain REDSOCKS (1 references)<br>
num pkts bytes target prot opt in out source destination <br>1 0 0 RETURN all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/8">0.0.0.0/8</a> <br>
2 0 0 RETURN all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://10.0.0.0/8">10.0.0.0/8</a> <br>3 0 0 RETURN all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://127.0.0.0/8">127.0.0.0/8</a> <br>
4 0 0 RETURN all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://169.254.0.0/16">169.254.0.0/16</a> <br>5 0 0 RETURN all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://172.16.0.0/12">172.16.0.0/12</a> <br>
6 1 60 RETURN all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://192.168.0.0/16">192.168.0.0/16</a> <br>7 0 0 RETURN all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://224.0.0.0/4">224.0.0.0/4</a> <br>
8 0 0 RETURN all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://240.0.0.0/4">240.0.0.0/4</a> <br>9 0 0 RETURN all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> 66.228.50.250 <br>
10 0 0 DNAT tcp -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> match-set gfwlist dst to:<a href="http://192.168.1.1:8099">192.168.1.1:8099</a><br>
<br></div>I think the last line can prove that iptables with ipset is working. <br></div><div class="gmail_extra"><br><br><div class="gmail_quote">2014-02-16 15:53 GMT+08:00 Hartmut Krafft <span dir="ltr"><<a href="mailto:hartmut@mail.ru" target="_blank">hartmut@mail.ru</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p dir="ltr">So it seems you don't have the iptables modules loaded. Check if you have installed iptables properly. Compare with your other machine where it works.</p>
<div class="HOEnZb"><div class="h5">
<div>On Feb 16, 2014 7:51 AM, "Punk[D.M]" <<a href="mailto:punkdm@gmail.com" target="_blank">punkdm@gmail.com</a>> wrote:<br type="attribution"><blockquote style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">These are my loaded modules:<br><br>[RT-N56U:/opt/home/admin]$ lsmod<br>Module Size Used by<br>xt_set 4800 1 <br>ip_set_list_set 7408 0 <br>ip_set_bitmap_ip 6720 0 <br>
ip_set_hash_net 21056 0 <br>ip_set_hash_ip 16432 1 <br>ip_set 21904 5 xt_set,ip_set_list_set,ip_set_bitmap_ip,ip_set_hash_net,ip_set_hash_ip<br>nfnetlink 1904 1 ip_set<br>
hw_nat 36368 0 <br>
nf_nat_ftp 1152 0 <br>nf_conntrack_ftp 5072 1 nf_nat_ftp<br>usblp 9552 0 <br>ext4 275504 2 <br>jbd2 50944 1 ext4<br>mbcache 4272 1 ext4<br>
rt3090_ap 604400 0 <br>usb_storage 30912 3 <br>rt2860v2_ap 620896 0 <br>ohci_hcd 15776 0 <br>ehci_hcd 34000 0 <br></div><div class="gmail_extra"><br><br><div class="gmail_quote">
2014-02-16 5:56 GMT+08:00 Hartmut Krafft <span dir="ltr"><<a href="mailto:hartmut@mail.ru" target="_blank">hartmut@mail.ru</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I don't have such raw sockets here and the ipset works regardless.<br>
Did you check that the modules are installed?<br>
<br>
$ lsmod<br>
Module Size Used by<br>
xt_set 5293 2<br>
iptable_filter 1492 0<br>
ip_set_hash_ip 15967 1<br>
ip_set 25709 2 ip_set_hash_ip,xt_set<br>
nfnetlink 5128 2 ip_set<br>
xt_tcpudp 2094 2<br>
xt_REDIRECT 1664 1<br>
xt_LOG 11752 0<br>
iptable_nat 2551 1<br>
nf_conntrack_ipv4 12913 1<br>
nf_defrag_ipv4 1342 1 nf_conntrack_ipv4<br>
nf_nat_ipv4 3574 1 iptable_nat<br>
nf_nat 16548 3 nf_nat_ipv4,xt_REDIRECT,iptable_nat<br>
nf_conntrack 84374 4 nf_nat,nf_nat_ipv4,iptable_nat,nf_conntrack_ipv4<br>
ip_tables 11577 2 iptable_filter,iptable_nat<br>
x_tables 17000 6 ip_tables,xt_tcpudp,xt_LOG,xt_set,iptable_filter,xt_REDIRECT<br>
<div><div><br>
On Feb 15, 2014 9:41 PM, "Punk[D.M]" <<a href="mailto:punkdm@gmail.com" target="_blank">punkdm@gmail.com</a>> wrote:<br>
><br>
> Yes, I am sure the main ipset function is working:<br>
><br>
> [RT-N56U:/opt/home/admin]$ ipset -H<br>
> ipset v6.19<br>
> .......<br>
><br>
> and:<br>
><br>
> [RT-N56U:/opt/home/admin]$ ipset -L gfwlist<br>
> Name: gfwlist<br>
> Type: hash:ip<br>
> Revision: 1<br>
> Header: family inet hashsize 1024 maxelem 65536<br>
> Size in memory: 8264<br>
> References: 1<br>
> Members:<br>
><br>
> I found something, but I'm not sure it is worth thinking about:<br>
><br>
> On my other router, which is running Tomato firmware (ipset v4.5 and Linux kernel 2.6.22.19), ipset with dnsmasq is working fine; in netstat -lnp I can see dnsmasq has a RAW proto entry:<br>
><br>
> udp 0 0 <a href="http://0.0.0.0:43000" target="_blank">0.0.0.0:43000</a> 0.0.0.0:* 5590/eapd <br>
> raw 0 0 <a href="http://0.0.0.0:255" target="_blank">0.0.0.0:255</a> 0.0.0.0:* 7 12439/dnsmasq <br>
> raw 0 0 <a href="http://0.0.0.0:255" target="_blank">0.0.0.0:255</a> 0.0.0.0:* 7 16777/pppd <br>
> raw 0 0 <a href="http://0.0.0.0:255" target="_blank">0.0.0.0:255</a> 0.0.0.0:* 7 4011/socat <br>
> raw 0 0 <a href="http://0.0.0.0:255" target="_blank">0.0.0.0:255</a> 0.0.0.0:* 7 1231/ss-local<br>
><br>
> but on this RT-N56U system, no RAW entries exist:<br>
><br>
> udp 0 0 <a href="http://192.168.1.1:138" target="_blank">192.168.1.1:138</a> 0.0.0.0:* 673/nmbd <br>
> udp 0 0 <a href="http://0.0.0.0:138" target="_blank">0.0.0.0:138</a> 0.0.0.0:* 673/nmbd <br>
> udp 0 0 <a href="http://192.168.1.1:48066" target="_blank">192.168.1.1:48066</a> 0.0.0.0:* 544/miniupnpd <br>
> Active UNIX domain sockets (only servers)<br>
> Proto RefCnt Flags Type State I-Node PID/Program name Path<br>
> unix 2 [ ACC ] STREAM LISTENING 973 786/pdnsd /var/cache/pdnsd/pdnsd.status<br>
><br>
> I paid attention to the RAW because I found the error string in this section of ipset.c:<br>
><br>
> if (old_kernel && (ipset_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) != -1)<br>
> return;<br>
> <br>
> if (!old_kernel &&<br>
> (buffer = safe_malloc(BUFF_SZ)) &&<br>
> (ipset_sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER)) != -1 &&<br>
> (bind(ipset_sock, (struct sockaddr *)&snl, sizeof(snl)) != -1))<br>
> return;<br>
> <br>
> die (_("failed to create IPset control socket: %s"), NULL, EC_MISC);<br>
><br>
> Is it about a RAW check or something? I am a total novice at the C language...<br>
><br>
> It's the first time I have used a mailing list; is it right to reply all?<br>
><br>
><br>
> 2014-02-16 2:58 GMT+08:00 Hartmut Krafft <<a href="mailto:hartmut@mail.ru" target="_blank">hartmut@mail.ru</a>>:<br>
>><br>
>> Hi!<br>
>> Do you have ipset installed correctly? You need a kernel module and an admin program called ipset. You first need to create your ipsets using this program (man ipset). Only then you can use them in dnsmasq. You can check if the IP set was created correctly by issuing ipset -l gfwlist (or another name).<br>
>> But I think you are missing the basic ipset support in your system. You should have got an error creating the empty IP sets, though...<br>
>><br>
>> On Feb 15, 2014 6:50 PM, "Punk[D.M]" <<a href="mailto:punkdm@gmail.com" target="_blank">punkdm@gmail.com</a>> wrote:<br>
>> ><br>
>> > After I compiled an ASUS RT-N56U/N65U/N14U custom firmware 3.X.3.7-079 by Padavan (<a href="https://code.google.com/p/rt-n56u/" target="_blank">https://code.google.com/p/rt-n56u/</a>) with HAVE_IPSET on kernel-3.0.x (or kernel-3.4.x),<br>
>> ><br>
>> ><br>
>> > I rebooted the router and got this error in the log:<br>
>> ><br>
>> > dnsmasq[515]:failed to create IPset control socket: Protocol not supported<br>
>> ><br>
>> > and dnsmasq failed to start.<br>
>> ><br>
>> > I have some ipset settings in the dnsmasq config:<br>
>> ><br>
>> > ipset=/<a href="http://youtube.com/gfwlist" target="_blank">youtube.com/gfwlist</a><br>
>> ><br>
>> > ipset=/<a href="http://twitter.com/gfwlist" target="_blank">twitter.com/gfwlist</a><br>
>> ><br>
>> > ...etc<br>
>> ><br>
>> > Any suggestions on this? Thanks!<br>
>> ><br>
>> > Sorry for my English!<br>
>> ><br>
>> _______________________________________________<br>
>> Dnsmasq-discuss mailing list<br>
>> <a href="mailto:Dnsmasq-discuss@lists.thekelleys.org.uk" target="_blank">Dnsmasq-discuss@lists.thekelleys.org.uk</a><br>
>> <a href="http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss" target="_blank">http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss</a><br>
><br>
><br>
</div></div></blockquote></div><br></div>
</blockquote></div></div></div><br>
<br></blockquote></div><br></div>
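The thread above checks three things by hand: which ipset/netfilter modules lsmod shows, whether the set named in the dnsmasq config exists, and whether an iptables rule actually matches on it. The script below is an added example, not code from the thread, from dnsmasq or from the Padavan firmware: it wraps those checks in functions that take command output as text, so they can be exercised on constructed samples (modelled on the listings in the thread) and then run against the real commands with --live. The dnsmasq config path in check_router() is an assumption; override it with DNSMASQ_CONF.

```shell
#!/bin/sh
# Added example, not from the thread or from dnsmasq/ipset: a checker for the
# dnsmasq -> ipset -> iptables chain the thread is debugging. Functions take
# command output as text so they work on constructed samples; check_router()
# feeds them the live commands. Paths in it are assumptions.

# Set names dnsmasq will populate, one per line. dnsmasq's syntax is
# ipset=/domain[/domain...]/set[,set...], so the names follow the last slash.
dnsmasq_ipset_names() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*ipset=\/.*\/\([^/]*\)$/\1/p' \
      | tr ',' '\n' | sed 's/[[:space:]]//g' | grep -v '^$' | sort -u
}

# Of the modules dnsmasq's ipset support relies on, those absent from the
# lsmod text in $1. A module compiled into the kernel never shows in lsmod
# (the Tomato box lists neither ip_tables nor iptable_nat), so an empty
# result proves nothing by itself. A missing nfnetlink does explain
# "failed to create IPset control socket: Protocol not supported": the
# kernel refuses an AF_NETLINK socket for NETLINK_NETFILTER while nothing
# has registered that protocol.
ipset_modules_missing() {
    for mod in nfnetlink ip_set xt_set; do
        printf '%s\n' "$1" | grep -q "^$mod[[:space:]]" || printf '%s\n' "$mod"
    done
}

# Names in $1 (whitespace separated) that the `ipset list -n` output in $2 lacks.
missing_sets() {
    for name in $1; do
        printf '%s\n' "$2" | grep -qx -- "$name" || printf '%s\n' "$name"
    done
}

# Succeed if the iptables listing in $2 (-S or -nvL output) has a rule that
# matches on set $1; without one, dnsmasq fills the set and nothing uses it.
set_is_referenced() {
    printf '%s\n' "$2" | grep -q -- "match-set $1 "
}

# Live run on the router. Config path is an assumption; set DNSMASQ_CONF.
check_router() {
    conf=$(cat "${DNSMASQ_CONF:-/etc/dnsmasq.conf}")
    names=$(dnsmasq_ipset_names "$conf")
    [ -n "$names" ] || { echo "no ipset= lines in dnsmasq config"; return 1; }
    lsmod_out=$(lsmod)
    for m in $(ipset_modules_missing "$lsmod_out"); do
        echo "not in lsmod (missing, or built into the kernel?): $m"
    done
    existing=$(ipset list -n)
    for s in $(missing_sets "$names" "$existing"); do
        echo "set named in dnsmasq config but not created: $s"
    done
    rules=$(iptables -t nat -S; iptables -S)
    for s in $names; do
        set_is_referenced "$s" "$rules" || echo "no iptables rule uses set: $s"
    done
}

# Constructed samples for offline use, modelled on the listings in the thread.
SAMPLE_CONF='ipset=/youtube.com/gfwlist
ipset=/twitter.com/gfwlist
ipset=/example.net/gfwlist,direct
log-queries'
SAMPLE_LSMOD='Module Size Used by
xt_set 4800 1
ip_set 21904 5 xt_set,ip_set_hash_ip
hw_nat 36368 0'
SAMPLE_SETS='gfwlist'
SAMPLE_RULES='-A REDSOCKS -p tcp -m set --match-set gfwlist dst -j DNAT --to-destination 192.168.1.1:8099'

if [ "${1:-}" = "--live" ]; then
    check_router
fi
```

Run it as `sh check-ipset.sh --live` on the router; with no argument it only defines the functions and samples, so it can be sourced and its pieces tried one at a time. On the sample data it reports nfnetlink as not in lsmod and the set `direct` as named in the config but never created, which is the shape of gap the thread is hunting for.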