[Dnsmasq-discuss] Can not add query results to ipset after v2.86test2

Xingcong Li lixingcong512 at gmail.com
Tue Jun 29 03:21:52 UTC 2021


Hello, I found the commit 627056febbf1b08e3028700184ee2f6c7ae799c6 breaks
the legacy support of ipset. Here is my config to reproduce the problem.

# /tmp/dnsmasq.conf
port=30000
server=8.8.8.8
server=/google.com/1.1.1.1
ipset=/google.com/test

I use dig to query google.com, expecting to add DNS to an ipset named
'test'.

$ sudo ipset create test hash:ip
$ sudo src/dnsmasq -d -C /tmp/dnsmasq.conf -q
$ dig @localhost -p30000 google.com

In commit cbd76447fd46b7ed60c63dab95d7119f2420fc23 (parent of 627056febb),
everything works fine:

dnsmasq: started, version 2.86test2-9-gcbd7644 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n
no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-cryptohash
no-DNSSEC loop-detect inotify dumpfile
dnsmasq: using nameserver 1.1.1.1#53 for domain google.com
dnsmasq: using nameserver 8.8.8.8#53
dnsmasq: reading /etc/resolv.conf
dnsmasq: using nameserver 1.1.1.1#53 for domain google.com
dnsmasq: using nameserver 8.8.8.8#53
dnsmasq: using nameserver 127.0.0.53#53
dnsmasq: read /etc/hosts - 8 addresses
dnsmasq: query[A] google.com from 127.0.0.1
dnsmasq: forwarded google.com to 1.1.1.1
dnsmasq: ipset add test 172.217.26.142 google.com
dnsmasq: reply google.com is 172.217.26.142

In commit 627056febbf1b08e3028700184ee2f6c7ae799c6, answers could not be
added to ipset.

dnsmasq: started, version 2.86test2-11-g9731298 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n
no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-cryptohash
no-DNSSEC loop-detect inotify dumpfile
dnsmasq: using nameserver 1.1.1.1#53 for domain google.com
dnsmasq: using nameserver 8.8.8.8#53
dnsmasq: reading /etc/resolv.conf
dnsmasq: using nameserver 1.1.1.1#53 for domain google.com
dnsmasq: using nameserver 8.8.8.8#53
dnsmasq: using nameserver 127.0.0.53#53
dnsmasq: read /etc/hosts - 8 addresses
dnsmasq: query[A] google.com from 127.0.0.1
dnsmasq: forwarded google.com to 1.1.1.1
dnsmasq: reply google.com is 142.250.66.46

I added printf() to locate the problem (in function process_reply(), src
file = forward.c):

#ifdef HAVE_IPSET
if (daemon->ipsets && extract_request(header, n, daemon->namebuff, NULL))
{
  printf("searching ipset now\n");

  /* Similar algorithm to search_servers. */
  struct ipsets *ipset_pos;
  unsigned int namelen = strlen(daemon->namebuff);
  unsigned int matchlen = 0;
  for (ipset_pos = daemon->ipsets; ipset_pos; ipset_pos = ipset_pos->next)

In commit 627056febb there is no "searching ipset now" in running logs. The
return value of extract_request() is 0. It is possible that forwarded DNS
queries are not allowed to be added to ipset.

Can I use legacy ipset support in future releases?

Regards,
Xingcong Li
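
A regression check for the symptom reported above, as an added example that is not part of the original message or of dnsmasq: it reads the `ipset=` lines of a config and a `-q` query log, and lists every address reply for a matching domain that has no corresponding `ipset add` line. The function names are hypothetical, the log formats are taken from the two runs shown in the message, and the longest-suffix match is an assumption.

```python
import ipaddress
import re

# Constructed sample input: config and log lines copied from the message above.
CONF = "server=/google.com/1.1.1.1\nipset=/google.com/test\n"
GOOD_LOG = """dnsmasq: forwarded google.com to 1.1.1.1
dnsmasq: ipset add test 172.217.26.142 google.com
dnsmasq: reply google.com is 172.217.26.142"""
BAD_LOG = """dnsmasq: forwarded google.com to 1.1.1.1
dnsmasq: reply google.com is 142.250.66.46"""

ADD = re.compile(r"ipset add (\S+) (\S+) (\S+)")   # set, address, name
REPLY = re.compile(r"reply (\S+) is (\S+)")        # name, answer

def parse_ipset_rules(conf_text):
    """Return [(domain, [sets])] from ipset=/<domain>[/<domain>...]/<set>[,<set>...]."""
    rules = []
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("ipset=/"):
            *domains, sets = line[len("ipset=/"):].split("/")
            rules += [(d.lower().rstrip("."), sets.split(",")) for d in domains]
    return rules

def sets_for(name, rules):
    """Sets of the longest configured domain matching name on a label boundary
    (assumed to mirror the longest-match search the quoted code describes)."""
    name = name.lower().rstrip(".")
    hits = [r for r in rules if name == r[0] or name.endswith("." + r[0])]
    return max(hits, key=lambda r: len(r[0]))[1] if hits else []

def missing_ipset_adds(conf_text, log_text):
    """List (set, address, name) for logged replies with no 'ipset add' line."""
    rules = parse_ipset_rules(conf_text)
    added = {(m[1], m[2], m[3].lower()) for m in ADD.finditer(log_text)}
    missing = []
    for m in REPLY.finditer(log_text):
        name, answer = m[1], m[2]
        try:
            ipaddress.ip_address(answer)
        except ValueError:
            continue  # non-address answers such as <CNAME> or NODATA
        missing += [(s, answer, name) for s in sets_for(name, rules)
                    if (s, answer, name.lower()) not in added]
    return missing

if __name__ == "__main__":
    print("working build:", missing_ipset_adds(CONF, GOOD_LOG))
    print("broken build: ", missing_ipset_adds(CONF, BAD_LOG))
```

An empty result means every forwarded address reply for an `ipset=` domain was added; any entry is a reply that reached the client without populating the set a firewall rule may depend on.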