[Dnsmasq-discuss] ipset add ipv6 address to ipv4 sets.

Justin cattyhouse at gmail.com
Mon Jan 10 10:51:15 UTC 2022


Btw, I see from the commits that there will be an option to filter AAAA; if
that is released, please take ipset= into account. Thanks.

On Mon, Jan 10, 2022 at 18:44 Justin <cattyhouse at gmail.com> wrote:

> OK, I agree: if it is the wrong family, at most it is ignored by ipset.
>
> But if ipset=/google.com/proxyv4,proxyv6
>
> then dnsmasq will likely run ipset add at least 4 times (twice for one
> ipv4 and twice for one ipv6)
>
>
>
> On Mon, Jan 10, 2022 at 06:14 Simon Kelley <simon at thekelleys.org.uk>
> wrote:
>
>> On 09/01/2022 06:37, Justin wrote:
>> > So, I have
>> >
>> > local=/google.com/8.8.8.8
>> > ipset=/google.com/proxy
>> >
>> > when "curl google.com"
>> > dnsmasq log shows:
>> >
>> > ipset add proxy 142.250.217.142 google.com
>> > ipset add proxy 2607:f8b0:4007:818::200e google.com
>> >
>> > looks like dnsmasq does not check whether the SETNAME "proxy" is ipv4 or ipv6.
>> > so "ipset add proxy 2607:f8b0:4007:818::200e google.com" is not going to work.
>> >
>> > while on ipset command:
>> >
>> > "ipset create testname hash:net" by default creates an ipv4 family.
>> > there seems to be no way to create a SETNAME that contains both ipv4
>> > and ipv6 family.
>> >
>> > finally, my suggestion: can dnsmasq check the SETNAME family and not
>> > try to add an ipv4 or ipv6 ip to the wrong family?
>> >
>>
>>
>> It could, and there are two ways it could.
>>
>> 1) Check the address family of the ipset at startup - this will
>> misbehave if the ipset is (for instance) deleted and recreated with a
>> different AF.
>>
>> 2) Check the address family of the ipset each time it does an insertion.
>> This is OK, but it's actually more work than what happens now, which is
>> that the code attempts to insert the address anyway, and if it's the
>> wrong AF, the ipset code ignores it.
>>
>>
>> The main downside to the current system is that the logging is
>> misleading. Maybe just mentioning this behaviour in the man page is the
>> best fix?
>>
>>
>> If you're interested in IPv6 and IPv4 addresses, you need two ipsets
>> and something like
>>
>>  ipset=/google.com/proxyv4,proxyv6
>>
>>
>> Cheers
>>
>> Simon.
>>
>> > thanks
> --
>
> Regards
> Justin He
>
-- 

Regards
Justin He
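
Added example, not part of the original thread and not dnsmasq code: since the thread notes that dnsmasq logs an "ipset add" line even when ipset ignores the address for being the wrong family, this script cross-checks logged adds against each set's family as reported in the `Header:` line of `ipset list -t`. The set names, the `gone` set, and both sample inputs are constructed and abbreviated; the log line format is assumed to match the lines quoted in the thread.

```python
import ipaddress
import re

# Constructed, abbreviated `ipset list -t` output (only the fields used here).
IPSET_LIST = """\
Name: proxyv4
Header: family inet hashsize 1024 maxelem 65536
Name: proxyv6
Header: family inet6 hashsize 1024 maxelem 65536
"""

# Constructed log lines, as for ipset=/google.com/proxyv4,proxyv6
LOG = """\
ipset add proxyv4 142.250.217.142 google.com
ipset add proxyv6 142.250.217.142 google.com
ipset add proxyv4 2607:f8b0:4007:818::200e google.com
ipset add proxyv6 2607:f8b0:4007:818::200e google.com
ipset add gone 142.250.217.142 google.com
"""

LOG_RE = re.compile(r"ipset add (\S+) (\S+) \S+$")

def set_families(listing):
    """Map set name -> IP version (4 or 6) from Name:/Header: lines."""
    families, name = {}, None
    for line in listing.splitlines():
        if line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Header:") and name:
            m = re.search(r"\bfamily (inet6?)\b", line)
            if m:
                families[name] = 6 if m.group(1) == "inet6" else 4
    return families

def classify(log, families):
    """Label each logged add: 'match', 'ignored' (wrong family) or 'unknown-set'."""
    out = []
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        setname, addr = m.groups()
        try:
            version = ipaddress.ip_address(addr).version
        except ValueError:
            continue  # not an address; skip the line
        fam = families.get(setname)
        status = "unknown-set" if fam is None else "match" if fam == version else "ignored"
        out.append((setname, addr, status))
    return out
```

With the sample input, two of the four logged adds for the two-set configuration are family mismatches, which is the "at least 4 times" case raised in the thread.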