stangri / source.openwrt.melmac.net

OpenWrt Packages
GNU General Public License v3.0

[pbr] wish: populate ipset automatically #166

Closed bonuzzz closed 1 year ago

bonuzzz commented 1 year ago

I have adguardhome as the primary dns server, so dnsmasq doesn't populate the ipset list, because it doesn't receive dns requests from clients. To populate the ipset I have a script, but probably pbr would have an internal method to do it.

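#!/bin/bash
# Strip everything up to the last ':' on each line of pbr's dnsmasq file,
# then look up what remains through dnsmasq so it sees the request.
sed -e "s/.*\://" /tmp/dnsmasq.d/pbr |
while IFS=' ' read -r line; do
    nslookup "$line" 127.0.0.1:5553 >/dev/null
done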

5553 is the port of dnsmasq

stangri commented 1 year ago

@bonuzzz Can you please help me understand how it is different from setting resolver_set to none?

bonuzzz commented 1 year ago

It's not the same, because rules don't affect subdomains there. But I just noticed my script doesn't affect them either.

The problem now is: I want to use the dnsmasq.ipset resolver, so I have to use dnsmasq as the primary dns server, otherwise dnsmasq doesn't receive any requests from clients and the ipset list isn't populated. I tried to solve it with nslookup or dig to send requests through dnsmasq specially. But I forgot about subdomains.

stangri commented 1 year ago

Right, so to confirm you want pbr to populate ipsets just like dnsmasq does?

bonuzzz commented 1 year ago

Yes. When I use adguardhome as the upstream dns server, it has the router's ip as the source of requests. This is the main problem which I want to solve.

stangri commented 1 year ago

> Right, so to confirm you want pbr to populate ipsets just like dnsmasq does?

Yeah, that's not something I would consider for pbr.

If you can convince AdGuardHome people to populate ipsets or nft sets, given a specific file similar to dnsmasq, I can consider implementing support for AGH in the resolver_set option.

I'm going to close this as won't fix.

bonuzzz commented 1 year ago

Like this one? https://github.com/AdguardTeam/AdGuardHome/commit/88812f05f56438151e70856250b1db6de62eaef6

And I found another parameter in the documentation:

ipset_file (since v0.107.13): Same as ipset, but the rules are read from a file. If this property is set, property ipset is ignored.

stangri commented 1 year ago

Yes, that's a great discovery, exactly like that.

I can look into it if you can provide a sample of a working configuration -- the main yaml config file and the ipset_file.

UPDATE: please either change the subject to: "[wish] support adguardhome.ipset as resolver_set option" and reopen this when AGH 107.13 has been backported to 22.03 or open a new issue with the subject above when this happens and you can provide working yaml files.