wulfy23
commented
1 year ago Thanks alot for the info and not PEBKAC.
We didn;tdont run fw4 so will need to look into the underlying change causing the above behavior (first guess is the dnsmasq init.d logic). I'm only using ipsets for QoS on my system so its semi non-critical but any peeps using 'sets' for security rules should probably downgrade or use 'release/stable'...
As a (guess at a quick) workaround removing nft style packages MAY correct the issues above but not sure how it detects firewall (ipset method) in use...
(I removed the 'auto' offering of this 'current' build in the interim ~ also due to luci breaking if argon is selected ~ and if i'm unable to resolve by 5 hours time I'll re-upload the previous 'current' build and re-instate that but it is getting borderline long in the tooth) OR thinking aloud we may finally have to make the jump to fw4 which is pretty ironed out by now barring some auxillary package foibles and whatnot... hmmmmm....
EDIT1: ok so without checking source level changes /solutions/workrounds/comments yet... master seems to not add in ipset support any more...
Sun Nov 13 12:24:02 2022 daemon.err dnsmasq[11080]: nftset inet fw4 usrcdn Error: No such file or directory
Sun Nov 13 12:24:02 2022 daemon.err dnsmasq[11080]: nftset inet fw4 usrcdn6 Error: No such file or directory
Sun Nov 13 12:25:24 2022 daemon.err dnsmasq[11080]: nftset inet fw4 bulk Error: No such file or directory
Sun Nov 13 12:25:24 2022 daemon.err dnsmasq[11080]: nftset inet fw4 bulk6 Error: No such file or directory
[root@rpi-dca6325631 ../r212fw4usrcdnTHING 53°]# ipset -L | grep usrcdn
Name: usrcdn
Name: usrcdn6
^C
[root@rpi-dca6325631 ../r212fw4usrcdnTHING 54°]# ipset -L | grep bulk
Name: bulk
Name: bulk6
^C
[root@rpi-dca6325631 ../r212fw4usrcdnTHING 55°]# dnsmasq -v
Dnsmasq version 2.87 Copyright (c) 2000-2022 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack >>> no-ipset<<< nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
need to check if they have an ipset variant or whether we run parrallel nftsets or just switch to nftables/fw4 totally...
(sidenote: the lineage of those entries are from sqm and custom classification so for alot of people they could just be remnants of trying my sqm script and can be removed from the dnsmasq config entirely... albeit we still need to address issue at hand with high priority)
EDIT2:
snapshot_7.1.75-11_r21243 ( as 'current' ) is a manually 'operated on' build selection ditching all iptables stuff as previously harmonious dual install behavior is broken pretty badly. will leave this up for a bit to see if/what comes up before going much further... anyone using vpn policies / custom iptables.user / banip etc. etc. should steer clear of master/current maybe, while this transition / method is investigated further...
for me, i'm kind of ok to jump back to 22 or 21 for iptables if I need that stuff for the time being... ( but I pretty much run master most of the time... the QoS stuff being first on my list of stuff to verify / optimise / update / whatever )... as for the masq errors... they are mostly 'informational' so i'm just gonna leave that stuff in my config for a while as it's good for debugging purposes...
EDIT3:
lol, those errors are still present... they (set creation) were instantiated via QoS script... so may need to update that but surprised OS will not instantiate non existing set before trying to add... anyway, as mentioned most people can just remove those ipsets from their dnsmasq config...
( apart from non-existing set use by masq it's mostly stuff I have to update / remove on my end -> aka all previous build related firewall stuff is pretty void for now - unless obviously it breaks something important / general normal operation of OS )
LionHeartP
Hi all. As per the title, something must have changed in the newest snapshot's firewall configuration. My log is full of errors;
Any solutions? PEBKAC perhaps? xD