* [ipset] Can't resolve domain names containing an hyphen "-"
@ 2025-08-22 15:52 Pierre Mazière
From: Pierre Mazière @ 2025-08-22 15:52 UTC
To: netfilter-devel
Hello,
I might have found a bug in ipset domain name resolving code:
--------------------------------------------------------------
# ipset create testset hash:ip
# ipset add testset hyphen-containing.example.com
ipset v7.2x: Syntax error: cannot parse hyphen: resolving to IPv4 address failed
----------------------------------------------------------------
This is the output of ipset 7.22 in an up-to-date Debian testing system as well
as of 7.24 directly compiled from the git repository.
The issue seems to be located in the parse_ipaddr function of
lib/parse.c: the function attempts to find if the string pointed to by the str
argument is a range of IPs containing IPSET_RANGE_SEPARATOR defined in
include/libipset/parse.h as "-".
If IPSET_RANGE_SEPARATOR is found, it is replaced by '\0' which results
in the truncation of the string pointed by the str argument.
If the string is a domain name then the subsequent attempt to resolve it
fails because it is incomplete compared to what was passed initially to
the parse_ipaddr function.
I don't have any understanding of what is done before or after
this step. Therefore, if you consider this report as valid, I'll leave
to the relevant developer the task to fix this issue in the most secure
and appropriate way.
Many thanks to all involved developers and non-developers for their work on
this very important set of tools that is netfilter!
Pierre
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [ipset] Can't resolve domain names containing an hyphen "-"
@ 2025-08-22 16:41 ` Jan Engelhardt
From: Jan Engelhardt @ 2025-08-22 16:41 UTC
To: Pierre Mazière; +Cc: netfilter-devel
On Friday 2025-08-22 17:52, Pierre Mazière wrote:
>--------------------------------------------------------------
># ipset create testset hash:ip
># ipset add testset hyphen-containing.example.com
>ipset v7.2x: Syntax error: cannot parse hyphen: resolving to IPv4 address failed
>----------------------------------------------------------------
>
>The issue seems to be located in the parse_ipaddr function of
>lib/parse.c: the function attempts to find if the string pointed to by the str
>argument is a range of IPs containing IPSET_RANGE_SEPARATOR defined in
>include/libipset/parse.h as "-".
>If IPSET_RANGE_SEPARATOR is found, it is replaced by '\0' which results
>in the truncation of the string pointed by the str argument.
And this is well documented in the manpage.
If host names or service names with dash in the name are used instead of
IP addresses or service numbers, then the host name or service name must
be enclosed in square brackets.
^ permalink raw reply [flat|nested] 2+ messages in thread
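The truncation described in the report and the square-bracket rule quoted from the manpage, as an added C sketch that is not part of the thread and not ipset's own code. The names `take_elem` and `split_range` are hypothetical, the host names are constructed, and accepting brackets on both ends of a range is an assumption of this sketch.

```c
#include <stdio.h>
#include <string.h>

#define RANGE_SEP '-' /* the thread gives IPSET_RANGE_SEPARATOR as "-" */

/* Hypothetical helper: take one element; if brackets != 0, "[...]" protects
 * dashes. *rest = separator after it or NULL. NULL return = malformed. */
static char *take_elem(char *elem, int brackets, char **rest)
{
    if (!brackets || *elem != '[') {
        *rest = strchr(elem, RANGE_SEP);
        return elem;
    }
    char *close = strchr(elem, ']');
    if (close == NULL || (close[1] != '\0' && close[1] != RANGE_SEP))
        return NULL;
    *rest = close[1] != '\0' ? close + 1 : NULL;
    *close = '\0';
    return elem + 1;
}

/* Split "from-to" in place. brackets == 0 is the naive split the report
 * describes. Returns 0 on success, -1 if malformed; *to is NULL when the
 * input is a single element rather than a range. */
static int split_range(char *str, int brackets, char **from, char **to)
{
    char *rest, *rest2;
    *to = NULL;
    if ((*from = take_elem(str, brackets, &rest)) == NULL)
        return -1;
    if (rest == NULL)
        return 0;
    *rest = '\0'; /* cut at the separator, truncating *from */
    if ((*to = take_elem(rest + 1, brackets, &rest2)) == NULL || rest2 != NULL)
        return -1;
    return 0;
}

int main(void)
{
    char plain[] = "hyphen-containing.example.com";    /* constructed input */
    char quoted[] = "[hyphen-containing.example.com]"; /* constructed input */
    char *from, *to;
    split_range(plain, 0, &from, &to);
    printf("naive:   from=%s\n", from);
    if (split_range(quoted, 1, &from, &to) == 0)
        printf("bracket: from=%s\n", from);
    return 0;
}
```

An unbracketed hyphenated name is still cut at the first dash even with bracket handling enabled, which is why the name has to be bracketed by the caller.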