From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: netfilter@vger.kernel.org
Subject: Re: Dynamic IP address in a rule?
Date: Mon, 27 Apr 2009 13:48:25 +0200	[thread overview]
Message-ID: <49F59B89.3060706@plouf.fr.eu.org> (raw)
In-Reply-To: <1822.192.168.1.3.1240821057.squirrel@webmail.decimal.pt>

Hello,

Jorge Bastos a écrit :
> 
> That is no solution. It may be for your scenario but not for most
> people. Just think, if who makes the connection is a modem, and you have
> your *unix machine on NAT, that won't work.

Whether the host is behind a NAT device or not is irrelevant. If there 
is a NAT device, its address is irrelevant to the iptables running on 
the host behind it.

> For iptables to do a DNS query every time a packet comes, that's a disaster.
> But another thing comes to mind, when doing: "iptables -L" it does a reverse
> lookup on the IPs, is iptables doing a reverse lookup on every packet? or
> only when listing the rules?

Only when adding/removing/listing rules.
iptables comes in two parts:
1) A userland part, usually the iptables command, adds/removes/lists 
rules into the kernel. Before doing so it may do DNS lookups to resolve 
names into addresses.
2) A kernel part which enforces the ruleset for every packet. It does 
not do DNS lookups, as the kernel itself does not even know about DNS 
(/etc/resolv.conf et al. are userland stuff).

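The split Pascal describes above, modelled in Python as an added example (this is not code from the thread or from the iptables project): a userland front end that resolves a hostname once, when the rule is added, and a kernel-side matcher that only ever compares numeric addresses and has no resolver to call. It also shows why a rule written with a hostname goes stale when the remote address changes, and what a periodic refresh job has to do about it. The host table, names and addresses are constructed so the example runs offline; `system_lookup` shows the real resolver call the iptables binary would make but is not exercised.

```python
"""Userland resolves names at rule-insertion time; the kernel matches numbers only.

Everything below is a constructed model: FAKE_DNS stands in for the resolver,
kernel_match stands in for the netfilter matching code. No real DNS or netfilter
is touched. (Added example, not the original poster's or the project's code.)
"""
import ipaddress
import socket
from dataclasses import dataclass

# Constructed stand-in for DNS so the example runs offline (assumption).
FAKE_DNS = {
    "home.example.net": "198.51.100.7",
    "office.example.net": "203.0.113.40",
}


def fake_lookup(name):
    """Resolver used by the example; raises the same error type as getaddrinfo."""
    try:
        return FAKE_DNS[name]
    except KeyError:
        raise socket.gaierror(f"cannot resolve {name}")


def system_lookup(name):
    """The real resolver path the iptables binary would take (not used by the tests)."""
    return socket.getaddrinfo(name, None, socket.AF_INET)[0][4][0]


@dataclass(frozen=True)
class Rule:
    source_name: str                  # what the admin typed (may be a hostname)
    source: ipaddress.IPv4Address     # what is actually handed to the kernel
    target: str


def _is_literal_address(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ipaddress.AddressValueError:
        return False


def userland_add_rule(spec_source, target, lookup=fake_lookup):
    """Userland half: resolve a name *now* and hand the kernel a numeric rule.

    A literal address is taken as-is; a hostname is looked up exactly once,
    here, and never again unless someone re-adds the rule.
    """
    if _is_literal_address(spec_source):
        addr = ipaddress.IPv4Address(spec_source)
    else:
        addr = ipaddress.IPv4Address(lookup(spec_source))
    return Rule(source_name=spec_source, source=addr, target=target)


def kernel_match(rules, packet_src, default="DROP"):
    """Kernel half: compare the packet's source against each rule's numeric address.

    Note that no lookup function is reachable from here: the kernel holds only
    addresses, so a packet from a host whose DNS record changed after the rule
    was added falls through to the chain policy.
    """
    src = ipaddress.IPv4Address(packet_src)
    for rule in rules:
        if rule.source == src:
            return rule.target
    return default


def refresh_rules(rules, lookup=fake_lookup):
    """Re-resolve every name-based rule and swap in the new address where it changed.

    This is the job a cron script has to do to follow a dynamic address.
    Returns (new_rules, changes) where changes lists (name, old_addr, new_addr).
    """
    updated, changes = [], []
    for rule in rules:
        if _is_literal_address(rule.source_name):
            updated.append(rule)          # literal address: nothing to refresh
            continue
        new_addr = ipaddress.IPv4Address(lookup(rule.source_name))
        if new_addr != rule.source:
            changes.append((rule.source_name, rule.source, new_addr))
            rule = Rule(rule.source_name, new_addr, rule.target)
        updated.append(rule)
    return updated, changes


def render_iptables(rule):
    """The equivalent real command line: note that only the literal address survives."""
    return f"iptables -A INPUT -s {rule.source} -j {rule.target}"


if __name__ == "__main__":
    rules = [userland_add_rule("home.example.net", "ACCEPT")]
    print(render_iptables(rules[0]))
    print(kernel_match(rules, "198.51.100.7"))     # matches the address resolved at add time
    FAKE_DNS["home.example.net"] = "198.51.100.99"  # the remote end got a new lease
    print(kernel_match(rules, "198.51.100.99"))    # still the old address in the "kernel"
    rules, changed = refresh_rules(rules)
    print(changed, kernel_match(rules, "198.51.100.99"))
```

The refresh step is the part that matters for the thread's question: nothing in the kernel will ever re-resolve the name, so a rule for a dynamic host has to be deleted and re-added (or an ipset entry replaced) by a userland job whenever the address changes. On the listing question, `iptables -L -n` suppresses the reverse lookups that plain `iptables -L` performs.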
Thread overview: 13+ messages
2009-04-25 12:12 Dynamic IP address in a rule? Paddie O'Brien
2009-04-26 19:43 ` Jorge Bastos
2009-04-26 22:38   ` Bruno Moreira Guedes
2009-04-27  8:30     ` Jorge Bastos
2009-04-27  8:52       ` Daniel Huhardeaux
2009-04-27  8:56         ` Jorge Bastos
2009-04-27 11:48       ` Pascal Hambourg [this message]
2009-04-27  6:41   ` lists
2009-04-27  6:46     ` Ivan Petrushev
2009-04-27  6:56       ` lists
2009-04-27  7:08         ` Ivan Petrushev
2009-04-27 13:23     ` Bruno Moreira Guedes
2009-04-27 11:57 ` Pascal Hambourg