From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Guido Trentalancia <guido@trentalancia.com>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: Signature for newly released iptables-1.8.11 package
Date: Wed, 12 Mar 2025 13:07:32 +0100
Message-ID: <Z9F5BA6nx35fIYHW@calendula>
In-Reply-To: <1741780160.5386.23.camel@trentalancia.com>

Hi,

On Wed, Mar 12, 2025 at 12:49:20PM +0100, Guido Trentalancia wrote:
> Hello Pablo this is off-list.
> 
> By the way, there is a patch that seems to be stuck on the basis of the
> fact that an existing feature such as hostname-based iptables rules are
> presumably unsafe.
> 
> I am referring to the following patch:
> 
> https://lore.kernel.org/netfilter-devel/1741369231.5380.37.camel@trentalancia.com/T/#m5e68fc86c299f9d7d372813397253dcda1086170
> 
> The comments have just been looping on the assumption that hostname-
> based filtering is unsafe and should not be used, while circumstances
> might vary, the feature is not necessarily unsafe and in any case the
> real problem of possible DNS failures, which might cause the dropping
> of all rules (leaving the system in a truly unsafe state), is not being
> addressed.
> 
> I hope this helps.

Thanks for your feedback.

I agree with what has been said on this already on the mailing list,
you should not rely on filter by name
