* [PATCH iptables] libxtables: Call ipaddr_to_network before ipaddr_to_host.
From: Hani Benhabiles @ 2013-12-09 20:02 UTC
To: netfilter-devel

Call ipaddr_to_network before ipaddr_to_host.

This saves waiting for a reverse DNS lookup query when the entry is present in
/etc/networks. This also follows the same order as in rules creation.

Signed-off-by: Hani Benhabiles <kroosec@gmail.com>
---
libxtables/xtables.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libxtables/xtables.c b/libxtables/xtables.c index fb60c01..bb25262 100644 --- a/libxtables/xtables.c +++ b/libxtables/xtables.c @@ -1207,8 +1207,8 @@ const char *xtables_ipaddr_to_anyname(const struct in_addr *addr) { const char *name; - if ((name = ipaddr_to_host(addr)) != NULL || - (name = ipaddr_to_network(addr)) != NULL) + if ((name = ipaddr_to_network(addr)) != NULL || + (name = ipaddr_to_host(addr)) != NULL) return name; return xtables_ipaddr_to_numeric(addr);
-- 
1.8.3.2
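Review bot: the hunk in xtables_ipaddr_to_anyname() changes which name is printed for an address that has both an /etc/networks entry and a host name, and the commit message does not say so. With `- if ((name = ipaddr_to_host(addr)) != NULL ||` evaluated first the host name was returned for such an address; with `+ if ((name = ipaddr_to_network(addr)) != NULL ||` first the network name is returned and the host lookup is skipped. The message only records the saved reverse lookup and the match with rule-creation order, so please add a sentence stating that network names now take precedence over host names in listing output, so the visible behaviour change is recorded with the commit rather than only in the review thread.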
* Re: [PATCH iptables] libxtables: Call ipaddr_to_network before ipaddr_to_host.
From: Pablo Neira Ayuso @ 2013-12-30 17:46 UTC
To: Hani Benhabiles; +Cc: netfilter-devel

On Mon, Dec 09, 2013 at 09:02:23PM +0100, Hani Benhabiles wrote:
> Call ipaddr_to_network before ipaddr_to_host.
>
> This saves waiting for a reverse DNS lookup query when the entry is present in
> /etc/networks. This also follows the same order as in rules creation.

This saves time and it makes sense to me to check the local file before
name resolution via the network, but...

> Signed-off-by: Hani Benhabiles <kroosec@gmail.com>
> ---
> libxtables/xtables.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/libxtables/xtables.c b/libxtables/xtables.c > index fb60c01..bb25262 100644 > --- a/libxtables/xtables.c > +++ b/libxtables/xtables.c > @@ -1207,8 +1207,8 @@ const char *xtables_ipaddr_to_anyname(const struct in_addr *addr) > { > const char *name; > > - if ((name = ipaddr_to_host(addr)) != NULL || > - (name = ipaddr_to_network(addr)) != NULL) > + if ((name = ipaddr_to_network(addr)) != NULL || > + (name = ipaddr_to_host(addr)) != NULL)

My only concern is the remote case in which you may have a network
name that overlaps with some existing host name; in that case the
expected output is different.
* Re: [PATCH iptables] libxtables: Call ipaddr_to_network before ipaddr_to_host.
From: Hani Benhabiles @ 2013-12-31 17:50 UTC
To: Pablo Neira Ayuso; +Cc: netfilter-devel

Hi Pablo,

On Mon, Dec 30, 2013 at 06:46:03PM +0100, Pablo Neira Ayuso wrote:
> On Mon, Dec 09, 2013 at 09:02:23PM +0100, Hani Benhabiles wrote:
> > Call ipaddr_to_network before ipaddr_to_host.
> >
> > This saves waiting for a reverse DNS lookup query when the entry is present in
> > /etc/networks. This also follows the same order as in rules creation.
>
> This saves time and it makes sense to me to check the local file before
> name resolution via the network, but...
>
> > Signed-off-by: Hani Benhabiles <kroosec@gmail.com>
> > ---
> > libxtables/xtables.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/libxtables/xtables.c b/libxtables/xtables.c > > index fb60c01..bb25262 100644 > > --- a/libxtables/xtables.c > > +++ b/libxtables/xtables.c > > @@ -1207,8 +1207,8 @@ const char *xtables_ipaddr_to_anyname(const struct in_addr *addr) > > { > > const char *name; > > > > - if ((name = ipaddr_to_host(addr)) != NULL || > > - (name = ipaddr_to_network(addr)) != NULL) > > + if ((name = ipaddr_to_network(addr)) != NULL || > > + (name = ipaddr_to_host(addr)) != NULL)
>
> My only concern is the remote case in which you may have a network
> name that overlaps with some existing host name; in that case the
> expected output is different.
>

This is already the case in rules creation. In xtables.c:ipparse_hostnetwork() we have the network_to_ipaddr() call prior to the host_to_ipaddr() call.

I believe that a consistent behaviour for users is important, i.e. either network names or host names should come first in both resolving and reverse resolving.

Maybe we should be consistent and make host names a priority in rules creation, then? However, I believe networks should come first, mainly due to the potential time/bandwidth save.

Regards,
Hani.
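The precedence question the thread turns on, as an added example in C that is not part of the patch, of libxtables or of iptables: two constructed tables stand in for /etc/networks and /etc/hosts, and resolve() consults them in the old order (host first) and the new order (network first), mirroring the short-circuit shape of xtables_ipaddr_to_anyname(). The file contents, the names (loopback, lan, dmz, dmz-gw, localhost, fileserver), the padding of short network numbers to four octets and the exact-match lookup are assumptions made for the demo; they do not reproduce glibc's NSS behaviour or the real getnetbyaddr()/gethostbyaddr() calls, and there is no DNS involved.

```c
/* Added example, not libxtables or iptables code: a model of the lookup order
 * the patch changes. Constructed text stands in for /etc/networks and /etc/hosts;
 * resolve() consults them host-first (old) or network-first (new). Entries, the
 * ".0" padding of short numbers and exact matching are demo assumptions. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 16
#define NAME_LEN 32
struct entry { char name[NAME_LEN]; in_addr_t addr; }; /* host byte order */
static struct entry networks[MAX_ENTRIES], hosts[MAX_ENTRIES];
static int n_networks, n_hosts;

/* Constructed sample files. 10.0.0.0 appears in both, as the "dmz" network
 * and as the host "dmz-gw": the overlap case raised in the review. */
static const char networks_text[] =
    "# name    number\n"
    "loopback  127\n"
    "lan       192.168.1\n"
    "dmz       10.0.0.0\n";
static const char hosts_text[] =
    "# address     name\n"
    "127.0.0.1     localhost\n"
    "10.0.0.0      dmz-gw\n"
    "192.168.1.7   fileserver\n";

/* /etc/networks allows short numbers ("192.168.1", "127"); this model pads
 * them with ".0" to four octets before parsing (assumption). */
static in_addr_t parse_net_number(const char *s)
{
    char buf[NAME_LEN + 8];
    int dots = 0;
    for (const char *p = s; *p; p++)
        dots += (*p == '.');
    snprintf(buf, sizeof buf, "%s", s);
    while (dots++ < 3)
        strncat(buf, ".0", sizeof buf - strlen(buf) - 1);
    return ntohl(inet_addr(buf));
}

/* Parse two-column lines into tab. addr_first selects the /etc/hosts layout
 * (address name) over the /etc/networks one (name number); comment lines and
 * lines that do not parse are skipped. Returns the number of entries. */
static int parse_table(const char *text, struct entry *tab, int addr_first)
{
    char line[128], a[NAME_LEN], b[NAME_LEN];
    int n = 0;
    while (*text && n < MAX_ENTRIES) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        if (len < sizeof line) {
            memcpy(line, text, len);
            line[len] = '\0';
            if (line[0] != '#' && sscanf(line, "%31s %31s", a, b) == 2) {
                in_addr_t addr = addr_first ? ntohl(inet_addr(a)) : parse_net_number(b);
                if (addr != INADDR_NONE) {
                    snprintf(tab[n].name, NAME_LEN, "%s", addr_first ? b : a);
                    tab[n++].addr = addr;
                }
            }
        }
        text += len + (nl != NULL);
    }
    return n;
}

static const char *lookup(const struct entry *tab, int n, in_addr_t addr)
{
    for (int i = 0; i < n; i++)
        if (tab[i].addr == addr)
            return tab[i].name;
    return NULL;
}

/* Load the constructed tables; returns 1 when every entry parsed. */
int load_tables(void)
{
    n_networks = parse_table(networks_text, networks, 0);
    n_hosts = parse_table(hosts_text, hosts, 1);
    return n_networks == 3 && n_hosts == 3;
}

/* Same shape as xtables_ipaddr_to_anyname(): the second lookup runs only when
 * the first finds nothing. In the real code the host lookup is the one that
 * may wait on reverse DNS; unmatched addresses come back as dotted text. */
const char *resolve(const char *dotted, int network_first)
{
    in_addr_t addr = ntohl(inet_addr(dotted));
    const char *name = network_first ? lookup(networks, n_networks, addr)
                                     : lookup(hosts, n_hosts, addr);
    if (name == NULL)
        name = network_first ? lookup(hosts, n_hosts, addr)
                             : lookup(networks, n_networks, addr);
    return name ? name : dotted;
}
```

Call load_tables() once, then resolve() with network_first set to 0 (the pre-patch order) or 1 (the patched order). For 10.0.0.0, which the constructed tables list both as the dmz network and as the dmz-gw host, host-first returns "dmz-gw" and network-first returns "dmz"; 192.168.1.0 resolves to "lan" and 192.168.1.7 to "fileserver" under either order, and 8.8.8.8 falls through to its dotted form. Only the overlapping address changes output, which is the case the review thread is about.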