From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Jan Engelhardt <jengelh@inai.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH 3/3] libxtables: avoid returning duplicate address for host resolution
Date: Fri, 10 Mar 2017 19:22:19 +0100
Message-ID: <20170310182219.GA26144@salvia>
In-Reply-To: <alpine.LSU.2.20.1703081753170.6259@n3.vanv.qr>
On Wed, Mar 08, 2017 at 05:56:43PM +0100, Jan Engelhardt wrote:
> On Wednesday 2017-03-08 17:45, Pablo Neira Ayuso wrote:
>
> >On Wed, Mar 08, 2017 at 05:26:58PM +0100, Jan Engelhardt wrote:
> >> A long-standing problem has been that `iptables -s any_host_here`
> >> could yield multiple rules with the same address if the DNS was
> >> indeed so populated.
> >
> >When did anyone report this problem out of the localhost case?
>
> It's been a long time. I think the issue was actually that one can
> specify multiple host names, and if those hostnames happen to resolve to
> the same address in the end, iptables would emit two rules of which one
> is essentially redundant.
>
> iptables -A INPUT -s www2.company.com,www3.company.com
Got me thinking, are you sure we want to fix this?
I think this rule expansion based on DNS is probably one of the most
creepy features that we have in iptables... Probably if we leave it
broken this will just scare people away from using this :).
But your call.
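As an added illustration of the redundancy Jan describes (this is example code, not the patch and not libxtables' own host_to_ipaddr()): the comma-separated host list is resolved against a constructed in-memory table standing in for DNS, and an address already collected is dropped so that each unique address yields only one rule.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for DNS (assumption, not real records): both names
 * share 192.0.2.11, the situation that produced two redundant rules. */
struct fake_host { const char *name; const char *addrs[3]; };
static const struct fake_host fake_dns[] = {
    { "www2.company.com", { "192.0.2.10", "192.0.2.11", NULL } },
    { "www3.company.com", { "192.0.2.11", NULL, NULL } },
};

/* Append addr to list unless it is already there; returns the new count. */
static unsigned int add_unique(struct in_addr *list, unsigned int n,
                               struct in_addr addr)
{
    for (unsigned int i = 0; i < n; i++)
        if (list[i].s_addr == addr.s_addr)
            return n;   /* duplicate: would have become a redundant rule */
    list[n] = addr;
    return n + 1;
}

/* Resolve "host1,host2,..." into unique IPv4 addresses in out (at most max).
 * Returns the number of unique addresses written. */
unsigned int resolve_unique(const char *hostlist, struct in_addr *out,
                            unsigned int max)
{
    char buf[256];
    unsigned int n = 0;

    strncpy(buf, hostlist, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        for (size_t h = 0; h < sizeof(fake_dns) / sizeof(fake_dns[0]); h++) {
            if (strcmp(fake_dns[h].name, tok) != 0)
                continue;
            for (const char *const *a = fake_dns[h].addrs; *a; a++) {
                struct in_addr addr;
                if (n >= max || inet_pton(AF_INET, *a, &addr) != 1)
                    continue;
                n = add_unique(out, n, addr);
            }
        }
    }
    return n;
}
```

With the two-host list from the thread, the unfiltered table would hand back three addresses (one of them twice); the filtered result is two.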
Thread overview: 18+ messages
2017-03-08 14:33 [PATCH] libxtables: duplicated loopback address via host_to_ipaddr() Pablo Neira Ayuso
2017-03-08 16:25 ` Jan Engelhardt
2017-03-08 16:25 ` [PATCH 1/3] extensions: libxt_socket: add --restore-skmark option Jan Engelhardt
2017-03-08 16:25 ` [PATCH 2/3] build: resolve build error involving libnftnl Jan Engelhardt
2017-03-08 16:25 ` [PATCH 3/3] extensions: restore matching any SPI id by default Jan Engelhardt
2017-03-08 16:26 ` Filter duplicate IP addresses from libxtables Jan Engelhardt
2017-03-08 16:26 ` [PATCH 1/3] libxtables: remove unnecessary nesting from host_to_ip(6)addr Jan Engelhardt
2017-03-08 16:45 ` Pablo Neira Ayuso
2017-03-08 16:26 ` [PATCH 2/3] libxtables: abolish AI_CANONNAME Jan Engelhardt
2017-03-08 16:46 ` Pablo Neira Ayuso
2017-03-08 16:26 ` [PATCH 3/3] libxtables: avoid returning duplicate address for host resolution Jan Engelhardt
2017-03-08 16:45 ` Pablo Neira Ayuso
2017-03-08 16:56 ` Jan Engelhardt
2017-03-10 18:22 ` Pablo Neira Ayuso [this message]
2017-03-08 16:42 ` [PATCH 1/3] libxtables: remove unnecessary nesting from host_to_ip(6)addr Jan Engelhardt
2017-03-08 16:42 ` [PATCH 2/3] libxtables: abolish AI_CANONNAME Jan Engelhardt
2017-03-08 16:42 ` [PATCH 3/3] libxtables: avoid returning duplicate address for host resolution Jan Engelhardt
2017-03-09 7:32 ` [PATCH] libxtables: duplicated loopback address via host_to_ipaddr() Alexander Alemayhu