[pkg-netfilter-team] Bug#933531: accept hostnames with one IPv4 address and one IPv6 address in single-stack chain?

Trent W. Buck trentbuck at gmail.com
Wed Jul 31 09:54:42 BST 2019


Package: nftables
Version: 0.9.1-2
Severity: wishlist

In iptables-restore, if a hostname has 3 addresses, you will end up with 3 rules, e.g.

    -A INPUT -d www -j ACCEPT

    --expands to-->

    -A INPUT -d 127.0.0.1  -j ACCEPT
    -A INPUT -d 10.0.0.1   -j ACCEPT
    -A INPUT -d 172.16.0.1 -j ACCEPT

In nftables, this is simply not allowed, which is reasonable:

    # nft table inet a
    # nft chain inet a b
    # nft  rule inet a b ip saddr one-ipv4-address
    # nft  rule inet a b ip saddr two-ipv4-addresses
    Error: Hostname resolves to multiple addresses
    rule inet a b ip saddr two-ipv4-addresses
                           ^^^^^^^^^^^^^^^^^^

I think there is one case where nftables COULD make a smarter decision:
the hostname has one IPv4 address and one IPv6 address, AND
we are operating in a single-stack table.

For example:

    # grep one-of-each /etc/hosts
    127.1.2.3  one-of-each
    ::1  one-of-each

    # nft flush ruleset
    # nft table ip a
    # nft chain ip a b
    # nft  rule ip a b dnat to one-of-each  # SHOULD just ignore the IPv6 addr
    Error: Hostname resolves to multiple addresses
    rule ip a b dnat to one-of-each
                        ^^^^^^^^^^^

While testing this, I ran into this behaviour, which I don't understand *AT ALL*.
How and why is nftables converting from ::1 to 127.0.0.1?

    # grep one-ipv6-address /etc/hosts
    ::1 one-ipv6-address
    # nft flush ruleset
    # nft table ip a
    # nft chain ip a b
    # nft rule  ip a b dnat to one-ipv6-address
    # nft list ruleset
    table ip a {
            chain b {
                    dnat to 127.0.0.1
            }
    }

It looks like when nftables gets a hostname, it resolves it to a
single address in any family.  Then later, if it's the wrong family
for that chain, it reverse-resolves the address to a hostname, then
forward-resolves that hostname to the desired address family?

That sort of makes sense, but I can see it confusing people whose
forward- and reverse-name resolution don't match.

    # cat >>/etc/hosts
    ::1:2:3:4 another-one-ipv6-address
    # getent hosts another-one-ipv6-address
    ::1:2:3:4       another-one-ipv6-address
    # nft 'flush ruleset; table ip a; chain ip a b; rule ip a b dnat to another-one-ipv6-address; list ruleset'
    Error: Could not resolve hostname: Name or service not known
    flush ruleset; table ip a; chain ip a b; rule ip a b dnat to another-one-ipv6-address; list ruleset
                                                                 ^^^^^^^^^^^^^^^^^^^^^^^^
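To make the three behaviours contrasted above concrete, here is an added example (not code from this report, from iptables or from nftables): it resolves hostnames from a constructed /etc/hosts-style text instead of the system resolver, and shows the iptables-restore expansion (one rule per address), the current nft check (any name with more than one address in any family is rejected), and the proposed single-stack check (only addresses of the table's own family count). The names `HOSTS_TEXT`, `FAMILY_VERSIONS`, `parse_hosts`, `resolve`, `expand_iptables` and `expand_nft` are all assumptions of this example; where nft silently turned `::1` into `127.0.0.1`, this code instead refuses a name that has no address of the table's family.

```python
"""Per-family hostname resolution for firewall rule generation.

Added example, not code from the bug report or from nftables: a
constructed /etc/hosts table stands in for the system resolver so the
script runs offline.
"""
import ipaddress

# Constructed /etc/hosts-style data modelled on the names in the report.
HOSTS_TEXT = """\
127.0.0.1   one-ipv4-address
10.0.0.1    two-ipv4-addresses
172.16.0.1  two-ipv4-addresses
127.1.2.3   one-of-each
::1         one-of-each
::1         one-ipv6-address
"""

# nft table family -> IP versions that can appear in its rules.
FAMILY_VERSIONS = {"ip": {4}, "ip6": {6}, "inet": {4, 6}}


def parse_hosts(text):
    """Return {hostname: [ip_address, ...]} preserving file order."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        ip = ipaddress.ip_address(addr)
        for name in names:
            table.setdefault(name, []).append(ip)
    return table


def resolve(table, hostname, family):
    """Addresses of hostname usable in an nft table of the given family."""
    if hostname not in table:
        raise LookupError(f"Could not resolve hostname: {hostname}")
    wanted = FAMILY_VERSIONS[family]
    return [ip for ip in table[hostname] if ip.version in wanted]


def expand_iptables(table, hostname, template, family="ip"):
    """iptables-restore style: emit one rule per matching address."""
    addrs = resolve(table, hostname, family)
    if not addrs:
        raise LookupError(f"no {family} address for {hostname}")
    return [template.format(addr=ip) for ip in addrs]


def expand_nft(table, hostname, template, family, ignore_other_family=False):
    """nft style: exactly one address is allowed, otherwise an error.

    ignore_other_family=False counts every address the name has (the
    current behaviour the report shows); True counts only the addresses
    of the table's family (the single-stack behaviour the report asks for).
    """
    all_addrs = table.get(hostname)
    if not all_addrs:
        raise LookupError(f"Could not resolve hostname: {hostname}")
    candidates = resolve(table, hostname, family) if ignore_other_family else all_addrs
    if len(candidates) != 1:
        raise ValueError(f"Hostname resolves to multiple addresses: {hostname}")
    addr = candidates[0]
    if addr.version not in FAMILY_VERSIONS[family]:
        # Refuse rather than silently substituting an address of another family.
        raise ValueError(f"{hostname} has no {family} address")
    return [template.format(addr=addr)]


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_TEXT)
    print(expand_iptables(hosts, "two-ipv4-addresses", "-A INPUT -d {addr} -j ACCEPT"))
    for flag in (False, True):
        try:
            print(expand_nft(hosts, "one-of-each", "rule ip a b dnat to {addr}", "ip", flag))
        except ValueError as err:
            print("Error:", err)
```

Generating explicit addresses this way at build time, rather than letting the firewall loader resolve names, also keeps the loaded ruleset independent of resolver state, so a later change to forward or reverse records cannot alter what the firewall matches.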
