[pkg-netfilter-team] Bug#933531: accept hostnames with one IPv4 address and one IPv6 address in single-stack chain?

Arturo Borrero Gonzalez arturo at debian.org
Tue Aug 27 18:59:13 BST 2019


Control: tags -1 wontfix

On Wed, 31 Jul 2019 18:54:42 +1000 "Trent W. Buck" <trentbuck at gmail.com> wrote:
> Package: nftables
> Version: 0.9.1-2
> Severity: wishlist
> 
> In iptables-restore, if a hostname has 3 addresses, you will end up with 3 rules, e.g.
> 
>     -A INPUT -d www -j ACCEPT
> 
>     --expands to-->
> 
>     -A INPUT -d 127.0.0.1  -j ACCEPT
>     -A INPUT -d 10.0.0.1   -j ACCEPT
>     -A INPUT -d 172.16.0.1 -j ACCEPT
> 
> In nftables, this is simply not allowed, which is reasonable:
> 
>     # nft table inet a
>     # nft chain inet a b
>     # nft  rule inet a b ip saddr one-ipv4-address
>     # nft  rule inet a b ip saddr two-ipv4-addresses
>     Error: Hostname resolves to multiple addresses
>     rule inet a b ip saddr two-ipv4-addresses
>                            ^^^^^^^^^^^^^^^^^^
> 
> I think there is one case where nftables COULD make a smarter decision:
> the hostname has one IPv4 address and one IPv6 address, AND
> we are operating in a single-stack table.
> 

This is specifically designed this way. Building firewall rules from FQDNs is
confusing and can lead to errors. Typical case is: the rule won't change if the
A register changes in DNS.

I believe nft accepting FQDNs in such a simple way is the right balance between
not accepting them at all and doing smart things.

I think doing DNS tricks is a thing for higher level wrappers such as firewalld.
