[Ferm] @ipfilter on FQDNs or so

Kiss Gabor (Bitman) kissg at ssg.ki.iif.hu
Thu Jun 13 19:15:18 CEST 2013


Hi Marc,

> > A more realistic example from my practice:

> Ouch. This is _very_ ugly.

Don't panic. I showed just a simplified version. :-)

I'd happily study other people's complex firewall configurations
if I could. I'd really learn better style that way. Unfortunately one can find
a zillion lines of code on the network in any programming language,
but not firewall configs.

> > A flaw of ip6tables related to FQDNs also inspires a workaround in Ferm.
> > Iptables generates multiple rules if host has multiple A records.
> > Meanwhile ip6tables (as of version 1.4.8) does not follow this practice
> > but inserts a single rule even if host has several AAAA records.
> 
> So it only generates a rule for the first AAAA record returned?

Exactly.
File xtables.c:

static struct in6_addr *
host_to_ip6addr(const char *name, unsigned int *naddr)
{
[...]
                /* Get the first element of the address-chain */
                addr = xtables_malloc(sizeof(struct in6_addr));
                memcpy(addr, &((const struct sockaddr_in6 *)res->ai_addr)->sin6_addr,
                       sizeof(struct in6_addr));
                freeaddrinfo(res);
                *naddr = 1;
                return addr;
        }

See also function xtables_ip6parse_multiple():

                addrp = ip6parse_hostnetwork(buf, &n);
                /* ip6parse_hostnetwork only ever returns one IP
                address (it exits if the resolution fails).
                Therefore, n will always be 1 here.  Leaving the
                code below in anyway in case ip6parse_hostnetwork
                is improved some day to behave like
                ipparse_hostnetwork: */


Meanwhile the IPv4 version of host_to_ip6addr() returns the full
chain of addresses.

I repeat: this is version 1.4.8, which is used in Debian squeeze, for
example. We also have 1.4.4/1.3.5 on aging SuSE/Red Hat systems
shipped with our supercomputers by Silicon Graphics/Hewlett Packard.

The source code of version 1.4.14 (used in Debian wheezy) looks much
better. However, I have not tested it yet.

Regards

Gabor
-- 
Spider-Pig, Spider-Pig
Does whatever a Spider-Pig does.
Can he swing from a web?
No, he can't, he's a pig.
Look out! He is a Spider-Pig.
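The asymmetry Gabor describes (iptables emits one rule per A record, ip6tables 1.4.8 keeps only the first AAAA record) is easy to reproduce and to work around outside xtables: resolve the name yourself and emit one rule per address. The script below is an added example, not Ferm's code and not the xtables source quoted above. The host name and its addresses are a constructed DNS answer table so the demo runs offline; `resolve_all()` is the real-resolver variant using `socket.getaddrinfo()`, and the `legacy_ip6` switch imitates the 1.4.8 "first element of the address chain" behaviour so the two outputs can be compared.

```python
#!/usr/bin/env python3
"""Expand a hostname into one ip(6)tables rule per resolved address.

Added example, not Ferm's or iptables' own code.  It emulates what the
IPv4 xtables path does for a host with several A records and what, per
the post, ip6tables 1.4.8 does NOT do for several AAAA records.
"""
import ipaddress
import socket

# Constructed DNS answers for the demo (hypothetical host and addresses
# from documentation ranges); no network access is needed.
FAKE_DNS = {
    "multi.example.net": [
        "192.0.2.10", "192.0.2.11",
        "2001:db8::10", "2001:db8::11", "2001:db8::12",
    ],
}


def resolve_fake(name):
    """Offline resolver: returns the constructed answer list, [] if unknown."""
    return list(FAKE_DNS.get(name, []))


def resolve_all(name):
    """Real resolver: every A and AAAA record, order kept, duplicates dropped."""
    seen = []
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(name, None):
        addr = sockaddr[0]
        if addr not in seen:
            seen.append(addr)
    return seen


def addrs_for_family(name, version, resolver=resolve_fake):
    """Addresses of `name` with the given IP version (4 or 6), normalised."""
    addrs = [ipaddress.ip_address(a) for a in resolver(name)]
    return [str(a) for a in addrs if a.version == version]


def rules_for_host(name, chain, target, resolver=resolve_fake, legacy_ip6=False):
    """One command per address, the way iptables expands A records.

    legacy_ip6=True reproduces the 1.4.8 host_to_ip6addr() behaviour
    quoted in the post: only the head of the AAAA chain survives, so a
    multi-homed IPv6 host is only partially covered by the rule set.
    """
    rules = []
    for version, tool in ((4, "iptables"), (6, "ip6tables")):
        addrs = addrs_for_family(name, version, resolver)
        if legacy_ip6 and version == 6:
            addrs = addrs[:1]
        for addr in addrs:
            rules.append(f"{tool} -A {chain} -s {addr} -j {target}")
    return rules


if __name__ == "__main__":
    print("# ip6tables 1.4.8 style: only the first AAAA record is used")
    for r in rules_for_host("multi.example.net", "INPUT", "ACCEPT", legacy_ip6=True):
        print(r)
    print("# expanded: one rule per A and per AAAA record")
    for r in rules_for_host("multi.example.net", "INPUT", "ACCEPT"):
        print(r)
```

The expansion happens at rule-load time only: a rule generated from a hostname does not follow later DNS changes, and a missing or spoofed answer silently changes what gets matched, so such rules are best regenerated from a trusted resolver and reviewed before loading.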
