[Bug 616] Duplicate rules for multi-homed hostnames. IPv4 and IPv6 inconsistent treatment.

bugzilla-daemon at netfilter.org
Tue Jul 9 15:56:47 CEST 2013


--- Comment #8 from Phil Oester <netfilter at linuxace.com> 2013-07-09 15:56:45 CEST ---
(In reply to comment #7)
> It is the duty of the software to properly execute that policy.  Here, the
> software fails to do so because it produces duplicate redundant rules which are
> never used.

And where is it documented that the software is failing to execute that policy?
It is doing exactly what you asked for.  Nowhere in the iptables documentation
does it state "we will not add duplicate rules".

As you note, admins can do silly things (like rm -rf /).  Who's to say there
isn't one out there today doing something like:

    iptables -A foo -s, -d

Sure, that is of questionable sanity, but you are suggesting we should
completely ignore what the admin asked for in the rule above and only add ONE
rule instead of two.  This conflicts with your view that we should allow the
admin to do whatever they want.  There are likely to be some admins a bit
perturbed by our arrogance in trying to second-guess them.

Let's take your example and extend it a bit with the quota match:

    iptables -A INPUT -j ACCEPT -p tcp -m tcp --sport 2703 -s
    discovery.razor.cloudmark.com/22 -m quota --quota 1000000

Here the admin wants to limit cloudmark traffic to 3MB.  Because he knows there
are 3 IPs in the DNS RR, he uses 1MB as the limit for each rule (and, like you,
he ignores that DNS RR entries can change at any time).  If we implement the
change you are suggesting, we break his ruleset.

The bottom line is that we cannot make the change you are suggesting without
potentially breaking lots of existing rulesets.  It seems your best solution is
to add a single rule with  Since you trust that Cloudmark will
never move off of this /22, there should be no reason this is not acceptable.
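The expansion the comment argues about, as an added illustration that is not part of the bug thread or of iptables itself: a hostname with several address records becomes one rule per record, each masked to the requested prefix length, so records sharing a /22 yield identical rules and each copy of a quota match keeps its own counter. The DNS answer below is constructed from the 198.18.0.0/15 benchmark range, not a real lookup.

```python
import ipaddress

# Constructed stand-in for a DNS answer: three A records that all fall
# inside 198.18.4.0/22 (not a real lookup of the hostname).
DNS_ANSWER = {
    "discovery.razor.cloudmark.com": ["198.18.4.1", "198.18.5.2", "198.18.7.3"],
}


def expand_source(host, prefixlen):
    """Mimic how '-s host/prefixlen' is expanded: one rule per address
    record, with the address masked to the given prefix length."""
    return [
        ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        for addr in DNS_ANSWER[host]
    ]


def rule_counts(host, prefixlen):
    """Return (rules_emitted, distinct_rules): how many rules would be
    appended and how many of them actually differ from each other."""
    nets = expand_source(host, prefixlen)
    return len(nets), len(set(nets))


def effective_quota(host, prefixlen, per_rule_bytes, dedupe=False):
    """Bytes admitted before every expanded quota rule is exhausted.
    With dedupe=False (current behaviour) each duplicate rule carries its
    own counter, so the admin's 1MB-per-rule figure triples; with
    dedupe=True (the proposed change) only one counter remains."""
    emitted, distinct = rule_counts(host, prefixlen)
    return (distinct if dedupe else emitted) * per_rule_bytes


if __name__ == "__main__":
    host = "discovery.razor.cloudmark.com"
    print("rules for /22:", rule_counts(host, 22))   # (3, 1)
    print("rules for /32:", rule_counts(host, 32))   # (3, 3)
    print("quota as written:", effective_quota(host, 22, 1_000_000))
    print("quota if deduplicated:", effective_quota(host, 22, 1_000_000, dedupe=True))
```

Run as-is it reports three identical /22 rules admitting 3MB in total, and 1MB if the duplicates were collapsed, which is the ruleset breakage the comment describes.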