[Bug 1130] New: Better handling DNS names in nft ruleset

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Tue Mar 14 15:05:26 CET 2017


            Bug ID: 1130
           Summary: Better handling DNS names in nft ruleset
           Product: nftables
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: pascal.ernster+bugzilla.netfilter.org at rub.de

nft currently allows the use of DNS hostnames instead of IP addresses in the
ruleset; however, it doesn't handle them very well. For instance, if the
hostname cannot be resolved immediately at the time the ruleset is loaded, nft
simply bails out and doesn't load the entire ruleset.

This is problematic, because in a typical scenario, during system boot, nft is
run on purpose *before* the network interfaces are brought up to prevent the
machine from letting through unfiltered traffic from potentially untrusted

IMHO, it would be desirable for nft to handle this more gracefully. For example,
if DNS resolution fails, nft could log a warning and at least load all rules
which do not require functional DNS resolution, wait a few seconds, check whether
DNS resolution works again, and then automatically reload the ruleset (this
time of course including the rules containing DNS hostnames).

At the very least though, the loading of an entire ruleset should not be
prevented by the inability to resolve a single DNS name.

Another possible solution might be some form of persistent local DNS cache.
Keep in mind though that "just update the cache on loading a ruleset" might not
be the best idea because such a ruleset might have been loaded weeks or even
months before the machine running nftables is rebooted.

I'm reluctant to use something like /etc/hosts to hack around this problem
because this would remove any benefit of using DNS in the first place.

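As an added example (not code from this bug report or from the nftables project), the split that avoids the failure mode described above: the ruleset loaded before networking contains no hostnames at all, only an empty named set, and a second stage run after the network is up resolves the names and fills the set, skipping and reporting names that do not resolve instead of aborting. The table, set and chain names, the hostname, the retry counts and the use of getent for resolution are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not part of the bug report or of nftables itself.
# Stage 1 ("static") prints a ruleset with no DNS dependency, meant to be
# loaded once at early boot: ssh is only accepted from the set admin_hosts,
# which starts empty, so nothing is let through unfiltered while DNS is down.
# Stage 2 ("refresh NAME...") prints the set update once the resolver works.
# All names (inet filter, admin_hosts, the hostnames) are assumptions.

static_ruleset() {
    cat <<'EOF'
table inet filter {
    set admin_hosts {
        type ipv4_addr
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ip saddr @admin_hosts tcp dport 22 accept
    }
}
EOF
}

# Resolve one hostname to IPv4 addresses, one per line, via glibc NSS
# (getent). Prints nothing if the name does not resolve. Kept as a separate
# function so it can be replaced by a fixed table when testing offline.
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk '$2 == "STREAM" { print $1 }' | sort -u
}

# Emit one "add element" command per resolved address. A name that does not
# resolve is reported on stderr and left out rather than failing the whole
# batch; the return status is non-zero if any name was left out, so a caller
# knows to retry later.
set_elements() {
    failed=0
    for name in "$@"; do
        addrs=$(resolve_ipv4 "$name") || addrs=""
        if [ -z "$addrs" ]; then
            echo "warning: cannot resolve $name, leaving it out for now" >&2
            failed=$((failed + 1))
            continue
        fi
        for a in $addrs; do
            echo "add element inet filter admin_hosts { $a }"
        done
    done
    [ "$failed" -eq 0 ]
}

# "refresh" retries a few times so a resolver that is still coming up does not
# leave the set empty, then applies whatever did resolve. The flush and the adds
# are printed together so that "nft -f -" applies them as one transaction.
main() {
    case "$1" in
        static) static_ruleset ;;
        refresh)
            shift
            tries=5
            while :; do
                cmds=$(set_elements "$@") && break
                tries=$((tries - 1))
                [ "$tries" -gt 0 ] || break
                sleep 3
            done
            if [ -n "$cmds" ]; then
                printf 'flush set inet filter admin_hosts\n%s\n' "$cmds"
            fi
            ;;
    esac
}

# Usage: sh nft-split.sh static | nft -f -        (before interfaces are up)
#        sh nft-split.sh refresh admin.example.net | nft -f -   (after network)
[ $# -eq 0 ] || main "$@"
```

The refresh stage can be run from a network-up hook and again from a timer, since the set is replaced rather than appended to; existing admin sessions survive the replacement because they match the ct state rule, not the set.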