<html>
    <head>
      <base href="https://bugzilla.netfilter.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link bz_status_NEW" title="NEW - Better handling DNS names in nft ruleset" href="https://bugzilla.netfilter.org/show_bug.cgi?id=1130">1130</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Better handling DNS names in nft ruleset
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>nftables
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>enhancement
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P5
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>nft
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>pablo@netfilter.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>pascal.ernster+bugzilla.netfilter.org@rub.de
          </td>
        </tr></table>
      <p>
        <div>
        <pre>nft currently allows the usage of DNS hostnames instead of IP addresses in the
ruleset, however it doesn't handle them very well. For instance, if the
hostname cannot be resolved immediately at the time the ruleset is loaded, nft
simply bails out and doesn't load the entire ruleset.

This is problematic, because in a typical scenario, during system boot, nft is
run on purpose *before* the network interfaces are brought up to prevent the
machine from letting through unfiltered traffic from potentially untrusted
networks.

IMHO, it would be desirable that nft handles this more gracefully. For example,
if DNS resolution fails, nft could log a warning and at least load all rules
which do not require a functional DNS resolution, wait a few seconds, try if
DNS resolution works again, and then automatically reload the ruleset (this
time of course including rules containing DNS hostnames).

At the very least though, the loading of an entire ruleset should not be
prevented by the inability to resolve a single DNS name.

Another possible solution might be some form of persistent local DNS cache.
Keep in mind though that "just update the cache on loading a ruleset" might not
be the best idea because such a ruleset might have been loaded weeks or even
months before the machine running nftables is rebooted.

I'm reluctant to use something like /etc/hosts to hack around this problem
because this would remove any benefit of using DNS in the first place.</pre>
        </div>
      </p>
    </body>
</html>