<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Better handling DNS names in nft ruleset"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1130">1130</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Better handling DNS names in nft ruleset
</td>
</tr>
<tr>
<th>Product</th>
<td>nftables
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>enhancement
</td>
</tr>
<tr>
<th>Priority</th>
<td>P5
</td>
</tr>
<tr>
<th>Component</th>
<td>nft
</td>
</tr>
<tr>
<th>Assignee</th>
<td>pablo@netfilter.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>pascal.ernster+bugzilla.netfilter.org@rub.de
</td>
</tr></table>
<p>
<div>
<pre>nft currently allows the usage of DNS hostnames instead of IP addresses in the
ruleset, however it doesn't handle them very well. For instance, if the
hostname cannot be resolved immediately at the time the ruleset is loaded, nft
simply bails out and doesn't load the entire ruleset.
This is problematic, because in a typical scenario, during system boot, nft is
run on purpose *before* the network interfaces are brought up to prevent the
machine from letting through unfiltered traffic from potentially untrusted
networks.
IMHO, it would be desirable that nft handles this more gracefully. For example,
if DNS resolution fails, nft could log a warning and at least load all rules
which do not require a functional DNS resolution, wait a few seconds, try if
DNS resolution works again, and then automatically reload the ruleset (this
time of course including rules containing DNS hostnames).
At the very least though, the loading of an entire ruleset should not be
prevented by the inability to resolve a single DNS name.
Another possible solution might be some form of persistent local DNS cache.
Keep in mind though that "just update the cache on loading a ruleset" might not
be the best idea because such a ruleset might have been loaded weeks or even
months before the machine running nftables is rebooted.
I'm reluctant to use something like /etc/hosts to hack around this problem
because this would remove any benefit of using DNS in the first place.</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are watching all bug changes.</li>
</ul>
</body>
</html>