[Bug 616] Duplicate rules for multi-homed hostnames. IPv4 and IPv6 inconsistent treatment.

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Tue Jul 9 21:35:59 CEST 2013


https://bugzilla.netfilter.org/show_bug.cgi?id=616

Phil Oester <netfilter at linuxace.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |WONTFIX

--- Comment #10 from Phil Oester <netfilter at linuxace.com> 2013-07-09 21:35:57 CEST ---
(In reply to comment #9)
> RE: Comment #7:  "It seems your best solution is to add a single rule with
> 208.83.136.0/22."
> 
> Yet, it adds THREE rules, two of which will never fire, thus the problem and
> bug report.

You appear to be missing the point.  iptables is doing EXACTLY what it should
do here, by design.  So instead of using a rule with
"-s discovery.razor.cloudmark.com/22" you should use a rule with
"-s 208.83.136.0/22" if you only want to get a single rule.

> Extend your quota example:  When the first rule reaches the quota, it will stop
> firing.  The first duplicate will then fire.  In this case, as there are three
> rules, one ends up with a situation where three times the quota is permitted,
> and that by itself is a clear error.

Yes, and presumably the admin KNOWS this, as by your logic he knows the DNS RR
contains three entries, knows they all fall in the same /22, and blindly
believes this will never change.  

We can debate this endlessly, but the point remains that we CANNOT change this
behavior as iptables has behaved this way since the beginning of time, and
admins MAY be relying upon the current behavior.  Further, adding additional
rules which never fire might be an annoyance for you, but they DO NO HARM. 
Breaking existing rulesets DOES HARM.  If this annoyance is such a problem for
you, use the trivial workaround provided: use the CIDR instead of a DNS RR.

Closing this bug - no further action can be taken.

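As an added example (not code from the bug thread or the netfilter project): a small Python model of the expansion Phil describes, one rule per resolved address with each address masked to the given prefix, followed by an audit that flags the duplicate rules the reporter objects to and shows why a duplicated quota rule multiplies the byte budget. The three A records are constructed sample values inside 208.83.136.0/22, not the real records for the hostname.

```python
"""Model of iptables hostname expansion and a duplicate-rule audit.
Added example, not iptables code; the A records below are constructed."""
import ipaddress
from collections import Counter

# Constructed sample: three A records for one hostname, all inside the
# /22 quoted in the thread. These are placeholders, not the real records.
SAMPLE_RECORDS = ["208.83.136.10", "208.83.137.20", "208.83.138.30"]


def expand_source_rules(resolved, prefixlen, target="-j ACCEPT"):
    """Emulate the by-design behaviour: iptables emits one rule per address
    the hostname resolves to, each masked to /prefixlen.  With a /22 and
    addresses in the same /22, every emitted rule is textually identical."""
    rules = []
    for addr in resolved:
        net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        rules.append(f"-s {net.with_prefixlen} {target}")
    return rules


def audit_duplicates(rules):
    """Return {rule: count} for rules appearing more than once.  For a
    '-m quota' rule the count is the effective multiplier of the byte
    budget: once the first copy's counter is exhausted it stops matching,
    so traffic falls through to the next identical copy with a fresh counter."""
    counts = Counter(rules)
    return {rule: n for rule, n in counts.items() if n > 1}


def dedup(rules):
    """Collapse duplicates, preserving first-seen order.  This is the rule
    set you get by writing the CIDR (208.83.136.0/22) instead of the name."""
    seen = set()
    out = []
    for rule in rules:
        if rule not in seen:
            seen.add(rule)
            out.append(rule)
    return out


if __name__ == "__main__":
    quota = "-m quota --quota 1000000 -j ACCEPT"
    rules = expand_source_rules(SAMPLE_RECORDS, 22, quota)
    for r in rules:
        print(r)
    for r, n in audit_duplicates(rules).items():
        print(f"duplicate x{n}: effective quota is {n}x the configured value")
    print("deduplicated:", dedup(rules))
```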