[Bug 1309] New: Error: Hostname resolves to multiple addresses
bugzilla-daemon at netfilter.org
Fri Dec 14 11:05:11 CET 2018
https://bugzilla.netfilter.org/show_bug.cgi?id=1309
Bug ID: 1309
Summary: Error: Hostname resolves to multiple addresses
Product: nftables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: netfilter.moschroe at xoxy.net
Created attachment 551
--> https://bugzilla.netfilter.org/attachment.cgi?id=551&action=edit
minimal nftables ruleset producing the issue
Overview:
Unable to define rules applying to runtime-resolved hostnames when said
hostnames resolve to multiple IP addresses. This is a major impediment to
adopting nftables at our site.
Steps to Reproduce:
1. Define a ruleset depending on an affected hostname, like the attached
sample.nft.
2. Run the nft check command like so:
------
execution of nft command:
$ nft -c -f sample.nft
Actual Results:
sample.nft:5:18-37: Error: Hostname resolves to multiple addresses
ip daddr "archive.ubuntu.com" accept
^^^^^^^^^^^^^^^^^^^^
------
The command exits with code 1.
Expected Results:
1. If at the particular point only a single result would be valid, then a
suggestion should be made to refactor to using a set.
2. It ought to be possible to define such a set of type ipv4_addr (or
ipv6_addr) from resolving one or more hostnames, either ad hoc or named.
A hostname not resolving into an IP of the appropriate type (A/AAAA) should
not lead to an error and instead produce an empty set.
Examples:
1. ip daddr {"archive.ubuntu.com"} accept
2. #!/usr/sbin/nft -f
table inet firewall {
set testset { type ipv4_addr; elements = { "archive.ubuntu.com" }}
chain out {
type filter hook output priority 0; policy drop;
ip daddr @testset accept
}
}
Version:
$ nft --version
nftables v0.9.0 (Fearless Fosdick)
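The workaround the report's second expected result points at, generating a named set of type ipv4_addr from a hostname's resolved addresses, as an added shell example that is not part of the bug report or of nftables itself. It assumes resolver output in the format of `getent ahostsv4 HOST` (one address per line, repeated for STREAM/DGRAM/RAW socket types); the sample input and the set name `testset` are constructed, and a hostname with no A records yields a set with no elements rather than an error.

```shell
#!/bin/sh
# Turn resolver output into an nftables named set, so a hostname that
# resolves to several addresses becomes a set of ipv4_addr elements
# instead of triggering "Hostname resolves to multiple addresses".

# Constructed sample in `getent ahostsv4` format (RFC 5737 test addresses).
# Each address is listed once per socket type, so duplicates must be folded.
SAMPLE_RESOLVER_OUTPUT='203.0.113.20    STREAM archive.example.invalid
203.0.113.20    DGRAM
203.0.113.20    RAW
203.0.113.10    STREAM
203.0.113.10    DGRAM
203.0.113.10    RAW'

# Print the unique IPv4 addresses found in the first column of stdin,
# sorted, one per line. Non-IPv4 lines (e.g. AAAA results) are dropped.
ipv4_addrs() {
    awk '{ print $1 }' | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u
}

# $1 = set name; stdin = resolver output. Emits one nft set definition.
# With no IPv4 addresses on stdin the set is declared without elements,
# which nft accepts, whereas an empty "elements = { }" would not parse.
resolve_to_set() {
    set_name=$1
    elements=$(ipv4_addrs | paste -sd ',' - | sed 's/,/, /g')
    if [ -n "$elements" ]; then
        printf 'set %s { type ipv4_addr; elements = { %s } }\n' \
            "$set_name" "$elements"
    else
        printf 'set %s { type ipv4_addr; }\n' "$set_name"
    fi
}

# Wrap the set in a table and chain shaped like the report's second
# example, so the output can be fed straight to `nft -c -f -`.
ruleset_for() {
    set_name=$1
    printf 'table inet firewall {\n'
    printf '    %s\n' "$(resolve_to_set "$set_name")"
    printf '    chain out {\n'
    printf '        type filter hook output priority 0; policy drop;\n'
    printf '        ip daddr @%s accept\n' "$set_name"
    printf '    }\n}\n'
}

# Demonstration on the constructed sample (no network access needed).
printf '%s\n' "$SAMPLE_RESOLVER_OUTPUT" | ruleset_for testset
```

Against a live resolver the same functions are driven with `getent ahostsv4 archive.ubuntu.com | ruleset_for testset`, and the result can be validated with `nft -c -f -` before loading.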