On Thu, Aug 03, 2023 at 09:35:16PM +0200, Thomas Haller wrote:
> getaddrinfo() blocks while trying to resolve the name. Blocking the
> caller of the library is in many cases undesirable. Also, while
> reconfiguring the firewall, it's not clear that resolving names via
> the network will work or makes sense.
>
> Add a new input flag NFT_CTX_INPUT_NO_DNS to opt out from getaddrinfo()
> and only accept plain IP addresses.

This sounds like user input validation via backend.

Another way to solve the problem at hand is to not insert host names
into the rules(et) fed into libnftables, right?

Cheers, Phil
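The behaviour the quoted patch description asks for, "only accept plain IP addresses" without ever touching the resolver, can be expressed with the AI_NUMERICHOST flag of getaddrinfo(), which makes the call fail immediately for anything that is not an IPv4/IPv6 literal and so cannot block on the network. The following is an added example illustrating that mechanism; it is not code from this thread or from libnftables, and the function name is_ip_literal is a hypothetical helper chosen here. A caller that pre-validates addresses this way before handing a ruleset to the library is the "do not insert host names" approach Phil suggests.

```c
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/*
 * Return 1 if `s` is a numeric IPv4 or IPv6 address literal, 0 otherwise.
 *
 * AI_NUMERICHOST tells getaddrinfo() to parse the string only; it never
 * consults /etc/hosts or DNS, so host names are rejected with EAI_NONAME
 * instead of triggering a (possibly blocking) lookup.
 * Hypothetical helper for this example, not part of libnftables.
 */
int is_ip_literal(const char *s)
{
    struct addrinfo hints;
    struct addrinfo *res = NULL;

    if (s == NULL || *s == '\0')
        return 0;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;       /* accept both v4 and v6 literals */
    hints.ai_flags = AI_NUMERICHOST;   /* no resolver, no network I/O */

    if (getaddrinfo(s, NULL, &hints, &res) != 0)
        return 0;

    freeaddrinfo(res);
    return 1;
}

/*
 * Count how many of the given candidate addresses are host names rather
 * than literals. A caller would refuse to build a ruleset if this is > 0.
 */
int count_non_literals(const char *const *addrs, int n)
{
    int bad = 0;
    for (int i = 0; i < n; i++)
        if (!is_ip_literal(addrs[i]))
            bad++;
    return bad;
}

int main(void)
{
    /* Constructed sample inputs for demonstration only. */
    const char *const samples[] = {
        "192.0.2.1", "2001:db8::1", "example.com", "not an address"
    };
    int n = (int)(sizeof(samples) / sizeof(samples[0]));

    for (int i = 0; i < n; i++)
        printf("%-16s -> %s\n", samples[i],
               is_ip_literal(samples[i]) ? "IP literal" : "rejected");

    printf("%d entr%s would need DNS\n",
           count_non_literals(samples, n),
           count_non_literals(samples, n) == 1 ? "y" : "ies");
    return 0;
}
```

Because the check runs entirely in-process, it is safe to apply while the firewall itself is being reconfigured, exactly the window in which the quoted text notes that resolving names over the network may not work.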