On Tue, 2023-08-08 at 15:24 +0200, Phil Sutter wrote: > On Thu, Aug 03, 2023 at 09:35:16PM +0200, Thomas Haller wrote: > > getaddrinfo() blocks while trying to resolve the name. Blocking the > > caller of the library is in many cases undesirable. Also, while > > reconfiguring the firewall, it's not clear that resolving names via > > the network will work or makes sense. > > > > Add a new input flag NFT_CTX_INPUT_NO_DNS to opt-out from > > getaddrinfo() > > and only accept plain IP addresses. > > This sounds like user input validation via backend. Another way to > solve > the problem at hand is to not insert host names into the rules(et) > fed > into libnftables, right? Right. More generally, ensure not to pass any non-addresses in JSON that would be resolved. Which requires that the user application is keenly aware, understands and validates the input data. For example, there couldn't be a "expert option" where the admin configures arbitrary JSON. And that the application doesn't make a mistake with that ([1]). [1] https://github.com/firewalld/firewalld/commit/4db89e316f2d60f3cf856a7025a96a61e40b1e5a Thomas
