libxtables: tolerate DNS lookup failures

Do not abort on DNS lookup failure, just skip the rule and keep processing the rest of the rules. This is particularly useful, for example, when iptables-restore is called at system bootup before the network is up and the DNS can be reached.

Signed-off-by: Guido Trentalancia <guido@xxxxxxxxxxxxxxxx>
---
 libxtables/xtables.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff -pru iptables-1.8.9-orig/libxtables/xtables.c iptables-1.8.9-new/libxtables/xtables.c
--- iptables-1.8.9-orig/libxtables/xtables.c	2023-01-12 11:27:35.000000000 +0100
+++ iptables-1.8.9-new/libxtables/xtables.c	2025-03-07 14:03:35.907011754 +0100
@@ -1710,7 +1710,8 @@ ipparse_hostnetwork(const char *name, un
 	if ((addrptmp = host_to_ipaddr(name, naddrs)) != NULL)
 		return addrptmp;
 
-	xt_params->exit_err(PARAMETER_PROBLEM, "host/network `%s' not found", name);
+	fprintf(stderr, "host/network `%s' not found - skipping rule\n", name);
+	return NULL;
 }
 
 static struct in_addr *parse_ipmask(const char *mask)
@@ -1788,6 +1789,8 @@ void xtables_ipparse_multiple(const char
 			strcpy(buf, "0.0.0.0");
 
 		addrp = ipparse_hostnetwork(buf, &n);
+		if (addrp == NULL)
+			continue;
 		if (n > 1) {
 			count += n - 1;
 			*addrpp = xtables_realloc(*addrpp,
@@ -1847,6 +1850,8 @@ void xtables_ipparse_any(const char *nam
 			strcpy(buf, "0.0.0.0");
 
 		addrp = *addrpp = ipparse_hostnetwork(buf, naddrs);
+		if (addrp == NULL)
+			return;
 		n = *naddrs;
 		for (i = 0, j = 0; i < n; ++i) {
 			addrp[j++].s_addr &= maskp->s_addr;
@@ -2005,7 +2010,8 @@ ip6parse_hostnetwork(const char *name, u
 	if ((addrp = host_to_ip6addr(name, naddrs)) != NULL)
 		return addrp;
 
-	xt_params->exit_err(PARAMETER_PROBLEM, "host/network `%s' not found", name);
+	fprintf(stderr, "host/network `%s' not found - skipping rule\n", name);
+	return NULL;
 }
 
 static struct in6_addr *parse_ip6mask(char *mask)
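Review bot: The `return NULL;` added to ipparse_hostnetwork (and the identical change to ip6parse_hostnetwork in the @@ -2005 hunk) turns a path that never came back to the caller — `xt_params->exit_err()` terminates — into an ordinary NULL result, so every caller of these helpers and of the xtables_ipparse_*/xtables_ip6parse_* entry points now has to expect NULL and a `*naddrs` left in whatever state host_to_ipaddr()/host_to_ip6addr() put it; only two callers per family are adjusted in this patch, and any other caller, including extensions outside this file, that indexes the returned array without a check would now crash instead of failing cleanly. The message also goes out through a bare `fprintf(stderr, ...)` rather than the xt_params reporting path, so a front-end that decorates errors (iptables-restore identifies the failing line, for instance) loses that context, and "skipping rule" is asserted by a library helper that cannot know what its caller will do with the NULL. Dropping a rule from a restored ruleset is fail-open — a missing DROP or a missing address restriction leaves the firewall more permissive than the saved policy — and nothing in these hunks records that it happened, so the front-end would presumably still exit successfully. I would keep the decision with the caller (report via xt_params, return a failure the front-end can turn into a non-zero exit status) and document the new contract on the helper: `/* Returns NULL when the name cannot be resolved; *naddrs is then whatever the lookup helper stored and callers must check before indexing. */`.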
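Review bot: The `continue` in xtables_ipparse_multiple (and the same `continue` in xtables_ip6parse_multiple in the @@ -2084 hunk) skips the remainder of the loop body, which runs past the end of the hunk; if that remainder is what advances the cursor to the next comma-separated entry, the loop would re-parse the same unresolved name on every remaining iteration and print the message each time, so this needs checking against the full loop. It also does not skip the rule: the address slot `*addrpp + i` for the failed entry is simply never written while the mask for that entry appears to have been stored before this point (the null-mask special case just above it suggests so), and `count` is unchanged, so the caller still receives the full array with this entry holding whatever the allocation contained rather than the rule being dropped as the stderr text claims. If the intent is really to skip the entry, the address and mask slots need compacting and `count` decrementing — or the function should report failure to its caller — and the "skipping rule" wording should go.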
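Review bot: The early `return` in xtables_ipparse_any (and in xtables_ip6parse_any in the @@ -2137 hunk) leaves `*addrpp` NULL and `*naddrs` at whatever the lookup helper stored, and the function is void, so it has no way to tell its caller that nothing was parsed. Existing callers were written against a function that either succeeded or terminated the process; one that reads `(*addrpp)[0]` now dereferences NULL, and if `*naddrs` is not guaranteed to be zero on this path, a caller iterating over `*naddrs` entries walks a NULL array. At minimum set the count explicitly before leaving, `*naddrs = 0;`, and document the contract on the function: `/* On lookup failure *addrpp is NULL and *naddrs is 0; callers must check before indexing. */`. xtables_ipparse_any starts and ends outside the hunk, so its callers and the rest of its body were not visible here.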
@@ -2084,6 +2090,8 @@ xtables_ip6parse_multiple(const char *na
 			strcpy(buf, "::");
 
 		addrp = ip6parse_hostnetwork(buf, &n);
+		if (addrp == NULL)
+			continue;
 		if (n > 1) {
 			count += n - 1;
 			*addrpp = xtables_realloc(*addrpp,
@@ -2137,6 +2145,8 @@ void xtables_ip6parse_any(const char *na
 			strcpy(buf, "::");
 
 		addrp = *addrpp = ip6parse_hostnetwork(buf, naddrs);
+		if (addrp == NULL)
+			return;
 		n = *naddrs;
 		for (i = 0, j = 0; i < n; ++i) {
 			for (k = 0; k < 4; ++k)