Of course, if the DNS is not available the "evil hacker" rule is skipped when this patch is merged. However, the drawbacks of not applying this patch are far worse, because if the DNS is not available and some rules in the table contain domain names, then all rules are skipped and the operation is aborted even for numeric IP addresses and resolvable names.

Finally, consider that nowadays many host names are allocated dynamically and therefore for several hosts it is not possible to enter their numeric IP address.

I hope this helps...

Guido

On Fri, 07/03/2025 at 15.07 +0100, Jan Engelhardt wrote:
> On Friday 2025-03-07 14:42, Guido Trentalancia wrote:
>
> > libxtables: tolerate DNS lookup failures
> >
> > Do not abort on DNS lookup failure, just skip the
> > rule and keep processing the rest of the rules.
> >
> > This is particularly useful, for example, when
> > iptables-restore is called at system bootup
> > before the network is up and the DNS can be
> > reached.
>
> Not a good idea. Given
>
> -F INPUT
> -P INPUT ACCEPT
> -A INPUT -s evil.hacker.com -j REJECT
> -A INPUT -j ACCEPT
>
> if you skip the rule, you now have a questionable hole in your
> security.
>
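To make the two outcomes discussed in this thread concrete, the following is an added example (my own code, not part of the thread and not libxtables or iptables code) that loads Jan's four-rule INPUT chain under both behaviours: the unpatched one, where a DNS lookup failure aborts the whole restore, and the patched one, where only the rule with the unresolvable name is skipped. It then asks what verdict a packet from the "evil" address gets. The resolver is a constructed in-memory table standing in for DNS, the chain evaluator only understands -F, -P and -A with -s and -j, the address 203.0.113.7 is an assumed value from the documentation range, and an aborted restore is modelled as leaving no new ruleset in place (verdict "ABORTED").

```python
"""Simulate Jan's example INPUT chain under the two libxtables behaviours
discussed in the thread: abort the whole restore on a DNS lookup failure,
or skip only the affected rule and keep going.

Assumptions (not from the thread): DNS is a constructed in-memory table,
the evaluator understands only -F, -P and -A with -s/-j, and an aborted
iptables-restore installs nothing (reported here as "ABORTED").
"""
import ipaddress

# Jan's ruleset from the thread, in iptables-restore syntax.
RULES = [
    "-F INPUT",
    "-P INPUT ACCEPT",
    "-A INPUT -s evil.hacker.com -j REJECT",
    "-A INPUT -j ACCEPT",
]

# Constructed stand-ins for DNS: name -> addresses it resolves to.
DNS_UP = {"evil.hacker.com": ["203.0.113.7"]}   # assumed address, TEST-NET-3
DNS_DOWN = {}                                    # nothing resolves


def resolve(host, dns):
    """Addresses a -s argument expands to. Numeric addresses never touch
    DNS; names are looked up in the constructed table `dns`."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass  # not numeric, fall through to the lookup
    if host in dns:
        return dns[host]
    raise LookupError(f"cannot resolve {host}")


def load_chain(rules, dns, skip_on_failure):
    """Build the INPUT chain as (policy, [(source_addrs, target), ...]).
    source_addrs is None for a rule without -s (matches every packet).
    Raises LookupError when DNS fails and skip_on_failure is False."""
    policy, chain = "ACCEPT", []
    for line in rules:
        tok = line.split()
        if tok[0] == "-F":
            chain = []
        elif tok[0] == "-P":
            policy = tok[2]
        elif tok[0] == "-A":
            src = target = None
            i = 2
            while i < len(tok):
                if tok[i] == "-s":
                    src = tok[i + 1]
                    i += 2
                elif tok[i] == "-j":
                    target = tok[i + 1]
                    i += 2
                else:
                    i += 1
            try:
                addrs = resolve(src, dns) if src else None
            except LookupError:
                if skip_on_failure:
                    continue   # patched behaviour: drop this rule, keep going
                raise          # unpatched behaviour: abort the whole restore
            chain.append((addrs, target))
    return policy, chain


def verdict(policy, chain, src_ip):
    """First matching rule wins; otherwise the chain policy applies."""
    for addrs, target in chain:
        if addrs is None or src_ip in addrs:
            return target
    return policy


def simulate(dns, skip_on_failure, src_ip="203.0.113.7"):
    """Verdict for a packet from src_ip after restoring RULES, or
    "ABORTED" when the restore is rejected as a whole."""
    try:
        policy, chain = load_chain(RULES, dns, skip_on_failure)
    except LookupError:
        return "ABORTED"
    return verdict(policy, chain, src_ip)


if __name__ == "__main__":
    for label, dns in (("DNS up", DNS_UP), ("DNS down", DNS_DOWN)):
        for mode in (False, True):
            print(f"{label:8} skip_on_failure={mode!s:5} -> {simulate(dns, mode)}")
```

With DNS reachable both behaviours give REJECT for the evil address. With DNS down, skipping the rule yields ACCEPT for that same address, which is the hole Jan describes, while aborting yields no new ruleset at all, so the numeric and resolvable rules in the same restore are not installed either, which is the cost Guido describes. The simulation reproduces both claims; it does not decide between them.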