Re: [PATCH iptables]: xtables: tolerate DNS lookup failures

When using the patch, the error is not silent, it's properly logged on
stderr.

The patch solves a well-defined problem: when the iptables rules are loaded
(usually at system boot) the network might not be available (e.g. a
laptop computer with wireless connectivity), so iptables should be
tolerant of DNS unavailability, while still producing an error, but
not aborting the rest of the iptables rules (which might be needed for
local network connectivity, for example).

Please consider that if DNS is not available, then the "evil hacker"
host that needs to be rejected in your previous example is also most
likely unreachable.

Consider that iptables can always be loaded again when Internet
connectivity becomes available (for example, by a script used to turn
the wireless connection up).

Regards,

Guido

On Fri, 07/03/2025 at 17.51 +0100, Jan Engelhardt wrote:
> On Friday 2025-03-07 16:24, Guido Trentalancia wrote:
> 
> > Of course, if the DNS is not available the "evil hacker" rule is
> > skipped when this patch is merged.
> > 
> > However the drawbacks of not applying this patch are far worse,
> > because if the DNS is not available and some rules in the table
> > contain domain names, then all rules are skipped and the operation
> > is aborted even for numeric IP addresses and resolvable names.
> 
> A silent/ignored error is much worse than an explicit error;
> the latter you can at least test for, scripting or otherwise.
> 
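One way to get the behaviour Guido argues for at boot time (numeric rules always load, rules that name hosts are loaded later, and a resolution failure is reported rather than swallowed) without changing iptables at all is to split the saved ruleset before loading it. The script below is an added example for this thread; it is not the patch under discussion and not part of iptables. It assumes the iptables-save file format, handles IPv4 literals only (IPv6 addresses would be classified as hostnames), uses the real `getent hosts` for the explicit resolution check, and introduces an `IPTABLES_RESTORE` variable purely so the loader can be swapped when exercising the script. The sample ruleset and the host name in it are constructed.

```shell
#!/bin/sh
# Added example for this thread; it is neither the patch under discussion
# nor part of iptables. The file format is the one iptables-save emits.

# Print every -s/-d argument of one rule line that is not a numeric IPv4
# address, CIDR or comma-separated list of them, i.e. every argument that
# would need a DNS lookup when the rule is loaded. Assumption: IPv4 only.
rule_hostnames() {
    set -- $1                              # split the rule into its tokens
    while [ $# -gt 0 ]; do
        case "$1" in
            -s|-d|--source|--destination|--src|--dst)
                shift
                if [ "${1:-}" = '!' ]; then shift; fi   # old syntax: -s ! host
                case "${1:-}" in
                    *[!0-9./,]*) printf '%s\n' "$1" ;;  # letters => hostname
                esac
                ;;
        esac
        if [ $# -gt 0 ]; then shift; fi
    done
    return 0
}

# Exit status 0 when the rule line names at least one host.
rule_needs_dns() {
    [ -n "$(rule_hostnames "$1")" ]
}

# Unique hostnames referenced anywhere in a ruleset file.
ruleset_hostnames() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*|'*'*|':'*|COMMIT) ;;
            *) rule_hostnames "$line" ;;
        esac
    done < "$1" | sort -u
}

# Split ruleset $1 into $2 (loadable without DNS) and $3 (needs DNS).
# Table headers and COMMIT go to both files; chain declarations only to
# the first, since the chains already exist when $3 is loaded later
# with "iptables-restore --noflush".
split_ruleset() {
    : > "$2"
    : > "$3"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '*'*|COMMIT)
                printf '%s\n' "$line" >> "$2"
                printf '%s\n' "$line" >> "$3" ;;
            ''|'#'*|':'*)
                printf '%s\n' "$line" >> "$2" ;;
            *)
                if rule_needs_dns "$line"; then
                    printf '%s\n' "$line" >> "$3"
                else
                    printf '%s\n' "$line" >> "$2"
                fi ;;
        esac
    done < "$1"
}

# Load the deferred rules once every hostname in them resolves. A failure
# is reported on stderr and nothing is loaded, so a hook can retry later.
# IPTABLES_RESTORE is an assumption of this example (lets a caller swap
# the loader); the default is the real iptables-restore.
load_deferred_rules() {
    for name in $(ruleset_hostnames "$1"); do
        if ! getent hosts "$name" >/dev/null 2>&1; then
            echo "deferred rules in $1 not loaded: cannot resolve $name" >&2
            return 1
        fi
    done
    "${IPTABLES_RESTORE:-iptables-restore}" --noflush < "$1"
}

# Constructed sample (not from the thread): LAN rules plus one named host.
SAMPLE_RULES=$(mktemp); BOOT_RULES=$(mktemp); DEFERRED_RULES=$(mktemp)
trap 'rm -f "$SAMPLE_RULES" "$BOOT_RULES" "$DEFERRED_RULES"' EXIT
cat > "$SAMPLE_RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -s evil-hacker.example -j REJECT
-A OUTPUT -d 10.0.0.5,10.0.0.6 -p udp --dport 53 -j ACCEPT
COMMIT
EOF
split_ruleset "$SAMPLE_RULES" "$BOOT_RULES" "$DEFERRED_RULES"
echo "boot-time rules: $(grep -c '^-A' "$BOOT_RULES"), deferred: $(grep -c '^-A' "$DEFERRED_RULES")"
```

At boot the first file is fed to `iptables-restore` as usual, so the loopback and LAN rules are in place whether or not DNS works; the script that brings the wireless link up then calls `load_deferred_rules` on the second file. Because the resolution check is separate from the load, an unreachable resolver produces an explicit, testable error on stderr rather than a partially applied table, which addresses Jan's objection while keeping the local rules Guido wants to preserve.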
