When using the patch, the error is not silent, it's properly logged on stderr.

The patch solves a well-defined problem: when iptables are loaded (usually at system bootup) the network might not be available (e.g. laptop computer with wireless connectivity), so iptables should be tolerant to DNS unavailability, while still producing an error, but not aborting the rest of the iptables rules (which might be needed for local network connectivity, for example).

Please consider that if DNS is not available, then the "evil hacker" host that needs to be rejected in your previous example is also most likely unreachable.

Consider that iptables can always be loaded again when Internet connectivity becomes available (for example, by a script used to turn the wireless connection up).

Regards,

Guido

On Fri, 07/03/2025 at 17.51 +0100, Jan Engelhardt wrote:
> On Friday 2025-03-07 16:24, Guido Trentalancia wrote:
>
> > Of course, if the DNS is not available the "evil hacker" rule is
> > skipped when this patch is merged.
> >
> > However the drawbacks of not applying this patch are far worse,
> > because if the DNS is not available and some rules in the table contain
> > domain names, then all rules are skipped and the operation is aborted even
> > for numeric IP addresses and resolvable names.
>
> A silent/ignored error is much worse than an explicit error;
> the latter you can at least test for, scripting or otherwise.
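The behaviour debated above (resolve names at load time, report an unresolvable name explicitly on stderr, keep the remaining rules and fail the exit status so a script can react) can also be obtained without patching iptables, by pre-resolving a ruleset before handing it to `iptables-restore`. The following is an added example, not code from the thread or from the iptables project; the rule list, the `.invalid` hostnames and the `resolver` hook are constructed for illustration.

```python
"""Pre-resolve hostnames in an iptables-restore ruleset.

Rules whose -s/-d hostname cannot be resolved are dropped with an
explicit error message; every other rule (numeric addresses, resolvable
names) is kept. The caller sees a non-zero exit status when anything was
skipped, so a network-up hook can simply reload the full ruleset later.
"""
import re
import socket
import sys

# Constructed sample ruleset in iptables-restore syntax (not from the thread).
SAMPLE_RULES = """*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -s evil.example.invalid -j REJECT
-A INPUT -s backup.example.invalid -p tcp --dport 22 -j ACCEPT
COMMIT
"""

HOST_OPTS = ("-s", "--source", "-d", "--destination")
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$")


def _is_literal(addr):
    """True for IPv4/IPv6 literals or CIDR blocks, which need no lookup."""
    return bool(_IPV4.match(addr)) or ":" in addr


def resolve_rules(text, resolver=socket.gethostbyname):
    """Return (kept_lines, error_messages); only rules with unresolvable
    hostnames land in the error list, everything else is kept in order.
    `resolver` is a hook (assumption) so the logic can be run offline."""
    kept, errors = [], []
    for line in text.splitlines():
        tokens = line.split()
        ok = True
        for i, tok in enumerate(tokens[:-1]):          # last token has no argument
            if tok in HOST_OPTS and not _is_literal(tokens[i + 1]):
                try:
                    tokens[i + 1] = resolver(tokens[i + 1])
                except OSError as exc:               # socket.gaierror is an OSError
                    errors.append(f"skipping rule, cannot resolve {tokens[i + 1]}: "
                                  f"{exc}: {line}")
                    ok = False
                    break
        if ok:
            kept.append(" ".join(tokens) if tokens else line)
    return kept, errors


if __name__ == "__main__":
    kept, errors = resolve_rules(sys.stdin.read())
    sys.stdout.write("\n".join(kept) + "\n")        # pipe into iptables-restore
    for msg in errors:
        print(msg, file=sys.stderr)                 # explicit, not silent
    sys.exit(1 if errors else 0)                    # scripts can test for this
```

Run it as `python3 resolve_rules.py < rules.v4 | iptables-restore` and re-run the same pipeline from the hook that brings the wireless link up, so the rules skipped while DNS was down are applied once names resolve.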