The support for hostname-based rules (including multiple resolutions of a hostname) has been there at least since the following commit:

commit 2ad8dc895ec28a173c629c695c2e11c41b625b6e
Date: Mon Feb 21 19:10:10 2011 -0500

but probably much earlier, so it's been there for more than 20 years!

Security (and software in general) should not be viewed in absolutistic terms, I believe, which is why software has features and options. It depends on different circumstances: if an option is there, the user has the choice on whether it needs it or not, on whether it is convenient or not, on whether it is safe or not.

It's just a very simple patch to improve an existing feature.

It's up to you whether to merge it or not, I can't add much more to this discussion at this point because it's just looping...

Guido

On Fri, 07/03/2025 at 21.48 +0100, Reindl Harald wrote:
>
> On 07.03.25 at 21:37, Guido Trentalancia wrote:
> > Apart from the case of DNS Round-robin, quite often a hostname (for
> > example, a server hostname) is DNS-mapped to a static IP address, but
> > over time (several months or years) that IP address might change,
> > even though it's still statically mapped.
> >
> > In that case, if a client behind an iptables packet filter does not use
> > hostname-based rules, it won't be able to connect to that server
> > anymore.
> >
> > So, there are cases where hostname-based rules give an advantage.
>
> sorry, but hostname based access lists are even on a webserver a bad
> idea and on a packet filter it's unacceptable
>
> if a host changes its IP rules have to be adjusted - it's as simple as
> that for the past 20 years in networking and will continue so the next
> 20 years
>
> ------------
>
> and frankly if a service partner can't assign a static IP it's the wrong
> partner to begin with - we are talking about security
>
> either you have a static ip or there is a vpn-tunnel with certificates
> done within seconds with wireguard - the dynamic host is the one to
> build up the tunnel, case closed