2009/4/27 <lists@xxxxxxxxxxxxxxx>:
>> That's a nice question, instead of the dynamic IP on the rule,
>> having a dynamic host on it like:
>>
>> iptables -I INPUT -i eth0 -d myhost.dyndns.org -p tcp --dport 80 -j ACCEPT
>>
>> When this runs, the rule will stay with the IP address that was
>> grabbed from the dynamic host, and when the IP changes, the rule
>> won't work anymore.
>> My question is, is there no way to make iptables always check the
>> host instead of translating the host to an IP at the rule-apply stage?
>
> If iptables had to perform a DNS lookup every time a packet
> passes, I think it would be terribly slow and probably not usable for
> packet filtering.
>
>
> Grts,
> Rob
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>

Would you imagine what netfilter's behaviour would be if you added a rule like:

iptables -A OUTPUT -p udp --dport 53 -s myhost.mydomain.ext -j ACCEPT

I really don't know whether the kernel is even able to resolve DNS, because in the most common cases libc does it for us.

So, the DNS resolution is done by the iptables user-space tool at the moment you add the rule, and it sends the resolved IP(s) to the kernel. This is because iptables won't perform a DNS lookup every time a packet passes.
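Since the thread establishes that iptables resolves a hostname once, in user space, at the moment the rule is added (and, if the name has several A records, inserts one rule per address), the practical way to follow a dynamic host is a periodic job that re-resolves the name and swaps the stale rule for a fresh one. The script below is an added example written for this post, not code from the thread or from the netfilter project. It assumes an inbound allow rule on eth0 to TCP port 80 keyed on the source address (the original rule used `-d`; `-s` is this example's choice for an INPUT rule), a state directory for the last-seen address, and the hypothetical function names `resolve_ipv4`, `rule_args` and `sync_dyn_rule`.

```shell
#!/bin/sh
# Keep an iptables rule in step with a dynamic DNS name.
# iptables resolves the name only when the rule is added, so this has to be
# re-run (e.g. from cron every few minutes) to pick up a changed address.
# IPTABLES and STATE_DIR are overridable for testing; the defaults are assumptions.

IPTABLES="${IPTABLES:-iptables}"
STATE_DIR="${STATE_DIR:-/var/lib/dynrule}"

# Resolve a hostname to its first IPv4 address through the system resolver
# (getent honours /etc/hosts and nsswitch.conf just as iptables' own lookup does).
resolve_ipv4() {
    getent ahostsv4 "$1" | awk 'NR==1 {print $1}'
}

# Rule arguments after the chain name, for a given source address (assumed policy).
rule_args() {
    echo "-i eth0 -s $1 -p tcp --dport 80 -j ACCEPT"
}

# Reconcile the rule for one hostname.
#   returns 0 when the rule was (re)installed for a new address,
#   returns 1 when the address is unchanged and nothing was done,
#   returns 2 when the name could not be resolved (old rule is left in place).
sync_dyn_rule() {
    host="$1"
    state="$STATE_DIR/$host.ip"
    new_ip="$(resolve_ipv4 "$host")"
    [ -n "$new_ip" ] || return 2

    old_ip=""
    [ -f "$state" ] && old_ip="$(cat "$state")"
    if [ "$old_ip" = "$new_ip" ]; then
        return 1
    fi

    # Remove the rule that still carries the previous address, if any.
    if [ -n "$old_ip" ]; then
        # shellcheck disable=SC2086
        "$IPTABLES" -D INPUT $(rule_args "$old_ip") 2>/dev/null || true
    fi

    # Insert the rule with the freshly resolved address, then record it.
    # shellcheck disable=SC2086
    "$IPTABLES" -I INPUT $(rule_args "$new_ip")
    mkdir -p "$STATE_DIR"
    printf '%s\n' "$new_ip" > "$state"
    return 0
}

# Usage: sync_dyn_rule myhost.dyndns.org
```

The state file is what lets the job delete the rule it installed last time; without it there is no reliable way to know which stale address to remove. A name that resolves to several addresses would need one rule per address (the first is used here); and if the state file is ever lost, the old rule lingers until it is removed by hand, so a more thorough version would also list the chain and prune entries that no longer match the current address.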