> you can use some script to do the resolving and then add the results to the
> set one by one.
>
> how ipset behaves is the same as iptables.

It seems that iptables is able to handle multiple resolutions:

root@xwing:~# iptables-save
root@xwing:~# host dl.dropbox.com
dl.dropbox.com is an alias for dl-balancer3-985632286.us-east-1.elb.amazonaws.com.
dl-balancer3-985632286.us-east-1.elb.amazonaws.com has address 107.22.210.127
dl-balancer3-985632286.us-east-1.elb.amazonaws.com has address 107.22.253.68
dl-balancer3-985632286.us-east-1.elb.amazonaws.com has address 184.73.159.129
dl-balancer3-985632286.us-east-1.elb.amazonaws.com has address 23.21.123.227
dl-balancer3-985632286.us-east-1.elb.amazonaws.com has address 23.23.132.187
dl-balancer3-985632286.us-east-1.elb.amazonaws.com has address 50.17.253.115
dl-balancer3-985632286.us-east-1.elb.amazonaws.com has address 107.20.159.63
dl-balancer3-985632286.us-east-1.elb.amazonaws.com has address 107.20.162.145
root@xwing:~# iptables -A INPUT -s dl.dropbox.com -j ACCEPT
root@xwing:~# iptables-save
# Generated by iptables-save v1.4.14 on Wed Oct 10 19:47:19 2012
*filter
:INPUT ACCEPT [2:1201]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2:274]
-A INPUT -s 184.73.159.129/32 -j ACCEPT
-A INPUT -s 23.21.123.227/32 -j ACCEPT
-A INPUT -s 23.23.132.187/32 -j ACCEPT
-A INPUT -s 50.17.253.115/32 -j ACCEPT
-A INPUT -s 107.20.159.63/32 -j ACCEPT
-A INPUT -s 107.20.162.145/32 -j ACCEPT
-A INPUT -s 107.22.210.127/32 -j ACCEPT
-A INPUT -s 107.22.253.68/32 -j ACCEPT
COMMIT
# Completed on Wed Oct 10 19:47:19 2012

> Yes, that's right. If hostname is supplied as input, just the first
> resolved IP address is used. Look into lib/parse.c

I see it now. Reading the man page getaddrinfo(3), it is implemented as some
kind of linked list, especially for cases where there are multiple resolutions.

So, the function get_addrinfo in lib/parse.c needs to do something more
inside that for loop.

(For now, I don't know what the code inside the loop means if found==0, so I
can't write a patch.)

Regards
--
Arturo Borrero González
Departamento de Seguridad Informática, @NIS_CICA (twitter)
Centro Informatico Cientifico de Andalucia (CICA)
Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain)
Tfno.: +34 955 056 600 / FAX: +34 955 056 650
Consejería de Economía, Innovación, Ciencia y Empleo
Junta de Andalucía
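The approach discussed in this message, as an added example that is not part of the original mail and not ipset's lib/parse.c: walk every node of the getaddrinfo(3) result list instead of stopping at the first, and print one "add" line per address in the format `ipset restore` reads. The function names and the 64-address cap are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Added example (not ipset's lib/parse.c); function names are hypothetical.
 * collect_ipv4 walks the whole getaddrinfo(3) list, not just its head, and
 * stores each distinct IPv4 address as text. Returns the count stored. */
size_t collect_ipv4(const struct addrinfo *res, char out[][INET_ADDRSTRLEN], size_t max)
{
    size_t n = 0;
    for (const struct addrinfo *ai = res; ai != NULL && n < max; ai = ai->ai_next) {
        char buf[INET_ADDRSTRLEN];
        size_t i;
        const struct sockaddr_in *sin = (const struct sockaddr_in *)ai->ai_addr;
        if (ai->ai_family != AF_INET || sin == NULL ||
            inet_ntop(AF_INET, &sin->sin_addr, buf, sizeof(buf)) == NULL)
            continue;                       /* skip IPv6 and unusable nodes */
        for (i = 0; i < n; i++)             /* the resolver may repeat an address */
            if (strcmp(out[i], buf) == 0)
                break;
        if (i == n)
            strcpy(out[n++], buf);
    }
    return n;
}

/* Print one "add <set> <ip>" line per address, as read by `ipset restore`. */
int emit_ipset_adds(const char *set, const char *host, FILE *fp)
{
    struct addrinfo hints, *res;
    char ips[64][INET_ADDRSTRLEN];          /* cap of 64 is an assumption */
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_STREAM;        /* avoid one node per socket type */
    if (getaddrinfo(host, NULL, &hints, &res) != 0)
        return -1;
    size_t n = collect_ipv4(res, ips, 64);
    freeaddrinfo(res);
    for (size_t i = 0; i < n; i++)
        fprintf(fp, "add %s %s\n", set, ips[i]);
    return (int)n;
}

int main(int argc, char **argv)
{
    return argc == 3 && emit_ipset_adds(argv[1], argv[2], stdout) > 0 ? 0 : 1;
}
```

As with the iptables rules in the iptables-save output above, the set holds only the addresses returned at resolution time, so a name behind a rotating load balancer has to be re-resolved and the set refreshed periodically.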