bugzilla-daemon at netfilter.org
2018-Dec-14 10:05 UTC
[Bug 1309] New: Error: Hostname resolves to multiple addresses
https://bugzilla.netfilter.org/show_bug.cgi?id=1309

            Bug ID: 1309
           Summary: Error: Hostname resolves to multiple addresses
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: netfilter.moschroe at xoxy.net

Created attachment 551
  --> https://bugzilla.netfilter.org/attachment.cgi?id=551&action=edit
minimal nftables ruleset producing the issue

Overview:

Unable to define rules applying to runtime-resolved hostnames when said
hostnames resolve to multiple ip addresses. This is a major impediment to
adopting nftables at our site.

Steps to Reproduce:

1. Define a ruleset depending on an affected hostname, like the attached
   sample.nft.
2. Run nft check command like so:

------ execution of nft command:
$ nft -c -f sample.nft

Actual Results:

sample.nft:5:18-37: Error: Hostname resolves to multiple addresses
        ip daddr "archive.ubuntu.com" accept
                 ^^^^^^^^^^^^^^^^^^^^
------

The command exits with code 1.

Expected Results:

1. If at the particular point only a single result would be valid, then a
   suggestion should be made to refactor to using a set.
2. It ought to be possible to define such a set of type ipv4_addr (or
   ipv6_addr) from resolving one or more hostnames, either ad hoc or named.
   A hostname not resolving into an IP of the appropriate type (A/AAAA)
   should not lead to an error and instead produce an empty set.

Examples:

1. ip daddr {"archive.ubuntu.com"} accept

2. #!/usr/sbin/nft -f
   table inet firewall {
       set testset {
           type ipv4_addr;
           elements = { "archive.ubuntu.com" }
       }
       chain out {
           type filter hook output priority 0; policy drop;
           ip daddr @testset accept
       }
   }

Version:

$ nft --version
nftables v0.9.0 (Fearless Fosdick)

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20181214/8f7ff171/attachment.html>
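The script below is an added example for this thread, not the reporter's ruleset and not code from the nftables project. It shows the workaround a practitioner reaches for while nft rejects a multi-address hostname inline: resolve the name outside nft, deduplicate the answers, and emit a named set of literal addresses in the shape of the reporter's example 2 (table inet firewall, set testset, chain out). It assumes the input lines look like what `getent ahostsv4 HOST` / `getent ahostsv6 HOST` print ("ADDRESS SOCKTYPE [HOSTNAME]"); the hostname archive.example.test, the addresses (documentation ranges) and the function names render_nft_set / render_ruleset are the example's own, and the resolver output is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the bug report or the nftables project: work around
# "Hostname resolves to multiple addresses" by resolving the name outside nft
# and emitting a named set of plain address literals, which nft loads without
# touching the resolver. A set body with no elements is valid nft syntax, so a
# name with no records of the requested family yields an empty set instead of
# an error (the report's expected result 2).
#
# Assumed input: getent-style lines "ADDRESS SOCKTYPE [HOSTNAME]", one line per
# address and socket type (getent repeats each address for STREAM/DGRAM/RAW).
# The samples below are constructed from documentation address ranges.

# Deduplicate the address column of getent-style lines on stdin and print an
# nft set definition. $1 = set name, $2 = element type (ipv4_addr/ipv6_addr).
render_nft_set() {
    awk -v name="$1" -v etype="$2" '
        NF >= 1 && $1 !~ /^#/ && !seen[$1]++ {
            n++
            list = list (n > 1 ? ", " : "") $1
        }
        END {
            printf "set %s {\n\ttype %s;\n", name, etype
            if (n > 0) printf "\telements = { %s }\n", list
            printf "}\n"
        }'
}

# Wrap the set in the ruleset from the report so the output can be checked
# with `nft -c -f -`. $1 = element type; resolver output on stdin.
# `ip daddr` only matches IPv4 headers, so an ipv6_addr set gets `ip6 daddr`.
render_ruleset() {
    case $1 in
        ipv6_addr) sel='ip6 daddr' ;;
        *)         sel='ip daddr'  ;;
    esac
    printf 'table inet firewall {\n'
    render_nft_set testset "$1" | awk '{ print "\t" $0 }'
    printf '\tchain out {\n'
    printf '\t\ttype filter hook output priority 0; policy drop;\n'
    printf '\t\t%s @testset accept\n' "$sel"
    printf '\t}\n}\n'
}

# Constructed sample: three A records for the hypothetical host
# archive.example.test, each repeated per socket type as getent does.
SAMPLE_V4='192.0.2.10      STREAM archive.example.test
192.0.2.10      DGRAM
192.0.2.10      RAW
192.0.2.11      STREAM
192.0.2.11      DGRAM
192.0.2.11      RAW
198.51.100.7    STREAM
198.51.100.7    DGRAM
198.51.100.7    RAW'

# Constructed sample: the same host has no AAAA record, so getent prints nothing.
SAMPLE_V6=''

if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_V4" | render_ruleset ipv4_addr
    printf '%s\n' "$SAMPLE_V6" | render_nft_set testset ipv6_addr
    # Live use (needs DNS and nft installed):
    #   getent ahostsv4 archive.ubuntu.com | render_ruleset ipv4_addr | nft -c -f -
fi
```

The generated set is a snapshot of the answer at generation time: the rule then matches addresses, not the name, so the script has to be re-run when the records change (nothing here tracks TTLs). That is no worse than iptables, which also expands a multi-address hostname into one rule per address when the rule is inserted and never re-resolves it afterwards.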
bugzilla-daemon at netfilter.org
2020-Dec-01 09:07 UTC
[Bug 1309] Error: Hostname resolves to multiple addresses
https://bugzilla.netfilter.org/show_bug.cgi?id=1309

Didier <didier.barthe at univ-reims.fr> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |didier.barthe at univ-reims.fr

--- Comment #1 from Didier <didier.barthe at univ-reims.fr> ---
Hello,

I also have this problem on my debian buster (kernel 4.19.0-12-amd64;
nftables v0.9.0). On iptables (iptables v1.8.2 (nf_tables)) it works
perfectly, so I can't change to nftables while this does not work.

Best regards,
Didier