bugzilla-daemon at bugzilla.netfilter.org
2009-Oct-20 20:49 UTC
[Bug 616] New: Duplicate rules for multi-homed hostnames. IPv4 and IPv6 inconsistent treatment.
http://bugzilla.netfilter.org/show_bug.cgi?id=616

           Summary: Duplicate rules for multi-homed hostnames. IPv4 and IPv6 inconsistent treatment.
           Product: iptables
           Version: unspecified
          Platform: i386
        OS/Version: All
            Status: NEW
          Severity: minor
          Priority: P4
         Component: iptables
        AssignedTo: laforge at netfilter.org
        ReportedBy: kd6lvw at yahoo.com

Example rule:

  iptables -A INPUT -j ACCEPT -p tcp -m tcp --sport 2703 -s discovery.razor.cloudmark.com/22

DNS resolution: (BIND 9.7.0a3)

  ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 6, ADDITIONAL: 0
  ;; ANSWER SECTION:
  discovery.razor.cloudmark.com. 3600 IN A 208.83.137.118
  discovery.razor.cloudmark.com. 3600 IN A 208.83.139.205
  discovery.razor.cloudmark.com. 3600 IN A 208.83.137.117

Result in ruleset: THREE entries

  52  3192 ACCEPT tcp -- any any anywhere 208.83.136.0/22 tcp dpt:2703
   0     0 ACCEPT tcp -- any any anywhere 208.83.136.0/22 tcp dpt:2703
   0     0 ACCEPT tcp -- any any anywhere 208.83.136.0/22 tcp dpt:2703

1) As one can see, the rule gets installed three times, once for each address. However, due to the CIDR subnet mask used, each resulting IPv4 address range is identical, thus three identical rules are installed. So as NOT to enter duplicate rules, we should only install multiple rules if the POST-subnet-mask address values are different. It appears that current code installs one rule for each returned A record regardless of the post-mask value.

2) The above happens only for iptables (IPv4). ip6tables (IPv6) does not seem to permute around multiple AAAA records but picks the first one (which could be any if the DNS randomizes multiple records for a multi-homed host). We should have consistency between the two programs. Please port the permutation feature to ip6tables after fixing the subnet masking issue.

Bugzilla doesn't seem to understand that we have iptables 1.4.x series releases. I have observed this with iptables 1.4.5 and I use the Slackware distribution of Linux.
PS: For ip6tables consistency, can we drop printing "/128" like we do for iptables and "/32"? Thanks.

-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
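The post-mask de-duplication the report asks for, written out as an added example (this is illustrative Python, not iptables' own code): each resolved address is masked with the rule's prefix length first, and only distinct networks produce a rule, so the three A records under /22 collapse to one entry while the same three under /32 stay separate. It also handles AAAA records the same way, which is the IPv4/IPv6 consistency point 2 raises, and drops the host-length suffix as the PS suggests. The address lists below are constructed from the report's DNS output plus a made-up IPv6 pair.

```python
from ipaddress import ip_network

# Constructed sample: the three A records from the report, with the /22 of the rule.
A_RECORDS = ["208.83.137.118", "208.83.139.205", "208.83.137.117"]
# Constructed IPv6 sample (documentation prefix), to show the same logic for AAAA records.
AAAA_RECORDS = ["2001:db8::1", "2001:db8::2"]


def masked_networks(addresses, prefixlen):
    """Apply the CIDR prefix to every resolved address and return the distinct
    networks in first-seen order. Addresses that land in the same network yield
    a single entry, which is the post-mask comparison the report proposes."""
    seen = []
    for addr in addresses:
        # strict=False lets host bits be present and zeroes them for us.
        net = ip_network(f"{addr}/{prefixlen}", strict=False)
        if net not in seen:
            seen.append(net)
    return seen


def source_specs(addresses, prefixlen):
    """Render each distinct network as an iptables-style source spec. A
    host-length prefix (/32 for IPv4, /128 for IPv6) is printed as a bare
    address, matching the PS's request for consistent output."""
    specs = []
    for net in masked_networks(addresses, prefixlen):
        if net.prefixlen == net.max_prefixlen:
            specs.append(str(net.network_address))
        else:
            specs.append(net.with_prefixlen)
    return specs


if __name__ == "__main__":
    for spec in source_specs(A_RECORDS, 22):
        print(f"-s {spec}")      # one rule instead of three identical ones
    for spec in source_specs(AAAA_RECORDS, 64):
        print(f"-s {spec}")
```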
bugzilla-daemon at bugzilla.netfilter.org
2009-Oct-26 13:55 UTC
[Bug 616] Duplicate rules for multi-homed hostnames. IPv4 and IPv6 inconsistent treatment.
http://bugzilla.netfilter.org/show_bug.cgi?id=616

jengelh at medozas.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|laforge at netfilter.org    |jengelh at medozas.de