bugzilla-daemon at netfilter.org
2013-Jul-09 01:45 UTC
[Bug 616] Duplicate rules for multi-homed hostnames. IPv4 and IPv6 inconsistent treatment.
https://bugzilla.netfilter.org/show_bug.cgi?id=616

--- Comment #5 from - <kd6lvw at yahoo.com> 2013-07-09 03:45:06 CEST ---

Re: Comment #4.

One doesn't know what the addresses are until they are retrieved from the DNS. The point is that the routines which generate the rules are NOT checking the values AFTER the CIDR netmask is applied to eliminate POST-MASK duplicate answers. The mask used comes from the rule, not the DNS.

In the example I gave in the initial report, note that there are three distinct IPv4 addresses which are in separate /24's, but when the CIDR netmask of /22 (from the rule) is applied, all three of these differing addresses produce the same masked result. Thus the example produces the same rule THREE times even though there is only a single, unique result of the masking.

The current implementation assumes that because there are three DNS results, three rules are needed. It fails to check for duplicate results AFTER applying the mask.

Whether the current code checks for duplicate addresses before applying a netmask I have not checked, nor would such a check be necessary. It might be assumed from the DNS data that there are no duplicates for fully specified addresses (i.e. IPv4 /32 and IPv6 /128). However, it is improper to assume that there will be no post-mask duplicates.
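The post-mask check the comment asks for, as an added IPv4-only example; this is not iptables source code and not part of the original message. The function names and the sample addresses are assumptions constructed for illustration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: three hosts in separate /24s of one /22, plus one outside it. */
static const char *const sample[] = { "10.1.4.10", "10.1.5.20", "10.1.6.30", "10.1.8.40" };

/* Mask each address (host byte order) with the rule's prefix and compact the
 * array in place so every masked network appears once. Returns the count. */
static size_t mask_and_dedup(uint32_t *addrs, size_t n, unsigned plen)
{
    /* plen is 0..32; a shift by 32 is undefined, so handle /0 separately */
    uint32_t mask = plen ? 0xFFFFFFFFu << (32 - plen) : 0;
    size_t uniq = 0;

    for (size_t i = 0; i < n; i++) {
        uint32_t net = addrs[i] & mask;
        size_t j = 0;
        while (j < uniq && addrs[j] != net)
            j++;
        if (j == uniq)          /* not seen after masking: keep it */
            addrs[uniq++] = net;
    }
    return uniq;
}

/* Parse dotted quads into out[] (hypothetical helper), then dedup for /plen. */
static size_t rules_for(const char *const *ips, size_t n, unsigned plen,
                        uint32_t *out)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        struct in_addr a;
        if (inet_pton(AF_INET, ips[i], &a) == 1)
            out[k++] = ntohl(a.s_addr);
    }
    return mask_and_dedup(out, k, plen);
}

int main(void)
{
    uint32_t nets[4];
    size_t n = rules_for(sample, 4, 22, nets);
    for (size_t i = 0; i < n; i++)
        printf("%u.%u.%u.%u/22\n", nets[i] >> 24, (nets[i] >> 16) & 255,
               (nets[i] >> 8) & 255, nets[i] & 255);
    return 0;
}
```

With a /32 the same four addresses stay distinct, which matches the comment's point that only the post-mask comparison matters.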