bugzilla-daemon at netfilter.org
2013-Jul-09 07:35 UTC
[Bug 616] Duplicate rules for multi-homed hostnames. IPv4 and IPv6 inconsistent treatment.
https://bugzilla.netfilter.org/show_bug.cgi?id=616

--- Comment #7 from - <kd6lvw at yahoo.com> 2013-07-09 09:35:30 CEST ---

Re: Comment #6 -

It is up to the author of the ruleset to determine policy. It is the duty of the software to properly execute that policy. Here, the software fails to do so because it produces duplicate redundant rules which are never used.

Note that iptables-save (and its IPv6 equivalent) operates by storing IP address literals, not the originating host name. Systems which intend to preserve ruleset counts across reboots won't be affected by the policy problem you raise until the rules are manually reloaded using a host or network name from the DNS; an action [generally] commanded by human intervention.

This is not a matter of "should...." It's a matter of not doing it correctly to begin with. Similarly, "rm -rf /" is a valid unix command (or "format C:" for DOS/Windows systems), but that doesn't mean that one should ever execute it (especially the superuser) and expect the system to continue functioning, but if one were to command it, it should function properly (or abort with an error or issue a warning to the user; not appropriate for this iptables instant case).

This bug is not about a policy issue. If some administrator chooses to define a network mask in terms of a host or network name from the DNS and a netmask, knowing that such a DNS label may return multiple values outside of his control, who are you to say he can't? It's his choice and if that's how he decided to define his firewall, so be it.
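
The duplication this comment describes, as an added illustration that is not part of the original bug report and is not iptables code: it assumes one rule is generated per resolved address after the netmask is applied, and shows which resolved addresses collapse onto a network that already has a rule. The function names, prefix lengths and sample addresses (documentation ranges) are constructed for the example.

```python
import ipaddress
from collections import OrderedDict

# Constructed sample: addresses a multi-homed DNS name might return.
RESOLVED = [
    "192.0.2.10", "192.0.2.20", "198.51.100.5",
    "2001:db8::1", "2001:db8::2", "2001:db8:1::1",
]


def masked_networks(addresses, prefix_v4, prefix_v6):
    """Group resolved addresses by the network each selects once masked."""
    groups = OrderedDict()
    for text in addresses:
        addr = ipaddress.ip_address(text)
        prefix = prefix_v4 if addr.version == 4 else prefix_v6
        # strict=False clears the host bits, as applying a netmask does.
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        groups.setdefault(net, []).append(text)
    return groups


def unique_rule_sources(addresses, prefix_v4=24, prefix_v6=64):
    """Networks that each need exactly one rule, in first-seen order."""
    return [str(net) for net in masked_networks(addresses, prefix_v4, prefix_v6)]


def redundant_sources(addresses, prefix_v4=24, prefix_v6=64):
    """Addresses whose masked network duplicates an earlier one."""
    groups = masked_networks(addresses, prefix_v4, prefix_v6)
    return {str(net): srcs[1:] for net, srcs in groups.items() if len(srcs) > 1}


if __name__ == "__main__":
    print("one rule each:", unique_rule_sources(RESOLVED))
    for net, extra in redundant_sources(RESOLVED).items():
        print(f"{net}: redundant rule(s) would come from {extra}")
```

Comparing the number of input addresses with the length of `unique_rule_sources` gives a quick audit of how many rules in a loaded ruleset would never be matched.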