bugzilla-daemon at netfilter.org
2013-Jul-09 19:35 UTC
[Bug 616] Duplicate rules for multi-homed hostnames. IPv4 and IPv6 inconsistent treatment.
https://bugzilla.netfilter.org/show_bug.cgi?id=616

Phil Oester <netfilter at linuxace.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status|ASSIGNED                    |RESOLVED
     Resolution|                            |WONTFIX

--- Comment #10 from Phil Oester <netfilter at linuxace.com> 2013-07-09 21:35:57 CEST ---
(In reply to comment #9)
> RE: Comment #7: "It seems your best solution is to add a single rule with
> 208.83.136.0/22."
>
> Yet, it adds THREE rules, two of which will never fire, thus the problem and
> bug report.

You appear to be missing the point. iptables is doing EXACTLY what it should do here, by design. So instead of using a rule with "-s discovery.razor.cloudmark.com/22" you should use a rule with "-s 208.83.136.0/22" if you only want to get a single rule.

> Extend your quota example: When the first rule reaches the quota, it will stop
> firing. The first duplicate will then fire. In this case, as there are three
> rules, one ends up with a situation where three times the quota is permitted,
> and that by itself is a clear error.

Yes, and presumably the admin KNOWS this, as by your logic he knows the DNS RR contains three entries, knows they all fall in the same /22, and blindly believes this will never change.

We can debate this endlessly, but the point remains that we CANNOT change this behavior as iptables has behaved this way since the beginning of time, and admins MAY be relying upon the current behavior. Further, adding additional rules which never fire might be an annoyance for you, but they DO NO HARM. Breaking existing rulesets DOES HARM.

If this annoyance is such a problem for you, use the trivial workaround provided: use the CIDR instead of a DNS RR.

Closing this bug - no further action can be taken.
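The expansion the thread argues about, as an added illustration that is not part of the bug report or of iptables itself: a small Python emulation of how a "-s host/prefix" argument becomes one rule per resolved address, with the prefix mask applied to each address, and what that does to a per-rule quota. The three A records below are constructed for the example (the real RR set for discovery.razor.cloudmark.com is not reproduced here); the function names are the example's own.

```python
import ipaddress

# Constructed A records, chosen only to reproduce the situation described in
# the thread: three addresses that all fall inside 208.83.136.0/22.
CONSTRUCTED_DNS = {
    "discovery.razor.cloudmark.com": [
        "208.83.137.10",
        "208.83.138.20",
        "208.83.139.30",
    ],
}


def resolve(spec, dns=CONSTRUCTED_DNS):
    """Split 'host/prefix' or 'addr/prefix' into (addresses, prefixlen).

    A literal address is used as-is; a hostname is looked up in the
    constructed table (a real tool would call getaddrinfo() here, once,
    at rule-load time).
    """
    host, _, prefix = spec.partition("/")
    prefixlen = int(prefix) if prefix else 32
    try:
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:
        addrs = dns[host]
    return addrs, prefixlen


def expand_rules(spec, quota_bytes):
    """Emulate the behaviour the thread describes: one rule per resolved
    address, the prefix mask applied to each address, so a hostname with
    N A records yields N rules."""
    addrs, prefixlen = resolve(spec)
    rules = []
    for addr in addrs:
        net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        rules.append(f"-A INPUT -s {net} -m quota --quota {quota_bytes} -j ACCEPT")
    return rules


def network_of(rule):
    """Pull the '-s' argument back out of an emitted rule string."""
    return rule.split(" -s ")[1].split()[0]


def effective_quota(rules, quota_bytes):
    """Each quota match keeps its own counter, and rules with an identical
    match fire in turn once the earlier counter is exhausted, so the quota
    actually granted to a network is quota_bytes times the number of rules
    carrying that network."""
    totals = {}
    for rule in rules:
        net = network_of(rule)
        totals[net] = totals.get(net, 0) + quota_bytes
    return totals


if __name__ == "__main__":
    for spec in ("discovery.razor.cloudmark.com/22", "208.83.136.0/22"):
        rules = expand_rules(spec, 1000000)
        print(f"{spec}: {len(rules)} rule(s)")
        for r in rules:
            print("  " + r)
        print("  effective quota per network:", effective_quota(rules, 1000000))
```

Run stand-alone it shows the hostname form producing three rules that all carry -s 208.83.136.0/22 (so only the first can ever match, and the quota is tripled), while the literal CIDR produces exactly one rule: the workaround the comment recommends.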