Control: tags -1 wontfix

On Wed, 31 Jul 2019 18:54:42 +1000 "Trent W. Buck" <trentb...@gmail.com> wrote:
> Package: nftables
> Version: 0.9.1-2
> Severity: wishlist
>
> In iptables-restore, if a hostname has 3 addresses, you will end up with 3
> rules, e.g.
>
> -A INPUT -d www -j ACCEPT
>
> --expands to-->
>
> -A INPUT -d 127.0.0.1 -j ACCEPT
> -A INPUT -d 10.0.0.1 -j ACCEPT
> -A INPUT -d 172.16.0.1 -j ACCEPT
>
> In nftables, this is simply not allowed, which is reasonable:
>
> # nft table inet a
> # nft chain inet a b
> # nft rule inet a b ip saddr one-ipv4-address
> # nft rule inet a b ip saddr two-ipv4-addresses
> Error: Hostname resolves to multiple addresses
> rule inet a b ip saddr two-ipv4-addresses
>                        ^^^^^^^^^^^^^^^^^^
>
> I think there is one case where nftables COULD make a smarter decision:
> the hostname has one IPv4 address and one IPv6 address, AND
> we are operating in a single-stack table.
>
This is specifically designed this way. Building firewall rules from FQDNs is confusing and can lead to errors. Typical case is: the rule won't change if the A register changes in DNS. I believe nft accepting FQDNs in such a simple way is the right balance between not accepting them at all and doing smart things. I think doing DNS tricks is a thing for higher level wrappers such as firewalld.
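As an added illustration (not code from this bug thread, nor from nftables or firewalld), here is the wrapper-side logic the reply points at: resolve a name, keep only the addresses the table's family can carry (the single-stack case the report asks about), then either refuse an ambiguous name the way nft does or emit one rule per address the way iptables-restore does. The names pick_addresses, nft_saddr_rules and FAKE_DNS are assumptions, and the resolver is a constructed stand-in so the example runs offline.

```python
import ipaddress
from typing import Callable, Iterable, List

# Assumed helper names; nothing here is part of nft itself.
FAMILY_VERSION = {"ip": 4, "ip6": 6}  # 'inet' (dual-stack) keeps both


def pick_addresses(resolved: Iterable[str], table_family: str) -> List[str]:
    """Keep only the addresses a table of this family can carry:
    'ip' keeps IPv4, 'ip6' keeps IPv6, 'inet' keeps everything."""
    addrs = [ipaddress.ip_address(a) for a in resolved]
    want = FAMILY_VERSION.get(table_family)
    if want is not None:
        addrs = [a for a in addrs if a.version == want]
    return [str(a) for a in addrs]


def nft_saddr_rules(hostname: str, resolve: Callable[[str], List[str]],
                    table_family: str = "inet", table: str = "a",
                    chain: str = "b", expand: bool = False) -> List[str]:
    """Build 'nft add rule' commands matching the source address of hostname.
    expand=False behaves like nft and refuses an ambiguous name;
    expand=True behaves like iptables-restore and emits one rule per address."""
    addrs = pick_addresses(resolve(hostname), table_family)
    if not addrs:
        raise ValueError(f"{hostname}: no address usable in a {table_family} table")
    if len(addrs) > 1 and not expand:
        raise ValueError(f"{hostname}: hostname resolves to multiple addresses")
    rules = []
    for a in addrs:
        # Per-address protocol keyword so the rule also parses in an inet table.
        proto = "ip6" if ipaddress.ip_address(a).version == 6 else "ip"
        rules.append(f"nft add rule {table_family} {table} {chain} {proto} saddr {a} accept")
    return rules


# Constructed stand-in for DNS (documentation ranges) so the example runs offline.
FAKE_DNS = {
    "one-ipv4-address": ["192.0.2.1"],
    "two-ipv4-addresses": ["192.0.2.1", "198.51.100.1"],
    "dual-stack": ["192.0.2.1", "2001:db8::1"],
}


def fake_resolve(name: str) -> List[str]:
    return FAKE_DNS[name]


if __name__ == "__main__":
    print(nft_saddr_rules("dual-stack", fake_resolve, "ip"))  # single-stack: unambiguous
    print(nft_saddr_rules("dual-stack", fake_resolve, "inet", expand=True))
```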