Bug#933531: accept hostnames with one IPv4 address and one IPv6 address in single-stack chain?

2019-08-27 Thread Arturo Borrero Gonzalez
Control: tags -1 wontfix

On Wed, 31 Jul 2019 18:54:42 +1000 "Trent W. Buck"  wrote:
> Package: nftables
> Version: 0.9.1-2
> Severity: wishlist
> 
> In iptables-restore, if a hostname has 3 addresses, you will end up with 3 rules, e.g.
> 
> -A INPUT -d www -j ACCEPT
> 
> --expands to-->
> 
> -A INPUT -d 127.0.0.1  -j ACCEPT
> -A INPUT -d 10.0.0.1   -j ACCEPT
> -A INPUT -d 172.16.0.1 -j ACCEPT
> 
> In nftables, this is simply not allowed, which is reasonable:
> 
> # nft table inet a
> # nft chain inet a b
> # nft  rule inet a b ip saddr one-ipv4-address
> # nft  rule inet a b ip saddr two-ipv4-addresses
> Error: Hostname resolves to multiple addresses
> rule inet a b ip saddr two-ipv4-addresses
>                        ^^
> 
> I think there is one case where nftables COULD make a smarter decision:
> the hostname has one IPv4 address and one IPv6 address, AND
> we are operating in a single-stack table.
> 

This is specifically designed this way. Building firewall rules from FQDNs is
confusing and can lead to errors. Typical case is: the rule won't change if the
A record changes in DNS.

I believe nft accepting FQDNs in such a simple way is the right balance between
not accepting them at all and doing smart things.

I think doing DNS tricks is a thing for higher level wrappers such as firewalld.



Bug#933531: accept hostnames with one IPv4 address and one IPv6 address in single-stack chain?

2019-07-31 Thread Trent W. Buck
Package: nftables
Version: 0.9.1-2
Severity: wishlist

In iptables-restore, if a hostname has 3 addresses, you will end up with 3 rules, e.g.

-A INPUT -d www -j ACCEPT

--expands to-->

-A INPUT -d 127.0.0.1  -j ACCEPT
-A INPUT -d 10.0.0.1   -j ACCEPT
-A INPUT -d 172.16.0.1 -j ACCEPT

In nftables, this is simply not allowed, which is reasonable:

# nft table inet a
# nft chain inet a b
# nft  rule inet a b ip saddr one-ipv4-address
# nft  rule inet a b ip saddr two-ipv4-addresses
Error: Hostname resolves to multiple addresses
rule inet a b ip saddr two-ipv4-addresses
                       ^^

I think there is one case where nftables COULD make a smarter decision:
the hostname has one IPv4 address and one IPv6 address, AND
we are operating in a single-stack table.

For example:

# grep one-of-each /etc/hosts
127.1.2.3  one-of-each
::1  one-of-each

# nft flush ruleset
# nft table ip a
# nft chain ip a b
# nft  rule ip a b dnat to one-of-each  # SHOULD just ignore the IPv6 addr
Error: Hostname resolves to multiple addresses
rule ip a b dnat to one-of-each
                    ^^^

While testing this, I ran into this behaviour, which I don't understand *AT ALL*.
How and why is nftables converting from ::1 to 127.0.0.1?

# grep one-ipv6-address /etc/hosts
::1 one-ipv6-address
# nft flush ruleset
# nft table ip a
# nft chain ip a b
# nft rule  ip a b dnat to one-ipv6-address
# nft list ruleset
table ip a {
        chain b {
                dnat to 127.0.0.1
        }
}

It looks like when nftables gets a hostname, it resolves it to a
single address in any family.  Then later, if it's the wrong family
for that chain, it reverse-resolves the address to a hostname, then
forward-resolves that hostname to the desired address family?

That sort of makes sense, but I can see it confusing people whose
forward- and reverse- name resolution don't match.

# cat >>/etc/hosts
::1:2:3:4 another-one-ipv6-address
# getent hosts another-one-ipv6-address
::1:2:3:4   another-one-ipv6-address
# nft 'flush ruleset; table ip a; chain ip a b; rule ip a b dnat to 
another-one-ipv6-address; list ruleset'
Error: Could not resolve hostname: Name or service not known
flush ruleset; table ip a; chain ip a b; rule ip a b dnat to 
another-one-ipv6-address; list ruleset
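The thread above turns on two things: nft refuses a name that resolves to more than one address, and the maintainer's position that per-family expansion "is a thing for higher level wrappers". The following is an added example of such a wrapper, written for this page and not code from nftables, iptables or firewalld. It resolves a name, keeps only the addresses the target table family can carry, and emits `nft add rule` lines for address matching (`saddr`/`daddr`, not `dnat to`, which needs a map rather than a set when there are several targets). Several addresses of one family become one anonymous set; an `inet` table gets one `ip` rule and one `ip6` rule; a name with no address in the requested family is rejected instead of silently substituted. The `HOSTS` table is constructed to mirror the `/etc/hosts` entries in the report so the block runs offline; `resolve_live` is the drop-in that consults the real resolver.

```python
"""Expand a hostname into nftables address-match rules, per table family.

Added example (not nftables code): the per-family resolution logic the
maintainer says belongs in a wrapper above nft.  Hostnames are resolved at
generation time only; re-run the wrapper when DNS changes.
"""
import ipaddress
import socket
from typing import Callable, Dict, List

# Constructed hosts table standing in for /etc/hosts or DNS (mirrors the
# names used in the bug report) so the example runs offline.
HOSTS: Dict[str, List[str]] = {
    "one-ipv4-address": ["127.0.0.1"],
    "two-ipv4-addresses": ["10.0.0.1", "172.16.0.1"],
    "one-of-each": ["127.1.2.3", "::1"],
    "one-ipv6-address": ["::1"],
}

# nft table family -> IP version it carries (None = dual-stack inet table).
FAMILY_VERSION = {"ip": 4, "ip6": 6, "inet": None}
# Layer-3 keyword nft wants in front of saddr/daddr for each IP version.
L3_KEYWORD = {4: "ip", 6: "ip6"}

Resolver = Callable[[str], List[str]]


def resolve_hosts_table(name: str) -> List[str]:
    """Offline resolver backed by the constructed HOSTS table."""
    if name not in HOSTS:
        raise LookupError(f"Could not resolve hostname: {name}")
    return HOSTS[name]


def resolve_live(name: str) -> List[str]:
    """Live resolver: every A and AAAA answer getaddrinfo returns, deduplicated."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def addresses_by_version(name: str, family: str,
                         resolve: Resolver = resolve_hosts_table) -> Dict[int, list]:
    """Group the name's addresses by IP version, keeping only what `family` can hold."""
    if family not in FAMILY_VERSION:
        raise ValueError(f"unknown nft table family: {family}")
    grouped: Dict[int, list] = {4: [], 6: []}
    for text in resolve(name):
        addr = ipaddress.ip_address(text)
        grouped[addr.version].append(addr)
    want = FAMILY_VERSION[family]
    if want is not None:
        # Single-stack table: silently drop the other family (the report's wish).
        grouped = {want: grouped[want]}
    if not any(grouped.values()):
        # No usable address: refuse rather than guess, unlike the 127.0.0.1 surprise.
        raise ValueError(f"{name} has no address usable in a {family} table")
    return {v: addrs for v, addrs in grouped.items() if addrs}


def nft_rules(name: str, family: str, table: str, chain: str,
              direction: str = "saddr", action: str = "accept",
              resolve: Resolver = resolve_hosts_table) -> List[str]:
    """Return `nft add rule` lines matching `name` in the given family/table/chain."""
    if direction not in ("saddr", "daddr"):
        raise ValueError("direction must be 'saddr' or 'daddr'")
    rules = []
    for version, addrs in sorted(addresses_by_version(name, family, resolve).items()):
        # Several addresses of one family collapse into one anonymous set.
        if len(addrs) == 1:
            operand = str(addrs[0])
        else:
            operand = "{ " + ", ".join(str(a) for a in addrs) + " }"
        rules.append(f"add rule {family} {table} {chain} "
                     f"{L3_KEYWORD[version]} {direction} {operand} {action}")
    return rules


if __name__ == "__main__":
    for fam in ("ip", "ip6", "inet"):
        for line in nft_rules("one-of-each", fam, "a", "b"):
            print(line)
```

Feed the output to `nft -f -` (or one `nft` invocation per line). Because addresses are fixed at generation time, the maintainer's caveat still applies: the generated rules do not follow later DNS changes, so the wrapper has to be re-run, and the same name may legitimately yield a different set on a different host or resolver.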