hostnames resolving problem
Kelly Yancey
kbyanc at posi.net
Fri Aug 29 12:18:58 PDT 2003
On Mon, 25 Aug 2003, Philip Reynolds wrote:
> Marcin Gryszkalis <mg at fork.pl> 33 lines of wisdom included:
> > On 2003-08-23 05:11, Kelly Yancey wrote:
> > > The name resolution feature is already questionable: if the DNS mapping
> > > changes, should the firewall rule somehow be magically updated? I mean,
> > > you *did* ask for packets to be allowed to smtp.o2.pl didn't you?
> > I understand the point of view that it's questionable, but - as it *is*
> > implemented, it's just inconsistent. The relation between hosts and IPs
> > is treated as 1-to-1 where it's 1-to-many.
> >
> > I know I can just write
> >
> > ip=`host smtp.o2.pl | cut -f4 -d' ' | paste -s -d, -`
> > ${ipfw} add tcp from any to ${ip} setup
> >
> > or something similar instead of changing ipfw code. But that's just my
> > opinion - that the command interface is inconsistent.
>
> Perhaps where more than one host is returned, the user should
> receive a warning?
>
Great idea. How about something along the lines of this (untested) patch:
RCS file: /home/ncvs/src/sbin/ipfw/ipfw2.c,v
retrieving revision 1.4.2.17
diff -u -p -r1.4.2.17 ipfw2.c
--- ipfw2.c 25 Jul 2003 08:23:07 -0000 1.4.2.17
+++ ipfw2.c 29 Aug 2003 19:14:33 -0000
@@ -1879,6 +1879,10 @@ lookup_host (char *host, struct in_addr
if ((he = gethostbyname(host)) == NULL)
return(-1);
*ipaddr = *(struct in_addr *)he->h_addr_list[0];
+ if (he->h_addr_list[1] != NULL) {
+ warn("%s resolved to multiple addresses, only using %s",
+ host, inet_ntoa(*ipaddr));
+ }
}
return(0);
}
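Review bot: the new block in lookup_host() calls warn(), which appends ": " and strerror(errno) to the message; nothing on this path sets errno after gethostbyname() succeeded, so the diagnostic would end with an unrelated or stale error string. Use warnx() for a message that carries no errno, e.g. `warnx("%s resolved to multiple addresses, only using %s", host, inet_ntoa(*ipaddr));`. The rest of the check is sound: h_addr_list is NULL-terminated, so testing h_addr_list[1] is the right way to detect a second address, and the firewall still only gets the first one, which the warning now makes visible.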
Kelly
--
Kelly Yancey -- kbyanc@{posi.net,FreeBSD.org} -- kelly at nttmcl.com
Join distributed.net Team FreeBSD: http://www.posi.net/freebsd/Team-FreeBSD/
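The shell workaround quoted from Marcin above (`host ... | cut -f4 -d' '`) turns every line of `host` output into a field, so an MX line or an IPv6 line would inject words such as "handled" or "address" into the ipfw address list. The following is an added example, not code from this thread or from the ipfw project: it keeps only "has address" lines, counts the results so the caller can warn when a name is 1-to-many (the point Philip raised), and shows what the naive pipeline would have produced on the same input. The resolver output is constructed inline so the script runs offline; the host name, addresses and the `allow ... 25` rule are assumptions for illustration.

```shell
# Added example (not from the thread): build the comma-separated address list
# ipfw expects from `host`-style output, keeping only IPv4 "has address" lines
# so that MX or AAAA lines do not leak into the rule. Sample output below is
# constructed to mimic `host smtp.example.test`; the name and addresses are made up.
SAMPLE_HOST_OUTPUT='smtp.example.test has address 192.0.2.10
smtp.example.test has address 192.0.2.11
smtp.example.test has IPv6 address 2001:db8::25
smtp.example.test mail is handled by 10 mx.example.test.'

# Print the IPv4 addresses from `host`-style output on stdin, one per line.
ipv4_addrs() {
    awk '$2 == "has" && $3 == "address" { print $4 }'
}

# Join stdin lines with commas (the list form ipfw accepts for an address).
join_commas() {
    paste -s -d, -
}

# Build the ipfw address list for the resolver output given as $1.
# Returns non-zero and prints nothing when no IPv4 address was found.
addr_list() {
    list=$(printf '%s\n' "$1" | ipv4_addrs | join_commas)
    [ -n "$list" ] || return 1
    printf '%s\n' "$list"
}

# Number of IPv4 addresses in the resolver output $1; warn when it is > 1.
addr_count() {
    printf '%s\n' "$1" | ipv4_addrs | wc -l | tr -d ' '
}

# What the `cut -f4 -d' '` pipeline from the thread yields on the same output,
# shown only for comparison: non-address words end up in the list.
naive_list() {
    printf '%s\n' "$1" | cut -f4 -d' ' | paste -s -d, -
}

# Usage: emit the rule only after checking how many addresses the name has.
n=$(addr_count "$SAMPLE_HOST_OUTPUT")
if [ "$n" -gt 1 ]; then
    echo "warning: smtp.example.test resolved to $n addresses; rule covers all of them" >&2
fi
if addrs=$(addr_list "$SAMPLE_HOST_OUTPUT"); then
    echo "ipfw add allow tcp from any to $addrs 25 setup"
else
    echo "error: smtp.example.test has no IPv4 address, no rule written" >&2
fi
```

Filtering on the exact "has address" phrase rather than a field position is what makes the rule robust: the resolver's extra record types become a no-op instead of a syntax error or, worse, a rule that silently matches nothing.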