Package: iptables
Version: 1.3.6.0debian1-2
Severity: normal
Tags: patch

This is in a situation where DNS is unavailable:

  iptables -A INPUT -j ACCEPT -s orcus

works -- orcus is resolved correctly via /etc/hosts --, but

  iptables -A INPUT -j ACCEPT -s orcus/24

does not: /etc/hosts resolution does not work, and it falls back to DNS
(which also does not work *and* incurs a wait for a timeout).

It is the same when "orcus" is replaced with "localnet" which can be
found in /etc/networks. The form "orcus/255.255.255.0" runs fine.

This seems to be a recent breakage ... I didn't pinpoint the version, though.

I found the culprit in parse_hostnetworkmask(); if I apply the ipt-hosts.patch
the problem goes away. What the problematic code does is pad "orcus" to
"orcus.0.0.0" with the obvious consequences. Actually the idea is good (allow
e.g. "1.2/16") but the condition before pad_cidr() is completely bogus. So
my suggestion is to remove this ill thought-out feature until
correctly implemented.

FWIW, I'm also attaching a patch that fixes a mini-bug in the Makefile: the
"-a" in a test commandline usually means and, so "-a FILE" should probably
read "-e FILE".
diff -ruN iptables-1.3.6.0debian1/iptables/iptables.c 
iptables-1.3.6.0debian1+/iptables/iptables.c
--- iptables-1.3.6.0debian1/iptables/iptables.c 2006-11-18 11:17:14.000000000 
+0100
+++ iptables-1.3.6.0debian1+/iptables/iptables.c        2006-11-18 
10:44:07.000000000 +0100
@@ -702,8 +702,6 @@
        if ((p = strrchr(buf, '/')) != NULL) {
                *p = '\0';
                addrp = parse_mask(p + 1);
-               if (strrchr(p + 1, '.') == NULL)
-                       pad_cidr(buf);
        } else
                addrp = parse_mask(NULL);
        inaddrcpy(maskp, addrp);
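Review bot: Dropping the pad_cidr() call also removes the numeric shorthand ("1.2/16") that the report itself calls useful, while the actual defect is that the removed condition inspected the mask text (`p + 1`) instead of the address in `buf`. Restricting the padding to a purely dotted-numeric `buf` fixes the hostname case and keeps the shorthand: `if (strrchr(p + 1, '.') == NULL && buf[0] != '\0' && strspn(buf, "0123456789.") == strlen(buf)) pad_cidr(buf);` — assuming pad_cidr() only appends the missing ".0" octets as the report describes. Whichever variant is kept, a comment above the block such as `/* hostnames are never padded; only dotted numerics get ".0" fill */` would record the intent. parse_hostnetworkmask() starts and ends outside the hunk.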
diff -ruN iptables-1.3.6.0debian1/iptables/Makefile 
iptables-1.3.6.0debian1+/iptables/Makefile
--- iptables-1.3.6.0debian1/iptables/Makefile   2006-11-18 11:17:14.000000000 
+0100
+++ iptables-1.3.6.0debian1+/iptables/Makefile  2006-11-18 09:45:00.000000000 
+0100
@@ -79,7 +79,7 @@
 # Generic test if arch wasn't found above
 ifneq ($(POINTERTEST),1)
        # Try to determine if kernel is 64bit and we are compiling for 32bit
-       ifeq ($(shell [ -a $(KERNEL_DIR)/include/asm ] && echo YES), YES)
+       ifeq ($(shell [ -e $(KERNEL_DIR)/include/asm ] && echo YES), YES)
                64bitkernel := $(shell echo -e "\#include <asm/types.h>\n\#if 
BITS_PER_LONG == 64\nkernel_is_64bits\n\#endif" | $(CC) $(CFLAGS) -D__KERNEL__ 
-E - | grep kernel_is_64bits)
                ifdef 64bitkernel
                        32bituser := $(shell echo -e "\#include <stdio.h>\n\#if 
!defined(__arch64__) && !defined(_LP64)\nuserspace_is_32bit\n\#endif" | $(CC) 
$(CFLAGS) -E - | grep userspace_is_32bit)
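Review bot: The corrected test on the `+` line still expands `$(KERNEL_DIR)` unquoted inside `[ ]`, so an unset or empty KERNEL_DIR makes the probe check `/include/asm` on the build host, and a path containing spaces breaks the test outright. Guarding and quoting it, `ifeq ($(shell [ -n "$(KERNEL_DIR)" ] && [ -e "$(KERNEL_DIR)/include/asm" ] && echo YES), YES)`, stops the 64-bit kernel detection from being decided by the wrong tree; presumably the `$(CC) -E` probe on the next context line depends on CFLAGS pointing at that same tree, which is not visible here. The `ifneq ($(POINTERTEST),1)` block opened on the second context line is closed outside the hunk.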
