Package: ferm
Version: 2.1-1
Severity: wishlist

Hi,

the appearance of the resolve function and the corresponding warning in the documentation has made me think about possibilities to make DNS lookups in packet filter rules a little less dangerous. My idea would be to add a possibility to give the packet filter rule set the possibility to judge what to expect from a lookup.

For example, a function @match could be implemented using regexp and/or Net::Patricia, allowing the code to judge whether the return of a lookup is reasonable. For example:

    @match(<ip address>,<list of prefixes>)

would return the empty string if ip address is not in any of the prefixes, and the ip address if ip address is in one of the prefixes, allowing code like

    proto tcp dport 80 daddr @match(@lookup("www.strato.de"),"2a01:238::/32") ACCEPT;

which will only produce a valid rule if www.strato.de is inside Strato's IPv6 network. That way, IP address changes inside the expected range are processed transparently with the system failing to the safe side (not producing any rule) if the DNS answer is bogus.

Depending on the format of the match string, the function could choose whether to match IPv4, IPv6 or regular expressions.

Greetings
Marc
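The fail-closed semantics proposed above, sketched as an added Python example (not ferm's code, which is Perl): match() returns the address only if it falls inside one of the expected prefixes or matches a regular expression, and rule() emits nothing when it does not. The lookup table standing in for @lookup and the addresses in it are constructed so the example runs offline.

```python
import ipaddress
import re

# Constructed stand-in for ferm's @lookup; no real DNS query is made.
FAKE_LOOKUP = {
    "www.strato.de": "2a01:238:20a:202:1062::1",   # inside 2a01:238::/32
    "bogus.example": "203.0.113.5",                # an answer outside the expected range
}


def lookup(name):
    """Stand-in for @lookup: the address recorded for name, or '' if unknown."""
    return FAKE_LOOKUP.get(name, "")


def match(addr, *patterns):
    """Return addr if it satisfies one of the patterns, otherwise ''.

    A pattern containing '/' is treated as an IPv4 or IPv6 prefix; any other
    pattern is a regular expression that must match the whole address.
    Anything that fails to parse counts as a non-match, so the caller fails
    to the safe side and no rule is produced.
    """
    if not addr:
        return ""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return ""
    for pat in patterns:
        if "/" in pat:
            try:
                net = ipaddress.ip_network(pat, strict=False)
            except ValueError:
                continue                      # unparsable prefix never matches
            if ip.version == net.version and ip in net:
                return addr
        elif re.fullmatch(pat, addr):
            return addr
    return ""


def rule(name, *patterns, port=80):
    """Emit the ACCEPT rule only when the looked-up address passed match()."""
    daddr = match(lookup(name), *patterns)
    if not daddr:
        return ""                             # bogus or missing answer: no rule
    return f"proto tcp dport {port} daddr {daddr} ACCEPT;"
```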