git.ipfire.org Git - thirdparty/nftables.git/commit

author	Thomas Haller <thaller@redhat.com>
	Fri, 18 Aug 2023 09:40:37 +0000 (11:40 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Thu, 24 Aug 2023 07:01:45 +0000 (09:01 +0200)
commit	3684a1b69c255d5268dd2b1590c1dc039e48052d
tree	6dab3f3dc8e948338b47ac08248f23923699ea21	tree \| snapshot
parent	4496b390ed2a086c4abbaa864798f36d891fa933	commit \| diff

src: add input flag NFT_CTX_INPUT_NO_DNS to avoid blocking

getaddrinfo() blocks while trying to resolve the name. Blocking the
caller of the library is in many cases undesirable. Also, while
reconfiguring the firewall, it's not clear that resolving names via
the network will work or makes sense.

Add a new input flag NFT_CTX_INPUT_NO_DNS to opt-out from getaddrinfo()
and only accept plain IP addresses.

We could also use AI_NUMERICHOST with getaddrinfo() instead of
inet_pton(). By parsing via inet_pton(), we are better aware of
what we expect and can generate a better error message in case of
failure.

Signed-off-by: Thomas Haller <thaller@redhat.com>
Reviewed-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

doc/libnftables.adoc		diff \| blob \| blame \| history
include/datatype.h		diff \| blob \| blame \| history
include/nftables.h		diff \| blob \| blame \| history
include/nftables/libnftables.h		diff \| blob \| blame \| history
src/datatype.c		diff \| blob \| blame \| history
src/evaluate.c		diff \| blob \| blame \| history