Date: Fri, 29 Aug 2003 12:18:30 -0700 (PDT)
From: Kelly Yancey
To: Philip Reynolds
In-Reply-To: <20030825235426.GA74887@rfc-networks.ie>
Message-ID: <20030829121458.W4705-100000@gateway.posi.net>
cc: freebsd-ipfw@freebsd.org
cc: luigi@freebsd.org
Subject: Re: hostnames resolving problem

On Mon, 25 Aug 2003, Philip Reynolds wrote:

> Marcin Gryszkalis 33 lines of wisdom included:
> > On 2003-08-23 05:11, Kelly Yancey wrote:
> > > The name resolution feature is already questionable: if the DNS mapping
> > > changes, should the firewall rule somehow be magically updated? I mean, you
> > > *did* ask for packets to be allowed to smtp.o2.pl didn't you?
> > I understand the point of view that it's questionable, but - as it *is*
> > implemented, it's just inconsistent. The relation between hosts and IPs
> > is treated as 1-to-1 where it's 1-to-many.
> >
> > I know I can just write
> >
> > ip=`host smtp.o2.pl | cut -f4 -d' ' | paste -s -d, -`
> > ${ipfw} add tcp from any to ${ip} setup
> >
> > or something similar instead of changing ipfw code. But that's just my
> > opinion - that command interface is inconsistent.
>
> Perhaps where more than one host is returned, the user should
> receive a warning?
>

Great idea. How about something along the lines of this (untested) patch:

RCS file: /home/ncvs/src/sbin/ipfw/ipfw2.c,v
retrieving revision 1.4.2.17
diff -u -p -r1.4.2.17 ipfw2.c
--- ipfw2.c	25 Jul 2003 08:23:07 -0000	1.4.2.17
+++ ipfw2.c	29 Aug 2003 19:14:33 -0000
@@ -1879,6 +1879,10 @@ lookup_host (char *host, struct in_addr if ((he = gethostbyname(host)) == NULL) return(-1); *ipaddr = *(struct in_addr *)he->h_addr_list[0]; + if (he->h_addr_list[1] != NULL) { + warn("%s resolved to multiple addresses, only using %s", + host, inet_ntoa(*ipaddr)); + } } return(0); } Kelly -- Kelly Yancey -- kbyanc@{posi.net,FreeBSD.org} -- kelly@nttmcl.com Join distributed.net Team FreeBSD: http://www.posi.net/freebsd/Team-FreeBSD/
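Review bot: warn() appends strerror(errno) to the message, but gethostbyname() has just succeeded, so whatever errno holds is unrelated to the condition being reported and the output will end in a stale or misleading error string; warnx() gives the same format without the errno text. The check `he->h_addr_list[1] != NULL` is correct since h_addr_list is NULL-terminated, but the warning is advisory only: the rule is still installed with h_addr_list[0] alone, so for a deny rule the host's other addresses stay unblocked unless someone reads stderr at load time. Consider stating in the message that the remaining addresses are not covered, or rejecting the rule and telling the user to list the addresses explicitly (the shell expansion quoted earlier in the thread).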
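The shell expansion Marcin quotes above, worked into a complete script as an added example that is not code from the thread or from ipfw: it keeps every IPv4 address a name resolves to instead of the first one, drops non-address lines that a bare `cut -f4` would swallow, and prints one rule per address. The hostname, rule number and the `host` output are constructed stand-ins so the script runs offline.

```sh
#!/bin/sh
# Added example, not code from the thread. Instead of letting ipfw keep
# only h_addr_list[0], resolve every IPv4 address of a name and emit one
# rule per address so a multi-homed host is covered completely.

# Constructed stand-in for `host smtp.example.net` so this runs offline.
# It includes an MX line that a bare `cut -f4 -d' '` would also pick up.
sample_host_output() {
    printf '%s\n' \
        'smtp.example.net has address 192.0.2.10' \
        'smtp.example.net has address 192.0.2.11' \
        'smtp.example.net mail is handled by 10 mx.example.net.'
}

# Keep only "NAME has address A.B.C.D" lines from `host` output on stdin.
extract_v4_addrs() {
    awk '$2 == "has" && $3 == "address" { print $4 }'
}

# Comma-join stdin lines: the address-list form a single ipfw rule accepts.
join_commas() {
    paste -s -d, -
}

# Print (not execute) one ipfw command per address so the generated rules
# can be reviewed before they touch the live ruleset. $1 is the rule
# number (constructed), the remaining arguments are addresses.
ipfw_rules_for() {
    rule=$1; shift
    for ip in "$@"; do
        printf 'ipfw add %s allow tcp from any to %s setup\n' "$rule" "$ip"
    done
}

# Mirror the warning from the patch: tell the operator when a name has
# several addresses so the expansion does not go unnoticed.
warn_if_multiple() {
    host=$1; shift
    [ "$#" -gt 1 ] && echo "$host resolved to $# addresses" >&2
    return 0
}

# With a live resolver this would be: host smtp.example.net | extract_v4_addrs
addrs=$(sample_host_output | extract_v4_addrs)
# shellcheck disable=SC2086  # splitting $addrs on newlines is intended
warn_if_multiple smtp.example.net $addrs
ipfw_rules_for 1000 $addrs
echo "single-rule form: to $(sample_host_output | extract_v4_addrs | join_commas)"
```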