From 1bd2f0a20596e47c082c2415369a209ed1b329f6 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt <jengelh@medozas.de>
Date: Wed, 18 Nov 2009 00:00:37 +0100
Subject: doc: name resolution clarification

Sometimes there are users who wonder about when name resolutions/DNS
queries are done, so let's add that for completeness.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 ip6tables.8.in | 10 ++++++----
 iptables.8.in  |  8 +++++---
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/ip6tables.8.in b/ip6tables.8.in
index 66d8543c..56881331 100644
--- a/ip6tables.8.in
+++ b/ip6tables.8.in
@@ -240,10 +240,12 @@ option is omitted.
 .TP
 [\fB!\fP] \fB\-s\fP, \fB\-\-source\fP \fIaddress\fP[\fB/\fP\fImask\fP]
 Source specification.
-\fIAddress\fP can be either a hostname (please note that specifying
-any name to be resolved with a remote query such as DNS is a really bad idea),
-a network IPv6 address (with \fB/\fP\fImask\fP), or a plain IPv6 address.
-(the network name isn't supported now).
+\fIAddress\fP can be either be a hostname,
+a network IP address (with \fB/\fP\fImask\fP), or a plain IP address.
+Names will be resolved once only, before the rule is submitted to the kernel.
+Please note that specifying any name to be resolved with a remote query such as
+DNS is a really bad idea.
+(Resolving network names is not supported at this time.)
 The \fImask\fP is a plain number,
 specifying the number of 1's at the left side of the network mask.
 A "!" argument before the address specification inverts the sense of
diff --git a/iptables.8.in b/iptables.8.in
index 928f46a9..d29deb2e 100644
--- a/iptables.8.in
+++ b/iptables.8.in
@@ -239,9 +239,11 @@ option is omitted.
 .TP
 [\fB!\fP] \fB\-s\fP, \fB\-\-source\fP \fIaddress\fP[\fB/\fP\fImask\fP][\fB,\fP\fI...\fP]
 Source specification. \fIAddress\fP
-can be either a network name, a hostname (please note that specifying
-any name to be resolved with a remote query such as DNS is a really bad idea),
-a network IP address (with \fB/\fP\fImask\fP), or a plain IP address.
+can be either a network name, a hostname, a network IP address (with
+\fB/\fP\fImask\fP), or a plain IP address. Hostnames will
+be resolved once only, before the rule is submitted to the kernel.
+Please note that specifying any name to be resolved with a remote query such as
+DNS is a really bad idea.
 The \fImask\fP
 can be either a network mask or a plain number,
 specifying the number of 1's at the left side of the network mask.
-- 
cgit v1.2.3