author | Thomas Haller <thaller@redhat.com> | 2023-08-18 11:40:37 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-08-24 09:01:45 +0200 |
commit | 3684a1b69c255d5268dd2b1590c1dc039e48052d (patch) | |
tree | 6dab3f3dc8e948338b47ac08248f23923699ea21 /include | |
parent | 4496b390ed2a086c4abbaa864798f36d891fa933 (diff) |
src: add input flag NFT_CTX_INPUT_NO_DNS to avoid blocking
getaddrinfo() blocks while trying to resolve the name. Blocking the
caller of the library is in many cases undesirable. Also, while
reconfiguring the firewall, it's not clear that resolving names via
the network will work or makes sense.
Add a new input flag NFT_CTX_INPUT_NO_DNS to opt out of getaddrinfo()
and only accept plain IP addresses.
We could also use AI_NUMERICHOST with getaddrinfo() instead of
inet_pton(). By parsing via inet_pton(), we are better aware of
what we expect and can generate a better error message in case of
failure.
Signed-off-by: Thomas Haller <thaller@redhat.com>
Reviewed-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include')
-rw-r--r-- | include/datatype.h | 1 | ||||
-rw-r--r-- | include/nftables.h | 5 | ||||
-rw-r--r-- | include/nftables/libnftables.h | 4 |
3 files changed, 10 insertions, 0 deletions
diff --git a/include/datatype.h b/include/datatype.h
index 4b59790b..be5c6d1b 100644
--- a/include/datatype.h
+++ b/include/datatype.h
@@ -182,6 +182,7 @@ struct datatype *dtype_clone(const struct datatype *orig_dtype);

 struct parse_ctx {
 struct symbol_tables *tbl;
+ const struct input_ctx *input;
 };

 extern struct error_record *symbol_parse(struct parse_ctx *ctx,
diff --git a/include/nftables.h b/include/nftables.h
index 7d35a95a..666a17ae 100644
--- a/include/nftables.h
+++ b/include/nftables.h
@@ -27,6 +27,11 @@ struct input_ctx {
 unsigned int flags;
 };

+static inline bool nft_input_no_dns(const struct input_ctx *ictx)
+{
+ return ictx->flags & NFT_CTX_INPUT_NO_DNS;
+}
+
 struct output_ctx {
 unsigned int flags;
 union {
diff --git a/include/nftables/libnftables.h b/include/nftables/libnftables.h
index 9a05d3c4..e109805f 100644
--- a/include/nftables/libnftables.h
+++ b/include/nftables/libnftables.h
@@ -48,6 +48,10 @@ enum nft_optimize_flags {
 uint32_t nft_ctx_get_optimize(struct nft_ctx *ctx);
 void nft_ctx_set_optimize(struct nft_ctx *ctx, uint32_t flags);
+enum {
+ NFT_CTX_INPUT_NO_DNS = (1 << 0),
+};
+
 unsigned int nft_ctx_input_get_flags(struct nft_ctx *ctx);
 unsigned int nft_ctx_input_set_flags(struct nft_ctx *ctx, unsigned int flags); |
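Review bot: The new `parse_ctx` member names `struct input_ctx` without any declaration visible in this hunk; unless datatype.h already includes nftables.h, a forward declaration `struct input_ctx;` above `struct parse_ctx` keeps the header self-contained for translation units that include it alone. The member also deserves a one-line comment on ownership and nullability, e.g. `/* borrowed, not owned; must outlive the parse and is dereferenced without a NULL check */`. The nullability part is inferred from `nft_input_no_dns()` in the nftables.h hunk of this same commit, so it is worth confirming that every place that initialises a `parse_ctx` now sets `input`.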
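Review bot: `nft_input_no_dns()` dereferences `ictx` unconditionally, so a `parse_ctx` whose new `input` member was left unset, or any caller passing a NULL input context, crashes instead of reaching a defined behaviour. Either document the contract on the helper, `/* @ictx must be non-NULL */`, or choose the default explicitly — for example `return ictx == NULL || (ictx->flags & NFT_CTX_INPUT_NO_DNS);` if a missing context should refuse name resolution rather than silently permit a network lookup during ruleset load. The helper also relies on `bool` and on `NFT_CTX_INPUT_NO_DNS` (defined in the public libnftables.h) being visible in nftables.h; presumably the needed includes are already present, but that is outside the hunk.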
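Review bot: `NFT_CTX_INPUT_NO_DNS` becomes public API without any documentation in the header; its meaning currently lives only in the commit message. A Doxygen comment above the enum should state that, when set, names in the input are not resolved via getaddrinfo() and only literal IP addresses as accepted by inet_pton() parse, so loading a ruleset never blocks on the network and the resulting rules cannot depend on whatever the resolver answers at load time. For consistency with `enum nft_optimize_flags` a few lines above, the new flags would also read better as a named enum, `enum nft_ctx_input_flags {`, which keeps the public header's naming uniform without changing any value.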