[capirca-dev] possibility of using hostnames for iptables rule definitions?


Kristian Erik Hermansen

Apr 27, 2010, 3:08:39 PM
to capir...@googlegroups.com
Hello,

Is it, or will it be possible, to utilize hostnames for iptables
policies? iptables allows this. Understandably, capirca cannot use
the ipaddr lib to aggregate the ip space in such instances, but having
this ability to add individual hostnames would really be super
helpful, especially for organizations that manage a large number of
frequently changing IPs. Yes, we trust our own internal and hardened
DNS servers :) Thoughts? Here is an example...

"""
# iptables -A INPUT -s google.com -j ACCEPT
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- nuq04s01-in-f104.1e100.net anywhere
ACCEPT all -- nuq04s01-in-f147.1e100.net anywhere
ACCEPT all -- nuq04s01-in-f99.1e100.net anywhere
ACCEPT all -- nuq04s01-in-f103.1e100.net anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
"""
--
Kristian Erik Hermansen


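What the listing above shows is that iptables resolves the name once, when the rule is inserted, and stores one rule per returned address; `iptables -L` then reverse-resolves those addresses back into the 1e100.net names (use `iptables -L -n` to see the raw addresses). The following is an added example, not Capirca's code and not something the project ships, of how a generator could offer the same convenience while still aggregating the result with an address library: hostnames are resolved at generation time, the answers are collapsed into CIDR blocks, and one iptables rule is emitted per block. It uses the standard-library `ipaddress` module in place of the `ipaddr` library the post mentions, and the hostnames and DNS answers (`SAMPLE_DNS`, documentation ranges) are constructed for the example so that it runs offline; `socket_resolver` is the live alternative.

```python
"""Expand hostnames into per-address iptables rules at generation time.

Added example, not part of Capirca. It mimics what iptables itself does when
handed a hostname: resolve it once, emit one rule per returned address. The
resolution happens when the policy is generated, not when a packet arrives,
so a DNS change requires regenerating and reloading the policy.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Resolver = Callable[[str], List[str]]

# Constructed sample DNS answers (hypothetical names, documentation ranges)
# standing in for a trusted internal resolver so the example runs offline.
SAMPLE_DNS: Dict[str, List[str]] = {
    "app.example.net": ["192.0.2.13", "192.0.2.10", "192.0.2.12", "192.0.2.11"],
    "db.corp.example": ["10.1.2.4", "10.1.2.3", "2001:db8::10"],
}


def table_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Resolver backed by a dict, used here instead of live DNS."""
    def resolve(name: str) -> List[str]:
        if name not in table:
            raise socket.gaierror(f"constructed resolver: no record for {name}")
        return list(table[name])
    return resolve


def socket_resolver(name: str) -> List[str]:
    """Live resolver: every A/AAAA answer the system resolver returns."""
    infos = socket.getaddrinfo(name, None)
    return sorted({info[4][0] for info in infos})


def _is_address_literal(token: str) -> bool:
    """True for things like 10.9.0.0/16 or 2001:db8::1, False for hostnames."""
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False


def expand_sources(sources: Iterable[str], resolver: Resolver) -> List[IPNetwork]:
    """Turn a mix of CIDR literals and hostnames into collapsed networks.

    Hostnames are resolved once, here, at generation time; the emitted rules
    carry addresses only, exactly as iptables stores them. A name that does
    not resolve aborts generation instead of silently dropping a rule, since
    a missing ACCEPT under a DROP policy locks you out and a missing DROP
    opens a hole.
    """
    networks: List[IPNetwork] = []
    for token in sources:
        if _is_address_literal(token):
            networks.append(ipaddress.ip_network(token, strict=False))
            continue
        try:
            answers = resolver(token)
        except socket.gaierror as exc:
            raise ValueError(f"cannot resolve {token!r}: {exc}") from exc
        if not answers:
            raise ValueError(f"{token!r} resolved to no addresses")
        networks.extend(ipaddress.ip_network(addr) for addr in answers)
    # collapse_addresses merges adjacent blocks but refuses mixed families.
    v4 = [n for n in networks if n.version == 4]
    v6 = [n for n in networks if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def render_iptables(chain: str, sources: Iterable[str], target: str,
                    resolver: Resolver = socket_resolver) -> List[str]:
    """One iptables (or ip6tables) command per collapsed source network."""
    lines = []
    for net in expand_sources(sources, resolver):
        tool = "iptables" if net.version == 4 else "ip6tables"
        lines.append(f"{tool} -A {chain} -s {net.with_prefixlen} -j {target}")
    return lines


if __name__ == "__main__":
    rules = render_iptables("INPUT", ["app.example.net", "db.corp.example", "10.9.0.0/16"],
                            "ACCEPT", table_resolver(SAMPLE_DNS))
    print("\n".join(rules))
```

Two things to check before relying on this in a generated policy: the four addresses from `app.example.net` collapse into two /31 blocks, so the rule count no longer matches the record count and a diff against `iptables-save` output will not be one-to-one; and because the kernel holds addresses rather than names, a resolver you trust today still has to be re-queried (and the policy reloaded) every time the records behind a name move.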

Tony Watson

Apr 27, 2010, 7:57:13 PM
to capir...@googlegroups.com
No plans to support it right now. The other supported platforms do not support DNS resolution in filters, so adding this would be a one-off hack for iptables. The focus of Capirca isn't to be the best generator of iptables policies, but rather to be good at "cross platform" filter generation.

Kristian Erik Hermansen

Apr 27, 2010, 8:28:07 PM
to capir...@googlegroups.com
On Tue, Apr 27, 2010 at 4:57 PM, Tony Watson <wat...@google.com> wrote:
> No plans to support it right now.  The other supported platforms do not
> support DNS resolution in filters, so adding this would be a one-off hack
> for iptables.  The focus of Capirca isn't to be the best generator of
> Iptables policies, but rather to be good at "cross platform" filter
> generation.

Totally understandable. I am just trying to give some feedback for
iptables specifically because it doesn't seem to be as well-tested,
as I have found out through some interesting "quirks", like seemingly
randomly adding a default -P DROP policy when not specified. So, I
hope my input helps.

I do know that Google is mostly a Juniper shop and that this is
probably what has been most tested. I also have heard that Google is
"fed up" with Juniper and is seeking other ways to work around them,
which might include rolling their own solution. Who knows -- maybe
you do :)

In any event, thanks for the feedback, and I do hope that my testing
is helpful. I also committed some fixes to svn for some other
brokenness in generating output files...

Cheers,
--
Kristian Erik Hermansen