system-config/playbooks/filter_plugins
Ian Wienand 11343cc75d dns_[a|aaaa] filter; use host for lookup
After adding iptables configuration to allow bridge.o.o to send stats
to graphite.o.o in I299c0ab5dc3dea4841e560d8fb95b8f3e7df89f2, I
encountered the weird failure that ipv6 rules seemed to be applied on
graphite.o.o, but not the ipv4 ones.

Eventually I realised that the dns_a filter as written is using
socket.getaddrinfo() on bridge.o.o and querying for itself.  It thus
gets matches the loopback entry in /etc/hosts and passes along a rule
for 127.0.1.1 or similar.  The ipv6 hostname is not in /etc/hosts so
this works there.

What we really want the dns_<a|aaaa> filters to do is lookup the
address in DNS, rather than the local resolver.  Without wanting to
get involved in new libraries, etc. the simplest option seems to be to
use the well-known 'host' tool.  We can easily parse the output of
this to ensure we're getting the actual DNS addresses for hostnames.

An ipv6 match is added to the existing test.  This is effectively
tested by the existing usage of the iptables role which sets up rules
for cacti.o.o access.

Change-Id: Ia7988626e9b1fba998fee796d4016fc66332ec03
2018-09-13 22:50:40 +10:00
..
__init__.py Add iptables role 2018-08-27 14:33:32 +00:00
getaddrinfo.py dns_[a|aaaa] filter; use host for lookup 2018-09-13 22:50:40 +10:00