11343cc75d
After adding iptables configuration to allow bridge.o.o to send stats to graphite.o.o in I299c0ab5dc3dea4841e560d8fb95b8f3e7df89f2, I encountered the weird failure that ipv6 rules seemed to be applied on graphite.o.o, but not the ipv4 ones. Eventually I realised that the dns_a filter as written is using socket.getaddrinfo() on bridge.o.o and querying for itself. It thus gets matches the loopback entry in /etc/hosts and passes along a rule for 127.0.1.1 or similar. The ipv6 hostname is not in /etc/hosts so this works there. What we really want the dns_<a|aaaa> filters to do is lookup the address in DNS, rather than the local resolver. Without wanting to get involved in new libraries, etc. the simplest option seems to be to use the well-known 'host' tool. We can easily parse the output of this to ensure we're getting the actual DNS addresses for hostnames. An ipv6 match is added to the existing test. This is effectively tested by the existing usage of the iptables role which sets up rules for cacti.o.o access. Change-Id: Ia7988626e9b1fba998fee796d4016fc66332ec03 |
||
---|---|---|
.. | ||
__init__.py | ||
getaddrinfo.py |