Hello,

I might have found a bug in ipset domain name resolving code:

--------------------------------------------------------------
# ipset create testset hash:ip
# ipset add testset hyphen-containing.example.com
ipset v7.2x: Syntax error: cannot parse hyphen: resolving to IPv4 address failed
----------------------------------------------------------------

This is the output of ipset 7.22 in an up-to-date debian testing system as well as of 7.24 directly compiled from the git repository.

The issue seems to be located in the parse_ipaddr function of lib/parse.c: the function attempts to find if the string pointed by the str argument is a range of IPs containing IPSET_RANGE_SEPARATOR defined in include/libipset/parse.h as "-". If IPSET_RANGE_SEPARATOR is found, it is replaced by '\0' which results in the truncation of the string pointed by the str argument. If the string is a domain name then the subsequent attempt to resolve it fails because it is incomplete compared to what was passed initially to the parse_ipaddr function.

I don't have any understanding of what is done before or after this step. Therefore, if you consider this report as valid, I'll leave to the relevant developer the task to fix this issue in the most secure and appropriate way.

Many thanks to all involved developers and non developers for their work on this very important set of tools that is netfilter!

Pierre
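
Added example, not part of the original message and not ipset's code: a simplified C model of the split the report describes, next to a stricter variant that treats "-" as a range separator only when the left-hand side parses as a numeric IPv4 address. The function names and the stricter rule are assumptions made for illustration, not a proposed patch.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

#define RANGE_SEP "-"  /* same character the report gives for IPSET_RANGE_SEPARATOR */

/* Model of the reported behaviour: cut at the first separator, unconditionally.
 * buf is modified in place; returns 1 if a split happened, 0 otherwise. */
static int split_naive(char *buf, char **first, char **last)
{
    char *sep = strstr(buf, RANGE_SEP);

    *first = buf;
    *last = NULL;
    if (sep == NULL)
        return 0;
    *sep = '\0';               /* "hyphen-containing..." becomes "hyphen" */
    *last = sep + 1;
    return 1;
}

/* Hypothetical stricter rule: split only when the left part is a numeric
 * IPv4 address; otherwise restore the byte and keep the whole host name. */
static int split_checked(char *buf, char **first, char **last)
{
    struct in_addr addr;

    if (!split_naive(buf, first, last))
        return 0;
    if (inet_pton(AF_INET, *first, &addr) == 1)
        return 1;
    (*last)[-1] = RANGE_SEP[0]; /* undo the truncation */
    *last = NULL;
    return 0;
}

int main(void)
{
    char a[] = "hyphen-containing.example.com"; /* constructed sample input */
    char b[] = "hyphen-containing.example.com";
    char *first, *last;

    split_naive(a, &first, &last);
    printf("naive:   name passed to the resolver = \"%s\"\n", first);
    split_checked(b, &first, &last);
    printf("checked: name passed to the resolver = \"%s\"\n", first);
    return 0;
}
```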