How to update an ipset name-based entry

WoJ asked:

I need to handle on my firewall (Firehol, which is then transformed into iptables) a few dynamic entries. In an ideal world I would use a name (instead of an IP address) which always points to the right IP but this does not work (for good reasons).

In order to keep a stable configuration, I am considering using ipset. (EDIT: for the sake of the example below, let's assume that www.google.com has only one IP at a given time, but which may change)

# ipset create google hash:ip
# ipset add google www.google.com
# ipset list google
Name: google
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 136
References: 0
Number of entries: 1
Members:
216.58.206.228

I can add/delete IPs for the set. This does not solve the problem of updating an IP.

To take the example above, I would like to be able to re-add www.google.com and (if its IP changed), have 216.58.206.228 removed and replaced by its new IP.

This is not the case:

# ipset add google www.google.com
# ipset list google
Name: google
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 184
References: 0
Number of entries: 2
Members:
216.58.206.228
216.58.204.132

Is there a mechanism which allows updating an IP in a set, to match the current resolution of a name?

EDIT: to clarify following some answers: I do not want to solve the problem of a name which has several addresses and cover them all (say, making sure that I have all resolutions for www.google.com). I have a site which has one single IP, but that IP may change.

My answer:

That doesn’t seem like the best way to block a web site that has many IP addresses.

Nevertheless, this will work even if you have multiple IP addresses in an ipset list:

Instead of rewriting the same ipset list, create a new list and then ipset swap them.

ipset create temp hash:ip

# dig +short also prints CNAME targets when the name is an alias;
# keep only dotted-quad lines so ipset add does not choke on a hostname
for address in $(dig a www.google.com +short | grep -E '^[0-9.]+$'); do
    ipset add temp "$address"
done

# swap is atomic: rules referencing "google" see the old members up to
# the swap and the new ones from then on; the old members die with temp
ipset swap temp google
ipset destroy temp

View the full question and any other answers on Server Fault.
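The swap approach above works, but as written it has two failure modes worth handling when it runs from cron: `dig +short` prints CNAME targets as well as addresses, and a DNS failure would quietly swap an empty set into place (unblocking a blocked site, or locking you out of an allowed one). The script below is an added example, not the answer's own code, that packages the create/add/swap/destroy pattern with those checks. It assumes ipset and dig are installed, that it runs as root, and that the target set already exists as `hash:ip` family inet (as `google` does in the question); the set and host names are the question's, the function and scratch-set names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original answer): keep an existing hash:ip set
# in sync with the current A record(s) of a name, using create/add/swap/destroy
# so that iptables rules referencing the set never see it empty or half-built.
# Assumed: ipset and dig installed, run as root, target set exists as hash:ip
# family inet. Usage: refresh-ipset.sh SET NAME (names below are illustrative).

# Keep only dotted-quad lines. `dig +short` prints the CNAME chain before the
# addresses when the name is an alias, and those lines would make `ipset add`
# fail, so they are dropped here. `|| true` keeps an empty result from being
# reported as an error.
ipv4_only() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || true
}

# Current IPv4 addresses of $1, one per line, deduplicated.
resolve_ipv4() {
    dig +short A "$1" | ipv4_only | sort -u
}

# Replace the members of set $1 with the addresses read from stdin.
# The swap is atomic from the packet path's point of view: the old members are
# matched until the swap, the new ones from then on, with no window in between.
# The scratch set must have the same type and family as the target or swap fails.
refresh_set() {
    set_name=$1
    tmp="${set_name}_tmp"
    # -exist: tolerate a scratch set left behind by an interrupted earlier run;
    # the flush then guarantees it starts empty.
    ipset create -exist "$tmp" hash:ip family inet
    ipset flush "$tmp"
    while read -r addr; do
        [ -n "$addr" ] && ipset add -exist "$tmp" "$addr"
    done
    ipset swap "$tmp" "$set_name"
    ipset destroy "$tmp"
}

# Refresh set $1 from name $2, refusing to touch the set when resolution
# returns nothing: a DNS failure must not silently empty the set.
refresh_from_name() {
    addrs=$(resolve_ipv4 "$2")
    if [ -z "$addrs" ]; then
        echo "no A records for $2, leaving set $1 unchanged" >&2
        return 1
    fi
    printf '%s\n' "$addrs" | refresh_set "$1"
}

# e.g.  refresh-ipset.sh google www.google.com
if [ $# -eq 2 ]; then
    refresh_from_name "$1" "$2"
fi
```

Because every ipset call goes through the plain command name, a shell function called `ipset` defined before the script's functions run shadows the binary, which makes it easy to dry-run the sequence of commands without root or a live kernel set.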

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.