bugzilla-daemon at netfilter.org
2018-Mar-24 22:44 UTC
[Bug 1236] New: Services list is confusingly different from the /etc/services
https://bugzilla.netfilter.org/show_bug.cgi?id=1236

            Bug ID: 1236
           Summary: Services list is confusingly different from the /etc/services
           Product: nftables
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: robin at mccorkell.me.uk

When specifying services by their string form (e.g. "domain" to refer to port 53), an internal service mapping is used (services.c in the source) rather than the system services database at /etc/services (well, via nsswitch). This internal service mapping is much smaller than /etc/services, and differs in the names of some services. This makes it extremely confusing when writing rules.

I'm reporting this as a bug, not as an enhancement, since I think it's a severe usability issue.

Context: I've used iptables for a few years, and I wanted to make the switch to nftables to unify IPv4 and IPv6 configuration. A lot of the syntax is great, a significant improvement on iptables; but the one thing that stands out badly is the service mapping. As a new user of nftables, I expect the service mapping to be identical to /etc/services, and not have a custom, incomplete and incompatible service list.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180324/27fff617/attachment.html>
bugzilla-daemon at netfilter.org
2018-Mar-26 09:58 UTC
[Bug 1236] Services list is confusingly different from the /etc/services
https://bugzilla.netfilter.org/show_bug.cgi?id=1236

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Hi,

(In reply to Robin McCorkell from comment #0)
> [...] I expect the service mapping to be identical to /etc/services, and
> not have a custom, incomplete and incompatible service list.

For the record, you can get the list of defined services via:

# nft describe tcp dport

If you're missing standard services, we can add them to the existing list.

If you need custom services, you can probably use variables instead:

define service_x = 456

We can also add infrastructure to allow people to define custom services in a way that is self-contained, ie. from inside nftables policy file.
bugzilla-daemon at netfilter.org
2018-Mar-26 10:07 UTC
[Bug 1236] Services list is confusingly different from the /etc/services
https://bugzilla.netfilter.org/show_bug.cgi?id=1236

--- Comment #2 from Robin McCorkell <robin at mccorkell.me.uk> ---
While adding more standard services to the list would help, and the ability to define custom services is useful, it misses the point.

As a new user of nftables coming from an iptables world, when I see a service name (e.g. 'domain') I expect that to be identical to /etc/services - as soon as there is *any* incompatibility I get frustrated. The service list used by nft should be /etc/services, not some custom internal table.

As long as a custom internal table is used, there will always be issues. Just use the system-provided services database via nsswitch.
bugzilla-daemon at netfilter.org
2018-Mar-26 10:46 UTC
[Bug 1236] Services list is confusingly different from the /etc/services
https://bugzilla.netfilter.org/show_bug.cgi?id=1236

--- Comment #3 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Robin McCorkell from comment #2)
> While adding more standard services to the list would help, and the ability
> to define custom services is useful, it misses the point.
>
> As a new user of nftables coming from an iptables world, when I see a
> service name (e.g. 'domain') I expect that to be identical to /etc/services
> - as soon as there is *any* incompatibility I get frustrated. The service
> list used by nft should be /etc/services, not some custom internal table.

iptables-save doesn't use service names, and this is the preferred way to save/restore/display rulesets these days.

> As long as a custom internal table is used, there will always be issues.
> Just use the system-provided services database via nsswitch.

These service lists are inconsistent under /etc/services from vendor to vendor, hence moving one ruleset policy using service names from one linux vendor to another may break.

I understand there is a mind shift from iptables users, we're aiming to have a self-contained scripting language in nftables. I think defining variables for custom services should be good enough.

If there's any service name clearly wrong or default/standard list of services is missing anything important, we can make patches for this too, let us know if that is the case :-)
bugzilla-daemon at netfilter.org
2018-Apr-03 08:44 UTC
[Bug 1236] Services list is confusingly different from the /etc/services
https://bugzilla.netfilter.org/show_bug.cgi?id=1236

--- Comment #4 from Robin McCorkell <robin at mccorkell.me.uk> ---
I personally don't think system configuration files (like rulesets) should be expected to be migratable without tweaks between vendors/distributions; other NSS databases like passwd/group affect the system as a whole, and prevent other configuration files from being verbatim copied around. My belief is that the tools on the system should be tied to the vendor-specific lookup databases (services), since that is what the admin is configuring everything else with respect to.

However, since cross-distro compatibility seems to be an aim of nft, I guess this isn't an acceptable solution. Feel free to close this issue if my conclusion is correct - I'll submit separate reports for any missing/wrong services.
bugzilla-daemon at netfilter.org
2019-Mar-27 07:29 UTC
[Bug 1236] Services list is confusingly different from the /etc/services
https://bugzilla.netfilter.org/show_bug.cgi?id=1236

Sven Strickroth <email at cs-ware.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugzilla.netfilter.org/show_bug.cgi?id=1269
bugzilla-daemon at netfilter.org
2019-Mar-27 07:48 UTC
[Bug 1236] Services list is confusingly different from the /etc/services
https://bugzilla.netfilter.org/show_bug.cgi?id=1236

--- Comment #5 from Sven Strickroth <email at cs-ware.de> ---
> These service lists are inconsistent under /etc/services from vendor to
> vendor, hence moving one ruleset policy using service names from one linux
> vendor to another may break.

Local lookups are a general problem when you want to migrate from one machine to another (just to name UIDs and usernames, network device names, network addresses, ...). I think this is a non-issue as one can easily use the "-n -n" parameter (maybe this needs to be more fine grained). Also, when people published old iptables rulesets with contained local names this "issue" was also present.
bugzilla-daemon at netfilter.org
2020-Jan-28 22:58 UTC
[Bug 1236] Services list is confusingly different from the /etc/services
https://bugzilla.netfilter.org/show_bug.cgi?id=1236

kfm at plushkava.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kfm at plushkava.net
bugzilla-daemon at netfilter.org
2020-Jul-21 17:13 UTC
[Bug 1236] Services list is confusingly different from the /etc/services
https://bugzilla.netfilter.org/show_bug.cgi?id=1236

--- Comment #6 from Pablo Neira Ayuso <pablo at netfilter.org> ---
/etc/services is used by nftables since:

commit 9e45a28ca467f08b9c01baf73d1849055e53ea0b
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Fri Aug 24 11:04:30 2018 +0200

    src: honor /etc/services

Default listing prints services using numeric notation. You can display service names via -S.
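The portability concern raised in comments #3 and #5 (a service name in a ruleset that resolves to a different port, or to nothing, once the ruleset is moved to a host with a different /etc/services) can be checked mechanically before deployment. The following is an added example written for this thread, not code from the bug report or from the nftables project: it parses an /etc/services-style database, extracts the symbolic names a ruleset uses after `tcp`/`udp` `dport`/`sport` (including names inside `{ ... }` sets), and lists the ones the target database cannot resolve. The sample services file and the sample ruleset are constructed inline; `load_system_services` is a hypothetical helper name that reads the real /etc/services when the host has one.

```python
"""Added example (not nftables project code): check that every service name an
nftables ruleset uses is resolvable in a given /etc/services-style database.
This is the cross-vendor portability concern from the bug thread: a name that
exists in one distribution's /etc/services may be missing on another."""
import os
import re
from typing import Dict, List, Optional, Tuple

ServiceTable = Dict[Tuple[str, str], int]   # (name, proto) -> port

# Constructed sample in /etc/services format: a comment, one alias line ("www").
SAMPLE_SERVICES = """\
# Network services, Internet style (constructed sample, not a real file)
ssh             22/tcp
domain          53/tcp
domain          53/udp
http            80/tcp          www www-http
https           443/tcp
ntp             123/udp
"""

# Constructed nftables ruleset mixing single names, a set of names, and a number.
SAMPLE_RULESET = """\
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        tcp dport { ssh, http, https } accept
        udp dport domain accept
        udp dport ntp accept
        tcp dport 8443 accept
        tcp dport imaps accept
    }
}
"""


def parse_services(text: str) -> ServiceTable:
    """Parse /etc/services text: 'name port/proto [alias ...]' per line.
    Aliases map to the same port; the first definition of a name wins."""
    table: ServiceTable = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments; blanks yield no fields
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port_s, proto = fields[1].split("/", 1)
        if not port_s.isdigit():
            continue
        for name in [fields[0]] + fields[2:]:
            table.setdefault((name, proto), int(port_s))
    return table


def load_system_services(path: str = "/etc/services") -> ServiceTable:
    """Hypothetical helper: read the host's database; empty table if it is absent."""
    if not os.path.exists(path):
        return {}
    with open(path, encoding="utf-8", errors="replace") as fh:
        return parse_services(fh.read())


def resolve_service(table: ServiceTable, name: str, proto: str) -> Optional[int]:
    """Port for (name, proto), or None when the database has no such entry."""
    return table.get((name, proto))


# Matches 'tcp dport ssh', 'udp sport { a, b }', etc.; a set is one capture group.
_PORT_EXPR = re.compile(r"\b(tcp|udp|sctp|dccp)\s+(?:dport|sport)\s+(\{[^}]*\}|\S+)")
_NUMERIC = re.compile(r"^\d+(-\d+)?$")          # single port or port range


def service_names_in_ruleset(text: str) -> List[Tuple[str, str]]:
    """Symbolic (name, proto) pairs used in port matches, in order, de-duplicated.
    Numeric ports, ranges and $variables are not service names and are skipped."""
    seen: List[Tuple[str, str]] = []
    for m in _PORT_EXPR.finditer(text):
        proto, value = m.group(1), m.group(2)
        for tok in value.strip("{}").replace(",", " ").split():
            if _NUMERIC.match(tok) or tok.startswith("$"):
                continue
            if (tok, proto) not in seen:
                seen.append((tok, proto))
    return seen


def unresolved_services(ruleset: str, services_text: str) -> List[Tuple[str, str]]:
    """Names the ruleset uses that the given services database cannot resolve."""
    table = parse_services(services_text)
    return [(n, p) for n, p in service_names_in_ruleset(ruleset)
            if resolve_service(table, n, p) is None]


if __name__ == "__main__":
    # Against the constructed sample: 'imaps' is used but never defined, so it is flagged.
    for name, proto in unresolved_services(SAMPLE_RULESET, SAMPLE_SERVICES):
        print(f"unresolved: {name}/{proto}")
    # Against the real host database, when one exists.
    host = load_system_services()
    if host:
        for name, proto in service_names_in_ruleset(SAMPLE_RULESET):
            print(f"{name}/{proto} -> {resolve_service(host, name, proto)}")
```

Running the check against the destination host's /etc/services (rather than the source host's) is the point: a name that resolves locally but not on the target is exactly the case comment #3 warns about, and a ruleset saved in numeric form (the default listing described in comment #6) sidesteps the problem entirely.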
bugzilla-daemon at netfilter.org
2020-Jul-29 22:06 UTC
[Bug 1236] Services list is confusingly different from the /etc/services
https://bugzilla.netfilter.org/show_bug.cgi?id=1236

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED

--- Comment #7 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Closing, thanks for reporting.