netfilter buglog - Jul 2018 - [Bug 1269] New: using the internal lookup table vs. the local system's /etc/services (or so) generally prevents nft from working

https://bugzilla.netfilter.org/show_bug.cgi?id=1269

            Bug ID: 1269
           Summary: using the internal lookup table vs. the local system's
                    /etc/services (or so) generally prevents nft from
                    working
           Product: nftables
           Version: unspecified
          Hardware: All
                OS: Gentoo
            Status: NEW
          Severity: blocker
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: d at zaitceff.me

An old enough commit ccc5da470e76032f8e175920553516835efb30f1
(http://git.netfilter.org/nftables/commit/?id=ccc5da470e76032f8e175920553516835efb30f1)
prevents the nft utility from using the host's _real_ list of known services
(e.g. from /etc/services).  In my case - the latest Gentoo - nft doesn't
know
anymore what are the port numbers of imap, smtps and ms-wbt-server.  While all
of them are (legally!:) listed in /etc/services.  These three services are just
my exact case, while the difference between the general (not Gentoo-specific)
/etc/services content and the hardcoded inet_service_tbl (which was created
from the patch author's /etc/services of some time and from some Ubuntu
distro)
are just _big_.

As for me, the whole idea to hardcode the list of services was erroneous,
because the local list of services is not even the distro-specific entity, but
just the local admin's possession.  And nobody can know in advance the
somebody's service names and port numbers...

Example:

tcp dport imap ip daddr X.X.X.X counter dnat Y.Y.Y.Y

This line can't be used after the mentioned patch has been applied.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180708/0b4eaacd/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1269

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Probably better use variables for what you want? eg.

define imap = 143

tcp dport $imap ip daddr X.X.X.X counter dnat Y.Y.Y.Y

So definitions are self-contained?

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180709/23ebaea9/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1269

--- Comment #2 from D.Zaitceff <d at zaitceff.me> ---
(In reply to Pablo Neira Ayuso from comment #1)
> Probably better use variables for what you want? eg.
> 
> define imap = 143
> 
> tcp dport $imap ip daddr X.X.X.X counter dnat Y.Y.Y.Y
> 
> So definitions are self-contained?
But it is not the correct side of the problem.

Nevertheless and by the way, look:

gentoo: grep imap /etc/services
imap            143/tcp         imap2           # Internet Message Access
Protocol
imap            143/udp         imap2
imap3           220/tcp                         # Interactive Mail Access
imap3           220/udp
imaps           993/tcp                         # imap4 protocol over TLS/SSL
imaps           993/udp

(Here I assume that Ubuntu is Debian-like)
debian: grep imap /etc/services 
imap2           143/tcp         imap            # Interim Mail Access P 2 and 4
imaps           993/tcp                         # IMAP over SSL

So, IMAP is always here.  But, in Gentoo it is the primary service name, while
in Debian IMAP2 is the primary one and IMAP is an alias.  So, at first sight
the problem is the obviously incorrect implementation of the aforementioned
patch - alias names of the services are just forgotten.  And so the IMAP name
is lost.

But this first sight is a short sight too.  The real problem is not the
implementation, but the whole idea of the patch: to fake the system-level,
well-known and content-volatile database with a hard-coded snapshot of it.  And
thus to lose the view of the reality - the actual list of the portnames -
forever...

It is like if one of the SHADOW project's authors decided to hardcode its
current /etc/passwd file into the sources... and just gave up using getpwent()
for the purpose.

/etc/services (or its NIS variant, or hesiod's one or whatever) is the
official, well known, stable, understood, simple, nice etc. database of
mappings between service names and port numbers.  And _standard_ API is here. 
To reinvent this weel is not just pointless, but also means to surely break the
way the system works.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180712/b0d4d68b/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1269

--- Comment #3 from Pablo Neira Ayuso <pablo at netfilter.org> ---
commit 9e45a28ca467f08b9c01baf73d1849055e53ea0b
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Fri Aug 24 11:04:30 2018 +0200

    src: honor /etc/services

Fixes this upstream.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20190326/4c6e4cb8/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1269

Sven Strickroth <email at cs-ware.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugzilla.netfilter.
                   |                            |org/show_bug.cgi?id=1236
                 CC|                            |email at cs-ware.de

--- Comment #4 from Sven Strickroth <email at cs-ware.de> ---
nft 0.7 and 0.9 both don't honor aliases defined in /etc/services (example
where this issue gets visible are the aliases smtps=465 and imap=143).

Please make nft honor the aliases of /etc/services.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20190327/1f105c34/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1269

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #5 from Pablo Neira Ayuso <pablo at netfilter.org> ---
This is fixed in nft 0.9.1, thanks for reporting.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20190712/98d4440e/attachment.html>