bugzilla-daemon at netfilter.org
2018-Jul-08 15:06 UTC
[Bug 1269] New: using the internal lookup table vs. the local system's /etc/services (or so) generally prevents nft from working
https://bugzilla.netfilter.org/show_bug.cgi?id=1269 Bug ID: 1269 Summary: using the internal lookup table vs. the local system's /etc/services (or so) generally prevents nft from working Product: nftables Version: unspecified Hardware: All OS: Gentoo Status: NEW Severity: blocker Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: d at zaitceff.me An old enough commit ccc5da470e76032f8e175920553516835efb30f1 (http://git.netfilter.org/nftables/commit/?id=ccc5da470e76032f8e175920553516835efb30f1) prevents the nft utility from using the host's _real_ list of known services (e.g. from /etc/services). In my case - the latest Gentoo - nft doesn't know anymore what are the port numbers of imap, smtps and ms-wbt-server. While all of them are (legally!:) listed in /etc/services. These three services are just my exact case, while the difference between the general (not Gentoo-specific) /etc/services content and the hardcoded inet_service_tbl (which was created from the patch author's /etc/services of some time and from some Ubuntu distro) are just _big_. As for me, the whole idea to hardcode the list of services was erroneous, because the local list of services is not even the distro-specific entity, but just the local admin's possession. And nobody can know in advance the somebody's service names and port numbers... Example: tcp dport imap ip daddr X.X.X.X counter dnat Y.Y.Y.Y This line can't be used after the mentioned patch has been applied. -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180708/0b4eaacd/attachment.html>
bugzilla-daemon at netfilter.org
2018-Jul-09 14:00 UTC
[Bug 1269] using the internal lookup table vs. the local system's /etc/services (or so) generally prevents nft from working
https://bugzilla.netfilter.org/show_bug.cgi?id=1269 Pablo Neira Ayuso <pablo at netfilter.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED --- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> --- Probably better use variables for what you want? eg. define imap = 143 tcp dport $imap ip daddr X.X.X.X counter dnat Y.Y.Y.Y So definitions are self-contained? -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180709/23ebaea9/attachment.html>
bugzilla-daemon at netfilter.org
2018-Jul-12 22:34 UTC
[Bug 1269] using the internal lookup table vs. the local system's /etc/services (or so) generally prevents nft from working
https://bugzilla.netfilter.org/show_bug.cgi?id=1269 --- Comment #2 from D.Zaitceff <d at zaitceff.me> --- (In reply to Pablo Neira Ayuso from comment #1)> Probably better use variables for what you want? eg. > > define imap = 143 > > tcp dport $imap ip daddr X.X.X.X counter dnat Y.Y.Y.Y > > So definitions are self-contained?But it is not the correct side of the problem. Nevertheless and by the way, look: gentoo: grep imap /etc/services imap 143/tcp imap2 # Internet Message Access Protocol imap 143/udp imap2 imap3 220/tcp # Interactive Mail Access imap3 220/udp imaps 993/tcp # imap4 protocol over TLS/SSL imaps 993/udp (Here I assume that Ubuntu is Debian-like) debian: grep imap /etc/services imap2 143/tcp imap # Interim Mail Access P 2 and 4 imaps 993/tcp # IMAP over SSL So, IMAP is always here. But, in Gentoo it is the primary service name, while in Debian IMAP2 is the primary one and IMAP is an alias. So, at first sight the problem is the obviously incorrect implementation of the aforementioned patch - alias names of the services are just forgotten. And so the IMAP name is lost. But this first sight is a short sight too. The real problem is not the implementation, but the whole idea of the patch: to fake the system-level, well-known and content-volatile database with a hard-coded snapshot of it. And thus to lose the view of the reality - the actual list of the portnames - forever... It is like if one of the SHADOW project's authors decided to hardcode its current /etc/passwd file into the sources... and just gave up using getpwent() for the purpose. /etc/services (or its NIS variant, or hesiod's one or whatever) is the official, well known, stable, understood, simple, nice etc. database of mappings between service names and port numbers. And _standard_ API is here. To reinvent this weel is not just pointless, but also means to surely break the way the system works. -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180712/b0d4d68b/attachment.html>
bugzilla-daemon at netfilter.org
2019-Mar-26 12:40 UTC
[Bug 1269] using the internal lookup table vs. the local system's /etc/services (or so) generally prevents nft from working
https://bugzilla.netfilter.org/show_bug.cgi?id=1269 --- Comment #3 from Pablo Neira Ayuso <pablo at netfilter.org> --- commit 9e45a28ca467f08b9c01baf73d1849055e53ea0b Author: Pablo Neira Ayuso <pablo at netfilter.org> Date: Fri Aug 24 11:04:30 2018 +0200 src: honor /etc/services Fixes this upstream. -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20190326/4c6e4cb8/attachment.html>
bugzilla-daemon at netfilter.org
2019-Mar-27 07:29 UTC
[Bug 1269] using the internal lookup table vs. the local system's /etc/services (or so) generally prevents nft from working
https://bugzilla.netfilter.org/show_bug.cgi?id=1269 Sven Strickroth <email at cs-ware.de> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugzilla.netfilter. | |org/show_bug.cgi?id=1236 CC| |email at cs-ware.de --- Comment #4 from Sven Strickroth <email at cs-ware.de> --- nft 0.7 and 0.9 both don't honor aliases defined in /etc/services (example where this issue gets visible are the aliases smtps=465 and imap=143). Please make nft honor the aliases of /etc/services. -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20190327/1f105c34/attachment.html>
bugzilla-daemon at netfilter.org
2019-Jul-12 10:04 UTC
[Bug 1269] using the internal lookup table vs. the local system's /etc/services (or so) generally prevents nft from working
https://bugzilla.netfilter.org/show_bug.cgi?id=1269 Pablo Neira Ayuso <pablo at netfilter.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution|--- |FIXED --- Comment #5 from Pablo Neira Ayuso <pablo at netfilter.org> --- This is fixed in nft 0.9.1, thanks for reporting. -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20190712/98d4440e/attachment.html>
Seemingly Similar Threads
- [Bug 1118] New: nft: nft -f and nft list ruleset use different sets of service -> port mappings
- [Bug 1236] New: Services list is confusingly different from the /etc/services
- [Bug 1327] New: Cannot use named set for matching IPv4 networks
- [Bug 1100] New: Support 'nft flush set'
- [Bug 1403] New: Timeout object with invalid time unit crashes nft