[Bug 1269] New: using the internal lookup table vs. the local system's /etc/services (or so) generally prevents nft from working
bugzilla-daemon at netfilter.org
Sun Jul 8 17:06:17 CEST 2018
https://bugzilla.netfilter.org/show_bug.cgi?id=1269
Bug ID: 1269
Summary: using the internal lookup table vs. the local system's /etc/services (or so) generally prevents nft from working
Product: nftables
Version: unspecified
Hardware: All
OS: Gentoo
Status: NEW
Severity: blocker
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: d at zaitceff.me
An old enough commit ccc5da470e76032f8e175920553516835efb30f1
(http://git.netfilter.org/nftables/commit/?id=ccc5da470e76032f8e175920553516835efb30f1)
prevents the nft utility from using the host's _real_ list of known services
(e.g. from /etc/services). In my case - the latest Gentoo - nft doesn't know
anymore what the port numbers of imap, smtps and ms-wbt-server are, while all
of them are (legally!:) listed in /etc/services. These three services are just
my exact case, while the difference between the general (not Gentoo-specific)
/etc/services content and the hardcoded inet_service_tbl (which was created
from the patch author's /etc/services of some time and from some Ubuntu distro)
is just _big_.
As for me, the whole idea of hardcoding the list of services was erroneous,
because the local list of services is not even a distro-specific entity, but
just the local admin's possession. And nobody can know in advance
somebody's service names and port numbers...
Example:
tcp dport imap ip daddr X.X.X.X counter dnat Y.Y.Y.Y
This line can't be used after the mentioned patch has been applied.
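A workaround for the problem described in this report, added here as an editor's example (not code from the nftables project or from the reporter): resolve service names against the host's own /etc/services table before the rule reaches nft, so that nft only ever sees numeric ports. The services text below is a constructed sample standing in for the real file; the rule syntax is the one from the report.

```python
import re

# Constructed sample in /etc/services format (not the reporter's file);
# on a real host read open("/etc/services") instead.
SERVICES_SAMPLE = """\
# name            port/proto      aliases         # comment
imap              143/tcp         imap2           # Interim Mail Access Proto v2
imap              143/udp         imap2
smtps             465/tcp
ms-wbt-server     3389/tcp
ms-wbt-server     3389/udp
"""

def parse_services(text):
    """Return {(name, proto): port} from /etc/services text, aliases included."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()          # strip comments
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        for name in [fields[0]] + fields[2:]:           # primary name + aliases
            table.setdefault((name, proto), int(port))  # first entry wins, like libc
    return table

# Matches "tcp dport imap" / "udp sport smtps"; the transport keyword tells
# us which /etc/services protocol column the name must be looked up under.
_PORT_EXPR = re.compile(r"\b(tcp|udp|sctp)\s+(dport|sport)\s+(\S+)")

def resolve_rule(rule, table):
    """Rewrite service names in an nft rule to numeric ports from `table`.

    Resolution uses the host's own table rather than nft's built-in list, so a
    name that only exists locally still works. Unknown names raise here with a
    clear message instead of being handed to nft, which would reject the rule.
    Numeric ports and set literals ("{ ... }") are left untouched.
    """
    def substitute(m):
        proto, keyword, value = m.groups()
        if value.isdigit() or value.startswith("{"):
            return m.group(0)
        port = table.get((value, proto))
        if port is None:
            raise ValueError(f"unknown service {value!r} for {proto} in services table")
        return f"{proto} {keyword} {port}"
    return _PORT_EXPR.sub(substitute, rule)

if __name__ == "__main__":
    svc = parse_services(SERVICES_SAMPLE)
    print(resolve_rule("tcp dport imap ip daddr X.X.X.X counter dnat Y.Y.Y.Y", svc))
```

On a real host, `socket.getservbyname(name, proto)` returns the same answer through libc without parsing the file yourself.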