From: Phil Sutter <phil@nwl.cc>
To: Jan Engelhardt <jengelh@inai.de>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>, netfilter-devel@vger.kernel.org
Subject: Re: [iptables PATCH 9/9] extensions: DNAT: Support service names in all spots
Date: Wed, 30 Mar 2022 22:57:23 +0200 [thread overview]
Message-ID: <YkTEM8r6tv+fkOOK@orbyte.nwl.cc> (raw)
In-Reply-To: <89qp85o0-704s-5280-sqp6-s71so14n7487@vanv.qr>
Hi Jan,
On Wed, Mar 30, 2022 at 08:38:28PM +0200, Jan Engelhardt wrote:
>
> On Wednesday 2022-03-30 17:58, Phil Sutter wrote:
>
> >When parsing (parts of) a port spec, if it doesn't start with a digit,
> >try to find the largest substring getservbyname() accepts.
>
> > -p tcp -j DNAT --to-destination 1.1.1.1:1000-2000/65536;;FAIL
> > -p tcp -j DNAT --to-destination 1.1.1.1:ssh;-p tcp -j DNAT --to-destination 1.1.1.1:22;OK
> > -p tcp -j DNAT --to-destination 1.1.1.1:ftp-data;-p tcp -j DNAT --to-destination 1.1.1.1:20;OK
> >+-p tcp -j DNAT --to-destination 1.1.1.1:ftp-data-ssh;-p tcp -j DNAT --to-destination 1.1.1.1:20-22;OK
> >+-p tcp -j DNAT --to-destination 1.1.1.1:echo-ftp-data;-p tcp -j DNAT --to-destination 1.1.1.1:7-20;OK
> >+-p tcp -j DNAT --to-destination 1.1.1.1:ftp-data-ssh/echo;-p tcp -j DNAT --to-destination 1.1.1.1:20-22/7;OK
> >+-p tcp -j DNAT --to-destination 1.1.1.1:echo-ftp-data/ssh;-p tcp -j DNAT --to-destination 1.1.1.1:7-20/22;OK
> > -j DNAT;;FAIL
>
> This looks dangerous. It is why I originally never allowed service names in
> port ranges that use dash as the range character. a-b-c could mean a..b-c
> today, and could mean a-b..c tomorrow, either because someone managed to
> inject a-b into the service list.
Yes, it is a rather sloppy solution. I could at least do a shortest
substring first search in addition to check if the input is ambiguous.
Guess if someone is able to manipulate /etc/services, any service names
are problematic, not just in ranges.
Another potential problem I didn't have in mind though is that 'a-b'
could mean [a; b] or [a-b] assuming that all three exist. But I haven't
found a valid example in my /etc/services, yet. :)
> The "solution" would be to use : as the range character, but that would require
> a new --dport option for reasons of command-line compatibility.
Well, we could allow both (a-b with numeric a and b only) and use it in
output only if non-numeric was requested.
Maybe also just limit service names in DNAT to non-ranges. I wanted to
write "like with REDIRECT before the merge", but it looks like it
accepted them as upper boundary, e.g. '10-ftp-data'.
Hmm. I also noticed my series drops support for port 0 from REDIRECT
which commit 84d758b3bc312 ("extensions: REDIRECT: fix --to-ports
parser") explicitly allowed.
Thanks, Phil
next prev parent reply other threads:[~2022-03-30 20:57 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-30 15:58 [iptables PATCH 0/9] extensions: Merge *_DNAT and *_REDIRECT Phil Sutter
2022-03-30 15:58 ` [iptables PATCH 1/9] man: DNAT: Describe shifted port range feature Phil Sutter
2022-03-30 15:58 ` [iptables PATCH 2/9] Revert "libipt_[SD]NAT: avoid false error about multiple destinations specified" Phil Sutter
2022-03-30 15:58 ` [iptables PATCH 3/9] extensions: ipt_DNAT: Merge v1 and v2 parsers Phil Sutter
2022-03-30 15:58 ` [iptables PATCH 4/9] extensions: ipt_DNAT: Merge v1/v2 print/save code Phil Sutter
2022-03-30 15:58 ` [iptables PATCH 5/9] extensions: ipt_DNAT: Combine xlate functions also Phil Sutter
2022-03-30 15:58 ` [iptables PATCH 6/9] extensions: DNAT: Rename from libipt to libxt Phil Sutter
2022-03-30 15:58 ` [iptables PATCH 7/9] extensions: Merge IPv4 and IPv6 DNAT targets Phil Sutter
2022-03-30 15:58 ` [iptables PATCH 8/9] extensions: Merge REDIRECT into DNAT Phil Sutter
2022-03-30 15:58 ` [iptables PATCH 9/9] extensions: DNAT: Support service names in all spots Phil Sutter
2022-03-30 18:38 ` Jan Engelhardt
2022-03-30 20:57 ` Phil Sutter [this message]
2022-03-31 0:19 ` Jan Engelhardt
2022-03-31 10:04 ` Phil Sutter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YkTEM8r6tv+fkOOK@orbyte.nwl.cc \
--to=phil@nwl.cc \
--cc=jengelh@inai.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).