iptables deactivate "getportbyname"

iptables deactivate "getportbyname"

[Manuel Scheub]

Hello,

after an upgrade of iptables from version 1.4.3.2 to 1.4.16.3, some 
rules doesn't work anymore.
e.g. all rules with protocol UDP an port information:

#iptables -A INPUT -p udp -i eth0 --dport 67 --sport 68 -j ACCEPT
#iptables v1.4.16.3: Port "67" does not resolve to anything.

If I replace the port with the resolving name defined in /etc/services, 
all rules will be accepted:

#iptables -A INPUT -p udp -i eth0 --dport bootps --sport bootpc -j ACCEPT

I saw a "getportbyname" in the source code - is it possible to 
deactivate this "feature"?
I would like to still use numbers instead of names, because if there are 
some special portforwarding rules in my network, it is not guaranteed 
that there is an entry in /etc/services for that port.

Any help would be greatly appreciated!

Greetz
Manu

Re: iptables deactivate "getportbyname"

[Jan Engelhardt]

On Tuesday 2013-01-15 13:14, Manuel Scheub wrote:
>
> after an upgrade of iptables from version 1.4.3.2 to 1.4.16.3, some rules
> doesn't work anymore.
> e.g. all rules with protocol UDP an port information:
>
> #iptables -A INPUT -p udp -i eth0 --dport 67 --sport 68 -j ACCEPT
> iptables v1.4.16.3: Port "67" does not resolve to anything.

Hrm. I cannot reproduce this so far, but I have a suspicion:
Do you have some libc other than glibc, perhaps?

Re: iptables deactivate "getportbyname"

[Manuel Scheub]

Am 15.01.2013 13:51, schrieb Jan Engelhardt:
> On Tuesday 2013-01-15 13:14, Manuel Scheub wrote:
>> after an upgrade of iptables from version 1.4.3.2 to 1.4.16.3, some rules
>> doesn't work anymore.
>> e.g. all rules with protocol UDP an port information:
>>
>> #iptables -A INPUT -p udp -i eth0 --dport 67 --sport 68 -j ACCEPT
>> iptables v1.4.16.3: Port "67" does not resolve to anything.
> Hrm. I cannot reproduce this so far, but I have a suspicion:
> Do you have some libc other than glibc, perhaps?

Sorry to be such a noob - what exactly do you mean?

For compiling the iptables 1.4.16.3 I did the same as for compiling the 
older version 1.4.3.2:

#./configure --with-kernel=/opt/linux-2.6.23 
--with-xtlibdir=/usr/lib/iptables

Maybe I need to upgrade my kernel-sources?

Re: iptables deactivate "getportbyname"

[Jan Engelhardt]

On Tuesday 2013-01-15 15:26, Manuel Scheub wrote:
> Am 15.01.2013 13:51, schrieb Jan Engelhardt:
>> On Tuesday 2013-01-15 13:14, Manuel Scheub wrote:
>>> after an upgrade of iptables from version 1.4.3.2 to 1.4.16.3, some rules
>>> doesn't work anymore.
>>> e.g. all rules with protocol UDP an port information:
>>>
>>> #iptables -A INPUT -p udp -i eth0 --dport 67 --sport 68 -j ACCEPT
>>> iptables v1.4.16.3: Port "67" does not resolve to anything.
>> Hrm. I cannot reproduce this so far, but I have a suspicion:
>> Do you have some libc other than glibc, perhaps?
>
> Sorry to be such a noob - what exactly do you mean?

Do you run glibc, eglibc, µClibc, Bionic, or Something Completely Different™?
Please tell us details about the system you have.

> #./configure --with-kernel=/opt/linux-2.6.23 --with-xtlibdir=/usr/lib/iptables
>
> Maybe I need to upgrade my kernel-sources?

The kernel is not required at all.

Re: iptables deactivate "getportbyname"

[Manuel Scheub]

Am 15.01.2013 15:35, schrieb Jan Engelhardt:
> On Tuesday 2013-01-15 15:26, Manuel Scheub wrote:
>> Am 15.01.2013 13:51, schrieb Jan Engelhardt:
>>> On Tuesday 2013-01-15 13:14, Manuel Scheub wrote:
>>>> after an upgrade of iptables from version 1.4.3.2 to 1.4.16.3, some rules
>>>> doesn't work anymore.
>>>> e.g. all rules with protocol UDP an port information:
>>>>
>>>> #iptables -A INPUT -p udp -i eth0 --dport 67 --sport 68 -j ACCEPT
>>>> iptables v1.4.16.3: Port "67" does not resolve to anything.
>>> Hrm. I cannot reproduce this so far, but I have a suspicion:
>>> Do you have some libc other than glibc, perhaps?
>> Sorry to be such a noob - what exactly do you mean?
> Do you run glibc, eglibc, µClibc, Bionic, or Something Completely Different™?
> Please tell us details about the system you have.
>
>> #./configure --with-kernel=/opt/linux-2.6.23 --with-xtlibdir=/usr/lib/iptables
>>
>> Maybe I need to upgrade my kernel-sources?
> The kernel is not required at all.

I have a production system which is really, really old for generating 
firmware for embedded devices, and I run glibc:

# /lib/libc.so.6
GNU C Library stable release version 2.3.2

so, anyway - I thought there is a simple solution, but now I think it's 
time to upgrade my whole development system!
However, thank you very much!

Re: iptables deactivate "getportbyname"

[Jan Engelhardt]

On Tuesday 2013-01-15 16:57, Manuel Scheub wrote:

>>>>> #iptables -A INPUT -p udp -i eth0 --dport 67 --sport 68 -j ACCEPT
>>>>> iptables v1.4.16.3: Port "67" does not resolve to anything.
>
> # /lib/libc.so.6
> GNU C Library stable release version 2.3.2

Fixed and posted a 2-patch fix on netfilter-devel:

==
The following changes since commit 983196ceb4d3bb7b6d3cf6da18bb6d5a5eafb347:

  doc: document the -4 and -6 options (2013-01-07 02:26:16 +0100)

are available in the git repository at:

  git://git.inai.de/iptables old-linux

for you to fetch changes up to 1071ec54e6d7af406fe34afea1ce2c3e49ee1914:

  parser: workaround glibc-2.3.2 bug 358 (2013-01-15 19:16:55 +0100)

----------------------------------------------------------------
Jan Engelhardt (2):
      build: fix libiptc build failure on old linux-glibc-devel headers
      parser: workaround glibc-2.3.2 bug 358

 libiptc/linux_list.h   |    4 ++--
 libiptc/linux_stddef.h |    4 ++--
 libxtables/xtoptions.c |   14 ++++++++++++++
 3 files changed, 18 insertions(+), 4 deletions(-)

Re: iptables deactivate "getportbyname"

[Manuel Scheub]

Am 15.01.2013 19:22, schrieb Jan Engelhardt:
> On Tuesday 2013-01-15 16:57, Manuel Scheub wrote:
>
>>>>>> #iptables -A INPUT -p udp -i eth0 --dport 67 --sport 68 -j ACCEPT
>>>>>> iptables v1.4.16.3: Port "67" does not resolve to anything.
>> # /lib/libc.so.6
>> GNU C Library stable release version 2.3.2
> Fixed and posted a 2-patch fix on netfilter-devel:
>
> ==
> The following changes since commit 983196ceb4d3bb7b6d3cf6da18bb6d5a5eafb347:
>
>    doc: document the -4 and -6 options (2013-01-07 02:26:16 +0100)
>
> are available in the git repository at:
>
>    git://git.inai.de/iptables old-linux
>
> for you to fetch changes up to 1071ec54e6d7af406fe34afea1ce2c3e49ee1914:
>
>    parser: workaround glibc-2.3.2 bug 358 (2013-01-15 19:16:55 +0100)
>
> ----------------------------------------------------------------
> Jan Engelhardt (2):
>        build: fix libiptc build failure on old linux-glibc-devel headers
>        parser: workaround glibc-2.3.2 bug 358
>
>   libiptc/linux_list.h   |    4 ++--
>   libiptc/linux_stddef.h |    4 ++--
>   libxtables/xtoptions.c |   14 ++++++++++++++
>   3 files changed, 18 insertions(+), 4 deletions(-)

Awesome - Thank you very much!