Your message dated Fri, 20 Oct 2023 12:02:08 +0200
with message-id <[email protected]>
and subject line Re: [pkg-netfilter-team] Bug#944748: nftables: no init script
has caused the Debian Bug report #944748,
regarding nftables: no init script
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
944748: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944748
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: nftables
Version: 0.9.0-2
Severity: serious
Justification: Policy 9.11
I’m trying to set up a simple firewall (just filter an exposed
service so only select source IP addresses can use it) and was
told that nftables should be used for new setups.
While https://wiki.debian.org/nftables is a bit short on actual
helpful information, https://wiki.gentoo.org/wiki/Nftables has
more useful info, but incidentally, while Gentoo ships an init
script with nftables (one that can save and restore rules even)
Debian doesn’t.
This is a problem, as this way the firewall rules are not
reboot-safe (i.e. gone after rebooting) unless I add something
to /etc/rc.local or something.
However, nftables appears to ship a systemd unit, which is a
clear violation of Policy §9.11:
“However, any package integrating with other init systems
must also be backwards-compatible with sysvinit by providing a SysV-
style init script with the same name as and equivalent functionality
to any init-specific job, as this is the only start-up configuration
method guaranteed to be supported by all init implementations.”
I checked the latest version of Policy, and this is still there.
So please make a stable update adding an init script.
-- System Information:
Debian Release: 10.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-6-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)
Versions of packages nftables depends on:
ii dpkg 1.19.7
ii libc6 2.28-10
ii libgmp10 2:6.1.2+dfsg-4
ii libjansson4 2.12-1
ii libnftables0 0.9.0-2
ii libreadline7 7.0-5
nftables recommends no packages.
nftables suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
On Fri, 20 Oct 2023 11:35:38 +0200 Magnus Holmgren <[email protected]> wrote:
> Reminder that this bug isn't about building support for saving the currently
> loaded ruleset to a file and reloading it after reboot, only about adding a
> minimal init script that does the same job as the existing systemd unit.

There won't be any sysvinit integration in this package. Sorry.

> rules and then saving the changes, but to facilitate integration of other
> packages with nftables, I think coming up with some scheme where those
> packages can drop configuration snippets in /etc/nftables.d, or perhaps /etc/

This should be done by other components such as firewalld.

No such functions will be added to the nftables package. The nftables package
will just deploy the `nft` binary plus a few skeleton rulesets and other examples.

I'm already regretting the systemd integration at all.
--- End Message ---