On Fri, 10 Jun 2022 12:21:37 +0200 Christian Göttsche <cgzo...@googlemail.com> wrote:
Package: nftables
Version: 1.0.4-1
Severity: serious

Dear Maintainer,

upgrades of nftables stop the service but do not start it (even if the
service is actually enabled).
This can lead to lockouts, e.g. when using special rules for ssh access.


nft.preinst:

#!/bin/sh
set -e
# Automatically added by dh_installsystemd/13.7.1
if [ -z "${DPKG_ROOT:-}" ] && [ "$1" = upgrade ] && [ -d /run/systemd/system ] ; then
        deb-systemd-invoke stop 'nftables.service' >/dev/null || true
fi
# End automatically added section


nft.postinst:

#!/bin/sh
set -e
# Automatically added by dh_installsystemd/13.7.1
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
        if deb-systemd-helper debian-installed 'nftables.service'; then
                # This will only remove masks created by d-s-h on package removal.
                deb-systemd-helper unmask 'nftables.service' >/dev/null || true

                if deb-systemd-helper --quiet was-enabled 'nftables.service'; then
                        # Create new symlinks, if any.
                        deb-systemd-helper enable 'nftables.service' >/dev/null || true
                fi
        fi

        # Update the statefile to add new symlinks (if any), which need to be cleaned
        # up on purge. Also remove old symlinks.
        deb-systemd-helper update-state 'nftables.service' >/dev/null || true
fi
# End automatically added section
I confirmed this can be a problem:

=== 8< ===
⌂0.65 arturo@nostromo:~ $ apt-cache policy nftables
nftables:
  Installed: 1.0.2-1
  Candidate: 1.0.4-1
  Version table:
     1.0.4-1 500
        500 http://deb.debian.org/debian sid/main amd64 Packages
 *** 1.0.2-1 500
        500 http://deb.debian.org/debian testing/main amd64 Packages
        100 /var/lib/dpkg/status
⌂0.68 arturo@nostromo:~ $ sudo systemctl status nftables
● nftables.service - nftables
     Loaded: loaded (/lib/systemd/system/nftables.service; disabled; vendor preset: enabled)
     Active: active (exited) since Sun 2022-06-19 13:38:11 CEST; 51s ago
       Docs: man:nft(8)
             http://wiki.nftables.org
    Process: 5537 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=0/SUCCESS)
   Main PID: 5537 (code=exited, status=0/SUCCESS)
        CPU: 13ms

Jun 19 13:38:11 nostromo systemd[1]: Starting nftables...
Jun 19 13:38:11 nostromo systemd[1]: Finished nftables.
⌂0.70 arturo@nostromo:~ $ sudo nft list ruleset
table inet filter {
        chain input {
                type filter hook input priority filter; policy accept;
                iif "lo" accept
                ct state established,related accept
                tcp dport 22 ct state new accept
                ip6 nexthdr ipv6-icmp icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
                counter packets 6 bytes 898 drop
        }
}
⌂0.65 arturo@nostromo:~ $ sudo aptitude install nftables
The following packages will be upgraded:
  libnftables1 nftables
2 packages upgraded, 0 newly installed, 0 to remove and 754 not upgraded.
Need to get 365 kB of archives. After unpacking 27.6 kB will be used.
Do you want to continue? [Y/n/?] Y
Get: 1 http://deb.debian.org/debian sid/main amd64 nftables amd64 1.0.4-1 [71.9 kB]
Get: 2 http://deb.debian.org/debian sid/main amd64 libnftables1 amd64 1.0.4-1 [294 kB]
Fetched 365 kB in 0s (4,064 kB/s)
Reading changelogs... Done
(Reading database ... 273043 files and directories currently installed.)
Preparing to unpack .../nftables_1.0.4-1_amd64.deb ...
Unpacking nftables (1.0.4-1) over (1.0.2-1) ...
Preparing to unpack .../libnftables1_1.0.4-1_amd64.deb ...
Unpacking libnftables1:amd64 (1.0.4-1) over (1.0.2-1) ...
Setting up libnftables1:amd64 (1.0.4-1) ...
Setting up nftables (1.0.4-1) ...
Processing triggers for man-db (2.10.2-1) ...
Processing triggers for libc-bin (2.33-7) ...

Current status: 754 (-2) upgradable.
⌂0.78 arturo@nostromo:~ $ sudo nft list ruleset
⌂0.78 arturo@nostromo:~ $ sudo systemctl status nftables
○ nftables.service - nftables
     Loaded: loaded (/lib/systemd/system/nftables.service; disabled; vendor preset: enabled)
     Active: inactive (dead)
       Docs: man:nft(8)
             http://wiki.nftables.org

Jun 19 13:38:11 nostromo systemd[1]: Starting nftables...
Jun 19 13:38:11 nostromo systemd[1]: Finished nftables.
Jun 19 13:39:13 nostromo systemd[1]: Stopping nftables...
Jun 19 13:39:13 nostromo systemd[1]: nftables.service: Deactivated successfully.
Jun 19 13:39:13 nostromo systemd[1]: Stopped nftables.
=== 8< ===

@Alberto, @Jeremy,

It seems to me like we need to play with the dh_installsystemd --no-restart-after-upgrade option, but I don't have time to figure out the right logic.

I'm currently unable to handle this. Could you please take a look?

regards.
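A defensive workaround for the lockout described in this report, added here as an example and not part of the bug report or of the nftables package: a pair of apt DPkg::Pre-Invoke/Post-Invoke hooks that record whether nftables.service was active before the dpkg run and start it again if the maintainer scripts left it inactive, which is the state shown in the transcript above. The hook path /usr/local/sbin/nftables-guard and the state file under /run are assumptions.

```shell
#!/bin/sh
# Added example, not part of the bug report or the nftables package.
# Assumed apt configuration (/etc/apt/apt.conf.d/99nftables-guard):
#   DPkg::Pre-Invoke  { "/usr/local/sbin/nftables-guard pre"; };
#   DPkg::Post-Invoke { "/usr/local/sbin/nftables-guard post"; };
set -e

UNIT=nftables.service
# State file path is an assumption; /run is cleared at boot, which is what we want.
STATE_FILE=${NFTABLES_GUARD_STATE:-/run/nftables-guard.state}

# Decide whether to start the unit.
# $1 = ActiveState recorded before the dpkg run, $2 = ActiveState now.
# Returns 0 only when the unit was active before and is no longer active,
# i.e. the preinst "stop" without a matching postinst "start".
needs_start() {
    [ "$1" = active ] || return 1
    case "$2" in
        active|activating|reloading) return 1 ;;
        *) return 0 ;;
    esac
}

# Pre-Invoke: remember the unit's state before any maintainer script runs.
record_state() {
    [ -d /run/systemd/system ] || return 0
    # is-active prints the state and exits non-zero when the unit is not active
    systemctl is-active "$UNIT" >"$STATE_FILE" 2>/dev/null || true
}

# Post-Invoke: compare with the current state and start the unit if needed.
restore_state() {
    [ -r "$STATE_FILE" ] || return 0
    before=$(cat "$STATE_FILE")
    rm -f "$STATE_FILE"
    now=$(systemctl is-active "$UNIT" 2>/dev/null || true)
    if needs_start "$before" "$now"; then
        echo "$UNIT was $before before the dpkg run, now ${now:-unknown}; starting it" >&2
        systemctl start "$UNIT"
    fi
}

case "${1:-}" in
    pre)  record_state ;;
    post) restore_state ;;
esac
```

Starting the unit re-runs the ExecStart shown in the transcript (/usr/sbin/nft -f /etc/nftables.conf), so the ruleset is reloaded from the configuration file; the hook does not attempt to change what the package's maintainer scripts do.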
