Package: miniupnpd-nftables
Version: 2.3.4-1
Severity: important

Dear Maintainer,

I've changed my system to use nftables for firewall rules and found out that miniupnpd-nftables clobbered everything else on FORWARD.

(specifically, docker containers)

Looking at all the rules and nft_init.sh, it seems like creating the forward table for miniupnpd and setting the default policy to deny breaks everything.  Changing the default policy to accept makes everything work again.

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-9-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages miniupnpd-nftables depends on:
ii  libc6       2.37-15.1
ii  libmnl0     1.0.5-2
ii  libnftnl11  1.2.6-2
ii  miniupnpd   2.3.4-1

miniupnpd-nftables recommends no packages.

miniupnpd-nftables suggests no packages.

-- Configuration Files:
/etc/miniupnpd/nft_init.sh changed:
. "$(dirname "$0")/miniupnpd_functions.sh"
$NFT --check list table inet $TABLE > /dev/null 2>&1
if [ $? -eq "0" ]
then
echo "Table $TABLE already exists"
exit 0
fi
echo "Creating nftables structure"
cat > /tmp/miniupnpd.nft <<EOF
table inet $TABLE {
    chain forward {
        type filter hook forward priority 0;
        policy accept;
        # miniupnpd
        jump $CHAIN
        # Add other rules here
    }
    # miniupnpd
    chain $CHAIN {
    }
EOF
if [ "$TABLE" != "$NAT_TABLE" ]
then
cat >> /tmp/miniupnpd.nft <<EOF
}
table inet $NAT_TABLE {
EOF
fi
cat >> /tmp/miniupnpd.nft <<EOF
    chain prerouting {
        type nat hook prerouting priority -100;
        policy accept;
        # miniupnpd
        jump $PREROUTING_CHAIN
        # Add other rules here
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        policy accept;
        # miniupnpd
        jump $POSTROUTING_CHAIN
        # Add other rules here
    }
    chain $PREROUTING_CHAIN {
    }
    chain $POSTROUTING_CHAIN {
    }
}
EOF
$NFT -f /tmp/miniupnpd.nft


-- no debconf information
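The mechanism behind the report is that nftables evaluates every base chain registered on a hook independently: a packet accepted by Docker's FORWARD chain in the ip filter table is still handed to miniupnpd's forward chain in the inet table, and if none of that chain's rules accept it, its policy drop is final. The script below is an added example (not part of the bug report or of the miniupnpd package): it parses the JSON that `nft -j list ruleset` prints, lists every forward-hook base chain whose policy is drop, and reports whether any of them lives outside the table you trust to accept your traffic. The embedded ruleset is constructed to mirror the reported setup (Docker's chain plus a drop-policy miniupnpd chain); the function and variable names are the example's own.

```python
"""Find nftables base chains on the forward hook whose policy is drop."""
import json
import subprocess

# Constructed sample of `nft -j list ruleset` output: Docker's ip filter
# FORWARD chain next to a miniupnpd inet table whose forward chain has
# policy drop, as in the bug report. Not captured from a real host.
_SAMPLE = {
    "nftables": [
        {"metainfo": {"version": "1.0.6", "json_schema_version": 1}},
        {"table": {"family": "ip", "name": "filter", "handle": 1}},
        {"chain": {"family": "ip", "table": "filter", "name": "FORWARD", "handle": 1,
                   "type": "filter", "hook": "forward", "prio": 0, "policy": "drop"}},
        {"chain": {"family": "ip", "table": "filter", "name": "DOCKER", "handle": 2}},
        {"rule": {"family": "ip", "table": "filter", "chain": "FORWARD", "handle": 3,
                  "expr": [{"jump": {"target": "DOCKER"}}]}},
        {"table": {"family": "inet", "name": "miniupnpd", "handle": 2}},
        {"chain": {"family": "inet", "table": "miniupnpd", "name": "forward", "handle": 1,
                   "type": "filter", "hook": "forward", "prio": 0, "policy": "drop"}},
        {"chain": {"family": "inet", "table": "miniupnpd", "name": "miniupnpd", "handle": 2}},
        {"rule": {"family": "inet", "table": "miniupnpd", "chain": "forward", "handle": 3,
                  "expr": [{"jump": {"target": "miniupnpd"}}]}},
    ]
}
SAMPLE_RULESET = json.dumps(_SAMPLE)


def base_chains(ruleset_json, hook="forward"):
    """Return every base chain (a chain with a hook) on the given hook.

    Regular chains reached only via jump/goto have no "hook" key and no
    policy of their own, so they are skipped. Result is in traversal
    order (ascending priority; equal priorities keep ruleset order).
    """
    doc = json.loads(ruleset_json)
    chains = []
    for obj in doc.get("nftables", []):
        chain = obj.get("chain")
        if not chain or chain.get("hook") != hook:
            continue
        chains.append({
            "family": chain["family"],
            "table": chain["table"],
            "name": chain["name"],
            "prio": chain.get("prio", 0),
            "policy": chain.get("policy", "accept"),  # nft's default policy
        })
    return sorted(chains, key=lambda c: c["prio"])


def drop_policy_chains(ruleset_json, hook="forward"):
    """Base chains on the hook whose policy is drop.

    Each one drops any packet its own rules do not accept, regardless of
    what other tables' chains on the same hook decided.
    """
    return [c for c in base_chains(ruleset_json, hook) if c["policy"] == "drop"]


def forwarding_is_clobbered(ruleset_json, own_table):
    """True if a drop-policy forward chain exists outside own_table.

    own_table is the (family, name) of the table whose rules you rely on
    to accept your traffic, e.g. ("ip", "filter") for Docker.
    """
    return any((c["family"], c["table"]) != own_table
               for c in drop_policy_chains(ruleset_json))


def with_policy(ruleset_json, family, table, chain, policy):
    """Return a copy of the ruleset JSON with one base chain's policy changed.

    Used here to model the reporter's fix (policy accept on miniupnpd's chain).
    """
    doc = json.loads(ruleset_json)
    for obj in doc.get("nftables", []):
        c = obj.get("chain")
        if c and (c["family"], c["table"], c["name"]) == (family, table, chain):
            c["policy"] = policy
    return json.dumps(doc)


def live_ruleset():
    """Read the running ruleset; needs root and an nft with JSON support."""
    return subprocess.run(["nft", "-j", "list", "ruleset"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for c in drop_policy_chains(SAMPLE_RULESET):
        print(f"{c['family']} {c['table']} {c['name']} prio {c['prio']} policy drop")
    print("docker forwarding clobbered:",
          forwarding_is_clobbered(SAMPLE_RULESET, ("ip", "filter")))
    fixed = with_policy(SAMPLE_RULESET, "inet", "miniupnpd", "forward", "accept")
    print("after policy accept:", forwarding_is_clobbered(fixed, ("ip", "filter")))
```

Run it as root with `forwarding_is_clobbered(live_ruleset(), ("ip", "filter"))` to check a real host. Note that Docker's own FORWARD chain is also policy drop; that is fine for Docker because it adds explicit accept rules for its containers, which is exactly what a second, empty drop-policy chain on the same hook cannot see.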
