Package: miniupnpd-nftables
Version: 2.3.4-1
Severity: important

Dear Maintainer,

I've changed my system to use nftables for firewall rules and found out that
miniupnpd-nftables clobbered everything else on FORWARD (specifically, docker
containers). Looking at all the rules and nft_init.sh, it seems like creating
the forward table for miniupnpd and setting the default policy to deny breaks
everything. Changing the default policy to accept makes everything work again.

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-9-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages miniupnpd-nftables depends on:
ii  libc6       2.37-15.1
ii  libmnl0     1.0.5-2
ii  libnftnl11  1.2.6-2
ii  miniupnpd   2.3.4-1

miniupnpd-nftables recommends no packages.

miniupnpd-nftables suggests no packages.

-- Configuration Files:
/etc/miniupnpd/nft_init.sh changed:
. "$(dirname "$0")/miniupnpd_functions.sh"

$NFT --check list table inet $TABLE > /dev/null 2>&1
if [ $? -eq "0" ]
then
    echo "Table $TABLE already exists"
    exit 0
fi

echo "Creating nftables structure"

cat > /tmp/miniupnpd.nft <<EOF
table inet $TABLE {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # miniupnpd
        jump $CHAIN

        # Add other rules here
    }

    # miniupnpd
    chain $CHAIN {
    }
EOF

if [ "$TABLE" != "$NAT_TABLE" ]
then
cat >> /tmp/miniupnpd.nft <<EOF
}

table inet $NAT_TABLE {
EOF
fi

cat >> /tmp/miniupnpd.nft <<EOF
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;

        # miniupnpd
        jump $PREROUTING_CHAIN

        # Add other rules here
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;

        # miniupnpd
        jump $POSTROUTING_CHAIN

        # Add other rules here
    }

    chain $PREROUTING_CHAIN {
    }

    chain $POSTROUTING_CHAIN {
    }
}
EOF

$NFT -f /tmp/miniupnpd.nft


-- no debconf information
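The underlying nftables behaviour behind this report is that every base chain registered on the forward hook sees each packet, so a packet Docker's own FORWARD chain accepts is still dropped when a second table's forward chain ends in "policy drop" without a matching accept rule. The check below is an added example, not part of the bug report or the miniupnpd package: it lists every base chain hooked on forward with its policy and counts the drop-policy ones; the ruleset text is constructed for the example.

```shell
# Ruleset text constructed for this example (what `nft list ruleset` prints),
# not a capture from the reporter's system.
SAMPLE_RULESET='table ip filter {
    chain FORWARD {
        type filter hook forward priority filter; policy drop;
        oifname "docker0" ct state established,related accept
        iifname "docker0" accept
    }
}
table inet miniupnpd {
    chain forward {
        type filter hook forward priority 0; policy drop;
        jump miniupnpd
    }
    chain miniupnpd {
    }
}
table inet mangle {
    chain prerouting {
        type filter hook prerouting priority mangle;
    }
}'

# Print "<family> <table> <chain> <policy>" for every base chain hooked on
# forward; reads ruleset text on stdin. A chain printed without a policy
# uses the nftables default of accept.
forward_base_chains() {
    awk '
        /^table / { family = $2; table = $3 }
        /^[ \t]*chain / { chain = $2 }
        /hook forward/ {
            policy = "accept"
            if (match($0, /policy [a-z]+/))
                policy = substr($0, RSTART + 7, RLENGTH - 7)
            print family, table, chain, policy
        }
    '
}

# Count forward base chains ending in "policy drop". Every base chain on a
# hook sees the packet, so an accept in Docker FORWARD does not save a packet
# that the miniupnpd forward chain then drops by policy; two or more such
# chains mean each must carry its own accept rules for shared traffic.
count_drop_forward_chains() {
    forward_base_chains | awk '$4 == "drop" { n++ } END { print n + 0 }'
}
```

Run it against a live system with `nft list ruleset | forward_base_chains`; with the shipped nft_init.sh (policy drop) and Docker present, the count is 2 and the miniupnpd chain has no accept rule for Docker's traffic.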