#1012613 nftables: upgrade stops but does not start service

Package:
nftables
Source:
nftables
Description:
Program to control packet filtering rules by Netfilter project
Submitter:
Christian Göttsche
Date:
2022-06-19 18:21:03 UTC
Severity:
serious
#1012613#5
Date:
2022-06-10 10:21:37 UTC
Dear Maintainer,

upgrades of nftables stop the service but do not start it (even if the
service is actually enabled).
This can lead to lockouts, e.g. when using special rules for ssh access.


nft.preinst:

#!/bin/sh
set -e
# Automatically added by dh_installsystemd/13.7.1
if [ -z "${DPKG_ROOT:-}" ] && [ "$1" = upgrade ] && [ -d /run/systemd/system ] ; then
       deb-systemd-invoke stop 'nftables.service' >/dev/null || true
fi
# End automatically added section


nft.postinst:

#!/bin/sh
set -e
# Automatically added by dh_installsystemd/13.7.1
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
       if deb-systemd-helper debian-installed 'nftables.service'; then
               # This will only remove masks created by d-s-h on package removal.
               deb-systemd-helper unmask 'nftables.service' >/dev/null || true

               if deb-systemd-helper --quiet was-enabled 'nftables.service'; then
                       # Create new symlinks, if any.
                       deb-systemd-helper enable 'nftables.service'
               fi
       fi

       # Update the statefile to add new symlinks (if any), which need to be cleaned
       # up on purge. Also remove old symlinks.
       deb-systemd-helper update-state 'nftables.service' >/dev/null || true
fi
# End automatically added section

#1012613#10
Date:
2022-06-19 11:48:59 UTC
=== 8< ===
⌂0.65 arturo@nostromo:~ $ apt-cache policy nftables
nftables:
   Installed: 1.0.2-1
   Candidate: 1.0.4-1
   Version table:
      1.0.4-1 500
         500 http://deb.debian.org/debian sid/main amd64 Packages
  *** 1.0.2-1 500
         500 http://deb.debian.org/debian testing/main amd64 Packages
         100 /var/lib/dpkg/status
⌂0.68 arturo@nostromo:~ $ sudo systemctl status nftables
● nftables.service - nftables
      Loaded: loaded (/lib/systemd/system/nftables.service; disabled; vendor preset: enabled)
      Active: active (exited) since Sun 2022-06-19 13:38:11 CEST; 51s ago
        Docs: man:nft(8)
http://wiki.nftables.org
     Process: 5537 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=0/SUCCESS)
    Main PID: 5537 (code=exited, status=0/SUCCESS)
         CPU: 13ms

Jun 19 13:38:11 nostromo systemd[1]: Starting nftables...
Jun 19 13:38:11 nostromo systemd[1]: Finished nftables.
⌂0.70 arturo@nostromo:~ $ sudo nft list ruleset
table inet filter {
	chain input {
		type filter hook input priority filter; policy accept;
		iif "lo" accept
		ct state established,related accept
		tcp dport 22 ct state new accept
		ip6 nexthdr ipv6-icmp icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
		counter packets 6 bytes 898 drop
	}
}
⌂0.65 arturo@nostromo:~ $ sudo aptitude install nftables
The following packages will be upgraded:
   libnftables1 nftables
2 packages upgraded, 0 newly installed, 0 to remove and 754 not upgraded.
Need to get 365 kB of archives. After unpacking 27.6 kB will be used.
Do you want to continue? [Y/n/?] Y
Get: 1 http://deb.debian.org/debian sid/main amd64 nftables amd64 1.0.4-1 [71.9 kB]
Get: 2 http://deb.debian.org/debian sid/main amd64 libnftables1 amd64 1.0.4-1 [294 kB]
Fetched 365 kB in 0s (4,064 kB/s)
Reading changelogs... Done
(Reading database ... 273043 files and directories currently installed.)
Preparing to unpack .../nftables_1.0.4-1_amd64.deb ...
Unpacking nftables (1.0.4-1) over (1.0.2-1) ...
Preparing to unpack .../libnftables1_1.0.4-1_amd64.deb ...
Unpacking libnftables1:amd64 (1.0.4-1) over (1.0.2-1) ...
Setting up libnftables1:amd64 (1.0.4-1) ...
Setting up nftables (1.0.4-1) ...
Processing triggers for man-db (2.10.2-1) ...
Processing triggers for libc-bin (2.33-7) ...

Current status: 754 (-2) upgradable.
⌂0.78 arturo@nostromo:~ $ sudo nft list ruleset
⌂0.78 arturo@nostromo:~ $ sudo systemctl status nftables
○ nftables.service - nftables
      Loaded: loaded (/lib/systemd/system/nftables.service; disabled; vendor preset: enabled)
      Active: inactive (dead)
        Docs: man:nft(8)
http://wiki.nftables.org

Jun 19 13:38:11 nostromo systemd[1]: Starting nftables...
Jun 19 13:38:11 nostromo systemd[1]: Finished nftables.
Jun 19 13:39:13 nostromo systemd[1]: Stopping nftables...
Jun 19 13:39:13 nostromo systemd[1]: nftables.service: Deactivated successfully.
Jun 19 13:39:13 nostromo systemd[1]: Stopped nftables.
=== 8< ===

@Alberto, @Jeremy,

It seems to me like we need to play with the dh_installsystemd
--no-restart-after-upgrade option, but don't have time to figure out the 
right logic.

I'm currently unable to handle this. Could you please take a look?

regards.

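The failure mode reported in #5 and reproduced in #10 (a host whose /etc/nftables.conf restricts access, but whose kernel ruleset is empty after the package upgrade because the unit was stopped and never started again) is something an administrator can check for independently of the maintainer scripts. The script below is an added example written for this report; it is not part of the nftables package, debhelper, or anything posted in the thread. It compares the tables declared in the config file with what `nft list ruleset` actually reports and restores the rules when the config declares tables but nothing is loaded. The hook path /etc/apt/apt.conf.d/99-nftables-check, the script name nft-postupgrade-check, and the NFT_CHECK_RUN and NFT_CONF variables are assumptions made for the example; the sample config and the empty ruleset text are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example for Debian bug #1012613; not code from the nftables package
# or from the bug thread. Detects "config declares a firewall, kernel has no
# ruleset" (the post-upgrade state shown in the report) and restores the
# rules. Intended to be run from an apt hook, e.g. in a hypothetical
# /etc/apt/apt.conf.d/99-nftables-check:
#   DPkg::Post-Invoke { "/usr/local/sbin/nft-postupgrade-check"; };
# The script path and the NFT_CHECK_RUN / NFT_CONF variables are assumptions.

# ruleset_is_empty RULESET_TEXT
# `nft list ruleset` prints nothing at all when no tables exist (see the
# empty output after the upgrade in #10); treat whitespace-only output the
# same way.
ruleset_is_empty() {
    case "$(printf '%s' "$1" | tr -d '[:space:]')" in
        '') return 0 ;;
        *)  return 1 ;;
    esac
}

# config_declares_table CONFIG_TEXT
# True if the config text declares at least one table ("table inet filter {"
# or "add table ip6 nat"), ignoring comments. `include` directives are not
# followed, so a config built only from includes reads as declaring nothing.
config_declares_table() {
    printf '%s\n' "$1" | sed 's/#.*//' \
        | grep -Eq '^[[:space:]]*(add[[:space:]]+)?table[[:space:]]+[a-z0-9]+[[:space:]]+[^[:space:]{]+'
}

# needs_reload CONFIG_TEXT RULESET_TEXT
# Prints one of:
#   ok                  - something is loaded in the kernel
#   reload              - config declares tables but the kernel ruleset is empty
#   nothing-configured  - config declares no tables; nothing to restore
needs_reload() {
    if ! ruleset_is_empty "$2"; then
        echo ok
    elif config_declares_table "$1"; then
        echo reload
    else
        echo nothing-configured
    fi
}

# live_check: run against the real system (needs root). Only executed when
# NFT_CHECK_RUN=1 so this file can be sourced and exercised without nft.
live_check() {
    conf=${NFT_CONF:-/etc/nftables.conf}
    if [ ! -r "$conf" ]; then
        echo "nftables: $conf not readable; nothing to do"
        return 0
    fi
    verdict=$(needs_reload "$(cat "$conf")" "$(nft list ruleset 2>/dev/null || true)")
    case "$verdict" in
        reload)
            echo "nftables: $conf declares tables but the kernel ruleset is empty; restoring" >&2
            # Go through the unit when systemd is running so its state stays
            # consistent with the kernel; otherwise load the file directly.
            if [ -d /run/systemd/system ]; then
                systemctl start nftables.service
            else
                nft -f "$conf"
            fi
            ;;
        *)
            echo "nftables: $verdict"
            ;;
    esac
}

# Constructed sample input (not captured from a real host): a config with an
# ssh-only input chain, and the empty output `nft list ruleset` gives after
# the upgrade described in the report.
SAMPLE_CONF='#!/usr/sbin/nft -f
flush ruleset
table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		iif "lo" accept
		ct state established,related accept
		tcp dport 22 ct state new accept
	}
}'
SAMPLE_EMPTY_RULESET=''

needs_reload "$SAMPLE_CONF" "$SAMPLE_EMPTY_RULESET"   # -> reload

if [ "${NFT_CHECK_RUN:-0}" = 1 ]; then
    live_check
fi
```

Keying the decision off the config file rather than the unit's enabled state matters here: in the reproduction in #10 the unit was `disabled` yet active, so a check based on `systemctl is-enabled` would have said nothing was wrong. The check deliberately does not flush anything; if the kernel already holds a ruleset it leaves it alone, so running it after every `apt` invocation is safe.
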
#1012613#15
Date:
2022-06-19 12:36:49 UTC
Yup.

J.

#1012613#20
Date:
2022-06-19 17:47:19 UTC
Passing `--restart-after-upgrade` does the trick:

  diff -u nftables_1.0.4-1/postinst nftables_1.0.4-2/postinst
  --- nftables_1.0.4-1/postinst   2022-06-07 23:59:59.000000000 +0100
  +++ nftables_1.0.4-2/postinst   2022-06-19 18:04:19.000000000 +0100
  @@ -17,3 +17,13 @@
  deb-systemd-helper update-state 'nftables.service' >/dev/null || true
  fi
  # End automatically added section
  +# Automatically added by dh_installsystemd/13.7.1
  +if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
  +       if [ -z "${DPKG_ROOT:-}" ] && [ -d /run/systemd/system ]; then
  +               systemctl --system daemon-reload >/dev/null || true
  +               if [ -n "$2" ]; then
  +                       deb-systemd-invoke try-restart 'nftables.service' >/dev/null || true
  +               fi
  +       fi
  +fi
  +# End automatically added section
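
Review bot: `deb-systemd-invoke try-restart 'nftables.service'` in the `[ -n "$2" ]` branch only restarts a unit that is currently active, so this hunk on its own does not fix the report if the 1.0.4-1 preinst still runs `deb-systemd-invoke stop 'nftables.service'` on upgrade: by the time postinst runs the unit is already inactive and try-restart is a no-op. The diff covers only postinst; please include the preinst diff (or state that the stop snippet is gone) so the stop/restart pairing can be reviewed together. Also note that `>/dev/null || true` on the try-restart line discards both the exit status and the error text, so a ruleset that fails to load during an upgrade is silently ignored and the host is left without rules; that is debhelper's standard snippet, but it is worth knowing when reading upgrade logs from this package.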

I've pushed that and a few other changes to Salsa.

J.

#1012613#25
Date:
2022-06-19 18:18:54 UTC
We believe that the bug you reported is fixed in the latest version of
nftables, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1012613@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jeremy Sowden <jeremy@azazel.net> (supplier of updated nftables package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 19 Jun 2022 18:04:19 +0100
Source: nftables
Architecture: source
Version: 1.0.4-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Netfilter Packaging Team <pkg-netfilter-team@lists.alioth.debian.org>
Changed-By: Jeremy Sowden <jeremy@azazel.net>
Closes: 1012613
Changes:
 nftables (1.0.4-2) unstable; urgency=medium
 .
   * [9e654e0] d/nftables.conf: use named priorities
   * [0e9757f] d/u/signing-key.asc: minimize signing key
   * [49d2aee] d/libnftables1.symbols: add `Build-Depends-Package` field
   * [1a50850] d/control: set R³: no.
   * [1699c66] d/control: add myself to uploaders.
   * [cd9f31f] d/watch: use HTTPS URL
   * [a6a05b6] d/watch: use `pgpmode=auto`
   * [072624b] d/gbp.conf: buildpackage, import-orig: enable `pristine-tar`
   * [92a12a3] d/gbp.conf: dch: set `id-length`
   * [6ad5a0b] d/not-installed: remove static archive
   * [c53e37d] d/rules: remove obsolete dh_installinit override
   * [fb41a26] d/rules: move dh_auto_configure override
   * [59c9317] d/rules: include architecture.mk
   * [8f18fcd] d/rules: pass `--restart-after-upgrade` to dh_installsystemd
     (closes: #1012613)
   * [f9d8a42] d/copyright: remove obsolete files
   * [75426a2] d/changelog: wrap long line
Checksums-Sha1:
 e77619690cc0883b7c5ff9849837ef6b8d6203b5 2692 nftables_1.0.4-2.dsc
 6b4c538242c1061fe23d4ce226c79519482eeacc 20920 nftables_1.0.4-2.debian.tar.xz
 ce631278eeda5fed78c5ae830c62d27c94f0a99b 8797 nftables_1.0.4-2_amd64.buildinfo
Checksums-Sha256:
 e678a100fcdb25a721ca8365abc1bff8d4c69853eba6e68c9aefb19dd40568b4 2692 nftables_1.0.4-2.dsc
 67d7e9aa4e97e25c84850ac2b9b8c3657180c258f74363931e5c5eacca6163ae 20920 nftables_1.0.4-2.debian.tar.xz
 c57bdca73d9cfa76cfc81d57ff833f2ecb625c96c2058c1b8b1c35fa3fe79264 8797 nftables_1.0.4-2_amd64.buildinfo
Files:
 b7a9825a85e87c34f857736fe73c93ee 2692 net important nftables_1.0.4-2.dsc
 265f99a59f4e798c7e48002e3de7807b 20920 net important nftables_1.0.4-2.debian.tar.xz
 b7710134c7cff14df5f6194395619802 8797 net important nftables_1.0.4-2_amd64.buildinfo