Dear Maintainer,
upgrades of nftables stop the service but do not start it (even if the
service is actually enabled).
This can lead to lockouts, e.g. when using special rules for ssh access.
nft.preinst:
#!/bin/sh
set -e
# Automatically added by dh_installsystemd/13.7.1
if [ -z "${DPKG_ROOT:-}" ] && [ "$1" = upgrade ] && [ -d /run/systemd/system ] ; then
    deb-systemd-invoke stop 'nftables.service' >/dev/null || true
fi
# End automatically added section
nft.postinst:
#!/bin/sh
set -e
# Automatically added by dh_installsystemd/13.7.1
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
    if deb-systemd-helper debian-installed 'nftables.service'; then
        # This will only remove masks created by d-s-h on package removal.
        deb-systemd-helper unmask 'nftables.service' >/dev/null || true

        if deb-systemd-helper --quiet was-enabled 'nftables.service'; then
            # Create new symlinks, if any.
            deb-systemd-helper enable 'nftables.service'
        fi
    fi

    # Update the statefile to add new symlinks (if any), which need to be cleaned
    # up on purge. Also remove old symlinks.
    deb-systemd-helper update-state 'nftables.service' >/dev/null || true
fi
# End automatically added section
=== 8< ===
⌂0.65 arturo@nostromo:~ $ apt-cache policy nftables
nftables:
  Installed: 1.0.2-1
  Candidate: 1.0.4-1
  Version table:
     1.0.4-1 500
        500 http://deb.debian.org/debian sid/main amd64 Packages
 *** 1.0.2-1 500
        500 http://deb.debian.org/debian testing/main amd64 Packages
        100 /var/lib/dpkg/status
⌂0.68 arturo@nostromo:~ $ sudo systemctl status nftables
● nftables.service - nftables
     Loaded: loaded (/lib/systemd/system/nftables.service; disabled; vendor preset: enabled)
     Active: active (exited) since Sun 2022-06-19 13:38:11 CEST; 51s ago
       Docs: man:nft(8)
             http://wiki.nftables.org
    Process: 5537 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=0/SUCCESS)
   Main PID: 5537 (code=exited, status=0/SUCCESS)
        CPU: 13ms

Jun 19 13:38:11 nostromo systemd[1]: Starting nftables...
Jun 19 13:38:11 nostromo systemd[1]: Finished nftables.
⌂0.70 arturo@nostromo:~ $ sudo nft list ruleset
table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
        iif "lo" accept
        ct state established,related accept
        tcp dport 22 ct state new accept
        ip6 nexthdr ipv6-icmp icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        counter packets 6 bytes 898 drop
    }
}
⌂0.65 arturo@nostromo:~ $ sudo aptitude install nftables
The following packages will be upgraded:
libnftables1 nftables
2 packages upgraded, 0 newly installed, 0 to remove and 754 not upgraded.
Need to get 365 kB of archives. After unpacking 27.6 kB will be used.
Do you want to continue? [Y/n/?] Y
Get: 1 http://deb.debian.org/debian sid/main amd64 nftables amd64 1.0.4-1 [71.9 kB]
Get: 2 http://deb.debian.org/debian sid/main amd64 libnftables1 amd64 1.0.4-1 [294 kB]
Fetched 365 kB in 0s (4,064 kB/s)
Reading changelogs... Done
(Reading database ... 273043 files and directories currently installed.)
Preparing to unpack .../nftables_1.0.4-1_amd64.deb ...
Unpacking nftables (1.0.4-1) over (1.0.2-1) ...
Preparing to unpack .../libnftables1_1.0.4-1_amd64.deb ...
Unpacking libnftables1:amd64 (1.0.4-1) over (1.0.2-1) ...
Setting up libnftables1:amd64 (1.0.4-1) ...
Setting up nftables (1.0.4-1) ...
Processing triggers for man-db (2.10.2-1) ...
Processing triggers for libc-bin (2.33-7) ...
Current status: 754 (-2) upgradable.
⌂0.78 arturo@nostromo:~ $ sudo nft list ruleset
⌂0.78 arturo@nostromo:~ $ sudo systemctl status nftables
○ nftables.service - nftables
     Loaded: loaded (/lib/systemd/system/nftables.service; disabled; vendor preset: enabled)
     Active: inactive (dead)
       Docs: man:nft(8)
             http://wiki.nftables.org

Jun 19 13:38:11 nostromo systemd[1]: Starting nftables...
Jun 19 13:38:11 nostromo systemd[1]: Finished nftables.
Jun 19 13:39:13 nostromo systemd[1]: Stopping nftables...
Jun 19 13:39:13 nostromo systemd[1]: nftables.service: Deactivated successfully.
Jun 19 13:39:13 nostromo systemd[1]: Stopped nftables.
=== 8< ===
@Alberto, @Jeremy,
It seems to me like we need to play with the dh_installsystemd
--no-restart-after-upgrade option, but don't have time to figure out the
right logic.
I'm currently unable to handle this. Could you please take a look?
regards.
Yup. J.
Passing `--restart-after-upgrade` does the trick:
diff -u nftables_1.0.4-1/postinst nftables_1.0.4-2/postinst
--- nftables_1.0.4-1/postinst 2022-06-07 23:59:59.000000000 +0100
+++ nftables_1.0.4-2/postinst 2022-06-19 18:04:19.000000000 +0100
@@ -17,3 +17,13 @@
deb-systemd-helper update-state 'nftables.service' >/dev/null || true
fi
# End automatically added section
+# Automatically added by dh_installsystemd/13.7.1
+if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
+ if [ -z "${DPKG_ROOT:-}" ] && [ -d /run/systemd/system ]; then
+ systemctl --system daemon-reload >/dev/null || true
+ if [ -n "$2" ]; then
+ deb-systemd-invoke try-restart 'nftables.service' >/dev/null || true
+ fi
+ fi
+fi
+# End automatically added section
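Review bot: `try-restart` on the `deb-systemd-invoke try-restart 'nftables.service'` line only acts on a unit that is currently active, so this hunk fixes the reported lockout only if the stop-on-upgrade snippet quoted at the top of the report (`deb-systemd-invoke stop 'nftables.service'` in preinst) is also gone in 1.0.4-2; the diff covers postinst alone, so please include or mention the preinst change. The `systemctl --system daemon-reload` before the restart is right, since the upgrade may ship a changed unit file.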
I've pushed that and a few other changes to Salsa.
J.
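An added audit script, not from this report or the nftables package, that checks a package's installed maintainer scripts for the shape that caused this bug: a stop in preinst on upgrade with nothing in postinst that brings the unit back up. It assumes that with `--restart-after-upgrade` the preinst stop snippet is no longer generated (the thread shows only the postinst diff), and the sample scripts it writes are constructed to mirror the snippets quoted above.

```shell
#!/bin/sh
# Added example: flag packages whose upgrade would leave a systemd unit down.
# Intended to be run against /var/lib/dpkg/info/<pkg>.preinst and .postinst
# on a host whose nftables rules gate remote access, before upgrading.
set -eu

# Return 0 (problem) when the preinst stops a unit on upgrade and the postinst
# never issues a start/restart afterwards. try-restart does not count: it is a
# no-op for a unit the preinst has already stopped.
upgrade_leaves_unit_down() {
    preinst=$1 postinst=$2
    [ -f "$preinst" ] || return 1
    grep -Eq 'deb-systemd-invoke +stop ' "$preinst" || return 1
    [ -f "$postinst" ] && grep -Eq 'deb-systemd-invoke +(start|restart) ' "$postinst" && return 1
    return 0
}

# Check an installed package by name; $2 overrides the dpkg info directory.
check_package() {
    pkg=$1 info=${2:-/var/lib/dpkg/info}
    if upgrade_leaves_unit_down "$info/$pkg.preinst" "$info/$pkg.postinst"; then
        echo "$pkg: preinst stops the unit on upgrade, postinst never starts it" >&2
        return 1
    fi
    echo "$pkg: ok"
}

# Constructed samples (not real package files) in a scratch directory.
SAMPLE_DIR=$(mktemp -d)
# 1.0.4-1 shape: stop in preinst, only state bookkeeping in postinst.
cat >"$SAMPLE_DIR/old.preinst" <<'EOF'
if [ -z "${DPKG_ROOT:-}" ] && [ "$1" = upgrade ] && [ -d /run/systemd/system ] ; then
    deb-systemd-invoke stop 'nftables.service' >/dev/null || true
fi
EOF
printf '%s\n' "deb-systemd-helper update-state 'nftables.service' >/dev/null || true" >"$SAMPLE_DIR/old.postinst"
# 1.0.4-2 shape (assumed): no preinst stop, try-restart in postinst.
: >"$SAMPLE_DIR/new.preinst"
printf '%s\n' "deb-systemd-invoke try-restart 'nftables.service' >/dev/null || true" >"$SAMPLE_DIR/new.postinst"

check_package old "$SAMPLE_DIR" || true   # reports the lockout risk
check_package new "$SAMPLE_DIR"           # ok
```

Running it on a live system (`check_package nftables`) reads the real maintainer scripts dpkg keeps for the installed version, so it tells you about the package you have, not the one you are about to install.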
We believe that the bug you reported is fixed in the latest version of
nftables, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1012613@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jeremy Sowden <jeremy@azazel.net> (supplier of updated nftables package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 19 Jun 2022 18:04:19 +0100
Source: nftables
Architecture: source
Version: 1.0.4-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Netfilter Packaging Team <pkg-netfilter-team@lists.alioth.debian.org>
Changed-By: Jeremy Sowden <jeremy@azazel.net>
Closes: 1012613
Changes:
nftables (1.0.4-2) unstable; urgency=medium
.
* [9e654e0] d/nftables.conf: use named priorities
* [0e9757f] d/u/signing-key.asc: minimize signing key
* [49d2aee] d/libnftables1.symbols: add `Build-Depends-Package` field
* [1a50850] d/control: set R³: no.
* [1699c66] d/control: add myself to uploaders.
* [cd9f31f] d/watch: use HTTPS URL
* [a6a05b6] d/watch: use `pgpmode=auto`
* [072624b] d/gbp.conf: buildpackage, import-orig: enable `pristine-tar`
* [92a12a3] d/gbp.conf: dch: set `id-length`
* [6ad5a0b] d/not-installed: remove static archive
* [c53e37d] d/rules: remove obsolete dh_installinit override
* [fb41a26] d/rules: move dh_auto_configure override
* [59c9317] d/rules: include architecture.mk
* [8f18fcd] d/rules: pass `--restart-after-upgrade` to dh_installsystemd
(closes: #1012613)
* [f9d8a42] d/copyright: remove obsolete files
* [75426a2] d/changelog: wrap long line