Dear Maintainer,

During an unattended-upgrade from nftables version 1.1.2-1 to 1.1.3-1, my containers with exposed ports no longer worked until I restarted them. It seems that during the package upgrade, nftables.postinst tried to restart nftables.service and executed the command line specified in the ExecStop= directive, which flushed the whole ruleset. Although nftables rules can be loaded from /etc/nftables.conf via ExecStart=, all iptables rules were lost and the exposed ports for my containers stopped working.

I didn't expect the whole ruleset to be flushed during a package upgrade, as that breaks every application maintaining iptables rules at runtime.
Hey. Isn't this also a security issue? I mean:

- a simple systemctl restart will cause a stop first, and for a short amount of time all packets will be allowed... and presumably, if the nft config contains an error, the subsequent start would fail and netfilter would stay completely open
- similarly, during shutdown all rules will be unloaded... if for some reason the networking were still up and processes running, security could be compromised

IMO, stop should simply be a no-op, perhaps merely printing some text that nothing is done and how a flush would be performed manually.

Cheers,
Chris.
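One way to get the behaviour Chris asks for on an existing system, as an added example that is not part of this bug report or of the Debian nftables package: a systemd drop-in that turns the unit's stop action into a no-op and checks the configuration before loading it. The drop-in path and the use of /usr/sbin/nft and /etc/nftables.conf are assumptions about a stock Debian install; an empty `ExecStop=` line is standard systemd semantics for clearing any ExecStop= commands the packaged unit defines.

```ini
# /etc/systemd/system/nftables.service.d/no-flush-on-stop.conf
# Added example (hypothetical drop-in); apply with:
#   systemctl daemon-reload && systemctl restart nftables.service
[Service]
# An empty assignment resets the list of ExecStop= commands, so the packaged
# "nft flush ruleset" is no longer run on stop/restart/upgrade. Stop becomes a
# no-op and the kernel ruleset survives.
ExecStop=
ExecStop=/bin/echo "nftables.service stop is a no-op; run 'nft flush ruleset' manually to clear the ruleset"
# Check-only parse of the configuration before ExecStart loads it, so a syntax
# error aborts the start instead of leaving netfilter in a half-applied state.
ExecStartPre=/usr/sbin/nft -c -f /etc/nftables.conf
```

Two caveats a practitioner will want to keep in mind. First, this only changes what systemd runs on stop; if /etc/nftables.conf itself begins with a `flush ruleset` statement, ExecStart will still discard runtime-added rules (for example the iptables-nft rules a container runtime installs) every time the unit is (re)started. Second, with stop as a no-op, the ruleset is no longer removed at shutdown, which is the safer default for a host firewall but should be made explicit to whoever relies on `systemctl stop nftables` to open the box.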