#1108900 nftables: unexpected ruleset flush during package upgrade

Package:
nftables
Source:
nftables
Description:
Program to control packet filtering rules by Netfilter project
Submitter:
Youfu Zhang
Date:
2025-09-21 22:47:03 UTC
Severity:
normal
Tags:
#1108900#5
Date:
2025-07-07 11:10:06 UTC
From:
To:
Dear Maintainer,

During an unattended-upgrade from nftables version 1.1.2-1 to 1.1.3-1,
my containers with exposed ports no longer work until I restart them.

It seems that during the package upgrade, nftables.postinst tried to
restart nftables.service and executed the command line specified
in the ExecStop= directive, which flushed the whole ruleset.

Although nftables rules can be loaded from /etc/nftables.conf via
ExecStart=, all iptables rules were lost and the exposed ports for my
containers stopped working.

I didn't expect the whole ruleset to be flushed during a package upgrade,
as that breaks every application that maintains iptables rules at runtime.

#1108900#10
Date:
2025-09-21 22:37:12 UTC
From:
To:
Hey.

Isn't this also a security issue?

I mean:
- a simple systemctl restart will cause a stop first, and for a short
  amount of time all packets will be allowed... and presumably, if the
  nft config contains an error, the subsequent start would fail and
  netfilter would stay completely open
- similarly, during shutdown all rules will be unloaded... if for some
  reason networking were still up and processes still running,
  security could be compromised

IMO, stop should simply be a no-op, perhaps merely printing some text
saying that nothing is done and how a flush can be performed manually.

Cheers,
Chris.
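The following is an added example, not code from the bug report or from the Debian nftables package, showing one way to implement the no-op stop proposed above and to reload rules without the stop/start window that both messages describe. It assumes the packaged unit is named nftables.service and that its ExecStop= runs the `nft flush ruleset` that the first report attributes to it; the drop-in file name, the echo text and the function names are my own choices.

```shell
#!/bin/sh
# Added example (not from the bug report or the nftables package).
# Make `systemctl stop nftables` a no-op via a systemd drop-in, so that a
# package upgrade, `systemctl restart` or a shutdown never leaves the host
# with an empty, accept-everything ruleset.  Assumes nftables.service with
# ExecStop= running `nft flush ruleset`, as the report describes; the
# drop-in name and message text are assumptions of this example.
set -eu

# Render the drop-in.  An empty "ExecStop=" clears the command list
# inherited from the unit file; the second ExecStop= then adds a harmless
# message saying how to flush by hand, as the thread proposes.
nft_stop_override_text() {
    cat <<'EOF'
[Service]
ExecStop=
ExecStop=/bin/echo "nftables.service stop is a no-op; run 'nft flush ruleset' to clear the rules manually"
EOF
}

# Install the drop-in into DIR (created if needed) and print its path.
# On a real host DIR is /etc/systemd/system/nftables.service.d and a
# `systemctl daemon-reload` must follow.
install_nft_stop_override() {
    dir="$1"
    mkdir -p "$dir"
    nft_stop_override_text > "$dir/no-flush-on-stop.conf"
    printf '%s\n' "$dir/no-flush-on-stop.conf"
}

# Syntax-check a ruleset file without touching the kernel (nft -c).
check_ruleset() {
    nft -c -f "$1"
}

# Replace the live ruleset only if the file parses.  `nft -f` commits the
# whole file as one transaction, so a file that fails to load leaves the
# old rules in place; checking first just makes the failure visible.
# Caveat matching the first report: if the file begins with `flush ruleset`,
# the reload still removes tables that other tools created through
# nf_tables at runtime (iptables-nft rules from container engines included),
# even though there is no longer a moment with no rules at all.
reload_ruleset() {
    check_ruleset "$1" && nft -f "$1"
}

main() {
    # With no argument, print the drop-in (dry run); with a directory
    # argument, install it there.
    if [ "$#" -eq 0 ]; then
        nft_stop_override_text
    else
        f=$(install_nft_stop_override "$1")
        echo "wrote $f; now run: systemctl daemon-reload"
    fi
}

main "$@"
```

With the drop-in in place, `systemctl restart nftables` becomes "do nothing, then `nft -f /etc/nftables.conf`", and `systemctl reload nftables` (if the unit has an ExecReload= that runs `nft -f`) applies the file atomically without any stop at all. Neither protects rules that other programs add at runtime if /etc/nftables.conf itself starts with `flush ruleset`; for hosts running iptables-nft alongside nftables, scoping the file to its own tables is the safer layout.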