[pkg-netfilter-team] Bug#944748: nftables: no init script

Thorsten Glaser tg at mirbsd.de
Thu Nov 14 18:00:15 GMT 2019


Package: nftables
Version: 0.9.0-2
Severity: serious
Justification: Policy 9.11

I’m trying to set up a simple firewall (just filter an exposed
service so only select source IP addresses can use it) and was
told that nftables should be used for new setups.

While https://wiki.debian.org/nftables is a bit short on actual
helpful information, https://wiki.gentoo.org/wiki/Nftables has
more useful info, but incidentally, while Gentoo ships an init
script with nftables (one that can save and restore rules even)
Debian doesn’t.

This is a problem, as this way the firewall rules are not
reboot-safe (i.e. gone after rebooting) unless I add something
to /etc/rc.local or something.

However, nftables appears to ship a systemd unit, which is a
clear violation of Policy §9.11:
“However, any package integrating with other init systems
must also be backwards-compatible with sysvinit by providing a SysV-
style init script with the same name as and equivalent functionality
to any init-specific job, as this is the only start-up configuration
method guaranteed to be supported by all init implementations.”

I checked the latest version of Policy, and this is still there.
So please make a stable update adding an init script.

-- System Information:
Debian Release: 10.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

Versions of packages nftables depends on:
ii  dpkg          1.19.7
ii  libc6         2.28-10
ii  libgmp10      2:6.1.2+dfsg-4
ii  libjansson4   2.12-1
ii  libnftables0  0.9.0-2
ii  libreadline7  7.0-5

nftables recommends no packages.

nftables suggests no packages.

-- no debconf information
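The setup the report describes (one exposed service reachable only from a short list of source addresses, with rules that survive a reboot) can be expressed as an nftables ruleset loaded by a SysV-style script with start/stop/save actions. The script below is an added example for this thread; it is not the nftables package's code and not from the Gentoo init script the report mentions. It assumes a ruleset path of /etc/nftables.conf, a service on TCP port 8080, and the RFC 5737 documentation addresses 192.0.2.10 and 198.51.100.7 as the allowed sources; all three are placeholders to adjust.

```shell
#!/bin/sh
### BEGIN INIT INFO
# Provides:          nftables
# Required-Start:    $local_fs
# Required-Stop:     $local_fs
# Default-Start:     S
# Default-Stop:      0 6
# Short-Description: load nftables ruleset at boot
### END INIT INFO
#
# Added example, not part of the nftables package. Assumptions (placeholders):
# ruleset file /etc/nftables.conf, service port 8080, allowed sources are
# RFC 5737 documentation addresses. IPv4 only; add an ipv6_addr set for v6.

RULESET_FILE="${RULESET_FILE:-/etc/nftables.conf}"

# build_ruleset PORT "IP IP ..."
# Print a ruleset that accepts TCP PORT only from the listed sources and
# drops it from everyone else. "flush ruleset" at the top makes "nft -f"
# replace the running rules atomically, so there is no window with half
# of the old and half of the new rules loaded.
build_ruleset() {
    port="$1"
    allowed=$(printf '%s' "$2" | sed 's/  */, /g')
    cat <<EOF
flush ruleset
table inet filter {
    set allowed_src {
        type ipv4_addr
        elements = { $allowed }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        iif lo accept
        tcp dport $port ip saddr @allowed_src accept
        tcp dport $port drop
    }
}
EOF
}

# The three actions a persistence-capable init script needs:
# start loads the saved file, stop clears everything, save writes the
# running ruleset back so hand-made changes survive the next boot.
do_start() { nft -f "$RULESET_FILE"; }
do_stop()  { nft flush ruleset; }
do_save()  { nft list ruleset > "$RULESET_FILE"; }

init_main() {
    case "$1" in
        start|restart|reload) do_start ;;
        stop)                 do_stop ;;
        save)                 do_save ;;
        # generate [port] ["ip ip"]: print a ruleset to redirect into RULESET_FILE
        generate)             build_ruleset "${2:-8080}" "${3:-192.0.2.10 198.51.100.7}" ;;
        *) echo "Usage: $0 {start|stop|restart|reload|save|generate [port] [\"ip ip\"]}" >&2 ;;
    esac
}

# Only dispatch when invoked with an action, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    init_main "$@"
fi
```

Typical use is `./nftables generate 8080 "192.0.2.10 198.51.100.7" > /etc/nftables.conf` once, then `update-rc.d nftables defaults` so `start` runs at boot; `save` captures later interactive changes. Because the chain policy stays `accept` and only the one port is dropped for unlisted sources, a typo in the address list locks out the service rather than the whole host, which is the safer failure mode when editing rules over a remote session.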
