[pkg-netfilter-team] Bug#1012613: nftables: upgrade stops but does not start service

Arturo Borrero Gonzalez arturo at debian.org
Sun Jun 19 12:48:59 BST 2022


On Fri, 10 Jun 2022 12:21:37 +0200 Christian Göttsche <cgzones at googlemail.com> wrote:
> Package: nftables
> Version: 1.0.4-1
> Severity: serious
> 
> Dear Maintainer,
> 
> upgrades of nftables stop the service but do not start it (even if the
> service is actually enabled).
> This can lead to lockouts, e.g. when using special rules for ssh access.
> 
> 
> nft.preinst:
> 
> #!/bin/sh
> set -e
> # Automatically added by dh_installsystemd/13.7.1
> if [ -z "${DPKG_ROOT:-}" ] && [ "$1" = upgrade ] && [ -d /run/systemd/system ] ; then
>        deb-systemd-invoke stop 'nftables.service' >/dev/null || true
> fi
> # End automatically added section
> 
> 
> nft.postinst:
> 
> #!/bin/sh
> set -e
> # Automatically added by dh_installsystemd/13.7.1
> if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
>        if deb-systemd-helper debian-installed 'nftables.service'; then
>                # This will only remove masks created by d-s-h on package removal.
>                deb-systemd-helper unmask 'nftables.service' >/dev/null || true
> 
>                if deb-systemd-helper --quiet was-enabled 'nftables.service'; then
>                        # Create new symlinks, if any.
>                        deb-systemd-helper enable 'nftables.service' >/dev/null || true
>                fi
>        fi
> 
>        # Update the statefile to add new symlinks (if any), which need to be cleaned
>        # up on purge. Also remove old symlinks.
>        deb-systemd-helper update-state 'nftables.service' >/dev/null || true
> fi
> # End automatically added section
> 
> 

I confirmed this can be a problem:

=== 8< ===
⌂0.65 arturo at nostromo:~ $ apt-cache policy nftables
nftables:
   Installed: 1.0.2-1
   Candidate: 1.0.4-1
   Version table:
      1.0.4-1 500
         500 http://deb.debian.org/debian sid/main amd64 Packages
  *** 1.0.2-1 500
         500 http://deb.debian.org/debian testing/main amd64 Packages
         100 /var/lib/dpkg/status
⌂0.68 arturo at nostromo:~ $ sudo systemctl status nftables
● nftables.service - nftables
      Loaded: loaded (/lib/systemd/system/nftables.service; disabled; vendor preset: enabled)
      Active: active (exited) since Sun 2022-06-19 13:38:11 CEST; 51s ago
        Docs: man:nft(8)
              http://wiki.nftables.org
     Process: 5537 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=0/SUCCESS)
    Main PID: 5537 (code=exited, status=0/SUCCESS)
         CPU: 13ms

Jun 19 13:38:11 nostromo systemd[1]: Starting nftables...
Jun 19 13:38:11 nostromo systemd[1]: Finished nftables.
⌂0.70 arturo at nostromo:~ $ sudo nft list ruleset
table inet filter {
	chain input {
		type filter hook input priority filter; policy accept;
		iif "lo" accept
		ct state established,related accept
		tcp dport 22 ct state new accept
		ip6 nexthdr ipv6-icmp icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
		counter packets 6 bytes 898 drop
	}
}
⌂0.65 arturo at nostromo:~ $ sudo aptitude install nftables
The following packages will be upgraded:
   libnftables1 nftables
2 packages upgraded, 0 newly installed, 0 to remove and 754 not upgraded.
Need to get 365 kB of archives. After unpacking 27.6 kB will be used.
Do you want to continue? [Y/n/?] Y
Get: 1 http://deb.debian.org/debian sid/main amd64 nftables amd64 1.0.4-1 [71.9 kB]
Get: 2 http://deb.debian.org/debian sid/main amd64 libnftables1 amd64 1.0.4-1 [294 kB]
Fetched 365 kB in 0s (4,064 kB/s)
Reading changelogs... Done
(Reading database ... 273043 files and directories currently installed.)
Preparing to unpack .../nftables_1.0.4-1_amd64.deb ...
Unpacking nftables (1.0.4-1) over (1.0.2-1) ...
Preparing to unpack .../libnftables1_1.0.4-1_amd64.deb ...
Unpacking libnftables1:amd64 (1.0.4-1) over (1.0.2-1) ...
Setting up libnftables1:amd64 (1.0.4-1) ...
Setting up nftables (1.0.4-1) ...
Processing triggers for man-db (2.10.2-1) ...
Processing triggers for libc-bin (2.33-7) ...

Current status: 754 (-2) upgradable.
⌂0.78 arturo at nostromo:~ $ sudo nft list ruleset
⌂0.78 arturo at nostromo:~ $ sudo systemctl status nftables
○ nftables.service - nftables
      Loaded: loaded (/lib/systemd/system/nftables.service; disabled; vendor preset: enabled)
      Active: inactive (dead)
        Docs: man:nft(8)
              http://wiki.nftables.org

Jun 19 13:38:11 nostromo systemd[1]: Starting nftables...
Jun 19 13:38:11 nostromo systemd[1]: Finished nftables.
Jun 19 13:39:13 nostromo systemd[1]: Stopping nftables...
Jun 19 13:39:13 nostromo systemd[1]: nftables.service: Deactivated successfully.
Jun 19 13:39:13 nostromo systemd[1]: Stopped nftables.
=== 8< ===

@Alberto, @Jeremy,

It seems to me like we need to play with the dh_installsystemd 
--no-restart-after-upgrade option, but I don't have time to figure out the 
right logic.

I'm currently unable to handle this. Could you please take a look?

regards.
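A post-upgrade check in the spirit of the report above, added here as an example and not taken from the bug report, the nftables package or debhelper: it reads `systemctl status nftables` and `nft list ruleset` text (constructed copies of the two snapshots above, with the unit marked enabled as in the reporter's case) and flags the enabled-but-stopped, empty-ruleset state the upgrade left behind. All function names are invented.

```shell
#!/bin/sh
# Added example, not part of the bug report or the nftables package: classify
# the nftables unit from `systemctl status` and `nft list ruleset` text and
# flag the enabled-but-stopped, empty-ruleset state the upgrade above leaves.
# All function names are invented.

# Constructed inputs mirroring the two snapshots above (Loaded line changed
# to "enabled" to match the reporter's "service is actually enabled" case).
BEFORE_STATUS='Loaded: loaded (/lib/systemd/system/nftables.service; enabled; vendor preset: enabled)
Active: active (exited) since Sun 2022-06-19 13:38:11 CEST; 51s ago'
AFTER_STATUS='Loaded: loaded (/lib/systemd/system/nftables.service; enabled; vendor preset: enabled)
Active: inactive (dead)'
BEFORE_RULESET='table inet filter {
	chain input {
		type filter hook input priority filter; policy accept;
		tcp dport 22 ct state new accept
		counter packets 6 bytes 898 drop
	}
}'
AFTER_RULESET=''

# unit_enabled STATUS: succeeds when the Loaded: line reads "; enabled;".
unit_enabled() { case "$1" in *"; enabled;"*) return 0 ;; *) return 1 ;; esac; }

# nft_state STATUS RULESET prints one of: running, stopped_no_rules (the
# post-upgrade state above), stopped_with_rules, active_no_rules.
nft_state() {
    case "$1" in *"Active: active"*) active=1 ;; *) active=0 ;; esac
    if [ -n "$2" ]; then loaded=1; else loaded=0; fi
    case "$active$loaded" in
        11) echo running ;;
        00) echo stopped_no_rules ;;
        01) echo stopped_with_rules ;;
        10) echo active_no_rules ;;
    esac
}

# needs_start STATUS RULESET: succeeds when an enabled unit was left stopped
# with no rules loaded, i.e. the firewall silently vanished during the upgrade.
needs_start() { unit_enabled "$1" && [ "$(nft_state "$1" "$2")" = stopped_no_rules ]; }

# Live variant for a real host; a no-op where systemctl or nft are missing.
check_live_nftables() {
    command -v systemctl >/dev/null 2>&1 && command -v nft >/dev/null 2>&1 || return 0
    st="$(systemctl status nftables 2>/dev/null || true)"
    rs="$(nft list ruleset 2>/dev/null || true)"
    needs_start "$st" "$rs" || return 0
    echo "nftables: enabled but stopped with no ruleset loaded; start it" >&2
    return 1
}
```

Calling `check_live_nftables` from a post-upgrade hook turns the silent state observed above into a non-zero exit and a message on stderr.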
