[pkg-netfilter-team] Bug#1012613: nftables: upgrade stops but does not start service
Jeremy Sowden
jeremy at azazel.net
Sun Jun 19 18:47:19 BST 2022
On 2022-06-19, at 13:48:59 +0200, Arturo Borrero Gonzalez wrote:
> On Fri, 10 Jun 2022 12:21:37 +0200 Christian Göttsche wrote:
> > Package: nftables
> > Version: 1.0.4-1
> > Severity: serious
> >
> > Dear Maintainer,
> >
> > upgrades of nftables stop the service but do not start it (even if the
> > service is actually enabled).
> > This can lead to lockouts, e.g. when using special rules for ssh access.
> >
> >
> > nft.preinst:
> >
> > #!/bin/sh
> > set -e
> > # Automatically added by dh_installsystemd/13.7.1
> > if [ -z "${DPKG_ROOT:-}" ] && [ "$1" = upgrade ] && [ -d /run/systemd/system ] ; then
> > deb-systemd-invoke stop 'nftables.service' >/dev/null || true
> > fi
> > # End automatically added section
> >
> >
> > nft.postinst:
> >
> > #!/bin/sh
> > set -e
> > # Automatically added by dh_installsystemd/13.7.1
> > if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
> > if deb-systemd-helper debian-installed 'nftables.service'; then
> > # This will only remove masks created by d-s-h on package removal.
> > deb-systemd-helper unmask 'nftables.service' >/dev/null || true
> >
> > if deb-systemd-helper --quiet was-enabled 'nftables.service'; then
> > # Create new symlinks, if any.
> > deb-systemd-helper enable 'nftables.service' >/dev/null || true
> > fi
> > fi
> >
> > # Update the statefile to add new symlinks (if any), which need to be cleaned
> > # up on purge. Also remove old symlinks.
> > deb-systemd-helper update-state 'nftables.service' >/dev/null || true
> > fi
> > # End automatically added section
>
> I confirmed this can be a problem:
>
> [...]
>
> @Alberto, @Jeremy,
>
> It seems to me like we need to play with the dh_installsystemd
> --no-restart-after-upgrade option, but don't have time to figure out the
> right logic.
>
> I'm currently unable to handle this. Could you please take a look?
Passing `--restart-after-upgrade` does the trick:
diff -u nftables_1.0.4-1/postinst nftables_1.0.4-2/postinst
--- nftables_1.0.4-1/postinst 2022-06-07 23:59:59.000000000 +0100
+++ nftables_1.0.4-2/postinst 2022-06-19 18:04:19.000000000 +0100
@@ -17,3 +17,13 @@
deb-systemd-helper update-state 'nftables.service' >/dev/null || true
fi
# End automatically added section
+# Automatically added by dh_installsystemd/13.7.1
+if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
+ if [ -z "${DPKG_ROOT:-}" ] && [ -d /run/systemd/system ]; then
+ systemctl --system daemon-reload >/dev/null || true
+ if [ -n "$2" ]; then
+ deb-systemd-invoke try-restart 'nftables.service' >/dev/null || true
+ fi
+ fi
+fi
+# End automatically added section
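Review bot: `try-restart` in the added postinst block only restarts a unit that is running at that point, so it restores the ruleset only if the preinst quoted in the report no longer runs `deb-systemd-invoke stop 'nftables.service'` on upgrade. This diff covers postinst alone; please show or confirm the matching preinst for 1.0.4-2, or use a plain start/restart here if the stop stays. The `[ -n "$2" ]` guard also skips the restart on a fresh install, which deserves a one-line mention in the changelog.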
I've pushed that and a few other changes to Salsa.
J.
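
An added example, not part of the thread or of the Debian packaging: a shell check for the pattern reported in this bug, where preinst stops a unit and postinst never brings it back. The sample scripts are constructed from the snippets quoted above; the file names and the preinst without a stop section are assumptions, since the thread does not show the 1.0.4-2 preinst.

```sh
#!/bin/sh
# Added example (not from the thread): find units that preinst stops on
# upgrade and that postinst never brings back up.

# Writes constructed sample scripts modelled on the snippets in the thread.
write_samples() {
    cat > "$1/preinst.stop" <<'EOF'
if [ "$1" = upgrade ] && [ -d /run/systemd/system ] ; then
    deb-systemd-invoke stop 'nftables.service' >/dev/null || true
fi
EOF
    printf '#!/bin/sh\nset -e\n' > "$1/preinst.nostop"   # assumed: no stop section
    cat > "$1/postinst.old" <<'EOF'
deb-systemd-helper enable 'nftables.service' >/dev/null || true
deb-systemd-helper update-state 'nftables.service' >/dev/null || true
EOF
    cat > "$1/postinst.new" <<'EOF'
deb-systemd-helper update-state 'nftables.service' >/dev/null || true
if [ -n "$2" ]; then
    deb-systemd-invoke try-restart 'nftables.service' >/dev/null || true
fi
EOF
}

# Usage: check_restart_gap PREINST POSTINST
# Prints each unit left stopped and returns 1 if there is one.
# try-restart is not counted: systemctl only restarts units that are running.
check_restart_gap() {
    gap=0
    for unit in $(sed -n "s/.*deb-systemd-invoke stop '\([^']*\)'.*/\1/p" "$1" | sort -u); do
        if ! grep -Eq "deb-systemd-invoke (start|restart) '$unit'" "$2"; then
            echo "$unit: stopped in preinst, no start/restart in postinst"
            gap=1
        fi
    done
    return "$gap"
}

d=$(mktemp -d)
write_samples "$d"
check_restart_gap "$d/preinst.stop" "$d/postinst.old" || echo "1.0.4-1 pattern: gap"
check_restart_gap "$d/preinst.stop" "$d/postinst.new" || echo "stop + try-restart: gap"
check_restart_gap "$d/preinst.nostop" "$d/postinst.new" && echo "no stop + try-restart: ok"
rm -rf "$d"
```

On a real package the two arguments would be the preinst and postinst extracted from the .deb control archive.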