[pkg-netfilter-team] Bug#1068678: nftables: on sysvinit the init script does not start nftables at boot
Jeremy Sowden
azazel at debian.org
Tue Apr 9 09:13:21 BST 2024
On 2024-04-09, at 02:35:51 +0200, Davide Baldini wrote:
> Package: nftables
> Version: 1.0.6-2+deb12u2
> Severity: normal
>
> Dear Maintainer,
>
> the installation of nftables completed via apt from the stable repository
> leads to the creation of the following init script on a system with sysvinit
> without Systemd:
>
> /etc/init.d/nftables
>
> whose LSB section is:
>
> ### BEGIN INIT INFO
> # Provides: nftables
> # Required-Start: $local_fs $network
> # Required-Stop: $local_fs $network
> # Should-Start:
> # Default-Start: S
> # Default-Stop: 0 1 6
> # Short-Description: Loads nftables firewall rules
> # Description: Loads nftables firewall rules
> ### END INIT INFO
>
> The "Default-Start" tag is set to "S", which is problematic as it causes the
> script to never run at boot. If "S" is replaced by "1 2 3" the script
> instead runs at boot as intended. This seems to be a general problem with
> all init scripts under Debian whose "Default-Start" tag is set to "S".
The nftables package has not installed an init-script for many years.
It provides an example script in
/usr/share/doc/nftables/examples/sysvinit, along with a README file
which reads in part:
    The file /usr/share/doc/nftables/examples/sysvinit/nftables.init is a
    typical sysvinit script for you to use as /etc/init.d/nftables.
    Given that Debian's default init system is systemd, I have no intention to
    support sysvinit apart from providing this example file.
    Read the script carefully before using it, as it is just an example. You
    will likely need to manually edit and install the script in order
    to use it properly.
If your system has an init script installed, then either it was left
over when the nftables package stopped providing one, because it had
been locally modified and so was not removed, or it was manually
installed as described in the README.
J.
> For example, I created the test file
>
> /etc/init.d/test.sh
>
> with the following content:
>
> #!/bin/bash
>
> ### BEGIN INIT INFO
> # Provides: test
> # Required-Start:
> # Required-Stop:
> # Should-Start:
> # Default-Start: S
> # Default-Stop: 0 1 6
> # Short-Description: Test
> # Description: Test
> ### END INIT INFO
>
> echo $(date) "$@" >>/root/test.txt
>
> and I enable it with:
>
> update-rc.d test.sh defaults
>
> which results in these, and only these, rc symlinks being created:
>
> rc0.d/K01test.sh
> rc1.d/K01test.sh
> rc6.d/K01test.sh
> rcS.d/S01test.sh
>
> After rebooting the system from an empty '/root/test.txt' file, the contents
> of this file become:
>
> Tue Apr 9 01:26:50 CEST 2024 stop
>
> in which only one line is logged, corresponding to the time when I issued
> the reboot command, with no follow-up lines after the reboot.
> My sysvinit configuration is unremarkably default and I encountered this
> problem on every Debian system under sysvinit.
>
> -- System Information:
> Debian Release: 12.4
> APT prefers stable-updates
> APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 6.1.0-9-amd64 (SMP w/1 CPU thread; PREEMPT)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored:
> LC_ALL set to en_US.UTF-8), LANGUAGE not set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: sysvinit (via /sbin/init)
> LSM: AppArmor: enabled
>
> Versions of packages nftables depends on:
> ii libc6 2.36-9+deb12u3
> ii libedit2 3.1-20221030-2
> ii libnftables1 1.0.6-2+deb12u2
>
> Versions of packages nftables recommends:
> ii netbase 6.4
>
> Versions of packages nftables suggests:
> pn firewalld <none>
>
> -- Configuration Files:
> /etc/nftables.conf changed [not included]
>
> -- no debconf information
>
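As an added example (not code from the report, the package or its maintainer), a small POSIX sh audit that reads the Default-Start field of an init script's LSB header and lists which rc*.d directories actually hold start links for it, so that whether the firewall script is wired into a boot runlevel can be checked rather than assumed. The demo tree under mktemp is constructed to mirror the header and symlinks shown in the report; all paths in it are hypothetical.

```shell
#!/bin/sh
# Added example (not from the nftables package or the report): audit an init
# script's LSB header against the rc*.d start links present for it.
# Print the runlevels listed in the script's "Default-Start:" LSB field.
lsb_default_start() {
    sed -n '/^### BEGIN INIT INFO/,/^### END INIT INFO/s/^# *Default-Start: *//p' "$1"
}
# Print the runlevels under rc root $1 whose rcN.d holds an S* (start) link for script $2.
rc_start_levels() {
    rc_root=$1; name=$2
    for dir in "$rc_root"/rc*.d; do
        [ -d "$dir" ] || continue
        lvl=${dir##*/rc}; lvl=${lvl%.d}
        for link in "$dir"/S[0-9][0-9]"$name"; do
            if [ -e "$link" ]; then printf '%s ' "$lvl"; fi
        done
    done
    echo
}
# Classify: "multiuser" if a start link exists in runlevel 2-5, "S-only" if the
# only start link is in rcS.d (the layout in the report), "none" otherwise.
audit_start_links() {
    levels=$(rc_start_levels "$1" "$2")
    case " $levels " in
        *" 2 "*|*" 3 "*|*" 4 "*|*" 5 "*) echo multiuser ;;
        *" S "*) echo S-only ;;
        *) echo none ;;
    esac
}
# Constructed demo tree mirroring the report: Default-Start: S in the header and
# the K01 links in rc0/1/6.d plus S01 in rcS.d that update-rc.d created.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/init.d" "$root/rc0.d" "$root/rc1.d" "$root/rc6.d" "$root/rcS.d"
    cat > "$root/init.d/test.sh" <<'EOF'
#!/bin/sh
### BEGIN INIT INFO
# Provides:      test
# Default-Start: S
# Default-Stop:  0 1 6
### END INIT INFO
EOF
    for lvl in 0 1 6; do ln -s ../init.d/test.sh "$root/rc$lvl.d/K01test.sh"; done
    ln -s ../init.d/test.sh "$root/rcS.d/S01test.sh"
    echo "$root"
}
demo=$(make_demo_tree)
printf 'Default-Start: %s / start links: %s\n' "$(lsb_default_start "$demo/init.d/test.sh")" "$(audit_start_links "$demo" test.sh)"
rm -rf "$demo"
```

Point the two functions at /etc/init.d/nftables and /etc (rc root) on a real host to see the same classification for the installed script.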