[MIR] nftables
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
nftables (Ubuntu) | Fix Released | Critical | Unassigned |
Bug Description
[Availability]
* The package is already in universe and has been supported
by Ubuntu kernels since at least Ubuntu 18.04 LTS. It
builds and is supported on all Ubuntu architectures.
[Rationale]
* nftables is the future CLI and backend for firewalling
which should be available on Ubuntu by default, and is
the preferred tool by the upstream kernel community.
* iptables will be switching to the nftables backend, but
iptables availability and usage will probably continue for
the foreseeable future. It is expected that newer software will
adopt nftables directly, rather than via the iptables
compat tools.
[Security]
* There is no history of vulnerabilities in the nftables
user space tools (CVE-2015-1573 is in the kernel portion
of nftables).
* The nftables binary package contains the binary
`/usr/bin/nft` which is neither setuid nor setgid. This
binary is the utility that interacts with and configures
the nftables subsystem in the Linux kernel.
* The package also includes a oneshot systemd service
used during boot to load the nftables configuration in
/etc/nftables.conf. As packaged in Debian, this service
is disabled by default.
* It interacts with and configures the network filtering
as performed by the Linux kernel.
[Quality Assurance - function/usage]
* The package works as installed; it does require enabling
the systemd oneshot service to automatically reload defined
rules on boot.
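The two points above (the oneshot service loads /etc/nftables.conf at boot and is disabled until an administrator enables it) are easiest to see with a concrete ruleset. The script below is an added example, not part of the MIR or of the nftables package: it writes a small constructed default-deny ruleset, lists any base chain that does not default to drop using a plain text scan, and runs the parser-only check (`nft -c -f`) that an administrator can use before enabling the service. The `nft` and `systemctl` invocations and the `nftables.service` unit name are assumptions about the installed package.

```shell
#!/bin/sh
# Added example (not from the MIR or the nftables project): a minimal
# nftables.conf of the kind the packaged oneshot service loads at boot,
# plus checks to run before enabling that service.
set -eu

# Write a constructed default-deny ruleset to the path given as $1.
# Only loopback, established/related traffic and SSH are let in.
write_sample_conf() {
    cat > "$1" <<'EOF'
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        ct state invalid drop
        tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Print the name of every base chain (a chain with a hook) whose policy
# is not "drop", one per line. Empty output means all base chains are
# default-deny. This is a text scan, so it works without nft installed.
permissive_base_chains() {
    awk '
        /^[[:space:]]*chain[[:space:]]/ { chain = $2 }
        /hook/ && !/policy drop/       { print chain }
    ' "$1"
}

# Parse the file with nft without loading it into the kernel (-c).
# Returns 0 if it parses, nft's non-zero status on a syntax error,
# or 2 if nft is not installed on this machine (assumed binary name).
check_conf() {
    if ! command -v nft >/dev/null 2>&1; then
        return 2
    fi
    nft -c -f "$1"
}

# Enable the packaged oneshot unit (assumed name nftables.service) so
# the ruleset in /etc/nftables.conf is loaded on every boot. Not called
# here; run it by hand once check_conf has passed on the real file.
enable_boot_loading() {
    systemctl enable --now nftables.service
}
```

Running `write_sample_conf /tmp/nftables.conf && permissive_base_chains /tmp/nftables.conf` prints `output`, the one chain in the sample that accepts by default; `check_conf` then confirms the file parses before anything is enabled or loaded.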
[Quality Assurance - maintenance]
LP bugs: https:/
Debian: https:/
Upstream: https:/
* Ubuntu and Debian bugs are reasonably under
control. Upstream has a larger set of bugs that are
mostly about parsing errors (flex/yacc are complex) and
documentation or feature requests.
[Quality Assurance - testing]
* Tests are not run at build time; there are many tests
run during autopkgtests across all architectures, but the
more extensive ones have been marked as flaky. Example
autopkgtest log:
https:/
[Quality Assurance - packaging]
* A debian/watch file is present and works. Lintian reports
nothing substantial, just minor standards version lag as
well as debian/control missing the Rules-Requires-
field (silent-
on obsolete or about to be demoted packages. There are no
debconf settings or questions.
[UI Standards]
* It is primarily a sysadmin-facing command line system
tool; it does not contain translations.
[Dependencies]
* Documentation tools used during the build are in
universe; all runtime dependencies are in main. It uses
libjansson for JSON handling; not sure if there's a
preferred JSON library in main.
[Standards compliance]
* This package correctly follows the FHS and Debian Policy.
[Maintenance/Owner]
* The ubuntu-security team is subscribed to bugs for
nftables. There are no static builds. There are some very
minor embedded code copies that are either disabled at
build time (system gmp is used over embedded mini-gmp)
or are fairly small (David Woodhouse's rbtree). It is
relatively mature software with active upstream commits
(http://
reasonably active maintenance in Debian.
[Background information]
* The package description explains the package
well. The upstream project is part of the
larger netfilter project, and is documented at
https:/
Related branches
- Steve Langasek: Needs Fixing
- Dimitri John Ledkov: Needs Information
- Diff: 14 lines (+2/-1), 1 file modified: standard (+2/-1)
- description: updated
- tags: added: id-5eab0494b1f7785110eb0898
- description: updated
- Changed in nftables (Ubuntu): status: Incomplete → New
- Changed in nftables (Ubuntu): status: Expired → Incomplete
- description: updated
- description: updated
- description: updated
- Changed in nftables (Ubuntu): assignee: Seth Arnold (seth-arnold) → nobody; status: Confirmed → New
- Changed in nftables (Ubuntu): assignee: nobody → Ioanna Alifieraki (joalif)
- Changed in nftables (Ubuntu): status: Confirmed → New
- Changed in nftables (Ubuntu): status: In Progress → Fix Committed
- Changed in nftables (Ubuntu): status: Fix Committed → In Progress; assignee: Steve Beattie (sbeattie) → nobody
Status changed to 'Confirmed' because the bug affects multiple users.