I reviewed nftables 1.0.2-1ubuntu1 as checked into jammy. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

nftables is a replacement for iptables etc - it provides userspace tooling to control the Netfilter packet classification system within the Linux kernel and can be used to implement firewalls, advanced packet routing, traffic control and other use-cases.

- No CVE History
- Security relevant Build-Depends:
  - libjansson-dev for JSON parsing
  - libmnl-dev for netlink message handling
- pre/post inst/rm scripts
  - nftables binary package has autogenerated (by dh_installsystemd) scripts to set up systemd for the nftables daemon service
  - python3-nftables binary package has autogenerated (by dh_python3) scripts to compile python files on install
- No init scripts
- systemd units for the nft daemon
  - Loads / unloads nft rules on startup / shutdown
  - Confines the daemon by using both ProtectSystem=full and ProtectHome=true so that it cannot write to /usr, /boot, /efi and /etc and that /home, /root and /run/user are inaccessible
- No dbus services
- No setuid binaries
- 1 binary in PATH
  - -rwxr-xr-x root/root 26856 2022-03-18 11:45 ./usr/sbin/nft
- No sudo fragments
- No polkit files
- No udev rules
- No unit tests run during build
- Autopkgtests
  - Runs the high level 'shell' based internal test suite
  - Runs internal nft monitor testsuite to ensure output of 'nft monitor' is as expected
  - Runs test of systemd service to ensure rules get loaded / unloaded appropriately by the systemd unit
  - Contains a reference to running the internal python-based regression testsuite of nft but this is commented out - I thought it might be easy to get this running (see LP: #1966017) but it turns out there are still issues there so perhaps that is best left for a future task
- No cron jobs
- Clean build logs
- No processes spawned
- Lots of dynamic memory management (since it is written in C) but appears to be careful / defensive - exits with an error if it fails to allocate memory, which is fine as this is a command-line tool, and appears to check buffer sizes etc as needed
- File IO
  - Paths are specified in input files / rules etc as input
  - Files are not written to, only read from
- Logging appears careful and defensive
- Environment variable usage
  - HOME is used to store a history file for the cli interface to store past commands etc
- No apparent use of privileged functions
- No use of cryptography / random number sources etc
- No apparent use of temp files
- No direct use of networking
  - Uses netlink for communication with the kernel but whilst this is socket based it does not allow remote access or any other such similar attack surface, nor does it handle untrusted input
- No use of WebKit
- No use of PolicyKit
- No significant cppcheck results
- Lots of Coverity results but none look super critical - given nftables is expected to handle only trusted input I can't see how they could be used to cross a security boundary etc
- Lots of shellcheck results generated by upstream 'shell' and 'monitor' test suites but since these come from upstream and are part of the tests they can be safely ignored IMO

In general nftables looks well written and maintained - whilst it is a tool which interfaces directly with the kernel to manage complex security policies and so could be seen as a security risk, it is expected to only handle trusted input and so this reduces the threat model significantly.

Security team ACK for promoting nftables to main.
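The review credits the systemd unit with ProtectSystem=full and ProtectHome=true. The script below is an added example (not part of this review, the nftables package or its unit file) showing how a reviewer can check any unit file for those two sandboxing directives; the two sample units it writes are constructed for the example and only mirror the directives described above, not the packaged nftables.service verbatim. The helper names (has_protect_system, has_protect_home, check_hardening) are this example's own.

```shell
#!/bin/sh
# Added example, not the nftables project's code: audit a systemd unit file for
# the ProtectSystem / ProtectHome sandboxing the review describes.

# Return 0 if the unit at $1 sets ProtectSystem to full or strict, else 1.
# (full makes /usr, /boot, /efi and /etc read-only for the service; strict is
# stronger, so it is accepted too.)
has_protect_system() {
    grep -Eq '^[[:space:]]*ProtectSystem[[:space:]]*=[[:space:]]*(full|strict)[[:space:]]*$' "$1"
}

# Return 0 if the unit at $1 sets ProtectHome to a value that hides or
# restricts /home, /root and /run/user, else 1.
has_protect_home() {
    grep -Eq '^[[:space:]]*ProtectHome[[:space:]]*=[[:space:]]*(true|yes|read-only|tmpfs)[[:space:]]*$' "$1"
}

# Print a one-line verdict per directive; return 0 only when both are present.
check_hardening() {
    unit="$1"
    ok=0
    if has_protect_system "$unit"; then
        echo "$unit: ProtectSystem restricts writes to /usr, /boot, /efi and /etc"
    else
        echo "$unit: ProtectSystem missing or not full/strict"; ok=1
    fi
    if has_protect_home "$unit"; then
        echo "$unit: ProtectHome hides /home, /root and /run/user"
    else
        echo "$unit: ProtectHome missing or disabled"; ok=1
    fi
    return $ok
}

# Constructed sample units, written to a temporary directory for the demo.
tmpdir=$(mktemp -d)
cat > "$tmpdir/hardened.service" <<'EOF'
[Unit]
Description=constructed nftables-style unit (hardened)
[Service]
Type=oneshot
ProtectSystem=full
ProtectHome=true
ExecStart=/usr/sbin/nft -f /etc/nftables.conf
[Install]
WantedBy=multi-user.target
EOF
cat > "$tmpdir/weak.service" <<'EOF'
[Unit]
Description=constructed unit with no sandboxing
[Service]
Type=oneshot
ExecStart=/usr/sbin/nft -f /etc/nftables.conf
EOF

check_hardening "$tmpdir/hardened.service"
check_hardening "$tmpdir/weak.service" || echo "weak.service: add a drop-in with both directives"
```

To run this against a real installed unit, pass the path of the unit or drop-in (for example the output of `systemctl cat nftables.service` saved to a file) to check_hardening instead of the constructed samples.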