nftables ruleset is flushed on package upgrade or reinstall

Bug #1984043 reported by g1pi
Affects             Status         Importance   Assigned to   Milestone
nftables (Ubuntu)   New            Undecided    Unassigned
  Jammy             Fix Released   Undecided    Unassigned

Bug Description

[Impact]

 * When upgrading nftables, the nftables.service is stopped and not
   restarted. As a result any rules which were configured previously
   get cleared.

 * Depending on what rules have been configured this could have a
   variety of impacts from locking out SSH users to allowing unauthorized
   access to various services or causing a denial of service against
   various applications / services as well.

 * This upload fixes the issue by ensuring the nftables.service is
   restarted after being upgraded.

[Test Plan]

 * Enable nftables.service in a bionic container / VM and configure a
   simple rule:

   apt install nftables
   # edit /etc/nftables.conf to add the following under the output chain
   # ip daddr 9.9.9.9 counter

   systemctl enable nftables
   systemctl start nftables
   # check the custom output counter rule is present
   nft list ruleset -s

 * Upgrade the container / VM:

   do-release-upgrade

 * Check the nftables service is still enabled and the custom rule

   systemctl status nftables
   nft list ruleset -s
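As an added example (not from the bug report or the nftables package), a small POSIX shell helper that wraps the before/after check of the test plan: it snapshots the live ruleset, compares the two snapshots and reports when the ruleset was flushed or changed across the upgrade. The script name nft-check.sh and the snapshot paths are assumptions.

```shell
#!/bin/sh
# Added example, not part of the bug report: snapshot the live nftables
# ruleset before a package operation and compare it afterwards, so a flush
# like the one described above is detected immediately instead of later.
# Snapshots use `nft -s list ruleset` (stateless: no counter values), so a
# difference means rules changed, not merely that traffic was counted.

snapshot_ruleset() {
    # $1 = file to write; comment lines (e.g. the version banner) are dropped
    nft -s list ruleset | grep -v '^#' > "$1"
}

rule_present() {
    # $1 = snapshot file, $2 = rule text as a fixed string,
    # e.g. the test plan's 'ip daddr 9.9.9.9 counter'
    grep -qF -- "$2" "$1"
}

ruleset_intact() {
    # $1 = before snapshot, $2 = after snapshot
    # returns 0 if identical, 1 if rules were lost or changed,
    # 2 if the before snapshot is empty (nothing meaningful to compare)
    before="$1"; after="$2"
    if [ ! -s "$before" ]; then
        echo "before-snapshot is empty: nothing to compare" >&2
        return 2
    fi
    if [ ! -s "$after" ]; then
        echo "ruleset is EMPTY after the operation: it was flushed" >&2
        return 1
    fi
    if ! cmp -s "$before" "$after"; then
        echo "ruleset changed across the operation:" >&2
        diff -u "$before" "$after" >&2
        return 1
    fi
    return 0
}

# Usage (as root, around the upgrade step of the test plan; paths assumed):
#   ./nft-check.sh before /tmp/nft.before
#   apt install nftables          # or do-release-upgrade
#   ./nft-check.sh after /tmp/nft.before /tmp/nft.after
case "${1:-}" in
    before) snapshot_ruleset "$2" ;;
    after)  snapshot_ruleset "$3" && ruleset_intact "$2" "$3" ;;
esac
```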

[Where problems could occur]

 * Since the service is currently not restarted at all after an upgrade, this change is unlikely to have any negative effect; the worst case, if something goes wrong, is that the service is still not restarted.

[Other Info]

 * None

g1pi (g1pi)
description: updated
g1pi (g1pi)
information type: Private Security → Public Security
description: updated
Revision history for this message
Alex Murray (alexmurray) wrote :

Thanks for reporting this issue - it looks like Debian fixed this already via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012613 so a similar fix can be used for Ubuntu.

Revision history for this message
Alex Murray (alexmurray) wrote :

The attached debdiff updates debian/rules the same as was done for nftables in Debian and fixes this issue for me. I will look to SRU this change into nftables for ubuntu/jammy.

Revision history for this message
g1pi (g1pi) wrote :

In debian bullseye, preinst and postinst script leave the current ruleset alone.

The ruleset lives in the kernel: it doesn't really make sense to flush and reload it just because something changed in the userspace utility.

Revision history for this message
Alex Murray (alexmurray) wrote :

Yes, perhaps it would be better to use --no-stop-on-upgrade, although then the Ubuntu packaging for nftables would diverge more from what Debian is doing - see https://sources.debian.org/src/nftables/1.0.4-2/debian/rules/?hl=24#L24

Revision history for this message
Alex Murray (alexmurray) wrote :

Also it looks like Debian has been doing it this way for quite a while - https://salsa.debian.org/pkg-netfilter-team/pkg-nftables/-/commit/680e9d020a950264ad81d9f037ecfceda3c531ab - so most likely it is better to just do it the same way in Ubuntu to avoid having to carry another delta from Debian.

tags: added: patch
Alex Murray (alexmurray)
description: updated
Revision history for this message
Chris Halse Rogers (raof) wrote : Please test proposed package

Hello g1pi, or anyone else affected,

Accepted nftables into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/nftables/1.0.2-1ubuntu3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in nftables (Ubuntu Jammy):
status: New → Fix Committed
tags: added: verification-needed verification-needed-jammy
Revision history for this message
Alex Murray (alexmurray) wrote :

I have verified the version of nftables in jammy-proposed (1.0.2-1ubuntu3) in a jammy lxc container as follows:

# create container
lxc launch ubuntu:22.04 lp1984043
# enter the container environment - all the commands following this one are then done
# inside the container
lxc shell lp1984043

# add simple counter rule for output chain as per the test plan in the bug description
vi /etc/nftables.conf

# enable and start the nftables service to get this counter rule loaded
systemctl enable nftables
systemctl start nftables

# check the rule is loaded in the first place
nft -s list ruleset | grep 'ip daddr 9.9.9.9 counter'

# now upgrade to the new package version from -proposed
cat <<EOF | sudo tee /etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed restricted main multiverse universe
EOF

cat <<EOF | sudo tee /etc/apt/preferences.d/proposed-updates
# Configure apt to allow selective installs of packages from proposed
Package: *
Pin: release a=$(lsb_release -cs)-proposed
Pin-Priority: 400
EOF

apt update
apt install nftables/$(lsb_release -cs)-proposed

# and check the rule is still loaded and the nftables service is still active
systemctl is-enabled nftables
nft -s list ruleset | grep 'ip daddr 9.9.9.9 counter'

tags: added: verification-done verification-done-jammy
removed: verification-needed verification-needed-jammy
Revision history for this message
Chris Halse Rogers (raof) wrote : Update Released

The verification of the Stable Release Update for nftables has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nftables - 1.0.2-1ubuntu3

---------------
nftables (1.0.2-1ubuntu3) jammy; urgency=medium

  * d/rules: ensure systemd service is restarted after upgrade (LP: #1984043)

 -- Alex Murray <email address hidden> Wed, 10 Aug 2022 15:06:29 +0930

Changed in nftables (Ubuntu Jammy):
status: Fix Committed → Fix Released
This report contains Public Security information: everyone can see this security related information.