nftables ruleset is flushed on package upgrade or reinstall
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| nftables (Ubuntu) | New | Undecided | Unassigned | |
| Jammy | Fix Released | Undecided | Unassigned | |
Bug Description
[Impact]
* When upgrading nftables, the nftables.service is stopped and not restarted. As a result, any rules that were previously configured are cleared.
* Depending on what rules have been configured, this could have a variety of impacts, from locking out SSH users to allowing unauthorized access to various services or causing a denial of service against various applications / services as well.
* This upload fixes the issue by ensuring the nftables.service is restarted after being upgraded.
[Test Plan]
* Enable nftables.service in a bionic container / VM and configure a simple rule:
  apt install nftables
  # edit /etc/nftables.conf to add the following under the output chain
  # ip daddr 9.9.9.9 counter
  systemctl enable nftables
  systemctl start nftables
  # check the custom output counter rule is present
  nft list ruleset -s
* Upgrade the container / VM:
  do-release-
* Check that the nftables service is still enabled and that the custom rule is still present:
  systemctl status nftables
  nft list ruleset -s
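The test plan above boils down to "snapshot the ruleset, upgrade, snapshot again, confirm the custom rule survived". The script below is an added example that automates that comparison; it is not part of the bug report or of the Ubuntu/Debian nftables packaging. The rule text is the one from the test plan. Using `apt-get install --reinstall nftables` to stand in for the upgrade step, the `--live` flag, and the constructed sample dumps are this example's own assumptions. Without `--live` it only exercises the comparison logic against the samples; with `--live` it must run as root on the system under test.

```shell
#!/bin/sh
# Added example, not part of the bug report: snapshot-and-compare check for
# the nftables upgrade test plan. Assumptions: "apt-get install --reinstall
# nftables" stands in for the upgrade step, and "--live" selects the real run.

RULE='ip daddr 9.9.9.9 counter'

# count_rule RULESET RULE: number of ruleset lines containing RULE.
# grep -c prints 0 but exits 1 when nothing matches, so swallow that status.
count_rule() {
    printf '%s\n' "$1" | grep -Fc -- "$2" || true
}

# ruleset_is_empty RULESET: true when the dump declares no table at all,
# which is what "nft list ruleset" shows once the ruleset has been flushed.
ruleset_is_empty() {
    ! printf '%s\n' "$1" | grep -q '^table '
}

# verdict BEFORE AFTER RULE: classify the two snapshots. Always exits 0 and
# prints one word: ok, flushed, rule-lost, or setup-error (rule never loaded).
verdict() {
    before="$1"; after="$2"; rule="$3"
    if [ "$(count_rule "$before" "$rule")" -eq 0 ]; then
        echo setup-error
    elif ruleset_is_empty "$after"; then
        echo flushed
    elif [ "$(count_rule "$after" "$rule")" -eq 0 ]; then
        echo rule-lost
    else
        echo ok
    fi
}

# live_check: run the test plan against the local host (root required).
# "-s" (stateless) drops packet/byte counters so the two dumps are comparable.
live_check() {
    before="$(nft list ruleset -s)"
    apt-get install --reinstall -y nftables
    after="$(nft list ruleset -s)"
    echo "nftables.service enabled: $(systemctl is-enabled nftables || true)"
    echo "nftables.service active:  $(systemctl is-active nftables || true)"
    result="$(verdict "$before" "$after" "$RULE")"
    echo "result: $result"
    [ "$result" = ok ]
}

# Constructed sample dumps (stateless form) standing in for the snapshots.
SAMPLE_BEFORE='table inet filter {
    chain output {
        type filter hook output priority filter; policy accept;
        ip daddr 9.9.9.9 counter
    }
}'
SAMPLE_FLUSHED=''                    # the state this bug leaves behind
SAMPLE_RULE_LOST='table inet filter {
    chain output {
        type filter hook output priority filter; policy accept;
    }
}'

if [ "${1-}" = "--live" ]; then
    live_check
else
    # Dry run: prints "ok", "flushed", "rule-lost" for the three samples.
    for s in "$SAMPLE_BEFORE" "$SAMPLE_FLUSHED" "$SAMPLE_RULE_LOST"; do
        verdict "$SAMPLE_BEFORE" "$s" "$RULE"
    done
fi
```

The `flushed` verdict is the symptom described in [Impact]: the service was stopped, so `nft list ruleset` prints nothing. `rule-lost` is kept separate because a packaging change could plausibly reload the shipped default `/etc/nftables.conf` while dropping a locally added rule, which the plain "is the ruleset empty" check would miss.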
[Where problems could occur]
* Since the service is already not restarted it is unlikely this will have any negative effect other than still not restarting the service if something goes wrong.
[Other Info]
* None
- description: updated
- information type: Private Security → Public Security
- description: updated
- tags: added: patch
- description: updated
Thanks for reporting this issue - it looks like Debian fixed this already via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012613 so a similar fix can be used for Ubuntu.