Given the text of the preinstall script in the ubuntu version of nftables (not in the debian version),
# cat /var/lib/dpkg/info/nftables.preinst
#!/bin/sh
set -e
# Automatically added by dh_installsystemd/13.6ubuntu1
if [ -z "${DPKG_ROOT:-}" ] && [ "$1" = upgrade ] && [ -d /run/systemd/system ] ; then
        deb-systemd-invoke stop 'nftables.service' >/dev/null || true
fi
# End automatically added section
and the fact that there's no start or reload in the postinst script, upgrading or reinstalling the nftables package results in flushing the ruleset (as per the ExecStop variable in /lib/systemd/system/nftables), which won't be restored until the next reboot.
As a consequence, machines can be left exposed to attacks after an upgrade, or become unreachable if e.g. the ruleset contains a rule that NATs an unusual port to the ssh port (blocked by an external fw).
nftables version: 1.0.2-1ubuntu2
ubuntu version: 22.04.1
Best regards
g.b.
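The check and the workaround a sysadmin would want for the behaviour described in this report, as an added example that is not part of the report or of the nftables package. The maintainer scripts it inspects are constructed copies written to a temporary directory (the real ones live under /var/lib/dpkg/info/); the "fixed" postinst that restarts the service is hypothetical, and the apt hook file name 99-nftables-restore is my own choice. The hook relies only on DPkg::Post-Invoke, systemctl is-enabled/is-active and the existing ExecStart of nftables.service, so starting the unit is what reloads /etc/nftables.conf.

```shell
#!/bin/sh
# Added example, not code from the bug report or the nftables package.
# 1. stop_without_restart: detect the preinst/postinst combination that
#    leaves the ruleset flushed after an upgrade.
# 2. ruleset_empty: spot a flushed ruleset from "nft list ruleset" output.
# 3. apt_hook_text: an apt Post-Invoke hook that starts nftables.service
#    again whenever an apt run has left it enabled but inactive.
set -eu

# Return 0 when PREINST stops nftables.service on upgrade and POSTINST
# never starts, restarts or reloads it again.
stop_without_restart() {
    preinst=$1; postinst=$2
    grep -Eq "deb-systemd-invoke[[:space:]]+stop[[:space:]]+'?nftables\.service" "$preinst" || return 1
    if [ -f "$postinst" ] && grep -Eq "deb-systemd-invoke[[:space:]]+(start|restart|reload|try-restart)|systemctl[[:space:]]+(start|restart|reload)" "$postinst"; then
        return 1
    fi
    return 0
}

# Read "nft list ruleset" output on stdin; after "nft flush ruleset" nft
# prints no table at all, so "no table line" means the firewall is gone.
ruleset_empty() {
    ! grep -Eq '^table[[:space:]]'
}

# apt hook (assumed file: /etc/apt/apt.conf.d/99-nftables-restore). After
# every dpkg run it starts nftables.service if the unit is enabled but was
# left inactive, which re-executes ExecStart and reloads /etc/nftables.conf.
apt_hook_text() {
    cat <<'EOF'
DPkg::Post-Invoke {
  "if [ -d /run/systemd/system ] && systemctl is-enabled --quiet nftables.service && ! systemctl is-active --quiet nftables.service; then systemctl start nftables.service; fi";
};
EOF
}

# Constructed sample maintainer scripts, written into DIR for the demo.
write_samples() {
    dir=$1
    # Copy of the Ubuntu preinst quoted in the report.
    cat >"$dir/nftables.preinst" <<'EOF'
#!/bin/sh
set -e
# Automatically added by dh_installsystemd/13.6ubuntu1
if [ -z "${DPKG_ROOT:-}" ] && [ "$1" = upgrade ] && [ -d /run/systemd/system ] ; then
        deb-systemd-invoke stop 'nftables.service' >/dev/null || true
fi
# End automatically added section
EOF
    # Postinst with no start/reload, as the report describes.
    printf '#!/bin/sh\nset -e\n' >"$dir/nftables.postinst"
    # Hypothetical postinst that does restart the unit (what a fix would add).
    printf "#!/bin/sh\nset -e\ndeb-systemd-invoke restart 'nftables.service' >/dev/null || true\n" >"$dir/nftables.postinst.fixed"
}

workdir=$(mktemp -d)
write_samples "$workdir"
if stop_without_restart "$workdir/nftables.preinst" "$workdir/nftables.postinst"; then
    echo "affected: preinst stops nftables.service, postinst never starts it again"
fi
if ! stop_without_restart "$workdir/nftables.preinst" "$workdir/nftables.postinst.fixed"; then
    echo "not affected with a postinst that restarts the service"
fi
# On a real host: nft list ruleset | ruleset_empty && echo "ruleset flushed"
printf '' | ruleset_empty && echo "empty nft output means the ruleset was flushed"
apt_hook_text
rm -rf "$workdir"
```

Run it on the upgraded host with the real paths (/var/lib/dpkg/info/nftables.preinst and .postinst) to confirm the package is affected, and pipe `nft list ruleset` into ruleset_empty right after `apt upgrade` to see whether the firewall is actually gone; installing the printed hook restores the ruleset at the end of the same apt run instead of at the next reboot.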