Comment 0 for bug 1984043

g1pi (g1pi) wrote:

Given the text of the preinstall script in the Ubuntu version of nftables (not in the Debian version),

# cat /var/lib/dpkg/info/nftables.preinst
#!/bin/sh
set -e
# Automatically added by dh_installsystemd/13.6ubuntu1
if [ -z "${DPKG_ROOT:-}" ] && [ "$1" = upgrade ] && [ -d /run/systemd/system ] ; then
        deb-systemd-invoke stop 'nftables.service' >/dev/null || true
fi
# End automatically added section

and the fact that there's no start or reload in the postinst script, upgrading or reinstalling the nftables package results in flushing the ruleset (as per the ExecStop variable in /lib/systemd/system/nftables), which won't be restored until the next reboot.

As a consequence, machines can be left exposed to attacks after an upgrade, or become unreachable if e.g. the ruleset contains a rule that NATs an unusual port to the ssh port (blocked by an external fw).

nftables version: 1.0.2-1ubuntu2
ubuntu version: 22.04.1

Best regards
g.b.
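One way to catch the condition described above from the defender's side, as an added example that is not part of the bug report and not the nftables package's own code: after a package upgrade, read the live ruleset and, if every table is gone, restore it from the persistent configuration. The check is written as functions that take the `nft list ruleset` text as an argument so the decision logic can be exercised on constructed samples without root or nft; the live path assumes /etc/nftables.conf is the file nftables.service loads on start (that path, the `--live` flag and the function names are this example's assumptions). Run it with `--live` from a root shell or from an apt `DPkg::Post-Invoke` hook after `apt upgrade`.

```shell
#!/bin/sh
# Added example: detect a ruleset flushed by nftables.service's ExecStop during
# a package upgrade and reload it. Not from the bug report or the nftables package.

# ASSUMPTION: the persistent ruleset lives in /etc/nftables.conf (overridable).
RULESET_CONF="${RULESET_CONF:-/etc/nftables.conf}"

# Return 0 if the given `nft list ruleset` output defines at least one table.
# An empty (flushed) ruleset prints nothing, so no line starts with "table ".
ruleset_has_tables() {
    printf '%s\n' "$1" | grep -q '^table '
}

# Map ruleset text to an action: "ok" if tables exist, "reload" if flushed.
ruleset_action() {
    if ruleset_has_tables "$1"; then
        echo ok
    else
        echo reload
    fi
}

# Live check: only meaningful on a host with nft installed and root privileges.
check_live_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 2; }
    live=$(nft list ruleset 2>/dev/null) || { echo "cannot read ruleset (root needed?)" >&2; return 2; }
    case $(ruleset_action "$live") in
        reload)
            echo "ruleset is empty; restoring from $RULESET_CONF" >&2
            nft -f "$RULESET_CONF"
            ;;
        ok)
            echo "ruleset present; nothing to do" >&2
            ;;
    esac
}

# Constructed sample outputs of `nft list ruleset` for the stand-alone demo.
EMPTY_RULESET=""
LOADED_RULESET="table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		ct state established,related accept
		tcp dport 22 accept
	}
}"

ruleset_action "$EMPTY_RULESET"    # prints: reload
ruleset_action "$LOADED_RULESET"   # prints: ok

# Hypothetical flag: perform the real check against the running kernel.
if [ "${1:-}" = "--live" ]; then
    check_live_ruleset
fi
```

The grep on `^table ` is deliberately coarse: the point is to distinguish "no ruleset at all" from "some ruleset", which is exactly the failure mode the upgrade produces; it does not try to verify that the loaded rules match the file.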