• Bug#1066874: miniupnpd-nftables: nft_init.sh clobbers all other FORWARD

    From Guyang Mao@21:1/5 to All on Thu Mar 14 20:00:01 2024
    Package: miniupnpd-nftables
    Version: 2.3.4-1
    Severity: important

    Dear Maintainer,

    I've changed my system to use nftables for firewall rules and found out that miniupnpd-nftables
    clobbered everything else on FORWARD.

    (specifically, docker containers)

    Looking at all the rules and nft_init.sh, it seems like creating the forward table for miniupnpd
    and setting the default policy to deny breaks everything. Changing the default policy to accept
    makes everything work again.



    -- System Information:
    Debian Release: trixie/sid
    APT prefers unstable
    APT policy: (500, 'unstable')
    Architecture: amd64 (x86_64)

    Kernel: Linux 6.1.0-9-amd64 (SMP w/4 CPU threads; PREEMPT)
    Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
    Shell: /bin/sh linked to /usr/bin/dash
    Init: systemd (via /run/systemd/system)
    LSM: AppArmor: enabled

    Versions of packages miniupnpd-nftables depends on:
    ii libc6 2.37-15.1
    ii libmnl0 1.0.5-2
    ii libnftnl11 1.2.6-2
    ii miniupnpd 2.3.4-1

    miniupnpd-nftables recommends no packages.

    miniupnpd-nftables suggests no packages.

    -- Configuration Files:
    /etc/miniupnpd/nft_init.sh changed:
    . "$(dirname "$0")/miniupnpd_functions.sh"

    # Nothing to do if the miniupnpd table already exists
    if $NFT --check list table inet "$TABLE" > /dev/null 2>&1
    then
        echo "Table $TABLE already exists"
        exit 0
    fi

    echo "Creating nftables structure"
    # Filter table: a base chain on the forward hook plus the chain miniupnpd fills
    cat > /tmp/miniupnpd.nft <<EOF
    table inet $TABLE {
        chain forward {
            type filter hook forward priority 0;
            # "drop" here also drops packets that forward chains in other
            # tables (e.g. docker's) have accepted, so the policy is accept
            policy accept;
            # miniupnpd
            jump $CHAIN
            # Add other rules here
        }
        # miniupnpd
        chain $CHAIN {
        }
    EOF

    # Close the filter table and open a separate NAT table if the names differ
    if [ "$TABLE" != "$NAT_TABLE" ]
    then
        cat >> /tmp/miniupnpd.nft <<EOF
    }
    table inet $NAT_TABLE {
    EOF
    fi

    # NAT base chains plus the chains miniupnpd adds its redirects to
    cat >> /tmp/miniupnpd.nft <<EOF
        chain prerouting {
            type nat hook prerouting priority -100;
            policy accept;
            # miniupnpd
            jump $PREROUTING_CHAIN
            # Add other rules here
        }
        chain postrouting {
            type nat hook postrouting priority 100;
            policy accept;
            # miniupnpd
            jump $POSTROUTING_CHAIN
            # Add other rules here
        }
        chain $PREROUTING_CHAIN {
        }
        chain $POSTROUTING_CHAIN {
        }
    }
    EOF

    # Load the generated ruleset atomically
    $NFT -f /tmp/miniupnpd.nft


    -- no debconf information
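The behaviour the report describes follows from how netfilter evaluates nftables base chains: every base chain registered on the forward hook, in any table, is traversed in priority order, and a packet has to be accepted by each of them, so a "policy drop" in the miniupnpd table is final even when another table's forward chain (docker's, for instance) already accepted the packet. The following Python model of that traversal is an added example, not part of the bug report or of miniupnpd; the "docker" table, its rule, the port number and the packets are constructed for illustration.

```python
# Added example: a small model of nftables hook traversal across several tables.
# Every base chain hooked on "forward" is evaluated in priority order; a packet
# continues only while each chain accepts it, and the first "drop" is final.
# Table/chain names mirror the bug report; the "docker" table is an assumption
# about what the container runtime installs, not taken from the report.

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Packet = Dict[str, object]                     # e.g. {"iif": "docker0", "dport": 443}
Rule = Callable[[Packet], Optional[str]]       # "accept" / "drop", or None if no match


@dataclass
class BaseChain:
    table: str
    name: str
    priority: int
    policy: str                                # chain policy: "accept" or "drop"
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:
            v = rule(pkt)
            if v is not None:
                return v
        return self.policy                     # no rule matched: policy applies


def forward_hook(chains: List[BaseChain], pkt: Packet) -> str:
    """Hook traversal: chains sorted by priority, first drop verdict wins."""
    for chain in sorted(chains, key=lambda c: c.priority):
        if chain.verdict(pkt) == "drop":
            return f"drop ({chain.table}/{chain.name})"
    return "accept"


# Constructed docker-style forward chain: lets container traffic out,
# and hands everything else on to the next base chain on the hook.
docker_forward = BaseChain("docker", "forward", 0, "accept", rules=[
    lambda p: "accept" if p.get("iif") == "docker0" else None,
])


def miniupnpd_table(policy: str) -> BaseChain:
    """miniupnpd's forward chain: only accepts the port forwards UPnP clients opened."""
    redirects = {8080}                         # constructed: one UPnP-opened port
    return BaseChain("miniupnpd", "forward", 0, policy, rules=[
        lambda p: "accept" if p.get("iif") == "eth0" and p.get("dport") in redirects else None,
    ])


# Constructed packets: one leaving a container, one arriving for the UPnP redirect
container_pkt: Packet = {"iif": "docker0", "oif": "eth0", "dport": 443}
upnp_pkt: Packet = {"iif": "eth0", "oif": "br0", "dport": 8080}


def outcome(policy: str, pkt: Packet) -> str:
    """Verdict for pkt with both tables installed and the given miniupnpd policy."""
    return forward_hook([docker_forward, miniupnpd_table(policy)], pkt)


if __name__ == "__main__":
    for policy in ("drop", "accept"):
        print(f"policy {policy}: container -> {outcome(policy, container_pkt)}, "
              f"upnp -> {outcome(policy, upnp_pkt)}")
```

Running it shows the container packet being dropped by miniupnpd/forward under "policy drop" although the docker chain accepted it, and passing once the policy is "accept"; the UPnP redirect passes either way because miniupnpd's own rule matches it. The same model also shows the other mitigation a defender has when a restrictive policy is wanted: an explicit accept rule for the container interface in the miniupnpd forward chain, which is not something the report tried.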
