Package: nftables
Version: 0.7-1
Severity: normal

Dear Maintainer,
The systemd unit file /lib/systemd/system/nftables.service should contain a Before=network-pre.target statement, so that firewall rules are established before network interfaces are up. Otherwise, there may be a small time window during which the host is not protected by the firewall. This is also recommended in the systemd documentation; see https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/ Furthermore, the unit should be WantedBy=network.target instead of WantedBy=multi-user.target, so that it is started when the network is started, even if the system is not in multi-user mode. Best regards, Martin --- /lib/systemd/system/nftables.service.ORIG 2017-07-02 13:27:00.310036693 +0200 +++ /lib/systemd/system/nftables.service 2017-07-02 13:31:24.827267347 +0200 @@ -1,6 +1,7 @@ [Unit] Description=nftables Documentation=man:nft(8) http://wiki.nftables.org +Before=network-pre.target [Service] Type=oneshot @@ -13,4 +14,4 @@ ExecStop=/usr/sbin/nft flush ruleset [Install] -WantedBy=multi-user.target +WantedBy=network.target -- System Information: Debian Release: buster/sid APT prefers testing APT policy: (500, 'testing'), (200, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-3-amd64 (SMP w/12 CPU cores) Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages nftables depends on: ii dpkg 1.18.24 ii init-system-helpers 1.48 ii libc6 2.24-12 ii libgmp10 2:6.1.2+dfsg-1 ii libmnl0 1.0.4-2 ii libnftnl4 1.0.7-1 ii libreadline7 7.0-3 ii libxtables12 1.6.0+snapshot20161117-6
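Review bot: In the first hunk, adding Before=network-pre.target on its own does not give the ordering the report asks for, because network-pre.target is a passive target that nothing pulls in by default; the NetworkTarget page linked in the report asks firewall units to add both Wants=network-pre.target and Before=network-pre.target. Suggest extending the hunk to `+Wants=network-pre.target` directly next to `+Before=network-pre.target` so that the target is actually pulled in and the ruleset is loaded before interfaces are configured, which closes the unprotected window the report describes.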
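Review bot: The second hunk's switch from WantedBy=multi-user.target to WantedBy=network.target makes starting the firewall depend on some other unit pulling in network.target (on Debian that is normally the network management service); on a host where nothing pulls it in, nftables.service would never be started at boot, whereas the existing WantedBy=multi-user.target starts it on every normal boot. The goal stated in the report, having the rules in place before the network comes up, is a question of ordering and is handled by the network-pre.target lines in the first hunk, so suggest keeping `WantedBy=multi-user.target` in the [Install] section and dropping this hunk.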