Package: nftables
Version: 0.9.8-3
Tags: fixed-in-experimental

Hi,

I wanted to raise awareness for an issue [1] that was originally filed by Michael Biebl but not further pursued in the nftables package AFAICS.

In Debian CI that isn't obvious, as the tests are all skipped:
https://ci.debian.net/data/autopkgtest/testing/amd64/f/firewalld/13738304/log.gz

But the Ubuntu CI flags the issue:
https://autopkgtest.ubuntu.com/results/autopkgtest-impish/impish/amd64/f/firewalld/20210510_135128_36f9c@/log.gz

I was looking into the case in [2] and found that in the meantime there is a fix for that [3] available upstream.

I see that there is nftables 0.9.9-1~exp1 in experimental and I have tagged this bug as fixed there. Surely we would not want to move to 0.9.9 in the current release while in the final freeze. But given that it would be a regression for upgraders buster->bullseye, I wonder if the isolated patch [3] should maybe be applied.

I have done so in an Ubuntu PPA [4] and re-run the firewalld tests against it. Those tests - and in general the issue of deleting too many icmp rules - are fixed by that.

[1]: https://github.com/firewalld/firewalld/issues/752
[2]: https://bugs.launchpad.net/ubuntu/+source/nftables/+bug/1936902
[3]: https://git.netfilter.org/nftables/commit/?id=533565244d88a818d8828ebabd7625e5a8a4c374
[4]: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4626/+packages

--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd