Package: nftables
Version: 1.1.5-1
Severity: normal
X-Debbugs-Cc: [email protected]
Dear Maintainer,
* What led up to the situation?
I tried to include files with the include directive in an nftables
config file.
* What exactly did you do (or not do) that was effective (or
ineffective)?
I am loading this file:
    #!/usr/bin/nft -f
    #
    flush ruleset
    table inet filter {
        chain input {
            type filter hook input priority 0;
            include "nftables-prometheus.*"
        }
    }
with /etc/nftables-prometheus.conf containing the following:
    tcp dport {9100} accept
I am loading the rules with the following command:
    nft -f nftables-test.conf
* What was the outcome of this action?
The nftables ruleset was:
    table inet filter {
        chain input {
            type filter hook input priority filter; policy accept;
            tcp dport 9100 accept
            tcp dport 9100 accept
        }
    }
The tcp dport 9100 accept statement appears twice.
* What outcome did you expect instead?
I expected the tcp dport 9100 accept statement to be there only
once.
* Further information
The same behaviour was found in nftables 1.1.3 (Debian 13) and
1.1.4 (unstable). I was not able to reproduce this on 1.1.5 on
Arch Linux.
Removing the wildcard in the include resolves the issue.
There are no other files matching the wildcard.
-- System Information:
Debian Release: forky/sid
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.16.3+deb14-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages nftables depends on:
ii libc6 2.41-12
ii libedit2 3.1-20250104-1
ii libnftables1 1.1.5-1
Versions of packages nftables recommends:
ii netbase 6.5
Versions of packages nftables suggests:
pn firewalld <none>
-- Configuration Files:
/etc/nftables.conf changed [not included]
-- no debconf information
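
A check for the symptom described in this report, as an added example (not part of the original report and not nftables code): it scans `nft list ruleset` output for rules that occur more than once in the same chain. The function names and the embedded sample listing are constructed for illustration.

```python
import re
import sys
from collections import Counter

# Constructed sample: the ruleset listing quoted in the report above.
SAMPLE = """\
table inet filter {
	chain input {
		type filter hook input priority filter; policy accept;
		tcp dport 9100 accept
		tcp dport 9100 accept
	}
}
"""

def normalise(rule):
    """Drop parts that differ between otherwise identical rules."""
    rule = re.sub(r"\s+# handle \d+$", "", rule)            # `nft -a` handles
    return re.sub(r"counter packets \d+ bytes \d+", "counter", rule)

def duplicate_rules(listing):
    """Return sorted (family, table, chain, rule, count) for repeated rules."""
    stack = []          # header words of every block we are currently inside
    counts = Counter()
    for raw in listing.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        bare = re.sub(r'"[^"]*"', '""', line)   # ignore braces in quoted strings
        net = bare.count("{") - bare.count("}")
        in_chain = (len(stack) == 2 and stack[0][0] == "table"
                    and stack[1][0] == "chain")
        if net > 0:                              # block opens (table, chain, set ...)
            stack.extend([line.split()] * net)
        elif net < 0:                            # block closes
            del stack[net:]
        elif in_chain and not line.startswith(("type ", "policy ", "comment ")):
            key = (stack[0][1], stack[0][2], stack[1][1], normalise(line))
            counts[key] += 1
    return sorted(key + (n,) for key, n in counts.items() if n > 1)

if __name__ == "__main__":
    # Pass "-" to read `nft list ruleset` output from stdin; default is SAMPLE.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE
    dups = duplicate_rules(text)
    for family, table, chain, rule, n in dups:
        print(f"{family} {table} {chain}: {n}x {rule}")
    sys.exit(1 if dups else 0)
```

Run after loading a ruleset, the non-zero exit status makes an unexpectedly repeated rule visible in a deployment or CI step.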