On 02.05.2025 at 11:50, Chris Hofstaedtler wrote:
I investigated a curious networking problem in Debian's autopkgtest
infrastructure along with Paul. We found that a recent (innocent) nftables
update caused needrestart to trigger a nftables.service restart which
flushed volatile firewall rules installed into the kernel by
lxc. Specifically by lxc-net.service, see /usr/libexec/lxc/lxc-net.
Isn't this really a bug in nftables and maybe lxc? If restarting a
service wipes its configuration, maybe it should be fixed there.

Chris
I ACK here. Also, for those kinds of special configurations a user can add an override for himself. I don't think this is a serious problem at all. If Thomas wants to add this to the upstream ignore list I am OK with it, but for this we should not do a stable update.
