Public bug reported:
Using `systemctl reload nftables` deletes the `table ip sshguard` and
`table ip6 sshguard` nftables entries and these entries do not appear to
be restored until a subsequent `systemctl restart sshguard` is
performed.
Therefore, editing `/etc/nftables.conf` to customize a firewall rule
(for example), then using `systemctl reload nftables` to apply the
change results in sshguard no longer blocking any blacklisted IPs.
It seems that sshguard's nftables backend either needs to hook into the
nftables reload process, or regularly check that its nftables entries
still exist, or the nftables reload process needs to avoid flushing
rulesets created by other services.
$ lsb_release -rd
No LSB modules are available.
Description:    Ubuntu 24.04.1 LTS
Release:        24.04
$ apt-cache policy nftables
nftables:
  Installed: 1.0.9-1build1
  Candidate: 1.0.9-1build1
  Version table:
 *** 1.0.9-1build1 500
        500 http://archive.ubuntu.com/ubuntu noble/main amd64 Packages
        100 /var/lib/dpkg/status
$ apt-cache policy sshguard
sshguard:
  Installed: 2.4.2-1
  Candidate: 2.4.2-1
  Version table:
 *** 2.4.2-1 500
        500 http://archive.ubuntu.com/ubuntu noble/universe amd64 Packages
        100 /var/lib/dpkg/status
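The following check is an added example, not part of the bug report or of the sshguard or nftables packages. It verifies that the two tables the report names (`table ip sshguard` and `table ip6 sshguard`) are still present in the output of `nft list tables`, so an operator can detect the failure mode described above right after a `systemctl reload nftables` instead of discovering it when blacklisted hosts are no longer blocked. The function reads the `nft list tables` text from stdin, so it can be exercised on captured output without root; the two sample outputs are constructed for illustration and assume an `/etc/nftables.conf` that begins with `flush ruleset`, which discards every table in the kernel, including those other services created.

```shell
#!/bin/sh
# Added example (not from the bug report): detect sshguard tables that were
# removed by an nftables reload. Table names are taken from the report.

# Return 0 if every expected sshguard table appears in the `nft list tables`
# output supplied on stdin; otherwise list the missing ones on stderr and
# return 1.
check_sshguard_tables() {
    tables=$(cat)
    missing=""
    for want in "table ip sshguard" "table ip6 sshguard"; do
        # -x: whole-line match, -F: fixed string (no regex interpretation)
        if ! printf '%s\n' "$tables" | grep -qxF "$want"; then
            missing="$missing${missing:+, }$want"
        fi
    done
    if [ -n "$missing" ]; then
        echo "sshguard nftables tables missing: $missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample: before the reload, sshguard's tables coexist with the
# table defined in /etc/nftables.conf (assumed here to be `inet filter`).
SAMPLE_BEFORE='table inet filter
table ip sshguard
table ip6 sshguard'

# Constructed sample: after `systemctl reload nftables` with a configuration
# that starts with `flush ruleset`, only the tables from nftables.conf remain.
SAMPLE_AFTER='table inet filter'

# Live use on the host (needs root), e.g. from a post-reload hook:
#   nft list tables | check_sshguard_tables || systemctl restart sshguard
```

Restarting sshguard when the check fails restores the blocks, which matches the workaround the report describes. A configuration-side alternative that also follows from the report is to avoid a global `flush ruleset` in `/etc/nftables.conf` and instead flush only the table the file itself defines (for example `flush table inet filter` before redefining it), so the reload leaves sshguard's tables untouched.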
** Affects: nftables (Ubuntu)
Importance: Undecided
Status: New
** Affects: sshguard (Ubuntu)
Importance: Undecided
Status: New
** Also affects: sshguard (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/2108012
Title:
nftables reload breaks sshguard