** Description changed: + [Availability] - * The package is present in universe and is built for all architectures. + * The package is already in universe and has been supported by Ubuntu + kernels since at least Ubuntu 18.04 LTS. It builds and is supported + on all Ubuntu architectures. [Rationale] - * nftables is the future CLI and backend for firewalling which should be - avalable on Ubuntu by default. + * nftables is the future CLI and backend for firewalling which should + be available on Ubuntu by default, and is the preferred tool by the + upstream kernel community. * iptables will be switching to nftables backened, but iptables - availability and usage will probably continue for forseeable future. It - is epxected that newer software will be adopting nftables directly, + availability and usage will probably continue for forseeable future. + It is expected that newer software will be adopting nftables directly, rather than via iptables compat tools. + + [Security] + + * There is no history of of vulnerabilities in the nftables user + space tools (CVE-2015-1573 is in the kernel portion of nftables). + + * The nftables binary package contains the binary `/usr/bin/nft` which + is neither setuid nor setgid. This binary is the utility that interacts + with and configures the nftables subsystem in the Linux kernel. + + * The package also includes a oneshot systemd service used during + boot to load the nftables configuration in /etc/nftables.conf. As + packaged in Debian, this service is disabled by default. + + * It interacts with and configures the network filtering as performed + by the Linux kernel. + + [Quality Assurance - function/usage] + + * The package works as installed; it does require enabling the systemd + oneshot service to automatically reload defined rules on boot. 
+ + [Quality assurance - maintenance] + + LP bugs: https://bugs.launchpad.net/ubuntu/+source/nftables/+bugs + Debian: https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no&src=nftables + Upstream: https://bugzilla.netfilter.org/buglist.cgi?bug_status=__open__&content=&no_redirect=1&order=Importance&product=nftables&query_format=specific + + * Ubuntu and Debian bugs are reasonably under control. Upstream has + a larger set of bugs that are mostly about parsing errors (flex/yacc + are complex) and documentation or feature requests. + + [Quality Assurance - testing] + + * Tests are not run at build time; there are many tests run during + autopkgtests across all architectures, but the more extensive ones + have been marked as flaky. Example autopkgtest log: + https://autopkgtest.ubuntu.com/results/autopkgtest-jammy/jammy/amd64/n/nftables/20220117_122101_70524@/log.gz + + [Quality Assurance - packaging] + + * A debian/watch file is present and works. Lintian reports + nothing substantial, just minor standards version lag as + well as debian/control missing the Rules-Requires-Root: field + (silent-on-rules-requiring-root). It does not depend on obsolete + or about to be demoted packages. There are no debconf settings or + questions. + + [UI Standards] + + * It is primarily a command line system tool that is sysadmin facing, + that does not contain translations. + + [Dependencies] + + * Documentation tools used during the build are in universe; all + runtime dependencies are in main. It uses libjannson for JSON handling, + not sure if there's a preferred JSON library in main. + + [Standards compliance] + + * This package correctly follows FHS and Debian Policy + + [Maintenance/Owner] + + * The ubuntu-security team is not yet but will be subscribed to + bugs for nftables. There are no static builds. 
There are some very + minor embedded code copies that are either disabled at build time + (system gmp is used over embedded mini-gmp) or are fairly small + (David Woodhouse's rbtree). It is relatively mature software with + active upstream commits (http://git.netfilter.org/nftables/log/) + as well as reasonably active maintenance in Debian. + + [Background information] + + * The package description explains the package well. The upstream + project is part of the larger netfilter project, and is documented + at https://netfilter.org/projects/nftables/index.html .
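Review bot: the [Security] and [Quality Assurance - function/usage] items describe the oneshot service as "disabled by default" without stating the consequence, which is the point a security reviewer needs: while the service is disabled, rules written to /etc/nftables.conf are not applied at boot, so a host that relies on that file comes up with no nft ruleset until an administrator enables the service. Suggest saying so explicitly in [Security] (for example "rules in /etc/nftables.conf take effect at boot only after the service is enabled") so that "disabled by default" is not read as a hardening property, and fix "of of" in the first [Security] bullet.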
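Review bot: the [Dependencies] item misspells the JSON library ("libjannson"); the package is libjansson, and the sentence "not sure if there's a preferred JSON library in main" leaves the dependency question open, so suggest replacing it with a statement of whether libjansson is in main, since that decides the point. Separately, the rewritten [Rationale] line still carries "forseeable" (should be "foreseeable") even though the neighbouring "epxected" was corrected in the same change.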
--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1887187

Title:
[MIR] nftables

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nftables/+bug/1887187/+subscriptions