** Description changed:

- [Availability]
* The package is already in universe and has been supported by Ubuntu kernels since at least Ubuntu 18.04 LTS. It builds and is supported on all Ubuntu architectures.

[Rationale]
* nftables is the future CLI and backend for firewalling which should be available on Ubuntu by default, and is the preferred tool by the upstream kernel community.
* iptables will be switching to nftables backend, but iptables availability and usage will probably continue for the foreseeable future. It is expected that newer software will be adopting nftables directly, rather than via iptables compat tools.

[Security]
* There is no history of vulnerabilities in the nftables user space tools (CVE-2015-1573 is in the kernel portion of nftables).
* The nftables binary package contains the binary `/usr/bin/nft` which is neither setuid nor setgid. This binary is the utility that interacts with and configures the nftables subsystem in the Linux kernel.
* The package also includes a oneshot systemd service used during boot to load the nftables configuration in /etc/nftables.conf. As packaged in Debian, this service is disabled by default.
* It interacts with and configures the network filtering as performed by the Linux kernel.

[Quality Assurance - function/usage]
* The package works as installed; it does require enabling the systemd oneshot service to automatically reload defined rules on boot.

[Quality assurance - maintenance]
LP bugs: https://bugs.launchpad.net/ubuntu/+source/nftables/+bugs
Debian: https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no&src=nftables
Upstream: https://bugzilla.netfilter.org/buglist.cgi?bug_status=__open__&content=&no_redirect=1&order=Importance&product=nftables&query_format=specific
* Ubuntu and Debian bugs are reasonably under control. Upstream has a larger set of bugs that are mostly about parsing errors (flex/yacc are complex) and documentation or feature requests.
[Quality Assurance - testing]
* Tests are not run at build time; there are many tests run during autopkgtests across all architectures, but the more extensive ones have been marked as flaky. Example autopkgtest log: https://autopkgtest.ubuntu.com/results/autopkgtest-jammy/jammy/amd64/n/nftables/20220117_122101_70524@/log.gz

[Quality Assurance - packaging]
* A debian/watch file is present and works. Lintian reports nothing substantial, just minor standards version lag as well as debian/control missing the Rules-Requires-Root: field (silent-on-rules-requiring-root). It does not depend on obsolete or about to be demoted packages. There are no debconf settings or questions.

[UI Standards]
* It is primarily a command line system tool that is sysadmin facing and does not contain translations.

[Dependencies]
* Documentation tools used during the build are in universe; all runtime dependencies are in main. It uses libjansson for JSON handling; not sure if there's a preferred JSON library in main.

[Standards compliance]
* This package correctly follows FHS and Debian Policy.

[Maintenance/Owner]
- * The ubuntu-security team is not yet but will be
- subscribed to bugs for nftables. There are no static
- builds. There are some very minor embedded code copies that
- are either disabled at build time (system gmp is used over
- embedded mini-gmp) or are fairly small (David Woodhouse's
- rbtree). It is relatively mature software with active
- upstream commits (http://git.netfilter.org/nftables/log/)
- as well as reasonably active maintenance in Debian.
+ * The ubuntu-security team is subscribed to bugs for
+ nftables. There are no static builds. There are some very
+ minor embedded code copies that are either disabled at
+ build time (system gmp is used over embedded mini-gmp)
+ or are fairly small (David Woodhouse's rbtree). It is
+ relatively mature software with active upstream commits
+ (http://git.netfilter.org/nftables/log/) as well as
+ reasonably active maintenance in Debian.

[Background information]
* The package description explains the package well. The upstream project is part of the larger netfilter project, and is documented at https://netfilter.org/projects/nftables/index.html
--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1887187

Title:
  [MIR] nftables

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nftables/+bug/1887187/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
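The [Security] and [Quality Assurance - function/usage] items in the report describe the packaged oneshot nftables.service, which replays /etc/nftables.conf at boot and ships disabled. As an added example, not part of the MIR or of the nftables project, the POSIX shell helpers below write a default-drop host ruleset to that path, parse-check it with `nft -c -f` (which validates the file without touching the live ruleset) and only then enable the unit with systemctl. The ruleset, the `nft-input-drop:` log prefix and the function names are assumptions; the 22/tcp rule stands in for whatever the host actually serves.

```shell
#!/bin/sh
# Added example, not from the MIR or the nftables project. Writes the file
# that the packaged nftables.service loads at boot, checks it, enables the
# unit. Ruleset contents and function names are assumptions.
set -eu

# Render a host firewall: inbound default-drop, loopback and established
# traffic accepted, ICMP and SSH (22/tcp, placeholder) accepted, rate-limited
# logging of everything else before the chain policy drops it.
render_nftables_conf() {
    cat <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept
        tcp dport 22 accept
        limit rate 10/second log prefix "nft-input-drop: "
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Write the ruleset to $1 (default: the path the service loads) and echo the
# path so callers can chain the check on it.
write_nftables_conf() {
    dest="${1:-/etc/nftables.conf}"
    render_nftables_conf > "$dest"
    chmod 0644 "$dest"
    printf '%s\n' "$dest"
}

# Parse and evaluate the file without applying it (nft -c). Skips with a
# notice when nft is not installed, so the helper also works on a build host.
check_nftables_conf() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        echo "nft not installed; skipping check of $1" >&2
    fi
}

# Enable the oneshot unit for future boots and load the rules now.
enable_nftables_service() {
    systemctl enable --now nftables.service
}

# Typical deployment, run as root:
#   f=$(write_nftables_conf) && check_nftables_conf "$f" && enable_nftables_service
```

Keeping the check step in front of the enable step matters because the unit replays the file at every boot: a syntax error that is only discovered then leaves the unit failed and the host running without the intended filtering.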