[Bug 1887187] Re: [MIR] nftables
This shows in component mismatches (seed change landed):

nftables: libnftables-dev libnftables1 nftables
  MIR: #1887187 (Fix Committed)
  [Reverse-Depends: Rescued from nftables (Uploader: paelzer) (Uploader: paelzer), Ubuntu.Jammy standard seed, nftables (Uploader: paelzer)]

It is only in jammy (not in proposed).
 nftables | 1.0.2-1ubuntu2 | jammy/universe | source, amd64, arm64, armhf, ppc64el, riscv64, s390x

Dependencies right now pull in only source + libnftables1 nftables - that is what I'll promote to avoid demoting the others later. If you want more e.g. -dev you'll need to seed/depend on it.

Override component to main
libnftables1 1.0.2-1ubuntu2 in jammy amd64: universe/libs/optional/100% -> main
libnftables1 1.0.2-1ubuntu2 in jammy arm64: universe/libs/optional/100% -> main
libnftables1 1.0.2-1ubuntu2 in jammy armhf: universe/libs/optional/100% -> main
libnftables1 1.0.2-1ubuntu2 in jammy ppc64el: universe/libs/optional/100% -> main
libnftables1 1.0.2-1ubuntu2 in jammy riscv64: universe/libs/optional/100% -> main
libnftables1 1.0.2-1ubuntu2 in jammy s390x: universe/libs/optional/100% -> main
nftables 1.0.2-1ubuntu2 in jammy amd64: universe/net/extra/100% -> main
nftables 1.0.2-1ubuntu2 in jammy arm64: universe/net/extra/100% -> main
nftables 1.0.2-1ubuntu2 in jammy armhf: universe/net/extra/100% -> main
nftables 1.0.2-1ubuntu2 in jammy ppc64el: universe/net/extra/100% -> main
nftables 1.0.2-1ubuntu2 in jammy riscv64: universe/net/extra/100% -> main
nftables 1.0.2-1ubuntu2 in jammy s390x: universe/net/extra/100% -> main
Override [y|N]? y
12 publications overridden.

$ ./change-override -c main -s jammy nftables --source-only
Override component to main
nftables 1.0.2-1ubuntu2 in jammy: universe/misc -> main
Override [y|N]? y
1 publication overridden.

** Changed in: nftables (Ubuntu)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1887187

Title:
  [MIR] nftables

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nftables/+bug/1887187/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1887187] Re: [MIR] nftables
** Changed in: nftables (Ubuntu)
       Status: Fix Committed => In Progress

** Changed in: nftables (Ubuntu)
     Assignee: Steve Beattie (sbeattie) => (unassigned)
[Bug 1887187] Re: [MIR] nftables
** Changed in: nftables (Ubuntu)
       Status: In Progress => Fix Committed
[Bug 1887187] Re: [MIR] nftables
The seed change[1] is approved; we are just waiting for the jammy beta block to be lifted to merge it.

1. https://code.launchpad.net/~alexmurray/ubuntu-seeds/+git/ubuntu-seeds/+merge/417621
[Bug 1887187] Re: [MIR] nftables
** Merge proposal linked:
   https://code.launchpad.net/~alexmurray/ubuntu-seeds/+git/ubuntu-seeds/+merge/417621
[Bug 1887187] Re: [MIR] nftables
Ok, summarizing the change

Required:
#1 embedded source => Done: security said that is ok for them
#2 symbols tracking => Done: resolved and improved via bug 1965464

Recommended:
#3 some vague security concerns => Done: did not come up in the security review
#4 does not have a test suite that runs at build time, please try to enable some tests at build time. We're good for now, though, as we have automated autopkgtests => Open: but not blocking
#5 The distutils package is deprecated => Thanks seth for the pointer, that is ok then as it will be resolved and should be ok in a future merge.

Overall, we are good to go now.
There is nothing in seeds or dependency yet, that would be up to you (?Steve B.?) to update.
Once done it would show up in component mismatches and we can promote it.
Assigning it back to you to be clear.

P.S. are there any follow on actions in packages using iptables to switch over? If so, could they be filed as bugs?

** Changed in: nftables (Ubuntu)
       Status: Incomplete => In Progress

** Changed in: nftables (Ubuntu)
     Assignee: (unassigned) => Steve Beattie (sbeattie)
[Bug 1887187] Re: [MIR] nftables
python distutils deprecation has been filed as a bug upstream at
https://bugzilla.netfilter.org/show_bug.cgi?id=1594

For the security review, while I did do some review while preparing the MIR request, I suspect it is preferable for the submitter to not also be the one to do the security review. Alex gracefully agreed to perform it, as seen above.

Yes, we would like to land this for 22.04 LTS, if possible. Thanks!

** Bug watch added: bugzilla.netfilter.org/ #1594
   http://bugzilla.netfilter.org/show_bug.cgi?id=1594

** Changed in: nftables (Ubuntu)
    Milestone: None => ubuntu-22.04-beta

** Changed in: nftables (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
[Bug 1887187] Re: [MIR] nftables
I reviewed nftables 1.0.2-1ubuntu1 as checked into jammy. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

nftables is a replacement for iptables etc - it provides userspace tooling to control the Netfilter packet classification system within the Linux kernel and can be used to implement firewall, advanced packet routing, traffic control and other use-cases.

- No CVE History
- Security relevant Build-Depends:
  - libjansson-dev for JSON parsing
  - libmnl-dev for netlink message handling
- pre/post inst/rm scripts
  - nftables binary package has autogenerated (by dh_installsystemd) scripts to setup systemd for nftables daemon service
  - python3-nftables binary package has autogenerated (by dh_python3) scripts to compile python files on install
- No init scripts
- systemd units for the nft daemon
  - Loads / unloads nft rules on startup / shutdown
  - Confines the daemon by using both ProtectSystem=full and ProtectHome=true so that it cannot write to /usr, /boot, /efi and /etc and that /home, /root and /run/user are inaccessible
- No dbus services
- No setuid binaries
- 1 binary in PATH
  - -rwxr-xr-x root/root 26856 2022-03-18 11:45 ./usr/sbin/nft
- No sudo fragments
- No polkit files
- No udev rules
- No unit tests run during build
- Autopkgtests
  - Runs the high level 'shell' based internal test suite
  - Runs internal nft monitor testsuite to ensure output of 'nft monitor' is as expected
  - Runs test of systemd service to ensure rules get loaded / unloaded appropriately by the systemd unit
  - Contains a reference to running the internal python-based regression testsuite of nft but this is commented out - I thought it might be easy to get this running (see LP: #1966017) but turns out there are still issues there so perhaps that is best left for a future task
- No cron jobs
- Clean build logs
- No processes spawned
- Lots of dynamic memory management (since it is written in C) but appears to be careful / defensive - exits with an error if it fails to allocate memory, which is fine as this is a command-line tool, and appears to check buffer sizes etc as needed
- File IO
  - Paths are specified in input files / rules etc as input
  - Files are not written to, only read from
- Logging appears careful and defensive
- Environment variable usage
  - HOME is used to store a history file for the cli interface to store past commands etc
- No apparent use of privileged functions
- No use of cryptography / random number sources etc
- No apparent use of temp files
- No direct use of networking
  - Uses netlink for communication with the kernel, but whilst this is socket based it does not allow remote access or any other such similar attack surface, nor does it handle untrusted input
- No use of WebKit
- No use of PolicyKit
- No significant cppcheck results
- Lots of Coverity results but none look super critical - given nftables is expected to handle only trusted input I can't see how they could be used to cross a security boundary etc
- Lots of shellcheck results generated by upstream 'shell' and 'monitor' test suites, but since these come from upstream and are part of the tests they can be safely ignored IMO

In general nftables looks well written and maintained - whilst it is a tool which interfaces directly with the kernel to manage complex security policies and so could be seen as a security risk, it is expected to only handle trusted input and so this reduces the threat model significantly.

Security team ACK for promoting nftables to main.
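The confinement the review describes (ProtectSystem=full plus ProtectHome=true around a oneshot loader that runs the rules at startup and flushes them at shutdown), written out as an illustrative unit. This is an added example, not the unit shipped in the nftables package; the Exec lines, the ordering targets and the /etc/nftables.conf path are assumptions, and the comments record which sandboxing directives a ruleset loader can and cannot tolerate.

```ini
# Illustrative hardened oneshot unit for loading an nftables ruleset.
# Added example: not the unit shipped by the Debian/Ubuntu nftables package.
[Unit]
Description=nftables ruleset loader (illustrative)
Documentation=man:nft(8)
# Firewall rules should be in place before the network comes up
# (assumed ordering; network-pre.target is the usual hook for this).
DefaultDependencies=no
Wants=network-pre.target
Before=network-pre.target shutdown.target
Conflicts=shutdown.target

[Service]
Type=oneshot
# Keep the unit "active" after nft returns so that ExecStop runs at
# shutdown: rules are loaded on startup and flushed on shutdown.
RemainAfterExit=yes
# Assumed paths: binary location as listed in the review, config path
# as given in the bug description.
ExecStart=/usr/sbin/nft -f /etc/nftables.conf
ExecReload=/usr/sbin/nft -f /etc/nftables.conf
ExecStop=/usr/sbin/nft flush ruleset

# --- confinement described in the security review ---
# /usr, /boot and /efi are mounted read-only; "full" also makes /etc
# read-only. A loader only reads /etc/nftables.conf, so this is enough.
ProtectSystem=full
# /home, /root and /run/user become inaccessible to the service.
ProtectHome=true

# --- directives NOT to add to a ruleset loader (they would break it) ---
# PrivateNetwork=yes   -> nft would program a private network namespace
#                         and the host's ruleset would stay untouched.
# CapabilityBoundingSet= without CAP_NET_ADMIN
#                      -> the netlink commit is rejected; nft needs
#                         CAP_NET_ADMIN to modify the kernel ruleset.

[Install]
WantedBy=sysinit.target
```

`systemd-analyze verify` on the unit file catches syntax errors before it is enabled, and `systemd-analyze security <unit>` scores the sandboxing directives that are actually in effect on a running system.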
[Bug 1887187] Re: [MIR] nftables
Thanks for the info Steve, glad to see progress on that.

If I might ask - what about the security review? I assume you have kind of done that already before trying to suggest to promote it, but formally security should state somewhere here that you have done your usual checks.

Oh and finally this hasn't a milestone yet, do you expect to make the change for 22.04 still or is this for later?
[Bug 1887187] Re: [MIR] nftables
For the required todos:

1) yes, the Ubuntu Security team is willing to maintain the embedded code copies.
2) debian symbols tracking: https://bugs.launchpad.net/ubuntu/+source/nftables/+bug/1965464

For the recommended todos, we will try to make progress on those.

Thanks!
[Bug 1887187] Re: [MIR] nftables
Marking as incomplete to reflect that there were TODOs identified.

This is on security twice now:
- security review
- driving the case overall

** Changed in: nftables (Ubuntu)
       Status: New => Incomplete
[Bug 1887187] Re: [MIR] nftables
** Changed in: nftables (Ubuntu)
       Status: Confirmed => New
[Bug 1887187] Re: [MIR] nftables
Review for Package: src:nftables

Author: @joalif
Reviewed-by: @slyon

[Summary]
nftables is the future CLI for firewalling which should be available on Ubuntu. iptables CLI switched to using a nftables backend, but will probably still exist for a while.

The package is looking good from a MIR perspective, except for missing symbols tracking of libnftables1 and an explicit agreement about the maintenance of the embedded sources.

MIR team ACK under the constraint to resolve the below listed required TODOs and as much as possible having a look at the recommended TODOs.

This does need a security review, so I'll assign ubuntu-security

List of specific binary packages to be promoted to main:
libnftables-dev_1.0.2-1_amd64.deb
libnftables1_1.0.2-1_amd64.deb
nftables_1.0.2-1_amd64.deb
python3-nftables_1.0.2-1_amd64.deb

Specific binary packages built, but NOT to be promoted to main:

Notes:
- The package is owned by ubuntu-security, so they might already have checked it. I'm still assigning it to ubuntu-security.
- The team bug subscriber is already set to ubuntu-security.

Required TODOs:
#1 embedded source present (as stated in bug description: src/rbtree.c), as the security team will be the maintainer of this package, we do not need security-team's agreement, but please explicitly state your willingness to also maintain those embedded sources in a comment.
#2 symbols tracking is not in place (we see a lintian warning about it), please create a .symbols file for libnftables1

Recommended TODOs:
#3 some vague security concerns have been raised, but as the security team will be the maintainer of this package I think it will be in good hands
#4 does not have a test suite that runs at build time, please try to enable some tests at build time. We're good for now, though, as we have automated autopkgtests
#5 The distutils package is deprecated (to be removed in Python 3.12), try to fix this build-time warning by switching to setuptools

[Duplication]
This package replaces iptables. (but iptables will still be around for a while)

[Dependencies]
OK:
- no other Dependencies to MIR due to this
  - checked with check-mir
  - not listed in seeded-in-ubuntu
  - none of the (potentially auto-generated) dependencies (Depends and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no static linking
- does not have odd Built-Using entries
- not a go package, no extra constraints to consider in that regard

Problems:
- embedded source present (as stated in bug description: src/rbtree.c)

[Security]
OK:
- history of CVEs does not look concerning
- does not use webkit1,2
- does not use lib*v8 directly
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)
- does not deal with security attestation (secure boot, tpm, signatures)

Problems:
- does parse data formats
- can be used to open a port/socket
- does not run a daemon as root, but a (one-shot) system service can be enabled to (re-)load the firewall rules at boot time

[Common blockers]
OK:
- does not FTBFS currently
- does have a non-trivial test suite that runs as autopkgtest
- no new python2 dependency
- Python package, but using dh_python (has a python part, using debhelper)

Problems:
- does not have a test suite that runs at build time
- test suite fails will fail the build upon error.
  (package has a test suite but cannot see it running while building, this suite runs as autopkgtest though)

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- It is not on the lto-disabled list

Problems:
- symbols tracking not in place
  I: libnftables1: no-symbols-control-file usr/lib/x86_64-linux-gnu/libnftables.so.1.1.0

[Upstream red flags]
OK:
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside tests)
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this case (user visible)?

Problems:
- DeprecationWarning during build:
  setup.py:2: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives
    from distutils.core import setup

** Changed in:
[Bug 1887187] Re: [MIR] nftables
** Changed in: nftables (Ubuntu)
     Assignee: (unassigned) => Ioanna Alifieraki (joalif)
[Bug 1887187] Re: [MIR] nftables
** Changed in: nftables (Ubuntu)
     Assignee: Seth Arnold (seth-arnold) => (unassigned)

** Changed in: nftables (Ubuntu)
       Status: Confirmed => New
[Bug 1887187] Re: [MIR] nftables
** Description changed: - [Availability] * The package is already in universe and has been supported by Ubuntu kernels since at least Ubuntu 18.04 LTS. It builds and is supported on all Ubuntu architectures. [Rationale] * nftables is the future CLI and backend for firewalling which should be available on Ubuntu by default, and is the preferred tool by the upstream kernel community. * iptables will be switching to nftables backend, but iptables availability and usage will probably continue for forseeable future. It is expected that newer software will be adopting nftables directly, rather than via iptables compat tools. [Security] * There is no history of of vulnerabilities in the nftables user space tools (CVE-2015-1573 is in the kernel portion of nftables). * The nftables binary package contains the binary `/usr/bin/nft` which is neither setuid nor setgid. This binary is the utility that interacts with and configures the nftables subsystem in the Linux kernel. * The package also includes a oneshot systemd service used during boot to load the nftables configuration in /etc/nftables.conf. As packaged in Debian, this service is disabled by default. * It interacts with and configures the network filtering as performed by the Linux kernel. [Quality Assurance - function/usage] * The package works as installed; it does require enabling the systemd oneshot service to automatically reload defined rules on boot. [Quality assurance - maintenance] LP bugs: https://bugs.launchpad.net/ubuntu/+source/nftables/+bugs Debian: https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no=nftables Upstream: https://bugzilla.netfilter.org/buglist.cgi?bug_status=__open__=_redirect=1=Importance=nftables_format=specific * Ubuntu and Debian bugs are reasonably under control. Upstream has a larger set of bugs that are mostly about parsing errors (flex/yacc are complex) and documentation or feature requests. 
[Quality Assurance - testing] * Tests are not run at build time; there are many tests run during autopkgtests across all architectures, but the more extensive ones have been marked as flaky. Example autopkgtest log: https://autopkgtest.ubuntu.com/results/autopkgtest-jammy/jammy/amd64/n/nftables/20220117_122101_70524@/log.gz [Quality Assurance - packaging] * A debian/watch file is present and works. Lintian reports nothing substantial, just minor standards version lag as well as debian/control missing the Rules-Requires-Root: field (silent-on-rules-requiring-root). It does not depend on obsolete or about to be demoted packages. There are no debconf settings or questions. [UI Standards] * It is primarily a command line system tool that is sysadmin facing, that does not contain translations. [Dependencies] * Documentation tools used during the build are in universe; all runtime dependencies are in main. It uses libjannson for JSON handling, not sure if there's a preferred JSON library in main. [Standards compliance] * This package correctly follows FHS and Debian Policy [Maintenance/Owner] - * The ubuntu-security team is not yet but will be - subscribed to bugs for nftables. There are no static - builds. There are some very minor embedded code copies that - are either disabled at build time (system gmp is used over - embedded mini-gmp) or are fairly small (David Woodhouse's - rbtree). It is relatively mature software with active - upstream commits (http://git.netfilter.org/nftables/log/) - as well as reasonably active maintenance in Debian. + * The ubuntu-security team is subscribed to bugs for + nftables. There are no static builds. There are some very + minor embedded code copies that are either disabled at + build time (system gmp is used over embedded mini-gmp) + or are fairly small (David Woodhouse's rbtree). 
It is + relatively mature software with active upstream commits + (http://git.netfilter.org/nftables/log/) as well as + reasonably active maintenance in Debian. [Background information] * The package description explains the package well. The upstream project is part of the larger netfilter project, and is documented at https://netfilter.org/projects/nftables/index.html
[Bug 1887187] Re: [MIR] nftables
** Description changed: [Availability] - * The package is already in universe and has been supported by Ubuntu - kernels since at least Ubuntu 18.04 LTS. It builds and is supported - on all Ubuntu architectures. + * The package is already in universe and has been supported + by Ubuntu kernels since at least Ubuntu 18.04 LTS. It + builds and is supported on all Ubuntu architectures. [Rationale] - * nftables is the future CLI and backend for firewalling which should - be available on Ubuntu by default, and is the preferred tool by the - upstream kernel community. + * nftables is the future CLI and backend for firewalling + which should be available on Ubuntu by default, and is + the preferred tool by the upstream kernel community. - * iptables will be switching to nftables backened, but iptables - availability and usage will probably continue for forseeable future. - It is expected that newer software will be adopting nftables directly, - rather than via iptables compat tools. + * iptables will be switching to nftables backend, but + iptables availability and usage will probably continue for + forseeable future. It is expected that newer software will + be adopting nftables directly, rather than via iptables + compat tools. [Security] - * There is no history of of vulnerabilities in the nftables user - space tools (CVE-2015-1573 is in the kernel portion of nftables). + * There is no history of of vulnerabilities in the nftables + user space tools (CVE-2015-1573 is in the kernel portion + of nftables). - * The nftables binary package contains the binary `/usr/bin/nft` which - is neither setuid nor setgid. This binary is the utility that interacts - with and configures the nftables subsystem in the Linux kernel. + * The nftables binary package contains the binary + `/usr/bin/nft` which is neither setuid nor setgid. This + binary is the utility that interacts with and configures + the nftables subsystem in the Linux kernel. 
- * The package also includes a oneshot systemd service used during - boot to load the nftables configuration in /etc/nftables.conf. As - packaged in Debian, this service is disabled by default. + * The package also includes a oneshot systemd service + used during boot to load the nftables configuration in + /etc/nftables.conf. As packaged in Debian, this service + is disabled by default. - * It interacts with and configures the network filtering as performed - by the Linux kernel. + * It interacts with and configures the network filtering + as performed by the Linux kernel. [Quality Assurance - function/usage] - * The package works as installed; it does require enabling the systemd - oneshot service to automatically reload defined rules on boot. + * The package works as installed; it does require enabling + the systemd oneshot service to automatically reload defined + rules on boot. [Quality assurance - maintenance] LP bugs: https://bugs.launchpad.net/ubuntu/+source/nftables/+bugs Debian: https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no=nftables Upstream: https://bugzilla.netfilter.org/buglist.cgi?bug_status=__open__=_redirect=1=Importance=nftables_format=specific - * Ubuntu and Debian bugs are reasonably under control. Upstream has - a larger set of bugs that are mostly about parsing errors (flex/yacc - are complex) and documentation or feature requests. + * Ubuntu and Debian bugs are reasonably under + control. Upstream has a larger set of bugs that are + mostly about parsing errors (flex/yacc are complex) and + documentation or feature requests. [Quality Assurance - testing] - * Tests are not run at build time; there are many tests run during - autopkgtests across all architectures, but the more extensive ones - have been marked as flaky. Example autopkgtest log: + * Tests are not run at build time; there are many tests + run during autopkgtests across all architectures, but the + more extensive ones have been marked as flaky. 
Example + autopkgtest log: https://autopkgtest.ubuntu.com/results/autopkgtest-jammy/jammy/amd64/n/nftables/20220117_122101_70524@/log.gz [Quality Assurance - packaging] * A debian/watch file is present and works. Lintian reports nothing substantial, just minor standards version lag as - well as debian/control missing the Rules-Requires-Root: field - (silent-on-rules-requiring-root). It does not depend on obsolete - or about to be demoted packages. There are no debconf settings or - questions. + well as debian/control missing the Rules-Requires-Root: + field (silent-on-rules-requiring-root). It does not depend + on obsolete or about to be demoted packages. There are no + debconf settings or questions. [UI Standards] - * It is primarily a command line system tool that is sysadmin facing, - that does not contain translations. + * It is primarily a command line system tool that is + sysadmin facing, that does not contain translations. [Dependencies] -
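Review bot: the rewrap fixes "backened" but carries two other typos through unchanged in the + lines: "continue for forseeable future" in [Rationale] (should read "for the foreseeable future") and "no history of of vulnerabilities" in [Security]; since these paragraphs are being re-flowed anyway, correct them in the same edit.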
[Bug 1887187] Re: [MIR] nftables
** Description changed:

+ [Availability]
- * The package is present in universe and is built for all architectures.
+ * The package is already in universe and has been supported by Ubuntu
+ kernels since at least Ubuntu 18.04 LTS. It builds and is supported
+ on all Ubuntu architectures.
  [Rationale]
- * nftables is the future CLI and backend for firewalling which should be
- avalable on Ubuntu by default.
+ * nftables is the future CLI and backend for firewalling which should
+ be available on Ubuntu by default, and is the preferred tool by the
+ upstream kernel community.
  * iptables will be switching to nftables backened, but iptables
- availability and usage will probably continue for forseeable future. It
- is epxected that newer software will be adopting nftables directly,
+ availability and usage will probably continue for forseeable future.
+ It is expected that newer software will be adopting nftables directly,
  rather than via iptables compat tools.
+
+ [Security]
+
+ * There is no history of of vulnerabilities in the nftables user
+ space tools (CVE-2015-1573 is in the kernel portion of nftables).
+
+ * The nftables binary package contains the binary `/usr/bin/nft` which
+ is neither setuid nor setgid. This binary is the utility that interacts
+ with and configures the nftables subsystem in the Linux kernel.
+
+ * The package also includes a oneshot systemd service used during
+ boot to load the nftables configuration in /etc/nftables.conf. As
+ packaged in Debian, this service is disabled by default.
+
+ * It interacts with and configures the network filtering as performed
+ by the Linux kernel.
+
+ [Quality Assurance - function/usage]
+
+ * The package works as installed; it does require enabling the systemd
+ oneshot service to automatically reload defined rules on boot.
+
+ [Quality assurance - maintenance]
+
+ LP bugs: https://bugs.launchpad.net/ubuntu/+source/nftables/+bugs
+ Debian: https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no=nftables
+ Upstream: https://bugzilla.netfilter.org/buglist.cgi?bug_status=__open__=_redirect=1=Importance=nftables_format=specific
+
+ * Ubuntu and Debian bugs are reasonably under control. Upstream has
+ a larger set of bugs that are mostly about parsing errors (flex/yacc
+ are complex) and documentation or feature requests.
+
+ [Quality Assurance - testing]
+
+ * Tests are not run at build time; there are many tests run during
+ autopkgtests across all architectures, but the more extensive ones
+ have been marked as flaky. Example autopkgtest log:
+ https://autopkgtest.ubuntu.com/results/autopkgtest-jammy/jammy/amd64/n/nftables/20220117_122101_70524@/log.gz
+
+ [Quality Assurance - packaging]
+
+ * A debian/watch file is present and works. Lintian reports
+ nothing substantial, just minor standards version lag as
+ well as debian/control missing the Rules-Requires-Root: field
+ (silent-on-rules-requiring-root). It does not depend on obsolete
+ or about to be demoted packages. There are no debconf settings or
+ questions.
+
+ [UI Standards]
+
+ * It is primarily a command line system tool that is sysadmin facing,
+ that does not contain translations.
+
+ [Dependencies]
+
+ * Documentation tools used during the build are in universe; all
+ runtime dependencies are in main. It uses libjannson for JSON handling,
+ not sure if there's a preferred JSON library in main.
+
+ [Standards compliance]
+
+ * This package correctly follows FHS and Debian Policy
+
+ [Maintenance/Owner]
+
+ * The ubuntu-security team is not yet but will be subscribed to
+ bugs for nftables. There are no static builds. There are some very
+ minor embedded code copies that are either disabled at build time
+ (system gmp is used over embedded mini-gmp) or are fairly small
+ (David Woodhouse's rbtree). It is relatively mature software with
+ active upstream commits (http://git.netfilter.org/nftables/log/)
+ as well as reasonably active maintenance in Debian.
+
+ [Background information]
+
+ * The package description explains the package well. The upstream
+ project is part of the larger netfilter project, and is documented
+ at https://netfilter.org/projects/nftables/index.html .

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1887187

Title:
  [MIR] nftables

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nftables/+bug/1887187/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
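The [Security] and [Quality Assurance - function/usage] items in the description above are claims an operator can verify on an installed system: /usr/bin/nft carries no setuid or setgid bit, the nftables.service oneshot is disabled unless deliberately enabled, and /etc/nftables.conf parses before that service is allowed to load it at boot. The script below is an added example written for this page; it is not part of the bug thread, of the Debian packaging, or of the nftables project. It assumes GNU coreutils stat(1) for the mode check, and systemd plus an nft binary on PATH for the other two checks (those report SKIP when absent). The file name nft_mir_audit.sh used in the guard at the bottom is an assumption, and NFT_BIN is a hypothetical override variable.

```shell
#!/bin/sh
# Added example (not from the bug thread or the nftables package): audit the
# claims made in the MIR [Security] section on a running Ubuntu system.
# Assumes GNU coreutils stat(1) (-c '%a'); the service and ruleset checks
# additionally assume systemd and an nft binary on PATH.

# has_setid_bit FILE: succeed (0) when FILE carries the setuid or setgid bit.
# stat prints the mode in octal; a fourth (leading) digit, when present,
# holds setuid=4, setgid=2, sticky=1. Returns 2 if FILE cannot be stat'ed.
has_setid_bit() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    case $mode in
        ????) high=${mode%???} ;;   # four digits: keep the special-bits digit
        *)    high=0 ;;             # three digits: no special bits set
    esac
    [ $(( high & 6 )) -ne 0 ]
}

# audit_nft_binary PATH: the MIR states /usr/bin/nft is neither setuid nor
# setgid, so it runs only with the privileges of whoever invokes it.
# Succeeds when PATH exists, is executable and carries no setuid/setgid bit.
audit_nft_binary() {
    if [ ! -x "$1" ]; then
        echo "FAIL: $1 missing or not executable" >&2
        return 1
    fi
    if has_setid_bit "$1"; then
        echo "FAIL: unexpected setuid/setgid bit on $1" >&2
        return 1
    fi
    echo "OK: $1 has no setuid/setgid bit"
}

# check_ruleset FILE: dry-run parse of the ruleset with `nft -c -f` so a
# syntax error surfaces now rather than when the oneshot service loads the
# file at boot. Returns 2 when nft is not installed.
check_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "SKIP: nft not installed" >&2; return 2; }
    nft -c -f "$1"
}

# report_service_state: the MIR notes nftables.service is disabled by
# default; print what systemd reports so the operator can confirm it was
# enabled on purpose. Returns 2 when systemctl is unavailable.
report_service_state() {
    command -v systemctl >/dev/null 2>&1 || { echo "SKIP: no systemd" >&2; return 2; }
    printf 'nftables.service: %s\n' \
        "$(systemctl is-enabled nftables.service 2>/dev/null || echo unknown)"
}

main() {
    audit_nft_binary "${NFT_BIN:-/usr/bin/nft}"   # NFT_BIN: hypothetical override
    report_service_state
    if [ -r /etc/nftables.conf ]; then
        check_ruleset /etc/nftables.conf
    fi
}

# Run the audit only when executed under the assumed file name, so the
# functions can also be sourced into another script without side effects.
if [ "${0##*/}" = "nft_mir_audit.sh" ]; then
    main
fi
```

Save it as nft_mir_audit.sh and run it with `sh nft_mir_audit.sh`; a FAIL line for the binary check is the signal worth investigating, since a setuid nft would let any local user rewrite the host's packet filter.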
[Bug 1887187] Re: [MIR] nftables
https://media.giphy.com/media/FoH28ucxZFJZu/giphy.gif
[Bug 1887187] Re: [MIR] nftables
Could we get this in time for the next LTS? Even the bionic kernel supports nftables, and we missed this in focal too.
[Bug 1887187] Re: [MIR] nftables
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: nftables (Ubuntu)
       Status: New => Confirmed
[Bug 1887187] Re: [MIR] nftables
Hi Xnox,
I think you misinterpreted the sarnold assignment as waiting for security review. It wasn't that far.
This was waiting for #4: quoting "... I think the MIR preparations will be done by the Security Team, who will own nftables itself, too."

Only once that is done and fully opened it will go
1. MIR Team review
2. (likely) security team review

From the MIR team the info that this might not be as fast as you'd like:
[16:50] to quote "... I think the MIR preparations will be done by the Security Team, who will own nftables itself, too."
[16:51] cpaelzer: I can re-raise it at our next team meeting, but given $everything I can't imagine it'll be a priority for the team to push on this
[16:52] ok sarnold, I'll update the bug accordingly and re-assign it to you for doing that
[16:52] cpaelzer: cool, thanks

** Changed in: nftables (Ubuntu)
     Assignee: (unassigned) => Seth Arnold (seth-arnold)
[Bug 1887187] Re: [MIR] nftables
In trello, there is no assignee to perform the security review. Thus removing assignee.

@ Security Team, when and who can do security review of nftables? We are overdue to seed nftables by default.

** Changed in: nftables (Ubuntu)
   Importance: Undecided => Critical

** Changed in: nftables (Ubuntu)
       Status: Incomplete => New

** Changed in: nftables (Ubuntu)
     Assignee: Seth Arnold (seth-arnold) => (unassigned)

** Information type changed from Public to Public Security
[Bug 1887187] Re: [MIR] nftables
Ok rbalint, since it is incomplete we need to reflect that this is waiting on someone. Re-reading the discussion so far, that someone is sarnold, whom I am assigning to this bug for now.

** Changed in: nftables (Ubuntu)
     Assignee: (unassigned) => Seth Arnold (seth-arnold)
[Bug 1887187] Re: [MIR] nftables
keep this MIR alive
[Bug 1887187] Re: [MIR] nftables
** Changed in: nftables (Ubuntu)
       Status: Expired => Incomplete
[Bug 1887187] Re: [MIR] nftables
[Expired for nftables (Ubuntu) because there has been no activity for 60 days.]

** Changed in: nftables (Ubuntu)
       Status: Incomplete => Expired
[Bug 1887187] Re: [MIR] nftables
Assigned to sarnold for security then, re-open when you think it is ready and the team actually has a chance to focus on it.

** Changed in: nftables (Ubuntu)
       Status: New => Incomplete
[Bug 1887187] Re: [MIR] nftables
** Description changed:

  [Availability]
  * The package is present in universe and is built for all architectures.
  [Rationale]
- * nftables is replacing iptables as the default CLI interface to
- interact with the Netfilter framework and to help that iptables is
- planned to Recommend: nftables.
+ * nftables is the future CLI and backend for firewalling which should be
+ avalable on Ubuntu by default.
- ... TODO
+ * iptables will be switching to nftables backened, but iptables
+ availability and usage will probably continue for forseeable future. It
+ is epxected that newer software will be adopting nftables directly,
+ rather than via iptables compat tools.

** Changed in: nftables (Ubuntu)
       Status: Incomplete => New
[Bug 1887187] Re: [MIR] nftables
@paelzer This is not planned for 20.10 because in the 20.10 cycle only the iptables backend has been changed to nft. I can't comment on the timing of this MIR because I think the MIR preparations will be done by the Security Team, who will own nftables itself, too.
[Bug 1887187] Re: [MIR] nftables
Thanks Seth, but since it is yet incomplete let us set the state to it. That way we will see it in the incomplete list but know that we can't action yet.

@RBalint - what is the schedule on this 21.04?

** Changed in: nftables (Ubuntu)
       Status: Confirmed => Incomplete
[Bug 1887187] Re: [MIR] nftables
(subscribing ubuntu-mir even though this isn't done yet, just in case that was overlooked :)
[Bug 1887187] Re: [MIR] nftables
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: nftables (Ubuntu)
       Status: New => Confirmed
[Bug 1887187] Re: [MIR] nftables
** Tags added: id-5eab0494b1f7785110eb0898