I figured something else out that I believe makes this a much less complicated problem to solve.
It turns out that Ubuntu, despite having nftables installed by default, does not directly have /usr/sbin/nft invoked by the UFW binary. In reality, UFW configures its rules via /usr/sbin/iptables, which is by default a symlink to /etc/alternatives/iptables, which is a symlink to /usr/sbin/iptables-nft. However, NetworkManager defaults to using /usr/sbin/nft if it's installed, even though we really probably want it to go through /etc/alternatives/iptables, since it seems like the UFW (and I think also Docker's) rules are being directly set there (and I'm guessing that's why I am not having any luck overriding them via /usr/sbin/nft).

We discussed this internally, and we think the most appropriate approach would be to override the default firewall backend via a config option, which is already possible without any changes to upstream NM itself. I'll submit a PR to Ubuntu's NM to install the following config:

debian/default-firewall-use-iptables.conf:

    [main]
    firewall-backend = iptables

https://bugs.launchpad.net/bugs/2128668
Title: Wi-Fi hotspot startup does not configure firewalls as needed for internet sharing
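Added example, not code from this bug report or from NetworkManager or ufw: a POSIX shell check that follows the /usr/sbin/iptables alternatives chain ufw goes through and reads the firewall-backend setting out of NetworkManager's config files in the order NM applies them, so the two can be compared before and after dropping in a file like the one above. It assumes NM's documented behaviour that later config files override earlier ones and that the default is nftables whenever an nft binary exists; the function and sample file names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the bug report or from NetworkManager:
# compare what ufw's /usr/sbin/iptables really is with the firewall
# backend NetworkManager will choose from its config files.

# Print the firewall-backend value from the [main] section of the
# last file (in argument order) that sets it. NetworkManager applies
# later files over earlier ones, so the last one wins; unreadable
# files are skipped and nothing is printed when no file sets it.
nm_firewall_backend_setting() {
    val=
    for f in "$@"; do
        [ -r "$f" ] || continue
        v=$(awk '
            /^\[/ { in_main = ($0 == "[main]") }
            in_main && /^[[:space:]]*firewall-backend[[:space:]]*=/ {
                sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]*$/, ""); val = $0
            }
            END { if (val != "") print val }' "$f")
        [ -n "$v" ] && val=$v
    done
    [ -n "$val" ] && printf '%s\n' "$val"
    return 0
}

# Effective backend: the explicit setting if any, else NM's default of
# nftables when an nft binary is present, else iptables. $1 = nft path
# to probe; remaining args = config files in NM's read order (usually
# /usr/lib/NetworkManager/conf.d, /run/NetworkManager/conf.d,
# /etc/NetworkManager/NetworkManager.conf, /etc/NetworkManager/conf.d).
nm_effective_firewall_backend() {
    nft_path=$1; shift
    val=$(nm_firewall_backend_setting "$@")
    if [ -n "$val" ]; then printf '%s\n' "$val"
    elif [ -x "$nft_path" ]; then echo nftables
    else echo iptables
    fi
}

# Follow the alternatives symlink chain of an iptables binary and report
# whether it ends at the nft-based or the legacy front end.
iptables_flavor() {
    target=$(readlink -f "$1") || return 1
    case "$target" in
        *-nft)    echo nft ;;
        *-legacy) echo legacy ;;
        *)        echo unknown ;;
    esac
}
```

On a live system, run iptables_flavor /usr/sbin/iptables beside nm_effective_firewall_backend /usr/sbin/nft followed by the real config paths; if the first says nft while the second says nftables, NM and ufw are still talking to the kernel through different front ends.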
