Bug#984570: orphan-sysvinit-scripts: nftables interaction with local iptables script
Gedalya
gedalya at gedalya.net
Fri Mar 5 10:30:19 GMT 2021
Package: orphan-sysvinit-scripts
Version: 0.07
Hi,
I just got orphan-sysvinit-scripts pulled in on a few boxes where I happen to have nftables installed but rules are still defined and loaded by iptables, called by a locally-defined init script.
/etc/rcS.d/ contains (among others):
S10iptables-rules
S11networking
S12nftables
Since /etc/nftables.conf is empty (as shipped), this ends up wiping out my rules, and I need to fix that with 'update-rc.d nftables remove'.
Perhaps a NEWS entry should be made for this, or more aggressively, users should be advised to 'update-rc.d nftables defaults' as they see fit, considering they have lived thus far without a distribution-shipped init script.
Another comment: my iptables-rules init script says:
# Required-Start: $local_fs
# Required-Stop:
# Default-Start: S
# Default-Stop:
which makes sense to me. The points: load the rules before any network interfaces are brought up, and, why would I ever want the rules to be automatically unloaded during shutdown?
By contrast, the nftables script says:
# Required-Start: $local_fs $network
# Required-Stop: $local_fs $network
# Should-Start:
# Default-Start: S
# Default-Stop: 0 1 6
This one has stop actions (which actually flush the ruleset) and loads *after* network interfaces are already up.
Thanks,
Gedalya
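To make the two points above checkable on a box (the rcS.d start ordering, and the LSB header differences between the two scripts), here is an added POSIX sh example; it is not part of this bug report or of the orphan-sysvinit-scripts package. It builds a throwaway tree mirroring the listing and headers quoted in the mail, and it assumes, as the report implies, that the nftables start action loads /etc/nftables.conf with nft -f. The function names, the sample tree and the check thresholds are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the bug report): inspect LSB init headers and an
# rcS.d-style directory for the two issues described in the mail:
#   1. nftables sequenced after a local iptables rules script, so its start
#      action (assumed: nft -f /etc/nftables.conf) runs on top of the rules
#      that script just loaded;
#   2. header differences: $network in Required-Start (starts after interfaces
#      are up) and a non-empty Default-Stop (stop action runs at shutdown).
# All paths are parameters; build_sample_tree() makes a constructed sample.

# Value of one LSB header field (e.g. Required-Start) from an init script.
lsb_field() {
    sed -n "s/^# $2:[[:space:]]*//p" "$1" | head -n 1
}

# 0 if Required-Start lists $network, i.e. insserv orders the script after
# networking; 1 otherwise.
starts_after_network() {
    lsb_field "$1" Required-Start | grep -q '\$network'
}

# 0 if Default-Stop names any runlevel, so K links are installed and the
# stop action (for nftables, a ruleset flush) runs on halt/reboot.
stops_on_shutdown() {
    [ -n "$(lsb_field "$1" Default-Stop)" ]
}

# Two-digit sequence number of S<NN><name> in an rc directory; 1 if absent.
seq_of() {
    for f in "$1"/S[0-9][0-9]"$2"; do
        [ -e "$f" ] || continue
        b=$(basename "$f")
        printf '%s\n' "$b" | cut -c2-3
        return 0
    done
    return 1
}

# 0 when nftables is enabled in the directory and sequenced after the local
# rules script named in $2; 1 otherwise (either link missing, or nftables first).
nft_starts_after() {
    s_local=$(seq_of "$1" "$2") || return 1
    s_nft=$(seq_of "$1" nftables) || return 1
    [ "$s_nft" -gt "$s_local" ]
}

# Constructed sample tree: the rcS.d links and the two header blocks quoted
# in the mail. Prints the tree's root directory.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/rcS.d" "$root/init.d"
    cat > "$root/init.d/iptables-rules" <<'EOF'
#!/bin/sh
### BEGIN INIT INFO
# Provides:          iptables-rules
# Required-Start:    $local_fs
# Required-Stop:
# Default-Start:     S
# Default-Stop:
### END INIT INFO
EOF
    cat > "$root/init.d/nftables" <<'EOF'
#!/bin/sh
### BEGIN INIT INFO
# Provides:          nftables
# Required-Start:    $local_fs $network
# Required-Stop:     $local_fs $network
# Should-Start:
# Default-Start:     S
# Default-Stop:      0 1 6
### END INIT INFO
EOF
    ln -s ../init.d/iptables-rules "$root/rcS.d/S10iptables-rules"
    : > "$root/rcS.d/S11networking"
    ln -s ../init.d/nftables "$root/rcS.d/S12nftables"
    printf '%s\n' "$root"
}

# Print the findings for the sample tree; swap in /etc/rcS.d and /etc/init.d
# to inspect a real system (read-only: nothing here touches the ruleset).
report() {
    root=$(build_sample_tree)
    rcd="$root/rcS.d"; initd="$root/init.d"
    echo "Start order in $rcd:"
    for f in "$rcd"/S[0-9][0-9]*; do basename "$f"; done | sort
    if nft_starts_after "$rcd" iptables-rules; then
        echo "WARNING: nftables starts after iptables-rules; nft -f nftables.conf runs on top of the locally loaded rules"
    fi
    for s in iptables-rules nftables; do
        starts_after_network "$initd/$s" && echo "$s: Required-Start has \$network (starts after interfaces are up)"
        stops_on_shutdown "$initd/$s" && echo "$s: Default-Stop='$(lsb_field "$initd/$s" Default-Stop)' (stop action runs at shutdown)"
    done
    rm -rf "$root"
}
report
```

On a real system the same functions take /etc/rcS.d and /etc/init.d; the check only reads link names and header comments, so it is safe to run before deciding whether 'update-rc.d nftables remove' is the right fix for a given box.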