Bug#984570: orphan-sysvinit-scripts: nftables interaction with local iptables script
Gedalya
gedalya at gedalya.net
Fri Mar 5 11:03:55 GMT 2021
On 3/5/21 6:55 PM, Matthew Vernon wrote:
> Hi,
>
>> I just got orphan-sysvinit-scripts pulled in on a few boxes where I
>> happen to have nftables installed but rules are still defined and
>> loaded by iptables, called by a locally-defined init script.
>
> I'm slightly confused by your report, sorry. Historically nftables did have a sysvinit script (though it was removed from the package in a previous version).
OK, I wasn't keeping track of that. On the three boxes I was just upgrading, there was no nftables init script until now.
>
> You installed a version of nftables without a sysvinit script on a sysvinit system, and made your own sysvinit script for it that you didn't call /etc/init.d/nftables ?
>
> And you installed your nftables config somewhere that wasn't the expected location /etc/nftables.conf ?
iptables. I'm using iptables. Not using nftables. nftables is just installed, so I can play with it, towards migrating to it. Having it installed, while not actively used, didn't pose an issue until now. I have my own iptables-rules init.d script which does iptables-restore < /etc/iptables.conf
The issue is that now the distribution-shipped nftables script wipes out my iptables rules, which are important. I would suspect that iptables being used isn't a rare thing, and using an init script as a means of loading the rules might be common as well, and it would sometimes be done by a locally-defined script. Looking at the changelog now, it seems like the init script was last shipped in the nftables package in 2016? So going through this scenario, of having nftables with no init script, and one popping up now, shouldn't be very unusual?
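The failure described in this thread, a second firewall script wiping the rules a local init script had loaded with iptables-restore, is cheapest to catch with a post-boot check that compares the saved ruleset with what is actually live. The POSIX sh script below is an added example, not code from the bug report or from the nftables or orphan-sysvinit-scripts packages; the two iptables-save dumps embedded in it are constructed samples, and /etc/iptables.conf is the saved-rules path mentioned in the report.

```shell
#!/bin/sh
# Post-boot check: compare the rules a local init script is supposed to have
# loaded (the saved iptables-save file) with the live ruleset, and report
# rules or chain policies that are gone. Catches the case in the report,
# where another firewall script flushes the tables after ours has run.
#
# Real use (not run here; assumes the saved rules live in /etc/iptables.conf):
#   check_ruleset "$(cat /etc/iptables.conf)" "$(iptables-save)"

# Keep only rule lines (-A ...) from an iptables-save dump, normalised
# (trailing whitespace stripped, duplicates collapsed, sorted).
rule_lines() {
    grep '^-A ' | sed 's/[[:space:]]*$//' | sort -u
}

# Keep only chain policy lines (":CHAIN POLICY") from a dump, dropping the
# packet/byte counters so two dumps compare equal when the policies do.
policy_lines() {
    grep '^:' | awk '{ print $1, $2 }' | sort -u
}

# Print every line of $1 (newline-separated) that does not appear verbatim
# in $2. Shared by the rule and policy checks below.
lines_absent_from() {
    if [ -z "$1" ]; then
        return 0
    fi
    printf '%s\n' "$1" | while IFS= read -r line; do
        if ! printf '%s\n' "$2" | grep -Fxq -- "$line"; then
            printf '%s\n' "$line"
        fi
    done
}

# Saved rules missing from the live dump. $1 = saved file text, $2 = live text.
missing_rules() {
    lines_absent_from "$(printf '%s\n' "$1" | rule_lines)" \
                      "$(printf '%s\n' "$2" | rule_lines)"
}

# Saved chain policies that no longer match (e.g. INPUT DROP became ACCEPT).
changed_policies() {
    lines_absent_from "$(printf '%s\n' "$1" | policy_lines)" \
                      "$(printf '%s\n' "$2" | policy_lines)"
}

# Number of saved rules absent from the live ruleset; 0 means nothing lost.
count_missing() {
    missing_rules "$1" "$2" | grep -c . || true
}

# Human-readable report; exit status 0 only if every rule and policy survives.
check_ruleset() {
    cr_missing=$(missing_rules "$1" "$2")
    cr_policies=$(changed_policies "$1" "$2")
    if [ -z "$cr_missing" ] && [ -z "$cr_policies" ]; then
        echo "OK: live ruleset contains every saved rule and chain policy"
        return 0
    fi
    if [ -n "$cr_policies" ]; then
        printf 'chain policies reset:\n%s\n' "$cr_policies"
    fi
    if [ -n "$cr_missing" ]; then
        printf 'rules missing from live ruleset:\n%s\n' "$cr_missing"
    fi
    return 1
}

# Constructed sample of the saved file the local init script restores.
SAVED_RULES='# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed sample of iptables-save output after a flush: the chains are
# back to their ACCEPT defaults and every rule is gone.
LIVE_AFTER_FLUSH='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

check_ruleset "$SAVED_RULES" "$LIVE_AFTER_FLUSH" ||
    echo "firewall rules were lost; reload them with iptables-restore"
```

The policy comparison is there because a flush does more than drop rules: a chain whose saved policy was DROP comes back as ACCEPT, so a host that looked locked down is open until the rules are reloaded. Running the check from a late boot step, or after any other firewall script starts, turns the silent wipe in the report into a logged, non-zero exit.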
More information about the Debian-init-diversity mailing list