> Beowulf/Buster has moved from iptables to nftables. You can still use
> iptables* with iptables-legacy*, but you'll need to edit your scripts
> to reflect this. The option to save existing rules is part of the
> upgrade but assumes that the existing rules haven't already been
> overwritten with the default 'allow anything and everything'.

Thanks for that catch. I forgot about the move, which was publicized
years ago already IIRC.

Are you implying the upgrade process (ie no reboot) already replaced the
rules? Well... That is not surprising in the usual Debian's way (and why
loads of people hate it ;o) ), but still damaging if that was the case...
That is something I definitely did not check for, and might explain
while all of the sudden rulesets were empty (noticed only after reboot).

My scripts, using ip(6)tables-save binaries and then loading through
ip(6)tables, are still working.
I am not used to the nftables interface (yet). Time to learn at last, I
guess. :o)

> I use a second root terminal to check the current ruleset before making the
> decision to accept; I also check that the correct ruleset has been
> applied after the first few reboots and any updates just to be sure.

Whatever way it is done: it means manual backup & restoration whenever
needed.

Bernard Rosset
https://rosset.net/