[Bug 2061891] Re: Noble upgrade breaks iptables-persistent and netfilter-persistent usage

Nick Rosbrook 2061891 at bugs.launchpad.net
Thu May 16 13:55:24 UTC 2024


I re-confirmed the fix using the upgrader tarball for noble-proposed:

I have verified using the upgrader tarball for noble-proposed:

root@j:~# wget http://archive.ubuntu.com/ubuntu/dists/noble-proposed/main/dist-upgrader-all/24.04.18/noble.tar.gz
--2024-05-16 13:41:34--  http://archive.ubuntu.com/ubuntu/dists/noble-proposed/main/dist-upgrader-all/24.04.18/noble.tar.gz
Resolving archive.ubuntu.com (archive.ubuntu.com)... 91.189.91.82, 185.125.190.39, 91.189.91.81, ...
Connecting to archive.ubuntu.com (archive.ubuntu.com)|91.189.91.82|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1274850 (1.2M) [application/x-gzip]
Saving to: ‘noble.tar.gz’

noble.tar.gz        100%[================================================>]   1.21M  1.50MB/s    in 0.8s

2024-05-16 13:41:35 (1.50 MB/s) - ‘noble.tar.gz’ saved [1274850/1274850]

root@j:~# tar xf noble.tar.gz
root@j:~# apt install netfilter-persistent iptables-persistent -y
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  iptables-persistent netfilter-persistent
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 13.9 kB of archives.
After this operation, 93.2 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu jammy/universe amd64 netfilter-persistent all 1.0.16 [7440 B]
Get:2 http://archive.ubuntu.com/ubuntu jammy/universe amd64 iptables-persistent all 1.0.16 [6488 B]
Fetched 13.9 kB in 1s (17.8 kB/s)             
Preconfiguring packages ...
Selecting previously unselected package netfilter-persistent.
(Reading database ... 33926 files and directories currently installed.)
Preparing to unpack .../netfilter-persistent_1.0.16_all.deb ...
Unpacking netfilter-persistent (1.0.16) ...
Selecting previously unselected package iptables-persistent.
Preparing to unpack .../iptables-persistent_1.0.16_all.deb ...
Unpacking iptables-persistent (1.0.16) ...
Setting up netfilter-persistent (1.0.16) ...
Created symlink /etc/systemd/system/multi-user.target.wants/netfilter-persistent.service → /lib/systemd/system/netfilter-persistent.service.
Setting up iptables-persistent (1.0.16) ...
update-alternatives: using /lib/systemd/system/netfilter-persistent.service to provide /lib/systemd/system/iptables.service (iptables.service) in auto mode
Processing triggers for man-db (2.10.2-1) ...
Scanning processes...                                                                                                  

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
root@j:~# apt policy ufw iptables-persistent netfilter-persistent
ufw:
  Installed: 0.36.1-4ubuntu0.1
  Candidate: 0.36.1-4ubuntu0.1
  Version table:
 *** 0.36.1-4ubuntu0.1 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     0.36.1-4build1 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
iptables-persistent:
  Installed: 1.0.16
  Candidate: 1.0.16
  Version table:
 *** 1.0.16 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
        100 /var/lib/dpkg/status
netfilter-persistent:
  Installed: 1.0.16
  Candidate: 1.0.16
  Version table:
 *** 1.0.16 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
        100 /var/lib/dpkg/status
root@j:~# ./noble --frontend DistUpgradeViewNonInteractive
[ ... upgrading ... ]
root@j:~# apt policy ufw iptables-persistent netfilter-persistent
ufw:
  Installed: (none)
  Candidate: 0.36.2-6
  Version table:
     0.36.2-6 500
        500 http://archive.ubuntu.com/ubuntu noble/main amd64 Packages
     0.36.1-4ubuntu0.1 -1
        100 /var/lib/dpkg/status
iptables-persistent:
  Installed: 1.0.20
  Candidate: 1.0.20
  Version table:
 *** 1.0.20 500
        500 http://archive.ubuntu.com/ubuntu noble/universe amd64 Packages
        100 /var/lib/dpkg/status
netfilter-persistent:
  Installed: 1.0.20
  Candidate: 1.0.20
  Version table:
 *** 1.0.20 500
        500 http://archive.ubuntu.com/ubuntu noble/universe amd64 Packages
        100 /var/lib/dpkg/status


** Tags removed: verification-needed verification-needed-noble
** Tags added: verification-done verification-done-noble

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubuntu-release-upgrader in
Ubuntu.
https://bugs.launchpad.net/bugs/2061891

Title:
  Noble upgrade breaks iptables-persistent and netfilter-persistent
  usage

Status in Release Notes for Ubuntu:
  New
Status in ubuntu-release-upgrader package in Ubuntu:
  In Progress
Status in ubuntu-release-upgrader source package in Noble:
  Fix Committed

Bug description:
  [Impact]
  ufw and -persistent packages both manage the firewall, hence they conflict but they accidentally had no conflicts in jammy. If both are installed, persistent packages will store and restore firewall configuration, so ufw cannot really be used.

  Noble adds a conflicts from ufw to the persistent packages, but we end
  up removing the persistent packages rather than the ufw which is wrong
  - they are in charge.

  [Test plan]
  persistent and netfilter-persistent should remain installed, and ufw removed to preserve user config.

  [Where problems could occur]
  There may be ufw reverse dependencies that could get removed.

  [Other Info]
  The fix (released) in 1:24.04.15 is reverted and improved in 1:24.04.17 (upload).

  [Original bug report]
  Upgrade from Jammy to Noble breaks iptables-persistent and netfilter-persistent firewall configuration if ufw is also installed pre-upgrade, removing them.

  from /var/log/dist-upgrade/apt.log:
  Broken ufw:amd64 Breaks on iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU >
    Considering iptables-persistent:amd64 -1 as a solution to ufw:amd64 5
    Added iptables-persistent:amd64 to the remove list
    Conflicts//Breaks against version 1.0.16 for iptables-persistent but that is not InstVer, ignoring
  Broken ufw:amd64 Breaks on netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU >
    Considering netfilter-persistent:amd64 0 as a solution to ufw:amd64 5
    Added netfilter-persistent:amd64 to the remove list
    Conflicts//Breaks against version 1.0.16 for netfilter-persistent but that is not InstVer, ignoring
    MarkDelete iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0
    Fixing ufw:amd64 via remove of iptables-persistent:amd64
    MarkDelete netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0
    Fixing ufw:amd64 via remove of netfilter-persistent:amd64

  ufw 0.36.2-1 adds the breaks
  $ apt show ufw
  Package: ufw
  Version: 0.36.2-6
  Priority: standard
  Section: admin
  Origin: Ubuntu
  Maintainer: Jamie Strandboge <jdstrand at ubuntu.com>
  Bugs: https://bugs.launchpad.net/ubuntu/+filebug
  Installed-Size: 869 kB
  Depends: iptables, ucf, python3:any, debconf (>= 0.5) | debconf-2.0
  Suggests: rsyslog
  Breaks: iptables-persistent, netfilter-persistent
  Homepage: https://launchpad.net/ufw
  Task: standard
  Download-Size: 169 kB
  APT-Manual-Installed: no
  APT-Sources: http://phx-ad-3.clouds.archive.ubuntu.com/ubuntu noble/main amd64 Packages
  Description: program for managing a Netfilter firewall
   The Uncomplicated FireWall is a front-end for iptables, to make managing a
   Netfilter firewall easier. It provides a command line interface with syntax
   similar to OpenBSD's Packet Filter. It is particularly well-suited as a
   host-based firewall.

  Post do-release-upgrade, iptables-persistent and netfilter-persistent
  are removed, which breaks any machines that relied on their
  configuration.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-release-notes/+bug/2061891/+subscriptions
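
The resolver decisions quoted from /var/log/dist-upgrade/apt.log in the bug description can be searched for after an upgrade to see whether a firewall package was removed to satisfy a Breaks. The script below is an added example, not part of the bug report or of ubuntu-release-upgrader; the function names and the watch list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report firewall packages that the release upgrader's
# resolver removed in order to fix another package's Breaks/Conflicts.

# Watch list (assumption): the three packages named in the bug report.
WATCH="iptables-persistent netfilter-persistent ufw"

# Print "<removed-package> <package-it-was-removed-for>" once per removal.
# $1: path to the upgrader's apt.log
firewall_removals() {
    awk -v watch="$WATCH" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        # Decision line format: "Fixing A:arch via remove of B:arch"
        $1 == "Fixing" && $3 == "via" && $4 == "remove" && $5 == "of" {
            kept = $2; gone = $6
            sub(/:.*/, "", kept)   # strip the ":amd64" architecture suffix
            sub(/:.*/, "", gone)
            if ((gone in want) && !seen[gone]++) print gone, kept
        }
    ' "$1"
}

# Constructed sample input: resolver lines as quoted in the bug description.
sample_log() {
    cat <<'EOF'
Broken ufw:amd64 Breaks on iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU >
  Considering iptables-persistent:amd64 -1 as a solution to ufw:amd64 5
  Added iptables-persistent:amd64 to the remove list
  MarkDelete iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0
  Fixing ufw:amd64 via remove of iptables-persistent:amd64
  MarkDelete netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0
  Fixing ufw:amd64 via remove of netfilter-persistent:amd64
EOF
}

# Use the log given as $1; with no argument, run on the constructed sample.
log=${1:-$(mktemp)}
[ -n "${1:-}" ] || sample_log > "$log"
firewall_removals "$log"
```

Run it as `sh script.sh /var/log/dist-upgrade/apt.log` on an upgraded host; any output line names a firewall package whose saved rules are no longer being restored at boot.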



