[Bug 2061891] Re: Noble upgrade breaks iptables-persistent and netfilter-persistent usage
This bug was fixed in the package ubuntu-release-upgrader - 1:24.04.18
---
ubuntu-release-upgrader (1:24.04.18) noble; urgency=medium
[ Nick Rosbrook ]
* tests: fix un-templated expected ubuntu.sources
* DistUpgradeQuirks: prevent upgrades of TPM FDE desktops (LP: #2065229)
* Run pre-build.sh: updating mirrors, demotions, and translations.
[ Dave Jones ]
* New quirk to add KMS overlay on Pi Server images (LP: #2065051)
ubuntu-release-upgrader (1:24.04.17) noble; urgency=medium
[ Nick Rosbrook ]
* Revert "DistUpgrade.cfg.jammy: keep {netfilter,iptables}-persistent
installed"
* DistUpgradeQuirks: keep {netfilter,iptables}-persistent instead of ufw
(LP: #2061891)
[ Julian Andres Klode ]
* DistUpgrade.cfg.jammy: Add systemd-resolved to PostUpgradeInstall
(LP: #2063464)
* Transition the automatically installed bit to t64 libraries, and
do not write automatically installed bit in simulation (LP: #2064090)
* Run pre-build.sh: updating mirrors, demotions, and translations.
-- Nick Rosbrook Thu, 09 May 2024 15:39:56 -0400
** Changed in: ubuntu-release-upgrader (Ubuntu Noble)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2061891
Title:
Noble upgrade breaks iptables-persistent and netfilter-persistent
usage
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-release-notes/+bug/2061891/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2061891] Re: Noble upgrade breaks iptables-persistent and netfilter-persistent usage
This bug was fixed in the package ubuntu-release-upgrader - 1:24.10.3 --- ubuntu-release-upgrader (1:24.10.3) oracular; urgency=medium [ Nick Rosbrook ] * tests: fix un-templated expected ubuntu.sources * DistUpgradeQuirks: prevent upgrades of TPM FDE desktops (LP: #2065229) * Run pre-build.sh: updating mirrors, demotions, and translations. [ Dave Jones ] * New quirk to add KMS overlay on Pi Server images (LP: #2065051) -- Nick Rosbrook Thu, 09 May 2024 15:29:17 -0400 ** Changed in: ubuntu-release-upgrader (Ubuntu) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2061891 Title: Noble upgrade breaks iptables-persistent and netfilter-persistent usage To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-release-notes/+bug/2061891/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2061891] Re: Noble upgrade breaks iptables-persistent and netfilter-persistent usage
I re-confirmed the fix using the upgrader tarball for noble-proposed: I have verified using the upgrader tarball for noble-proposed: root@j:~# wget http://archive.ubuntu.com/ubuntu/dists/noble-proposed/main/dist-upgrader-all/24.04.18/noble.tar.gz --2024-05-16 13:41:34-- http://archive.ubuntu.com/ubuntu/dists/noble-proposed/main/dist-upgrader-all/24.04.18/noble.tar.gz Resolving archive.ubuntu.com (archive.ubuntu.com)... 91.189.91.82, 185.125.190.39, 91.189.91.81, ... Connecting to archive.ubuntu.com (archive.ubuntu.com)|91.189.91.82|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 1274850 (1.2M) [application/x-gzip] Saving to: ‘noble.tar.gz’ noble.tar.gz 100%[>] 1.21M 1.50MB/sin 0.8s 2024-05-16 13:41:35 (1.50 MB/s) - ‘noble.tar.gz’ saved [1274850/1274850] root@j:~# tar xf noble.tar.gz root@j:~# apt install netfilter-persistent iptables-persistent -y Reading package lists... Done Building dependency tree... Done Reading state information... Done The following NEW packages will be installed: iptables-persistent netfilter-persistent 0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded. Need to get 13.9 kB of archives. After this operation, 93.2 kB of additional disk space will be used. Get:1 http://archive.ubuntu.com/ubuntu jammy/universe amd64 netfilter-persistent all 1.0.16 [7440 B] Get:2 http://archive.ubuntu.com/ubuntu jammy/universe amd64 iptables-persistent all 1.0.16 [6488 B] Fetched 13.9 kB in 1s (17.8 kB/s) Preconfiguring packages ... Selecting previously unselected package netfilter-persistent. (Reading database ... 33926 files and directories currently installed.) Preparing to unpack .../netfilter-persistent_1.0.16_all.deb ... Unpacking netfilter-persistent (1.0.16) ... Selecting previously unselected package iptables-persistent. Preparing to unpack .../iptables-persistent_1.0.16_all.deb ... Unpacking iptables-persistent (1.0.16) ... Setting up netfilter-persistent (1.0.16) ... Created symlink /etc/systemd/system/multi-user.target.wants/netfilter-persistent.service → /lib/systemd/system/netfilte r-persistent.service. Setting up iptables-persistent (1.0.16) ... update-alternatives: using /lib/systemd/system/netfilter-persistent.service to provide /lib/systemd/system/iptables.ser vice (iptables.service) in auto mode Processing triggers for man-db (2.10.2-1) ... Scanning processes... No services need to be restarted. No containers need to be restarted. No user sessions are running outdated binaries. No VM guests are running outdated hypervisor (qemu) binaries on this host. root@j:~# apt policy ufw iptables-persistent netfilter-persistent ufw: Installed: 0.36.1-4ubuntu0.1 Candidate: 0.36.1-4ubuntu0.1 Version table: *** 0.36.1-4ubuntu0.1 500 500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages 100 /var/lib/dpkg/status 0.36.1-4build1 500 500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages iptables-persistent: Installed: 1.0.16 Candidate: 1.0.16 Version table: *** 1.0.16 500 500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages 100 /var/lib/dpkg/status netfilter-persistent: Installed: 1.0.16 Candidate: 1.0.16 Version table: *** 1.0.16 500 500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages 100 /var/lib/dpkg/status root@j:~# ./noble --frontend DistUpgradeViewNonInteractive [ ... upgrading ... ] root@j:~# apt policy ufw iptables-persistent netfilter-persistent ufw: Installed: (none) Candidate: 0.36.2-6 Version table: 0.36.2-6 500 500 http://archive.ubuntu.com/ubuntu noble/main amd64 Packages 0.36.1-4ubuntu0.1 -1 100 /var/lib/dpkg/status iptables-persistent: Installed: 1.0.20 Candidate: 1.0.20 Version table: *** 1.0.20 500 500 http://archive.ubuntu.com/ubuntu noble/universe amd64 Packages 100 /var/lib/dpkg/status netfilter-persistent: Installed: 1.0.20 Candidate: 1.0.20 Version table: *** 1.0.20 500 500 http://archive.ubuntu.com/ubuntu noble/universe amd64 Packages 100 /var/lib/dpkg/status ** Tags removed: verification-needed verification-needed-noble ** Tags added: verification-done verification-done-noble -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2061891 Title: Noble upgrade breaks iptables-persistent and netfilter-persistent usage To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-release-notes/+bug/2061891/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2061891] Re: Noble upgrade breaks iptables-persistent and netfilter-persistent usage
Hello Stefan, or anyone else affected, Accepted ubuntu-release-upgrader into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-release-upgrader/1:24.04.18 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed-noble. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Tags removed: verification-done-noble ** Tags added: verification-needed-noble -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2061891 Title: Noble upgrade breaks iptables-persistent and netfilter-persistent usage To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-release-notes/+bug/2061891/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2061891] Re: Noble upgrade breaks iptables-persistent and netfilter-persistent usage
Howdy, the testing was a success. Version: ubuntu-release-upgrader (1:24.04.17) noble Testing Proc: - Start with fresh jammy instance - Install ufw and verify both *-persistent and ufw are installed. - Run release upgrade with Nick and Julian's changes then reboot. - Use apt to verify *-persistent is installed and NOT ufw. - Install ufw again and confirm *-persistent was removed. - Install *-persistent and confirm ufw was removed. ** Tags removed: verification-needed-noble ** Tags added: verification-done-noble -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2061891 Title: Noble upgrade breaks iptables-persistent and netfilter-persistent usage To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-release-notes/+bug/2061891/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2061891] Re: Noble upgrade breaks iptables-persistent and netfilter-persistent usage
** Information type changed from Public to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2061891 Title: Noble upgrade breaks iptables-persistent and netfilter-persistent usage To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-release-notes/+bug/2061891/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2061891] Re: Noble upgrade breaks iptables-persistent and netfilter-persistent usage
Hello Stefan, or anyone else affected, Accepted ubuntu-release-upgrader into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-release-upgrader/1:24.04.17 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed-noble. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: ubuntu-release-upgrader (Ubuntu Noble) Status: In Progress => Fix Committed ** Tags added: verification-needed verification-needed-noble -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2061891 Title: Noble upgrade breaks iptables-persistent and netfilter-persistent usage To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-release-notes/+bug/2061891/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2061891] Re: Noble upgrade breaks iptables-persistent and netfilter-persistent usage
Ok; thanks for clarifying. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2061891 Title: Noble upgrade breaks iptables-persistent and netfilter-persistent usage To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-release-notes/+bug/2061891/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2061891] Re: Noble upgrade breaks iptables-persistent and netfilter-persistent usage
If users had installed both, any configuration made by ufw would have been persisted by the -persistent packages and hence would be restored by it. They inadvertently had no Conflicts relationship declared, but sure enough conflicted in practice. There doesn't seem to be a reason why you'd install persistent and disable its persistence service units. ** Changed in: ubuntu-release-upgrader (Ubuntu Noble) Status: Incomplete => Triaged ** Changed in: ubuntu-release-upgrader (Ubuntu Noble) Status: Triaged => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2061891 Title: Noble upgrade breaks iptables-persistent and netfilter-persistent usage To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-release-notes/+bug/2061891/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2061891] Re: Noble upgrade breaks iptables-persistent and netfilter-persistent usage
Hi Nick and Julian,
Thanks for the fix and SRU template!
Question:
IIUIC, the fix simply removes 'ufw' if '{iptables,netfilter}-persistent'
is installed.
But is it possible that removing ufw is the wrong thing to do in some
particular case?
Say, if the user actually used/configured ufw instead of the -persistent
packages.
That seems possible, as users could have both installed previously, right?
(The bug report says both ufw/-persistent 'had no conflicts in jammy').
Thanks!
PS: I added an 'Other Info' section to the SRU template to clarify the
'fix released' in comment #1.
** Changed in: ubuntu-release-upgrader (Ubuntu Noble)
Status: In Progress => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2061891
Title:
Noble upgrade breaks iptables-persistent and netfilter-persistent
usage
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-release-notes/+bug/2061891/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2061891] Re: Noble upgrade breaks iptables-persistent and netfilter-persistent usage
** Description changed: - [Impact / Original Description] + [Impact] + ufw and -persistent packages both manage the firewall, hence they conflict but they accidentally had no conflicts in jammy. If both are installed, persistent packages will store and restore firewall configuration, so ufw cannot really be used. - Upgrade from Jammy to Noble breaks iptables-persistent and netfilter- - persistent firewall configuration if ufw is also installed pre-upgrade. + Noble adds a conflicts from ufw to the persistent packages, but we end + up removing the persistent packages rather than the ufw which is wrong - + they are in charge. + + [Test plan] + persistent and netfilter-persistent should remain installed, and ufw removed to preserve user config. + + [Where problems could occur] + There may be ufw reverse dependencies that could get removed. + + [Other Info] + The fix (released) in 1:24.04.15 is reverted and improved in 1:24.04.17 (upload). + + [Original bug report] + Upgrade from Jammy to Noble breaks iptables-persistent and netfilter-persistent firewall configuration if ufw is also installed pre-upgrade., removing them. from /var/log/dist-upgrade/apt.log: Broken ufw:amd64 Breaks on iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > Considering iptables-persistent:amd64 -1 as a solution to ufw:amd64 5 Added iptables-persistent:amd64 to the remove list Conflicts//Breaks against version 1.0.16 for iptables-persistent but that is not InstVer, ignoring Broken ufw:amd64 Breaks on netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > Considering netfilter-persistent:amd64 0 as a solution to ufw:amd64 5 Added netfilter-persistent:amd64 to the remove list Conflicts//Breaks against version 1.0.16 for netfilter-persistent but that is not InstVer, ignoring MarkDelete iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0 Fixing ufw:amd64 via remove of iptables-persistent:amd64 MarkDelete netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0 Fixing ufw:amd64 via remove of netfilter-persistent:amd64 ufw 0.36.2-1 add the breaks $ apt show ufw Package: ufw Version: 0.36.2-6 Priority: standard Section: admin Origin: Ubuntu Maintainer: Jamie Strandboge Bugs: https://bugs.launchpad.net/ubuntu/+filebug Installed-Size: 869 kB Depends: iptables, ucf, python3:any, debconf (>= 0.5) | debconf-2.0 Suggests: rsyslog Breaks: iptables-persistent, netfilter-persistent Homepage: https://launchpad.net/ufw Task: standard Download-Size: 169 kB APT-Manual-Installed: no APT-Sources: http://phx-ad-3.clouds.archive.ubuntu.com/ubuntu noble/main amd64 Packages Description: program for managing a Netfilter firewall The Uncomplicated FireWall is a front-end for iptables, to make managing a Netfilter firewall easier. It provides a command line interface with syntax similar to OpenBSD's Packet Filter. It is particularly well-suited as a host-based firewall. Post do-release-upgrade, iptables-persistent and netfilter-persistent are removed, which breaks any machines that relied on their configuration. - - [Test Plan] - - 1. Start a Jammy LXD container and obtain a shell. - - $ lxc launch ubuntu-daily:jammy jammy - $ lxc exec jammy bash - - 2. In the container, install netfilter-persistent and iptables- - persistent. - - $ apt install netfilter-persistent iptables-persistent -y - - 3. Run a release upgrade. To test with noble-proposed, the --proposed - flag is needed. - - $ do-release-upgrade --proposed - - 4. Answer prompts as needed so that the upgrade runs as expected. After - the upgrade has finished, verify that the packages have not been - removed. - - $ apt policy netfilter-persistent iptables-persistent - - 5. Check the upgrade log to verify messages are present explaining that - these packages are kept. - - $ grep "Keeping.*-persistent" /var/log/dist-upgrade/main.log - - [Where problems could occur] - - This quirk requires manipulating the apt cache. It does so only for the - ufw, netfilter-persistent, and iptables-persistent packages. If these - package names were misspelled in the code, that would cause the quirk to - be wrong. Any problems would most likely be surrounding whether or not - these packages are installed. This quirk _should_ do nothing when (a) - not upgrading from jammy, (b) ufw is not installed, or (c) neither - netfilter-persistent nor iptables-persistent are installed. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2061891 Title: Noble upgrade breaks iptables-persistent and netfilter-persistent usage To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-release-notes/+bug/2061891/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2061891] Re: Noble upgrade breaks iptables-persistent and netfilter-persistent usage
** Description changed: - [Impact] - ufw and -persistent packages both manage the firewall, hence they conflict but they accidentally had no conflicts in jammy. If both are installed, persistent packages will store and restore firewall configuration, so ufw cannot really be used. + [Impact / Original Description] - Noble adds a conflicts from ufw to the persistent packages, but we end - up removing the persistent packages rather than the ufw which is wrong - - they are in charge. - - [Test plan] - persistent and netfilter-persistent should remain installed, and ufw removed to preserve user config. - - [Where problems could occur] - There may be ufw reverse dependencies that could get removed. - - [Original bug report] - Upgrade from Jammy to Noble breaks iptables-persistent and netfilter-persistent firewall configuration if ufw is also installed pre-upgrade., removing them. - + Upgrade from Jammy to Noble breaks iptables-persistent and netfilter- + persistent firewall configuration if ufw is also installed pre-upgrade. from /var/log/dist-upgrade/apt.log: Broken ufw:amd64 Breaks on iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > Considering iptables-persistent:amd64 -1 as a solution to ufw:amd64 5 Added iptables-persistent:amd64 to the remove list Conflicts//Breaks against version 1.0.16 for iptables-persistent but that is not InstVer, ignoring Broken ufw:amd64 Breaks on netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > Considering netfilter-persistent:amd64 0 as a solution to ufw:amd64 5 Added netfilter-persistent:amd64 to the remove list Conflicts//Breaks against version 1.0.16 for netfilter-persistent but that is not InstVer, ignoring MarkDelete iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0 Fixing ufw:amd64 via remove of iptables-persistent:amd64 MarkDelete netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0 Fixing ufw:amd64 via remove of netfilter-persistent:amd64 ufw 0.36.2-1 add the breaks $ apt show ufw Package: ufw Version: 0.36.2-6 Priority: standard Section: admin Origin: Ubuntu Maintainer: Jamie Strandboge Bugs: https://bugs.launchpad.net/ubuntu/+filebug Installed-Size: 869 kB Depends: iptables, ucf, python3:any, debconf (>= 0.5) | debconf-2.0 Suggests: rsyslog Breaks: iptables-persistent, netfilter-persistent Homepage: https://launchpad.net/ufw Task: standard Download-Size: 169 kB APT-Manual-Installed: no APT-Sources: http://phx-ad-3.clouds.archive.ubuntu.com/ubuntu noble/main amd64 Packages Description: program for managing a Netfilter firewall The Uncomplicated FireWall is a front-end for iptables, to make managing a Netfilter firewall easier. It provides a command line interface with syntax similar to OpenBSD's Packet Filter. It is particularly well-suited as a host-based firewall. Post do-release-upgrade, iptables-persistent and netfilter-persistent are removed, which breaks any machines that relied on their configuration. + + [Test Plan] + + 1. Start a Jammy LXD container and obtain a shell. + + $ lxc launch ubuntu-daily:jammy jammy + $ lxc exec jammy bash + + 2. In the container, install netfilter-persistent and iptables- + persistent. + + $ apt install netfilter-persistent iptables-persistent -y + + 3. Run a release upgrade. To test with noble-proposed, the --proposed + flag is needed. + + $ do-release-upgrade --proposed + + 4. Answer prompts as needed so that the upgrade runs as expected. After + the upgrade has finished, verify that the packages have not been + removed. + + $ apt policy netfilter-persistent iptables-persistent + + 5. Check the upgrade log to verify messages are present explaining that + these packages are kept. + + $ grep "Keeping.*-persistent" /var/log/dist-upgrade/main.log + + [Where problems could occur] + + This quirk requires manipulating the apt cache. It does so only for the + ufw, netfilter-persistent, and iptables-persistent packages. If these + package names were misspelled in the code, that would cause the quirk to + be wrong. Any problems would most likely be surrounding whether or not + these packages are installed. This quirk _should_ do nothing when (a) + not upgrading from jammy, (b) ufw is not installed, or (c) neither + netfilter-persistent nor iptables-persistent are installed. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2061891 Title: Noble upgrade breaks iptables-persistent and netfilter-persistent usage To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-release-notes/+bug/2061891/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2061891] Re: Noble upgrade breaks iptables-persistent and netfilter-persistent usage
** Description changed: - Upgrade from Jammy to Noble breaks iptables-persistent and netfilter- - persistent firewall configuration if ufw is also installed pre-upgrade. + [Impact] + Upgrade from Jammy to Noble breaks iptables-persistent and netfilter-persistent firewall configuration if ufw is also installed pre-upgrade. + [Test plan] + persistent and netfilter-persistent should remain installed, and ufw removed to preserve user config. + + [Where problems could occur] + There may be ufw reverse dependencies that could get removed. + + [Original bug report] from /var/log/dist-upgrade/apt.log: Broken ufw:amd64 Breaks on iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > - Considering iptables-persistent:amd64 -1 as a solution to ufw:amd64 5 - Added iptables-persistent:amd64 to the remove list - Conflicts//Breaks against version 1.0.16 for iptables-persistent but that is not InstVer, ignoring + Considering iptables-persistent:amd64 -1 as a solution to ufw:amd64 5 + Added iptables-persistent:amd64 to the remove list + Conflicts//Breaks against version 1.0.16 for iptables-persistent but that is not InstVer, ignoring Broken ufw:amd64 Breaks on netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > - Considering netfilter-persistent:amd64 0 as a solution to ufw:amd64 5 - Added netfilter-persistent:amd64 to the remove list - Conflicts//Breaks against version 1.0.16 for netfilter-persistent but that is not InstVer, ignoring - MarkDelete iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0 - Fixing ufw:amd64 via remove of iptables-persistent:amd64 - MarkDelete netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0 - Fixing ufw:amd64 via remove of netfilter-persistent:amd64 + Considering netfilter-persistent:amd64 0 as a solution to ufw:amd64 5 + Added netfilter-persistent:amd64 to the remove list + Conflicts//Breaks against version 1.0.16 for netfilter-persistent but that is not InstVer, ignoring + MarkDelete iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0 + Fixing ufw:amd64 via remove of iptables-persistent:amd64 + MarkDelete netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0 + Fixing ufw:amd64 via remove of netfilter-persistent:amd64 ufw 0.36.2-1 add the breaks $ apt show ufw Package: ufw Version: 0.36.2-6 Priority: standard Section: admin Origin: Ubuntu Maintainer: Jamie Strandboge Bugs: https://bugs.launchpad.net/ubuntu/+filebug Installed-Size: 869 kB Depends: iptables, ucf, python3:any, debconf (>= 0.5) | debconf-2.0 Suggests: rsyslog Breaks: iptables-persistent, netfilter-persistent Homepage: https://launchpad.net/ufw Task: standard Download-Size: 169 kB APT-Manual-Installed: no APT-Sources: http://phx-ad-3.clouds.archive.ubuntu.com/ubuntu noble/main amd64 Packages Description: program for managing a Netfilter firewall - The Uncomplicated FireWall is a front-end for iptables, to make managing a - Netfilter firewall easier. It provides a command line interface with syntax - similar to OpenBSD's Packet Filter. It is particularly well-suited as a - host-based firewall. + The Uncomplicated FireWall is a front-end for iptables, to make managing a + Netfilter firewall easier. It provides a command line interface with syntax + similar to OpenBSD's Packet Filter. It is particularly well-suited as a + host-based firewall. Post do-release-upgrade, iptables-persistent and netfilter-persistent are removed, which breaks any machines that relied on their configuration. ** Description changed: - [Impact] - Upgrade from Jammy to Noble breaks iptables-persistent and netfilter-persistent firewall configuration if ufw is also installed pre-upgrade. + [Impact] + Upgrade from Jammy to Noble breaks iptables-persistent and netfilter-persistent firewall configuration if ufw is also installed pre-upgrade., removing them. + + ufw and -persistent packages both manage the firewall, hence they + conflict but they accidentally had no conflicts in jammy. + [Test plan] persistent and netfilter-persistent should remain installed, and ufw removed to preserve user config. [Where problems could occur] There may be ufw reverse dependencies that could get removed. [Original bug report] from /var/log/dist-upgrade/apt.log: Broken ufw:amd64 Breaks on iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > Considering iptables-persistent:amd64 -1 as a solution to ufw:amd64 5 Added iptables-persistent:amd64 to the remove list Conflicts//Breaks against version 1.0.16 for iptables-persistent but that is not InstVer, ignoring Broken ufw:amd64 Breaks on netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > Considering netfilter-persistent:amd64 0 as a solution to ufw:amd64 5 Added netfilter-persistent:amd64 to the remove list Conflicts//Breaks against version 1.0.16 for netfilter-persistent but that is not InstVer, ignoring
[Bug 2061891] Re: Noble upgrade breaks iptables-persistent and netfilter-persistent usage
** Merge proposal linked: https://code.launchpad.net/~juliank/ubuntu/+source/ubuntu-release-upgrader/+git/ubuntu-release-upgrader/+merge/465146 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2061891 Title: Noble upgrade breaks iptables-persistent and netfilter-persistent usage To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-release-notes/+bug/2061891/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2061891] Re: Noble upgrade breaks iptables-persistent and netfilter-persistent usage
** Changed in: ubuntu-release-upgrader (Ubuntu Noble) Status: Fix Released => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2061891 Title: Noble upgrade breaks iptables-persistent and netfilter-persistent usage To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-release-notes/+bug/2061891/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2061891] Re: Noble upgrade breaks iptables-persistent and netfilter-persistent usage
** Merge proposal linked: https://code.launchpad.net/~enr0n/ubuntu-release-upgrader/+git/ubuntu-release-upgrader/+merge/464775 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2061891 Title: Noble upgrade breaks iptables-persistent and netfilter-persistent usage To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-release-notes/+bug/2061891/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2061891] Re: Noble upgrade breaks iptables-persistent and netfilter-persistent usage
This bug was fixed in the package ubuntu-release-upgrader - 1:24.04.15
---
ubuntu-release-upgrader (1:24.04.15) noble; urgency=medium
* DistUpgrade.cfg.jammy: keep {netfilter,iptables}-persistent installed
(LP: #2061891)
* Run pre-build.sh: updating mirrors, demotions, and translations.
-- Nick Rosbrook Wed, 17 Apr 2024 17:10:33 -0400
** Changed in: ubuntu-release-upgrader (Ubuntu Noble)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2061891
Title:
Noble upgrade breaks iptables-persistent and netfilter-persistent
usage
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-release-notes/+bug/2061891/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2061891] Re: Noble upgrade breaks iptables-persistent and netfilter-persistent usage
** Changed in: ubuntu-release-upgrader (Ubuntu Noble) Status: Triaged => In Progress ** Changed in: ubuntu-release-upgrader (Ubuntu Noble) Assignee: (unassigned) => Nick Rosbrook (enr0n) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2061891 Title: Noble upgrade breaks iptables-persistent and netfilter-persistent usage To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-release-notes/+bug/2061891/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2061891] Re: Noble upgrade breaks iptables-persistent and netfilter-persistent usage
** Changed in: ubuntu-release-upgrader (Ubuntu Noble) Status: New => Triaged -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2061891 Title: Noble upgrade breaks iptables-persistent and netfilter-persistent usage To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-release-notes/+bug/2061891/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2061891] Re: Noble upgrade breaks iptables-persistent and netfilter-persistent usage
** Also affects: ubuntu-release-upgrader (Ubuntu Noble) Importance: Undecided Status: New ** Changed in: ubuntu-release-upgrader (Ubuntu Noble) Milestone: None => ubuntu-24.04 ** Also affects: ubuntu-release-notes Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2061891 Title: Noble upgrade breaks iptables-persistent and netfilter-persistent usage To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-release-notes/+bug/2061891/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
