** Description changed: - [Impact / Original Description] + [Impact] + ufw and -persistent packages both manage the firewall, hence they conflict but they accidentally had no conflicts in jammy. If both are installed, persistent packages will store and restore firewall configuration, so ufw cannot really be used. - Upgrade from Jammy to Noble breaks iptables-persistent and netfilter- - persistent firewall configuration if ufw is also installed pre-upgrade. + Noble adds a conflicts from ufw to the persistent packages, but we end + up removing the persistent packages rather than the ufw which is wrong - + they are in charge. + + [Test plan] + persistent and netfilter-persistent should remain installed, and ufw removed to preserve user config. + + [Where problems could occur] + There may be ufw reverse dependencies that could get removed. + + [Other Info] + The fix (released) in 1:24.04.15 is reverted and improved in 1:24.04.17 (upload). + + [Original bug report] + Upgrade from Jammy to Noble breaks iptables-persistent and netfilter-persistent firewall configuration if ufw is also installed pre-upgrade., removing them. 
from /var/log/dist-upgrade/apt.log: Broken ufw:amd64 Breaks on iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > Considering iptables-persistent:amd64 -1 as a solution to ufw:amd64 5 Added iptables-persistent:amd64 to the remove list Conflicts//Breaks against version 1.0.16 for iptables-persistent but that is not InstVer, ignoring Broken ufw:amd64 Breaks on netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > Considering netfilter-persistent:amd64 0 as a solution to ufw:amd64 5 Added netfilter-persistent:amd64 to the remove list Conflicts//Breaks against version 1.0.16 for netfilter-persistent but that is not InstVer, ignoring MarkDelete iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0 Fixing ufw:amd64 via remove of iptables-persistent:amd64 MarkDelete netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0 Fixing ufw:amd64 via remove of netfilter-persistent:amd64 ufw 0.36.2-1 add the breaks $ apt show ufw Package: ufw Version: 0.36.2-6 Priority: standard Section: admin Origin: Ubuntu Maintainer: Jamie Strandboge <jdstr...@ubuntu.com> Bugs: https://bugs.launchpad.net/ubuntu/+filebug Installed-Size: 869 kB Depends: iptables, ucf, python3:any, debconf (>= 0.5) | debconf-2.0 Suggests: rsyslog Breaks: iptables-persistent, netfilter-persistent Homepage: https://launchpad.net/ufw Task: standard Download-Size: 169 kB APT-Manual-Installed: no APT-Sources: http://phx-ad-3.clouds.archive.ubuntu.com/ubuntu noble/main amd64 Packages Description: program for managing a Netfilter firewall The Uncomplicated FireWall is a front-end for iptables, to make managing a Netfilter firewall easier. It provides a command line interface with syntax similar to OpenBSD's Packet Filter. It is particularly well-suited as a host-based firewall. Post do-release-upgrade, iptables-persistent and netfilter-persistent are removed, which breaks any machines that relied on their configuration. - - [Test Plan] - - 1. Start a Jammy LXD container and obtain a shell. 
- - $ lxc launch ubuntu-daily:jammy jammy - $ lxc exec jammy bash - - 2. In the container, install netfilter-persistent and iptables- - persistent. - - $ apt install netfilter-persistent iptables-persistent -y - - 3. Run a release upgrade. To test with noble-proposed, the --proposed - flag is needed. - - $ do-release-upgrade --proposed - - 4. Answer prompts as needed so that the upgrade runs as expected. After - the upgrade has finished, verify that the packages have not been - removed. - - $ apt policy netfilter-persistent iptables-persistent - - 5. Check the upgrade log to verify messages are present explaining that - these packages are kept. - - $ grep "Keeping.*-persistent" /var/log/dist-upgrade/main.log - - [Where problems could occur] - - This quirk requires manipulating the apt cache. It does so only for the - ufw, netfilter-persistent, and iptables-persistent packages. If these - package names were misspelled in the code, that would cause the quirk to - be wrong. Any problems would most likely be surrounding whether or not - these packages are installed. This quirk _should_ do nothing when (a) - not upgrading from jammy, (b) ufw is not installed, or (c) neither - netfilter-persistent nor iptables-persistent are installed.
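Review bot: The added [Test plan] states only the expected end state ("persistent and netfilter-persistent should remain installed, and ufw removed") while the removed [Test Plan] steps 1 to 5 are deleted without replacement, so whoever verifies the upload has no procedure to follow. Suggest keeping the container-based steps (`lxc launch ubuntu-daily:jammy jammy`, `apt install netfilter-persistent iptables-persistent -y`, `do-release-upgrade --proposed`) and updating the final checks to the new behaviour: use `apt policy` to confirm both persistent packages are still installed and that ufw is no longer installed, and state whether the `grep "Keeping.*-persistent"` log check still applies after the revert noted under [Other Info]. The added [Where problems could occur] names ufw reverse dependencies as the risk, so the plan should also cover a system with such a package installed and record what the upgrade removes. In the added [Impact] and [Test plan] lines, "-persistent packages" and "persistent and netfilter-persistent" look like they lost the "iptables" prefix; spell out iptables-persistent to match the package names used in the rest of the description.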
-- 
https://bugs.launchpad.net/bugs/2061891

Title: Noble upgrade breaks iptables-persistent and netfilter-persistent usage