Noble upgrade breaks iptables-persistent and netfilter-persistent usage

Bug #2061891 reported by Stefan Hammer
This bug affects 2 people
Affects                           Status         Importance  Assigned to    Milestone
Release Notes for Ubuntu          New            Undecided   Unassigned
ubuntu-release-upgrader (Ubuntu)  In Progress    Undecided   Nick Rosbrook
  Noble                           Fix Committed  Undecided   Nick Rosbrook

Bug Description

[Impact]
ufw and -persistent packages both manage the firewall, hence they conflict but they accidentally had no conflicts in jammy. If both are installed, persistent packages will store and restore firewall configuration, so ufw cannot really be used.

Noble adds a conflicts from ufw to the persistent packages, but we end up removing the persistent packages rather than ufw, which is wrong - they are in charge.

[Test plan]
persistent and netfilter-persistent should remain installed, and ufw removed to preserve user config.

[Where problems could occur]
There may be ufw reverse dependencies that could get removed.

[Other Info]
The fix (released) in 1:24.04.15 is reverted and improved in 1:24.04.17 (upload).

[Original bug report]
Upgrade from Jammy to Noble breaks iptables-persistent and netfilter-persistent firewall configuration if ufw is also installed pre-upgrade, removing them.

from /var/log/dist-upgrade/apt.log:
Broken ufw:amd64 Breaks on iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU >
  Considering iptables-persistent:amd64 -1 as a solution to ufw:amd64 5
  Added iptables-persistent:amd64 to the remove list
  Conflicts//Breaks against version 1.0.16 for iptables-persistent but that is not InstVer, ignoring
Broken ufw:amd64 Breaks on netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU >
  Considering netfilter-persistent:amd64 0 as a solution to ufw:amd64 5
  Added netfilter-persistent:amd64 to the remove list
  Conflicts//Breaks against version 1.0.16 for netfilter-persistent but that is not InstVer, ignoring
  MarkDelete iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0
  Fixing ufw:amd64 via remove of iptables-persistent:amd64
  MarkDelete netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0
  Fixing ufw:amd64 via remove of netfilter-persistent:amd64

ufw 0.36.2-1 adds the Breaks:
$ apt show ufw
Package: ufw
Version: 0.36.2-6
Priority: standard
Section: admin
Origin: Ubuntu
Maintainer: Jamie Strandboge <email address hidden>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 869 kB
Depends: iptables, ucf, python3:any, debconf (>= 0.5) | debconf-2.0
Suggests: rsyslog
Breaks: iptables-persistent, netfilter-persistent
Homepage: https://launchpad.net/ufw
Task: standard
Download-Size: 169 kB
APT-Manual-Installed: no
APT-Sources: http://phx-ad-3.clouds.archive.ubuntu.com/ubuntu noble/main amd64 Packages
Description: program for managing a Netfilter firewall
 The Uncomplicated FireWall is a front-end for iptables, to make managing a
 Netfilter firewall easier. It provides a command line interface with syntax
 similar to OpenBSD's Packet Filter. It is particularly well-suited as a
 host-based firewall.

Post do-release-upgrade, iptables-persistent and netfilter-persistent are removed, which breaks any machines that relied on their configuration.
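
An added example, not part of the bug report or of ubuntu-release-upgrader: a shell check that reads the resolver decisions in the apt.log format quoted above and reports whether the -persistent packages were removed to satisfy ufw's Breaks. The function names and the foo/bar sample line are assumptions made for illustration; the other sample lines are copied from the report.

```shell
#!/bin/sh
# Added example, not part of the bug report or ubuntu-release-upgrader.

# Print "removed-package breaking-package" for every removal the resolver
# chose in order to fix a Breaks, as logged in dist-upgrade's apt.log.
removed_for_breaks() {
    awk -v want="${2:-}" '
        # Matches: "  Fixing ufw:amd64 via remove of iptables-persistent:amd64"
        $1 == "Fixing" && $3 == "via" && $4 == "remove" && $5 == "of" {
            b = $2; r = $6
            sub(/:.*/, "", b); sub(/:.*/, "", r)    # strip the ":amd64" suffix
            if (want == "" || b == want) print r, b
        }' "$1" | sort -u
}

# Succeeds if a -persistent package was removed in favour of ufw.
firewall_persistence_lost() {
    removed_for_breaks "$1" ufw |
        grep -Eq '^(iptables|netfilter)-persistent ufw$'
}

# Sample input: resolver lines copied from the report, plus one constructed
# line (foo/bar are made-up package names) to show the filter ignoring others.
write_sample_log() {
    cat > "$1" <<'EOF'
Broken ufw:amd64 Breaks on iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU >
  Considering iptables-persistent:amd64 -1 as a solution to ufw:amd64 5
  Added iptables-persistent:amd64 to the remove list
  MarkDelete iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0
  Fixing ufw:amd64 via remove of iptables-persistent:amd64
  MarkDelete netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0
  Fixing ufw:amd64 via remove of netfilter-persistent:amd64
  Fixing foo:amd64 via remove of bar:amd64
EOF
}

# Use the log given as $1 or the default path; fall back to the sample.
log=${1:-/var/log/dist-upgrade/apt.log}
if [ ! -r "$log" ]; then
    log=$(mktemp) && write_sample_log "$log"
fi
if firewall_persistence_lost "$log"; then
    echo "firewall persistence packages were removed to satisfy ufw:"
    removed_for_breaks "$log" ufw
fi
```

A positive result means the saved rules are no longer restored at boot, so the host's active ruleset should be reviewed before it is returned to service.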

Changed in ubuntu-release-upgrader (Ubuntu Noble):
milestone: none → ubuntu-24.04
Changed in ubuntu-release-upgrader (Ubuntu Noble):
status: New → Triaged
Nick Rosbrook (enr0n)
Changed in ubuntu-release-upgrader (Ubuntu Noble):
status: Triaged → In Progress
assignee: nobody → Nick Rosbrook (enr0n)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-release-upgrader - 1:24.04.15

---------------
ubuntu-release-upgrader (1:24.04.15) noble; urgency=medium

  * DistUpgrade.cfg.jammy: keep {netfilter,iptables}-persistent installed
    (LP: #2061891)
  * Run pre-build.sh: updating mirrors, demotions, and translations.

 -- Nick Rosbrook <email address hidden> Wed, 17 Apr 2024 17:10:33 -0400

Changed in ubuntu-release-upgrader (Ubuntu Noble):
status: In Progress → Fix Released
Nick Rosbrook (enr0n)
Changed in ubuntu-release-upgrader (Ubuntu Noble):
status: Fix Released → In Progress
description: updated
description: updated
description: updated
Nick Rosbrook (enr0n)
description: updated
description: updated
Mauricio Faria de Oliveira (mfo) wrote :

Hi Nick and Julian,

Thanks for the fix and SRU template!

Question:

IIUIC, the fix simply removes 'ufw' if '{iptables,netfilter}-persistent' is installed.

But is it possible that removing ufw is the wrong thing to do in some particular case?
Say, if the user actually used/configured ufw instead of the -persistent packages.

That seems possible, as users could have both installed previously, right?
(The bug report says both ufw/-persistent 'had no conflicts in jammy').

Thanks!

PS: I added an 'Other Info' section to the SRU template to clarify the 'fix released' in comment #1.

Changed in ubuntu-release-upgrader (Ubuntu Noble):
status: In Progress → Incomplete
Julian Andres Klode (juliank) wrote :

If users had installed both, any configuration made by ufw would have been persisted by the -persistent packages and hence would be restored by it.

They inadvertently had no Conflicts relationship declared, but sure enough conflicted in practice.

There doesn't seem to be a reason why you'd install persistent and disable its persistence service units.

Changed in ubuntu-release-upgrader (Ubuntu Noble):
status: Incomplete → Triaged
status: Triaged → In Progress
Mauricio Faria de Oliveira (mfo) wrote :

Ok; thanks for clarifying.

Steve Langasek (vorlon) wrote : Please test proposed package

Hello Stefan, or anyone else affected,

Accepted ubuntu-release-upgrader into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-release-upgrader/1:24.04.17 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ubuntu-release-upgrader (Ubuntu Noble):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-noble