Conflict between iptables-persistent and ufw Packages on Debian12 Bookworm

[Rutuja]

I've encountered issue while working with Debian 12 Bookworm Backport while installing `iptables-persistent` package.
It appears that there is a conflict between the `iptables-persistent` and `ufw` packages, leading to the automatic removal of the `ufw` package during the installation process.

Problem Description:

When attempting to install `iptables-persistent` on Debian 12 Bookworm, I noticed that it automatically removes the `ufw` package.
This behavior is different from Debian 10 Buster, where both packages could coexist without any issues.

Steps to Reproduce:
1. Attempt to install `iptables-persistent` on Debian 12 Bookworm.
2. Observe that the installation process automatically removes the `ufw` package.

Expected Behavior:
Ideally, both `iptables-persistent` and `ufw` should be able to coexist on the system without one package being automatically removed during the installation of the other.

Installation Issue:

Code: Select all

root@DEB-NUC11TNH-BTTN22900SU1:~# apt-get install iptables-persistent 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  netfilter-persistent
The following packages will be REMOVED:
  ufw
The following NEW packages will be installed:
  iptables-persistent netfilter-persistent
0 upgraded, 2 newly installed, 1 to remove and 3 not upgraded.
Need to get 0 B/16.4 kB of archives.
After this operation, 788 kB disk space will be freed.
Do you want to continue? [Y/n]

**Additional Information:**

This issue appears to be specific to Debian 12 Bookworm, as there were no such conflicts observed on Debian 10 Buster.

System Details :

Code: Select all

root@DEB-NUC11TNH-BTTN22900SU1:~# cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

root@DEB-NUC11TNH-BTTN22900SU1:~# uname -a
Linux DEB-NUC11TNH-BTTN22900SU1 6.5.0-0.deb12.4-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.5.10-1~bpo12+1 (2023-11-23) x86_64 GNU/Linux
root@DEB-NUC11TNH-BTTN22900SU1:~#

Thank you for your attention, and I look forward to your contributions and insights on this matter.

[CwF]

I took a cursory look in two bookworm images with iptables installed, a i686 and amd64.

Asking synaptic to install 'ufw' and 'iptables-persistent', it notified the inclusion of 'netfilter-persistent'. No conflicts, warnings or removals. I did not continue.

[fabien]

Asking synaptic to install 'ufw' and 'iptables-persistent', it notified the inclusion of 'netfilter-persistent'. No conflicts, warnings or removals.

It's strange. Does apt say the same thing?

Code: Select all

#> apt -sV install ufw netfilter-persistent
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 ufw : Breaks: netfilter-persistent but 1.0.20 is to be installed
E: Unable to correct problems, you have held broken packages.

Code: Select all

$> apt --no-pre-depends --no-depends --no-recommends --no-suggests depends ufw
ufw
  Breaks: iptables-persistent
  Breaks: netfilter-persistent

Expected Behavior:
Ideally, both `iptables-persistent` and `ufw` should be able to coexist on the system without one package being automatically removed during the installation of the other.

See /usr/share/doc/ufw/changelog.Debian.gz or https://metadata.ftp-master.debian.org/ ... _changelog

ufw (0.36.2-1) unstable; urgency=medium
[...]
* debian/control:
- Breaks with iptables-persistent and netfilter-persistent. When ufw is
installed, it is not enabled by default, so it doesn't interfere with
other firewall software (until it is enabled). In contrast,
iptables-persistent and netfilter-persistent install enabled, which
interferes with ufw. Add a breaks on these to avoid them being
co-installed with ufw (and causing problems for users).
[...]
Sat, 15 Oct 2022 12:54:27 +0200

[CwF]

Does apt say the same thing?

No, I get the same warning with apt as you do, interesting.

I'd expect if I continued with synaptic I would see the warning with listchanges, which is not installed either. I didn't want to blow anything up at the moment!

On tangent, one take away may be apt-listchanges is appropriate even for stable! I may have read some opinion thinking it is not applicable to stable. The minimal images would be upgraded after others with listchanges, so I'd see it there...

Back on point, I'm not so familiar yet. If the two methodologies compete and are now diverging then the answer is to pick one?