Bug 2349297 - iptables-services package should be renamed or removed entirely
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: iptables-epel
Version: epel9
Hardware: Unspecified
OS: Unspecified
Assignee: Michel Lind
Reported: 2025-03-02 22:20 UTC by James Ralston
Modified: 2026-05-15 20:35 UTC (History)
Type: Bug

Description James Ralston 2025-03-02 22:20:07 UTC
Description of problem:

EPEL provides the `iptables-services` package for EPEL 9, but this package duplicates the functionality of the `iptables-nft-services` that RHEL 9 already provides:

EPEL:

```
$ curl -L -O -R -J https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/i/iptables-services-1.8.10-11.1.el9.noarch.rpm
$ rpm -qplv iptables-services-1.8.10-11.1.el9.noarch.rpm
warning: iptables-services-1.8.10-11.1.el9.noarch.rpm: Header V4 RSA/SHA256 Signature, key ID 3228467c: NOKEY
-rw-------    1 root     root                      635 Feb 12 22:59 /etc/sysconfig/ip6tables
-rw-------    1 root     root                     2134 Feb 12 22:59 /etc/sysconfig/ip6tables-config
-rw-------    1 root     root                      550 Feb 12 22:59 /etc/sysconfig/iptables
-rw-------    1 root     root                     2116 Feb 12 22:59 /etc/sysconfig/iptables-config
-rw-r--r--    1 root     root                      439 Feb 12 22:59 /usr/lib/systemd/system/ip6tables.service
-rw-r--r--    1 root     root                      434 Feb 12 22:59 /usr/lib/systemd/system/iptables.service
drwxr-xr-x    2 root     root                        0 Feb 12 22:59 /usr/libexec/initscripts/legacy-actions/ip6tables
-rwxr-xr-x    1 root     root                       64 Feb 12 22:59 /usr/libexec/initscripts/legacy-actions/ip6tables/panic
-rwxr-xr-x    1 root     root                       63 Feb 12 22:59 /usr/libexec/initscripts/legacy-actions/ip6tables/save
drwxr-xr-x    2 root     root                        0 Feb 12 22:59 /usr/libexec/initscripts/legacy-actions/iptables
-rwxr-xr-x    1 root     root                       63 Feb 12 22:59 /usr/libexec/initscripts/legacy-actions/iptables/panic
-rwxr-xr-x    1 root     root                       62 Feb 12 22:59 /usr/libexec/initscripts/legacy-actions/iptables/save
drwxr-xr-x    2 root     root                        0 Feb 12 22:59 /usr/libexec/iptables
-rwxr-xr-x    1 root     root                    10586 Feb 12 22:59 /usr/libexec/iptables/ip6tables.init
-rwxr-xr-x    1 root     root                    10459 Feb 12 22:59 /usr/libexec/iptables/iptables.init
```

Versus RHEL 9 (CentOS Stream 9 actually, but RHEL 9 is the same):

```
$ curl -L -O -R -J https://mirror.stream.centos.org/9-stream/AppStream/x86_64/os/Packages/iptables-nft-services-1.8.10-11.el9.noarch.rpm
$ rpm -qplv iptables-nft-services-1.8.10-11.el9.noarch.rpm
-rw-r--r--    1 root     root                        0 Dec 23 11:54 /etc/sysconfig/arptables
-rw-r--r--    1 root     root                        0 Dec 23 11:54 /etc/sysconfig/ebtables
-rw-------    1 root     root                      417 Dec 23 11:54 /etc/sysconfig/ebtables-config
-rw-------    1 root     root                      635 Dec 23 11:54 /etc/sysconfig/ip6tables
-rw-------    1 root     root                     2134 Dec 23 11:54 /etc/sysconfig/ip6tables-config
-rw-------    1 root     root                      550 Dec 23 11:54 /etc/sysconfig/iptables
-rw-------    1 root     root                     2116 Dec 23 11:54 /etc/sysconfig/iptables-config
-rw-r--r--    1 root     root                      265 Dec 23 11:53 /usr/lib/systemd/system/arptables.service
-rw-r--r--    1 root     root                      222 Dec 23 11:53 /usr/lib/systemd/system/ebtables.service
-rw-r--r--    1 root     root                      439 Dec 23 11:54 /usr/lib/systemd/system/ip6tables.service
-rw-r--r--    1 root     root                      434 Dec 23 11:54 /usr/lib/systemd/system/iptables.service
-rwxr-xr-x    1 root     root                     1931 Dec 23 11:54 /usr/libexec/ebtables-helper
drwxr-xr-x    2 root     root                        0 Dec 23 11:54 /usr/libexec/initscripts/legacy-actions/ip6tables
-rwxr-xr-x    1 root     root                       64 Dec 23 11:54 /usr/libexec/initscripts/legacy-actions/ip6tables/panic
-rwxr-xr-x    1 root     root                       63 Dec 23 11:54 /usr/libexec/initscripts/legacy-actions/ip6tables/save
drwxr-xr-x    2 root     root                        0 Dec 23 11:54 /usr/libexec/initscripts/legacy-actions/iptables
-rwxr-xr-x    1 root     root                       63 Dec 23 11:54 /usr/libexec/initscripts/legacy-actions/iptables/panic
-rwxr-xr-x    1 root     root                       62 Dec 23 11:54 /usr/libexec/initscripts/legacy-actions/iptables/save
drwxr-xr-x    2 root     root                        0 Dec 23 11:54 /usr/libexec/iptables
-rwxr-xr-x    1 root     root                    10586 Dec 23 11:54 /usr/libexec/iptables/ip6tables.init
-rwxr-xr-x    1 root     root                    10459 Dec 23 11:54 /usr/libexec/iptables/iptables.init
```

Moreover, the RHEL 9 `iptables-nft-services` package has a virtual provides for `iptables-services`, so anything that requires `iptables-services` can be satisfied by `iptables-nft-services`:

```
$ rpm -qp --provides iptables-nft-services-1.8.10-11.el9.noarch.rpm
arptables-services
config(iptables-nft-services) = 1.8.10-11.el9
ebtables-services
iptables-nft-services = 1.8.10-11.el9
iptables-services = 1.8.10-11.el9
```

But explicit dependencies on `iptables-services` will be preferentially satisfied via the `iptables-services` package (if present), instead of the `iptables-nft-services` package, because `iptables-nft-services` obsoletes only older versions of `iptables-services`:

```
$ rpm -qp --obsoletes iptables-nft-services-1.8.10-11.el9.noarch.rpm
iptables-arptables <= 1.8.4
iptables-ebtables <= 1.8.4
iptables-nft-compat <= 1.8.7-19
iptables-services <= 1.8.4
```

Thus, the presence of the `iptables-services` package in EPEL 9 will cause systems that enable EPEL to preferentially install `iptables-services` over `iptables-nft-iptables`.

Moreover, the presence of this package has created downstream confusion, where others believe that the package is necessary:

(https://github.com/puppetlabs/puppetlabs-firewall/issues/1254)

Finally, due to version-specific dependencies, whenever Red Hat releases updated iptables packages, the presence of the EPEL `iptables-services` package typically breaks `dnf upgrade`. In fact, most of the recent tickets filed against the `iptables-epel` package have been precipitated by exactly this breakage.

Based on all of the above, I believe the correct response is to remove the `iptables-services` packages from EPEL 9 entirely:

* This package duplicates the `iptables-nft-services` package that Red
  Hat provides, and it is the policy of EPEL to not duplicate Red Hat
  packages.

* The duplication is not innocuous; it has broken `dnf upgrade` in the
  past, and can be expected to do so again in the future.

* Anything that requires `iptables-services` will be satisfied by the
  `iptables-nft-services` package that RHEL 9 already provides, which
  provides the same functionality.

Please remove the `iptables-services` package from EPEL 9.

If the goal of the `iptables-services` package is to enable the `iptables-legacy` package to work correctly if the NFT-based iptables cannot be used, and it needs to be present for that reason, then probably the best solution is to rename the EPEL 9 `iptables-services` package to `iptables-legacy-services`.
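
The Provides/Obsoletes interaction described in the report, as an added example (not part of the original report and not EPEL or Red Hat tooling): it evaluates the `--provides` and `--obsoletes` output quoted above against a given `iptables-services` version-release. Assumptions: `vercmp` is a simplified stand-in for RPM's version comparison (no epoch, `~` or `^`), and the function names are hypothetical.

```python
import re

# rpm -qp --provides / --obsoletes output for iptables-nft-services, copied from the report.
PROVIDES = """\
arptables-services
config(iptables-nft-services) = 1.8.10-11.el9
ebtables-services
iptables-nft-services = 1.8.10-11.el9
iptables-services = 1.8.10-11.el9
"""
OBSOLETES = """\
iptables-arptables <= 1.8.4
iptables-ebtables <= 1.8.4
iptables-nft-compat <= 1.8.7-19
iptables-services <= 1.8.4
"""
OPS = {"<": (-1,), "<=": (-1, 0), "=": (0,), ">=": (0, 1), ">": (1,)}

def parse_deps(text):  # 'name [op evr]' lines -> (name, op, evr) tuples
    rows = (line.split() for line in text.splitlines() if line.strip())
    return [(r[0], r[1], r[2]) if len(r) == 3 else (r[0], None, None) for r in rows]

def vercmp(a, b):
    """Simplified rpmvercmp (assumption): digit/alpha segments only, no '~' or '^'."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1      # numeric segment beats alphabetic
        kx, ky = (int(x), int(y)) if x.isdigit() else (x, y)
        if kx != ky:
            return 1 if kx > ky else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(pkg_evr, dep_evr):
    (pv, _, pr), (dv, _, dr) = pkg_evr.partition("-"), dep_evr.partition("-")
    c = vercmp(pv, dv)
    return vercmp(pr, dr) if c == 0 and dr else c  # no release in dep: any release matches

def matches(deps, name, evr):
    return any(n == name and (op is None or evr_cmp(evr, v) in OPS[op])
               for n, op, v in deps)

def status(name, evr):
    """Relation of iptables-nft-services to package `name` at version-release `evr`."""
    if matches(parse_deps(OBSOLETES), name, evr):
        return "obsoleted"
    return "coexists" if any(n == name for n, _, _ in parse_deps(PROVIDES)) else "unrelated"

if __name__ == "__main__":
    print(status("iptables-services", "1.8.10-11.1.el9"))  # EPEL 9 build from the report
```

A result of `coexists` means the name is provided but the real package is not obsoleted, which is the situation the report describes for the EPEL 9 build.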
