Bug 2349297 - iptables-services package should be renamed or removed entirely
Summary: iptables-services package should be renamed or removed entirely
Keywords:
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: iptables-epel
Version: epel9
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Michel Lind
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2025-03-02 22:20 UTC by James Ralston
Modified: 2025-03-10 07:05 UTC
CC List: 4 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:



Description James Ralston 2025-03-02 22:20:07 UTC
Description of problem:

EPEL provides the `iptables-services` package for EPEL 9, but this package duplicates the functionality of the `iptables-nft-services` package that RHEL 9 already provides:

EPEL:

```
$ curl -L -O -R -J https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/i/iptables-services-1.8.10-11.1.el9.noarch.rpm
$ rpm -qplv iptables-services-1.8.10-11.1.el9.noarch.rpm
warning: iptables-services-1.8.10-11.1.el9.noarch.rpm: Header V4 RSA/SHA256 Signature, key ID 3228467c: NOKEY
-rw-------    1 root     root                      635 Feb 12 22:59 /etc/sysconfig/ip6tables
-rw-------    1 root     root                     2134 Feb 12 22:59 /etc/sysconfig/ip6tables-config
-rw-------    1 root     root                      550 Feb 12 22:59 /etc/sysconfig/iptables
-rw-------    1 root     root                     2116 Feb 12 22:59 /etc/sysconfig/iptables-config
-rw-r--r--    1 root     root                      439 Feb 12 22:59 /usr/lib/systemd/system/ip6tables.service
-rw-r--r--    1 root     root                      434 Feb 12 22:59 /usr/lib/systemd/system/iptables.service
drwxr-xr-x    2 root     root                        0 Feb 12 22:59 /usr/libexec/initscripts/legacy-actions/ip6tables
-rwxr-xr-x    1 root     root                       64 Feb 12 22:59 /usr/libexec/initscripts/legacy-actions/ip6tables/panic
-rwxr-xr-x    1 root     root                       63 Feb 12 22:59 /usr/libexec/initscripts/legacy-actions/ip6tables/save
drwxr-xr-x    2 root     root                        0 Feb 12 22:59 /usr/libexec/initscripts/legacy-actions/iptables
-rwxr-xr-x    1 root     root                       63 Feb 12 22:59 /usr/libexec/initscripts/legacy-actions/iptables/panic
-rwxr-xr-x    1 root     root                       62 Feb 12 22:59 /usr/libexec/initscripts/legacy-actions/iptables/save
drwxr-xr-x    2 root     root                        0 Feb 12 22:59 /usr/libexec/iptables
-rwxr-xr-x    1 root     root                    10586 Feb 12 22:59 /usr/libexec/iptables/ip6tables.init
-rwxr-xr-x    1 root     root                    10459 Feb 12 22:59 /usr/libexec/iptables/iptables.init
```

Versus RHEL 9 (CentOS Stream 9 actually, but RHEL 9 is the same):

```
$ curl -L -O -R -J https://mirror.stream.centos.org/9-stream/AppStream/x86_64/os/Packages/iptables-nft-services-1.8.10-11.el9.noarch.rpm
$ rpm -qplv iptables-nft-services-1.8.10-11.el9.noarch.rpm
-rw-r--r--    1 root     root                        0 Dec 23 11:54 /etc/sysconfig/arptables
-rw-r--r--    1 root     root                        0 Dec 23 11:54 /etc/sysconfig/ebtables
-rw-------    1 root     root                      417 Dec 23 11:54 /etc/sysconfig/ebtables-config
-rw-------    1 root     root                      635 Dec 23 11:54 /etc/sysconfig/ip6tables
-rw-------    1 root     root                     2134 Dec 23 11:54 /etc/sysconfig/ip6tables-config
-rw-------    1 root     root                      550 Dec 23 11:54 /etc/sysconfig/iptables
-rw-------    1 root     root                     2116 Dec 23 11:54 /etc/sysconfig/iptables-config
-rw-r--r--    1 root     root                      265 Dec 23 11:53 /usr/lib/systemd/system/arptables.service
-rw-r--r--    1 root     root                      222 Dec 23 11:53 /usr/lib/systemd/system/ebtables.service
-rw-r--r--    1 root     root                      439 Dec 23 11:54 /usr/lib/systemd/system/ip6tables.service
-rw-r--r--    1 root     root                      434 Dec 23 11:54 /usr/lib/systemd/system/iptables.service
-rwxr-xr-x    1 root     root                     1931 Dec 23 11:54 /usr/libexec/ebtables-helper
drwxr-xr-x    2 root     root                        0 Dec 23 11:54 /usr/libexec/initscripts/legacy-actions/ip6tables
-rwxr-xr-x    1 root     root                       64 Dec 23 11:54 /usr/libexec/initscripts/legacy-actions/ip6tables/panic
-rwxr-xr-x    1 root     root                       63 Dec 23 11:54 /usr/libexec/initscripts/legacy-actions/ip6tables/save
drwxr-xr-x    2 root     root                        0 Dec 23 11:54 /usr/libexec/initscripts/legacy-actions/iptables
-rwxr-xr-x    1 root     root                       63 Dec 23 11:54 /usr/libexec/initscripts/legacy-actions/iptables/panic
-rwxr-xr-x    1 root     root                       62 Dec 23 11:54 /usr/libexec/initscripts/legacy-actions/iptables/save
drwxr-xr-x    2 root     root                        0 Dec 23 11:54 /usr/libexec/iptables
-rwxr-xr-x    1 root     root                    10586 Dec 23 11:54 /usr/libexec/iptables/ip6tables.init
-rwxr-xr-x    1 root     root                    10459 Dec 23 11:54 /usr/libexec/iptables/iptables.init
```

Moreover, the RHEL 9 `iptables-nft-services` package has a virtual provides for `iptables-services`, so anything that requires `iptables-services` can be satisfied by `iptables-nft-services`:

```
$ rpm -qp --provides iptables-nft-services-1.8.10-11.el9.noarch.rpm
arptables-services
config(iptables-nft-services) = 1.8.10-11.el9
ebtables-services
iptables-nft-services = 1.8.10-11.el9
iptables-services = 1.8.10-11.el9
```

But explicit dependencies on `iptables-services` will be preferentially satisfied via the `iptables-services` package (if present), instead of the `iptables-nft-services` package, because `iptables-nft-services` obsoletes only older versions of `iptables-services`:

```
$ rpm -qp --obsoletes iptables-nft-services-1.8.10-11.el9.noarch.rpm
iptables-arptables <= 1.8.4
iptables-ebtables <= 1.8.4
iptables-nft-compat <= 1.8.7-19
iptables-services <= 1.8.4
```

Thus, the presence of the `iptables-services` package in EPEL 9 will cause systems that enable EPEL to preferentially install `iptables-services` over `iptables-nft-services`.

Moreover, the presence of this package has created downstream confusion, where others believe that the package is necessary:

(https://github.com/puppetlabs/puppetlabs-firewall/issues/1254)

Finally, due to version-specific dependencies, whenever Red Hat releases updated iptables packages, the presence of the EPEL `iptables-services` package typically breaks `dnf upgrade`.  In fact, most of the recent tickets filed against the `iptables-epel` package have been precipitated by exactly this breakage.

Based on all of the above, I believe the correct response is to remove the `iptables-services` package from EPEL 9 entirely:

* This package duplicates the `iptables-nft-services` package that Red
  Hat provides, and it is the policy of EPEL to not duplicate Red Hat
  packages.

* The duplication is not innocuous; it has broken `dnf upgrade` in the
  past, and can be expected to do so again in the future.

* Anything that requires `iptables-services` will be satisfied by the
  `iptables-nft-services` package that RHEL 9 already provides, which
  provides the same functionality.

Please remove the `iptables-services` package from EPEL 9.

If the goal of the `iptables-services` package is to enable the `iptables-legacy` package to work correctly if the NFT-based iptables cannot be used, and it needs to be present for that reason, then probably the best solution is to rename the EPEL 9 `iptables-services` package to `iptables-legacy-services`.
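An added example, not part of the bug report or of the iptables packaging: the decision the report turns on (whether the `Obsoletes:` range carried by `iptables-nft-services` covers a given `iptables-services` build) reduced to a runnable check. It reimplements rpm's segment-wise version ordering (`rpmvercmp`) and rpm's epoch:version-release matching rule (a release is compared only when both sides carry one), then runs the Obsoletes list quoted in the report against the EPEL version `1.8.10-11.1.el9`. The `1.8.4-20.el8` value and the function and constant names (`obsoleted_by`, `NFT_SERVICES_OBSOLETES`, and so on) are constructed for this illustration.

```python
"""Does an Obsoletes/Requires range cover a given package version?

Pure-Python reimplementation of rpm's version ordering, applied to the
Obsoletes list quoted in the report (added example, not rpm's own code).
"""
import re

# Maximal runs of digits, runs of letters, and the '~' / '^' markers.
# Every other character is a separator and carries no ordering weight.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|[~^]")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 ordering `a` against `b` as rpm's rpmvercmp does:
    digit runs compare numerically (leading zeros dropped), letter runs
    lexically, a digit run beats a letter run, '~' sorts below everything
    including end-of-string (1.0~rc1 < 1.0), and '^' sorts above
    end-of-string but below any real segment (1.0^post1 > 1.0 < 1.0.1)."""
    if a == b:
        return 0
    ta, tb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    i = 0
    while i < len(ta) or i < len(tb):
        x = ta[i] if i < len(ta) else None
        y = tb[i] if i < len(tb) else None
        if x == "~" or y == "~":          # tilde side is always lower
            if x != "~":
                return 1
            if y != "~":
                return -1
            i += 1
            continue
        if x == "^" or y == "^":          # caret beats end-of-string only
            if x is None:
                return -1
            if y is None:
                return 1
            if x != "^":
                return 1
            if y != "^":
                return -1
            i += 1
            continue
        if x is None or y is None:        # one side ran out of segments
            break
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:                # numeric segment beats alpha
            return 1 if x_num else -1
        if x_num:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):          # more digits means larger
                return 1 if len(x) > len(y) else -1
        if x != y:                        # same length/type: plain strcmp
            return 1 if x > y else -1
        i += 1
    if i >= len(ta) and i >= len(tb):     # equal apart from separators
        return 0
    return 1 if i < len(ta) else -1       # whoever has segments left wins


def parse_evr(evr: str):
    """Split 'E:V-R' into (int epoch, version, release-or-None)."""
    epoch, rest = "0", evr
    if ":" in rest:
        epoch, rest = rest.split(":", 1)
    if "-" in rest:
        version, release = rest.rsplit("-", 1)
    else:
        version, release = rest, None
    return int(epoch), version, release


def compare_evr(a: str, b: str) -> int:
    """Order two E:V-R strings the way rpm matches a versioned dependency:
    epoch first, then version, then release only if both sides have one."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    rc = rpmvercmp(va, vb)
    if rc != 0 or ra is None or rb is None:
        return rc
    return rpmvercmp(ra, rb)


_ACCEPT = {"<": {-1}, "<=": {-1, 0}, "=": {0}, ">=": {0, 1}, ">": {1}}


def in_range(evr: str, op: str, bound: str) -> bool:
    """True if package version `evr` satisfies the range `op bound`."""
    return compare_evr(evr, bound) in _ACCEPT[op]


def parse_dep(line: str):
    """'name <= 1.8.4' -> ('name', '<=', '1.8.4'); bare 'name' -> (name, None, None)."""
    parts = line.split()
    return (parts[0], None, None) if len(parts) == 1 else tuple(parts)


def obsoleted_by(name: str, evr: str, obsoletes: list[str]) -> bool:
    """True if some Obsoletes line covers name-evr, i.e. the solver would
    replace that package instead of keeping it to satisfy a Requires."""
    for line in obsoletes:
        dep_name, op, bound = parse_dep(line)
        if dep_name == name and (op is None or in_range(evr, op, bound)):
            return True
    return False


# Obsoletes of iptables-nft-services-1.8.10-11.el9 as printed by
# `rpm -qp --obsoletes` in the report above.
NFT_SERVICES_OBSOLETES = [
    "iptables-arptables <= 1.8.4",
    "iptables-ebtables <= 1.8.4",
    "iptables-nft-compat <= 1.8.7-19",
    "iptables-services <= 1.8.4",
]

if __name__ == "__main__":
    epel = "1.8.10-11.1.el9"   # the EPEL 9 iptables-services build from the report
    old = "1.8.4-20.el8"       # constructed EL8-era version, for contrast
    for evr in (epel, old):
        print(f"iptables-services-{evr} obsoleted by iptables-nft-services:",
              obsoleted_by("iptables-services", evr, NFT_SERVICES_OBSOLETES))
```

The same question can be put to a live system with `rpm -q --obsoletes iptables-nft-services` and `rpm -q iptables-services`; the script only makes the comparison rpm performs visible offline. Note the release-matching rule it encodes: a bound without a release (`<= 1.8.4`) covers every build of 1.8.4, whereas a bound with one (`<= 1.8.7-19`) does not cover `1.8.7-19.el9`, because the disttag makes that release sort higher.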

