AlmaLinux 9 - yum update - iptables-legacy and iptables-libs conflict

Hey! Does anyone know how to fix this?

I use iptables and don’t want to lose the current rules. I also have fail2ban and docker (which add rules too), and ipsets (manually managed).

I’ve updated everything else I could, using the --skip-broken --nobest flags.

Thanks!

# yum update
Last metadata expiration check: 1:02:11 ago on Tue 02 Apr 2024 07:48:49 AM UTC.
Error:
 Problem 1: package iptables-legacy-1.8.8-6.el9.2.x86_64 from @System requires (iptables-libs(x86-64) = 1.8.8-6.el9 or iptables-libs(x86-64) = 1.8.8-6.el9_1), but none of the providers can be installed
  - cannot install both iptables-libs-1.8.10-2.el9.x86_64 from baseos and iptables-libs-1.8.8-6.el9.x86_64 from @System
  - cannot install both iptables-libs-1.8.8-6.el9.x86_64 from baseos and iptables-libs-1.8.10-2.el9.x86_64 from baseos
  - cannot install the best update candidate for package iptables-libs-1.8.8-6.el9.x86_64
  - cannot install the best update candidate for package iptables-legacy-1.8.8-6.el9.2.x86_64
 Problem 2: problem with installed package iptables-legacy-1.8.8-6.el9.2.x86_64
  - package iptables-legacy-1.8.8-6.el9.2.x86_64 from @System requires (iptables-libs(x86-64) = 1.8.8-6.el9 or iptables-libs(x86-64) = 1.8.8-6.el9_1), but none of the providers can be installed
  - package iptables-legacy-1.8.8-6.el9.2.x86_64 from epel requires (iptables-libs(x86-64) = 1.8.8-6.el9 or iptables-libs(x86-64) = 1.8.8-6.el9_1), but none of the providers can be installed
  - cannot install both iptables-libs-1.8.10-2.el9.x86_64 from baseos and iptables-libs-1.8.8-6.el9.x86_64 from @System
  - cannot install both iptables-libs-1.8.8-6.el9.x86_64 from baseos and iptables-libs-1.8.10-2.el9.x86_64 from baseos
  - package iptables-nft-1.8.10-2.el9.x86_64 from baseos requires iptables-libs(x86-64) = 1.8.10-2.el9, but none of the providers can be installed
  - cannot install the best update candidate for package iptables-nft-1.8.8-6.el9.x86_64
(try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)

It seems like there is a conflict between versions of iptables-libs. I’m not sure how to solve it precisely, but you can try clearing the yum cache using yum clean all, then running yum update again.

You can also try running yum list installed iptables\* to view what is currently installed and conflicts with what you want to install, remove it if possible, then install the desired versions.

Hopefully this is helpful. I’ll admit I haven’t messed around with yum that much lately.

1 Like

First, a note: yum is a symlink to dnf. Two names, same tool. The update command is a deprecated alias. Another alias is up. So dnf up is yum up is yum update.

AlmaLinux 9 has iptables-nft-1.8.8-6.el9_1 and iptables-libs-1.8.8-6.el9_1.
EPEL has iptables-legacy-1.8.8-6.el9.2 and iptables-legacy-libs-1.8.8-6.el9.2.

I had iptables-nft and iptables-libs installed, and dnf install iptables-legacy did pull in iptables-legacy and iptables-legacy-libs from EPEL with no issue.


If one has a copy of the rules, then it should not be an issue to uninstall iptables-legacy and then reinstall it. Or perhaps install iptables-legacy-libs explicitly.


iptables-nft and iptables-legacy seem to coexist via alternatives.


iptables-nft includes the tools iptables-translate and ip6tables-translate, which can be used to translate an iptables ruleset into nftables syntax for use natively with nftables.service.

How do fail2ban and docker actually update rules?
Do they call iptables? The version from iptables-nft should be able to handle most calls.
Can they be configured to use nftables as a backend?

1 Like
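
One way to take the "copy of rules" mentioned above before removing or reinstalling iptables-legacy, shown as an added example that is not code from anyone in the thread. It assumes the *-legacy-save, *-nft-save and ipset commands are on PATH and that it runs as root; the function names and backup directory are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: snapshot firewall state from both
# iptables backends (plus ipsets) before touching the iptables packages.

# Classify a version banner such as "iptables v1.8.8 (legacy)".
backend_of() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Run "$@" and write stdout to file $1; drop the file if the command fails.
save_to() {
    out=$1; shift
    if "$@" > "$out" 2> "$out.err"; then return 0; fi
    rm -f "$out"
    return 1
}

# Save every reachable rule set into directory $1 and print the file count.
backup_firewall_state() {
    dir=$1; saved=0
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    for tool in iptables-legacy-save ip6tables-legacy-save \
                iptables-nft-save ip6tables-nft-save; do
        command -v "$tool" >/dev/null 2>&1 || continue
        if save_to "$dir/$tool.rules" "$tool"; then saved=$((saved + 1)); fi
    done
    # ipsets are kept outside the iptables rule dump (assumes "ipset save").
    if command -v ipset >/dev/null 2>&1 &&
       save_to "$dir/ipset.save" ipset save; then saved=$((saved + 1)); fi
    # Record which backend the plain "iptables" command resolves to right now.
    if command -v iptables >/dev/null 2>&1; then
        backend_of "$(iptables -V 2>/dev/null)" > "$dir/active-backend"
    fi
    echo "$saved"
}

# Usage: sh fw-backup.sh --run /root/fw-backup   (file name is hypothetical)
if [ "${1:-}" = "--run" ]; then
    backup_firewall_state "${2:-./fw-backup}"
fi
```

The legacy and nft backends keep separate rule sets in the kernel, so both dumps are worth keeping; the dumps will also contain whatever docker and fail2ban had inserted at the time of the snapshot.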