Author: fraser kendall
Date:
To: dng@lists.dyne.org
Subject: [DNG] Upgrade to Beowulf: iptables

I have upgraded several machines to Beowulf over the last few months.
It has only once been problematic, but that was probably due to student
error. However, there is an ongoing issue with the upgrade to
iptables-nft so before starting the upgrade I opened a separate
terminal and issued # watch iptables -L. I expected to see the existing
tables overwritten with the default (ACCEPT everything and anything)
and was ready to issue a prompt # iptables-restore < /existing/rule/set.
However, what I was not prepared for was to see that, during the
download process and before the upgraded iptables package was
installed, the 'watching' terminal suddenly reported that the iptables
command couldn't be found. It was over 5 minutes before the watching
terminal reported the expected 'upgraded' ruleset. I have two
questions.
1) Does this mean that during the upgrade process to Beowulf, there is
a minutes-long window during which the machine has no firewall at all?
2) Is this sufficiently alarming as to constitute a bug?