ERROR: problem running ufw-init iptables-restore: line 39 failed Problem running '/usr/lib/ufw/user.rules'

Related: https://github.com/archlinuxarm/PKGBUILDs/issues/578

I compiled myself the ufw-bzr version 859

I'm guessing this is because ufw-track-forward and ufw6-track-forward don't exist yet. Ubuntu is doing this on upgrades:
diff -Nru ufw-0.34~rc/debian/ufw.postinst ufw-0.34~rc/debian/ufw.postinst
--- ufw-0.34~rc/debian/ufw.postinst 2014-02-20 14:22:02.000000000 +0000
+++ ufw-0.34~rc/debian/ufw.postinst 2014-02-21 00:14:50.000000000 +0000
@@ -53,6 +53,24 @@
     fi
 }

+# If a primary chain is added to upstream, we should add it on upgrade so
+# reload works correctly
+add_primary_chain() {
+ chain="$1"
+ builtin="$2"
+ ver="$3"
+
+ exe="iptables"
+ if [ "$ver" = "6" ]; then
+ exe="ip6tables"
+ fi
+ if $exe -L "$chain" -n >/dev/null 2>&1 ; then
+ return
+ fi
+ $exe -N "$chain" || true
+ $exe -A "$builtin" -j "$chain" || true
+}
+
 case "$1" in
     configure)
         # these files are required, but don't want to change them if
@@ -110,10 +128,10 @@
         # try to use iptables, which breaks the installer
         enable_ufw "$enabled"

- # reload the firewall for IPv6 enabled by default
- if [ "$enabled" = "true" ] && [ ! -z "$2" ] && dpkg --compare-versions "$2" lt "0.30.1-2" ; then
- /lib/ufw/ufw-init stop || true
- /lib/ufw/ufw-init start || true
+ # add new primary chains on upgrade
+ if [ "$enabled" = "true" ] && [ ! -z "$2" ] && dpkg --compare-versions "$2" lt "0.34~rc-0ubuntu2" ; then
+ add_primary_chain ufw-track-forward FORWARD
+ add_primary_chain ufw6-track-forward FORWARD 6
         fi
         ;;
     triggered)

Note, this is not needed after a reboot or if you do:
sudo ufw disable
sudo /lib/ufw/ufw-init flush-all
sudo ufw enable

I get the same error:

# ufw disable
Firewall stopped and disabled on system startup
[root@serviedre ~]# /lib/ufw/ufw-init flush-all
[root@serviedre ~]# ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
ERROR: problem running ufw-init
iptables-restore: line 39 failed

Problem running '/usr/lib/ufw/user.rules'

[root@serviedre ~]#

Where is the line 39 of the iptables-restore? Can I attach some file for triage this bug?

Yes, please attach /usr/lib/ufw/user.rules.

Also, can you paste the output of:
$ sudo /usr/share/ufw/check-requirements

Here it is:

1)

# cat /usr/lib/ufw/user.rules
*filter
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-logging-deny - [0:0]
:ufw-logging-allow - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
### RULES ###

### tuple ### allow any 22 0.0.0.0/0 any 172.26.0.0/24 in
-A ufw-user-input -p tcp --dport 22 -s 172.26.0.0/24 -j ACCEPT
-A ufw-user-input -p udp --dport 22 -s 172.26.0.0/24 -j ACCEPT

### END RULES ###

### LOGGING ###
-A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
-A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
### END LOGGING ###

### RATE LIMITING ###
-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT
-A ufw-user-limit-accept -j ACCEPT
### END RATE LIMITING ###
COMMIT

2)

# cat /usr/share/ufw/check-requirements
cat: /usr/share/ufw/check-requirements: No such file or directory

Is it enough?

Thanks,

Ok, I guess Arch doesn't ship check-requirements. Can you grab it from here:
http://bazaar.launchpad.net/~jdstrand/ufw/trunk/view/head:/tests/check-requirements

and then execute it on the affected system?

Yes, of course: after wget it, I get:

# chmod +x check-requirements
[root@serviedre ~]# ./check-requirements
Has python: pass (binary: python2.7, version: 2.7.6, py2)
Has iptables: pass
Has ip6tables: pass

Has /proc/net/dev: pass
Has /proc/net/if_inet6: no

Your kernel does not have the necessary support to use ufw. You might be able to get around this if you adjust /etc/default/ufw to use IPV6=no.

I have it already. So is it a problem to archlinuxarm? Should I forward this bug to archlinux?

# cat /etc/default/ufw
# /etc/default/ufw
#

# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
IPV6=no

# Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_INPUT_POLICY="DROP"

# Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_OUTPUT_POLICY="ACCEPT"

# Set the default forward policy to ACCEPT, DROP or REJECT. Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY="DROP"

# Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
# note that setting this to ACCEPT may be a security risk. See 'man ufw' for
# details
DEFAULT_APPLICATION_POLICY="SKIP"

# By default, ufw only touches its own chains. Set this to 'yes' to have ufw
# manage the built-in chains too. Warning: setting this to 'yes' will break
# non-ufw managed firewall rules
MANAGE_BUILTINS=no

#
# IPT backend
#
# only enable if using iptables backend
IPT_SYSCTL=/etc/ufw/sysctl.conf

# Extra connection tracking modules to load. Complete list can be found in
# net/netfilter/Kconfig of your kernel source. Some common modules:
# nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support
# nf_conntrack_netbios_ns: NetBIOS (samba) client support
# nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
# nf_conntrack_ftp, nf_nat_ftp: active FTP support
# nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"

[root@serviedre ~]#

Why is it incomplete yet?

What information do you need to triage the bug?

Thanks,

I am with Xan, what other information do you need?

You did not post the complete output from check-requirements. From what little information I have, it seems you do not have everything in your kernel that ufw needs. Also, you pasted the contents of /usr/lib/ufw/user.rules, but I would need for you to attach the file file.

I reinstalled the system... so wait a while, please

Sorry but my hardware is broken. So I could not send you this files. If anyone with a Cubieboard 2 with archlinuxarm could send you...

I have the very same issue on a Banana Pi with kernel 3.19; the reason is that the kernel has no support for LOG but only for NFLOG. To work around this use 'ufw logging off && ufw enable'.
It would be great to get NFLOG support. Changeing LOG to NFLOG and --log-prefix to --nflog-prefix should suffice. Adding runtime detection would be great! ;-)

For others seeing this issue, does Adi's comment in #19 resolve the issue for you? I just noticed that Xan's running of check-requirements seemed abridged. Xan, are you able to send the full output?

Sorry, but my hardware is broken. I can't get recover that.... So I can't do anything relating to this bug. Maybe other people could making a contribution.

Marking this bug as 'Invalid' since Xan is unable to reproduce. Created https://bugs.launchpad.net/ufw/+bug/1475676 for NFLOG support.