ufw crashed with Perhaps iptables or your kernel needs to be upgraded. in get_netfilter_capabilities()

Bug #1044361 reported by adm on 2012-08-31
This bug affects 8 people
Affects Status Importance Assigned to Milestone
ufw (Ubuntu)
Jamie Strandboge

Bug Description

it's 1st time when ufw crashed with this kernel - after 2 weeks of fine work with it

ProblemType: Crash
DistroRelease: Ubuntu 12.10
Package: ufw 0.33-0ubuntu1
Uname: Linux 3.5.1-pfz3 i686
ApportVersion: 2.5.1-0ubuntu4
Architecture: i386
Date: Fri Aug 31 17:05:00 2012
ExecutablePath: /usr/sbin/ufw
InterpreterPath: /usr/bin/python3.2mu
PackageArchitecture: all
ProcCmdline: /usr/bin/python3 /usr/sbin/ufw app update all
PythonArgs: ['/usr/sbin/ufw', 'app', 'update', 'all']
SourcePackage: ufw
Title: ufw crashed with Perhaps iptables or your kernel needs to be upgraded. in get_netfilter_capabilities()
UpgradeStatus: Upgraded to quantal on 2012-08-30 (0 days ago)

Related branches

adm (alexm-) wrote :
tags: removed: need-duplicate-check
Changed in ufw (Ubuntu):
importance: Undecided → Medium
Ubuntu QA Website (ubuntuqa) wrote :

This bug has been reported on the Ubuntu ISO testing tracker.

A list of all reports related to this bug can be found here:

tags: added: iso-testing
visibility: private → public
Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and filing a bug. Your kernel doesn't seem to have the required iptables support:
Traceback (most recent call last):
  File "/usr/sbin/ufw", line 95, in <module>
    ui = ufw.frontend.UFWFrontend(pr.dryrun)
  File "/usr/lib/python3/dist-packages/ufw/frontend.py", line 153, in __init__
    self.backend = UFWBackendIptables(dryrun)
  File "/usr/lib/python3/dist-packages/ufw/backend_iptables.py", line 45, in __init__
    ufw.backend.UFWBackend.__init__(self, "iptables", dryrun, files)
  File "/usr/lib/python3/dist-packages/ufw/backend.py", line 81, in __init__
    nf_caps = ufw.util.get_netfilter_capabilities(self.iptables)
  File "/usr/lib/python3/dist-packages/ufw/util.py", line 734, in get_netfilter_capabilities
    raise OSError(errno.ENOENT, out)
OSError: [Errno 2] FATAL: Module ip_tables not found.
iptables v1.4.12: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

I noticed that you are using a non-Ubuntu kernel '3.5.1-pfz3'. Please recompile with the necessary kernel support. You might want to use /usr/share/ufw/check-requirements to help identify what you need.

Changed in ufw (Ubuntu):
status: New → Invalid
Shahar Or (mightyiam) on 2012-09-20
Changed in ufw (Ubuntu):
status: Invalid → New
Shahar Or (mightyiam) wrote :

I had this bug* occurred while upgrading the kernel just now.

*I say "this bug" because the crash reporter decided so and opened this page.

So I marked it new.


Jamie Strandboge (jdstrand) wrote :

Shahar, what kernel did you upgrade to? (this should really have been a new bug, btw)

Changed in ufw (Ubuntu):
status: New → Incomplete
Shahar Or (mightyiam) wrote :

Dear Jamie,

This is the kernel upgrade: linux-image-generic:i386 (,

And it is on quantal.

Jamie Strandboge (jdstrand) wrote :

What is the output of this command:
$ cat /proc/version_signature

Mikael Andersson (mongomannen) wrote :

I just had this same "ufw crashed with Perhaps iptables or your kernel needs to be upgraded. in get_netfilter_capabilities()" crash on 12.10 AMD64 on first boot after a clean install. The error reporter redirected me here. I verified with lsmod that iptables was loaded.
After a reboot everything seems fine again though.

$ cat /proc/version_signature
Ubuntu 3.5.0-15.22-generic 3.5.4

On 21 September 2012 21:31, Jamie Strandboge <email address hidden> wrote:
> What is the output of this command:
> $ cat /proc/version_signature

Ubuntu 3.5.0-15.22-generic 3.5.4

Jamie Strandboge (jdstrand) wrote :

I cannot reproduce this on upgrades or with the latest 12.10 iso. However, the problem is clear: when ufw is run and iptables fails to add the ufw-test-caps chain, ufw traces back. Ufw should not be tracing back in the situation, but instead exit with error and report the problem. Commits r795 and r796 fix this by only running the capabilities checks when needed and not tracing back during those tests.

I am testing packages now and will report back when done.

Changed in ufw (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
milestone: none → ubuntu-12.10-beta-2
status: Incomplete → In Progress
Jamie Strandboge (jdstrand) wrote :

After make a small unrelated fix (r797) that curiously only affected zh_CN, test-ufw.py now passes all tests.

Jamie Strandboge (jdstrand) wrote :

I reviewed the iso-testing issues and understand the problem better in those cases. It was the netboot images that had failures-- I didn't confirm, but it makes sense that they have a reduced functionality kernel/environment such that 'ufw app update all' would fail with the reported traceback. The patch I devised will continue to make 'ufw app update all' fail with error, but now it won't traceback and cause apport to report the error. The postinst continues to use 'ufw app update all || true' when processing the ufw triggers (for exactly this reason), resolving this bug for the ISOs.

Uploaded 0.33-0ubuntu2 to 12.10.

Changed in ufw (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ufw - 0.33-0ubuntu2

ufw (0.33-0ubuntu2) quantal; urgency=low

  * debian/patches/0002-lp1044361.patch: move netfilter capabilities checking
    into initcaps(), and call initcaps() only when we need it (LP: #1044361)
  * 0003-fix-typeerror-on-error.patch: fix TypeError on error when using zh_CN
 -- Jamie Strandboge <email address hidden> Mon, 24 Sep 2012 08:52:57 -0500

Changed in ufw (Ubuntu):
status: Fix Committed → Fix Released
Savio (abhijeet) wrote :

It's very bad this bug is affects me even if i have 0.33-0ubuntu2. A few days ago i upgrade from 12.04 and here i'm with this issue.
When i first enable sudo ufw using ufw enable i got following error:

savio@saviola:~$ sudo ufw enable
ERROR: initcaps
[Errno 2] ip6tables v1.4.12: can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.

savio@saviola:~$ uname -a
Linux saviola 3.5.0-19-generic #30-Ubuntu SMP Tue Nov 13 17:48:01 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers