UFW 0.36.1 against Iptables >= 1.8

Asked by Yoghi

To say the plain truth I could check by myself but I have only old netbooks with max 2GB ram so the self check is out of my range. :(

On Debian 10 and derivatives i.e. antiX ufw 0.36.1 gives error due to iptables backend change which applies from version 1.8


On eoan I see listed as packages Iptables 1.8.3 which brings rule's syntax change and generate the error on Debian 10 and derivatives (ufw doesn't start and it's reported an error in rules).

I'm only curious to know how you have joined and made working on Ubuntu 19.10 and derivatives incompatible, with iptables 1.8 ufw 0.36.1, rule's syntax.


Also if you are glad to answer.

Many thanks indeed anyway!


Question information

English Edit question
Ubuntu ufw Edit question
No assignee Edit question
Solved by:
Manfred Hampl
Last query:
Last reply:
Revision history for this message
actionparsnip (andrew-woodhead666) said :

What is the output of:

lsb_release -a; uname -a; apt-cache policy ufw


Revision history for this message
Yoghi (info-pclinux) said :

Sorry but due to Canonical unwise decision to drop support to 32bit I'm not able to run version higher than 18.10 and in 18.10 Ufw works flawlessly cause iptables 1.6 is still in use.

That's why I asked you to check if on eoan (only 64bit) with Iptables 1.8 Ufw works.

Iptables backend change since version 1.8 led a change in rules' syntax so as already higlighted by Debian 10 & antiX-19 (still available for 32bit that's why I'm able to check) Ufw 0.36.1 rules still written with Iptables 1.6 rules' syntax should be translated as explained here https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables or rewritten from scratch to work.

Ny two cents, due to old hadware no longer considered by Canonical I'm not able to give you more.

Let me know, if you are glad, if $ ufw enable works flawlessly or return rules errors on eoan.

Revision history for this message
Manfred Hampl (m-hampl) said :

What is the output of the command

lscpu | grep -i mod

Revision history for this message
Yoghi (info-pclinux) said :

Sorry for the delay but I had to find an x64 machine which I don't own. A friend has lent me an hold netbook with an Atom N455 and I'm working since 2 days trying to figure out where is the issue.

It doesn't seem kernel's modules related, in such case neither release 0.35 would work I suppose but v. 0.35 works flawlessly and also v. 0.36 from Debian Buster works flawlessly... if you dowgrade iptables.

After two days working on the issue I'm over.

It was a bit long to post so I uploaded the report on my hosting


Hope this helps.


Revision history for this message
actionparsnip (andrew-woodhead666) said :

Is this question still needed?

Revision history for this message
Yoghi (info-pclinux) said :

Yes! It's a lot needed.

I need to discover if it's an ufw bug or an iptables bug.

ufw or iptables doesn't like modules even if loaded

$ lsmod |grep af_packet
af_packet 34345 10

but wants absolutely it as a builtin.

GNU/Linux != Windows

Who? Ufw or Iptables?

And why?

I found the root cause but I need help to understand if this few polite (IMHO) approach depends on Ufw or Iptables.

Thanks a lot indeed for your support!


Revision history for this message
Best Manfred Hampl (m-hampl) said :

What exactly is your question, and if you are running antiX (or Debian), why are you asking that question in Ubuntu?

To see the full difference between ufw 0.36-1 in Debian and ufw 0.36-1ubuntu3 in Ubuntu Eoan you have to combine the changes in

Version 0.36-1ubuntu2 and newer contain a patch with number 0003 (name and full contents different between 0.36-1ubuntu2 and 0.36-1ubuntu3) that seems to be the key for coping with iptables version 1.8

Revision history for this message
Yoghi (info-pclinux) said :

Hallo Manfred

I was asking here cause it's the "home" of ufw, where to find a best place to meet people which have maybe the best ufw knowledge and I was right You pointed me in the right way can I say... Vielen herzlichen Dank! ehrlich gesagt.

I was asking here also if I don't use Ubuntu cause I thought that GNU/Linux as all the free software was a free world, without borders but this time I was maybe wrong looking at your answer. :-(

Anyway thank to your support I have understood.

I had to discover why were modules required built-in.

The requirement of built-in modules seems a lack in code portability of ufw cause it seems that iptables can run flawlessly also pre-loading modules at iptables startup which normally is system startup


I had to discover which module was missing looking from ufw perspective and I did a comparison between Lubuntu 19.10 Debian 10 and antiX19 which I use cause at the moment I still use i686 laptops.
 I discovered that the missing module seems af_packet but I'm not yet sure, I have to ask to iptables guys, if it's so and you are glad - so you can add it in the README requirements - I'll let you know.
From ufw README I understood that which kind of modules were required was not up to you.

Many thanks indeed for your cooperation, without you I would be still lost but instead I've found the right way. Ich hätte nicht gerne zu schrein aber... THANKS to everyone here not only to Manfred.

Revision history for this message
Yoghi (info-pclinux) said :

Thanks Manfred Hampl, that solved my question.