# [solved] ufw fails requirements check

## equaeghe

I installed ufw and think I set the necessary kernel parameters. However:

```
# /usr/share/ufw/check-requirements
Has python: pass (binary: python2.7, version: 2.7.10, py2)
Has iptables: pass
Has ip6tables: pass
Has /proc/net/dev: pass
Has /proc/net/if_inet6: pass

This script will now attempt to create various rules using the iptables
and ip6tables commands. This may result in module autoloading (eg, for
IPv6).
Proceed with checks (Y/n)? 

== IPv4 ==
Creating 'ufw-check-requirements'... done
Inserting RETURN at top of 'ufw-check-requirements'... done
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: pass
LOG: pass
hashlimit: FAIL
error was: iptables: No chain/target/match by that name.
limit: pass
state (NEW): FAIL
error was: iptables: No chain/target/match by that name.
state (RELATED): FAIL
error was: iptables: No chain/target/match by that name.
state (ESTABLISHED): FAIL
error was: iptables: No chain/target/match by that name.
state (INVALID): FAIL
error was: iptables: No chain/target/match by that name.
state (new, recent set): FAIL (no runtime support)
error was: iptables: No chain/target/match by that name.
state (new, recent update): FAIL (no runtime support)
error was: iptables: No chain/target/match by that name.
state (new, limit): FAIL
error was: iptables: No chain/target/match by that name.
interface (input): pass
interface (output): pass
multiport: pass
comment: pass
addrtype (LOCAL): pass
addrtype (MULTICAST): pass
addrtype (BROADCAST): pass
icmp (destination-unreachable): pass
icmp (source-quench): pass
icmp (time-exceeded): pass
icmp (parameter-problem): pass
icmp (echo-request): pass

== IPv6 ==
Creating 'ufw-check-requirements6'... done
Inserting RETURN at top of 'ufw-check-requirements6'... done
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: pass
LOG: pass
hashlimit: FAIL
error was: ip6tables: No chain/target/match by that name.
limit: pass
state (NEW): FAIL
error was: ip6tables: No chain/target/match by that name.
state (RELATED): FAIL
error was: ip6tables: No chain/target/match by that name.
state (ESTABLISHED): FAIL
error was: ip6tables: No chain/target/match by that name.
state (INVALID): FAIL
error was: ip6tables: No chain/target/match by that name.
state (new, recent set): FAIL (no runtime support)
error was: ip6tables: No chain/target/match by that name.
state (new, recent update): FAIL (no runtime support)
error was: ip6tables: No chain/target/match by that name.
state (new, limit): FAIL
error was: ip6tables: No chain/target/match by that name.
interface (input): pass
interface (output): pass
multiport: pass
comment: pass
icmpv6 (destination-unreachable): pass
icmpv6 (packet-too-big): pass
icmpv6 (time-exceeded): pass
icmpv6 (parameter-problem): pass
icmpv6 (echo-request): pass
icmpv6 with hl (neighbor-solicitation): pass
icmpv6 with hl (neighbor-advertisement): pass
icmpv6 with hl (router-solicitation): pass
icmpv6 with hl (router-advertisement): pass

FAIL: check your kernel and that you have iptables >= 1.4.0
FAIL: check your kernel and iptables for additional runtime support
```

This seems to indicate that hashlimit and some other parameters are not set (which?). But:

```
# lsmod | grep hashlimit
xt_hashlimit            7966  0
x_tables               15073  15 ip6table_filter,xt_hl,xt_comment,xt_recent,ip_tables,xt_tcpudp,xt_limit,xt_LOG,xt_hashlimit,xt_multiport,iptable_filter,ipt_REJECT,ip6_tables,xt_addrtype,ip6t_REJECT
```

So there must be more going on.

I would be grateful for guidance on getting ufw running.

Is there any list of required kernel parameters for ufw?

Perhaps useful:

```
# eix -I iptables
[I] net-firewall/iptables
     Available versions:  ~1.4.17 1.4.21-r1 ~1.4.21-r2(0/10) ~1.4.21-r3(0/10) {conntrack ipv6 netlink pcap static-libs}
     Installed versions:  1.4.21-r1(12:39:44 PM 11/25/2015)(ipv6 -conntrack -netlink -static-libs)
     Homepage:            http://www.netfilter.org/projects/iptables/
     Description:         Linux kernel (2.4+) firewall, NAT and packet mangling tools

# eix -I ufw
[I] net-firewall/ufw
     Available versions:  0.34_pre805-r2^t {examples ipv6 PYTHON_TARGETS="python2_7 python3_3 python3_4"}
     Installed versions:  0.34_pre805-r2^t(11:47:52 AM 11/25/2015)(ipv6 -examples PYTHON_TARGETS="python2_7 python3_4 -python3_3")
     Homepage:            https://launchpad.net/ufw
     Description:         A program used to manage a netfilter firewall
```

Last edited by equaeghe on Mon Jan 11, 2016 10:01 pm; edited 1 time in total

----------

## DeIM

Hi, I've installed ufw too and tried to run it. Thanks to you I found there is the check script. In my case it printed something similar. I've enabled kernel options per https://wiki.gentoo.org/wiki/Ufw; however, the script still failed. So I ticked some more options in the kernel according to the script's fail lines, and after a few tries all tests passed. The parameters are similar to those on the failed lines; sometimes one kernel parameter makes several tests pass since it is the same "grouped property".

Versions are the same:

```
$ eix -I iptables
[I] net-firewall/iptables
     Available versions:  ~1.4.17 1.4.21-r1 ~1.4.21-r2(0/10) ~1.4.21-r3(0/10) ~1.4.21-r4(0/10) ~1.6.0(0/11) {conntrack ipv6 netlink nftables pcap static-libs}
     Installed versions:  1.4.21-r1(16:10:27 15.8.2015)(ipv6 -conntrack -netlink -static-libs)
     Homepage:            http://www.netfilter.org/projects/iptables/
     Description:         Linux kernel (2.4+) firewall, NAT and packet mangling tools

$ eix -I ufw
[I] net-firewall/ufw
     Available versions:  0.34_pre805-r2^t {examples ipv6 PYTHON_TARGETS="python2_7 python3_3 python3_4"}
     Installed versions:  0.34_pre805-r2^t(16:17:52 9.1.2016)(ipv6 -examples PYTHON_TARGETS="python2_7 python3_3 python3_4")
     Homepage:            https://launchpad.net/ufw
     Description:         A program used to manage a netfilter firewall
```

----------

## equaeghe

 *DeIM wrote:*   

> Hi, I've installed ufw too and tried to run it. Thanks to you I found there is the check script. In my case it printed something similar. I've enabled kernel options per https://wiki.gentoo.org/wiki/Ufw; however, the script still failed. So I ticked some more options in the kernel according to the script's fail lines, and after a few tries all tests passed. The parameters are similar to those on the failed lines; sometimes one kernel parameter makes several tests pass since it is the same "grouped property".

 

Any hope that you can recover a list of all the parameters that you activated, a diff of your .config with the one before?

----------

## DeIM

I recall that I marked in Core Netfilter Configuration this:

```
<M> NetBIOS name service protocol support
{M}   "HL" hoplimit target support
*** Xtables matches ***
<M>   "addrtype" address type match support
<M>   "comment" match support
<*>   "conntrack" connection tracking match support
<M>   "hashlimit" match support
{M}   "hl" hoplimit/TTL match support
<M>   "limit" match support
<M>   "recent" match support
<*>   "state" match support
```

And some in IPv6: Netfilter Configuration

Complete netfilter part of .config is here:

http://pastebin.com/9YNuuL6k

Hope this will help.

----------

## equaeghe

 *DeIM wrote:*   

> I recall that I marked in Core Netfilter Configuration this:
> 
> ```
> <M> NetBIOS name service protocol support
> ...
> ```

 

Yes, thanks! I added ip4 conntrack, mangling (in support of), hl support.

Now the checks pass. Trying out will wait for another day.

----------
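A triage helper for the failure discussed in this thread, added here as an example and not posted by either participant: it pulls the failing test names out of saved check-requirements output, maps each match a name mentions to its mainline kernel symbol, and reports which of those are not enabled in a given `.config`. The function names, the keyword-to-symbol mapping and both sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Inputs in demo() are constructed.

# Names of failed tests, one per line, from saved check-requirements output.
failed_tests() {
    sed -n 's/^[[:space:]]*\(.*\): FAIL.*$/\1/p' "$1" | sort -u
}

# Kernel symbols (minus CONFIG_) for each match a test name mentions.
# The state match depends on connection tracking, hence NF_CONNTRACK.
symbols_for() {
    case "$1" in *hashlimit*) echo NETFILTER_XT_MATCH_HASHLIMIT ;; esac
    case "$1" in state*) echo NETFILTER_XT_MATCH_STATE; echo NF_CONNTRACK ;; esac
    case "$1" in *recent*) echo NETFILTER_XT_MATCH_RECENT ;; esac
    case "$1" in limit*|*" limit"*) echo NETFILTER_XT_MATCH_LIMIT ;; esac
}

# Symbols needed by the failed tests that are neither =y nor =m in the .config.
missing_symbols() {  # $1 = saved check output, $2 = kernel .config
    failed_tests "$1" | while IFS= read -r t; do symbols_for "$t"; done |
        sort -u | while read -r sym; do
            grep -Eq "^CONFIG_${sym}=[ym]$" "$2" || echo "CONFIG_${sym}"
        done
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed excerpt in the format of the output quoted in the thread.
    cat > "$tmp/check.txt" <<'EOF'
LOG: pass
hashlimit: FAIL
error was: iptables: No chain/target/match by that name.
limit: pass
state (NEW): FAIL
state (new, recent set): FAIL (no runtime support)
FAIL: check your kernel and that you have iptables >= 1.4.0
EOF
    # Constructed .config fragment: hashlimit and recent built as modules,
    # the state match disabled and conntrack absent.
    cat > "$tmp/config" <<'EOF'
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
CONFIG_NETFILTER_XT_MATCH_RECENT=m
# CONFIG_NETFILTER_XT_MATCH_STATE is not set
EOF
    missing_symbols "$tmp/check.txt" "$tmp/config"
    rm -rf "$tmp"
}
demo
```

For a real system, call `missing_symbols` with a saved copy of the script's output and the `.config` of the running kernel. In the constructed case the hashlimit and recent modules are present while the state match and conntrack are not, the same pattern visible in the `lsmod` output of the first post.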

