
Can't make container work with ENABLE_UFW=true #2671

Open
8 tasks done
adzero opened this issue Jul 24, 2023 · 2 comments
Labels
inactivity Used by Stale bot to mark issues that will be closed

Comments


adzero commented Jul 24, 2023

Is there a pinned issue for this?

  • I have read the pinned issues and could not find my issue

Is there an existing or similar issue/discussion for this?

  • I have searched the existing issues
  • I have searched the existing discussions

Is there any comment in the documentation for this?

  • I have read the documentation, especially the FAQ and Troubleshooting parts

Is this related to a provider?

  • I have checked the provider repo for issues
  • My issue is NOT related to a provider

Are you using the latest release?

  • I am using the latest release

Have you tried using the dev branch latest?

  • I have tried using dev branch

Docker run config used

docker run --cap-add=NET_ADMIN -d \
-e OPENVPN_PROVIDER=NORDVPN \
-e OPENVPN_USERNAME=USER \
-e OPENVPN_PASSWORD=SERVICEPASSWORD \
-e NORDVPN_COUNTRY=FR \
-e NORDVPN_CATEGORY=legacy_p2p \
-e NORDVPN_PROTOCOL=tcp \
-e CREATE_TUN_DEVICE=true \
-e LOCAL_NETWORK=192.168.1.0/24 \
-e ENABLE_UFW=true \
--log-driver json-file \
--log-opt max-size=10m \
-p 9091:9091 \
haugene/transmission-openvpn

Current Behavior

Container starts and then stops with an error related to ufw-init.

If I set ENABLE_UFW to false, the container starts and is healthy.

Expected Behavior

Container should start with firewall enabled.

How have you tried to solve the problem?

I dug into the issues inside the repository to find a solution to this problem.
Although many issues are related to firewall activation, I haven't found a solution that makes it work.

I would appreciate any clue or help to find a solution or at least understand why it's not working.

Log output

2023-07-24T18:33:36.557363644Z Starting container with revision: 1103172
2023-07-24T18:33:36.557414908Z TRANSMISSION_HOME is currently set to: /config/transmission-home
2023-07-24T18:33:36.557428702Z WARNING: Deprecated. Found old default transmission-home folder at /data/transmission-home, setting this as TRANSMISSION_HOME. This might break in future versions.
2023-07-24T18:33:36.557435828Z We will fallback to this directory as long as the folder exists. Please consider moving it to /config/transmission-home
2023-07-24T18:33:36.648998577Z Creating TUN device /dev/net/tun
2023-07-24T18:33:36.655935031Z Using OpenVPN provider: NORDVPN
2023-07-24T18:33:36.656013374Z Running with VPN_CONFIG_SOURCE auto
2023-07-24T18:33:36.656048583Z Provider NORDVPN has a bundled setup script. Defaulting to internal config
2023-07-24T18:33:36.656061545Z Executing setup script for NORDVPN
2023-07-24T18:33:36.658257516Z /etc/openvpn/nordvpn/..
2023-07-24T18:33:37.743936096Z INFO: OVPN: Checking curl installation
2023-07-24T18:33:37.766288177Z INFO: OVPN: DNS resolution ok
2023-07-24T18:33:38.778717009Z INFO: OVPN: ok, configurations download site reachable
2023-07-24T18:33:38.778764606Z INFO: OVPN: Removing existing configs in /etc/openvpn/nordvpn
2023-07-24T18:33:40.002955277Z Checking NORDPVN API responses
2023-07-24T18:33:40.125153672Z INFO: OVPN:Selecting the best server...
2023-07-24T18:33:40.156497330Z INFO: OVPN: Searching for country : FR (74)
2023-07-24T18:33:40.186669940Z INFO: OVPN: Searching for group: legacy_p2p
2023-07-24T18:33:40.187341593Z INFO: OVPN:Searching for technology: openvpn_tcp
2023-07-24T18:33:43.665499345Z INFO: OVPN: Best server : fr746.nordvpn.com, load: 9
2023-07-24T18:33:43.665535427Z Best server : fr746.nordvpn.com
2023-07-24T18:33:43.666209963Z INFO: OVPN: Downloading config: fr746.nordvpn.com.ovpn
2023-07-24T18:33:43.666241963Z INFO: OVPN: Downloading from: https://downloads.nordcdn.com/configs/files/ovpn_tcp/servers/fr746.nordvpn.com.tcp.ovpn
2023-07-24T18:33:43.883562815Z OVPN: NORDVPN: selected: fr746.nordvpn.com, VPN_PROVIDER_HOME: /etc/openvpn/nordvpn
2023-07-24T18:33:43.888882360Z Starting OpenVPN using config fr746.nordvpn.com.ovpn
2023-07-24T18:33:43.893189291Z Modifying /etc/openvpn/nordvpn/fr746.nordvpn.com.ovpn for best behaviour in this container
2023-07-24T18:33:43.893234224Z Modification: Point auth-user-pass option to the username/password file
2023-07-24T18:33:43.894732772Z Modification: Change ca certificate path
2023-07-24T18:33:43.896809566Z Modification: Change ping options
2023-07-24T18:33:43.901544371Z Modification: Update/set resolv-retry to 15 seconds
2023-07-24T18:33:43.903965263Z Modification: Change tls-crypt keyfile path
2023-07-24T18:33:43.906097663Z Modification: Set output verbosity to 3
2023-07-24T18:33:43.908526000Z Modification: Remap SIGUSR1 signal to SIGTERM, avoid OpenVPN restart loop
2023-07-24T18:33:43.911040581Z Modification: Updating status for config failure detection
2023-07-24T18:33:43.915789718Z Setting OpenVPN credentials...
2023-07-24T18:33:43.966696914Z enabling firewall
2023-07-24T18:33:44.059873903Z ERROR: problem running ufw-init
2023-07-24T18:33:44.059901653Z iptables-restore v1.8.7 (legacy): Couldn't load match `limit':No such file or directory
2023-07-24T18:33:44.059908838Z
2023-07-24T18:33:44.059914841Z Error occurred at line: 63
2023-07-24T18:33:44.059920398Z Try `iptables-restore -h' or 'iptables-restore --help' for more information.
2023-07-24T18:33:44.059926004Z iptables-restore v1.8.7 (legacy): Couldn't load match `limit':No such file or directory
2023-07-24T18:33:44.059931914Z
2023-07-24T18:33:44.059937096Z Error occurred at line: 8
2023-07-24T18:33:44.059942343Z Try `iptables-restore -h' or 'iptables-restore --help' for more information.
2023-07-24T18:33:44.059947817Z sysctl: setting key "net.ipv4.conf.all.accept_redirects", ignoring: Read-only file system
2023-07-24T18:33:44.059953710Z sysctl: setting key "net.ipv4.conf.default.accept_redirects", ignoring: Read-only file system
2023-07-24T18:33:44.059960153Z sysctl: setting key "net.ipv6.conf.all.accept_redirects", ignoring: Read-only file system
2023-07-24T18:33:44.059966154Z sysctl: setting key "net.ipv6.conf.default.accept_redirects", ignoring: Read-only file system
2023-07-24T18:33:44.059971767Z sysctl: setting key "net.ipv4.icmp_echo_ignore_broadcasts", ignoring: Read-only file system
2023-07-24T18:33:44.059977465Z sysctl: setting key "net.ipv4.icmp_ignore_bogus_error_responses", ignoring: Read-only file system
2023-07-24T18:33:44.059983012Z sysctl: setting key "net.ipv4.icmp_echo_ignore_all", ignoring: Read-only file system
2023-07-24T18:33:44.059988974Z sysctl: setting key "net.ipv4.conf.all.log_martians", ignoring: Read-only file system
2023-07-24T18:33:44.059994968Z sysctl: setting key "net.ipv4.conf.default.log_martians", ignoring: Read-only file system
2023-07-24T18:33:44.060000487Z
2023-07-24T18:33:44.060005700Z Problem running '/etc/ufw/before.rules'
2023-07-24T18:33:44.060011133Z Problem running '/etc/ufw/user.rules'
2023-07-24T18:33:44.060016640Z

HW/SW Environment

- Hardware : Asustor AS6706T
- OS: 4.2.2.RI61
- Docker: 23.0.6

Anything else?

No response
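As an added example (not code from this issue or from haugene/transmission-openvpn), a small POSIX shell diagnostic that extracts the actionable facts from a ufw-init failure log like the one posted above: which iptables match extension iptables-restore could not load, which sysctl keys were skipped because /proc/sys is read-only, and which ufw rule files failed to apply. The sample log is constructed from the lines in this issue with the timestamps removed; the `preflight_ufw` live check, and its `iptables -m limit --help` probe, are assumptions about the container environment and are not exercised on the sample.

```shell
#!/bin/sh
# Added diagnostic for this issue; not part of haugene/transmission-openvpn.
# It reads a container log and pulls out what ufw-init actually complained about:
# iptables match extensions iptables-restore could not load, sysctl keys skipped
# because /proc/sys is read-only, and ufw rule files that failed to apply.

# Constructed sample: the error lines from the log posted above, timestamps removed.
SAMPLE_LOG=$(cat <<'EOF'
enabling firewall
ERROR: problem running ufw-init
iptables-restore v1.8.7 (legacy): Couldn't load match `limit':No such file or directory
Error occurred at line: 63
sysctl: setting key "net.ipv4.conf.all.accept_redirects", ignoring: Read-only file system
sysctl: setting key "net.ipv4.conf.all.log_martians", ignoring: Read-only file system
Problem running '/etc/ufw/before.rules'
Problem running '/etc/ufw/user.rules'
EOF
)

# Match extensions that iptables-restore reported as unloadable, one per line, deduplicated.
missing_matches() {
  grep -o 'load match `[A-Za-z0-9_]*' | sed 's/.*`//' | sort -u
}

# sysctl keys that ufw-init skipped because /proc/sys was mounted read-only.
readonly_sysctl_keys() {
  sed -n 's/.*sysctl: setting key "\([^"]*\)".*Read-only file system.*/\1/p' | sort -u
}

# ufw rule files that failed to apply.
failed_rule_files() {
  sed -n "s/.*Problem running '\([^']*\)'.*/\1/p" | sort -u
}

# Summarise a log read on stdin. Returns 1 when ufw-init failed (an unloadable
# match or a failed rule file), 0 otherwise. Read-only sysctl keys are reported as
# warnings only, because the log shows ufw-init ignoring them rather than aborting.
summarize_ufw_log() {
  log=$(cat)
  status=0
  matches=$(printf '%s\n' "$log" | missing_matches | tr '\n' ' ')
  if [ -n "$matches" ]; then
    status=1
    printf 'FAIL: iptables-restore could not load match extension(s): %s\n' "$matches"
  fi
  files=$(printf '%s\n' "$log" | failed_rule_files | tr '\n' ' ')
  if [ -n "$files" ]; then
    status=1
    printf 'FAIL: ufw rule files not applied: %s\n' "$files"
  fi
  keys=$(printf '%s\n' "$log" | readonly_sysctl_keys | wc -l | tr -d ' ')
  if [ "$keys" -gt 0 ]; then
    printf 'WARN: %s sysctl key(s) skipped, /proc/sys is read-only in this container\n' "$keys"
  fi
  return $status
}

# Optional live preflight to run inside the container before relying on ENABLE_UFW.
# Assumption: iptables is on PATH and /proc/sys is mounted where this runs; the
# `iptables -m limit --help` probe only loads the userspace extension and prints its help.
preflight_ufw() {
  rc=0
  if command -v iptables >/dev/null 2>&1; then
    if ! iptables -m limit --help >/dev/null 2>&1; then
      echo "iptables cannot load the 'limit' match here; ufw's before.rules will fail"
      rc=1
    fi
  else
    echo "iptables not found, skipping extension check"
  fi
  if [ ! -w /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
    echo "warning: /proc/sys is read-only; ufw's sysctl hardening will be skipped"
  fi
  return $rc
}

# Demonstration on the constructed sample.
if printf '%s\n' "$SAMPLE_LOG" | summarize_ufw_log; then
  echo "no ufw-init problem found"
fi
```

To run it against a real container, source the file and pipe the log in: `. ./ufw_log_check.sh; docker logs <container> 2>&1 | summarize_ufw_log`. A non-zero exit then tells you that ufw-init itself failed, as opposed to the sysctl warnings, which the log shows are ignored.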

@pkishino (Collaborator)

Hello, I did some digging into this but couldn't find anything conclusive...
I see the ERROR: problem running ufw-init
and the following lines. It looks like a possible permission/system problem, see:
sysctl: setting key "net.ipv4.conf.all.accept_redirects", ignoring: Read-only file system

Also, could you try adding this env variable please?
UFW_DISABLE_IPTABLES_REJECT=true


stale bot commented Oct 15, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@stale stale bot added the inactivity Used by Stale bot to mark issues that will be closed label Oct 15, 2023