ufw

UFW not creating chains causing startup to fail


I am having an issue with UFW causing it to fail to start on 2 of my LXCs running Debian 12 Bookworm (while the same type of rules are working fine on 12 other Debian 12 LXCs and 7 Debian 12 VMs). The LXCs are running under Proxmox VE 8.1.3, in case that is relevant.

I have re-installed iptables once (and also ran iptables -F) and ufw a few times (ensuring, when purging it, that 0 files or folders containing ufw remained), restarting for re-installs, rule changes, etc. This issue occurs with 0 user-defined rules enabled as well, but I will still provide them.

root@pass:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       192.168.1.0/24            
22/tcp                     ALLOW       10.14.0.0/24              
80/tcp                     ALLOW       192.168.1.0/24            
80/tcp                     ALLOW       10.14.0.0/24              
443/tcp                    ALLOW       192.168.1.0/24            
443/tcp                    ALLOW       10.14.0.0/24              
5432/tcp                   ALLOW       172.16.0.0/12             
22/tcp                     ALLOW       fc01::/48                 
80/tcp                     ALLOW       fc01::/48                 
443/tcp                    ALLOW       fc01::/48                 

root@pass:~# systemctl status ufw
x ufw.service - Uncomplicated firewall
     Loaded: loaded (/etc/systemd/system/ufw.service; enabled; preset: enabled)
     Active: failed (Result: exit-code) since Sun 2024-02-18 23:07:44 EST; 57s ago
       Docs: man:ufw(8)
    Process: 71 ExecStart=/lib/ufw/ufw-init start quiet (code=exited, status=1/FAILURE)
   Main PID: 71 (code=exited, status=1/FAILURE)
        CPU: 54ms

Feb 18 23:07:44 pass ufw-init[86]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Feb 18 23:07:44 pass ufw-init[88]: iptables-restore v1.8.9 (nf_tables): Chain 'ufw-skip-to-policy-input' does not exist
Feb 18 23:07:44 pass ufw-init[88]: Error occurred at line: 30
Feb 18 23:07:44 pass ufw-init[88]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Feb 18 23:07:44 pass ufw-init[94]: iptables-restore: line 2 failed: No chain/target/match by that name.
Feb 18 23:07:44 pass ufw-init[123]: Problem running '/etc/ufw/before.rules'
Feb 18 23:07:44 pass ufw-init[123]: Problem running '/etc/ufw/after.rules'
Feb 18 23:07:44 pass systemd[1]: ufw.service: Main process exited, code=exited, status=1/FAILURE
Feb 18 23:07:44 pass systemd[1]: ufw.service: Failed with result 'exit-code'.
Feb 18 23:07:44 pass systemd[1]: Failed to start ufw.service - Uncomplicated firewall.
root@pass:~# systemctl restart ufw
root@pass:~# systemctl restart ufw
Job for ufw.service failed because the control process exited with error code.
See "systemctl status ufw.service" and "journalctl -xeu ufw.service" for details.
root@pass:~# systemctl restart ufw

It also has an interesting effect where IPv4 doesn't work (in any capacity) while IPv6 does (for SSHing, for instance). I'm not sure why it isn't making the chains. I have compared various files from ufw on the working machines (the systemd unit file, before.rules, after.rules, etc.) and didn't find any differences (using KDiff on the /etc/ufw/ directory), and frankly can't find anything on this specific type of ufw issue.

Another interesting thing (looking at the command output): every second time ufw is started, it reports having started fine, but IPv4 is still broken (if ufw is disabled, IPv4 works fine).

Edit: Also just checked: both working and non-working LXCs have the same iptables version (1.8.9) and are the nf_tables variant.

Edit: After a bit of time, one appeared to randomly start working fine but did not survive a restart, so it must've been a fluke.

Edit: Solution, but not really: I did a full rootfs diff between a known working LXC (that is relatively slim) and this one and could not find any relevant differences causing the issue, so sadly I have reinstalled and that fixed it. Sad I could not find the root cause, but I gave it my best shot.
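A diagnostic for the failure shown in the journal above, added here as an example; it is not part of the original post and not ufw's own code. It lists the chains a ufw rules file jumps to without declaring them (ufw-init is assumed to create those with iptables -N before feeding the file to iptables-restore) and reports which of them are absent from the live filter table, which is the condition behind "Chain 'ufw-skip-to-policy-input' does not exist". The sample rules file is constructed in before.rules style, and the script name is a placeholder.

```shell
#!/bin/sh
# Added diagnostic, not from the post or from ufw. A rules file only declares
# its own chains (":name - [0:0]"); jumps to chains ufw-init was supposed to
# create beforehand fail in iptables-restore with "Chain '...' does not exist".

# Print, one per line and sorted, every chain the file jumps to (-j / -g)
# but does not declare itself.
undeclared_chains() {
    declared=$(sed -n 's/^:\([^ ]*\) .*/\1/p' "$1")
    grep -v '^#' "$1" | sed -n 's/.*-[jg] \([A-Za-z0-9_-]*\).*/\1/p' | sort -u |
    while read -r chain; do
        case "$chain" in                      # built-in targets are never chains
            ACCEPT|DROP|REJECT|RETURN|LOG|MASQUERADE|SNAT|DNAT) continue ;;
        esac
        echo "$declared" | grep -qx -e "$chain" || echo "$chain"
    done
}

# Ask the live filter table whether each such chain exists (assumes the file's
# rules belong to the filter table; needs iptables and root to be meaningful).
check_live_chains() {
    if ! command -v iptables >/dev/null 2>&1; then
        echo "iptables not found; cannot query live chains"
        return 0
    fi
    for chain in $(undeclared_chains "$1"); do
        if iptables -t filter -S "$chain" >/dev/null 2>&1; then
            echo "ok:      $chain"
        else
            echo "missing: $chain (expected to be created by ufw-init before restore)"
        fi
    done
}

# Constructed fragment in before.rules style, used to exercise the parser.
sample_rules_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -p udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-before-output -o lo -j ACCEPT
COMMIT
EOF
    echo "$f"
}

# Stand-alone use: ./check-ufw-chains.sh [rules-file...]; defaults to ufw's files.
if [ $# -eq 0 ]; then set -- /etc/ufw/before.rules /etc/ufw/after.rules /etc/ufw/user.rules; fi
for f in "$@"; do if [ -r "$f" ]; then check_live_chains "$f"; fi; done
```

Run it on the failing container right after `systemctl restart ufw`; a "missing:" line for a chain that before.rules jumps to points at the chain-creation step of ufw-init rather than at the rules files themselves.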


Solution

  • Solution, but not really a solution: reinstall. I made my best efforts as described in the post but could not find anything wrong, so I had to cave and reinstall the LXC.