Public bug reported:

/usr/share/netfilter-persistent/plugins.d/15-ip4tables contains two lines of interest:

    set -e
    /sbin/modprobe -q iptable_filter

modprobe failure causes entire script to exit with 1 status immediately.

Processes run inside of containers (such as LXC and LXD) can't really load modules, and kernel modules usually aren't even installed anyway:

    root@t1:~# /sbin/modprobe iptable_filter
    modprobe: ERROR: ../libkmod/libkmod.c:586 kmod_search_moddep() could not open moddep file '/lib/modules/4.15.0-46-generic/modules.dep.bin'
    modprobe: FATAL: Module iptable_filter not found in directory /lib/modules/4.15.0-46-generic

However, iptables will generally work inside containers, provided that the required modules were loaded outside the container. So instead of failing, I think modprobe errors should be just ignored (|| true).

This seems to be the same bug as #1002078, which apparently got reintroduced during code rewrite.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: netfilter-persistent 1.0.4+nmu2
ProcVersionSignature: Ubuntu 4.15.0-46.49-generic 4.15.18
Uname: Linux 4.15.0-46-generic x86_64
NonfreeKernelModules: xt_REDIRECT nf_nat_redirect xt_tcpudp iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack xt_addrtype iptable_filter binfmt_misc veth ebtable_filter ebtables bridge stp llc snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm input_leds joydev serio_raw snd_timer snd soundcore mac_hid sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid hid crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd qxl glue_helper ttm cryptd drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops psmouse sym53c8xx scsi_transport_spi drm virtio_blk pata_acpi i2c_piix4 virtio_net floppy
ApportVersion: 2.20.9-0ubuntu7.6
Architecture: amd64
Date: Fri Mar 15 00:06:17 2019
PackageArchitecture: all
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=C.UTF-8
 SHELL=/bin/bash
SourcePackage: iptables-persistent
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: iptables-persistent (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug bionic uec-images

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1820144

Title:
  iptables-persistent fails in containers due to modprobe being unavailable even though module could've been loaded outside of the container

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/iptables-persistent/+bug/1820144/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
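
An added illustration of the failure mode reported above, not code from the netfilter-persistent plugin or from the reporter: the `set -e` plus `modprobe` pattern beside a tolerant form that never aborts and only records what it found. The function names and the `MODPROBE` and `TABLES_FILE` override variables are assumptions made for the example, and `/proc/net/ip_tables_names` is used only as a hint that a table is already registered in the current network namespace.

```shell
# Added example. MODPROBE and TABLES_FILE are hypothetical override knobs so
# the logic can be exercised without root or a real container.
MODPROBE="${MODPROBE:-/sbin/modprobe}"
TABLES_FILE="${TABLES_FILE:-/proc/net/ip_tables_names}"

# Pattern from the report: under `set -e`, a failing modprobe ends the script
# before any firewall rules are restored. A child shell is used so that the
# early exit can be observed by the caller.
strict_load() {
    sh -ec '"$0" -q "$1"; echo "reached restore step"' "$MODPROBE" "$1"
}

# Tolerant form: a modprobe failure is never fatal. Prints one word:
#   loaded   modprobe succeeded
#   present  modprobe failed, but the table is already registered here
#            (for example, the module was loaded outside the container)
#   unknown  modprobe failed and the table is not listed; the verdict is
#            left to the later iptables-restore call
probe_table() {
    module="$1"
    table="$2"
    if "$MODPROBE" -q "$module" 2>/dev/null; then
        echo loaded
    elif [ -r "$TABLES_FILE" ] && grep -qx -- "$table" "$TABLES_FILE"; then
        echo present
    else
        echo "warning: $module not loadable and table '$table' not listed" >&2
        echo unknown
    fi
    return 0
}
```

With this shape the rules still get a chance to load inside a container, and a genuinely missing table surfaces as an error from the restore step rather than as a silent exit before it.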