Bug#1085953: ip6tables: Extension MARK revision 0 not supported

Wed, 23 Oct 2024 14:21:37 -0700 

Package: src:linux
Version: 6.11.4-1
Severity: important
Tags: ipv6

Hi,

I upgraded a couple of systems from linux-image-6.11.2-amd64 to
linux-image-6.11.4-amd64 and after rebooting the systems' firewalls fail
to start.

The problem can be reproduced very simply:

# ip6tables -w -t mangle -A fooX9269 -j MARK --set-mark 1
Warning: Extension MARK revision 0 not supported, missing kernel module?
ip6tables: No chain/target/match by that name.

When reverting to linux-image-6.11.2-amd64 the firewalls start correctly
again, and the test command displayed above works as expected.

The firewall systems I tested are shorewall6 and the (complex!) ruleset
that kube-proxy generates for Kubernetes 1.31.1.

In all cases I am using ip6tables-nft not ip6tables-legacy.

Thanks,
Chris

-- Package-specific info:
** Kernel log: boot messages should be attached


-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (100, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.11.2-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages linux-image-6.11.4-amd64 depends on:
ii  initramfs-tools [linux-initramfs-tool]  0.145
ii  kmod                                    33+20240816-2
ii  linux-base                              4.10.1

Versions of packages linux-image-6.11.4-amd64 recommends:
ii  apparmor  3.1.7-1+b1

Versions of packages linux-image-6.11.4-amd64 suggests:
pn  debian-kernel-handbook  <none>
ii  firmware-linux-free     20240610-1
ii  grub-efi-amd64          2.12-5
pn  linux-doc-6.11          <none>

Versions of packages linux-image-6.11.4-amd64 is related to:
pn  firmware-amd-graphics     <none>
pn  firmware-atheros          <none>
pn  firmware-bnx2             <none>
pn  firmware-bnx2x            <none>
pn  firmware-brcm80211        <none>
pn  firmware-cavium           <none>
pn  firmware-intel-sound      <none>
pn  firmware-intelwimax       <none>
pn  firmware-ipw2x00          <none>
pn  firmware-ivtv             <none>
pn  firmware-iwlwifi          <none>
pn  firmware-libertas         <none>
pn  firmware-linux-nonfree    <none>
pn  firmware-misc-nonfree     <none>
pn  firmware-myricom          <none>
pn  firmware-netxen           <none>
pn  firmware-qlogic           <none>
pn  firmware-realtek          <none>
pn  firmware-samsung          <none>
pn  firmware-siano            <none>
pn  firmware-ti-connectivity  <none>
pn  xen-hypervisor            <none>

-- no debconf information

Reply via email to