Control: forwarded -1 https://lore.kernel.org/all/20241019-xtables-typos-v3-1-66dd2eaac...@0upti.me/
Control: tags -1 + upstream

Hi Chris,

On Wed, Oct 23, 2024 at 10:07:20PM +0100, Chris Boot wrote:
> Package: src:linux
> Version: 6.11.4-1
> Severity: important
> Tags: ipv6
>
> Hi,
>
> I upgraded a couple of systems from linux-image-6.11.2-amd64 to
> linux-image-6.11.4-amd64 and after rebooting the systems' firewalls fail
> to start.
>
> The problem can be reproduced very simply:
>
> # ip6tables -w -t mangle -A fooX9269 -j MARK --set-mark 1
> Warning: Extension MARK revision 0 not supported, missing kernel module?
> ip6tables: No chain/target/match by that name.
>
> When reverting to linux-image-6.11.2-amd64 the firewalls start correctly
> again, and the test command displayed above works as expected.
>
> The firewall systems I tested are shorewall6 and the (complex!) ruleset
> that kube-proxy generates for Kubernetes 1.31.1.
>
> In all cases I am using ip6tables-nft not ip6tables-legacy.

Looks like upstream is working on fixes,

https://lore.kernel.org/all/20241019-xtables-typos-v3-1-66dd2eaac...@0upti.me/

this got introduced with 0bfcb7b71e73 ("netfilter: xtables: avoid
NFPROTO_UNSPEC where needed") and backports to stable series.

Regards,
Salvatore