Public bug reported: Anbox Cloud enables people to run LXC-based Android instances to provide a generic AOSP experience in the cloud. After the 6.8 HWE kernel was updated to 6.8.0-57.59, Android containers can no longer access the network.
```
root@test0:~# anbox-shell ping -c 1 192.168.250.1
connect: Network is unreachable
```

We observed the following errors from the IptablesRestoreController component in Android, which manages both IPv4 and IPv6 rules.

```
root@test0:~# anbox-shell logcat -s IptablesRestoreController
--------- beginning of main
04-01 12:29:48.036 91 171 E IptablesRestoreController: iptables error:
04-01 12:29:48.036 91 171 E IptablesRestoreController: ------- COMMAND -------
04-01 12:29:48.036 91 171 E IptablesRestoreController: *mangle
04-01 12:29:48.036 91 171 E IptablesRestoreController: -A routectrl_mangle_INPUT -i eth0 -j MARK --set-mark 0x30064/0xffefffff
04-01 12:29:48.036 91 171 E IptablesRestoreController: COMMIT
04-01 12:29:48.036 91 171 E IptablesRestoreController: ------- ERROR -------
04-01 12:29:48.036 91 171 E IptablesRestoreController: ip6tables-restore v1.8.7 (legacy): unknown option "--set-mark"
04-01 12:29:48.036 91 171 E IptablesRestoreController: Error occurred at line: 2
04-01 12:29:48.036 91 171 E IptablesRestoreController: Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
```

During our testing, things started breaking with kernel 6.8.0-56.58.1. We confirmed that after downgrading the kernel to 6.8.0-55.57.1, things worked again. The underlying issue has been discussed in [1]:

```
This is caused by 0bfcb7b71e73 ("netfilter: xtables: avoid NFPROTO_UNSPEC where needed") and a fix is already in the works: https://lore.kernel.org/all/20241019-xtables-typos-v2-1-6b8b1735d...@0upti.me/

For now downgrading the kernel or patching it with the above should fix the issue, although I'd expect the issue to be fixed with the next stable kernel
```

We've seen that the fix ("netfilter: xtables: fix typo causing some targets not to load on IPv6") has been included in the 6.8.0-58.60 kernel [2], and we can confirm that after upgrading the kernel to 6.8.0-58.60 the issue is resolved and network access from the Android container works fine.
```
$ anbox-shell ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=52 time=34.4 ms
```

Meanwhile, when testing the cloud flavor kernels:

```
$ uname -r
6.8.0-1024-aws
$ anbox-shell ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=52 time=34.4 ms
```

So far, cloud flavor kernels have not been affected by the issue. However, our concern is that once the kernel which includes commit 0bfcb7b71e73 rolls out to the public cloud, it may affect Anbox Cloud environments deployed there. Could you please share the timeline for the release of the 6.8.0-58.60 kernel? According to the discourse post [3], is it targeted for early May? We need to determine what actions we can take to minimize the impact on our customers as much as possible. Thanks!

[1] https://github.com/tailscale/tailscale/issues/13863#issuecomment-2424752914
[2] https://launchpad.net/ubuntu/+source/linux/6.8.0-58.60
[3] https://discourse.ubuntu.com/t/the-2025-03-17-sru-cycle-started/57903

** Affects: linux (Ubuntu)
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/2105997
Title: Android instance can not access network once kernel is upgraded to 6.8.0-57.59~22.04.1
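The following is an added example, not code from the bug report or from Anbox Cloud: a small fleet-check script that classifies an Ubuntu kernel release string against the regression window described in the report (generic 6.8.0 ABIs 56 and 57 affected, 58 and later fixed, cloud flavours reported as "unknown" since the report only says they were unaffected so far) and that pulls the failing rule and error line out of IptablesRestoreController logcat output, using the excerpt from the report as sample input.

```bash
#!/usr/bin/env bash
# Added example, not code from the bug report or from Anbox Cloud.
# Assumption: generic 6.8.0 kernels with ABI 56 and 57 are affected and
# ABI 58+ carry the fix (as reported above); other flavours (e.g. -aws)
# are classified "unknown" because the report only says they were not
# affected so far.

# is_affected_kernel RELEASE -> prints affected | ok | unknown
# Accepts both package versions (6.8.0-57.59~22.04.1) and uname -r output
# (6.8.0-57-generic, 6.8.0-1024-aws).
is_affected_kernel() {
    local rel="$1" rest abi flavour
    case "$rel" in
        6.8.0-*) rest="${rel#6.8.0-}" ;;
        *) echo ok; return ;;            # not a 6.8.0 kernel at all
    esac
    abi="${rest%%[.-]*}"                 # 57.59~22.04.1 -> 57, 1024-aws -> 1024
    flavour="${rest#*-}"                 # 57-generic -> generic, 1024-aws -> aws
    if [ "$flavour" = "$rest" ]; then flavour=generic; fi   # package version, no flavour
    if [ "$flavour" != generic ]; then echo unknown; return; fi
    case "$abi" in
        56|57) echo affected ;;
        *) echo ok ;;
    esac
}

# restore_error_summary < logcat-text -> one line per failed restore:
# the rule that was being loaded and the first line of the error
restore_error_summary() {
    awk '
        /IptablesRestoreController: ------- COMMAND -------/ { mode = "cmd"; rule = ""; next }
        /IptablesRestoreController: ------- ERROR -------/   { mode = "err"; next }
        mode == "cmd" { sub(/.*IptablesRestoreController: /, ""); if ($0 ~ /^-A /) rule = $0; next }
        mode == "err" { sub(/.*IptablesRestoreController: /, ""); print "rule: " rule " | error: " $0; mode = ""; next }
    '
}

# Sample input, copied from the logcat excerpt in the report
SAMPLE_LOGCAT='04-01 12:29:48.036 91 171 E IptablesRestoreController: ------- COMMAND -------
04-01 12:29:48.036 91 171 E IptablesRestoreController: *mangle
04-01 12:29:48.036 91 171 E IptablesRestoreController: -A routectrl_mangle_INPUT -i eth0 -j MARK --set-mark 0x30064/0xffefffff
04-01 12:29:48.036 91 171 E IptablesRestoreController: COMMIT
04-01 12:29:48.036 91 171 E IptablesRestoreController: ------- ERROR -------
04-01 12:29:48.036 91 171 E IptablesRestoreController: ip6tables-restore v1.8.7 (legacy): unknown option "--set-mark"'

echo "running kernel $(uname -r): $(is_affected_kernel "$(uname -r)")"
printf '%s\n' "$SAMPLE_LOGCAT" | restore_error_summary
```

On an Anbox Cloud host the second function can be fed directly from `anbox-shell logcat -s IptablesRestoreController` to spot the IPv6 MARK failure before users report lost connectivity.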