Bug#1085953: ip6tables: Extension MARK revision 0 not supported
Chris Boot
2024-10-23 21:30:01 UTC
Package: src:linux
Version: 6.11.4-1
Severity: important
Tags: ipv6

Hi,

I upgraded a couple of systems from linux-image-6.11.2-amd64 to
linux-image-6.11.4-amd64 and after rebooting the systems' firewalls fail
to start.

The problem can be reproduced very simply:

# ip6tables -w -t mangle -A fooX9269 -j MARK --set-mark 1
Warning: Extension MARK revision 0 not supported, missing kernel module?
ip6tables: No chain/target/match by that name.

When reverting to linux-image-6.11.2-amd64 the firewalls start correctly
again, and the test command displayed above works as expected.

The firewall systems I tested are shorewall6 and the (complex!) ruleset
that kube-proxy generates for Kubernetes 1.31.1.

In all cases I am using ip6tables-nft not ip6tables-legacy.

Thanks,
Chris

-- Package-specific info:
** Kernel log: boot messages should be attached


-- System Information:
Debian Release: trixie/sid
APT prefers testing
APT policy: (500, 'testing'), (100, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.11.2-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages linux-image-6.11.4-amd64 depends on:
ii initramfs-tools [linux-initramfs-tool] 0.145
ii kmod 33+20240816-2
ii linux-base 4.10.1

Versions of packages linux-image-6.11.4-amd64 recommends:
ii apparmor 3.1.7-1+b1

Versions of packages linux-image-6.11.4-amd64 suggests:
pn debian-kernel-handbook <none>
ii firmware-linux-free 20240610-1
ii grub-efi-amd64 2.12-5
pn linux-doc-6.11 <none>

Versions of packages linux-image-6.11.4-amd64 is related to:
pn firmware-amd-graphics <none>
pn firmware-atheros <none>
pn firmware-bnx2 <none>
pn firmware-bnx2x <none>
pn firmware-brcm80211 <none>
pn firmware-cavium <none>
pn firmware-intel-sound <none>
pn firmware-intelwimax <none>
pn firmware-ipw2x00 <none>
pn firmware-ivtv <none>
pn firmware-iwlwifi <none>
pn firmware-libertas <none>
pn firmware-linux-nonfree <none>
pn firmware-misc-nonfree <none>
pn firmware-myricom <none>
pn firmware-netxen <none>
pn firmware-qlogic <none>
pn firmware-realtek <none>
pn firmware-samsung <none>
pn firmware-siano <none>
pn firmware-ti-connectivity <none>
pn xen-hypervisor <none>

-- no debconf information
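
An added example, not part of the original report or of any Debian tooling: a post-upgrade smoke test that reruns the report's reproducer against a scratch chain and classifies the error text, so a ruleset that would fail to load is caught before the host depends on it. The scratch chain name and the return codes are assumptions.

```shell
#!/bin/sh
# Added example: smoke test for the "Extension MARK revision 0 not supported"
# regression. Chain name and return codes are assumptions, not from the report.

# Error text quoted from the report above, kept here as sample input.
SAMPLE_ERR='Warning: Extension MARK revision 0 not supported, missing kernel module?
ip6tables: No chain/target/match by that name.'

# Classify ip6tables stderr text passed as $1. Prints
#   "extension-unsupported <NAME> <REV>" for the warning seen in the report,
#   "other-error" for any other non-empty text, "ok" for empty text.
classify_xt_error() {
    printf '%s\n' "$1" | awk '
        /Extension [^ ]+ revision [0-9]+ not supported/ {
            for (i = 1; i <= NF; i++)
                if ($i == "Extension") {
                    print "extension-unsupported", $(i + 1), $(i + 3)
                    found = 1
                    exit
                }
        }
        NF { seen = 1 }
        END { if (!found) print (seen ? "other-error" : "ok") }'
}

# Re-run the reproducer in a scratch chain of the mangle table, then clean up.
# Needs root. Returns 0 if the MARK target loads, 1 if it does not,
# 2 if the scratch chain could not be created.
probe_mark_target() {
    chain="xtprobe_$$"    # hypothetical scratch chain name
    ip6tables -w -t mangle -N "$chain" 2>/dev/null || return 2
    err=$(ip6tables -w -t mangle -A "$chain" -j MARK --set-mark 1 2>&1 >/dev/null)
    rc=$?
    ip6tables -w -t mangle -F "$chain" 2>/dev/null
    ip6tables -w -t mangle -X "$chain" 2>/dev/null
    [ "$rc" -eq 0 ] && return 0
    echo "ip6tables MARK probe failed: $(classify_xt_error "$err")" >&2
    return 1
}
```

Calling `probe_mark_target` as root after booting a new kernel, and alerting on a non-zero return, flags the condition before the firewall service is restarted.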
Debian Bug Tracking System
2024-10-24 06:40:01 UTC
Bug #1085953 [src:linux] ip6tables: Extension MARK revision 0 not supported
tags -1 + upstream
Bug #1085953 [src:linux] ip6tables: Extension MARK revision 0 not supported
Added tag(s) upstream.
--
1085953: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085953
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Salvatore Bonaccorso
2024-10-24 06:40:02 UTC
Control: forwarded -1 https://lore.kernel.org/all/20241019-xtables-typos-v3-1-***@0upti.me/
Control: tags -1 + upstream

Hi Chris,
Post by Chris Boot
Package: src:linux
Version: 6.11.4-1
Severity: important
Tags: ipv6
Hi,
I upgraded a couple of systems from linux-image-6.11.2-amd64 to
linux-image-6.11.4-amd64 and after rebooting the systems' firewalls fail
to start.
# ip6tables -w -t mangle -A fooX9269 -j MARK --set-mark 1
Warning: Extension MARK revision 0 not supported, missing kernel module?
ip6tables: No chain/target/match by that name.
When reverting to linux-image-6.11.2-amd64 the firewalls start correctly
again, and the test command displayed above works as expected.
The firewall systems I tested are shorewall6 and the (complex!) ruleset
that kube-proxy generates for Kubernetes 1.31.1.
In all cases I am using ip6tables-nft not ip6tables-legacy.

Looks like upstream are working on fixes,
https://lore.kernel.org/all/20241019-xtables-typos-v3-1-***@0upti.me/
this got introduced with 0bfcb7b71e73 ("netfilter: xtables: avoid
NFPROTO_UNSPEC where needed") and backports to stable series.

Regards,
Salvatore
Debian Bug Tracking System
2024-10-28 07:10:01 UTC
Your message dated Mon, 28 Oct 2024 07:04:39 +0000
with message-id <E1t5Jnr-0026qX-***@fasolo.debian.org>
and subject line Bug#1085953: fixed in linux 6.11.5-1
has caused the Debian Bug report #1085953,
regarding ip6tables: Extension MARK revision 0 not supported
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)