The v6.12-rc5 commit 306ed1728e84 ("netfilter: xtables: fix typo causing
some targets not to load on IPv6") has been backported to v6.11.6,
v6.6.59, v6.1.115, v5.15.170.

The commit has landed in linux/oracular version 6.11.0-17.17 and
linux/noble version 6.8.0-58.60.

From the changelog of 6.8.0-58.60,
https://launchpad.net/ubuntu/+source/linux/6.8.0-58.60, the kernel bug
is bug 2102529; from bug 2102529, it's tagged
kernel-sru-cycle-2025.03.17-1; and from https://kernel.ubuntu.com/, cycle
2025.03.17 will be released to -updates on Apr 14.

** Also affects: linux (Ubuntu Plucky)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Noble)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Oracular)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu Plucky)
       Status: New => Invalid

** Changed in: linux (Ubuntu Oracular)
       Status: New => Fix Released

** Changed in: linux (Ubuntu Noble)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2105997

Title:
  Android instance can not access network once kernel is upgraded to
  6.8.0-57.59~22.04.1

Status in linux package in Ubuntu:
  Invalid
Status in linux source package in Noble:
  Fix Released
Status in linux source package in Oracular:
  Fix Released
Status in linux source package in Plucky:
  Invalid

Bug description:
  Anbox Cloud enables people to run LXC-based Android instances to
  provide a generic AOSP experience in the cloud. After the 6.8 HWE
  kernel was updated to 6.8.0-57.59, Android containers can no longer
  access the network.

  ```
  root@test0:~# anbox-shell ping -c 1 192.168.250.1
  connect: Network is unreachable
  ```

  We observed the following errors from the IptablesRestoreController
  component in Android, which manages both IPv4 and IPv6 rules.

  ```
  root@test0:~# anbox-shell logcat -s IptablesRestoreController
  --------- beginning of main
  04-01 12:29:48.036    91   171 E IptablesRestoreController: iptables error:
  04-01 12:29:48.036    91   171 E IptablesRestoreController: ------- COMMAND -------
  04-01 12:29:48.036    91   171 E IptablesRestoreController: *mangle
  04-01 12:29:48.036    91   171 E IptablesRestoreController: -A routectrl_mangle_INPUT -i eth0 -j MARK --set-mark 0x30064/0xffefffff
  04-01 12:29:48.036    91   171 E IptablesRestoreController: COMMIT
  04-01 12:29:48.036    91   171 E IptablesRestoreController: -------  ERROR -------
  04-01 12:29:48.036    91   171 E IptablesRestoreController: ip6tables-restore v1.8.7 (legacy): unknown option "--set-mark"
  04-01 12:29:48.036    91   171 E IptablesRestoreController: Error occurred at line: 2
  04-01 12:29:48.036    91   171 E IptablesRestoreController: Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
  ```

  During our testing, things started breaking with kernel 6.8.0-56.58.1.
  We confirmed that after downgrading the kernel to 6.8.0-55.57.1,
  things worked again.

  
  The underlying issue has been discussed in [1]:
  ```
  This is caused by 0bfcb7b71e73 ("netfilter: xtables: avoid NFPROTO_UNSPEC where needed") and a fix is already in the works: https://lore.kernel.org/all/20241019-xtables-typos-v2-1-6b8b1735d...@0upti.me/

  For now downgrading the kernel or patching it with the above should fix the issue, although I'd expect the issue to be fixed with the next stable kernel
  ```

  We've seen that the fix ("netfilter: xtables: fix typo causing some
  targets not to load on IPv6") has been included in the 6.8.0-58.60
  kernel [2] and can confirm that after upgrading the kernel to
  6.8.0-58.60, the issue is resolved, and network access from the
  Android container works fine.

  ```
  $ anbox-shell ping 8.8.8.8
  PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
  64 bytes from 8.8.8.8: icmp_seq=1 ttl=52 time=34.4 ms
  ```

  Meanwhile, when testing the cloud flavor kernels:
  ```
  $ uname -r
  6.8.0-1024-aws
  $ anbox-shell ping 8.8.8.8
  PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
  64 bytes from 8.8.8.8: icmp_seq=1 ttl=52 time=34.4 ms
  ```

  So far, cloud flavor kernels have not been affected by the issue.
  However, our concern is that after the kernel, which includes commit
  0bfcb7b71e73, rolls out to the public cloud, it may affect Anbox Cloud
  environments deployed on the cloud.

  Could you please share the timeline for the release of the 6.8.0-58.60
  kernel? According to the Discourse post [3], is it targeted for early
  May? We need to determine what actions we can take to minimize the
  impact on our customers as much as possible.

  Thanks!

  
  [1] https://github.com/tailscale/tailscale/issues/13863#issuecomment-2424752914
  [2] https://launchpad.net/ubuntu/+source/linux/6.8.0-58.60
  [3] https://discourse.ubuntu.com/t/the-2025-03-17-sru-cycle-started/57903
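
An added example, not part of the original report and not Anbox or Android code: a Python parser that scans `logcat` output for the failure pattern shown in the description, where `ip6tables-restore` reports an unknown option that belongs to the `-j` target of the failing rule. The function names and the matching heuristic are assumptions; the sample is the report's own log block with the mail line wrapping undone.

```python
import re

# Log block from the report above, with the mail's line wrapping undone.
P = "04-01 12:29:48.036    91   171 E IptablesRestoreController: "
SAMPLE = "\n".join(P + m for m in [
    "iptables error:",
    "------- COMMAND -------",
    "*mangle",
    "-A routectrl_mangle_INPUT -i eth0 -j MARK --set-mark 0x30064/0xffefffff",
    "COMMIT",
    "-------  ERROR -------",
    'ip6tables-restore v1.8.7 (legacy): unknown option "--set-mark"',
    "Error occurred at line: 2",
])

PREFIX = re.compile(r"^.*? [VDIWEF] IptablesRestoreController: ?(.*)$")
SECTION = re.compile(r"^-+\s*(COMMAND|ERROR)\s*-+$")
UNKNOWN = re.compile(r'^(ip6?tables-restore) v\S+.*: unknown option "(--[\w-]+)"')
LINE_NO = re.compile(r"^Error occurred at line: (\d+)")

def parse_failures(log):
    """Split logcat text into one dict per 'iptables error:' block."""
    failures, section = [], None
    for raw in log.splitlines():
        msg = m.group(1).strip() if (m := PREFIX.match(raw)) else None
        if msg == "iptables error:":
            failures.append({"command": [], "tool": None, "option": None, "line": 0})
            section = None
        elif not failures or msg is None:
            continue  # not from this component, or outside any error block
        elif s := SECTION.match(msg):
            section = s.group(1)
        elif section == "COMMAND":
            failures[-1]["command"].append(msg)  # keep order: errors cite line numbers
        elif u := UNKNOWN.match(msg):
            failures[-1]["tool"], failures[-1]["option"] = u.groups()
        elif n := LINE_NO.match(msg):
            failures[-1]["line"] = int(n.group(1))
    return failures

def ipv6_target_option_rejections(log):
    """Yield (target, option, rule) where ip6tables-restore rejected an option
    present on the failing rule's -j target (heuristic assumed for this example)."""
    for f in parse_failures(log):
        if f["tool"] == "ip6tables-restore" and 0 < f["line"] <= len(f["command"]):
            rule = f["command"][f["line"] - 1]
            target = re.search(r"-j (\S+)", rule)
            if target and f["option"] in rule.split():
                yield target.group(1), f["option"], rule
```

A hit for a target that loads fine under `iptables-restore` on the same host points at the kernel side rather than at the rule set, which is what the report describes for `MARK`.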
