I'm also experiencing a similar issue using RKE2 and kube-proxy (see https://github.com/rancher/rke2/issues/7438).

  uname -a
  Linux rke2-0-control-plane-2qwnd-mz6rj 6.8.0-57-generic #59-Ubuntu SMP PREEMPT_DYNAMIC Sat Mar 15 17:40:59 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

  E0415 12:55:34.932450 1 proxier.go:1564] "Failed to execute iptables-restore" err=<
      exit status 2: Warning: Extension MARK revision 0 not supported, missing kernel module?
      ip6tables-restore v1.8.9 (nf_tables): unknown option "--xor-mark"
      Error occurred at line: 17
      Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
   > ipFamily="IPv6"
  I0415 12:55:34.932475 1 proxier.go:833] "Sync failed" ipFamily="IPv6" retryingTime="30s"
  E0415 12:56:04.956189 1 proxier.go:1564] "Failed to execute iptables-restore" err=<
      exit status 2: Warning: Extension MARK revision 0 not supported, missing kernel module?
      ip6tables-restore v1.8.9 (nf_tables): unknown option "--xor-mark"
      Error occurred at line: 17
      Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
   > ipFamily="IPv6"

** Bug watch added: github.com/rancher/rke2/issues #7438
   https://github.com/rancher/rke2/issues/7438

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-signed-nvidia-6.8 in Ubuntu.
https://bugs.launchpad.net/bugs/2106326

Title:
  ip6tables option --set-mark not working with linux-image-6.8.0-1024-nvidia and above

Status in linux-hwe-6.8 package in Ubuntu:
  Confirmed
Status in linux-signed-nvidia-6.8 package in Ubuntu:
  Confirmed

Bug description:
  Starting from linux-image-6.8.0-1024-nvidia (and now 1025 as well), I receive an error when loading the following sequence of iptables rules:

  awg set warp0 fwmark 1
  iptables -A OUTPUT -t mangle -m owner --uid-owner danted1 -m mark --mark 0 ! -d localhost -j MARK --set-mark 217
  iptables -A OUTPUT -t mangle -m owner --uid-owner tinyproxy -m mark --mark 0 ! -d localhost -j MARK --set-mark 227
  ip6tables -A OUTPUT -t mangle -m owner --uid-owner danted1 -m mark --mark 0 ! -d ip6-localhost -j MARK --set-mark 217
  ip6tables -A OUTPUT -t mangle -m owner --uid-owner tinyproxy -m mark --mark 0 ! -d ip6-localhost -j MARK --set-mark 227
  ip rule add fwmark 217 table 217
  ip rule add fwmark 227 table 217
  ip -6 rule add fwmark 217 table 217
  ip -6 rule add fwmark 227 table 217

  ip6tables v1.8.7 (nf_tables): unknown option "--set-mark"
  Try `ip6tables -h' or 'ip6tables --help' for more information.

  Likely the errors refer to the rules on lines 4 or 5 above. Interesting that only the ip6tables rule triggers the error, while iptables apparently passes correctly.

  These rules are used to force all the traffic on certain local proxy servers to go through a VPN interface. They are located in the interface .conf file, so they are applied automatically when the interface is set up (and now this fails, making the VPN interface fail to load).

  Everything worked OK on nvidia kernel versions 1023 and before. Everything still works on another machine running the mainline (generic) kernel.
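
A log-triage sketch for the kube-proxy failure quoted in the comment above, added here as an example (it is not part of the bug report, RKE2 or kube-proxy): it extracts the IP family, the rejected option and the unsupported extension from each failed iptables-restore block. The function names and the restored line breaks in the sample are assumptions.

```python
import re

# Sample input: the kube-proxy lines quoted in the comment above, with klog's
# multi-line err=< ... > layout restored (the line breaks are an assumption).
SAMPLE = '''\
E0415 12:55:34.932450 1 proxier.go:1564] "Failed to execute iptables-restore" err=<
\texit status 2: Warning: Extension MARK revision 0 not supported, missing kernel module?
\tip6tables-restore v1.8.9 (nf_tables): unknown option "--xor-mark"
\tError occurred at line: 17
\tTry `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
 > ipFamily="IPv6"
I0415 12:55:34.932475 1 proxier.go:833] "Sync failed" ipFamily="IPv6" retryingTime="30s"
'''

HEAD = re.compile(r'^E(\d{4} [\d:.]+)\s+\d+ \S+\] "Failed to execute iptables-restore" err=<\s*$')
TAIL = re.compile(r'^\s*> ipFamily="(IPv[46])"')
EXT = re.compile(r'Extension (\S+) revision (\d+) not supported')
OPT = re.compile(r'^\s*(\S+) (v[\d.]+) \((\w+)\): unknown option "([^"]+)"')
LINE = re.compile(r'Error occurred at line: (\d+)')

def restore_failures(text):
    """Return one dict per failed iptables-restore block in kube-proxy log text."""
    findings, cur = [], None
    for line in text.splitlines():
        if (m := HEAD.match(line)):
            cur = {"time": m.group(1)}      # start of an err=< ... > block
            continue
        if cur is None:
            continue                         # not inside a failure block
        if (m := TAIL.match(line)):
            cur["ip_family"] = m.group(1)   # closing "> ipFamily=..." line
            findings.append(cur)
            cur = None
            continue
        if (m := EXT.search(line)):
            cur["extension"], cur["revision"] = m.group(1), int(m.group(2))
        if (m := OPT.match(line)):
            cur["tool"], cur["version"], cur["backend"], cur["option"] = m.groups()
        if (m := LINE.search(line)):
            cur["rule_line"] = int(m.group(1))
    return findings

def kernel_extension_suspects(findings):
    """Failures where a rejected option coincides with an unsupported-extension warning."""
    return [f for f in findings if "extension" in f and "option" in f]

if __name__ == "__main__":
    for f in kernel_extension_suspects(restore_failures(SAMPLE)):
        print(f)
```
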