iptables conntrack and wireguard tunnels are broken because NETFILTER_XT_TARGET_CT/NETFILTER_XT_MATCH_CONNMARK are disabled #7407

Open
Trolldemorted opened this issue Sep 7, 2021 · 3 comments

Comments

@Trolldemorted

Trolldemorted commented Sep 7, 2021

Windows Build Number

Microsoft Windows [Version 10.0.19042.1165]

WSL Version

  • WSL 2
  • WSL 1

Kernel Version

Linux version 5.10.16.3-microsoft-standard-WSL2 (oe-user@oe-host) (x86_64-msft-linux-gcc (GCC) 9.3.0, GNU ld (GNU Binutils) 2.34.0.20200220) #1 SMP Fri Apr 2 22:23:49 UTC 2021

Distro Version

Ubuntu 20.04

Other Software

wireguard-dkms/focal-updates,now 1.0.20201112-1~20.04.1 all [installed,automatic]
wireguard-tools/focal-updates,now 1.0.20200513-1~20.04.2 amd64 [installed,automatic]
wireguard/focal-updates,now 1.0.20200513-1~20.04.2 all [installed]

Repro Steps

As explained here and here, the conntrack features don't work because the kernel config options aren't set:

sudo iptables -C INPUT -m connmark --mark 0x10/0x10 -j DROP
iptables v1.8.4 (legacy): Couldn't load match `connmark':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

Expected Behavior

connmark and WireGuard work as they would in a normal Ubuntu VM.

Actual Behavior

connmark doesn't work, WireGuard can't set up iptables and fails:

iptables-restore v1.8.4 (legacy): unknown option "--save-mark"

Diagnostic Logs

No response

@SvenDowideit

#7547

@wizpresso-steve-cy-fan

wizpresso-steve-cy-fan commented Nov 9, 2023

We are also aware of this weird kube-proxy IPVS issue (we are using k0s more specifically, but it should apply universally to other Kubernetes distros as well) where we believe conntrack (and the absence of some key kernel extensions) is related:

[root@WIZPRESSO-07 ~]# sudo iptables -t raw -A PREROUTING -p tcp -m multiport --dport 80,81,82 -j NOTRACK
Warning: Extension CT revision 0 not supported, missing kernel module?
Notice: The NOTRACK target is converted into CT target in rule listing and saving.
iptables v1.8.9 (nf_tables):  RULE_APPEND failed (No such file or directory): rule in chain PREROUTING

This is one of the reasons why iptables mode for kube-proxy failed for k8s on WSL2 out of the box.
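Both reports above (the `connmark` match and `--save-mark` failures in the issue body, and the NOTRACK/CT failure in the kube-proxy comment) come down to netfilter options that are off in the WSL2 kernel config. The script below is an added example written for this page, not code from the issue or from the WSL kernel project: it parses a kernel config file and reports which of those options are disabled. The mapping from failing extensions to Kconfig symbols is an assumption made here: `-m connmark` needs CONFIG_NETFILTER_XT_MATCH_CONNMARK, the `-j CONNMARK --save-mark` rule that wg-quick installs needs CONFIG_NETFILTER_XT_TARGET_CONNMARK, NOTRACK (which iptables converts to the CT target, as the kube-proxy output shows) needs CONFIG_NETFILTER_XT_TARGET_CT, and all of them depend on CONFIG_NF_CONNTRACK. The function names and the sample config are mine; the sample is constructed to mirror the state reported in this issue. Run it with `--live` to check the kernel you are on instead.

```shell
#!/bin/sh
# Added example, not from the issue or the WSL kernel project. Reports which
# netfilter kernel options needed by `-m connmark`, `-j CONNMARK --save-mark`
# and `-j CT` / NOTRACK are disabled in a given kernel config.

# Assumed mapping from the failing iptables extensions to Kconfig symbols.
REQUIRED_OPTS="CONFIG_NF_CONNTRACK \
CONFIG_NETFILTER_XT_MATCH_CONNMARK \
CONFIG_NETFILTER_XT_TARGET_CONNMARK \
CONFIG_NETFILTER_XT_TARGET_CT"

# config_value FILE OPTION: prints y or m (enabled), n (explicitly "is not set")
# or absent (symbol does not appear at all, e.g. because a dependency is off).
config_value() {
    file=$1
    opt=$2
    if grep -q "^# ${opt} is not set" "$file"; then
        echo n
        return 0
    fi
    val=$(sed -n "s/^${opt}=//p" "$file" | head -n 1)
    if [ -z "$val" ]; then
        echo absent
    else
        echo "$val"
    fi
}

# missing_netfilter_opts FILE: prints OPTION=STATE for every required option
# that is neither built in nor a module; exit status 1 if any is missing.
missing_netfilter_opts() {
    file=$1
    rc=0
    for opt in $REQUIRED_OPTS; do
        state=$(config_value "$file" "$opt")
        case $state in
            y|m) ;;
            *)
                echo "${opt}=${state}"
                rc=1
                ;;
        esac
    done
    return $rc
}

# running_kernel_config: prints the path of a readable config for the running
# kernel (decompressed /proc/config.gz where the kernel provides it, or /boot).
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        tmp=$(mktemp)
        zcat /proc/config.gz > "$tmp"
        echo "$tmp"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# Constructed sample mirroring the state reported in the issue: conntrack core
# is built in, but the CT target and the connmark match/target are not.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
# CONFIG_NETFILTER_XT_TARGET_CT is not set
# CONFIG_NETFILTER_XT_MATCH_CONNMARK is not set
EOF

echo "constructed sample config:"
if missing_netfilter_opts "$SAMPLE_CONFIG"; then
    echo "  all required options enabled"
else
    echo "  -> connmark / CONNMARK / CT rules will fail to load on this kernel"
fi

# With --live, check the kernel this script is running on instead.
if [ "${1:-}" = "--live" ]; then
    if cfg=$(running_kernel_config); then
        echo "running kernel $(uname -r):"
        missing_netfilter_opts "$cfg" && echo "  all required options enabled"
    else
        echo "no readable kernel config (needs /proc/config.gz or /boot/config-\$(uname -r))"
    fi
fi
```

On the sample config the script lists CONFIG_NETFILTER_XT_MATCH_CONNMARK=n, CONFIG_NETFILTER_XT_TARGET_CONNMARK=absent and CONFIG_NETFILTER_XT_TARGET_CT=n, which is exactly the set of extensions the three failing rules in this thread need. The "absent" state matters in practice: an option that never appears in the config (rather than being marked "is not set") usually means one of its dependencies is off, so enabling only the listed symbol in a custom kernel build is not enough.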

@soredake

@kelsey-steele Hi! I've seen that you've fixed #8302, can you look at this issue too, please?
