iptables: handle case where kernel IPv6 support is disabled #20680

jibi · 2022-07-28T10:04:03Z

Currently, even if the kernel IPv6 support is disabled (i.e. the
ipv6.disable=1 kernel parameter is set), the agent will try to find or
load the ip6tables kernel modules, and if successful it will assume
ip6tables is supported.

This will result in a fatal error since all ip6tables commands will
fail with "Address family not supported".

This commit fixes this by setting the haveIp6tables IptablesManager's
property to false in case the kernel does not support IPv6.

Fixes: d812b92 ("iptables: don't ignore errors")
Fixes: #18513
Fixes: #20672

julianwiedmann

ugh, I remember having an uneasy feeling about this...

For the commit message:

can you please add what specific case this covers? It's the ipv6.disable=1 module parameter, correct?
think we need a Fixes: tag for the commit that introduced the regression.

pkg/datapath/iptables/iptables.go

jibi · 2022-07-28T11:57:26Z

/test

julianwiedmann

lgtm, thanks for the quick fix jibi! One further comment, but feel free to ignore.

pkg/datapath/iptables/iptables.go

Currently, even if the kernel IPv6 support is disabled (i.e. the ipv6.disable=1 kernel parameter is set), the agent will try to find or load the ip6tables kernel modules, and if successful it will assume ip6tables is supported. This will result in a fatal error since all ip6tables commands will fail with "Address family not supported". This commit fixes this by setting the haveIp6tables IptablesManager's property to false in case the kernel does not support IPv6. Fixes: d812b92 ("iptables: don't ignore errors") Fixes: #18513 Fixes: #20672 Signed-off-by: Gilberto Bertin <jibi@cilium.io>

jibi · 2022-07-28T14:02:47Z

/test

YutaroHayakawa

LGTM with a nit (almost the same as Julian's one) 👍

YutaroHayakawa · 2022-07-29T02:03:03Z

pkg/datapath/iptables/iptables.go

+			"Unable to read /sys/module/ipv6/parameters/disable, disabling IPv6 iptables support")
+		haveIp6tables = false
+	} else if strings.TrimSuffix(string(ipv6Disabled), "\n") == "1" {
+		log.Debug(


I think we should show this message to users even if it is not a Fatal. Maybe it should be a Warning?

I'm following the same pattern as above (i.e. emitting a debug logline in case we fail to find/load ip6tables modules):

cilium/pkg/datapath/iptables/iptables.go

Lines 290 to 297 in 78d075d

if err := modulesManager.FindOrLoadModules(

"ip6_tables", "ip6table_mangle", "ip6table_raw", "ip6table_filter"); err != nil {

if option.Config.EnableIPv6 {

log.WithError(err).Fatal(

"IPv6 is enabled and ip6tables modules could not be initialized (try disabling IPv6 in Cilium or loading ip6_tables, ip6table_mangle, ip6table_raw and ip6table_filter kernel modules)")

}

log.WithError(err).Debug(

"ip6tables kernel modules could not be loaded, so IPv6 cannot be used")

brb · 2022-07-29T09:23:57Z

I thought that the issue got fixed with the closure of #18904

jibi · 2022-07-29T11:08:16Z

I thought that the issue got fixed with the closure of #18904

That change only handles the case where IPv6 support is enabled in Cilium but we can't find the related ip6tables modules (but apparently we can still load them even if the kernel has disabled IPv6 support)

jibi added sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. release-note/bug This PR fixes an issue in a previous release of Cilium. needs-backport/1.10 labels Jul 28, 2022

jibi requested a review from a team as a code owner July 28, 2022 10:04

jibi assigned julianwiedmann Jul 28, 2022

jibi requested a review from YutaroHayakawa July 28, 2022 10:04

maintainer-s-little-helper bot added this to Needs backport from master in 1.11.8 Jul 28, 2022

maintainer-s-little-helper bot added this to Needs backport from master in 1.10.14 Jul 28, 2022

jibi unassigned julianwiedmann Jul 28, 2022

jibi requested a review from julianwiedmann July 28, 2022 10:04

julianwiedmann requested changes Jul 28, 2022

View reviewed changes

pkg/datapath/iptables/iptables.go Outdated Show resolved Hide resolved

jibi force-pushed the pr/jibi/fix-iptables-without-ipv6-kernel-support branch 2 times, most recently from 4e38f16 to f7d7c6a Compare July 28, 2022 11:56

julianwiedmann approved these changes Jul 28, 2022

View reviewed changes

pkg/datapath/iptables/iptables.go Show resolved Hide resolved

jibi force-pushed the pr/jibi/fix-iptables-without-ipv6-kernel-support branch from f7d7c6a to e9a2928 Compare July 28, 2022 13:55

jibi force-pushed the pr/jibi/fix-iptables-without-ipv6-kernel-support branch from e9a2928 to aa2081c Compare July 28, 2022 14:02

YutaroHayakawa approved these changes Jul 29, 2022

View reviewed changes

ldelossa approved these changes Jul 29, 2022

View reviewed changes

jibi closed this Jul 29, 2022

jibi reopened this Jul 29, 2022

maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jul 29, 2022

aanm merged commit 03b89ec into master Jul 29, 2022

aanm deleted the pr/jibi/fix-iptables-without-ipv6-kernel-support branch July 29, 2022 12:58

aanm mentioned this pull request Jul 29, 2022

Cilium failed to delete iptables #20714

Closed

2 tasks

hemanthmalla mentioned this pull request Aug 9, 2022

iptables: handle case where kernel IPv6 support is disabled DataDog/cilium#287

Merged

nbusseneau mentioned this pull request Aug 9, 2022

v1.10 backports 2022-08-09 #20838

Merged

nbusseneau added backport-pending/1.10 and removed needs-backport/1.10 labels Aug 9, 2022

maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.10 in 1.10.14 Aug 9, 2022

nbusseneau mentioned this pull request Aug 9, 2022

v1.11 backports 2022-08-09 #20840

Merged

nbusseneau added backport-pending/1.11 and removed needs-backport/1.11 labels Aug 9, 2022

maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.10 in 1.11.8 Aug 9, 2022

nbusseneau mentioned this pull request Aug 10, 2022

v1.12 backports 2022-08-10 #20851

Merged

nbusseneau added backport-pending/1.12 and removed needs-backport/1.12 labels Aug 10, 2022

tklauser added backport-done/1.11 The backport for Cilium 1.11.x for this PR is done. and removed backport-pending/1.11 labels Aug 11, 2022

maintainer-s-little-helper bot moved this from Backport pending to v1.10 to Backport done to v1.11 in 1.11.8 Aug 11, 2022

tklauser added backport-done/1.10 and removed backport-pending/1.10 labels Aug 11, 2022

maintainer-s-little-helper bot moved this from Backport pending to v1.10 to Backport done to v1.10 in 1.10.14 Aug 11, 2022

tklauser added backport-done/1.12 The backport for Cilium 1.12.x for this PR is done. and removed backport-pending/1.12 labels Aug 11, 2022

This was referenced Aug 11, 2022

Prepare for release v1.10.14 #20874

Merged

Prepare for release v1.11.8 #20876

Merged

Prepare for release v1.12.1 #20912

Merged

jralmaraz mentioned this pull request Sep 26, 2022

Cilium pods in WSL2 kind cluster fail to start with iptables error #21446

Closed

1 task

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

iptables: handle case where kernel IPv6 support is disabled #20680

iptables: handle case where kernel IPv6 support is disabled #20680

jibi commented Jul 28, 2022 •

edited

julianwiedmann left a comment

jibi commented Jul 28, 2022

julianwiedmann left a comment

jibi commented Jul 28, 2022

YutaroHayakawa left a comment •

edited

YutaroHayakawa Jul 29, 2022 •

edited

jibi Jul 29, 2022

brb commented Jul 29, 2022

jibi commented Jul 29, 2022

	if err := modulesManager.FindOrLoadModules(
	"ip6_tables", "ip6table_mangle", "ip6table_raw", "ip6table_filter"); err != nil {
	if option.Config.EnableIPv6 {
	log.WithError(err).Fatal(
	"IPv6 is enabled and ip6tables modules could not be initialized (try disabling IPv6 in Cilium or loading ip6_tables, ip6table_mangle, ip6table_raw and ip6table_filter kernel modules)")
	}
	log.WithError(err).Debug(
	"ip6tables kernel modules could not be loaded, so IPv6 cannot be used")

iptables: handle case where kernel IPv6 support is disabled #20680

iptables: handle case where kernel IPv6 support is disabled #20680

Conversation

jibi commented Jul 28, 2022 • edited

julianwiedmann left a comment

Choose a reason for hiding this comment

jibi commented Jul 28, 2022

julianwiedmann left a comment

Choose a reason for hiding this comment

jibi commented Jul 28, 2022

YutaroHayakawa left a comment • edited

Choose a reason for hiding this comment

YutaroHayakawa Jul 29, 2022 • edited

Choose a reason for hiding this comment

jibi Jul 29, 2022

Choose a reason for hiding this comment

brb commented Jul 29, 2022

jibi commented Jul 29, 2022

jibi commented Jul 28, 2022 •

edited

YutaroHayakawa left a comment •

edited

YutaroHayakawa Jul 29, 2022 •

edited