Cilium fails to start with IPv6 on v1.13.0

[michaelbeaumont]

I've recreated my dual stack cluster with v1.13.0 but Cilium v1.19.2 is failing to start with:

unable to run agent: failed to start: IPv6 is enabled, but the needed ip6tables tables are unavailable (try disabling IPv6 in Cilium or installing ip6tables and kernel modules: ip6_tables, ip6table_mangle, ip6table_raw, ip6table_filter)

but the weird thing is, v1.13.0-beta.1 was working fine. It also works with v1.12.7. Has something changed here? I don't see anything obvious in the release notes/commit diffs. I'm also seeing:

level=warn msg="iptables table is not available on this system" module=agent.datapath.iptables error="unable to run 'iptables -t mangle -L -n' iptables command: exit status 1 stderr=\"iptables v1.8.8 (nf_tables): table `mangle' is incompatible, use 'nft' tool.\\n\\n\"

[smira]

Not sure, but feels like a bug in Cilium, it is not compatible with modern iptables. Cilium should use nftables actually.

[mt190502]

I have same issue with dual-stack mode

cilium-agent time=2026-05-01T19:18:50.679159478Z level=warn msg="iptables table is not available on this system" module=agent.datapath.iptables error="unable to run 'iptables -t nat -L -n' iptables command: exit status 1 stderr=\"iptables v1.8.8 (nf_tables): table `nat' is incompatible, use 'nft' tool.\\n\\n\"" table=nat                       
cilium-agent time=2026-05-01T19:18:50.686645802Z level=warn msg="iptables table is not available on this system" module=agent.datapath.iptables error="unable to run 'iptables -t mangle -L -n' iptables command: exit status 1 stderr=\"iptables v1.8.8 (nf_tables): table `mangle' is incompatible, use 'nft' tool.\\n\\n\"" table=mangle              
cilium-agent time=2026-05-01T19:18:50.698534445Z level=error msg="Start hook failed" function="*iptables.Manager.Start (agent.datapath.iptables)" error="IPv6 is enabled, but the needed ip6tables tables are unavailable (try disabling IPv6 in Cilium or installing ip6tables and kernel modules: ip6_tables, ip6table_mangle, ip6table_raw, ip6table_filter)"                                                      
cilium-agent time=2026-05-01T19:18:50.698636647Z level=error msg="Failed to start hive" error="IPv6 is enabled, but the needed ip6tables tables are unavailable (try disabling IPv6 in Cilium or installing ip6tables and kernel modules: ip6_tables, ip6table_mangle, ip6table_raw, ip6table_filter)" duration=363.645317ms

[smira]

Are you using tailscale extension @mt190502 @michaelbeaumont ?

[smira]

See also siderolabs/extensions#1061

[mt190502]

Hi @smira,
Yes. I'm using tailscale extension. But I'm getting this errors on cilium pods. Is this related to tailscale extension?🤔

[michaelbeaumont]

Yes, me too.

[smira]

Thanks for confirming, yes, the real bug is that tailscale was stripped off the iptables binaries in 1.13, and it falls back to native nft mode (which is not bad), but Cilium still can't do native nft, so it tries iptables-over-nft and it leads to a conflict.

The workaround is to downgrade for now, or remove tailscale. We will ship a fix in 1.13.1

[jhindersson]

I see the same issue when upgrading Talos from 1.11.6 to 1.12.7 using Cilium 1.17.3. We use IPv4/IPv6 dual stack but do not use the tailscale extension.

From what I can tell it might be related to: cilium/cilium#43940

If this is indeed the case we have to wait on upgrading until Cilium version 1.20 which is planned for July or see if the Cilium team can backport the fix to 1.19.

[ozhankaraman]

looks like Cilium 1.20 probably fix our issue, I experience same problem on Talos 1.13.3