iptables: Fatal when IPv6 is enabled but corresponding kernel modules are missing #18941

vadorovsky · 2022-02-25T11:40:00Z

Before this change, when Cilium was running with --enable-ipv6 option,
we were only logging a warning, but then the rest of iptables.go module
was inserting ip6tables rules anyway. That resulted in errors, because
inserting such rules is impossible without IPv6 netfilter presence in
the kernel.

This change fixes that by a fatal error in situation when IPv6 is
enabled in Cilium, but not supported by the kernel. In such situations,
users should either disable IPv6 in Cilium or load the needed kernel
modules.

Fixes: #18904
Signed-off-by: Michal Rostecki vadorovsky@gmail.com

Fatal when IPv6 is enabled but corresponding kernel modules are missing

pchaigno · 2022-02-26T15:55:38Z

Fatal error when IPv6 is enabled, but cannot be used

Maybe this would be better worded as a full sentence?

Fatal when IPv6 is enabled but corresponding kernel modules are missing.

vadorovsky · 2022-02-28T09:28:58Z

@pchaigno Fixed the commit message. Thanks!

pchaigno · 2022-02-28T09:30:30Z

@vadorovsky Oh, sorry. The previous commit title was fine (and fit within the character limit). I meant to suggest changing the release note :)

vadorovsky · 2022-02-28T09:56:58Z

@pchaigno I had an intention to change it also in release notes and PR title, but seems like lack of coffee made me to not do it. Fixed now. :)

pchaigno · 2022-04-04T13:30:50Z

@vadorovsky Could you please rebase? Many tests are failing because the PR branch is pretty old.

… are missing Before this change, when Cilium was running with --enable-ipv6 option, we were only logging a warning, but then the rest of iptables.go module was inserting ip6tables rules anyway. That resulted in errors, because inserting such rules is impossible without IPv6 netfilter presence in the kernel. This change fixes that by a fatal error in situation when IPv6 is enabled in Cilium, but not supported by the kernel. In such situations, users should either disable IPv6 in Cilium or load the needed kernel modules. Fixes: cilium#18904 Signed-off-by: Michal Rostecki <vadorovsky@gmail.com>

vadorovsky · 2022-04-14T17:09:15Z

sorry for doing it so late

pchaigno · 2022-04-15T13:39:43Z

No problem.

/test

maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Feb 25, 2022

pchaigno approved these changes Feb 26, 2022

View reviewed changes

pchaigno added feature/ipv6 Relates to IPv6 protocol support kind/bug This is a bug in the Cilium logic. needs-backport/1.11 release-note/bug This PR fixes an issue in a previous release of Cilium. labels Feb 26, 2022

maintainer-s-little-helper bot removed dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Feb 26, 2022

YutaroHayakawa approved these changes Feb 28, 2022

View reviewed changes

vadorovsky force-pushed the fatal-ipv6 branch from 69beae8 to 5ffe025 Compare February 28, 2022 09:28

vadorovsky changed the title ~~iptables: Fatal error when IPv6 is enabled, but cannot be used~~ iptables: Fatal when IPv6 is enabled but corresponding kernel modules are missing Feb 28, 2022

vadorovsky force-pushed the fatal-ipv6 branch from 5ffe025 to dca5cc0 Compare March 2, 2022 12:31

This comment was marked as resolved.

Sign in to view

github-actions bot added the stale The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale. label Apr 2, 2022

pchaigno removed the stale The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale. label Apr 2, 2022

maintainer-s-little-helper bot mentioned this pull request Apr 2, 2022

CI: K8sVerifier Runs the kernel verifier against Cilium's BPF datapath: terminating containers are not deleted after timeout #18895

Closed

pchaigno added the dont-merge/needs-rebase This PR needs to be rebased because it has merge conflicts. label Apr 4, 2022

vadorovsky force-pushed the fatal-ipv6 branch from dca5cc0 to eb61aba Compare April 14, 2022 12:50

vadorovsky force-pushed the fatal-ipv6 branch from eb61aba to a831fe6 Compare April 14, 2022 17:08

maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Apr 15, 2022

pchaigno removed the dont-merge/needs-rebase This PR needs to be rebased because it has merge conflicts. label Apr 15, 2022

tklauser merged commit 976e1c0 into cilium:master Apr 19, 2022

tklauser mentioned this pull request Apr 19, 2022

v1.11 backports 2022-04-19 #19481

Merged

tklauser added backport-pending/1.11 backport-done/1.11 The backport for Cilium 1.11.x for this PR is done. and removed needs-backport/1.11 labels Apr 19, 2022

aanm mentioned this pull request May 10, 2022

Prepare for release v1.11.5 #19756

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

iptables: Fatal when IPv6 is enabled but corresponding kernel modules are missing #18941

iptables: Fatal when IPv6 is enabled but corresponding kernel modules are missing #18941

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

This comment was marked as resolved.

Uh oh!

Uh oh!

Uh oh!

Uh oh!

iptables: Fatal when IPv6 is enabled but corresponding kernel modules are missing #18941

iptables: Fatal when IPv6 is enabled but corresponding kernel modules are missing #18941

Uh oh!

Conversation

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

This comment was marked as resolved.

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!