Incompatibility with Linux 6.11.{4,5} and 6.6.{57,58} due to `ip6tables` error

[philiptaron]

What is the issue?

I updated to Linux 6.11.4 (on NixOS) and now tailscale status reports the following:

# Health check:
#     - adding [-i tailscale0 -j MARK --set-mark 0x40000/0xff0000] in v6/filter/ts-forward: running [/nix/store/zpl4wlvc9a4ziq7b6ccrpxzn5mwc3frn-iptables-1.8.10/bin/ip6tables -t filter -A ts-forward -i tailscale0 -j MARK --set-mark 0x40000/0xff0000 --wait]: exit status 2: Warning: Extension MARK revision 0 not supported, missing kernel module?
ip6tables v1.8.10 (nf_tables): MARK: bad value for option "--set-mark", or out of range (0-4294967295).

Try `ip6tables -h' or 'ip6tables --help' for more information.

As a result, many things don't work correctly, in particular MagicDNS.

Steps to reproduce

1. Make a NixOS system with kernel 6.11.4 (boot.kernelPackages = pkgs.linuxPackages_latest at time of issue filing). I assume other distros with 6.11.4 would also exhibit the issue, but I haven't checked myself.
2. Install and configure tailscale (services.tailscale.enable = true, tailscale up etc)
3. Run tailscale status

Observed:

# Health check:
#     - adding [-i tailscale0 -j MARK --set-mark 0x40000/0xff0000] in v6/filter/ts-forward: running [/nix/store/zpl4wlvc9a4ziq7b6ccrpxzn5mwc3frn-iptables-1.8.10/bin/ip6tables -t filter -A ts-forward -i tailscale0 -j MARK --set-mark 0x40000/0xff0000 --wait]: exit status 2: Warning: Extension MARK revision 0 not supported, missing kernel module?
ip6tables v1.8.10 (nf_tables): MARK: bad value for option "--set-mark", or out of range (0-4294967295).

Try `ip6tables -h' or 'ip6tables --help' for more information.

Expected: No health check warnings.

This was the case with 6.11.3.

Are there any recent changes that introduced the issue?

The changelog for kernel 6.11.4 lists the following commits to the netfilter code.

$ git log v6.11.3..v6.11.4 --oneline | grep netfilter
339dc6c7266c netfilter: fib: check correct rtable in vrf setups
4cdc55ec6222 netfilter: xtables: avoid NFPROTO_UNSPEC where needed
915717e0bb98 netfilter: br_netfilter: fix panic with metadata_dst skb
9f5c115077d3 netfilter: nf_reject: Fix build warning when CONFIG_BRIDGE_NETFILTER=n
a2c6c487ed9c netfilter: nf_nat: don't try nat source port reallocation for reverse dir clash

Of these revisions, netfilter: xtables: avoid NFPROTO_UNSPEC where needed has been confirmed to be the source of this issue.

OS

Linux

OS version

NixOS at revision 0fe3416c7f455a1e7ca6dec3c0b2d1e2cd30d4f6

Tailscale version

1.76.1

Other software

My full NixOS configuration is at https://github.com/philiptaron/flock.nix. There's nothing fancy there, though; it's mostly a stock NixOS configuration that has run Tailscale reliably until this kernel upgrade.

Bug report

BUG-a941a9d4060b13bb02ff199d2b96deac67ccf9b681a2dfc2f5ee5576fb062a46-20241019151759Z-9ca281bdd508a563

[misuzu]

6.6.57 seems affected too

[raggi]

I guess we better move, even if this gets reverted just to avoid the trap. I believe some users have a light dependency on the number, I'd want to dig up some of those related bugs to refresh on the details - pretty sure they were here on the public tracker

[CoolnsX]

Happening the same for me in Arch Linux on same kernel.
This made the route advertising not working properly

[christian-heusel]

This is caused by 0bfcb7b71e73 ("netfilter: xtables: avoid NFPROTO_UNSPEC where needed") and a fix is already in the works: https://lore.kernel.org/all/20241019-xtables-typos-v2-1-6b8b1735dc8e@0upti.me/

For now downgrading the kernel or patching it with the above should fix the issue, although I'd expect the issue to be fixed with the next stable kernel 😊

[philiptaron]

Thanks for the pointer, Christian (@christian-heusel). I applied the latest version of that patch and I can also confirm that it fixes this issue.

[mweinelt]

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20241020124951.180350-1-pablo@netfilter.org/ is the most likely patch to land.

[crepererum]

For Arch Linux users: rolling back from kernel 6.11.4 to 6.11.3 fixes the issue, e.g. via:

$ sudo pacman -U /var/cache/pacman/pkg/linux-6.11.3.arch1-1-x86_64.pkg.tar.zst /var/cache/pacman/pkg/linux-headers-6.11.3.arch1-1-x86_64.pkg.tar.zst

[Moelf]

on arch this is fixed with 6.11.4-arch2-1

[hummeltech]

This is also happening with linux-lts-6.6.57-1-x86_64.pkg.tar.zst :(

[CoolnsX]

on arch this is fixed with 6.11.4-arch2-1

yeah, was gonna reply myself, but u r fast

[philiptaron]

Linux 6.11.5 and Linux 6.6.58, released today, do not contain the needed fix.

On NixOS, @K900 has cherry-picked the fix into the NixOS 6.11.5 -- see the following PR:

• Kernel updates for 2024-10-22 NixOS/nixpkgs#350500.