Kernel config to support iptables --notrack

grosskur · May 14, 2022, 6:15am

I’m having some fun trying to run Kubernetes (1.21.1) with Cilium (v1.11.4) on fly.io and I’m getting an error from the “cilium” DamonSet pod:

level=error msg="Command execution failed" cmd="[iptables -w 5 -t raw -A CILIUM_PRE_raw -m mark --mark 0x00000200/0x00000f00 -m comment --comment cilium: NOTRACK for proxy traffic -j CT --notrack]" error="exit status 2" subsys=iptables
level=warning msg="iptables v1.8.4 (legacy): unknown option \"--notrack\"" subsys=iptables

It looks like the Cilium code here is trying to use --notrack:

github.com

cilium/cilium/blob/v1.11.4/pkg/datapath/iptables/iptables.go#L613

      
        
            	matchProxyReply := fmt.Sprintf("%#08x/%#08x", linux_defaults.MagicMarkIsProxy, linux_defaults.MagicMarkProxyNoIDMask)
            
            
	var err error
            	if option.Config.EnableIPv4 {
            		// No conntrack for traffic to proxy
            		err = ip4tables.runProg([]string{
            			"-t", "raw",
            			"-A", ciliumPreRawChain,
            			"-m", "mark", "--mark", matchToProxy,
            			"-m", "comment", "--comment", "cilium: NOTRACK for proxy traffic",
            			"-j", "CT", "--notrack"}, false)
            		if err == nil {
            			// Explicit ACCEPT for the proxy traffic. Needed when the INPUT defaults to DROP.
            			// Matching needs to be the same as for the NOTRACK rule above.
            			err = ip4tables.runProg([]string{
            				"-t", "filter",
            				"-A", ciliumInputChain,
            				"-m", "mark", "--mark", matchToProxy,
            				"-m", "comment", "--comment", "cilium: ACCEPT for proxy traffic",
            				"-j", "ACCEPT"}, false)
            		}

Looking at the kernel config I see:

$ zcat /proc/config.gz  | grep CONFIG_NETFILTER_XT_TARGET_NOTRACK
CONFIG_NETFILTER_XT_TARGET_NOTRACK=m

Would it be possible to recompile the kernel with CONFIG_NETFILTER_XT_TARGET_NOTRACK=y?

Not a high-priority issue, I just think it would be super cool to be able to spin up a minimal Kubernetes cluster on fly.io for demos and stuff, and this looks like one of the last blockers I can see.

Thanks for considering this request!

twitchax · June 23, 2022, 10:36pm

I have a similar issue using k3s. The multiport option cannot match because the kernel is not built with CONFIG_NETFILTER_XT_MATCH_MULTIPORT.

ii64 · December 30, 2022, 12:27pm

Any update on this issue? I also encountered this problem.

ii64 · December 31, 2022, 5:27pm

Solved the issue, thanks all.

ignoramous · December 31, 2022, 7:12pm

Nice, but how?

ii64 · January 2, 2023, 11:28am

The iptables rules installation on Cilium is optional, you can disable it but keep in mind that disabling the feature has a drawback, we can’t use L7 Proxy etc.

I also found another problem when trying to use VXLAN / GENEVE, so I dropped it and using --set tunnel=disabled .

Using Cilium Helm Chart, --set installIptablesRules=false --set l7Proxy=false should be able to cover up OP issue about the iptables installation.

Topic		Replies	Views
Nftables support in the kernel	3	1603	October 11, 2022
Kernel nftables support Fresh Produce	2	622	January 12, 2024
Runtime Linux Capabilities - running DSVPN as a fly app Questions / Help	4	402	April 16, 2021
Nftables support? Questions / Help	1	469	January 22, 2023
New Thing: connect your Fly org to Tailscale	8	3255	July 25, 2024

Kernel config to support iptables --notrack

Related topics