Kernel config to support iptables --notrack

I’m having some fun trying to run Kubernetes (1.21.1) with Cilium (v1.11.4) on and I’m getting an error from the “cilium” DamonSet pod:

level=error msg="Command execution failed" cmd="[iptables -w 5 -t raw -A CILIUM_PRE_raw -m mark --mark 0x00000200/0x00000f00 -m comment --comment cilium: NOTRACK for proxy traffic -j CT --notrack]" error="exit status 2" subsys=iptables
level=warning msg="iptables v1.8.4 (legacy): unknown option \"--notrack\"" subsys=iptables

It looks like the Cilium code here is trying to use --notrack:

Looking at the kernel config I see:

$ zcat /proc/config.gz  | grep CONFIG_NETFILTER_XT_TARGET_NOTRACK

Would it be possible to recompile the kernel with CONFIG_NETFILTER_XT_TARGET_NOTRACK=y? :slight_smile:

Not a high-priority issue, I just think it would be super cool to be able to spin up a minimal Kubernetes cluster on for demos and stuff, and this looks like one of the last blockers I can see.

Thanks for considering this request!

1 Like

I have a similar issue using k3s. The multiport option cannot match because the kernel is not built with CONFIG_NETFILTER_XT_MATCH_MULTIPORT.

Any update on this issue? I also encountered this problem.

Solved the issue, thanks all.

Nice, but how?

The iptables rules installation on Cilium is optional, you can disable it but keep in mind that disabling the feature has a drawback, we can’t use L7 Proxy etc.

I also found another problem when trying to use VXLAN / GENEVE, so I dropped it and using --set tunnel=disabled .

Using Cilium Helm Chart, --set installIptablesRules=false --set l7Proxy=false should be able to cover up OP issue about the iptables installation.

1 Like