[hyke]

kernel 6.17 introduced a new option [code]CONFIG_NETFILTER_XTABLES_LEGACY[/code]. When it's not enabled, it will turn off the old options for IPTABLES_LEGACY.

This is a problem because the archlinux base install includes [code]iptables[/code] (i.e. "iptables-legacy") which relies on the legacy interface from the kernel.

One way to overcome this compatibility problem is to install [code]iptables-nft[/code] instead.
Another option is to enable the new [code]CONFIG_NETFILTER_XTABLES_LEGACY[/code] in the kernel package so the legacy IPTABLES_LEGACY options remain enabled.

@graysky2, should we just keep supporting the IPTABLES_LEGACY so users don't have to switch over to iptables-nft?

[graysky]

Let's see what Arch upstream does when 6.17 goes gold. For now I enabled it and the corresponding modules, see:make_clickable_callback(MAGIC_URL_FULL, ' ', 'https://github.com/archlinuxarm/PKGBUILDs/commit/38633d2ad82975f57c87eaba6900241bd9513d07', '', ' class="postlink"')

[hyke]

Looks like Arch upstream is enabling the new config for 6.17
make_clickable_callback(MAGIC_URL_FULL, '
', 'https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/commit/46c65b3f38ffaee2caf38255e81a0f611d6ed3a7#dfba7aade0868074c2861c98e2a9a92f3178a51b_1559_1569', '', ' class="postlink"')

[graysky]

6.17-2 incorporates these settings

[hyke]

Turns out a few of the other IPTABLES config options got turned off in linux-aarch64

git diff 2d457c4a986dddfa245db537f0a0fb88ac4aa2cb~:core/linux-aarch64/config master:core/linux-aarch64/config

docker will complain about
iptables v1.8.11 (legacy): can't initialize iptables table `raw': Table does not exist (do you need to insmod?)

[graysky]

This can happen on major refreshes. Please submit a PR if you know which options got kicked as a function of the config refresh.

[amhairghin]

Take note that linux-armv7 6.17.3-1 has same problem:

[code]
Oct 26 14:07:10 portex iptables-restore[300]: modprobe: FATAL: Module ip_tables not found in directory /lib/modules/6.17.3-1-armv7-ARCH
Oct 26 14:07:10 portex iptables-restore[298]: iptables-restore v1.8.11 (legacy): iptables-restore: unable to initialize table 'filter'
Oct 26 14:07:10 portex iptables-restore[298]: Error occurred at line: 2
Oct 26 14:07:10 portex iptables-restore[298]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[/code]

[graysky]

Linux-aarch64-rc is shipping the iptable family of modules. Have you tried modprobe?


./6.18.0-rc2-1-aarch64-rc-ARCH/kernel/net/ipv4/netfilter/iptable_security.ko
./6.18.0-rc2-1-aarch64-rc-ARCH/kernel/net/ipv4/netfilter/iptable_raw.ko
./6.18.0-rc2-1-aarch64-rc-ARCH/kernel/net/ipv4/netfilter/iptable_nat.ko
./6.18.0-rc2-1-aarch64-rc-ARCH/kernel/net/ipv4/netfilter/iptable_mangle.ko
./6.18.0-rc2-1-aarch64-rc-ARCH/kernel/net/ipv4/netfilter/iptable_filter.ko

[spookster]

For the time being I could get docker to stop complaining by creating folder:

>sudo mkdir -p /etc/systemd/system/docker.service.d<

And then create this file:

>/etc/systemd/system/docker.service.d/override.conf<

with this content:

>>>
[Service]
Environment="DOCKER_INSECURE_NO_IPTABLES_RAW=1"
<<<

Then:

>sudo systemctl daemon-reload<

>sudo systemctl restart docker<

Since I am only running locally, this should be fine.

[hyke]

Sorry, I meant there is a problem with linux-aarch64. I believe linux-aarch64-rc got restored.