Re: 6.6.57-stable regression: "netfilter: xtables: avoid NFPROTO_UNSPEC where needed" broke NFLOG on IPv6

[CCing Ilya and the regression list, as it should be in the loop for
regressions: https://docs.kernel.org/admin-guide/reporting-regressions.html]

> Hi,
> 
> After upgrading to 6.6.57 I noticed that my IPv6 firewall config failed to load.
> 
> Quick investigation flagged NFLOG to be the issue:
> 
> # ip6tables -I INPUT -j NFLOG
> Warning: Extension NFLOG revision 0 not supported, missing kernel module?
> ip6tables: No chain/target/match by that name.
> 
> The regression is caused by the following commit:
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit/?h=linux-6.6.y&id=997f67d813ce0cf5eb3cdb8f124da68141e91b6c

Not my area of expertise, but from a quick look it seems to be a known
problem due to some typos and people are working on a fix here:

https://lore.kernel.org/all/20241019-xtables-typos-v3-1-66dd2eaacf2f@xxxxxxxx/

Ciao, Thorsten

> More precisely, the bug is in the change below:
> 
> +#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
> +	{
> +		.name       = "NFLOG",
> +		.revision   = 0,
> +		.family     = NFPROTO_IPV4,
> +		.checkentry = nflog_tg_check,
> +		.destroy    = nflog_tg_destroy,
> +		.target     = nflog_tg,
> +		.targetsize = sizeof(struct xt_nflog_info),
> +		.me         = THIS_MODULE,
> +	},
> +#endif
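
Review bot: `.family` is `NFPROTO_IPV4` in an entry that sits under `#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)`, so the block that is only built for IPv6 tables registers NFLOG revision 0 for IPv4 and nothing in it covers IPv6, which matches the ip6tables error reported above. The line should read `.family = NFPROTO_IPV6,`.
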
> 
> Replacing NFPROTO_IPV4 with NFPROTO_IPV6 fixed the issue.
> 
> Looking at the commit, it seems that at least one more target (MARK) may be also impacted:
> 
> +#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
> +	{
> +		.name           = "MARK",
> +		.revision       = 2,
> +		.family         = NFPROTO_IPV4,
> +		.target         = mark_tg,
> +		.targetsize     = sizeof(struct xt_mark_tginfo2),
> +		.me             = THIS_MODULE,
> +	},
> +#endif
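
Review bot: same mismatch in the MARK revision 2 entry, where `.family = NFPROTO_IPV4` appears under the `CONFIG_IP6_NF_IPTABLES` guard. It should be `NFPROTO_IPV6`, and every other entry the commit adds under this guard deserves the same check, since the two quoted hunks share the slip.
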
> 
> The same errors seem to be present in the main tree:
>  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0bfcb7b71e735560077a42847f69597ec7dcc326
> 
> I also suspect other -stable trees may be impacted by the same issue.
> 
> Best regards,
>  Krzysztof Olędzki
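
Added example (not part of the original messages and not kernel or netfilter project code): a small source check for the copy-paste error described in this thread, flagging initializers inside an `#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)` block whose `.family` is not `NFPROTO_IPV6`. The array `sample_tg_reg`, the function `find_family_mismatches`, and the assumption that `.name` and `.revision` precede `.family` in each entry are illustrative.

```python
import re

# Constructed sample modelled on the two hunks quoted in the thread, plus one
# unguarded IPv4 entry; it is not a copy of any kernel source file.
SAMPLE = """\
static struct xt_target sample_tg_reg[] = {
	{
		.name     = "NFLOG",
		.revision = 0,
		.family   = NFPROTO_IPV4,
	},
#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
	{
		.name     = "NFLOG",
		.revision = 0,
		.family   = NFPROTO_IPV4,
	},
	{
		.name     = "MARK",
		.revision = 2,
		.family   = NFPROTO_IPV4,
	},
#endif
};
"""

GUARD = re.compile(r"#\s*if\s+IS_ENABLED\(CONFIG_IP6_NF_IPTABLES\)")
FIELD = re.compile(r"\.(name|revision|family)\s*=\s*\"?(\w+)\"?")

def find_family_mismatches(source):
    """List (line, name, revision, family) for guarded entries not set to NFPROTO_IPV6."""
    out, depth, guard_depth, entry = [], 0, None, {}
    for n, s in enumerate(map(str.strip, source.splitlines()), 1):
        if re.match(r"#\s*if", s):              # #if, #ifdef, #ifndef
            depth += 1
            if guard_depth is None and GUARD.match(s):
                guard_depth = depth
        elif re.match(r"#\s*(else|elif|endif)", s):
            if guard_depth == depth:            # leaving the IPv6-only region
                guard_depth = None
            if "endif" in s:
                depth -= 1
        elif s.startswith("{"):
            entry = {}                          # a new initializer begins
        elif (m := FIELD.match(s)):
            entry[m[1]] = m[2]
            if m[1] == "family" and guard_depth and m[2] != "NFPROTO_IPV6":
                out.append((n, entry.get("name"), entry.get("revision"), m[2]))
    return out
```

Run over the constructed sample, it reports the guarded NFLOG and MARK entries and leaves the unguarded IPv4 entry alone.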




