We've had to: Revert "netfilter: xtables: avoid NFPROTO_UNSPEC where needed" https://android-review.googlesource.com/c/kernel/common/+/3305935/2 It seems the failure is (probably related to): ... E IptablesRestoreController: -A bw_INPUT -j MARK --or-mark 0x100000 ... E IptablesRestoreController: ------- ERROR ------- E IptablesRestoreController: Warning: Extension MARK revision 0 not supported, missing kernel module? E IptablesRestoreController: ip6tables-restore v1.8.10 (legacy): MARK target: kernel too old for --or-mark E IptablesRestoreController: Error occurred at line: 27 But, I don't see an obvious bug in the CL we had to revert...
