kernel-5.15: Add patch to fix IPv6 typo #266

Merged
merged 1 commit into from
Nov 15, 2024

@yeazelm yeazelm commented Nov 15, 2024

Issue number:

Closes # bottlerocket-os/bottlerocket#4295

Description of changes:
This patch fixes issues with ip6tables commands that fail due to a typo.

This is the type of error that can come up:

exit status 2: ip6tables-restore v1.8.4 (legacy): unknown option "--xor-mark"

Testing done:
Nodes using the current 5.15 kernel fail to become ready when ip6tables-restore fails, but with this patch they come up fine and there is no longer the error.

Current 1.26.2 node when running in an IPv6 subnet:

bash-5.1# journalctl | grep ip6tables
Nov 15 02:19:43 ip-192-168-93-220.us-west-2.compute.internal kubelet[1387]:         ip6tables v1.8.10 (legacy): MARK target: kernel too old for --or-mark
Nov 15 02:19:43 ip-192-168-93-220.us-west-2.compute.internal kubelet[1387]:         Try `ip6tables -h' or 'ip6tables --help' for more information.

With the patch:

bash-5.1# journalctl | grep ip6tables
bash-5.1#

Also booted with IPv4 instead of IPv6 and the node worked as expected.

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

@Sparksssj Sparksssj left a comment

Looks good to me!

bcressey previously approved these changes Nov 15, 2024
@bcressey bcressey dismissed their stale review November 15, 2024 03:26

Changed my mind

@bcressey

This doesn't match the 5.15 backport.

@yeazelm
yeazelm commented Nov 15, 2024

> This doesn't match the 5.15 backport.

Our tree already had this change:
net/netfilter/xt_TRACE.c

 32 static struct xt_target trace_tg_reg[] __read_mostly = {
 33   {
 34     .name   = "TRACE",
 35     .revision = 0,
 36     .family   = NFPROTO_IPV4,
 37     .table    = "raw",
 38     .target   = trace_tg,
 39     .checkentry = trace_tg_check,
 40     .destroy  = trace_tg_destroy,
 41     .me       = THIS_MODULE,
 42   },
 43 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
 44   {
 45     .name   = "TRACE",
 46     .revision = 0,
 47     .family   = NFPROTO_IPV6,
 48     .table    = "raw",
 49     .target   = trace_tg,
 50     .checkentry = trace_tg_check,
 51     .destroy  = trace_tg_destroy,
 52   },
 53 #endif
 54 };

The lines are different but the .me line is there in the correct function.

@bcressey

It's hard to tell from the context but the ".me" field looks like it needs to be added at the end of the IPv6 fields.

This patch fixes issues with ip6tables commands that fail due to a typo.

This is the type of error that can come up:
exit status 2: ip6tables-restore v1.8.4 (legacy): unknown option "--xor-mark"

Signed-off-by: Matthew Yeazel <yeazelm@amazon.com>
@yeazelm

yeazelm commented Nov 15, 2024

^ Thanks @bcressey for the prompting, I somehow messed up this chunk the first time I applied it but this time it got it working. Pushed a new patch with the full 3 hunks.

@Sparksssj Sparksssj merged commit 8767583 into bottlerocket-os:develop Nov 15, 2024
2 checks passed
@yeazelm yeazelm deleted the fix_ipv6 branch November 15, 2024 15:33
@stevo-f3

Same issue is affecting kube-proxy on Amazon Linux 2 EKS AMI based nodes, with kernel 5.15.168-114.166.amzn2.x86_64. Last known working kernel version is 5.15.167-112.166.amzn2. Would it make sense to report issue to AL2 kernel team and have issue patched/fixed there instead?

@yeazelm

yeazelm commented Nov 22, 2024

Hello @stevo-f3! We have reported this to Amazon Linux and they are tracking a fix for their 5.15 kernel as well, we decided to take this fix now and get a release out to fix it while Amazon Linux worked in parallel. Once we ingest the next kernel with the fix, we'll pull this patch out of our builds.
