@kartikjoshi21
Contributor

Prepare the ISO kernels to support IPv6 Services using the legacy iptables/ip6tables backend.

x86_64:

  • Explicitly enable IPv6 (CONFIG_IPV6=y).
  • Enable IPv6 conntrack defragmentation (CONFIG_NF_DEFRAG_IPV6=m).
  • Enable IPv6 iptables raw and NAT support:
    • CONFIG_IP6_NF_RAW=m
    • CONFIG_IP6_NF_NAT=m
    • CONFIG_IP6_NF_TARGET_MASQUERADE=m

aarch64:

  • Enable IPv6 conntrack defragmentation (CONFIG_NF_DEFRAG_IPV6=m).
  • Enable IPv6 iptables raw table support (CONFIG_IP6_NF_RAW=m).

With these options, the ISO kernels provide the full legacy ip6tables stack (filter/mangle/raw/nat + MASQUERADE) needed by kube-proxy and Calico in iptables mode for IPv6 Services.
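
Added example (not part of the PR or of minikube's code): a shell check that reports which of the options listed in the description above are not enabled in a kernel config file. The function names, the constructed sample fragment, and the choice to accept either `y` or `m` as enabled are assumptions of this sketch.

```shell
#!/bin/sh
# Options named in the PR description, per architecture.
required_opts() {
    case "$1" in
        x86_64)
            echo "CONFIG_IPV6 CONFIG_NF_DEFRAG_IPV6 CONFIG_IP6_NF_RAW CONFIG_IP6_NF_NAT CONFIG_IP6_NF_TARGET_MASQUERADE" ;;
        aarch64)
            echo "CONFIG_NF_DEFRAG_IPV6 CONFIG_IP6_NF_RAW" ;;
        *)
            return 1 ;;
    esac
}

# Print each required option that is not set to y or m in the config file.
# Returns 0 when nothing is missing, 1 when something is, 2 on bad arguments.
missing_ipv6_opts() {
    arch=$1 config=$2
    opts=$(required_opts "$arch") || { echo "unknown arch: $arch" >&2; return 2; }
    [ -r "$config" ] || { echo "cannot read: $config" >&2; return 2; }
    status=0
    for opt in $opts; do
        # "# CONFIG_FOO is not set" lines and absent options both count as missing.
        if ! grep -Eq "^${opt}=[ym]\$" "$config"; then
            echo "$opt"
            status=1
        fi
    done
    return $status
}

# Constructed sample fragment (not a real minikube defconfig).
sample_config() {
    cat <<'EOF'
CONFIG_IPV6=y
CONFIG_NF_DEFRAG_IPV6=m
CONFIG_IP6_NF_RAW=m
# CONFIG_IP6_NF_NAT is not set
EOF
}

demo_cfg=$(mktemp)
sample_config > "$demo_cfg"
echo "x86_64 missing:";  missing_ipv6_opts x86_64  "$demo_cfg" || true
echo "aarch64 missing:"; missing_ipv6_opts aarch64 "$demo_cfg" || true
rm -f "$demo_cfg"
```

On a running node the same function can be pointed at a decompressed copy of /proc/config.gz, where the kernel was built with CONFIG_IKCONFIG_PROC.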

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Nov 17, 2025
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: kartikjoshi21
Once this PR has been reviewed and has the lgtm label, please assign prezha for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Nov 17, 2025
@k8s-ci-robot
Contributor

Hi @kartikjoshi21. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Nov 17, 2025
@minikube-bot
Collaborator

Can one of the admins verify this patch?

Prepare the ISO kernels to support IPv6 Services using the legacy
iptables/ip6tables backend.

x86_64:
- Explicitly enable IPv6 (CONFIG_IPV6=y).
- Enable IPv6 conntrack defragmentation
  (CONFIG_NF_DEFRAG_IPV6=m).
- Enable IPv6 iptables raw and NAT support:
  - CONFIG_IP6_NF_RAW=m
  - CONFIG_IP6_NF_NAT=m
  - CONFIG_IP6_NF_TARGET_MASQUERADE=m

aarch64:
- Enable IPv6 conntrack defragmentation
  (CONFIG_NF_DEFRAG_IPV6=m).
- Enable IPv6 iptables raw table support
  (CONFIG_IP6_NF_RAW=m).

With these options, the ISO kernels provide the full legacy
ip6tables stack (filter/mangle/raw/nat + MASQUERADE) needed by
kube-proxy and Calico in iptables mode for IPv6 Services.

Fixes: kubernetes#21878
Signed-off-by: Kartik Joshi <[email protected]>
@kartikjoshi21 kartikjoshi21 force-pushed the kartikjoshi21/ipv6-legacy-support branch from 0eb7c37 to 2259701 Compare November 17, 2025 12:14
@k8s-ci-robot k8s-ci-robot added the do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. label Nov 17, 2025
@kartikjoshi21
Contributor Author

Steps to test this PR

  1. Build the ISO image from the root of the directory: make minikube-iso-x86_64
PS C:\Users\kartikjoshi\headlamp-desktop\minikube> minikube ssh -- 'sudo sysctl -w net.ipv6.conf.all.disable_ipv6=0 net.ipv6.conf.default.disable_ipv6=0'
>> minikube ssh -- 'sysctl -n net.ipv6.conf.all.disable_ipv6 net.ipv6.conf.default.disable_ipv6'
>>
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
0
0
PS C:\Users\kartikjoshi\headlamp-desktop\minikube> minikube ssh -- 'for t in filter mangle raw nat; do printf "%s: " $t; sudo -n ip6tables -t $t -S >/dev/null 2>&1; echo $?; done'
>>
filter:0
mangle:0
raw:0
nat:0
PS C:\Users\kartikjoshi\headlamp-desktop\minikube> minikube ssh -- 'sysctl -n net.ipv6.conf.all.disable_ipv6; sysctl -n net.ipv6.conf.default.disable_ipv6'
>>
0
0
PS C:\Users\kartikjoshi\headlamp-desktop\minikube> minikube ssh -- 'sudo modprobe ip6_tables ip6table_filter ip6table_mangle ip6table_raw ip6table_nat nf_conntrack nf_nat || true'
>> minikube ssh -- 'for t in filter mangle raw nat; do printf "%s: " $t; sudo -n ip6tables -t $t -S >/dev/null 2>&1; echo $?; done'
filter:0
mangle:0
raw:0
nat:0

@medyagh
Member

medyagh commented Nov 19, 2025

/ok-to-build-iso


@medyagh medyagh left a comment

@kartikjoshi21 do you have an example of working with ipv6 with this ISO?

@minikube-bot
Collaborator

Hi @kartikjoshi21, we have updated your PR with the reference to newly built ISO. Pull the changes locally if you want to test with them or update your PR further.

@k8s-ci-robot
Contributor

Keywords which can automatically close issues and at(@) or hashtag(#) mentions are not allowed in commit messages.

The list of commits with invalid commit messages:

  • 2259701 iso: enable IPv6 iptables support in ISO kernels

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 20, 2025
@k8s-ci-robot
Contributor

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Nov 20, 2025
@kartikjoshi21
Contributor Author

@kartikjoshi21 do you have an example of working with ipv6 with this ISO?

Hi @medyagh, thank you for reviewing the PR. I have just tested if modules are present and ipv6 tables are enabled; test results can be seen here: #21910 (comment). For testing if ipv6 is working I will have to make changes to the hyperv driver to support ipv6, which can be added after this change is reviewed: #21630. Thanks

Labels

cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
