Bug 2273078

Summary: Fedora ELN/CentOS 10: rootful containers fail to start: Extension MASQUERADE revision 0 not supported, missing kernel module?
Product: [Fedora] Fedora Reporter: Martin Pitt <mpitt>
Component: podmanAssignee: Lokesh Mandvekar <lsm5>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 42CC: bbaude, container-sig, debarshir, dwalsh, go-sig, jnovy, lsm5, mboddu, mheon, patrick, pholzing, santiago
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard: CockpitTest
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2025-03-03 13:14:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Martin Pitt 2024-04-03 21:39:56 UTC 
Note: this does *not* apply to rawhide (well, I didn't test it there), but to Fedora ELN. I just can't select ELN in the "Version:" field.

Starting any container as root immediately fails. User containers work.

# podman run  -it --rm  quay.io/libpod/busybox
Error: netavark: unable to append rule '! -d 224.0.0.0/4 -j MASQUERADE' to table 'nat': code: 4, msg: Warning: Extension MASQUERADE revision 0 not supported, missing kernel module?
iptables v1.8.10 (nf_tables):  RULE_APPEND failed (No such file or directory): rule in chain NETAVARK-1D8721804F16F

The particular container image doesn't matter, happens with any.

Current Fedora 39's kernel-modules-core-6.7.9-200.fc39.x86_64 does ship kernel/net/netfilter/xt_MASQUERADE.ko.xz, but this doesn't exist any more in ELN's kernel-modules-core-6.9.0-0.rc2.23.eln136.x86_64. That however has kernel/net/netfilter/nft_masq.ko.xz.

So this smells like that kernel has finally deprecated xtables and only supports nft? And podman/netavark (please reassign as appropriate) needs to use that?


Reproducible: Always

Steps to Reproduce:
As root:

podman run  -it --rm  quay.io/libpod/busybox
Comment 1 Matthew Heon 2024-04-04 12:21:22 UTC 
Can you set an environment variable, `NETAVARK_FW=nftables`, and retest to verify that nftables is still working?

We can throw the default over to nftables in Rawhide and ELN if this does turn out to be a removal.
Comment 2 Paul Holzinger 2024-04-04 13:25:18 UTC 
Note with podman 5 you can set firewall_driver = "nftables" in containers.conf (does the same thing as the env var)

My understanding is that RHEL 10 drops support for iptables-nft compat layer so this is likely why it stopped working. We will need to default to nftables for RHEL 10, AFAIK fedora still support iptables so this is not a problem there.
Of course in the long term we also want default to nftables elsewhere as it offers much better usability, however switching the default is not trivial because on running systems with configured rules things would start failing if we just change the driver that is used. A reboot would fix this but for most people that would not be desirable at all.

I think in the short term we must make the default configurable at netavark build time so that we can at least fix it for the RHEL/Centos 10 builds.
Comment 3 Martin Pitt 2024-04-04 14:18:38 UTC 
`NETAVARK_FW=nftables podman run` works indeed.

Setting it in the config also works:

  printf  '[network]\nfirewall_driver = "nftables"\n' > /etc/containers/containers.conf
Comment 4 Martin Pitt 2024-04-15 09:26:59 UTC 
You already mentioned it, but for the record: this happens in CentOS 10 as well: https://artifacts.dev.testing-farm.io/c94eb87a-15af-48d9-aa4a-9ae55dcf0bd1/
Comment 5 Fedora Admin user for bugzilla script actions 2024-05-30 01:56:06 UTC 
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Comment 6 Aoife Moloney 2025-02-26 13:00:41 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora Linux 42 development cycle.
Changing version to 42.
Comment 7 Lokesh Mandvekar 2025-03-03 13:09:18 UTC 
@mpitt Is this still an issue?
Comment 8 Paul Holzinger 2025-03-03 13:14:16 UTC 
This was fixed in f41 and newer (and also Centos/RHEL 10) as we switched the default to nftables there
https://fedoraproject.org/wiki/Changes/NetavarkNftablesDefault