traefik's svc-lb fails to start due to nf_tables #13657

@IsaacNez

Environmental Info:
K3s Version:

k3s version v1.34.4+k3s1 (c6017918)
go version go1.24.12

Node(s) CPU architecture, OS, and Version:
Linux <host> 5.15.148-tegra #1 SMP PREEMPT Tue Jan 7 17:14:38 PST 2025 aarch64 aarch64 aarch64 GNU/Linux

Cluster Configuration:
1 node cluster

Describe the bug:
Consistent with this known issue, k3s' built-in traefik LoadBalancer fails to configure due to a problem with the nf_tables kernel module (my guess).

This Jetson Orin brings iptables 1.8.7 and the current version of k3s (via traefik) brings iptables v1.8.11. However, setting up iptables to function in legacy mode does not work since something in the startup process re-introduces the kernel module nf_tables, which causes traefik's svc-lb to crash as the nft mode is detected. This I discovered when I rmmod nf_tables, which caused the new installation to crash again.

To make the setup work as expected, I had to blacklist nf_tables and xtables-nft-multi. It is important to consider that I have tested this with and without --prefer-bundled-bin. This option does not seem to fix the problem at all. Maybe an update to the known issues might be feasible.

This problem is also possible to reproduce under RaspbianOS (Linux rasp-a 6.12.34+rpt-rpi-2712 #1 SMP PREEMPT Debian 1:6.12.34-1+rpt1~bookworm (2025-06-26) aarch64 GNU/Linux). Maybe it is an aarch64 problem?

Steps To Reproduce:

  • Get a Raspberry Pi 5 or Jetson Orin Nano Developer Kit
  • Set up iptables in legacy mode
  • nf_tables is installed in the system
  • Install K3s with curl -sfL https://get.k3s.io | sh -s - --prefer-bundled-bin --write-kubeconfig-mode=0644

Side steps

  • sudo rmmod nf_tables
  • curl -sfL https://get.k3s.io | sh -s - --write-kubeconfig-mode=0644 <- re-introduces nf_tables

Expected behavior:

  • If running with curl -sfL https://get.k3s.io | sh -s - --prefer-bundled-bin --write-kubeconfig-mode=0644, k3s should start up normally
  • curl -sfL https://get.k3s.io | sh -s - --write-kubeconfig-mode=0644 should respect having iptables in legacy mode rather than re-inserting nf_tables into the kernel
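
A host-side check for the state this report describes (iptables switched to legacy while the nf_tables module is loaded), as an added example that is not part of the original issue or of k3s. The function names and sample inputs are constructed; it assumes `iptables --version` prints its backend in parentheses and that /proc/modules lists one module per line.

```shell
#!/bin/sh
# Added diagnostic sketch (not k3s code). Sample inputs are constructed.

# Map `iptables --version` output to its backend: legacy | nf_tables | unknown.
backend_of() {
    case "$1" in
        *"(legacy)"*)    echo legacy ;;
        *"(nf_tables)"*) echo nf_tables ;;
        *)               echo unknown ;;
    esac
}

# Succeed only if module $1 appears as an exact name in /proc/modules text $2.
# Exact first-field matching avoids false hits on names such as nft_compat.
module_loaded() {
    printf '%s\n' "$2" | awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# Classify the host from the version string ($1) and /proc/modules text ($2).
diagnose() {
    backend=$(backend_of "$1")
    if module_loaded nf_tables "$2"; then loaded=yes; else loaded=no; fi
    case "$backend:$loaded" in
        legacy:yes)    echo mismatch ;;           # the state this report describes
        legacy:no)     echo consistent-legacy ;;
        nf_tables:yes) echo consistent-nft ;;
        nf_tables:no)  echo nft-module-absent ;;
        *)             echo unknown ;;
    esac
}

# Constructed /proc/modules excerpts.
SAMPLE_WITH_NFT='nft_compat 20480 4 - Live 0x0000000000000000
nf_tables 249856 1 nft_compat, Live 0x0000000000000000
x_tables 53248 2 nft_compat,ip_tables, Live 0x0000000000000000'
SAMPLE_WITHOUT_NFT='x_tables 53248 1 ip_tables, Live 0x0000000000000000
ip_tables 32768 0 - Live 0x0000000000000000'

if [ "${1:-}" = "--live" ]; then
    # Real host: read the current backend and loaded modules.
    diagnose "$(iptables --version 2>/dev/null)" "$(cat /proc/modules 2>/dev/null)"
else
    diagnose 'iptables v1.8.7 (legacy)' "$SAMPLE_WITH_NFT"
    diagnose 'iptables v1.8.7 (legacy)' "$SAMPLE_WITHOUT_NFT"
fi
```

Run it with `--live` on the node, before and after installing k3s, to see whether the module reappears while the host tooling is still in legacy mode.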
