Iptables legacy

When I run a status check I get:

# tailscale status
# Health check:
#     - router: adding [-i tailscale0 -j MARK --set-mark 0x40000] in v4/filter/ts-forward: running [/usr/sbin/iptables -t filter -A ts-forward -i tailscale0 -j MARK --set-mark 0x40000 --wait]: exit status 2: iptables v1.8.4 (legacy): unknown option "--set-mark"

Do I need to upgrade iptables? What version added support for "--set-mark" (I can’t find it in their release notes)?

I got this from Tailscale support:

The fwmark kernel module is needed. sudo modprobe xt_mark will load it if it is present in /lib/modules. This message can also occur if you’ve upgraded the kernel, but not loaded the new version yet. A reboot may solve the problem.

# modprobe xt_mark
modprobe: FATAL: Module xt_mark not found in directory /lib/modules/5.4.148

It turned out we weren’t building xt_mark - I had to add CONFIG_NETFILTER_XT_MARK to our kernel build.
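
A check for the situation this thread ends with, added here as an example (not from the original posts or from Tailscale): it reads a kernel config file and reports whether CONFIG_NETFILTER_XT_MARK is built in, built as a module, or absent. The function names and the sample config are constructed for illustration, and the config locations /boot/config-$(uname -r) and /proc/config.gz are assumptions about the system.

```shell
#!/bin/sh
# Added example: classify CONFIG_NETFILTER_XT_MARK in a kernel config file.

# Prints "builtin" (=y), "module" (=m, needs xt_mark.ko under /lib/modules)
# or "missing" (option unset or absent, so iptables cannot use --set-mark).
xt_mark_config_state() {
    _cfg="$1"
    case "$_cfg" in
        *.gz) _reader="gzip -dc" ;;   # e.g. /proc/config.gz
        *)    _reader="cat" ;;
    esac
    # Take the last assignment; "# CONFIG_... is not set" lines do not match.
    _line=$($_reader "$_cfg" 2>/dev/null \
        | grep -E '^CONFIG_NETFILTER_XT_MARK=' | tail -n 1)
    case "$_line" in
        *=y) echo builtin ;;
        *=m) echo module ;;
        *)   echo missing ;;
    esac
}

# Locate the running kernel's config (assumed locations; not every
# distribution or embedded build ships either file).
find_kernel_config() {
    for f in "/boot/config-$(uname -r)" /proc/config.gz; do
        if [ -r "$f" ]; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

# Constructed sample resembling a build where xt_mark was left out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_NETFILTER_XTABLES=y
# CONFIG_NETFILTER_XT_MARK is not set
CONFIG_NETFILTER_XT_TARGET_MASQUERADE=m
EOF
echo "sample config: $(xt_mark_config_state "$sample")"
rm -f "$sample"

if kcfg=$(find_kernel_config); then
    echo "running kernel ($kcfg): $(xt_mark_config_state "$kcfg")"
else
    echo "no readable kernel config found; try: modprobe xt_mark"
fi
```

A result of "module" combined with the modprobe failure shown above points at a kernel/modules mismatch (for example an upgraded kernel that has not been booted yet) rather than a missing build option.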