Problem:
k3s crashed with a fatal runtime panic whenever the management network interface (mgmt0-system) was deleted and recreated by NetworkManager during DNS configuration add/remove operations. The panic originated inside flannel's VXLAN backend, in a function introduced to handle VXLAN device recreation. The function unconditionally indexed into an IPv6 address slice that is never populated in IPv4-only deployments, causing an index out of range panic that brought down the entire k3s process.
2026-04-17T15:55:37.880037+00:00 appliance-1.chassis.local k3s[309230]: I0417 15:55:37.879956 309230 vxlan_network.go:143] Interface flannel.1 deleted
2026-04-17T15:55:37.880354+00:00 appliance-1.chassis.local k3s[309230]: I0417 15:55:37.880041 309230 vxlan_network.go:102] vxlan device missing, attempting to recreate...
2026-04-17T15:55:37.880864+00:00 appliance-1.chassis.local k3s[309230]: I0417 15:55:37.880853 309230 vxlan_network.go:167] external interface mgmt0-system not found, retrying in 1s
2026-04-17T15:55:38.884392+00:00 appliance-1.chassis.local k3s[309230]: panic: runtime error: index out of range [0] with length 0
2026-04-17T15:55:38.884392+00:00 appliance-1.chassis.local k3s[309230]: goroutine 93557 [running]:
2026-04-17T15:55:38.884392+00:00 appliance-1.chassis.local k3s[309230]: github.com/flannel-io/flannel/pkg/backend/vxlan.(*network).reCreateVxlan(0xc00fe54680, {0x81afc20, 0xc00087a780})
2026-04-17T15:55:38.884392+00:00 appliance-1.chassis.local k3s[309230]: #011/go/pkg/mod/github.com/flannel-io/flannel@v0.27.4/pkg/backend/vxlan/vxlan_network.go:217 +0xd7d
2026-04-17T15:55:38.884392+00:00 appliance-1.chassis.local k3s[309230]: github.com/flannel-io/flannel/pkg/backend/vxlan.(*network).Run.func3()
2026-04-17T15:55:38.884392+00:00 appliance-1.chassis.local k3s[309230]: #011/go/pkg/mod/github.com/flannel-io/flannel@v0.27.4/pkg/backend/vxlan/vxlan_network.go:106 +0x25
2026-04-17T15:55:38.884392+00:00 appliance-1.chassis.local k3s[309230]: created by github.com/flannel-io/flannel/pkg/backend/vxlan.(*network).Run in goroutine 15827
2026-04-17T15:55:38.884392+00:00 appliance-1.chassis.local k3s[309230]: #011/go/pkg/mod/github.com/flannel-io/flannel@v0.27.4/pkg/backend/vxlan/vxlan_network.go:105 +0x3b5
2026-04-17T15:55:38.967479+00:00 appliance-1.chassis.local systemd[1]: k3s.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
2026-04-17T15:55:38.967756+00:00 appliance-1.chassis.local systemd[1]: k3s.service: Failed with result 'exit-code'.
Background
flannel PR #2272 introduced reCreateVxlan() in pkg/backend/vxlan/vxlan_network.go. This function runs in a goroutine and handles the case where the external network interface is deleted and must be recreated. On this platform, the trigger is NetworkManager: when DNS configuration is added or removed, NetworkManager tears down and rebuilds the mgmt0-system interface, which flannel monitors as its external interface.
The Bug
Inside reCreateVxlan(), the function collects IPv4 and IPv6 addresses for the interface:
// IPv4 addresses — always collected
ifaceAddrs, err = ip.GetInterfaceIP4Addrs(extIface)
// IPv6 addresses — only collected when IPv6 is enabled
if config.EnableIPv6 {
    ifaceAddrsV6, err = ip.GetInterfaceIP6Addrs(extIface)
}
The IPv6 collection is correctly gated behind config.EnableIPv6. However, the subsequent call to create the VXLAN device indexed both slices unconditionally:
// BEFORE — panics on IPv4-only setups:
dev, v6Dev, err := createVXLANDevice(
    ctx, config, cfg, nw.subnetMgr,
    extIface.Index,
    ifaceAddrs[0],   // safe — always populated
    ifaceAddrsV6[0], // PANIC — empty when IPv6 is disabled
)
On an IPv4-only deployment, ifaceAddrsV6 is always nil / empty. Indexing ifaceAddrsV6[0] causes an immediate runtime panic.
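The failure mode described above, reduced to a self-contained Go program. This is an added example, not flannel's code and not the upstream fix. The names firstAddr, pickAddrs, unguarded and errNoAddr are hypothetical, and passing a nil IPv6 address when IPv6 is disabled is an assumption. It goes slightly beyond the page by length-checking the IPv4 slice as well.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

var errNoAddr = errors.New("no address on external interface")

// firstAddr returns addrs[0], or an error instead of panicking on an empty slice.
func firstAddr(addrs []net.IP, family string) (net.IP, error) {
	if len(addrs) == 0 {
		return nil, fmt.Errorf("%s: %w", family, errNoAddr)
	}
	return addrs[0], nil
}

// pickAddrs (hypothetical) selects the two address arguments for the device-creation
// call. The IPv6 slice is only touched under the same flag that gates its collection.
func pickAddrs(enableIPv6 bool, v4, v6 []net.IP) (net.IP, net.IP, error) {
	a4, err := firstAddr(v4, "ipv4")
	if err != nil {
		return nil, nil, err
	}
	var a6 net.IP // stays nil when IPv6 is disabled (assumption)
	if enableIPv6 {
		if a6, err = firstAddr(v6, "ipv6"); err != nil {
			return nil, nil, err
		}
	}
	return a4, a6, nil
}

// unguarded mirrors the BEFORE indexing; recover is used only to surface the panic here.
func unguarded(v4, v6 []net.IP) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered: %v", r)
		}
	}()
	_, _ = v4[0], v6[0]
	return nil
}

func main() {
	v4 := []net.IP{net.ParseIP("192.0.2.10")} // constructed sample address
	fmt.Println(unguarded(v4, nil))
	fmt.Println(pickAddrs(false, v4, nil))
}
```

With the guard in place, an interface that has not yet regained its address produces an error the caller can retry on, rather than a panic in a goroutine that terminates the whole process.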