On OrbStack 7.0.11-orbstack-00360-gc9bc4d96ac70, CONFIG_NF_CONNTRACK is entirely absent from /proc/config.gz -- neither as CONFIG_NF_CONNTRACK=y nor as # CONFIG_NF_CONNTRACK is not set. However, the feature is clearly compiled in: options that have a hard Kconfig dependency on NF_CONNTRACK are present and set to y:

$ zcat /proc/config.gz | grep NF_CONNTRACK
CONFIG_NF_CONNTRACK_NETBIOS_NS=y

$ zcat /proc/config.gz | grep NF_CT_NETLINK
CONFIG_NF_CT_NETLINK=y

Both NF_CONNTRACK_NETBIOS_NS and NF_CT_NETLINK have depends on NF_CONNTRACK in upstream Kconfig, so the parent option must be compiled in. The upstream Kconfig (including orbstack/linux-macvirt) still defines NF_CONNTRACK as a normal tristate -- it has not been made unconditional -- so the absence from the config output appears to be a build configuration artifact.

Impact: Any tooling that reads /proc/config.gz to verify kernel capabilities will incorrectly conclude the feature is absent. Concretely, k0s worker (v1.35.1+k0s.1) runs a pre-flight check that reads this file and rejects the kernel:

level=error msg=Rejected pre-flight-check=os/NET/NETFILTER/NETFILTER_XTABLES property=unknown
Error: pre-flight checks failed, check out `k0s sysinfo`

The k0s worker then crash-loops indefinitely. The workaround is --ignore-pre-flight-checks, but this suppresses all checks rather than just this one.

Expected behaviour: zcat /proc/config.gz | grep CONFIG_NF_CONNTRACK returns CONFIG_NF_CONNTRACK=y.

Environment:

• OrbStack version: 2.2.1 (2020100)
• Kernel: 7.0.11-orbstack-00360-gc9bc4d96ac70
• Architecture: arm64 (Apple Silicon)