
Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables



Package: linux
Version: 6.1.52-1
Severity: grave

Dear Maintainers,

linux-image-6.1.0-12-amd64 causes a serious regression in nftables. After upgrading one of my machines, nftables fails to start - leaving the system without an active firewall.

Doing
`nft -cf /etc/nftables.conf'
throws many "Operation not supported" errors on rulesets that have been in place for months without issues.

Just to give two simple examples from the log when nftables fails to start:
/etc/nftables.conf:99:4-44: Error: Could not process rule: Operation not supported
                        tcp option maxseg size 1-500 counter drop
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/etc/nftables.conf:308:4-27: Error: Could not process rule: Operation not supported
                        tcp dport sip-tls accept
                        ^^^^^^^^^^^^^^^^^^^^^^^^

Downgrading to linux-image-6.1.0-11-amd64 resolves the issue.

Notes: I'm running a local rebuild of linux-image-amd64 with a few additional symbols enabled. But since these symbols are totally unrelated to the netfilter subsystem and there are no changes to the source itself, I'm certain this affects the original Debian build as well. Whether it only affects certain architectures or rulesets, I can't say, though.

I'm cc'ing debian-security@debian.org because the update came via the stable-security channel.


Thanks and regards,

Timo
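As an added example that is not part of the bug report: a small POSIX shell helper that turns the `nft -c -f` error output quoted above into a machine-readable list of rejected rules, so a post-upgrade check can count what the running kernel refused before the firewall service is started. The sample input is constructed from the two error excerpts in the report; the output format assumed is the one shown there.

```shell
#!/bin/sh
# Constructed sample of `nft -c -f /etc/nftables.conf` stderr, copied from the
# two excerpts in the report above (not captured from a live system).
SAMPLE_NFT_ERRORS='/etc/nftables.conf:99:4-44: Error: Could not process rule: Operation not supported
                        tcp option maxseg size 1-500 counter drop
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/etc/nftables.conf:308:4-27: Error: Could not process rule: Operation not supported
                        tcp dport sip-tls accept
                        ^^^^^^^^^^^^^^^^^^^^^^^^'

# Read nft error output on stdin and print one tab-separated line per
# rejected rule: "<config line>\t<error message>\t<rule text>".
# nft prints the location/message line first, then the offending rule,
# then a line of carets; the caret line is simply not matched and dropped.
nft_failed_rules() {
    awk '
        /^[^ \t]+:[0-9]+:[0-9]+-[0-9]+: Error: / {
            split($0, parts, ":")        # parts[2] is the config line number
            line = parts[2]
            msg = $0
            sub(/^[^ ]*: Error: /, "", msg)
            getline rule                 # next line holds the rule text
            sub(/^[ \t]+/, "", rule)
            printf "%s\t%s\t%s\n", line, msg, rule
        }
    '
}

# Number of rules the running kernel rejected (0 means the ruleset loads).
nft_failed_count() {
    nft_failed_rules | wc -l | tr -d " "
}

# Real-world use (hypothetical wrapper): run the dry-run check against the
# running kernel and report rejected rules; exits non-zero if any were found.
check_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 2; }
    failed=$(nft -c -f "${1:-/etc/nftables.conf}" 2>&1 | nft_failed_rules)
    [ -z "$failed" ] && return 0
    printf '%s\n' "$failed" >&2
    return 1
}

# Demo on the constructed sample: prints the two rejected rules from the report.
printf '%s\n' "$SAMPLE_NFT_ERRORS" | nft_failed_rules
```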

