
Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables



Control: tags -1 + moreinfo

Hi

On Sun, Sep 10, 2023 at 10:38:45AM +0200, Timo Sigurdsson wrote:
> Package: linux
> Version: 6.1.52-1
> Severity: grave
> 
> Dear Maintainers,
> 
> linux-image-6.1.0-12-amd64 causes a serious regression in nftables.
> After upgrading one of my machines, nftables fails to start -
> leaving the system without an active firewall.
> 
> Doing
> `nft -cf /etc/nftables.conf'
> throws many "Operation not supported" errors on rulesets that have been in place for months without issues.
> 
> Just to give two simple examples from the log when nftables fails to start:
> /etc/nftables.conf:99:4-44: Error: Could not process rule: Operation not supported
>                         tcp option maxseg size 1-500 counter drop
>                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> /etc/nftables.conf:308:4-27: Error: Could not process rule: Operation not supported
>                         tcp dport sip-tls accept
>                         ^^^^^^^^^^^^^^^^^^^^^^^^
> 
> Downgrading to linux-image-6.1.0-11-amd64 resolves the issue.
> 
> Notes: I'm running a local rebuild of linux-image-amd64 with a few
> additional symbols enabled. But since these symbols are totally
> unrelated to the netfilter subsystem and there are no changes to the
> source itself, I'm certain, this affects the original Debian build
> as well. Whether it only affects certain architectures or rulesets,
> I can't say, though.
> 
> I'm cc'ing debian-security@debian.org because the update came via
> the stable-security channel.

This is definitively not 'grave' but I keep it for the time being at
RC level; it might be adjusted later.

Would it be possible to provide a minimal set of rules triggering the
issue? Can you reproduce the issue with the official build?

Regards,
Salvatore
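The two rejected rules quoted in the report, as an added example that is not part of this thread: a small POSIX shell check an administrator can run after booting a new kernel, so that a ruleset the kernel no longer accepts is noticed before the host is left without a firewall. It dry-runs the file with `nft -c -f` (the same check the reporter ran) and lists each rejected rule by line number, parsing the error format shown above. The function names `rejected_rules` and `check_ruleset` and the sample output embedded in the script are assumptions of this example, not tools shipped by Debian or nftables.

```shell
#!/bin/sh
# Added example (not from the bug thread). Dry-run an nftables ruleset
# against the running kernel and list every rule it rejects.

# Constructed sample: the two error messages quoted in the bug report,
# in the layout `nft -c -f` prints them (error line, rule line, caret line).
SAMPLE_NFT_OUTPUT='/etc/nftables.conf:99:4-44: Error: Could not process rule: Operation not supported
                        tcp option maxseg size 1-500 counter drop
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/etc/nftables.conf:308:4-27: Error: Could not process rule: Operation not supported
                        tcp dport sip-tls accept
                        ^^^^^^^^^^^^^^^^^^^^^^^^'

# Read `nft -c -f` output on stdin and print one line per rejected rule:
#   line <N>: <rule text> (<error text>)
# The rule text is the line nft prints directly after each "Error:" line.
rejected_rules() {
    awk '
        /^.*:[0-9]+:[0-9]+-[0-9]+: Error: / {
            split($0, parts, ":")          # parts[2] is the file line number
            lineno = parts[2]
            sub(/^.*: Error: /, "", $0)    # keep only the error text
            err = $0
            if (getline rule > 0) {        # next record is the offending rule
                sub(/^[ \t]+/, "", rule)
                sub(/[ \t]+$/, "", rule)
                printf "line %s: %s (%s)\n", lineno, rule, err
            }
        }
    '
}

# Dry-run a ruleset file (default /etc/nftables.conf) on the running kernel.
# Exit status: 0 accepted, 1 at least one rule rejected, 2 nft not available.
check_ruleset() {
    file="${1:-/etc/nftables.conf}"
    command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 2; }
    out=$(nft -c -f "$file" 2>&1)
    status=$?
    if [ "$status" -ne 0 ]; then
        echo "ruleset $file rejected by kernel $(uname -r):" >&2
        printf '%s\n' "$out" | rejected_rules
        return 1
    fi
    echo "ruleset $file accepted by kernel $(uname -r)"
}

# Show the parser on the constructed sample (no nft needed).
demo() {
    printf '%s\n' "$SAMPLE_NFT_OUTPUT" | rejected_rules
}
```

After booting the new kernel, `check_ruleset /etc/nftables.conf` returns 1 and names the rejected rules; since `nft -c` validates against the kernel that is currently running, the check only tells you about the kernel you booted, not the one you are about to boot. `demo` runs the parser over the sample output alone, which is useful for confirming the format before relying on it in a boot-time health check.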

