Bug#1090183: nftables connection tracking fails after kernel update to 6.1.119-1
Package: linux-image-6.1.0-28-amd64
Version: 6.1.119-1
Severity: important
After upgrading from linux-image-6.1.0-27-amd64 to linux-image-6.1.0-28-amd64, nftables connection tracking ('ct state') functionality stopped working. The issue appears to be related to recent netfilter security patches.
Steps to reproduce:
1. Update kernel to 6.1.119-1
2. Reboot system
3. Attempt to use nftables rules with 'ct state'
Current behavior:
- Error message: "could not process rule: No such file or directory"
- nftables rules using 'ct state' fail to load
- Basic firewall functionality without connection tracking works
Expected behavior:
- nftables rules with 'ct state' should load and function properly
- Connection tracking should work as it did in previous kernel version
System information:
- Debian 12 (bookworm)
- Previous kernel: linux-image-6.1.0-27-amd64 (6.1.115-1)
- Current kernel: linux-image-6.1.0-28-amd64 (6.1.119-1)
- nftables version: 1.0.6
Related changes in current version:
- Security fixes for netfilter IPv6 (use-after-free in ip6table_nat)
- Changes to nf_reject_ipv6 TCP header handling
nf_conntrack and related modules are loaded:
[output of lsmod | grep -E 'nf_|netfilter|nft']
Additional notes:
- System has module loading disabled (kernel.modules_disabled=1)
- Required modules are preloaded in initramfs
- Configuration worked correctly in previous kernel version
Proposed temporary solution:
Reverting to linux-image-6.1.0-27-amd64 restores functionality.
Please advise on proper configuration for connection tracking with the new security patches, or confirm if this is a regression that needs to be addressed.
This report has been co-authored with AI support.
Kind regards,
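A diagnostic script a reader might run before filing or triaging a report like the one above, as an added example that is not part of the bug report or of Debian's tooling. It assumes the kernel module names nf_conntrack and nft_ct (nft_ct backs the `ct` expression in nftables), that `nft -f -` reads a ruleset from standard input, and that the live probe runs as root; the lsmod excerpt and error message embedded below are constructed, not taken from the report. With kernel.modules_disabled=1 a module that is not already loaded cannot be autoloaded when a rule first needs it, and nftables reports that as the same "No such file or directory", so the script separates that packaging or initramfs case from the one the reporter describes, where the modules are present and the error still occurs.

```shell
#!/bin/sh
# Added diagnostic for 'ct state' load failures (example, not part of the report).
# Assumption: these modules are what a 'ct state' rule needs at load time.
REQUIRED_MODULES="nf_conntrack nft_ct"

# missing_modules LSMOD_TEXT
# Prints the required modules absent from the first column of the given lsmod output.
missing_modules() {
    lsmod_text="$1"
    missing=""
    for m in $REQUIRED_MODULES; do
        if ! printf '%s\n' "$lsmod_text" | awk '{print $1}' | grep -qx "$m"; then
            missing="$missing $m"
        fi
    done
    printf '%s' "${missing# }"
}

# classify_nft_error MESSAGE
# "ok" for no error, "enoent" for the exact failure quoted in the report, "other" otherwise.
classify_nft_error() {
    case "$1" in
        "") printf 'ok' ;;
        *"No such file or directory"*) printf 'enoent' ;;
        *) printf 'other' ;;
    esac
}

# diagnose LSMOD_TEXT NFT_ERROR
# Combines both checks into a verdict worth pasting into a bug report:
#   ct-state-ok                  rule loaded
#   missing-modules:<names>      ENOENT explained by modules that are not loaded
#   enoent-with-modules-loaded   the situation the reporter describes
#   other-error                  some other nft failure, read the message
diagnose() {
    miss=$(missing_modules "$1")
    kind=$(classify_nft_error "$2")
    if [ "$kind" = "ok" ]; then
        printf 'ct-state-ok'
    elif [ -n "$miss" ]; then
        printf 'missing-modules:%s' "$miss"
    elif [ "$kind" = "enoent" ]; then
        printf 'enoent-with-modules-loaded'
    else
        printf 'other-error'
    fi
}

# ct_state_probe
# Loads a throwaway table with one 'ct state' rule and prints nft's stderr (empty on success).
# Uses its own table so the existing ruleset is untouched, then deletes it. Needs root.
ct_state_probe() {
    tbl="probe_ct_$$"
    err=$(printf 'table inet %s {\n chain c {\n type filter hook input priority 0; policy accept;\n ct state established,related accept\n }\n}\n' "$tbl" \
          | nft -f - 2>&1 >/dev/null)
    nft delete table inet "$tbl" 2>/dev/null
    printf '%s' "$err"
}

# Constructed lsmod excerpt for a stand-alone run: nf_conntrack present, nft_ct absent.
SAMPLE_LSMOD='Module                  Size  Used by
nf_conntrack          188416  1 nf_nat
nf_tables             311296  0
nfnetlink              20480  1 nf_tables'

# Constructed error line in the shape nft prints for the report's failure.
SAMPLE_ERR='/etc/nftables.conf:5:9-38: Error: Could not process rule: No such file or directory'

# Live mode: ./ctcheck.sh --probe  (as root) runs the real probe against this kernel.
# Without --probe only the constructed sample is evaluated, which needs no privileges.
if [ "${1:-}" = "--probe" ]; then
    diagnose "$(lsmod)" "$(ct_state_probe)"
    echo
else
    diagnose "$SAMPLE_LSMOD" "$SAMPLE_ERR"
    echo
fi
```

On a machine showing the reporter's symptom, `--probe` printing `enoent-with-modules-loaded` is the useful data point: it rules out the initramfs and modules_disabled explanation and leaves the kernel change as the suspect, which is exactly the distinction a maintainer will ask about first.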