Bug#1090183: marked as done (nftables connection tracking fails after kernel update to 6.1.119-1)

Your message dated Tue, 17 Dec 2024 07:30:54 +0100 with message-id <Z2Eani5LO99P2Stt@eldamar.lan> and subject line Re: Bug#1090183: nftables connection tracking fails after kernel update to 6.1.119-1 has caused the Debian Bug report #1090183, regarding nftables connection tracking fails after kernel update to 6.1.119-1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 1090183: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1090183 Debian Bug Tracking System Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: submit@bugs.debian.org
Subject: nftables connection tracking fails after kernel update to 6.1.119-1
From: Tibor <oomtig@gmail.com>
Date: Mon, 16 Dec 2024 14:43:47 +0000
Message-id: <[🔎] CAORh9ZEFKOPbkSvg_MjTurDnmt_XNVMU6GpR6R8Txxhi2Wxrww@mail.gmail.com>

Package: linux-image-6.1.0-28-amd64
Version: 6.1.119-1
Severity: important

After upgrading from linux-image-6.1.0-27-amd64 to linux-image-6.1.0-28-amd64, nftables connection tracking ('ct state') functionality stopped working. The issue appears to be related to recent netfilter security patches.

Steps to reproduce:
1. Update kernel to 6.1.119-1
2. Reboot system
3. Attempt to use nftables rules with 'ct state'

Current behavior:
- Error message: "could not process rule: No such file or directory"
- nftables rules using 'ct state' fail to load
- Basic firewall functionality without connection tracking works

Expected behavior:
- nftables rules with 'ct state' should load and function properly
- Connection tracking should work as it did in previous kernel version

System information:
- Debian 12 (bookworm)
- Previous kernel: linux-image-6.1.0-27-amd64 (6.1.115-1)
- Current kernel: linux-image-6.1.0-28-amd64 (6.1.119-1)
- nftables version: 1.0.6

Related changes in current version:
- Security fixes for netfilter IPv6 (use-after-free in ip6table_nat)
- Changes to nf_reject_ipv6 TCP header handling

nf_conntrack and related modules are loaded:
[output of lsmod | grep -E 'nf_|netfilter|nft']

Additional notes:
- System has module loading disabled (kernel.modules_disabled=1)
- Required modules are preloaded in initramfs
- Configuration worked correctly in previous kernel version

Proposed temporary solution:
Reverting to linux-image-6.1.0-27-amd64 restores functionality.

Please advise on proper configuration for connection tracking with the new security patches, or confirm if this is a regression that needs to be addressed.

This report has been co authored with AI support.

Kind regards,

--- End Message ---

--- Begin Message ---

To: Tibor <oomtig@gmail.com>
Cc: 1090183-done@bugs.debian.org
Subject: Re: Bug#1090183: nftables connection tracking fails after kernel update to 6.1.119-1
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 17 Dec 2024 07:30:54 +0100
Message-id: <Z2Eani5LO99P2Stt@eldamar.lan>
In-reply-to: <CAORh9ZEFhHpFaEephMAsOLB2rQ+qJkTKtebOnsmZ7SWsdpZvdQ@mail.gmail.com>
References: <[🔎] CAORh9ZEFKOPbkSvg_MjTurDnmt_XNVMU6GpR6R8Txxhi2Wxrww@mail.gmail.com> <[🔎] Z2BaHJIRvM2pSOIb@eldamar.lan> <CAORh9ZEFhHpFaEephMAsOLB2rQ+qJkTKtebOnsmZ7SWsdpZvdQ@mail.gmail.com>

Hi,

On Mon, Dec 16, 2024 at 10:39:40PM +0000, Tibor wrote:
> Hi Salvatore, thanks for checking.
> 
> I've removed and updated the kernel 6.1.0-28.
> 
> I made some other changes before the previous update, so was not able to
> reproduce the issue.
> 
> This was my first submission, so apologies for the false alarm.

Thanks for reporting back. I will close in this case the bug report.

Regards,
Salvatore

--- End Message ---

Reply to: