Bug#1090183: marked as done (nftables connection tracking fails after kernel update to 6.1.119-1)
Your message dated Tue, 17 Dec 2024 07:30:54 +0100
with message-id <Z2Eani5LO99P2Stt@eldamar.lan>
and subject line Re: Bug#1090183: nftables connection tracking fails after kernel update to 6.1.119-1
has caused the Debian Bug report #1090183,
regarding nftables connection tracking fails after kernel update to 6.1.119-1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
1090183: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1090183
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: linux-image-6.1.0-28-amd64
Version: 6.1.119-1
Severity: important
After upgrading from linux-image-6.1.0-27-amd64 to linux-image-6.1.0-28-amd64, nftables connection tracking ('ct state') functionality stopped working. The issue appears to be related to recent netfilter security patches.
Steps to reproduce:
1. Update kernel to 6.1.119-1
2. Reboot system
3. Attempt to use nftables rules with 'ct state'
Current behavior:
- Error message: "could not process rule: No such file or directory"
- nftables rules using 'ct state' fail to load
- Basic firewall functionality without connection tracking works
Expected behavior:
- nftables rules with 'ct state' should load and function properly
- Connection tracking should work as it did in previous kernel version
System information:
- Debian 12 (bookworm)
- Previous kernel: linux-image-6.1.0-27-amd64 (6.1.115-1)
- Current kernel: linux-image-6.1.0-28-amd64 (6.1.119-1)
- nftables version: 1.0.6
Related changes in current version:
- Security fixes for netfilter IPv6 (use-after-free in ip6table_nat)
- Changes to nf_reject_ipv6 TCP header handling
nf_conntrack and related modules are loaded:
[output of lsmod | grep -E 'nf_|netfilter|nft']
Additional notes:
- System has module loading disabled (kernel.modules_disabled=1)
- Required modules are preloaded in initramfs
- Configuration worked correctly in previous kernel version
Proposed temporary solution:
Reverting to linux-image-6.1.0-27-amd64 restores functionality.
Please advise on proper configuration for connection tracking with the new security patches, or confirm if this is a regression that needs to be addressed.
This report has been co-authored with AI support.
Kind regards,
--- End Message ---
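Added example, not part of the bug report or of any Debian tooling: the report pairs a 'ct state' rule, the error "could not process rule: No such file or directory" (the text nft prints for ENOENT) and a host with kernel.modules_disabled=1, where the kernel cannot autoload a missing module on first use. A defender-side preflight on such a host is to confirm that the connection-tracking modules are already resident before a ruleset is loaded, and to validate the ruleset with 'nft -c' (check only, nothing applied). The module names nf_conntrack and nft_ct, the exit-code scheme and the sample ruleset are assumptions of this example, not anything stated in the thread.

```shell
#!/bin/sh
# Preflight for an nftables ruleset that uses 'ct state' on a host running
# with kernel.modules_disabled=1. Example code; module names and exit codes
# are assumptions, not taken from the bug report.

# Modules nft needs resident for a 'ct state' rule once autoloading is off.
# Caveat: support compiled into the kernel (non-modular) is not listed in
# /proc/modules, so on such kernels this check must be adjusted.
CT_MODULES="nf_conntrack nft_ct"

# missing_ct_modules MODULES_FILE
#   Prints each name from CT_MODULES that is not listed in MODULES_FILE
#   (normally /proc/modules, whose lines begin with the module name).
missing_ct_modules() {
    for m in $CT_MODULES; do
        grep -q "^$m " "$1" || printf '%s\n' "$m"
    done
}

# ct_preflight MODULES_FILE MODULES_DISABLED
#   0 = all modules resident
#   1 = some missing, but the kernel may still autoload them on first use
#   2 = some missing and autoload is blocked (kernel.modules_disabled=1), so
#       the ruleset will be rejected until the modules ship in the initramfs
ct_preflight() {
    missing=$(missing_ct_modules "$1")
    [ -z "$missing" ] && return 0
    [ "$2" = "1" ] && return 2
    return 1
}

# classify_nft_error MESSAGE
#   Maps nft's failure text to a coarse category so a deploy script can tell
#   "kernel lacks support for this expression" apart from a broken ruleset.
classify_nft_error() {
    case "$1" in
        *"No such file or directory"*) echo kernel-support-missing ;;
        *"Operation not permitted"*)   echo permission ;;
        *"syntax error"*)              echo ruleset-error ;;
        *)                             echo unknown ;;
    esac
}

# write_sample_ruleset FILE
#   Constructed minimal ruleset with a 'ct state' rule, for the dry run.
write_sample_ruleset() {
    cat > "$1" <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
    }
}
EOF
}

# validate_ruleset RULESET_FILE
#   Dry-run with 'nft -c': parses and checks against the kernel, applies nothing.
#   0 = accepted, 3 = nft not installed, 4 = rejected (category is printed)
validate_ruleset() {
    command -v nft >/dev/null 2>&1 || return 3
    out=$(nft -c -f "$1" 2>&1) && return 0
    classify_nft_error "$out"
    return 4
}

# Stand-alone use on a live system (nft -c needs root):  sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    disabled=$(cat /proc/sys/kernel/modules_disabled 2>/dev/null || echo 0)
    ct_preflight /proc/modules "$disabled"; rc=$?
    case $rc in
        0) echo "conntrack modules resident" ;;
        1) echo "conntrack modules not resident; kernel may autoload them" ;;
        2) echo "conntrack modules missing and autoload blocked: add them to the initramfs"; exit 2 ;;
    esac
    rs=$(mktemp); write_sample_ruleset "$rs"
    validate_ruleset "$rs"; vrc=$?
    rm -f "$rs"
    exit $vrc
fi
```

Run with `--run` on the host itself; the functions take the modules file and the sysctl value as parameters so the same logic can be exercised against saved copies of /proc/modules from a machine under investigation. The categories from classify_nft_error are deliberately coarse: 'kernel-support-missing' says the rule could not be set up in this kernel, which is worth checking for module availability and kernel version before treating it as a kernel regression.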
--- Begin Message ---
Hi,
On Mon, Dec 16, 2024 at 10:39:40PM +0000, Tibor wrote:
> Hi Salvatore, thanks for checking.
>
> I've removed and updated the kernel 6.1.0-28.
>
> I made some other changes before the previous update, so was not able to
> reproduce the issue.
>
> This was my first submission, so apologies for the false alarm.
Thanks for reporting back. I will close the bug report in this case.
Regards,
Salvatore
--- End Message ---