Control: tags -1 upstream

Good and bad news.
The good news is that Florian Westphal from the Netfilter project helped me with bisecting the git tree to discover which concrete patch fixes the issue, and he found it:

https://git.netfilter.org/iptables/commit/?id=947c51c95edbbf08d6b3c105177ac5cfa238aade

The bad news is that the patch doesn't apply cleanly to iptables 1.8.2 (the version in Buster), so this is unlikely to be fixed for Buster. There are many dependent changes in the iptables tree before that patch can be applied.

Thankfully, 1.8.3 contains the fix and is already packaged (currently waiting in the NEW queue).

Regards.