Control: tags -1 + moreinfo

Hi

On Sun, Sep 10, 2023 at 10:38:45AM +0200, Timo Sigurdsson wrote:
> Package: linux
> Version: 6.1.52-1
> Severity: grave
>
> Dear Maintainers,
>
> linux-image-6.1.0-12-amd64 causes a serious regression in nftables.
> After upgrading one of my machines, nftables fails to start -
> leaving the system without an active firewall.
>
> Doing
> `nft -cf /etc/nftables.conf'
> throws many "Operation not supported" errors on rulesets that have been in
> place for months without issues.
>
> Just to give two simple examples from the log when nftables fails to start:
> /etc/nftables.conf:99:4-44: Error: Could not process rule: Operation not supported
> tcp option maxseg size 1-500 counter drop
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> /etc/nftables.conf:308:4-27: Error: Could not process rule: Operation not supported
> tcp dport sip-tls accept
> ^^^^^^^^^^^^^^^^^^^^^^^^
>
> Downgrading to linux-image-6.1.0-11-amd64 resolves the issue.
>
> Notes: I'm running a local rebuild of linux-image-amd64 with a few
> additional symbols enabled. But since these symbols are totally
> unrelated to the netfilter subsystem and there are no changes to the
> source itself, I'm certain, this affects the original Debian build
> as well. Whether it only affects certain architectures or rulesets,
> I can't say, though.
>
> I'm cc'ing debian-secur...@debian.org because the update came via
> the stable-security channel.

This is definitively not 'grave' but I keep it for the time being at RC
level and might be adjusted later.

Would it be possible to provide a minimal set of rules triggering the
issue?

Can you reproduce the issue with the official build?

Regards,
Salvatore
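The maintainer asks for a minimal set of rules that triggers the error. The script below is an added example (not part of the bug report or of Debian's tooling) of how to narrow a large ruleset down to the individual rules the running kernel rejects: each rule is wrapped in its own throwaway table/chain and checked with `nft -c` (check only, nothing is committed), so the output is exactly the list of rules to paste into a minimal reproducer. The sample rules are constructed from the two rules quoted in the report plus two ordinary ones; the table and chain names are arbitrary; and because the real check needs `nft` and CAP_NET_ADMIN, the real path is opt-in via `NFT_REAL=1` and a mock checker that flags the two reported rules stands in by default so the script runs offline.

```shell
#!/bin/sh
# Isolate which rules of an nftables ruleset fail 'nft -c' on the running kernel.
# Added example, not code from the bug report. Assumes one rule per line (no
# nested blocks); the wrapper table/chain names below are arbitrary.

# Constructed sample: the two rules from the report plus two that load anywhere.
SAMPLE_RULES='tcp option maxseg size 1-500 counter drop
tcp dport sip-tls accept
tcp dport 22 accept
ct state established,related accept'

# Mock checker used when NFT_REAL is not set: rejects the two reported rules so
# the script demonstrates the isolation logic without a kernel or nft binary.
mock_check_rule() {
    case $1 in
        *"tcp option"*|*sip-tls*) return 1 ;;
        *) return 0 ;;
    esac
}

# Wrap one rule in a minimal inet filter chain and ask nft to check it
# (-c: parse and validate against the kernel, do not commit).
nft_check_rule() {
    printf 'table inet isolate {\n  chain probe {\n    type filter hook input priority 0;\n    %s\n  }\n}\n' "$1" \
        | nft -c -f - >/dev/null 2>&1
}

# Returns 0 if the rule loads, non-zero if the kernel/nft rejects it.
check_rule() {
    if [ "${NFT_REAL:-0}" = 1 ] && command -v nft >/dev/null 2>&1; then
        nft_check_rule "$1"
    else
        mock_check_rule "$1"
    fi
}

# Prints each rejected rule on its own line; the output is the minimal
# reproducer the maintainer asked for.
find_failing_rules() {
    printf '%s\n' "$1" | while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        if ! check_rule "$rule"; then
            printf '%s\n' "$rule"
        fi
    done
}

# Usage: NFT_REAL=1 sh isolate.sh   (or run as-is for the offline mock)
find_failing_rules "$SAMPLE_RULES"
```

On a kernel where the report's two rules are rejected, `NFT_REAL=1` prints exactly those two lines; on the fixed kernel it prints nothing. To run it against a real `/etc/nftables.conf`, feed `find_failing_rules` the rule lines extracted from one chain (for example with `sed -n '/chain input/,/^ *}/p' /etc/nftables.conf | grep -vE 'chain|type filter|^ *}'`) rather than `SAMPLE_RULES`.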