Package: linux-image-6.1.0-28-amd64
Version: 6.1.119-1
Severity: important

After upgrading from linux-image-6.1.0-27-amd64 to linux-image-6.1.0-28-amd64, nftables connection tracking ('ct state') functionality stopped working. The issue appears to be related to recent netfilter security patches.

Steps to reproduce:
1. Update kernel to 6.1.119-1
2. Reboot system
3. Attempt to use nftables rules with 'ct state'

Current behavior:
- Error message: "could not process rule: No such file or directory"
- nftables rules using 'ct state' fail to load
- Basic firewall functionality without connection tracking works

Expected behavior:
- nftables rules with 'ct state' should load and function properly
- Connection tracking should work as it did in previous kernel version

System information:
- Debian 12 (bookworm)
- Previous kernel: linux-image-6.1.0-27-amd64 (6.1.115-1)
- Current kernel: linux-image-6.1.0-28-amd64 (6.1.119-1)
- nftables version: 1.0.6

Related changes in current version:
- Security fixes for netfilter IPv6 (use-after-free in ip6table_nat)
- Changes to nf_reject_ipv6 TCP header handling

nf_conntrack and related modules are loaded:
[output of lsmod | grep -E 'nf_|netfilter|nft']

Additional notes:
- System has module loading disabled (kernel.modules_disabled=1)
- Required modules are preloaded in initramfs
- Configuration worked correctly in previous kernel version

Proposed temporary solution:
Reverting to linux-image-6.1.0-27-amd64 restores functionality.

Please advise on proper configuration for connection tracking with the new security patches, or confirm if this is a regression that needs to be addressed.

This report has been co-authored with AI support.

Kind regards,
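
Added example, not part of the original report: a shell check for the setup described above (kernel.modules_disabled=1 with modules preloaded from the initramfs) that reports which of the modules a ruleset depends on are absent from /proc/modules. The module names nf_conntrack and nft_ct, the function names and the sample module list are assumptions constructed for illustration.

```shell
#!/bin/sh
# With kernel.modules_disabled=1 the kernel cannot load a module on demand,
# so every module a ruleset needs must already be listed in /proc/modules.
# File paths are parameters so the check also works on saved copies.
# Caveat: code built into the kernel never appears in /proc/modules.

# missing_modules MODULES_FILE NAME...
# Prints each NAME that has no entry in MODULES_FILE (/proc/modules format).
missing_modules() {
    modules_file=$1
    shift
    for want in "$@"; do
        # First field of each /proc/modules line is the module name.
        if ! awk -v m="$want" '$1 == m { found = 1 } END { exit !found }' \
                "$modules_file"; then
            printf '%s\n' "$want"
        fi
    done
}

# preload_status MODULES_FILE DISABLED_FILE NAME...
# Prints "ok", "loadable: <names>" (missing, loading still allowed) or
# "blocked: <names>" (missing and module loading is disabled).
preload_status() {
    modules_file=$1
    disabled_file=$2
    shift 2
    missing=$(missing_modules "$modules_file" "$@" | tr '\n' ' ')
    missing=${missing% }
    if [ -z "$missing" ]; then
        echo ok
    elif [ "$(cat "$disabled_file")" = "1" ]; then
        echo "blocked: $missing"
    else
        echo "loadable: $missing"
    fi
}

# Constructed sample input so the check runs offline.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'nf_conntrack 188416 1 nf_nat, Live 0x0' \
                  'nf_tables 303104 0 - Live 0x0' > "$d/modules"
    echo 1 > "$d/disabled"
    preload_status "$d/modules" "$d/disabled" nf_conntrack nft_ct
    rm -rf "$d"
}
demo
```

On a live system the same call takes /proc/modules and /proc/sys/kernel/modules_disabled as its first two arguments.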