Control: tags -1 + moreinfo

Hi,

On Mon, Dec 16, 2024 at 02:43:47PM +0000, Tibor wrote:
> Package: linux-image-6.1.0-28-amd64
> Version: 6.1.119-1
> Severity: important
> 
> After upgrading from linux-image-6.1.0-27-amd64 to
> linux-image-6.1.0-28-amd64, nftables connection tracking ('ct state')
> functionality stopped working. The issue appears to be related to recent
> netfilter security patches.
> 
> Steps to reproduce:
> 1. Update kernel to 6.1.119-1
> 2. Reboot system
> 3. Attempt to use nftables rules with 'ct state'
> 
> Current behavior:
> - Error message: "could not process rule: No such file or directory"
> - nftables rules using 'ct state' fail to load
> - Basic firewall functionality without connection tracking works
> 
> Expected behavior:
> - nftables rules with 'ct state' should load and function properly
> - Connection tracking should work as it did in previous kernel version
> 
> System information:
> - Debian 12 (bookworm)
> - Previous kernel: linux-image-6.1.0-27-amd64 (6.1.115-1)
> - Current kernel: linux-image-6.1.0-28-amd64 (6.1.119-1)
> - nftables version: 1.0.6
> 
> Related changes in current version:
> - Security fixes for netfilter IPv6 (use-after-free in ip6table_nat)
> - Changes to nf_reject_ipv6 TCP header handling
> 
> nf_conntrack and related modules are loaded:
> [output of lsmod | grep -E 'nf_|netfilter|nft']
> 
> Additional notes:
> - System has module loading disabled (kernel.modules_disabled=1)
> - Required modules are preloaded in initramfs
> - Configuration worked correctly in previous kernel version
> 
> Proposed temporary solution:
> Reverting to linux-image-6.1.0-27-amd64 restores functionality.
> 
> Please advise on proper configuration for connection tracking with the new
> security patches, or confirm if this is a regression that needs to be
> addressed.

Can you please provide an example which fails, ideally as minimal as
possible? A simple example using ct state from
https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Simple_IP/IPv6_Firewall
works as expected, so we need more information here.

If you are able to reproduce the issue with the upstream versions
6.1.115 and 6.1.119, can you please also bisect the changes?

Regards,
Salvatore

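A minimal 'ct state' ruleset of the kind Salvatore asks for, together with a preflight check of which netfilter modules an lsmod listing shows as present (relevant because the reporter runs with kernel.modules_disabled=1, so nothing can be autoloaded on demand). This is an added example, not code from the thread; the required-module list and the lsmod sample are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report. Module names below are an assumption
# about what an nftables 'ct state' rule needs; the lsmod text is constructed.

# Minimal inet ruleset using 'ct state', modelled on the nftables wiki example.
minimal_ct_ruleset() {
    cat <<'EOF'
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        tcp dport 22 accept
    }
}
EOF
}

# Assumed set of modules a 'ct state' rule depends on (nft_ct is the expression,
# nf_conntrack the tracker, nf_tables/nfnetlink the framework).
REQUIRED_MODULES="nf_tables nfnetlink nf_conntrack nft_ct"

# Read lsmod-style text on stdin and print the modules from $1 that are absent;
# return 1 if any are missing. With modules_disabled=1 a missing module here
# cannot be loaded later, so it must already be in the initramfs preload set.
missing_modules() {
    listing=$(cat)
    missing=""
    for m in $1; do
        if ! printf '%s\n' "$listing" |
             awk -v mod="$m" '$1 == mod { f = 1 } END { exit !f }'; then
            missing="$missing $m"
        fi
    done
    missing=${missing# }
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Constructed lsmod output in which nft_ct is not loaded.
SAMPLE_LSMOD='Module                  Size  Used by
nf_tables             249856  0
nf_conntrack          172032  0
nfnetlink              20480  1 nf_tables'

# On the sample this prints "nft_ct" and returns 1.
printf '%s\n' "$SAMPLE_LSMOD" | missing_modules "$REQUIRED_MODULES" || :
```

On a real system, feed `lsmod` to `missing_modules` and pass the ruleset to `nft -c -f -` to check it without installing it.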