Your message dated Tue, 17 Dec 2024 14:28:34 +0100
with message-id <z2f8guyvn3xry...@eldamar.lan>
and subject line Re: Bug#1090183: Info received (Bug#1090183: nftables 
connection tracking fails after kernel update to 6.1.119-1)
has caused the Debian Bug report #1090183,
regarding nftables connection tracking fails after kernel update to 6.1.119-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1090183: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1090183
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: linux-image-6.1.0-28-amd64
Version: 6.1.119-1
Severity: important

After upgrading from linux-image-6.1.0-27-amd64 to
linux-image-6.1.0-28-amd64, nftables connection tracking ('ct state')
functionality stopped working. The issue appears to be related to recent
netfilter security patches.

Steps to reproduce:
1. Update kernel to 6.1.119-1
2. Reboot system
3. Attempt to use nftables rules with 'ct state'

Current behavior:
- Error message: "could not process rule: No such file or directory"
- nftables rules using 'ct state' fail to load
- Basic firewall functionality without connection tracking works

Expected behavior:
- nftables rules with 'ct state' should load and function properly
- Connection tracking should work as it did in previous kernel version

System information:
- Debian 12 (bookworm)
- Previous kernel: linux-image-6.1.0-27-amd64 (6.1.115-1)
- Current kernel: linux-image-6.1.0-28-amd64 (6.1.119-1)
- nftables version: 1.0.6

Related changes in current version:
- Security fixes for netfilter IPv6 (use-after-free in ip6table_nat)
- Changes to nf_reject_ipv6 TCP header handling

nf_conntrack and related modules are loaded:
[output of lsmod | grep -E 'nf_|netfilter|nft']

Additional notes:
- System has module loading disabled (kernel.modules_disabled=1)
- Required modules are preloaded in initramfs
- Configuration worked correctly in previous kernel version

Proposed temporary solution:
Reverting to linux-image-6.1.0-27-amd64 restores functionality.

Please advise on proper configuration for connection tracking with the new
security patches, or confirm if this is a regression that needs to be
addressed.

This report has been co-authored with AI support.

Kind regards,

--- End Message ---
--- Begin Message ---
Hi,

On Tue, Dec 17, 2024 at 12:54:33PM +0000, Tibor wrote:
> Seems the issue comes with an incorrect/mismatching GRUB configuration:
> 
> The connection tracking feature does not work if:
> 
> in the /etc/default/grub
> 
> The
> 
> GRUB_DEFAULT="Debian GNU/Linux. with Linux 6.1.0-27-amd64"
> 
> But the system actually boots the 6.1.0-28 kernel,
> 
> If the GRUB_DEFAULT entry is changed to
> GRUB_DEFAULT="Debian GNU/Linux. with Linux 6.1.0-28-amd64"
> 
> The issue seems to resolve.
> 
> - Always starting the default entry

Thanks for having reported back!

Regards,
Salvatore

--- End Message ---
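The thread resolves to a mismatch between the kernel named in GRUB_DEFAULT and the kernel that actually boots, on a system with kernel.modules_disabled=1 and the netfilter modules preloaded from the initramfs. The following script is an added example (not part of the bug thread, and not Debian's own tooling) of the post-upgrade check a defender would want: it extracts the kernel release pinned in /etc/default/grub, compares it with `uname -r`, verifies that an nf_conntrack module exists on disk and in the initramfs for the running kernel, and dry-runs a `ct state` rule with `nft -c`. The function names, the module root parameter and the sample config used in testing are assumptions; GRUB_DEFAULT is assumed to follow the "…with Linux <release>" form seen in the thread.

```shell
#!/bin/sh
# Added diagnostic, not from the bug report: detect a GRUB_DEFAULT /
# running-kernel mismatch and missing conntrack support for the booted
# kernel. Hypothetical helper names; paths are Debian defaults.

# Print the kernel release named in a GRUB_DEFAULT line such as
#   GRUB_DEFAULT="Debian GNU/Linux, with Linux 6.1.0-28-amd64"
# Reads the grub config on stdin; prints nothing when GRUB_DEFAULT is
# not pinned to a specific kernel (e.g. GRUB_DEFAULT=0).
grub_default_kernel() {
    sed -n -e "/^GRUB_DEFAULT=.*with Linux /{" \
           -e "s/.*with Linux //" \
           -e "s/[\"'].*//" \
           -e p -e "}" | head -n 1
}

# 0 if the pinned kernel (arg 1, may be empty) equals the running kernel
# (arg 2), 1 otherwise. An empty pin counts as a mismatch.
kernel_matches() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# 0 when a module tree for the release (arg 1) exists under the module
# root (arg 2, default /lib/modules) and contains nf_conntrack.ko*.
conntrack_module_present() {
    root=${2:-/lib/modules}
    [ -d "$root/$1" ] && find "$root/$1" -name 'nf_conntrack.ko*' 2>/dev/null | grep -q .
}

# 0 when the initramfs for the release (arg 1) carries nf_conntrack;
# 2 when lsinitramfs or the image is unavailable.
initramfs_has_conntrack() {
    img="/boot/initrd.img-$1"
    command -v lsinitramfs >/dev/null 2>&1 && [ -r "$img" ] || return 2
    lsinitramfs "$img" | grep -q 'nf_conntrack\.ko'
}

# Dry-run a ruleset using 'ct state' (nft -c checks without applying);
# 2 when nft is not installed.
check_ct_rule() {
    command -v nft >/dev/null 2>&1 || return 2
    nft -c -f - <<'EOF'
table inet diag_check {
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
    }
}
EOF
}

main() {
    running=$(uname -r)
    default=$(grub_default_kernel < /etc/default/grub 2>/dev/null)
    echo "running kernel:      $running"
    echo "GRUB_DEFAULT kernel: ${default:-<not pinned>}"
    if kernel_matches "$default" "$running"; then
        echo "OK: GRUB_DEFAULT matches the running kernel"
    else
        echo "WARNING: GRUB_DEFAULT is unpinned or names a different kernel"
    fi
    if conntrack_module_present "$running"; then
        echo "OK: nf_conntrack present under /lib/modules/$running"
    else
        echo "WARNING: no nf_conntrack module for $running"
    fi
    initramfs_has_conntrack "$running"
    case $? in
        0) echo "OK: initramfs for $running carries nf_conntrack" ;;
        2) echo "SKIP: lsinitramfs or initrd image not available" ;;
        *) echo "WARNING: initramfs for $running lacks nf_conntrack" ;;
    esac
    check_ct_rule
    case $? in
        0) echo "OK: 'ct state' rule accepted by nft -c" ;;
        2) echo "SKIP: nft not installed" ;;
        *) echo "WARNING: 'ct state' rule rejected by nft -c" ;;
    esac
    return 0
}

main
```

Run it as root after every kernel upgrade (and after editing /etc/default/grub, before `update-grub`); any WARNING line points at the same class of mismatch the thread describes, before a reboot makes the firewall's `ct state` rules fail to load.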
