Package: linux-image-4.2.0-1-amd64
Version: 4.2.1-2

After booting the kernel image provided by this package and attempting to connect to the Internet, network access doesn't actually work. The message "nf_conntrack: table full, dropping packet" is repeatedly logged.
Comparing the contents of the various /proc/sys conntrack files between a working 4.1 kernel (from linux-image-4.1.0-2-amd64) and the broken 4.2, the only difference I see is that nf_conntrack_count has a value of "-5". Yes, negative 5. /proc/net/stat/nf_conntrack's "entries" column matches this with a value of fffffffb. /proc/net/nf_conntrack is empty on the 4.2 kernel, while it has a handful of expected entries on 4.1.

I have iptables rules set up by shorewall on this machine, including configuration to forward/masq traffic on the interface used by vde2, in case that helps reproduce this. Removing all the iptables rules and removing the nf_conntrack_ipv4 module (and everything that depends on it, of course) stops the error. Disabling shorewall at boot allows network functionality, and starting shorewall later didn't immediately cause the problem, but in some experimentation afterwards the system locked up.
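The check below is an added example, not part of the bug report or of the Debian kernel package. It automates the comparison the reporter did by hand: it reads nf_conntrack_count and nf_conntrack_max from /proc/sys/net/netfilter, parses the per-CPU hex rows of /proc/net/stat/nf_conntrack, reinterprets the 32-bit "entries" word as a signed value (so fffffffb reads as -5), and distinguishes a genuinely full table from a counter that has gone negative. The file paths are the standard kernel locations; the stat-file header and sample rows are constructed to match the file's layout, and the verdict labels are this example's own.

```python
"""Triage helper for "nf_conntrack: table full, dropping packet" messages.

Added example, not part of the bug report. Reads the conntrack counter
sysctls and /proc/net/stat/nf_conntrack, reinterprets the 32-bit hex
"entries" column as signed (so fffffffb reads as -5), and reports whether
the table is genuinely full or the counter has underflowed.
The sample stat-file contents at the bottom are constructed, not captured.
"""
from __future__ import annotations
import os

SYSCTL_DIR = "/proc/sys/net/netfilter"      # nf_conntrack_count / nf_conntrack_max live here
STAT_FILE = "/proc/net/stat/nf_conntrack"    # header line, then one row of hex words per CPU


def to_signed32(word: int) -> int:
    """Reinterpret an unsigned 32-bit word as two's-complement signed (0xfffffffb -> -5)."""
    word &= 0xFFFFFFFF
    return word - (1 << 32) if word & 0x80000000 else word


def parse_stat(text: str) -> list[dict[str, int]]:
    """Parse the stat file: whitespace-separated header, then hex rows, one per CPU."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    if not rows:
        return []
    header, data = rows[0], rows[1:]
    return [dict(zip(header, (int(v, 16) for v in row))) for row in data]


def diagnose(stat_text: str, count: int, maximum: int) -> dict:
    """Classify conntrack state from the stat-file text and the two sysctl values."""
    entries = [to_signed32(cpu["entries"]) for cpu in parse_stat(stat_text)]
    if count < 0 or any(e < 0 for e in entries):
        # A negative count means broken kernel accounting, not a real overflow;
        # raising nf_conntrack_max will not help here.
        verdict = "counter_underflow"
    elif count >= maximum:
        # The honest case: the table really is full.
        verdict = "table_full"
    else:
        verdict = "ok"
    return {
        "count": count,
        "max": maximum,
        "entries_signed": entries,
        # The entries column carries the global count on each CPU row; in the
        # report it matched nf_conntrack_count, so a mismatch is worth flagging.
        "consistent": all(e == count for e in entries),
        "verdict": verdict,
    }


def read_sysctl(name: str) -> int:
    """Read one sysctl; the kernel prints a signed decimal, e.g. "-5"."""
    with open(os.path.join(SYSCTL_DIR, name)) as fh:
        return int(fh.read().strip())


def diagnose_live() -> dict | None:
    """Run the check against the running kernel; None if nf_conntrack is not loaded."""
    try:
        with open(STAT_FILE) as fh:
            stat_text = fh.read()
        return diagnose(stat_text,
                        read_sysctl("nf_conntrack_count"),
                        read_sysctl("nf_conntrack_max"))
    except FileNotFoundError:
        return None


# Constructed sample modelled on the stat-file layout (17 columns, one hex row per CPU).
# "fffffffb" in the entries column is the value quoted in the report.
STAT_HEADER = ("entries searched found new invalid ignore delete delete_list insert "
               "insert_failed drop early_drop icmp_error expect_new expect_create "
               "expect_delete search_restart\n")
SAMPLE_BROKEN = STAT_HEADER + ("fffffffb" + " 00000000" * 16 + "\n") * 2
SAMPLE_HEALTHY = STAT_HEADER + "0000002a" + " 00000000" * 16 + "\n"

if __name__ == "__main__":
    print(diagnose(SAMPLE_BROKEN, -5, 65536))    # the 4.2 symptom from the report
    print(diagnose(SAMPLE_HEALTHY, 42, 65536))   # a normal table
    print(diagnose_live())                        # None unless nf_conntrack is loaded
```

Run it as root on the affected kernel; a "counter_underflow" verdict with a negative entries column tells you the "table full" message is a symptom of the counter, not of real connection volume, so tuning nf_conntrack_max is the wrong fix.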