Bug#1090183: nftables connection tracking fails after kernel update to 6.1.119-1
Package: linux-image-6.1.0-28-amd64
Version: 6.1.119-1
Severity: important

After upgrading from linux-image-6.1.0-27-amd64 to linux-image-6.1.0-28-amd64, nftables connection tracking ('ct state') functionality stopped working. The issue appears to be related to recent netfilter security patches.

Steps to reproduce:
1. Update kernel to 6.1.119-1
2. Reboot system
3. Attempt to use nftables rules with 'ct state'

Current behavior:
- Error message: "could not process rule: No such file or directory"
- nftables rules using 'ct state' fail to load
- Basic firewall functionality without connection tracking works

Expected behavior:
- nftables rules with 'ct state' should load and function properly
- Connection tracking should work as it did in previous kernel version

System information:
- Debian 12 (bookworm)
- Previous kernel: linux-image-6.1.0-27-amd64 (6.1.115-1)
- Current kernel: linux-image-6.1.0-28-amd64 (6.1.119-1)
- nftables version: 1.0.6

Related changes in current version:
- Security fixes for netfilter IPv6 (use-after-free in ip6table_nat)
- Changes to nf_reject_ipv6 TCP header handling

nf_conntrack and related modules are loaded:
[output of lsmod | grep -E 'nf_|netfilter|nft']

Additional notes:
- System has module loading disabled (kernel.modules_disabled=1)
- Required modules are preloaded in initramfs
- Configuration worked correctly in previous kernel version

Proposed temporary solution:
Reverting to linux-image-6.1.0-27-amd64 restores functionality.

Please advise on proper configuration for connection tracking with the new security patches, or confirm if this is a regression that needs to be addressed.

This report has been co-authored with AI support.

Kind regards,
Bug#1090183: nftables connection tracking fails after kernel update to 6.1.119-1
Error: Could not process rule: No such file or directory
Dec 16 12:01:31 localhost nft[503]: ct state invalid drop comment "Drop invalid connections"
Dec 16 12:01:31 localhost nft[503]:
Dec 16 12:01:31 localhost nft[503]: /etc/nftables.conf:30:9-16: Error: Could not process rule: No such file or directory
Dec 16 12:01:31 localhost nft[503]: ct state established,related accept comment "Allow existing connections"
Dec 16 12:01:31 localhost nft[503]:
Dec 16 12:01:31 localhost nft[503]: /etc/nftables.conf:47:13-20: Error: Could not process rule: No such file or directory
Dec 16 12:01:31 localhost nft[503]: ct state established \
Dec 16 12:01:31 localhost nft[503]:
Dec 16 12:01:31 localhost nft[503]: /etc/nftables.conf:51:13-20: Error: Could not process rule: No such file or directory
Dec 16 12:01:31 localhost nft[503]: ct state established \
Dec 16 12:01:31 localhost nft[503]:
Dec 16 12:01:31 localhost nft[503]: /etc/nftables.conf:56:13-20: Error: Could not process rule: No such file or directory
Dec 16 12:01:31 localhost nft[503]: ct state new \
Dec 16 12:01:31 localhost nft[503]:
Dec 16 12:01:31 localhost nft[503]: /etc/nftables.conf:60:13-20: Error: Could not process rule: No such file or directory
Dec 16 12:01:31 localhost nft[503]: ct state established \
Dec 16 12:01:31 localhost nft[503]:
Dec 16 12:01:31 localhost nft[503]: /etc/nftables.conf:80:13-20: Error: Could not process rule: No such file or directory
Dec 16 12:01:31 localhost nft[503]: ct state new \
Dec 16 12:01:31 localhost nft[503]:
Dec 16 12:01:31 localhost nft[503]: /etc/nftables.conf:85:13-20: Error: Could not process rule: No such file or directory
Dec 16 12:01:31 localhost nft[503]: ct state new \
Dec 16 12:01:31 localhost nft[503]:
Dec 16 12:01:31 localhost nft[503]: /etc/nftables.conf:91:13-20: Error: Could not process rule: No such file or directory
Dec 16 12:01:31 localhost nft[503]: ct state {new,established,related} \
Dec 16 12:01:31 localhost nft[503]:
Dec 16 12:01:31 localhost systemd[1]: nftables.service: Main process exited, code=exited, status=1/FAILURE
Dec 16 12:01:31 localhost systemd[1]: nftables.service: Failed with result 'exit-code'.
Dec 16 12:01:31 localhost systemd[1]: Failed to start nftables.service - nftables.

And version history - setting back to the previous kernel, then upgrading to the new kernel, seemed to resolve the issue for the first boot.

Dec 17 11:06:14 localhost kernel: Linux version 6.1.0-28-amd64 ( debian-kernel@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC Debian 6.1.119-1 (2024-11-22)
Dec 17 10:59:47 localhost kernel: Linux version 6.1.0-28-amd64 ( debian-kernel@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC Debian 6.1.119-1 (2024-11-22)
Dec 17 09:13:35 localhost kernel: Linux version 6.1.0-28-amd64 ( debian-kernel@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC Debian 6.1.119-1 (2024-11-22)
Dec 16 22:36:35 localhost kernel: Linux version 6.1.0-28-amd64 ( debian-kernel@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC Debian 6.1.119-1 (2024-11-22)
Dec 16 22:12:09 localhost kernel: Linux version 6.1.0-27-amd64 ( debian-kernel@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC Debian 6.1.115-1 (2024-11-01)
Dec 16 15:39:14 localhost kernel: Linux version 6.1.0-28-amd64 ( debian-kernel@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC Debian 6.1.119-1 (2024-11-22)
Dec 16 15:28:29 localhost kernel: Linux version 6.1.0-28-amd64 ( debian-kernel@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC Debian 6.1.119-1 (2024-11-22)
Dec 16 13:38:52 localhost kernel: Linux version 6.1.0-28-amd64 ( debian-kernel@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC Debian 6.1.119-1 (2024-11-22)
Dec 16 13:02:58 localhost kernel: Linux version 6.1.0-28-amd64 ( debian-kernel@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC Debian 6.1.119-1 (2024-11-22)
Dec 16 12:01:31 localhost kernel: Linux version 6.1.0-28-amd64 ( debian-kernel@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC Debian 6.1.119-1 (2024-11-22)

I can reliably reproduce this by:
1. Cold boot the system
2. Attemp
Bug#1090183: Info received (Bug#1090183: nftables connection tracking fails after kernel update to 6.1.119-1)
Seems the issue comes with an incorrect/mismatching GRUB configuration:

The connection tracking feature does not work if, in /etc/default/grub,

GRUB_DEFAULT="Debian GNU/Linux. with Linux 6.1.0-27-amd64"

but the system actually boots the 6.1.0-28 kernel.

If the GRUB_DEFAULT entry is changed to

GRUB_DEFAULT="Debian GNU/Linux. with Linux 6.1.0-28-amd64"

the issue seems to resolve.

- Always starting the default entry

On Tue, Dec 17, 2024 at 11:45 AM Debian Bug Tracking System <ow...@bugs.debian.org> wrote:

> Thank you for the additional information you have supplied regarding
> this Bug report.
>
> This is an automatically generated reply to let you know your message
> has been received.
>
> Your message is being forwarded to the package maintainers and other
> interested parties for their attention; they will reply in due course.
>
> Your message has been sent to the package maintainer(s):
> Debian Kernel Team
>
> If you wish to submit further information on this problem, please
> send it to 1090...@bugs.debian.org.
>
> Please do not send mail to ow...@bugs.debian.org unless you wish
> to report a problem with the Bug-tracking system.
>
> --
> 1090183: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1090183
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems
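A pre-reboot check for the mismatch described in this thread, as an added example that is not part of the original messages: it compares the release named in GRUB_DEFAULT with a kernel release and, when module loading is locked, lists required modules that are not loaded. The function names, the module list in REQUIRED and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report: checks to run before rebooting a
# host that sets kernel.modules_disabled=1 and loads 'ct state' rules at boot.

# Print the kernel release pinned by GRUB_DEFAULT; prints nothing when the
# entry is numeric, "saved", or names no release.
grub_default_release() {    # $1: grub defaults file
    sed -n 's/^GRUB_DEFAULT=//p' "$1" | tail -n 1 |
        grep -oE '[0-9]+\.[0-9]+\.[0-9]+-[0-9]+-[a-z0-9]+' | head -n 1
}

# Succeed unless GRUB_DEFAULT pins a release other than the one given.
grub_default_matches() {    # $1: grub defaults file, $2: kernel release
    pinned=$(grub_default_release "$1")
    if [ -z "$pinned" ]; then return 0; fi
    [ "$pinned" = "$2" ]
}

# Print each named module that is absent from a /proc/modules style listing.
missing_modules() {         # $1: listing file, remaining args: module names
    listing=$1; shift
    for mod in "$@"; do
        grep -q "^$mod " "$listing" || printf '%s\n' "$mod"
    done
}

# Assumed module set for rules that use 'ct state'; adjust to the ruleset.
REQUIRED="nf_tables nf_conntrack nft_ct"

# Return 1 and explain when either check fails.
preflight() {   # $1 grub file, $2 release, $3 module listing, $4 modules_disabled
    rc=0
    if ! grub_default_matches "$1" "$2"; then
        echo "GRUB_DEFAULT pins $(grub_default_release "$1"), kernel is $2"
        rc=1
    fi
    absent=$(missing_modules "$3" $REQUIRED)   # word splitting intended
    if [ -n "$absent" ] && [ "$4" = 1 ]; then
        echo "module loading is locked; not loaded:" $absent
        rc=1
    fi
    return $rc
}

# Constructed sample mirroring the report: entry pins -27, host runs -28.
demo() {
    dir=$(mktemp -d)
    echo 'GRUB_DEFAULT="Debian GNU/Linux. with Linux 6.1.0-27-amd64"' > "$dir/grub"
    printf '%s 16384 0 - Live 0x0\n' nf_tables nf_conntrack > "$dir/modules"
    preflight "$dir/grub" 6.1.0-28-amd64 "$dir/modules" 1; result=$?
    rm -rf "$dir"
    return $result
}
demo || echo "preflight failed, as expected for this sample"
```

On a real host the call would be `preflight /etc/default/grub "$(uname -r)" /proc/modules "$(cat /proc/sys/kernel/modules_disabled)"`, run after the new kernel package is installed and with the release that is about to be booted.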
Bug#352972: linux-image-2.6.15-1-686 + linux-image-2.6.15-1-486
Hi

I have found the same DMA problem in all versions of this kernel linux-image-2.6.15-1-686 (2.6.15-1 till 2.6.15-7) and also with linux-image-2.6.15-1-486/2.6.15-7

The DMA with linux-image-2.6.12-1-686 works without any problem on the same machine (82801DB (ICH4) chipset)

regards
Tibor

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#355672: Boot hangs on SATA harddrive
Package: linux-image-2.6.15-1-686-smp
Version: 2.6.15-7

I'm using Debian testing on a Dell Optiplex GX280 desktop machine with standard Debian kernel package of linux-image-2.6.12-1-686-smp. This computer has a SATA hard drive which is handled by the kernel perfectly.

I've installed linux-image-2.6.15-1-686-smp. The installation went fine installing all the dependencies as well. The boot process with this kernel is running smoothly up to the point when after loading modules from the initial ramdisk the hard drive should be accessed. This is a point when the process hangs. I suspect the problem is related to loading the SATA modules.

The problem has been recognized by others as well, but I could not find it in the list of reported bugs:
http://lists.debian.org/debian-kernel/2006/01/msg00716.html

The SATA relevant part of lspci -vvv:

:00:1f.2 IDE interface: Intel Corp. 82801FB/FW (ICH6/ICH6W) SATA Controller (rev 03) (prog-if 8f [Master SecP SecO PriP PriO])
        Subsystem: Dell: Unknown device 0179
        Control: I/O+ Mem- BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B-
        Status: Cap+ 66MHz+ UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- SERR-
Bug#357448: Boot hangs on SATA harddrive
Package: linux-image-2.6.15-1-686-smp
Version: 2.6.15-8

I'm using Debian testing on a Dell Optiplex GX280 desktop machine with standard Debian kernel package of linux-image-2.6.12-1-686-smp. This computer has a SATA hard drive which is handled by the kernel perfectly.

I've installed linux-image-2.6.15-1-686-smp. The installation went fine installing all the dependencies as well. The boot process with this kernel is running smoothly up to the point when after loading modules from the initial ramdisk the hard drive should be accessed. This is a point when the process hangs. I suspect the problem is related to loading the SATA modules.

The problem has been recognized by others as well, but I could not find it in the list of reported bugs:
http://lists.debian.org/debian-kernel/2006/01/msg00716.html

The SATA relevant part of lspci -vvv:

:00:1f.2 IDE interface: Intel Corp. 82801FB/FW (ICH6/ICH6W) SATA Controller (rev 03) (prog-if 8f [Master SecP SecO PriP PriO])
        Subsystem: Dell: Unknown device 0179
        Control: I/O+ Mem- BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B-
        Status: Cap+ 66MHz+ UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- SERR-
Bug#355672: Boot hangs, but for different reasons
Package: linux-image-2.6.15-1-686-smp
Version: 2.6.15-7

Hi Guys,

Sorry for the previous bug report, I made a mistake. I thought that the hanging boot process was due to not recognising my SATA drive, but it was actually a hwclock related issue.

I upgraded the util-linux package and now I could see the error message from hwclock which was RTC related (waiting for clock tick timed out). I added an extra parameter to hwclock in /etc/init.d/hwclock.sh (HWCLOCKPARS="--directisa") and now it boots with no problem.

Regards,
Tibor Radvanyi
Bug#289690: cannot access some files with samba
Unfortunately I cannot reproduce the problem with cifs because I shifted to 2.6.10. I use smbfs with this kernel and do not experience any problem. I believe the bug has been fixed.

Steve Langasek wrote:

Does this bug also occur when using the cifs driver instead of the smbfs driver? It's my impression that the smbfs driver is no longer well-maintained upstream in 2.6, and that the cifs driver is a better choice. I'm not sure if we should consider this bug release-critical when there are lots of other problematic smbfs bugs out there even if this one gets fixed.
Bug#289690: (no subject)
Package: kernel-image-2.6.8-1-686
Version: 2.6.8-10

Dear Package Maintainer,

I am using Sarge, I have just done an apt-get dist-upgrade. My previous kernel was already 2.6.8 but it was also upgraded during the dist-upgrade.

I use pam_mount to mount NT server shares. It used to be working fine before the dist-upgrade, but now when I try to reach certain files (I tend to suspect that this is file size related) the command e.g. a cp just hangs then gives this:

cp ~/local/M/data/Docs/Form.doc ./
cp: reading `/home/tibor/local/M/data/Docs/Form.doc': Input/output error

At the same time I see this in /var/log/syslog:

Jan 10 15:35:05 matrix kernel: smb_proc_readX_data: offset is larger than SMB_READX_MAX_PAD or negative!
Jan 10 15:35:05 matrix kernel: smb_proc_readX_data: -59 > 64 || -59 < 0
Jan 10 15:35:35 matrix kernel: smb_add_request: request [d5509e60, mid=211] timed out!

The content of ~/.pam_mount.conf is the following:

volume user01 smb ebpsfile04 tradva01$ /home/tibor/local/M uid=tibor,gid=tibor - -
volume user01 smb ebpsgrpclust groups/home/tibor/local/S uid=tibor,gid=tibor - -
volume user01 smb ebpsduploIT /home/tibor/local/F uid=tibor,gid=tibor - -
volume user01 smb 10.10.1.15 movies/home/tibor/local/movies uid=tibor,gid=tibor - -

The relevant (not comment) lines /etc/security/pam_mount.conf

debug 0
mkmountpoint 1
fsckloop /dev/loop7
luserconf .pam_mount.conf
options_allow uid,gid,nosuid,nodev,loop,encryption
options_require uid,gid
lsof /usr/sbin/lsof %(MNTPT)
fsck /sbin/fsck -p %(FSCKLOOP)
losetup /sbin/losetup -p0 "%(before=\"-e \" CIPHER)" "%(before=\"-k \" KEYBITS)" %(FSCKLOOP) %(VOLUME)
unlosetup /sbin/losetup -d %(FSCKLOOP)
cifsmount /bin/mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
smbmount /usr/bin/smbmount //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
ncpmount /usr/bin/ncpmount %(SERVER)/%(USER) %(MNTPT) -o "pass-fd=0,volume=%(VOLUME)%(before=\",\" OPTIONS)"
smbumount /usr/bin/smbumount %(MNTPT)
ncpumount /usr/bin/ncpumount %(MNTPT)
umount /bin/umount %(MNTPT)
lclmount /bin/mount -p0 %(VOLUME) %(MNTPT) "%(before=\"-o \" OPTIONS)"
cryptmount /bin/mount -t crypt "%(before=\"-o \" OPTIONS)" %(VOLUME) %(MNTPT)
nfsmount /bin/mount %(SERVER):%(VOLUME) "%(MNTPT)%(before=\"-o \" OPTIONS)"
mntagain /bin/mount --bind %(PREVMNTPT) %(MNTPT)
pmvarrun /usr/sbin/pmvarrun -u %(USER) -d -o %(OPERATION)

The libc6 version I am using: 2.3.2.ds1-20

uname -a prints:
Linux matrix 2.6.8-1-686 #1 Thu Nov 25 04:34:30 UTC 2004 i686 GNU/Linux

I found the following post that may be useful:
http://lwn.net/Articles/112514/?format=printable

Regards,
Tibor
Bug#648766: [sparc-unstable] kernel crash
Package: linux-image-3.0.0-2-sparc64-smp
Version: 3.0.0-6

Hello,

On my Sunfire 280r there is a sil3112 chip based SATA1 dual port controller and there are two 1GB HDD on it in stripe and I use XFS on that stripe.

I use the unstable linux-image kernel because kernel in testing lastly tried kernel crashed at boot (http://old.nabble.com/Kernel-3.0-fails-to-boot-on-V240-td32376229.html)

On big workload the kernel (seems) randomly crashing:

[20101.827174] BUG: NMI Watchdog detected LOCKUP on CPU0, ip 0043922c, registers:
[20101.912687] TSTATE: 004480e01607 TPC: 0043922c TNPC: 00439230 Y: Not tainted
[20102.030413] TPC:
[20102.089769] g0: g1: 0040 g2: 0001 g3: 0001869d
[20102.193937] g4: f800fe09b2c0 g5: f800022ac000 g6: f800fe0b8000 g7:
[20102.298106] o0: 0001 o1: o2: o3:
[20102.402274] o4: o5: 0003 sp: f800fe0ba6b1 ret_pc: 0043924c
[20102.510610] RPC:
[20102.569985] l0: l1: 0016 l2: f800fe042000 l3: f800fe042040
[20102.674152] l4: l5: 0002 l6: 0001 l7:
[20102.778320] i0: 0050 i1: 0001 i2: 0002 i3: 0060
[20102.882488] i4: 000186a0 i5: i6: f800fe0ba771 i7: 00438f34
[20102.986656] I7:
[20103.035612] Call Trace:
[20103.064784] [00438f34] xcall_deliver+0xe8/0x110
[20103.128327] [00439ccc] smp_flush_tlb_pending+0x88/0xa0
[20103.199165] [004490b0] flush_tlb_pending+0x50/0x64
[20103.265829] [00502134] ptep_clear_flush+0x38/0x48
[20103.331459] [004fd6e4] try_to_unmap_one+0xa0/0x420
[20103.398120] [004fe25c] try_to_unmap_anon+0xc4/0x118
[20103.465829] [004fe368] try_to_unmap+0x60/0x9c
[20103.527289] [00510c10] migrate_pages+0x200/0x3d4
[20103.591878] [0050b078] compact_zone+0x6c0/0x708
[20103.655415] [0050b1f0] compact_zone_order+0x94/0xa8
[20103.723125] [0050b26c] try_to_compact_pages+0x68/0xcc
[20103.792926] [004de448] __alloc_pages_direct_compact+0x70/0x12c
[20103.872086] [004de970] __alloc_pages_nodemask+0x46c/0x760
[20103.946044] [00463f84] copy_process+0xac/0xd50
[20104.008545] [00464d40] do_fork+0xec/0x294
[20104.065842] [0042b66c] sparc_do_fork+0x30/0x4c
[20104.128333] Call Trace:
[20104.157509] [004209f4] tl0_irq15+0x14/0x20
[20104.215840] [0043922c] cheetah_xcall_deliver+0x1a8/0x240
[20104.288757] [00438f34] xcall_deliver+0xe8/0x110
[20104.352298] [00439ccc] smp_flush_tlb_pending+0x88/0xa0
[20104.423134] [004490b0] flush_tlb_pending+0x50/0x64
[20104.489800] [00502134] ptep_clear_flush+0x38/0x48
[20104.555428] [004fd6e4] try_to_unmap_one+0xa0/0x420
[20104.622095] [004fe25c] try_to_unmap_anon+0xc4/0x118
[20104.689802] [004fe368] try_to_unmap+0x60/0x9c
[20104.751260] [00510c10] migrate_pages+0x200/0x3d4
[20104.815845] [0050b078] compact_zone+0x6c0/0x708
[20104.879389] [0050b1f0] compact_zone_order+0x94/0xa8
[20104.947098] [0050b26c] try_to_compact_pages+0x68/0xcc
[20105.016892] [004de448] __alloc_pages_direct_compact+0x70/0x12c
[20105.096059] [004de970] __alloc_pages_nodemask+0x46c/0x760
[20105.170017] [00463f84] copy_process+0xac/0xd50

What could I do?

Cheers,
Tibor

--
To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/4ec18df7.60...@gmail.com
Bug#648766: [sparc-unstable] kernel crash
I found this very similar BUG report:
http://old.nabble.com/Ext4-stable-yet--td31660435.html

Kind Regards,
Tibor

--
To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/4ec396db.1060...@gmail.com