Package: linux
Version: 6.1.52-1
Severity: grave

Dear Maintainers,

linux-image-6.1.0-12-amd64 causes a serious regression in nftables. After 
upgrading one of my machines, nftables fails to start - leaving the system 
without an active firewall.

Doing
`nft -cf /etc/nftables.conf'
throws many "Operation not supported" errors on rulesets that have been in 
place for months without issues.

Just to give two simple examples from the log when nftables fails to start:
/etc/nftables.conf:99:4-44: Error: Could not process rule: Operation not 
supported
                        tcp option maxseg size 1-500 counter drop
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/etc/nftables.conf:308:4-27: Error: Could not process rule: Operation not 
supported
                        tcp dport sip-tls accept
                        ^^^^^^^^^^^^^^^^^^^^^^^^

Downgrading to linux-image-6.1.0-11-amd64 resolves the issue.

Notes: I'm running a local rebuild of linux-image-amd64 with a few additional 
symbols enabled. But since these symbols are totally unrelated to the netfilter 
subsystem and there are no changes to the source itself, I'm certain, this 
affects the original Debian build as well. Whether it only affects certain 
architectures or rulesets, I can't say, though.

I'm cc'ing debian-secur...@debian.org because the update came via the 
stable-security channel.


Thanks and regards,

Timo
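As an added example (not part of Timo's report or of the Debian kernel package), the following POSIX shell snippet shows the check a defender would run before trusting a firewall after a kernel upgrade: load the ruleset with `nft -c -f` against the running kernel and, on failure, extract the line number and text of every rejected rule from nft's error output. The sample error text is constructed here, modelled on the two errors quoted in the report; the function names are my own.

```shell
#!/bin/sh
# Constructed sample of nft -c -f error output, modelled on the two errors quoted above.
SAMPLE_NFT_ERRORS='/etc/nftables.conf:99:4-44: Error: Could not process rule: Operation not supported
                        tcp option maxseg size 1-500 counter drop
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/etc/nftables.conf:308:4-27: Error: Could not process rule: Operation not supported
                        tcp dport sip-tls accept
                        ^^^^^^^^^^^^^^^^^^^^^^^^'

# Read nft error output on stdin; print "LINE:RULE" for each rule nft rejected.
# nft prints the file:line:col-col prefix on the error line and the offending
# rule text on the following line, so the rule is taken from the next line.
failed_rules() {
    awk '/: Error: Could not process rule:/ {
             split($1, f, ":"); line = f[2]
             getline; sub(/^[ \t]+/, "")
             print line ":" $0
         }'
}

# Number of rules nft rejected in the error output on stdin.
count_failed() {
    failed_rules | wc -l | tr -d ' '
}

# Dry-run a ruleset file against the running kernel (hypothetical helper).
# Returns 0 when the whole file loads, 1 when any rule is rejected, so a
# pre-reboot or post-upgrade hook can refuse to proceed without a firewall.
check_ruleset() {
    file="$1"
    if out=$(nft -c -f "$file" 2>&1); then
        echo "OK: $file loads on kernel $(uname -r)"
        return 0
    fi
    echo "FAIL: $(printf '%s\n' "$out" | count_failed) rule(s) rejected on kernel $(uname -r):" >&2
    printf '%s\n' "$out" | failed_rules >&2
    return 1
}

# Offline demonstration on the constructed sample:
#   printf '%s\n' "$SAMPLE_NFT_ERRORS" | failed_rules
# Live use:  check_ruleset /etc/nftables.conf
```

Running `check_ruleset` from a kernel postinst hook or a monitoring check turns the silent "no active firewall" state described in the report into a loud, attributable failure, and the parsed rule list tells you which match expressions the new kernel no longer supports.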
