Your message dated Sat, 16 Sep 2023 18:02:59 +0000 with message-id <[email protected]> and subject line Bug#1051592: fixed in nftables 1.0.6-2+deb12u2 has caused the Debian Bug report #1051592, regarding linux: Regression - upgrade to 6.1.52-1 breaks nftables to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 1051592: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051592 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: linux Version: 6.1.52-1 Severity: grave Dear Maintainers, linux-image-6.1.0-12-amd64 causes a serious regression in nftables. After upgrading one of my machines, nftables fails to start - leaving the system without an active firewall. Doing `nft -cf /etc/nftables.conf' throws many "Operation not supported" errors on rulesets that have been in place for months wihtout issues. Just to give two simple examples from the log when nftables fails to start: /etc/nftables.conf:99:4-44: Error: Could not process rule: Operation not supported tcp option maxseg size 1-500 counter drop ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ /etc/nftables.conf:308:4-27: Error: Could not process rule: Operation not supported tcp dport sip-tls accept ^^^^^^^^^^^^^^^^^^^^^^^^ Downgrading to linux-image-6.1.0-11-amd64 resolves the issue. Notes: I'm running a local rebuild of linux-image-amd64 with a few additional symbols enabled. But since these symbols are totally unrelated to the netfilter subsystem and there are no changes to the source itself, I'm certain, this affects the original Debian build as well. Whether it only affects certain architectures or rulesets, I can't say, though. I'm cc'ing [email protected] because the update came via the stable-security channel. Thanks and regards, Timo
--- End Message ---
--- Begin Message ---Source: nftables Source-Version: 1.0.6-2+deb12u2 Done: Salvatore Bonaccorso <[email protected]> We believe that the bug you reported is fixed in the latest version of nftables, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Salvatore Bonaccorso <[email protected]> (supplier of updated nftables package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sat, 16 Sep 2023 07:47:15 +0200 Source: nftables Architecture: source Version: 1.0.6-2+deb12u2 Distribution: bookworm Urgency: medium Maintainer: Debian Netfilter Packaging Team <[email protected]> Changed-By: Salvatore Bonaccorso <[email protected]> Closes: 1051592 Changes: nftables (1.0.6-2+deb12u2) bookworm; urgency=medium . * [136245a] Fix incorrect bytecode generation hit with new kernel check that rejects adding rules to bound chains (Closes: #1051592) - rule: add helper function to expand chain rules intoi commands - rule: expand standalone chain that contains rules - src: expand table command before evaluation Checksums-Sha1: 2d4f8f425c28129f4b4c31c3bfeeaa7f0f9636db 2630 nftables_1.0.6-2+deb12u2.dsc aaba84a09051e7057bf15418f7cedb936ca63c67 26268 nftables_1.0.6-2+deb12u2.debian.tar.xz Checksums-Sha256: 413d0a649ec540b6a296673ccc66a45498bcb6e6d7eae7ac5f8e3ceac4107291 2630 nftables_1.0.6-2+deb12u2.dsc 529dcfde172cfc9fc33b1efa2a19b35ddf82b13aab8cd5b233d81e4008a95edf 26268 nftables_1.0.6-2+deb12u2.debian.tar.xz Files: cc5485484935ac92ae92ebbe984e5097 2630 net important nftables_1.0.6-2+deb12u2.dsc 0cdefcc4793d5134ce8e6b877aca50b4 26268 net important nftables_1.0.6-2+deb12u2.debian.tar.xz -----BEGIN PGP SIGNATURE----- iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmUFQfxfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk ZWJpYW4ub3JnAAoJEAVMuPMTQ89EozEP/29wEpNhFeRSLwuAax4FFRrt3Ycz2ew1 FHyQ0atuwhHTMeeoWR5TwiqZpMN+AiBFZ23tzwmDjLsLZn+zmxYsN/95HrKdRsgA onymtCaX8oita33YFyBFuVEHeeVC3XC1HK8uXZKLi1DOiogEqht7xZXrPc/0yQvx 6V/pqZfannvcNUkvldvwOnulHoLO/mr8QtRtRH0pI8L5eQc0PrlnsZ1hyD8Ui9bQ bzkncukyC9WQmn97v5ex9d4brP3jNEMSaVpQVn0c9Xdi3B6zcbAeQwssUWmhtK0P FDz9C1hOlv7lg/KB2py9ckWNY2YKAdwmUszzBDoErg3p2GQD07AbZyEkiZRRJWs+ l5HvjjKR6CScECYQ/RxsdLfGy0IUUlFbuoZNER0ymQcU2Tf4bF93yT7agEcXHIBG KFJlJ9SzlZeSsFdLuESN4fjM5J6BnFN/Rl7e99VvpPi5iYWUHDE04kKTHldR2H3C 57uURFBHsSD84QEll0qSDsNVEDxcVDXsEuanGyQaydRtNlxNpQBFLiieaWpOmdl7 OdFRo7S2eY5aiXd/6PupQ9lHDbw5GnCMtqdGON2HJ3U41MoAZbztI39msEqzu1EH MxGZsl3B+t0eZvlQWKx8T0jHlcMCJTmDenZQsiJ2ARiW+uOFpC5gBjdOzk7YP55t IRLq9Dn+8ZPQ =TJ9N -----END PGP SIGNATURE-----
--- End Message ---
