Package: arno-iptables-firewall
Version: 2.1.1-6
Severity: normal
Tags: upstream
Control: forwarded -1 https://github.com/arno-iptables-firewall/aif/issues/88
The reason seems to be this change to the kernel:

linux (5.19.11-1) unstable; urgency=medium
[...]
  - netfilter: conntrack: NF_CONNTRACK_PROCFS should no longer default to y
[...]

In https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.19.7 I found

commit 7d4bfe34b9cbb0395cb9508fa64324d4a1379e00
Author: Geert Uytterhoeven <ge...@linux-m68k.org>
Date:   Mon Aug 15 12:39:20 2022 +0200

    netfilter: conntrack: NF_CONNTRACK_PROCFS should no longer default to y

    [ Upstream commit aa5762c34213aba7a72dc58e70601370805fa794 ]

    NF_CONNTRACK_PROCFS was marked obsolete in commit 54b07dca68557b09
    ("netfilter: provide config option to disable ancient procfs parts")
    in v3.3.

Excerpt from the logs of my personal machine:

[...]
Okt 30 09:49:12 e580sg systemd[1]: Starting Arno's Iptables Firewall(AIF)...
Okt 30 09:49:12 e580sg arno-iptables-firewall[2112]: Arno's Iptables Firewall(AIF) v2.1.1
Okt 30 09:49:12 e580sg arno-iptables-firewall[2112]: -------------------------------------------------------------------------------
Okt 30 09:49:12 e580sg arno-iptables-firewall[2112]: Platform: Linux 5.19.0-2-amd64 x86_64
Okt 30 09:49:12 e580sg arno-iptables-firewall[2112]: Netfilter iptables version: 1.8.8
Okt 30 09:49:12 e580sg firewall[2412]: ** Starting Arno's Iptables Firewall(AIF) v2.1.1 **
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Checking/probing Iptables modules:
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module ip_tables.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module ip6_tables.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module nf_conntrack.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module xt_conntrack.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module xt_limit.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module xt_state.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module xt_multiport.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module iptable_filter.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module ip6table_filter.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module iptable_mangle.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module ip6table_mangle.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module iptable_raw.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module ip6table_raw.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module ipt_REJECT.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module ip6t_REJECT.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module xt_LOG.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module xt_TCPMSS.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module iptable_nat.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module nf_nat.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module ipt_MASQUERADE.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Module check done...
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Setting the kernel ring buffer to only log panic messages to the console
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Configuring general kernel parameters:
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: net.netfilter.nf_conntrack_helper = 0
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Setting the max. amount of simultaneous connections to 16384
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: net.nf_conntrack_max = 16384
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: net.netfilter.nf_conntrack_udp_timeout = 60
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: net.netfilter.nf_conntrack_acct = 1
[...]
Okt 30 10:02:54 e580sg systemd[1]: Starting Arno's Iptables Firewall(AIF)...
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Arno's Iptables Firewall(AIF) v2.1.1
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: -------------------------------------------------------------------------------
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Platform: Linux 6.0.0-2-amd64 x86_64
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Netfilter iptables version: 1.8.8
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Checking/probing Iptables modules:
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module ip_tables.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module ip6_tables.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module nf_conntrack.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module xt_conntrack.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module xt_limit.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module xt_state.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module xt_multiport.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module iptable_filter.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module ip6table_filter.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module iptable_mangle.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module ip6table_mangle.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module iptable_raw.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module ip6table_raw.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module ipt_REJECT.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module ip6t_REJECT.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module xt_LOG.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module xt_TCPMSS.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module iptable_nat.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module nf_nat.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module ipt_MASQUERADE.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Module check done...
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Setting the kernel ring buffer to only log panic messages to the console
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Configuring general kernel parameters:
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Conntrack legacy automatic helper assignment is ENABLED
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Setting the max. amount of simultaneous connections to 16384
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: net.nf_conntrack_max = 16384
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: net.netfilter.nf_conntrack_udp_timeout = 60
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: net.netfilter.nf_conntrack_acct = 1
[...]
Output of "sysctl -a | grep conntrack":

net.netfilter.nf_conntrack_acct = 1
net.netfilter.nf_conntrack_buckets = 262144
net.netfilter.nf_conntrack_checksum = 1
net.netfilter.nf_conntrack_count = 52
net.netfilter.nf_conntrack_dccp_loose = 1
net.netfilter.nf_conntrack_dccp_timeout_closereq = 64
net.netfilter.nf_conntrack_dccp_timeout_closing = 64
net.netfilter.nf_conntrack_dccp_timeout_open = 43200
net.netfilter.nf_conntrack_dccp_timeout_partopen = 480
net.netfilter.nf_conntrack_dccp_timeout_request = 240
net.netfilter.nf_conntrack_dccp_timeout_respond = 480
net.netfilter.nf_conntrack_dccp_timeout_timewait = 240
net.netfilter.nf_conntrack_events = 2
net.netfilter.nf_conntrack_expect_max = 4096
net.netfilter.nf_conntrack_frag6_high_thresh = 4194304
net.netfilter.nf_conntrack_frag6_low_thresh = 3145728
net.netfilter.nf_conntrack_frag6_timeout = 60
net.netfilter.nf_conntrack_generic_timeout = 600
net.netfilter.nf_conntrack_gre_timeout = 30
net.netfilter.nf_conntrack_gre_timeout_stream = 180
net.netfilter.nf_conntrack_icmp_timeout = 30
net.netfilter.nf_conntrack_icmpv6_timeout = 30
net.netfilter.nf_conntrack_log_invalid = 0
net.netfilter.nf_conntrack_max = 16384
net.netfilter.nf_conntrack_sctp_timeout_closed = 10
net.netfilter.nf_conntrack_sctp_timeout_cookie_echoed = 3
net.netfilter.nf_conntrack_sctp_timeout_cookie_wait = 3
net.netfilter.nf_conntrack_sctp_timeout_established = 432000
net.netfilter.nf_conntrack_sctp_timeout_heartbeat_acked = 210
net.netfilter.nf_conntrack_sctp_timeout_heartbeat_sent = 30
net.netfilter.nf_conntrack_sctp_timeout_shutdown_ack_sent = 3
net.netfilter.nf_conntrack_sctp_timeout_shutdown_recd = 0
net.netfilter.nf_conntrack_sctp_timeout_shutdown_sent = 0
net.netfilter.nf_conntrack_tcp_be_liberal = 0
net.netfilter.nf_conntrack_tcp_ignore_invalid_rst = 0
net.netfilter.nf_conntrack_tcp_loose = 1
net.netfilter.nf_conntrack_tcp_max_retrans = 3
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 432000
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300
net.netfilter.nf_conntrack_timestamp = 0
net.netfilter.nf_conntrack_udp_timeout = 60
net.netfilter.nf_conntrack_udp_timeout_stream = 120
net.nf_conntrack_max = 16384

At least nf_conntrack_helper is missing.

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-3-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages arno-iptables-firewall depends on:
ii  debconf [debconf-2.0]  1.5.82
ii  gawk                   1:5.1.0-1
ii  iproute2               6.1.0-1
ii  iptables               1.8.9-2
ii  kmod                   30+20221128-1
ii  procps                 2:4.0.2-3

Versions of packages arno-iptables-firewall recommends:
ii  bind9-dnsutils [dnsutils]  1:9.18.11-2
ii  curl                       7.87.0-2
ii  dnsutils                   1:9.18.11-2
ii  rsyslog                    8.2212.0-1

Versions of packages arno-iptables-firewall suggests:
pn  rpcbind  <none>

-- Configuration Files:
/etc/arno-iptables-firewall/custom-rules changed [not included]

-- debconf information excluded
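A sanity check for the situation in this report, added here and not part of the bug report or of arno-iptables-firewall: it reads the nf_conntrack_helper toggle the firewall tries to set and distinguishes a value of 0 or 1 from the key being absent (as in the sysctl output above), instead of letting a failed read show up as "helper assignment ENABLED". It also reports whether /proc/net/nf_conntrack, the table CONFIG_NF_CONNTRACK_PROCFS provides, exists. The root-directory argument is an assumption added so the functions can be run against a constructed directory tree rather than the live /proc.

```shell
#!/bin/sh
# Added example (not from the bug report or the AIF project).
# Both functions take an optional root so they can be pointed at a
# constructed tree for testing; the defaults are the live kernel paths.

# conntrack_helper_state [SYSCTL_ROOT]
#   Prints one word and returns:
#     disabled   -> key present, value 0          (exit 0)
#     enabled    -> key present, value 1          (exit 1)
#     absent     -> key not exposed by kernel     (exit 2)
#     unreadable -> key present, unexpected value (exit 3)
conntrack_helper_state() {
  root="${1:-/proc/sys}"
  key="$root/net/netfilter/nf_conntrack_helper"
  if [ ! -e "$key" ]; then
    # Absence is a distinct state: the kernel no longer offers the toggle,
    # so "sysctl -w" failing must not be reported as "helper enabled".
    echo "absent"
    return 2
  fi
  val=$(cat "$key" 2>/dev/null | tr -d '[:space:]')
  case "$val" in
    0) echo "disabled";   return 0 ;;
    1) echo "enabled";    return 1 ;;
    *) echo "unreadable"; return 3 ;;
  esac
}

# conntrack_procfs_state [PROC_ROOT]
#   Prints "present" if the conntrack procfs table exists, else "absent".
#   /proc/net/nf_conntrack is only there with CONFIG_NF_CONNTRACK_PROCFS=y.
conntrack_procfs_state() {
  root="${1:-/proc}"
  if [ -e "$root/net/nf_conntrack" ]; then
    echo "present"
  else
    echo "absent"
  fi
}

# Usage on a live system (run as root):
#   echo "helper: $(conntrack_helper_state)  procfs: $(conntrack_procfs_state)"
```

A firewall script that wraps its sysctl write with this kind of check can log "toggle not present in this kernel" rather than a misleading ENABLED status.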