Skip to content

NGFW-15626: Add Bookworm kernel 6.1.159 build support#12

Open
singhrohit23 wants to merge 9 commits intomasterfrom
NGFW-15626
Open

NGFW-15626: Add Bookworm kernel 6.1.159 build support#12
singhrohit23 wants to merge 9 commits intomasterfrom
NGFW-15626

Conversation

@singhrohit23
Copy link
Copy Markdown
Contributor

@singhrohit23 singhrohit23 commented Mar 5, 2026
edited
Loading

  • Add debian-6.1.159 kernel source, patches, and build config
  • Add bookworm entry to build-order.txt
  • Jenkinsfile: env-based repo selection (REPOSITORIES=bookworm), defaults to bullseye
  • docker-compose: defaults to bullseye, overridden by REPOSITORY env var
  • Add kernel patch test scripts for verification"

singhrohit23 and others added 7 commits March 6, 2026 13:35
@singhrohit23
Adding Paramter for distribution control
a9b1e29
@singhrohit23
Adding Parameters for specifiying architecture amd64 and Node_Label t…
f38e0e7 
…o build on nodes with more free disk
@singhrohit23
Trigger Jenkins rescan
4dc963c
@singhrohit23
UDP and kernel patches apply
f561b26
@singhrohit23
Make sure patches are applied only once
da32d50
@singhrohit23
Reverting again keeping original
8597bae
@singhrohit23 @claude
NGFW-15626: Fix NFQUEUE NF_DROP conntrack destruction on kernel 6.1
85ca158 
In kernel 6.1, nfqnl_reinject() only calls ct_hook->update() for
NF_ACCEPT/REPEAT/STOP verdicts. For NF_DROP, the unconfirmed
conntrack entry is destroyed when the skb is freed. This breaks
UDP proxy architectures where userspace drops the original packet
and re-sends via its own socket, relying on the conntrack entry
for reply NAT de-translation.

Add mark-gated opt-in patch (0007): when module parameter
nfqueue_confirm_drop_mark is set, packets with matching skb mark
get their conntrack entry confirmed before NF_DROP processing.

Version bumped to untangle2bookworm.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@singhrohit23 singhrohit23 force-pushed the NGFW-15626 branch 7 times, most recently from 3f559eb to 981eaca Compare April 18, 2026 15:51
@singhrohit23 @claude
NGFW-15626: Use guarded __nf_conntrack_confirm() for NFQUEUE NF_DROP
b68684b 
ct_hook->update() calls nf_confirm_cthelper() which returns early
without confirming when no conntrack helper is attached — the
common case for plain UDP. Confirmed via kprobes:
- nf_conntrack_update() returns 0 (success)
- __nf_conntrack_confirm() is never called from that path

Switch to calling __nf_conntrack_confirm() directly with guards:
- Only for unconfirmed entries (nf_ct_is_confirmed check)
- Only for tracked packets (nf_ct_get check)
- Only for marked packets (nfqueue_confirm_drop_mark)

Version bumped to untangle3bookworm.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mayur-dhande mayur-dhande mayur-dhande approved these changes

@DhirajM09 DhirajM09 Awaiting requested review from DhirajM09

@AristaKB AristaKB Awaiting requested review from AristaKB

@cblaise-untangle cblaise-untangle Awaiting requested review from cblaise-untangle

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@singhrohit23 @mayur-dhande