Yay!

🎉

Pity ZFS doesn't have 4.9 support in stable release yet.

Any idea why this broke some of our tests? I tested that reverting this would fix nixos.tests.nat.standalone.x86_64-linux; the other NAT test is probably the same and there might be more (these two are now blocking unstable-small).

This seems to be the root symptom (it's an FTP session):

client# > EPRT |1|192.168.1.1|37984|
-client# < 200 EPRT command successful. Consider using EPSV.
+client# < 500 Illegal EPRT command.

That is, active FTP stops working while passive seems still OK.

This is a new thing in the log:

client# [    4.777473] nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.
router# [    5.021706] nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.

Have you checked that this isn't just a transient failure? It seems very odd that an application-level FTP issue (illegal command) would be caused by a kernel bump...

I did, of course. Hydra tried several times and I also tried locally once (and once with kernel reverted).

I suspect some changes in netfilter might've broken our firewall rules, but my knowledge around these things is almost void.

Probably to do with https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/firewall.nix#L427-L444

@vcunat regarding zfs: #21578

(I didn't mention ZFS.)

@dwe11er regarding zfs: #21578