Hi Vladimir, thanks for your report.
On 11 May 2017 at 10:02, Vladimir Kudrya <pzs...@yandex.ru> wrote:
> Package: nftables
> Version: 0.7-1
> Severity: normal
>
> Dear Maintainer, since with recent kernel ct helpers are not automatic, it is
> required to manually assign them via firewall.
>
> With current combination of nftables and kernel in Debian stretch the approach
> to setting helpers documented upstream is not supported:
> https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_connection_tracking_metainformation
>

It's true, I wrote that upstream documentation (and just updated it) with more info: you need nftables >= 0.8 and kernel >= 4.12 for this feature.

> Or at least no documentation available on how to do it, which is bad since
> migration to nftables is encouraged in stretch.

In your particular case, you will have to wait a bit until the code lands in Debian. This feature will be included eventually in stretch-backports as well, so you could start migrating now and wait for these concrete bits later.