[SRU][J/N/Q][PATCH 0/1] iptables connlimit traffic loss

Tim Whisonant tim.whisonant at canonical.com
Tue Apr 28 21:28:31 UTC 2026


BugLink: https://bugs.launchpad.net/bugs/2149872

SRU Justification:

[Impact]

netfilter: nf_conncount: fix tracking of connections from localhost

Since commit be102eb6a0e7 ("netfilter: nf_conncount: rework API to use
sk_buff directly"), we skip the adding and trigger a GC when the ct is
confirmed. For connections originated from local to local it doesn't
work because the connection is confirmed on POSTROUTING, therefore
tracking on the INPUT hook is always skipped.

In order to fix this, we check whether skb input ifindex is set to
loopback ifindex. If it is then we fall back on a GC plus track operation
skipping the optimization. This fallback is necessary to avoid
duplicated tracking of a packet train, e.g. 10 UDP datagrams sent on a
burst when initiating the connection.

Tested with xt_connlimit/nft_connlimit and OVS limit and with an HTTP
server and iperf3 on UDP mode.
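
The hook-ordering problem the commit message describes, as an added model written for this cover letter (not kernel code and not taken from the patch): the class mimics the confirmed-ct shortcut and the loopback fallback, the hook names follow the message, while the ifindex values, the `live` set used for GC and the function names are assumptions.

```python
LOOPBACK_IFINDEX = 1  # assumed ifindex of the loopback device in this model
ETH_IFINDEX = 2       # assumed ifindex of a physical NIC in this model


class ConnCount:
    """Model of the per-rule connection set kept by nf_conncount."""

    def __init__(self, loopback_fallback):
        self.loopback_fallback = loopback_fallback  # True models the fix
        self.tracked = set()

    def gc(self, live):
        # Drop entries whose conntrack entry no longer exists.
        self.tracked &= live

    def count(self, ct_id, ct_confirmed, skb_iif, live):
        """Handle one packet at the INPUT hook; return the tracked count."""
        fallback = self.loopback_fallback and skb_iif == LOOPBACK_IFINDEX
        if ct_confirmed and not fallback:
            # Optimisation since be102eb6a0e7: a confirmed ct was added when
            # it was still new, so only garbage-collect here.
            self.gc(live)
        else:
            # New ct, or a loopback ct: GC plus track. Using a set means the
            # datagrams of one burst on the same ct are not double counted.
            self.gc(live)
            self.tracked.add(ct_id)
        return len(self.tracked)


def remote_to_local(counter, flows, burst=10):
    """Remote peer: the first packet reaches INPUT before the ct is confirmed
    (confirmation happens at the end of INPUT), later packets after."""
    live, seen = set(), 0
    for ct_id in range(flows):
        live.add(ct_id)
        for i in range(burst):
            seen = counter.count(ct_id, i > 0, ETH_IFINDEX, live)
    return seen


def local_to_local(counter, flows, burst=10):
    """Local peer: the ct is confirmed on POSTROUTING, so every packet that
    loops back to INPUT already carries a confirmed ct."""
    live, seen = set(), 0
    for ct_id in range(flows):
        live.add(ct_id)
        for _ in range(burst):
            seen = counter.count(ct_id, True, LOOPBACK_IFINDEX, live)
    return seen
```

With the fallback disabled, local-to-local flows are never counted (the rule sees only confirmed cts), so a connlimit on loopback never trips; with it enabled each local flow is counted once despite the 10-datagram burst.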

[Fix]

Resolute: not affected
Questing: applied Jammy patch
Noble:    applied Jammy patch
Jammy:    cherry picked from upstream
Focal:    not affected
Bionic:   not affected
Xenial:   not affected
Trusty:   not affected

[Test Plan]

Compile and boot tested.

[Where problems could occur]

The change affects a worker routine for adding network connections
in order to correct an invalid treatment of the loopback interface.
Issues may manifest as unexpected behavior when using the loopback
interface.

Fernando Fernandez Mancera (1):
  netfilter: nf_conncount: fix tracking of connections from localhost

 net/netfilter/nf_conncount.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

-- 
2.43.0