ACK: [SRU][J/N/Q][PATCH 0/1] iptables connlimit traffic loss

Vinicius Peixoto vinicius.peixoto at canonical.com
Thu May 7 15:50:18 UTC 2026


On Tue Apr 28, 2026 at 6:28 PM -03, Tim Whisonant wrote:
> BugLink: https://bugs.launchpad.net/bugs/2149872
>
> SRU Justification:
>
> [Impact]
>
> netfilter: nf_conncount: fix tracking of connections from localhost
>
> Since commit be102eb6a0e7 ("netfilter: nf_conncount: rework API to use
> sk_buff directly"), we skip the adding and trigger a GC when the ct is
> confirmed. For connections originated from local to local it doesn't
> work because the connection is confirmed on POSTROUTING, therefore
> tracking on the INPUT hook is always skipped.
>
> In order to fix this, we check whether skb input ifindex is set to
> loopback ifindex. If it is then we fall back on a GC plus track operation
> skipping the optimization. This fallback is necessary to avoid
> duplicated tracking of a packet train, e.g. 10 UDP datagrams sent in a
> burst when initiating the connection.
>
> Tested with xt_connlimit/nft_connlimit and OVS limit and with an HTTP
> server and iperf3 on UDP mode.
>
> [Fix]
>
> Resolute: not affected
> Questing: applied Jammy patch
> Noble:    applied Jammy patch
> Jammy:    cherry picked from upstream
> Focal:    not affected
> Bionic:   not affected
> Xenial:   not affected
> Trusty:   not affected
>
> [Test Plan]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> The change affects a worker routine for adding network connections
> in order to correct an invalid treatment of the loopback interface.
> Issues may manifest as unexpected behavior when using the loopback
> interface.
>
> Fernando Fernandez Mancera (1):
>   netfilter: nf_conncount: fix tracking of connections from localhost
>
>  net/netfilter/nf_conncount.c | 15 +++++++++++++--
>  1 file changed, 13 insertions(+), 2 deletions(-)

Acked-by: Vinicius Peixoto <vinicius.peixoto at canonical.com>
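The test plan above only covers compile and boot. The following is an added verification helper, not part of the SRU or of the upstream patch, that exercises the behaviour the fix addresses: it starts a local TCP listener, opens a burst of concurrent connections over loopback, and reports how many the kernel let through. On an unfiltered host every connection succeeds. With a connlimit rule on the loopback input path in place (for example, an assumed nftables rule of the form `ct count over 10 reject` matching `iif lo` and the chosen port; table and chain names are yours to adjust), a kernel carrying the nf_conncount loopback fix admits at most 10, while an unfixed kernel admits all of them because connections from localhost are confirmed on POSTROUTING and never counted on INPUT. The port defaults to a kernel-chosen one; pass a fixed port to match your rule.

```python
import socket
import threading

# Constructed example: not from the SRU or the upstream commit.  It measures how
# many concurrent loopback TCP connections the kernel accepts, which is what a
# connlimit rule on the INPUT hook is supposed to bound.


def _serve(listener, stop, accepted):
    # Accept connections until told to stop, and keep every accepted socket
    # open so the connections stay concurrent for conntrack/connlimit purposes.
    listener.settimeout(0.2)
    while not stop.is_set():
        try:
            conn, _ = listener.accept()
            accepted.append(conn)
        except socket.timeout:
            continue


def probe_loopback_connlimit(attempts=12, host="127.0.0.1", port=0, connect_timeout=1.0):
    """Open `attempts` concurrent connections to a local listener.

    Returns (bound_port, succeeded, failed).  A reject rule shows up as a
    refused connect, a drop rule as a connect timeout; both count as failed.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((host, port))          # port=0 lets the kernel pick one
    listener.listen(attempts)
    bound_port = listener.getsockname()[1]

    stop = threading.Event()
    accepted = []
    server = threading.Thread(target=_serve, args=(listener, stop, accepted), daemon=True)
    server.start()

    clients = []
    succeeded = failed = 0
    try:
        for _ in range(attempts):
            c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            c.settimeout(connect_timeout)
            try:
                c.connect((host, bound_port))
                clients.append(c)        # keep it open: it must stay concurrent
                succeeded += 1
            except OSError:              # ECONNREFUSED (reject) or timeout (drop)
                c.close()
                failed += 1
    finally:
        stop.set()
        server.join()
        for c in clients + accepted:
            c.close()
        listener.close()
    return bound_port, succeeded, failed


if __name__ == "__main__":
    port, ok, bad = probe_loopback_connlimit(attempts=12)
    print(f"port {port}: {ok} connections accepted, {bad} rejected/dropped")
```

Run it once with no rule to confirm all 12 succeed, then add the loopback connlimit rule for the chosen port and run it again: 10 accepted and 2 refused means the INPUT-hook count now includes connections originating from localhost.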
