APPLIED: [SRU][J/N/Q][PATCH 0/1] iptables connlimit traffic loss

Edoardo Canepa edoardo.canepa at canonical.com
Fri May 8 20:10:12 UTC 2026


Applied to J/N/Q:linux/master-next. Thanks.

On 4/28/26 23:28, Tim Whisonant wrote:
> BugLink: https://bugs.launchpad.net/bugs/2149872
>
> SRU Justification:
>
> [Impact]
>
> netfilter: nf_conncount: fix tracking of connections from localhost
>
> Since commit be102eb6a0e7 ("netfilter: nf_conncount: rework API to use
> sk_buff directly"), we skip the adding and trigger a GC when the ct is
> confirmed. For connections originated from local to local it doesn't
> work because the connection is confirmed on POSTROUTING, therefore
> tracking on the INPUT hook is always skipped.
>
> In order to fix this, we check whether skb input ifindex is set to
> loopback ifindex. If it is then we fall back on a GC plus track operation
> skipping the optimization. This fallback is necessary to avoid
> duplicated tracking of a packet train e.g. 10 UDP datagrams sent on a
> burst when initiating the connection.
>
> Tested with xt_connlimit/nft_connlimit and OVS limit and with an HTTP
> server and iperf3 on UDP mode.
>
> [Fix]
>
> Resolute: not affected
> Questing: applied Jammy patch
> Noble:    applied Jammy patch
> Jammy:    cherry picked from upstream
> Focal:    not affected
> Bionic:   not affected
> Xenial:   not affected
> Trusty:   not affected
>
> [Test Plan]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> The change affects a worker routine for adding network connections
> in order to correct an invalid treatment of the loopback interface.
> Issues may manifest as unexpected behavior when using the loopback
> interface.
>
> Fernando Fernandez Mancera (1):
>    netfilter: nf_conncount: fix tracking of connections from localhost
>
>   net/netfilter/nf_conncount.c | 15 +++++++++++++--
>   1 file changed, 13 insertions(+), 2 deletions(-)
>
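An added illustration, not part of this thread or of the kernel patch: a simplified C model of the tracking decision described under [Impact], showing why a confirmed local-to-local connection was never tracked and why the fallback scans before tracking. The struct and function names and the NAIVE_ADD mode are hypothetical; only the confirmed-skip, the loopback ifindex check and the duplicate-avoiding fallback come from the cover letter.

```c
#include <stdbool.h>
#include <stdio.h>
#define LOOPBACK_IFINDEX 1 /* same value as the kernel macro */
#define MAX_CONNS 64
/* Hypothetical stand-ins for the skb/ct state seen on the INPUT hook. */
struct pkt { int conn_id; int iif; bool confirmed; };
struct conn_list { int ids[MAX_CONNS]; int n; };
enum mode { BEFORE_FIX, NAIVE_ADD, WITH_FIX };

static bool tracked(const struct conn_list *l, int id)
{
    for (int i = 0; i < l->n; i++)
        if (l->ids[i] == id)
            return true;
    return false;
}

/* Model of the add decision; returns the list length afterwards. */
static int conncount_add(struct conn_list *l, const struct pkt *p, enum mode m)
{
    bool dedupe = true;
    if (p->confirmed) {
        if (m == BEFORE_FIX || p->iif != LOOPBACK_IFINDEX)
            return l->n;          /* confirmed: adding is skipped */
        dedupe = (m == WITH_FIX); /* fallback scans before tracking */
    }
    if (dedupe && tracked(l, p->conn_id))
        return l->n;              /* packet train: already tracked */
    if (l->n < MAX_CONNS)
        l->ids[l->n++] = p->conn_id;
    return l->n;
}

/* Constructed input: a burst from one connection already confirmed on POSTROUTING. */
static int count_after_burst(enum mode m, int iif, int burst)
{
    struct conn_list l = { .n = 0 };
    struct pkt p = { .conn_id = 42, .iif = iif, .confirmed = true };
    for (int i = 0; i < burst; i++)
        conncount_add(&l, &p, m);
    return l.n;
}

int main(void)
{
    for (int m = BEFORE_FIX; m <= WITH_FIX; m++)
        printf("mode %d: %d tracked\n", m, count_after_burst((enum mode)m, LOOPBACK_IFINDEX, 10));
    return 0;
}
```

NAIVE_ADD models tracking every confirmed loopback packet without a scan, which is the duplicated tracking of a packet train that the fallback is meant to avoid.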
