From: Florian Westphal <fw@strlen.de>
To: Fernando Fernandez Mancera <fmancera@suse.de>
Cc: netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
louis.t42@caramail.com
Subject: Re: [PATCH nf] netfilter: nft_connlimit: fix stale read of connection count
Date: Fri, 24 Oct 2025 13:02:38 +0200 [thread overview]
Message-ID: <aPtctiRlb9Pg9sNQ@strlen.de> (raw)
In-Reply-To: <6b0de8f3-d03a-4f12-b2f8-c87aeeef4847@suse.de>
Fernando Fernandez Mancera <fmancera@suse.de> wrote:
> On 10/24/25 1:20 AM, Fernando Fernandez Mancera wrote:
> > nft_connlimit_eval() reads priv->list->count to check if the connection
> > limit has been exceeded. This value can be cached by the CPU while it
> > can be decremented by a different CPU when a connection is closed. This
> > causes a data race as the value cached might be outdated.
> >
> > When a new connection is established and evaluated by the connlimit
> > expression, priv->list->count is incremented by nf_conncount_add(),
> > triggering the CPU's cache coherency protocol and therefore refreshing
> > the cached value before updating it.
> >
> > Solve this situation by reading the value using READ_ONCE().
> >
> > Fixes: df4a90250976 ("netfilter: nf_conncount: merge lookup and add functions")
> > Closes: https://lore.kernel.org/netfilter/trinity-85c72a88-d762-46c3-be97-36f10e5d9796-1761173693813@3c-app-mailcom-bs12/
> > Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
> > ---
>
> While at this, I have found another problem with connlimit although with
> this fix, it is partially mitigated. Since d265929930e2 ("netfilter:
> nf_conncount: reduce unnecessary GC"), if __nf_conncount_add() is called
> more than once during the same jiffy, the function won't check if the
> connection is already tracked and will be added right away incrementing
> the count. This can cause a situation where the count is greater than it
> should and can cause nft_connlimit to match wrongly for a few jiffies.
>
> I am open to suggestions on how to fix this.. as currently I don't have
> a different one other than reverting the commit..
People are not supposed to use it in this way.
This is very expensive, there is a reason why iptables-extensions
examples all use iptables --syn.
This needs a documentation fix.
Or, we could revert df4a90250976 and then only _add for ctinfo NEW.
next prev parent reply other threads:[~2025-10-24 11:02 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-23 23:20 [PATCH nf] netfilter: nft_connlimit: fix stale read of connection count Fernando Fernandez Mancera
2025-10-23 23:32 ` Fernando Fernandez Mancera
2025-10-24 11:02 ` Florian Westphal [this message]
2025-10-24 11:14 ` Fernando Fernandez Mancera
2025-10-24 11:33 ` Florian Westphal
2025-10-24 11:31 ` Florian Westphal
2025-10-24 11:55 ` Fernando Fernandez Mancera
2025-10-24 12:49 ` Florian Westphal
2025-10-24 13:04 ` Fernando Fernandez Mancera
2025-10-24 15:47 ` Fernando Fernandez Mancera
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aPtctiRlb9Pg9sNQ@strlen.de \
--to=fw@strlen.de \
--cc=coreteam@netfilter.org \
--cc=fmancera@suse.de \
--cc=louis.t42@caramail.com \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.