From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Fernando Fernandez Mancera <fmancera@suse.de>
Cc: netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
	fw@strlen.de, phil@nwl.cc, aconole@redhat.com,
	echaudro@redhat.com, i.maximets@ovn.org
Subject: Re: [PATCH 0/6 nf-next v3] netfilter: rework conncount API to receive sk_buff directly
Date: Fri, 21 Nov 2025 00:43:18 +0100
Message-ID: <aR-nlkm8RrHZsCbP@calendula>
In-Reply-To: <20251112114351.3273-2-fmancera@suse.de>

Hi Fernando,

On Wed, Nov 12, 2025 at 12:43:46PM +0100, Fernando Fernandez Mancera wrote:
> This series is fixing two different problems. The first issue is related
> to duplicated entries when used for non-confirmed connections in
> nft_connlimit and xt_connlimit. Now, nf_conncount_add() checks whether
> the connection is confirmed or not. If the connection is confirmed,
> skip the add.
> 
> In order to do that, the nf_conncount_count_skb() and nf_conncount_add_skb()
> APIs have been introduced. They allow the user to pass the sk_buff
> directly. The old API has been removed.
> 
> The second issue this series is fixing is related to
> nft_connlimit/xt_connlimit not updating the list of connections for
> confirmed connections, breaking soft-limiting use cases like limiting the
> bandwidth when too many connections are open.
> 
> This has been tested with nftables and iptables both in filter and raw
> priorities. I have stressed the system up to 2000 connections.
> 
> CC'ing openvswitch maintainers as this change on the API required me to
> touch their code. I am not very familiar with the internals of
> openvswitch but I believe this should be fine. If you could provide some
> testing from openvswitch side it would be really helpful.
> 
> Fernando Fernandez Mancera (6):
>   netfilter: nf_conncount: introduce new nf_conncount_count_skb() API
>   netfilter: xt_connlimit: use nf_conncount_count_skb() directly
>   openvswitch: use nf_conncount_count_skb() directly
>   netfilter: nf_conncount: pass the sk_buff down to __nf_conncount_add()

I have collapsed these initial four patches (1-4) to see how it
looks:

 include/net/netfilter/nf_conntrack_count.h |   17 ++++-----
 net/netfilter/nf_conncount.c               |  159 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--------------------------
 net/netfilter/nft_connlimit.c              |   21 +----------
 net/netfilter/xt_connlimit.c               |   14 +------
 net/openvswitch/conntrack.c                |   16 ++++----
 5 files changed, 133 insertions(+), 94 deletions(-)

It is a bit large, but I find it easier to understand the goal,
because this patch is pushing down the skb into the conncount core and
adapting callers at the same time, which is what Florian suggested.

Then, another patch to add the special -EINVAL case for already
confirmed conntracks that is in patch 6/6 in this series. This is to
deal with the new use-case of using ct count really for counting, not
just for limiting.

Finally, the gc consolidation.

I pushed it to this branch in nf-next.git,

        https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git/log/?h=tentative-conncount-series

NOTE: commit messages would need an adjustment.

Sidenote: Not related, but connlimit does not work for the bridge and
netdev families because of nft_pf(). This relates to another topic
that is being discussed about how to handle vlan/pppoe packets.
**No need to address this in this series**, just mentioning it.

Thread overview: 9+ messages
2025-11-12 11:43 [PATCH 0/6 nf-next v3] netfilter: rework conncount API to receive sk_buff directly Fernando Fernandez Mancera
2025-11-12 11:43 ` [PATCH 1/6 nf-next v3] netfilter: nf_conncount: introduce new nf_conncount_count_skb() API Fernando Fernandez Mancera
2025-11-12 11:43 ` [PATCH 2/6 nf-next v3] netfilter: xt_connlimit: use nf_conncount_count_skb() directly Fernando Fernandez Mancera
2025-11-12 11:43 ` [PATCH 3/6 nf-next v3] openvswitch: " Fernando Fernandez Mancera
2025-11-12 11:43 ` [PATCH 4/6 nf-next v3] netfilter: nf_conncount: pass the sk_buff down to __nf_conncount_add() Fernando Fernandez Mancera
2025-11-12 11:43 ` [PATCH 5/6 nf-next v3] netfilter: nf_conncount: make nf_conncount_gc_list() to disable BH Fernando Fernandez Mancera
2025-11-12 11:43 ` [PATCH 6/6 nf-next v3] netfilter: nft_connlimit: update the count if add was skipped Fernando Fernandez Mancera
2025-11-20 23:43 ` Pablo Neira Ayuso [this message]
2025-11-21  0:16   ` [PATCH 0/6 nf-next v3] netfilter: rework conncount API to receive sk_buff directly Fernando Fernandez Mancera