From: Florian Westphal <fw@strlen.de>
To: Michal Slabihoudek <michal.slabihoudek@gooddata.com>
Cc: netfilter@vger.kernel.org,
Jaroslav Pulchart <jaroslav.pulchart@gooddata.com>,
Tomas Klouda <tomas.klouda@gooddata.com>,
fmancera@suse.de
Subject: Re: [BUG] connlimit breaks localhost connections since 6.17.13
Date: Thu, 8 Jan 2026 18:15:12 +0100 [thread overview]
Message-ID: <aV_mILsZWZQg0SbW@strlen.de> (raw)
In-Reply-To: <6989BD9F-8C24-4397-9AD7-4613B28BF0DB@gooddata.com>
Michal Slabihoudek <michal.slabihoudek@gooddata.com> wrote:
[ CC Fernando ]
> This happens specifically when connecting from localhost to a non-localhost
> IP address (i.e. not in 127.0.0.0/8). The first connection succeeds, but
> subsequent connections immediately time out.
> Removing the iptables rule with the connlimit match fully resolves the issue.
>
> Expected behavior:
> • connlimit should only match and log packets
> • connection handling should remain unaffected when using -j LOG
>
> Actual behavior:
> • connections are silently dropped
> • client experiences TCP connection timeout
We have very little test cases or real world examples, especially
for iptables. Hence constant breakage is expected.
Fernando, can you please have a look?
> iptables rule used (for custom logging only):
> ```
> iptables -I INPUT -p tcp --dport 443 \
> --tcp-flags FIN,SYN,RST,ACK SYN \
> -m connlimit --connlimit-above 500 \
> --connlimit-mask 32 --connlimit-saddr \
> -j LOG --log-prefix "IPT-443: "
> ```
>
> iptables ruleset:
> ```
> Chain INPUT (policy ACCEPT)
> num pkts bytes target prot opt in out source destination
> 1 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0
> tcp dpt:443 flags:0x17/0x02 #conn src/32 > 500
> LOG flags 0 level 4 prefix "IPT-443: "
> ```
>
> Test case:
> First connection from localhost to instance IP (X.X.X.X):
> ```
> curl -I -L -k -m 3 https://X.X.X.X
> -> HTTP/2 200 OK
> ```
> Immediate second connection:
> ```
> curl -I -L -k -m 3 https://X.X.X.X
> -> curl: (28) Connection timed out after 3001 milliseconds
> ```
>
> Without the iptables rule applied, repeated connections succeed without
> any issue.
> Notes:
> • This looks like a regression introduced in 6.17.13
> • The behavior resembles an implicit drop, despite using LOG only
> • Regression might be introduced by https://github.com/torvalds/linux/commit/69894e5b4c5e28cda5f32af33d4a92b7a4b93b0e
>
> Please let me know if further debugging data (conntrack state, traces,or kernel logs) would be helpful.
>
> Best regards.
next prev parent reply other threads:[~2026-01-08 17:15 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-08 16:37 [BUG] connlimit breaks localhost connections since 6.17.13 Michal Slabihoudek
2026-01-08 17:15 ` Florian Westphal [this message]
2026-01-09 10:57 ` Fernando Fernandez Mancera
2026-01-13 11:19 ` Fernando Fernandez Mancera
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aV_mILsZWZQg0SbW@strlen.de \
--to=fw@strlen.de \
--cc=fmancera@suse.de \
--cc=jaroslav.pulchart@gooddata.com \
--cc=michal.slabihoudek@gooddata.com \
--cc=netfilter@vger.kernel.org \
--cc=tomas.klouda@gooddata.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.