From: Florian Westphal <fw@strlen.de>
To: Fernando Fernandez Mancera <fmancera@suse.de>
Cc: netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
pablo@netfilter.org, phil@nwl.cc,
Michal Slabihoudek <michal.slabihoudek@gooddata.com>
Subject: Re: [PATCH nf-next] netfilter: nf_conncount: fix tracking of connections from localhost
Date: Mon, 19 Jan 2026 01:21:51 +0100
Message-ID: <aW15H8M9tjLRHSED@strlen.de>
In-Reply-To: <7d24517c-1209-49cc-a9cc-26eaf1a0e49e@suse.de>
Fernando Fernandez Mancera <fmancera@suse.de> wrote:
> After a quick test, it works for local connections. Although it doesn't
> work for reverse-connlimit on INPUT. Consider the following ruleset:
>
> iptables -I INPUT -p tcp --sport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m
> connlimit --connlimit-above 100 -j LOG --log-prefix "Exceeded limit
> established connections to 443"
Mhh, what is that supposed to do?
'sport 80' meaning that we're client and we're receiving back a syn/ack?
The rule only matches syn packets.
I'm confused what this should accomplish.
> To clarify this is the diff:
>
> diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
> index 5588cd0fcd9a..339aaf5e3393 100644
> --- a/net/netfilter/nf_conncount.c
> +++ b/net/netfilter/nf_conncount.c
> @@ -182,7 +182,7 @@ static int __nf_conncount_add(struct net *net,
> /* connections from localhost are confirmed almost
> instantly,
> * check if there has been a reply
> */
> - if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
> + if (skb->skb_iif != 1) {
> err = -EEXIST;
> goto out_put;
> }
>
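Review bot: the comment directly above the changed line still reads "check if there has been a reply", but the new condition `+ if (skb->skb_iif != 1) {` no longer looks at IPS_SEEN_REPLY_BIT at all; it keys on the ingress interface index, so the comment needs to say that a confirmed entry is treated as already counted unless the packet came in over loopback (the prerouting-after-confirmation case). Hard-coding `1` as the loopback ifindex is also a magic number; the kernel's `LOOPBACK_IFINDEX` constant, or `net->loopback_dev->ifindex` since `net` is already a parameter of `__nf_conncount_add`, expresses the intent without it. Worth a second look as well: with the `!= 1` test every non-loopback packet that reaches this branch now returns -EEXIST, where before only entries that had already seen a reply did, so the enclosing condition (outside the hunk) must ensure this path is only taken for already-confirmed entries.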
> I will send a V2 and ask for testing from Michal if possible.
Thanks! connlimit is very old and there is no formal spec as
to what it's supposed to do, so I suspect we should try to at least
fix the reported regression. I'm fine with both approaches
(REPLY and iif test), but the iif one would be 'better' in the sense
that it's a clear workaround for the more shady corner case :-)
Would you mind updating the comment as well to explain that
this is related to loopback traffic, with conncount sitting
in prerouting and thus after conntrack confirmation?
Thanks!