From: Florian Westphal <fw@strlen.de>
To: Fernando Fernandez Mancera <fmancera@suse.de>
Cc: netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
	pablo@netfilter.org, phil@nwl.cc,
	Michal Slabihoudek <michal.slabihoudek@gooddata.com>
Subject: Re: [PATCH nf-next v2] netfilter: nf_conncount: fix tracking of connections from localhost
Date: Mon, 19 Jan 2026 21:45:10 +0100
Message-ID: <aW6X1kBQ8clOAL76@strlen.de>
In-Reply-To: <20260119203546.11207-1-fmancera@suse.de>

Fernando Fernandez Mancera <fmancera@suse.de> wrote:
> Since commit be102eb6a0e7 ("netfilter: nf_conncount: rework API to use
> sk_buff directly"), we skip the adding and trigger a GC when the ct is
> confirmed. For connections originated from local to local it doesn't
> work because the connection is confirmed on POSTROUTING, therefore
> tracking on the INPUT hook is always skipped.
> 
> In order to fix this, we check whether skb input ifindex is set to
> loopback ifindex. If it is then we fall back on a GC plus track operation
> skipping the optimization. This fallback is necessary to avoid
> duplicated tracking of a packet train e.g. 10 UDP datagrams sent on a
> burst when initiating the connection.
> 
> Tested with xt_connlimit/nft_connlimit and OVS limit and with an HTTP
> server and iperf3 on UDP mode.

LGTM, thanks Fernando.  But shouldn't this go via nf tree?
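
The behaviour described in the quoted commit message, as an added userspace model that is not code from the patch or from the kernel: with the confirmed-ct skip alone a local-to-local burst is never counted, and with the loopback fallback it is counted exactly once. All struct and function names here are hypothetical, and the list is a plain array standing in for the conncount list.

```c
#include <stdbool.h>
#include <stddef.h>

#define LOOPBACK_IFINDEX 1   /* model constant for the loopback device */
#define MAX_TRACKED 16

/* Hypothetical stand-ins for the skb/conntrack state and the conncount list. */
struct pkt { int conn_id; bool ct_confirmed; int iif; };
struct conn_list { int ids[MAX_TRACKED]; size_t n; };

/* Add a connection; with dedupe set, skip it when it is already tracked. */
static void track(struct conn_list *l, int id, bool dedupe)
{
    for (size_t i = 0; dedupe && i < l->n; i++)
        if (l->ids[i] == id)
            return;
    if (l->n < MAX_TRACKED)
        l->ids[l->n++] = id;
}

/* fixed=false models the confirmed-ct skip alone; fixed=true adds the loopback check. */
static void conncount_add(struct conn_list *l, const struct pkt *p, bool fixed)
{
    if (!p->ct_confirmed)
        track(l, p->conn_id, false);    /* unconfirmed ct: plain add */
    else if (fixed && p->iif == LOOPBACK_IFINDEX)
        track(l, p->conn_id, true);     /* local to local: fallback, no duplicates */
    /* any other confirmed ct: the add is skipped */
}

/* Feed a 10-packet burst of one connection; return the number of tracked connections. */
static size_t burst(bool fixed, bool first_confirmed, int iif)
{
    struct conn_list l = { .n = 0 };
    for (int i = 0; i < 10; i++) {
        struct pkt p = { 7, first_confirmed || i > 0, iif };
        conncount_add(&l, &p, fixed);
    }
    return l.n;
}

int main(void)
{
    /* Exit status 0 when the local burst is tracked exactly once with the fix. */
    return burst(true, true, LOOPBACK_IFINDEX) == 1 ? 0 : 1;
}
```

In this model a flow arriving on a non-loopback interface (first packet unconfirmed) is counted once with or without the fallback, so only the local-to-local case changes.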
