From: Florian Westphal <fw@strlen.de>
To: Fernando Fernandez Mancera <fmancera@suse.de>
Cc: netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
	pablo@netfilter.org, phil@nwl.cc,
	Michal Slabihoudek <michal.slabihoudek@gooddata.com>
Subject: Re: [PATCH nf-next] netfilter: nf_conncount: fix tracking of connections from localhost
Date: Sun, 18 Jan 2026 13:22:56 +0100	[thread overview]
Message-ID: <aWzQoFTl6Cf4Vt3T@strlen.de> (raw)
In-Reply-To: <20260118111316.4643-1-fmancera@suse.de>

Fernando Fernandez Mancera <fmancera@suse.de> wrote:
> Since commit be102eb6a0e7 ("netfilter: nf_conncount: rework API to use
> sk_buff directly"), we skip the adding and trigger a GC when the ct is
> confirmed. For connections originated from local to local it doesn't
> work because the connection is confirmed from an early stage, therefore
> tracking is always skipped.

Alternative:

@@ -415,7 +415,7 @@ insert_tree(struct net *net,
                        if (ret && ret != -EEXIST)
                                count = 0; /* hotdrop */
                        else
-                               count = rbconn->list.count;
+                               count = rbconn->list.count ? rbconn->list.count : 1;
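Review bot: the replacement `count = rbconn->list.count ? rbconn->list.count : 1;` reports 1 for every empty list, so a confirmed ct whose add was skipped is always counted as exactly one connection no matter how many attempts arrive on that key; this keeps the -EEXIST path out of the hotdrop branch but, as stated further down in this mail, the limit itself is then never reached for such connections. Suggest a short comment on that line saying why an empty list is reported as 1 (the ct was confirmed before the add, so the list being empty is expected here, not an error), so the next reader does not mistake the ternary for masking a hotdrop condition.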

?

connlimit for localhost connections only works correctly in output or
postrouting, even before any of your changes.

As you say, for local connections, confirmation happens in postrouting,
i.e., before prerouting rules are evaluated.

Hence, even before any of your changes, the conntrack limit is never
effective because the connections are confirmed before.
In the reported example, it's no problem to create 1000k connections,
500 will go through, rest will eventually time out.  But they are
created.

AFAICS the problem is an erroneous trigger of "hotdrop" mode.  First
connection attempt allocates new node, with count == 1.

Subsequent attempts encounter the -EEXIST check instead of add, then
return the list length, which is 0, not 1, so the packet gets dropped.

Without your patches, connections won't complete once reaching
the limit, but the conntrack entries can be allocated and are confirmed
regardless of "-m connlimit".

Thus I'm not sold on this use case; it doesn't limit connections,
it only limits established ones.

If it's a legit case, then we should have a test case for this in
iptables.git.

That said, the patch looks correct to me.
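The hotdrop misfire described in this reply, replayed in a toy model (added example, not nf_conncount code and not part of the thread): a per-key node keeps a list length standing in for rbconn->list.count, a confirmed ct is not added and reports -EEXIST as the mail describes, and the `fixed` flag switches between the original `count = rbconn->list.count` and the one-line alternative from the hunk. The `toy_*` names, the 127.0.0.1 key, the limit of 500 and the treatment of a confirmed ct's add as -EEXIST are assumptions made for the model.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define TOY_MAX_NODES 16

/* One node of the per-key tree, reduced to the lookup key plus the length
 * of its connection list (stands in for rbconn->list.count). */
struct toy_rbconn {
	unsigned int key;    /* e.g. the source address the limit is keyed on */
	unsigned int count;  /* list length */
};

struct toy_tree {
	struct toy_rbconn nodes[TOY_MAX_NODES];
	unsigned int n;
};

static struct toy_rbconn *toy_find(struct toy_tree *t, unsigned int key)
{
	for (unsigned int i = 0; i < t->n; i++)
		if (t->nodes[i].key == key)
			return &t->nodes[i];
	return NULL;
}

/* Stand-in for adding the conntrack to the node's list. Assumption taken
 * from the mail: a ct that is already confirmed (local-to-local traffic)
 * is not added, the list length is left alone and -EEXIST is reported. */
static int toy_list_add(struct toy_rbconn *rbconn, bool ct_confirmed)
{
	if (ct_confirmed)
		return -EEXIST;
	rbconn->count++;
	return 0;
}

/* Model of the insert_tree() tail shown in the hunk. Returns the count the
 * connlimit match sees; 0 means "hotdrop". `fixed` selects the one-line
 * change from the hunk (report 1 instead of an empty list). */
static unsigned int toy_insert_tree(struct toy_tree *t, unsigned int key,
				    bool ct_confirmed, bool fixed)
{
	struct toy_rbconn *rbconn = toy_find(t, key);
	int ret;

	if (!rbconn) {
		/* First attempt: allocate a new node and report count == 1.
		 * The list only receives the ct if it is not yet confirmed. */
		if (t->n >= TOY_MAX_NODES)
			return 0;                     /* allocation failed: hotdrop */
		rbconn = &t->nodes[t->n++];
		rbconn->key = key;
		rbconn->count = ct_confirmed ? 0 : 1;
		return 1;
	}

	ret = toy_list_add(rbconn, ct_confirmed);
	if (ret && ret != -EEXIST)
		return 0;                             /* hotdrop */
	if (fixed)
		return rbconn->count ? rbconn->count : 1;
	return rbconn->count;                         /* 0 after a skipped add */
}

/* connlimit-style verdict on the returned count. */
enum toy_verdict { TOY_ACCEPT, TOY_OVER_LIMIT, TOY_HOTDROP };

static enum toy_verdict toy_connlimit(unsigned int count, unsigned int limit)
{
	if (count == 0)
		return TOY_HOTDROP;
	return count > limit ? TOY_OVER_LIMIT : TOY_ACCEPT;
}

/* Replay `attempts` connection attempts from one constructed key and
 * return the count reported for the last one. */
static unsigned int toy_count_after(unsigned int attempts, bool ct_confirmed,
				    bool fixed)
{
	struct toy_tree t = { .n = 0 };
	const unsigned int key = 0x7f000001;          /* 127.0.0.1, constructed */
	unsigned int count = 0;

	for (unsigned int i = 0; i < attempts; i++)
		count = toy_insert_tree(&t, key, ct_confirmed, fixed);
	return count;
}

/* Verdict for the second local-to-local (already confirmed) attempt. */
static enum toy_verdict toy_second_local_attempt(bool fixed)
{
	return toy_connlimit(toy_count_after(2, true, fixed), 500);
}

int main(void)
{
	printf("second local attempt, before the hunk: %s\n",
	       toy_second_local_attempt(false) == TOY_HOTDROP ? "hotdrop" : "accept");
	printf("second local attempt, with the hunk:   %s\n",
	       toy_second_local_attempt(true) == TOY_HOTDROP ? "hotdrop" : "accept");
	printf("count after 1000 confirmed attempts, with the hunk: %u\n",
	       toy_count_after(1000, true, true));
	return 0;
}
```

The last line of the output is the point made further up in the reply: with the hunk applied, a key whose cts are all confirmed before the add keeps reporting a count of 1, so the packet is no longer hotdropped but the limit is never reached either, whereas an unconfirmed ct still increments the list normally.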

Thread overview: 7+ messages
2026-01-18 11:13 [PATCH nf-next] netfilter: nf_conncount: fix tracking of connections from localhost Fernando Fernandez Mancera
2026-01-18 12:22 ` Florian Westphal [this message]
2026-01-18 15:50   ` Fernando Fernandez Mancera
2026-01-18 16:03     ` Florian Westphal
2026-01-18 16:34       ` Fernando Fernandez Mancera
2026-01-19  0:21         ` Florian Westphal
2026-01-19 16:37           ` Fernando Fernandez Mancera
