From: Florian Westphal <fw@strlen.de>
To: Fernando Fernandez Mancera <fmancera@suse.de>
Cc: netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
phil@nwl.cc, pablo@netfilter.org,
Alejandro Olivan Alvarez <alejandro.olivan.alvarez@gmail.com>
Subject: Re: [PATCH nf v2] netfilter: nf_conncount: prevent connlimit drops for early confirmed ct
Date: Tue, 19 May 2026 22:23:13 +0200
Message-ID: <agzGsaehgIuc0vIT@strlen.de>
In-Reply-To: <20260514141628.4636-1-fmancera@suse.de>
Fernando Fernandez Mancera <fmancera@suse.de> wrote:
> Commit 69894e5b4c5e ("netfilter: nft_connlimit: update the count if add
> was skipped") introduced a regression where packets for valid
> connections are dropped when using connlimit for soft-limiting
> scenarios.
>
> The issue occurs when a new connection reuses a socket currently in
> the TIME_WAIT state. In this scenario, the connection tracking entry
> is evaluated as already confirmed. Previously, __nf_conncount_add()
> assumed that if a connection was confirmed and did not originate from
> the loopback interface, it should skip the addition and return -EEXIST.
>
> Skipping the addition triggers a garbage collection run that cleans up
> the TIME_WAIT connection. Consequently, the active connection count
> drops to 0, which xt_connlimit mishandles, leading to the false rejection
> of the perfectly valid new connection.
What do you make of https://sashiko.dev/#/patchset/20260514141628.4636-1-fmancera%40suse.de
Is there a way to handle this with a different solution?
I don't see a good solution. What about making
__nf_conncount_gc_list() return the number of removed elements and allow
a single re-add attempt if we released some entries?
(Note that I don't think that conncount with unidirectional traffic
is a sensible thing to configure, but I can't say "not supported"
either...)
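The "gc returns the number of released entries, then allow one re-add" idea in the reply above, as an added illustration that is my own userspace model and not kernel code: the names (model_add, model_gc, count_conn, demo), the fixed-size slot array and the numeric key standing in for a conntrack tuple are all assumptions, and the scenario it builds (a stale TIME_WAIT entry whose tuple a new, already-confirmed connection reuses) is constructed from the commit message.

```c
#include <errno.h>
#include <stdbool.h>
/* Hypothetical userspace model of a conncount list (not kernel code); key stands in for the tuple. */
#define MAX_ENTRIES 8
struct entry { unsigned int key; bool used; bool expired; };
struct conn_list { struct entry slots[MAX_ENTRIES]; unsigned int count; };
/* Skip rule from the thread: a confirmed ct whose tuple is already listed is not re-added (-EEXIST). */
static int model_add(struct conn_list *l, unsigned int key, bool ct_confirmed)
{
	struct entry *free_slot = 0;
	for (unsigned int i = 0; i < MAX_ENTRIES; i++) {
		if (l->slots[i].used && l->slots[i].key == key && ct_confirmed)
			return -EEXIST;
		if (!l->slots[i].used && !free_slot)
			free_slot = &l->slots[i];
	}
	if (!free_slot)
		return -ENOMEM;
	*free_slot = (struct entry){ .key = key, .used = true };
	l->count++;
	return 0;
}
/* gc that reports how many entries it released (the change suggested above). */
static unsigned int model_gc(struct conn_list *l)
{
	unsigned int removed = 0;
	for (unsigned int i = 0; i < MAX_ENTRIES; i++)
		if (l->slots[i].used && l->slots[i].expired) {
			l->slots[i].used = false;
			l->count--;
			removed++;
		}
	return removed;
}
/* A skipped add runs gc (the path the commit message describes); with retry set, gc having released entries permits one re-add. The result is the count connlimit compares to its limit. */
static unsigned int count_conn(struct conn_list *l, unsigned int key, bool confirmed, bool retry)
{
	if (model_add(l, key, confirmed) == -EEXIST && model_gc(l) > 0 && retry)
		model_add(l, key, confirmed);
	return l->count;
}
/* Constructed TIME_WAIT scenario: a stale entry for tuple 42 is listed and a new, already-confirmed connection reuses it. */
static unsigned int demo(bool retry)
{
	struct conn_list l = { 0 };
	model_add(&l, 42, false);   /* original connection, added while unconfirmed */
	l.slots[0].expired = true;  /* it has since moved to TIME_WAIT */
	return count_conn(&l, 42, true, retry); /* 0 without retry, 1 with it */
}
```

Without the retry the skipped add leaves the count at 0 after gc, which is the value the commit message says connlimit mishandles; with it the re-add lands and the count is 1.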