* Nftables ct count over 2 counter continues to trigger with only 1 connection
@ 2025-10-22 22:54 louis.t42
2025-10-23 11:42 ` Pablo Neira Ayuso
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: louis.t42 @ 2025-10-22 22:54 UTC (permalink / raw)
To: netfilter
Hello,
I have read the documentation and asked on Stack Exchange but am unable to find an answer to the following behavior.
Given this table and chain where 123.123.123.123 is my own address:
table ip mytable {
    chain mychain {
        type filter hook input priority filter; policy accept;
        ip saddr != 123.123.123.123 drop
        ip saddr 123.123.123.123 ct count over 2 counter
    }
}
I am establishing a varying number of TCP connections from my own address by connecting via SSH. These show up in "ss -at" and "conntrack -L" as well as disappear once disconnected - all as expected.
With 2 connections open I see "packets 0 bytes 0" on the counter. With 3 connections open I see "packets 6599 bytes 475441".
The question: when disconnecting 2 of the connections (from 3 total back to 1 total) the counter continues to increment. It triggers even when "ss -at" and "conntrack -L" show just one connection with no TIME_WAIT or other entries.
It even continues incrementing after a "conntrack -F" and often feels as though it is a one-way switch once the counter has triggered. Sometimes closing all connections (to 0 total) stops the counter from incrementing.
Is there an explanation as to this "ct count" behavior in more detail?
Thanks.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Nftables ct count over 2 counter continues to trigger with only 1 connection
2025-10-22 22:54 Nftables ct count over 2 counter continues to trigger with only 1 connection louis.t42
@ 2025-10-23 11:42 ` Pablo Neira Ayuso
2025-10-23 14:00 ` Fernando Fernandez Mancera
2025-10-24 11:45 ` Florian Westphal
2 siblings, 0 replies; 6+ messages in thread
From: Pablo Neira Ayuso @ 2025-10-23 11:42 UTC (permalink / raw)
To: louis.t42; +Cc: netfilter
Hi,
On Thu, Oct 23, 2025 at 12:54:53AM +0200, louis.t42@caramail.com wrote:
> Hello,
>
> I have read the documentation and asked on Stack Exchange but am unable to find an answer to the following behavior.
>
> Given this table and chain where 123.123.123.123 is my own address:
>
> table ip mytable {
>     chain mychain {
>         type filter hook input priority filter; policy accept;
>         ip saddr != 123.123.123.123 drop
>         ip saddr 123.123.123.123 ct count over 2 counter
>     }
> }
>
> I am establishing a varying number of TCP connections from my own address by connecting via SSH. These show up in "ss -at" and "conntrack -L" as well as disappear once disconnected - all as expected.
>
> With 2 connections open I see "packets 0 bytes 0" on the counter. With 3 connections open I see "packets 6599 bytes 475441".
>
> The question: when disconnecting 2 of the connections (from 3 total back to 1 total) the counter continues to increment. It triggers even when "ss -at" and "conntrack -L" show just one connection with no TIME_WAIT or other entries.
>
> It even continues incrementing after a "conntrack -F" and often feels as though it is a one-way switch once the counter has triggered. Sometimes closing all connections (to 0 total) stops the counter from incrementing.
>
> Is there an explanation as to this "ct count" behavior in more detail?
This behaviour looks buggy, I am trying to narrow down the issue.
* Re: Nftables ct count over 2 counter continues to trigger with only 1 connection
2025-10-22 22:54 Nftables ct count over 2 counter continues to trigger with only 1 connection louis.t42
2025-10-23 11:42 ` Pablo Neira Ayuso
@ 2025-10-23 14:00 ` Fernando Fernandez Mancera
2025-10-24 11:45 ` Florian Westphal
2 siblings, 0 replies; 6+ messages in thread
From: Fernando Fernandez Mancera @ 2025-10-23 14:00 UTC (permalink / raw)
To: louis.t42, netfilter
On 10/23/25 12:54 AM, louis.t42@caramail.com wrote:
> Hello,
>
> I have read the documentation and asked on Stack Exchange but am unable to find an answer to the following behavior.
>
> Given this table and chain where 123.123.123.123 is my own address:
>
> table ip mytable {
>     chain mychain {
>         type filter hook input priority filter; policy accept;
>         ip saddr != 123.123.123.123 drop
>         ip saddr 123.123.123.123 ct count over 2 counter
>     }
> }
>
> I am establishing a varying number of TCP connections from my own address by connecting via SSH. These show up in "ss -at" and "conntrack -L" as well as disappear once disconnected - all as expected.
>
> With 2 connections open I see "packets 0 bytes 0" on the counter. With 3 connections open I see "packets 6599 bytes 475441".
>
> The question: when disconnecting 2 of the connections (from 3 total back to 1 total) the counter continues to increment. It triggers even when "ss -at" and "conntrack -L" show just one connection with no TIME_WAIT or other entries.
>
> It even continues incrementing after a "conntrack -F" and often feels as though it is a one-way switch once the counter has triggered. Sometimes closing all connections (to 0 total) stops the counter from incrementing.
>
> Is there an explanation as to this "ct count" behavior in more detail?
>
> Thanks.
Yes, this seems buggy. I have reproduced this with upstream kernel and
also on 5.10 so I guess this has been here for a long time. I am working
now on a patch.
Thanks!
* Re: Nftables ct count over 2 counter continues to trigger with only 1 connection
2025-10-22 22:54 Nftables ct count over 2 counter continues to trigger with only 1 connection louis.t42
2025-10-23 11:42 ` Pablo Neira Ayuso
2025-10-23 14:00 ` Fernando Fernandez Mancera
@ 2025-10-24 11:45 ` Florian Westphal
2025-10-27 13:54 ` louis.t42
2 siblings, 1 reply; 6+ messages in thread
From: Florian Westphal @ 2025-10-24 11:45 UTC (permalink / raw)
To: louis.t42; +Cc: netfilter
louis.t42@caramail.com <louis.t42@caramail.com> wrote:
> I have read the documentation and asked on Stack Exchange but am unable to find an answer to the following behavior.
>
> Given this table and chain where 123.123.123.123 is my own address:
>
> table ip mytable {
>     chain mychain {
>         type filter hook input priority filter; policy accept;
>         ip saddr != 123.123.123.123 drop
>         ip saddr 123.123.123.123 ct count over 2 counter
>     }
> }
After looking at Fernando's analysis, does this work when you restrict
this to new packets, i.e.:
ct state new jump {
    ip saddr != 123.123.123.123 drop
    ip saddr 123.123.123.123 ct count over 2 counter
}
This is supposed to only ever add new connections and not re-add established
ones.
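Added example, not part of this thread and not the netfilter project's own code: the reporter's ruleset rewritten with the "ct state new" restriction Florian suggests, with the rule that misbehaved kept as a comment for comparison. It also goes one step beyond the thread with a per-source variant that keeps one count per address in a dynamic set, which is the "packet path dynamic set add" form the reporter mentions. The host address 123.123.123.123 is the one from the report; the set name ssh_per_src, its size, the restriction to port 22 and the "reject with tcp reset" verdict are assumptions made for the example.

```nft
# Added example (not from the thread). Same lab setup as the report: a host
# that only accepts traffic from its own address 123.123.123.123. On a real
# host the first rule below would also drop loopback and every other peer,
# so scope it to the port under test instead (assumption: sshd on port 22).
table ip mytable {
    # Per-source variant (goes beyond the thread, which uses one global
    # count): one connlimit object per source address, kept in a dynamic
    # set. Set name and size are assumptions.
    set ssh_per_src {
        type ipv4_addr
        flags dynamic
        size 65535
    }

    chain mychain {
        type filter hook input priority filter; policy accept;

        ip saddr != 123.123.123.123 drop

        # Rule as reported: every packet of every matching flow is fed to
        # the connlimit expression, and the reporter saw the counter keep
        # firing after the flows were gone. Kept only for comparison.
        # ip saddr 123.123.123.123 ct count over 2 counter

        # Workaround from the thread, written inline instead of with an
        # anonymous chain: only the first packet of a connection (ct state
        # new) reaches ct count, so established flows are never re-added.
        # A bare counter is just a probe; a limit that is meant to protect
        # sshd needs a verdict, hence the reject.
        ip saddr 123.123.123.123 ct state new tcp dport 22 \
            ct count over 2 counter reject with tcp reset

        # Alternative to the rule above: per-source count via the dynamic
        # set, so one noisy peer cannot consume the budget of the others.
        # Use one of the two limit rules, not both, when more than a single
        # source is allowed through.
        ct state new tcp dport 22 \
            add @ssh_per_src { ip saddr ct count over 2 } counter reject with tcp reset
    }
}
```

Check the file with "nft -c -f ruleset.nft" before loading it with "nft -f ruleset.nft". To repeat the reporter's experiment, open SSH sessions from the permitted address and read the counter with "nft list chain ip mytable mychain" while comparing it against "ss -tan" and "conntrack -L -s 123.123.123.123"; with "ct state new" in place the counter should only move on the SYN of a third concurrent connection, and "nft list set ip mytable ssh_per_src" shows the per-source count. Florian's "ct state new jump { ... }" form is equivalent; putting "ct state new" ahead of "ct count" in each rule just avoids depending on inline chain support in the installed nft and kernel.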
* Re: Nftables ct count over 2 counter continues to trigger with only 1 connection
2025-10-24 11:45 ` Florian Westphal
@ 2025-10-27 13:54 ` louis.t42
2025-10-27 22:25 ` Pablo Neira Ayuso
0 siblings, 1 reply; 6+ messages in thread
From: louis.t42 @ 2025-10-27 13:54 UTC (permalink / raw)
Cc: netfilter
> After looking at Fernando's analysis, does this work when you restrict
> this to new packets, i.e.:
Thanks for spending time on this. I can confirm that adding the restriction with the inline jump works great! Of course, it would still be great if the original rules behaved predictably as well.
As an end-user trying to learn, the man documentation surrounding conntrack and especially packet path dynamic set add/update with `ct count over` and similar could be improved. The dynamic set flag also lists "delete" as a valid option with no other references to it which felt odd.
* Re: Nftables ct count over 2 counter continues to trigger with only 1 connection
2025-10-27 13:54 ` louis.t42
@ 2025-10-27 22:25 ` Pablo Neira Ayuso
0 siblings, 0 replies; 6+ messages in thread
From: Pablo Neira Ayuso @ 2025-10-27 22:25 UTC (permalink / raw)
To: louis.t42; +Cc: netfilter
On Mon, Oct 27, 2025 at 02:54:59PM +0100, louis.t42@caramail.com wrote:
> > After looking at Fernando's analysis, does this work when you restrict
> > this to new packets, i.e.:
>
> Thanks for spending time on this. I can confirm that adding the restriction with the inline jump works great! Of course, it would still be great if the original rules behaved predictably as well.
>
> As an end-user trying to learn, the man documentation surrounding conntrack and especially packet path dynamic set add/update with `ct count over` and similar could be improved. The dynamic set flag also lists "delete" as a valid option with no other references to it which felt odd.
Please send us patches that can be reviewed, it will take a bit of
time on you but it could possibly kick off some discussions, thanks.
2025-10-22 22:54 Nftables ct count over 2 counter continues to trigger with only 1 connection louis.t42
2025-10-23 11:42 ` Pablo Neira Ayuso
2025-10-23 14:00 ` Fernando Fernandez Mancera
2025-10-24 11:45 ` Florian Westphal
2025-10-27 13:54 ` louis.t42
2025-10-27 22:25 ` Pablo Neira Ayuso