{"id":2229921,"url":"http://patchwork.ozlabs.org/api/1.1/covers/2229921/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/cover/20260428212843.4099005-1-tim.whisonant@canonical.com/","project":{"id":15,"url":"http://patchwork.ozlabs.org/api/1.1/projects/15/?format=json","name":"Ubuntu Kernel","link_name":"ubuntu-kernel","list_id":"kernel-team.lists.ubuntu.com","list_email":"kernel-team@lists.ubuntu.com","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<20260428212843.4099005-1-tim.whisonant@canonical.com>","date":"2026-04-28T21:28:31","name":"[SRU,J/N/Q,0/1] iptables connlimit traffic loss","submitter":{"id":89903,"url":"http://patchwork.ozlabs.org/api/1.1/people/89903/?format=json","name":"Tim Whisonant","email":"tim.whisonant@canonical.com"},"mbox":"http://patchwork.ozlabs.org/project/ubuntu-kernel/cover/20260428212843.4099005-1-tim.whisonant@canonical.com/mbox/","series":[{"id":501937,"url":"http://patchwork.ozlabs.org/api/1.1/series/501937/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=501937","date":"2026-04-28T21:28:31","name":"iptables connlimit traffic loss","version":1,"mbox":"http://patchwork.ozlabs.org/series/501937/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/covers/2229921/comments/","headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 header.s=20251003 header.b=CdR1X3WR;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists.ubuntu.com 
(lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g4tq10yDWz1yK5\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 29 Apr 2026 07:29:00 +1000 (AEST)","from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1wHpzA-0000cI-NR; Tue, 28 Apr 2026 21:28:52 +0000","from smtp-relay-internal-0.internal ([10.131.114.225]\n helo=smtp-relay-internal-0.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from <tim.whisonant@canonical.com>)\n id 1wHpz9-0000c5-66\n for kernel-team@lists.ubuntu.com; Tue, 28 Apr 2026 21:28:51 +0000","from mail-yx1-f70.google.com (mail-yx1-f70.google.com\n [74.125.224.70])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id 09D0C3F7D2\n for <kernel-team@lists.ubuntu.com>; Tue, 28 Apr 2026 21:28:51 +0000 (UTC)","by mail-yx1-f70.google.com with SMTP id\n 956f58d0204a3-651bd07888eso24167460d50.2\n for <kernel-team@lists.ubuntu.com>; Tue, 28 Apr 2026 14:28:50 -0700 (PDT)","from localhost (104-6-108-11.lightspeed.frokca.sbcglobal.net.\n [104.6.108.11]) by smtp.gmail.com with ESMTPSA id\n 956f58d0204a3-65bff6c9302sm177256d50.10.2026.04.28.14.28.48\n for <kernel-team@lists.ubuntu.com>\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Tue, 28 Apr 2026 14:28:48 -0700 (PDT)"],"X-Received":["by 2002:a05:690e:e83:b0:651:b40a:d6ce with SMTP id\n 956f58d0204a3-65beed7bb0amr4262354d50.14.1777411729550;\n Tue, 28 Apr 2026 14:28:49 -0700 (PDT)","by 2002:a05:690e:e83:b0:651:b40a:d6ce with SMTP id\n 956f58d0204a3-65beed7bb0amr4262329d50.14.1777411729008;\n Tue, 28 Apr 2026 14:28:49 -0700 (PDT)"],"From":"Tim Whisonant <tim.whisonant@canonical.com>","To":"kernel-team@lists.ubuntu.com","Subject":"[SRU][J/N/Q][PATCH 0/1] iptables connlimit traffic loss","Date":"Tue, 28 Apr 2026 14:28:31 -0700","Message-ID":"<20260428212843.4099005-1-tim.whisonant@canonical.com>","X-Mailer":"git-send-email 2.43.0","MIME-Version":"1.0","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions <kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"},"content":"BugLink: https://bugs.launchpad.net/bugs/2149872\n\nSRU Justification:\n\n[Impact]\n\nnetfilter: nf_conncount: fix tracking of connections from localhost\n\nSince commit be102eb6a0e7 (\"netfilter: nf_conncount: rework API to use\nsk_buff directly\"), we skip the adding and trigger a GC when the ct is\nconfirmed. 
For connections originated from local to local it doesn't\nwork because the connection is confirmed on POSTROUTING, therefore\ntracking on the INPUT hook is always skipped.\n\nIn order to fix this, we check whether skb input ifindex is set to\nloopback ifindex. If it is then we fall back on a GC plus track operation\nskipping the optimization. This fallback is necessary to avoid\nduplicated tracking of a packet train e.g. 10 UDP datagrams sent on a\nburst when initiating the connection.\n\nTested with xt_connlimit/nft_connlimit and OVS limit and with an HTTP\nserver and iperf3 on UDP mode.\n\n[Fix]\n\nResolute: not affected\nQuesting: applied Jammy patch\nNoble:    applied Jammy patch\nJammy:    cherry picked from upstream\nFocal:    not affected\nBionic:   not affected\nXenial:   not affected\nTrusty:   not affected\n\n[Test Plan]\n\nCompile and boot tested.\n\n[Where problems could occur]\n\nThe change affects a worker routine for adding network connections\nin order to correct an invalid treatment of the loopback interface.\nIssues may manifest as unexpected behavior when using the loopback\ninterface.\n\nFernando Fernandez Mancera (1):\n  netfilter: nf_conncount: fix tracking of connections from localhost\n\n net/netfilter/nf_conncount.c | 15 +++++++++++++--\n 1 file changed, 13 insertions(+), 2 deletions(-)"}