{"id":2229920,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2229920/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20260428212843.4099005-2-tim.whisonant@canonical.com/","project":{"id":15,"url":"http://patchwork.ozlabs.org/api/1.1/projects/15/?format=json","name":"Ubuntu Kernel","link_name":"ubuntu-kernel","list_id":"kernel-team.lists.ubuntu.com","list_email":"kernel-team@lists.ubuntu.com","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<20260428212843.4099005-2-tim.whisonant@canonical.com>","date":"2026-04-28T21:28:32","name":"[SRU,J/N/Q,1/1] netfilter: nf_conncount: fix tracking of connections from localhost","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"f139ae631cb37ef22614167eed31359fef8ffa4e","submitter":{"id":89903,"url":"http://patchwork.ozlabs.org/api/1.1/people/89903/?format=json","name":"Tim Whisonant","email":"tim.whisonant@canonical.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20260428212843.4099005-2-tim.whisonant@canonical.com/mbox/","series":[{"id":501937,"url":"http://patchwork.ozlabs.org/api/1.1/series/501937/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=501937","date":"2026-04-28T21:28:31","name":"iptables connlimit traffic loss","version":1,"mbox":"http://patchwork.ozlabs.org/series/501937/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2229920/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2229920/checks/","tags":{},"headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","From":"Tim Whisonant <tim.whisonant@canonical.com>","To":"kernel-team@lists.ubuntu.com","Subject":"[SRU][J/N/Q][PATCH 1/1] netfilter: nf_conncount: fix tracking of\n connections from localhost","Date":"Tue, 28 Apr 2026 14:28:32 -0700","Message-ID":"<20260428212843.4099005-2-tim.whisonant@canonical.com>","X-Mailer":"git-send-email 2.43.0","In-Reply-To":"<20260428212843.4099005-1-tim.whisonant@canonical.com>","References":"<20260428212843.4099005-1-tim.whisonant@canonical.com>","MIME-Version":"1.0","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions <kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"text/plain; 
charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"},"content":"From: Fernando Fernandez Mancera <fmancera@suse.de>\n\nBugLink: https://bugs.launchpad.net/bugs/2149872\n\nSince commit be102eb6a0e7 (\"netfilter: nf_conncount: rework API to use\nsk_buff directly\"), we skip the adding and trigger a GC when the ct is\nconfirmed. For connections originated from local to local it doesn't\nwork because the connection is confirmed on POSTROUTING, therefore\ntracking on the INPUT hook is always skipped.\n\nIn order to fix this, we check whether skb input ifindex is set to\nloopback ifindex. If it is then we fall back on a GC plus track operation\nskipping the optimization. This fallback is necessary to avoid\nduplicated tracking of a packet train, e.g. 10 UDP datagrams sent in a\nburst when initiating the connection.\n\nTested with xt_connlimit/nft_connlimit and OVS limit and with an HTTP\nserver and iperf3 in UDP mode.\n\nFixes: be102eb6a0e7 (\"netfilter: nf_conncount: rework API to use sk_buff directly\")\nReported-by: Michal Slabihoudek <michal.slabihoudek@gooddata.com>\nCloses: https://lore.kernel.org/netfilter/6989BD9F-8C24-4397-9AD7-4613B28BF0DB@gooddata.com/\nSigned-off-by: Fernando Fernandez Mancera <fmancera@suse.de>\nSigned-off-by: Florian Westphal <fw@strlen.de>\n(cherry picked from commit de8a70cefcb26cdceaafdc5ac144712681419c29)\nSigned-off-by: Tim Whisonant <tim.whisonant@canonical.com>\n---\n net/netfilter/nf_conncount.c | 15 +++++++++++++--\n 1 file changed, 13 insertions(+), 2 deletions(-)","diff":"diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c\nindex a2c5a7ba0c6fc..ee69b4e36514c 100644\n--- a/net/netfilter/nf_conncount.c\n+++ b/net/netfilter/nf_conncount.c\n@@ -178,13 +178,24 @@ static int __nf_conncount_add(struct net *net,\n \t\treturn -ENOENT;\n \n \tif (ct && nf_ct_is_confirmed(ct)) {\n-\t\terr = 
-EEXIST;\n-\t\tgoto out_put;\n+\t\t/* local connections are confirmed in postrouting so confirmation\n+\t\t * might have happened before hitting connlimit\n+\t\t */\n+\t\tif (skb->skb_iif != LOOPBACK_IFINDEX) {\n+\t\t\terr = -EEXIST;\n+\t\t\tgoto out_put;\n+\t\t}\n+\n+\t\t/* this is likely a local connection, skip optimization to avoid\n+\t\t * adding duplicates from a 'packet train'\n+\t\t */\n+\t\tgoto check_connections;\n \t}\n \n \tif ((u32)jiffies == list->last_gc)\n \t\tgoto add_new_node;\n \n+check_connections:\n \t/* check the saved connections */\n \tlist_for_each_entry_safe(conn, conn_n, &list->head, node) {\n \t\tif (collect > CONNCOUNT_GC_MAX_NODES)\n","prefixes":["SRU","J/N/Q","1/1"]}
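Review bot: the `goto check_connections` taken in the confirmed-ct branch when `skb->skb_iif == LOOPBACK_IFINDEX` jumps past the `if ((u32)jiffies == list->last_gc) goto add_new_node;` throttle, so every already-confirmed loopback packet now walks the full saved-connection list ("check the saved connections") instead of being rate-limited to one GC pass per jiffy. That is the fallback the commit message asks for, but neither the message nor the new in-code comment says that the per-jiffy GC throttle no longer applies to loopback traffic, and a localhost burst of the kind described (10 UDP datagrams at connection start) now costs one list walk per datagram; please spell that out, e.g. extend the second comment to "skip the last_gc optimization to avoid adding duplicates from a 'packet train'", so a future reader does not reinstate the throttle for this path. The first comment would also read more precisely as "local-to-local connections are confirmed in POSTROUTING, so confirmation may already have happened when the INPUT hook reaches connlimit", matching the wording of the commit message.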