The connlimit expression can be used for all kinds of packets and not only
for packets with connection state new. See this ruleset as an example:
table ip filter {
	chain input {
		type filter hook input priority filter; policy accept;
		tcp dport 22 ct count over 4 counter
	}
}
Currently, if the connection count goes over the limit the counter will
count the packets. When a connection is closed, the connection count
won't decrement as it should because it is only updated for new
connections due to an optimization on __nf_conncount_add() that prevents
updating the list if the connection is duplicated.
To solve this problem, check whether the connection was skipped and if
so, update the list. This fix isn't necessary on xt_connlimit as the new
nf_conncount API updates the list when the add is skipped inside
nf_conncount_count().
Fixes: 976afca1ceba ("netfilter: nf_conncount: Early exit in nf_conncount_lookup() and cleanup")
Closes: https://lore.kernel.org/netfilter/trinity-85c72a88-d762-46c3-be97-36f10e5d9796-1761173693813@3c-app-mailcom-bs12/
Signed-off-by: Fernando Fernandez Mancera <[email protected]>
---
net/netfilter/nft_connlimit.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_connlimit.c b/net/netfilter/nft_connlimit.c
index 3c1d9ae37bec..4cec228e82e2 100644
--- a/net/netfilter/nft_connlimit.c
+++ b/net/netfilter/nft_connlimit.c
@@ -49,7 +49,14 @@ static inline void nft_connlimit_do_eval(struct
nft_connlimit *priv,
err = nf_conncount_add(ct, priv->list);
if (err) {
- if (err != -EINVAL) {
+ if (err == -EINVAL) {
+ /* Call gc to update the list count if any connection
has
+ * been closed already. This is useful to softlimit
+ * connections like limiting bandwidth based on a number
+ * of open connections.
+ */
+ nf_conncount_gc_list(nf_ct_net(ct), priv->list);
+ } else {
regs->verdict.code = NF_DROP;
return;
}
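Review bot: the new -EINVAL branch runs nf_conncount_gc_list() on every packet of a connection that is already in the list, so with this change a ruleset like the one in the commit message pays a full list walk per packet on the established-connection path rather than only on new connections; the commit message should state that cost explicitly (or the gc could be bounded, e.g. only when the count is already over the limit), since the stated motivation is a softlimit that is evaluated for all packets. It would also help the reader to confirm in the message that the count consulted after this hunk is read only after nf_conncount_gc_list() returns, which is the whole point of the fix, and to note why the inverted condition (`if (err == -EINVAL) { ... } else { NF_DROP }`) preserves the previous behaviour for every other error value.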
--
2.51.0