git.ipfire.org Git - thirdparty/kernel/stable.git/commit
netfilter: nft_connlimit: update the count if add was skipped
author Fernando Fernandez Mancera <fmancera@suse.de>
Fri, 21 Nov 2025 00:14:32 +0000 (01:14 +0100)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 19 Jan 2026 12:09:35 +0000 (13:09 +0100)
commit 53bc0ac47f4f7621c991807bc90e01df49561ac8
tree 1e729b1e9080adef9043c4432cd19c948e24a1bb
parent b160895d6bc9690459b16ef87799c9bd456af3ec
netfilter: nft_connlimit: update the count if add was skipped

[ Upstream commit 69894e5b4c5e28cda5f32af33d4a92b7a4b93b0e ]

Connlimit expression can be used for all kinds of packets and not only
for packets with connection state new. See this ruleset as example:

table ip filter {
        chain input {
                type filter hook input priority filter; policy accept;
                tcp dport 22 ct count over 4 counter
        }
}

Currently, if the connection count goes over the limit, the counter will
count the packets. When a connection is closed, the connection count
won't decrement as it should because it is only updated for new
connections due to an optimization in __nf_conncount_add() that prevents
updating the list if the connection is duplicated.

To solve this problem, check whether the connection was skipped and if
so, update the list. Adjust count_tree() too so the same fix is applied
for xt_connlimit.

Fixes: 976afca1ceba ("netfilter: nf_conncount: Early exit in nf_conncount_lookup() and cleanup")
Closes: https://lore.kernel.org/netfilter/trinity-85c72a88-d762-46c3-be97-36f10e5d9796-1761173693813@3c-app-mailcom-bs12/
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
net/netfilter/nf_conncount.c
net/netfilter/nft_connlimit.c
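To make the stale-count behaviour described in the commit message concrete, the following C model is added here as an illustration; it is not code from the kernel, from net/netfilter/nf_conncount.c, or from this patch. The list type and helpers (conn_list, conn_add, conn_gc, connlimit_eval), the ct_alive[] table standing in for conntrack, and the five-connection scenario are all constructed for the example. It reproduces only the logic the message states: an "already tracked" early exit that skips the rest of the list walk, so a closed connection further down the list keeps inflating the count, and the fix of running the cleanup anyway when the add was skipped.

```c
/*
 * Added example (not kernel code): model of the connlimit count going
 * stale when the "duplicate connection" early exit skips the list
 * cleanup, and of the fix that runs the cleanup when the add is skipped.
 * All names and the sample state are hypothetical.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_CONNS 16
#define LIMIT 4          /* "ct count over 4" from the ruleset above */

/* Connections tracked under one connlimit key (here: everything to dport 22). */
struct conn_list {
    unsigned int id[MAX_CONNS];   /* conntrack entry ids, in insertion order */
    size_t count;
};

/* Stand-in for the conntrack table: ct_alive[id] says whether the
 * connection still exists. Constructed sample state, not real conntrack. */
static bool ct_alive[MAX_CONNS];

/* Remove every tracked connection that conntrack no longer knows about. */
static void conn_gc(struct conn_list *l)
{
    size_t w = 0;

    for (size_t r = 0; r < l->count; r++)
        if (ct_alive[l->id[r]])
            l->id[w++] = l->id[r];
    l->count = w;
}

/*
 * Walk the list, evicting dead entries as we go. If the tuple is already
 * tracked, stop right there and report -EEXIST without inserting. That
 * early return is the optimisation the commit message refers to: entries
 * after the duplicate are never re-checked, so a closed connection
 * further down the list is not evicted and the count stays too high.
 */
static int conn_add(struct conn_list *l, unsigned int id)
{
    size_t i = 0;

    while (i < l->count) {
        if (!ct_alive[l->id[i]]) {
            /* evict slot i in place and re-examine the same slot */
            for (size_t j = i + 1; j < l->count; j++)
                l->id[j - 1] = l->id[j];
            l->count--;
            continue;
        }
        if (l->id[i] == id)
            return -EEXIST;   /* already tracked: add skipped */
        i++;
    }
    if (l->count == MAX_CONNS)
        return -ENOMEM;
    l->id[l->count++] = id;
    return 0;
}

/*
 * One evaluation of "tcp dport 22 ct count over LIMIT" for a packet of
 * connection `id`. Returns the connection count the rule observed.
 * With fixed == true, a skipped add (-EEXIST) still triggers the cleanup
 * before the count is read; with fixed == false the stale count is used.
 */
static size_t connlimit_eval(struct conn_list *l, unsigned int id, bool fixed)
{
    int ret = conn_add(l, id);

    if (ret == -EEXIST) {
        if (fixed)
            conn_gc(l);
    } else if (ret < 0) {
        return 0;             /* list full: not exercised in this scenario */
    }
    return l->count;
}

/* Constructed scenario: five SSH connections are opened, the last one is
 * torn down, then a packet of the first (still established) connection
 * is evaluated. Returns the count the rule saw for that packet. */
static size_t scenario(bool fixed)
{
    struct conn_list l = { .count = 0 };

    for (unsigned int id = 1; id <= 5; id++) {
        ct_alive[id] = true;
        (void)conn_add(&l, id);   /* first packet of each new connection */
    }
    ct_alive[5] = false;          /* connection 5 is closed */

    return connlimit_eval(&l, 1, fixed);
}

int main(void)
{
    size_t before = scenario(false);
    size_t after = scenario(true);

    printf("before fix: count=%zu, over %d: %s\n", before, LIMIT,
           before > LIMIT ? "yes (stale)" : "no");
    printf("after fix:  count=%zu, over %d: %s\n", after, LIMIT,
           after > LIMIT ? "yes" : "no");
    return 0;
}
```

Before the fix the packet on connection 1 hits the duplicate at the head of the list and returns immediately, so the dead connection 5 is never evicted and the rule still sees 5 (over 4, so the counter keeps counting). With the fix the skipped add is followed by the cleanup and the rule sees 4.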