git.ipfire.org Git - thirdparty/kernel/linux.git/commit
netfilter: nft_connlimit: update the count if add was skipped
author Fernando Fernandez Mancera <fmancera@suse.de>
Fri, 21 Nov 2025 00:14:32 +0000 (01:14 +0100)
committer Pablo Neira Ayuso <pablo@netfilter.org>
Fri, 28 Nov 2025 00:05:52 +0000 (00:05 +0000)
commit 69894e5b4c5e28cda5f32af33d4a92b7a4b93b0e
tree 4dfb12402e5e44541cb6e70fcd754016086b43ca
parent c0362b5748282e22fa1592a8d3474f726ad964c2
netfilter: nft_connlimit: update the count if add was skipped

Connlimit expression can be used for all kinds of packets and not only
for packets with connection state new. See this ruleset as example:

table ip filter {
        chain input {
                type filter hook input priority filter; policy accept;
                tcp dport 22 ct count over 4 counter
        }
}

Currently, if the connection count goes over the limit the counter will
count the packets. When a connection is closed, the connection count
won't decrement as it should because it is only updated for new
connections due to an optimization on __nf_conncount_add() that prevents
updating the list if the connection is duplicated.

To solve this problem, check whether the connection was skipped and if
so, update the list. Adjust count_tree() too so the same fix is applied
for xt_connlimit.

Fixes: 976afca1ceba ("netfilter: nf_conncount: Early exit in nf_conncount_lookup() and cleanup")
Closes: https://lore.kernel.org/netfilter/trinity-85c72a88-d762-46c3-be97-36f10e5d9796-1761173693813@3c-app-mailcom-bs12/
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/netfilter/nf_conncount.c
net/netfilter/nft_connlimit.c
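As an added illustration, not the kernel's code, here is a constructed C model of the behaviour the commit message describes: a per-key connection list whose add path skips duplicates, so the count is only refreshed when a new connection is added, until the skipped path also triggers a refresh. The list layout, the `alive` table standing in for conntrack, and every function name are assumptions for the model.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model of nf_conncount's per-key connection list (not kernel code). */
#define MAX_CONNS 16

struct conncount_list {
    unsigned int ids[MAX_CONNS];   /* ids of connections currently counted */
    unsigned int count;
};

/* Stand-in for the conntrack table: a connection is alive while its slot is true. */
static bool alive[64];

enum add_result { ADD_NEW, ADD_SKIPPED };

/* Drop entries whose connection has gone away (models the list garbage collection). */
static void gc_list(struct conncount_list *l) {
    unsigned int kept = 0;
    for (unsigned int i = 0; i < l->count; i++)
        if (alive[l->ids[i]]) l->ids[kept++] = l->ids[i];
    l->count = kept;
}

/* Models __nf_conncount_add: a duplicate is skipped and leaves the list untouched. */
static enum add_result add_conn(struct conncount_list *l, unsigned int id) {
    for (unsigned int i = 0; i < l->count; i++)
        if (l->ids[i] == id) return ADD_SKIPPED;
    l->ids[l->count++] = id;
    return ADD_NEW;
}

/* A packet of connection `id` hits the rule; returns the count `ct count over N` sees. */
static unsigned int count_packet(struct conncount_list *l, unsigned int id, bool fixed) {
    enum add_result r = add_conn(l, id);
    /* Before the fix the list was only refreshed for new connections; a skipped
       add returned the stale count. The fix refreshes on the skipped path too. */
    if (r == ADD_NEW || (r == ADD_SKIPPED && fixed)) gc_list(l);
    return l->count;
}

/* Scenario: five SSH connections open, two close, then a packet arrives on the first. */
static unsigned int run_scenario(bool fixed) {
    struct conncount_list l = { .count = 0 };
    memset(alive, 0, sizeof alive);
    for (unsigned int id = 1; id <= 5; id++) { alive[id] = true; count_packet(&l, id, fixed); }
    alive[4] = false; alive[5] = false;  /* connections 4 and 5 closed */
    return count_packet(&l, 1, fixed);   /* established flow: add is skipped */
}
```

With the unfixed path the rule keeps seeing 5 and `ct count over 4` stays matched after two connections closed; with the fixed path the refreshed list yields 3.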