git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Fernando Fernandez Mancera <fmancera@suse.de>
	Fri, 21 Nov 2025 00:14:32 +0000 (01:14 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 18 Dec 2025 12:55:12 +0000 (13:55 +0100)
commit	b29ddccf36946a90323486221f39e9f88cc01b8e
tree	e0f36aba8caf1a4fd5a4d5b215ef478908665084	tree
parent	3558faee8aace3541189c3a2ca45c7e85e144b44	commit \| diff

netfilter: nft_connlimit: update the count if add was skipped

[ Upstream commit 69894e5b4c5e28cda5f32af33d4a92b7a4b93b0e ]

Connlimit expression can be used for all kind of packets and not only
for packets with connection state new. See this ruleset as example:

table ip filter {
        chain input {
                type filter hook input priority filter; policy accept;
                tcp dport 22 ct count over 4 counter
        }
}

Currently, if the connection count goes over the limit the counter will
count the packets. When a connection is closed, the connection count
won't decrement as it should because it is only updated for new
connections due to an optimization on __nf_conncount_add() that prevents
updating the list if the connection is duplicated.

To solve this problem, check whether the connection was skipped and if
so, update the list. Adjust count_tree() too so the same fix is applied
for xt_connlimit.

Fixes: 976afca1ceba ("netfilter: nf_conncount: Early exit in nf_conncount_lookup() and cleanup")
Closes: https://lore.kernel.org/netfilter/trinity-85c72a88-d762-46c3-be97-36f10e5d9796-1761173693813@3c-app-mailcom-bs12/
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

net/netfilter/nf_conncount.c		diff \| blob \| blame \| history
net/netfilter/nft_connlimit.c		diff \| blob \| blame \| history