Public bug reported: The following iptables connlimit rule can be breached with a multithreaded client and network device driver, due to a race in the conncount/connlimit code:
# iptables -A INPUT -p tcp -m tcp --syn --dport 7777 \ -m connlimit --connlimit-above 2000 --connlimit-mask 0 \ -j DROP NOTE: Patches will be sent to the kernel-team mailing list and more details/testing will be provided later today. ** Affects: linux (Ubuntu) Importance: Undecided Assignee: Mauricio Faria de Oliveira (mfo) Status: Confirmed ** Changed in: linux (Ubuntu) Assignee: (unassigned) => Mauricio Faria de Oliveira (mfo) ** Changed in: linux (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1811094 Title: iptables connlimit allows more connections than the limit when using multiple CPUs Status in linux package in Ubuntu: Confirmed Bug description: The following iptables connlimit rule can be breached with a multithreaded client and network device driver, due to a race in the conncount/connlimit code: # iptables -A INPUT -p tcp -m tcp --syn --dport 7777 \ -m connlimit --connlimit-above 2000 --connlimit-mask 0 \ -j DROP NOTE: Patches will be sent to the kernel-team mailing list and more details/testing will be provided later today. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1811094/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp