Public bug reported:
The following iptables connlimit rule can be breached
with a multithreaded client and network device driver,
due to a race in the conncount/connlimit code:
# iptables -A INPUT -p tcp -m tcp --syn --dport 7777 \
-m connlimit --connlimit-above 2000 --connlimit-mask 0 \
-j DROP
NOTE: Patches will be sent to the kernel-team mailing list
and more details/testing will be provided later today.
** Affects: linux (Ubuntu)
Importance: Undecided
Assignee: Mauricio Faria de Oliveira (mfo)
Status: Confirmed
** Changed in: linux (Ubuntu)
Assignee: (unassigned) => Mauricio Faria de Oliveira (mfo)
** Changed in: linux (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1811094
Title:
iptables connlimit allows more connections than the limit when using
multiple CPUs
Status in linux package in Ubuntu:
Confirmed
Bug description:
The following iptables connlimit rule can be breached
with a multithreaded client and network device driver,
due to a race in the conncount/connlimit code:
# iptables -A INPUT -p tcp -m tcp --syn --dport 7777 \
-m connlimit --connlimit-above 2000 --connlimit-mask 0 \
-j DROP
NOTE: Patches will be sent to the kernel-team mailing list
and more details/testing will be provided later today.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1811094/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
