Verification successful on trusty-proposed.

Updates kernel (goes above 2000 connections)
---

root@petilil:~# uname -a
Linux petilil 3.13.0-165-generic #215-Ubuntu SMP Wed Jan 16 11:46:47 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
root@petilil:~# iptables -F
root@petilil:~# iptables -A INPUT -p tcp -m tcp --syn --dport 7777 -m connlimit --connlimit-above 2000 --connlimit-mask 0 -j DROP
root@petilil:~# ulimit -SHn 65000
root@petilil:~# ruby ~ubuntu/server.rb 

root@rotom:~# ulimit -SHn 65000
root@rotom:~# ruby client.rb 10.230.56.100 7777 6000 3
1
2
3
...
6000
Target reached. Thread finishing
6001
Target reached. Thread finishing
6002
Target reached. Thread finishing
Threads done. 6002 connections
press enter to exit


Proposed kernel (stops at 2000 connections)
---

root@petilil:~# uname -a
Linux petilil 3.13.0-166-generic #216-Ubuntu SMP Thu Feb 7 14:07:53 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
root@petilil:~# iptables -F
root@petilil:~# iptables -A INPUT -p tcp -m tcp --syn --dport 7777 -m connlimit --connlimit-above 2000 --connlimit-mask 0 -j DROP
root@petilil:~# ulimit -SHn 65000
root@petilil:~# ruby ~ubuntu/server.rb 

root@rotom:~# ulimit -SHn 65000
root@rotom:~# ruby client.rb 10.230.56.100 7777 6000 3
ruby: No such file or directory -- client.rb (LoadError)
root@rotom:~# cd /home/mfo/sf192750/
root@rotom:/home/mfo/sf192750# ruby client.rb 10.230.56.100 7777 6000 3
Connecting to ["10.230.56.100"]:7777 6000 times with 3
1
2
3
...
2000
<blocks for a while>
failed to create connection: Connection timed out - connect(2) for "10.230.56.100" port 7777
failed to create connection: Connection timed out - connect(2) for "10.230.56.100" port 7777
failed to create connection: Connection timed out - connect(2) for "10.230.56.100" port 7777
Threads done. 2000 connections
press enter to exit


** Tags removed: verification-needed-trusty
** Tags added: verification-done-trusty

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1811094

Title:
  iptables connlimit allows more connections than the limit when using
  multiple CPUs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1811094/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
