Thursday

[Bug 2149872] [NEW] iptables connlimit traffic loss

Public bug reported:

There seems to be a bug related to the iptables connlimit module in the latest Ubuntu 24.04.4 LTS kernel 6.8.0-110. I use the following iptables rule to limit the connections per IPv4 address to a webserver:

    iptables -I INPUT -p tcp --syn -m multiport --dports 80,443 -m connlimit --connlimit-above 200 -j DROP

With this firewall rule installed, network traffic to the webserver is randomly dropped or delayed despite being well below the intended connection limit. It seems that the localhost address range is particularly affected: the first request from a local IP usually works, following requests are dropped or delayed.

The problem also occurs if I choose ACCEPT instead of DROP as the target:

    iptables -I INPUT -p tcp --syn -m multiport --dports 80,443 -m connlimit --connlimit-above 200 -j ACCEPT

The problem also occurs with the latest Ubuntu 24.04 proposed kernel 6.8.0-114; it does not occur with the previous kernel 6.8.0-107. It also occurs with Ubuntu 22.04.5 LTS kernel 5.15.0-174 and 5.15.0-176. I have not tested other kernel versions.

This issue could be related to recent changes in the netfilter code regarding CVE-2026-23111.

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are subscribed to linux in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2149872

Title:
  iptables connlimit traffic loss

Status in linux package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2149872/+subscriptions
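A quick way to confirm the behaviour described in the report on a host is to compare the packet counter of the connlimit DROP rule with the actual number of connections each source currently holds: if the rule keeps matching while the busiest source is far below the configured limit, the match is firing wrongly. The script below is an added example, not part of the bug report or of the Ubuntu kernel/iptables projects. It parses the output of `iptables -nvxL INPUT` and `ss -Htn` (both assumed to be run as root); the two outputs embedded here are constructed samples so that it runs offline, and the per-source counting looks at sockets rather than conntrack entries, so it is an approximation of what connlimit actually counts.

```python
#!/usr/bin/env python3
"""Cross-check an iptables connlimit DROP rule's packet counter against the
per-source connection counts a host really has.  Constructed sample output is
embedded so the script runs offline; feed it live `iptables -nvxL INPUT` and
`ss -Htn` output (run as root) to check a real web server."""
import re
from collections import Counter

# Constructed sample of `iptables -nvxL INPUT`; NOT captured from the reporter's host.
# Columns: pkts bytes target prot opt in out source destination [match text]
SAMPLE_IPTABLES = """\
Chain INPUT (policy ACCEPT 1234 packets, 98765 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      37       2220 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 multiport dports 80,443 #conn src/32 > 200
  120000   80000000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
"""

# Constructed sample of `ss -Htn` (State Recv-Q Send-Q Local:Port Peer:Port).
SAMPLE_SS = """\
ESTAB    0 0 198.51.100.7:443   203.0.113.5:51234
ESTAB    0 0 198.51.100.7:443   203.0.113.5:51235
ESTAB    0 0 198.51.100.7:80    203.0.113.9:40001
SYN-RECV 0 0 198.51.100.7:443   127.0.0.1:60123
ESTAB    0 0 198.51.100.7:22    203.0.113.5:51300
"""

# connlimit renders its parameters as e.g. "#conn src/32 > 200" in -L output.
CONNLIMIT_RE = re.compile(r"#conn\s+(src|dst)/(\d+)\s+([<>])\s+(\d+)")


def parse_connlimit_rules(listing):
    """Return [(target, pkts, limit)] for every rule carrying a connlimit match."""
    rules = []
    for line in listing.splitlines():
        m = CONNLIMIT_RE.search(line)
        if not m:
            continue
        fields = line.split()
        pkts, target = int(fields[0]), fields[2]
        rules.append((target, pkts, int(m.group(4))))
    return rules


def split_addr(endpoint):
    """'203.0.113.5:51234' or '[::1]:443' -> (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def count_per_source(ss_output, ports=(80, 443)):
    """Count sockets per peer address that terminate on the given local ports."""
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        if split_addr(fields[3])[1] in ports:
            counts[split_addr(fields[4])[0]] += 1
    return counts


def diagnose(listing, ss_output):
    """Flag connlimit DROP rules that fired while every source sits below the limit."""
    findings = []
    busiest = max(count_per_source(ss_output).values(), default=0)
    for target, pkts, limit in parse_connlimit_rules(listing):
        if target == "DROP" and pkts > 0 and busiest < limit:
            findings.append(
                f"{pkts} SYNs dropped by connlimit (limit {limit}) while the busiest "
                f"source holds only {busiest} connections"
            )
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_IPTABLES, SAMPLE_SS) or ["no unexpected connlimit drops"]:
        print(finding)
```

On a live host, run it once, note the counter, and re-run after a few requests from a source that is clearly under the limit; a growing DROP counter with a low per-source count reproduces the report. For an exact view of what connlimit counts, list the conntrack table (`conntrack -L`) instead of sockets.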
