Saturday

[Bug 2149872] Re: iptables connlimit traffic loss

Hello Tim,

I have installed the provided kernel packages, but the problem still persists.

-- 
You received this bug notification because you are subscribed to linux in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2149872

Title:
  iptables connlimit traffic loss

Status in linux package in Ubuntu:
  New

Bug description:
  There seems to be a bug related to the iptables connlimit module in the latest Ubuntu 24.04.4 LTS kernel 6.8.0-110.

  I use the following iptables rule to limit the connections per IPv4 address to a webserver:

    iptables -I INPUT -p tcp --syn -m multiport --dports 80,443 -m connlimit --connlimit-above 200 -j DROP

  With this firewall rule installed, network traffic to the webserver is randomly dropped or delayed despite being well below the intended connection limit. It seems that the localhost address range is particularly affected, the first request from a local IP usually works, following requests are dropped or delayed.

  The problem also occurs if I choose ACCEPT instead of DROP as the target:

    iptables -I INPUT -p tcp --syn -m multiport --dports 80,443 -m connlimit --connlimit-above 200 -j ACCEPT

  The problem also occurs with the latest Ubuntu 24.04 proposed kernel 6.8.0-114, it does not occur with the previous kernel 6.8.0-107. It also occurs with Ubuntu 22.04.5 LTS kernel 5.15.0-174 and 5.15.0-176, I have not tested other kernel versions.

  This issue could be related to recent changes in the netfilter code regarding CVE-2026-23111.
  ---
  ProblemType: Bug
  ApportVersion: 2.28.1-0ubuntu3.8
  Architecture: amd64
  AudioDevicesInUse:
   USER PID ACCESS COMMAND
   /dev/snd/seq: tobias 1694 F.... pipewire
  CRDA: N/A
  CasperMD5CheckResult: unknown
  CurrentDesktop: KDE
  DistroRelease: Ubuntu 24.04
  HibernationDevice: RESUME=UUID=eaf0df5b-1533-4971-a82f-5efb004bff46
  InstallationDate: Installed on 2012-10-10 (4944 days ago)
  InstallationMedia: Kubuntu 12.04.1 LTS "Precise Pangolin" - Release amd64 (20120820.1)
  IwConfig:
   lo no wireless extensions.
   eth0 no wireless extensions.
   virbr0 no wireless extensions.
  Lsusb:
   Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
   Bus 001 Device 002: ID 80ee:0021 VirtualBox USB Tablet
  Lsusb-t:
   /: Bus 001.Port 001: Dev 001, Class=root_hub, Driver=ohci-pci/12p, 12M
   |__ Port 001: Dev 002, If 0, Class=Human Interface Device, Driver=usbhid, 12M
  MachineType: innotek GmbH VirtualBox
  Package: linux (not installed)
  ProcFB: 0 vmwgfxdrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-6.8.0-114-generic root=UUID=d9d0da57-a29f-4c02-a10b-9aea6411bc6b ro noplymouth
  ProcVersionSignature: Ubuntu 6.8.0-114.114-generic 6.8.12
  PulseList: Error: command ['pacmd', 'list'] failed with exit code 1: No PulseAudio daemon running, or not running as session daemon.
  RelatedPackageVersions:
   linux-restricted-modules-6.8.0-114-generic N/A
   linux-backports-modules-6.8.0-114-generic N/A
   linux-firmware 20240318.git3b128b60-0ubuntu2.26
  RfKill:
  Tags: noble
  Uname: Linux 6.8.0-114-generic x86_64
  UpgradeStatus: Upgraded to noble on 2025-01-05 (474 days ago)
  UserGroups: adm cdrom dip libvirt libvirtd lpadmin plugdev sambashare sudo
  _MarkForUpload: True
  dmi.bios.date: 12/01/2006
  dmi.bios.vendor: innotek GmbH
  dmi.bios.version: VirtualBox
  dmi.board.name: VirtualBox
  dmi.board.vendor: Oracle Corporation
  dmi.board.version: 1.2
  dmi.chassis.type: 1
  dmi.chassis.vendor: Oracle Corporation
  dmi.modalias: dmi:bvninnotekGmbH:bvrVirtualBox:bd12/01/2006:svninnotekGmbH:pnVirtualBox:pvr1.2:rvnOracleCorporation:rnVirtualBox:rvr1.2:cvnOracleCorporation:ct1:cvr:sku:
  dmi.product.family: Virtual Machine
  dmi.product.name: VirtualBox
  dmi.product.version: 1.2
  dmi.sys.vendor: innotek GmbH

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2149872/+subscriptions
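
One way to check the report's premise that sources are "well below the intended connection limit" is to count open tracked TCP connections per source address from `conntrack -L -p tcp` output and compare them with the rule's threshold. This is an added example, not part of the bug report or of the netfilter code; the sample lines are constructed, and treating TIME_WAIT and CLOSE entries as not counted is an assumption about how connlimit counts.

```python
import re
from collections import Counter

LIMIT = 200                      # --connlimit-above value from the reported rule
PORTS = {80, 443}                # --dports from the reported rule
CLOSED = {"TIME_WAIT", "CLOSE"}  # assumption: states not counted as open

# Constructed sample in `conntrack -L -p tcp` output format (not real data).
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=51234 dport=80 src=127.0.0.1 dst=127.0.0.1 sport=80 dport=51234 [ASSURED] mark=0 use=1
tcp      6 431990 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=51236 dport=80 src=127.0.0.1 dst=127.0.0.1 sport=80 dport=51236 [ASSURED] mark=0 use=1
tcp      6 57 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=51230 dport=443 src=127.0.0.1 dst=127.0.0.1 sport=443 dport=51230 [ASSURED] mark=0 use=1
tcp      6 119 SYN_SENT src=192.0.2.10 dst=192.0.2.1 sport=40000 dport=443 [UNREPLIED] src=192.0.2.1 dst=192.0.2.10 sport=443 dport=40000 mark=0 use=1
tcp      6 431000 ESTABLISHED src=192.0.2.10 dst=192.0.2.1 sport=40002 dport=22 src=192.0.2.1 dst=192.0.2.10 sport=22 dport=40002 [ASSURED] mark=0 use=1
"""

# State plus the original-direction tuple (the first src/dst/sport/dport group).
ENTRY = re.compile(
    r"^tcp\s+6\s+\d+\s+(?P<state>[A-Z_]+)\s+src=(?P<src>\S+)\s+dst=\S+"
    r"\s+sport=\d+\s+dport=(?P<dport>\d+)"
)

def open_per_source(text, ports=PORTS):
    """Count open tracked connections to the limited ports, per source address."""
    counts = Counter()
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m or m["state"] in CLOSED:
            continue
        if int(m["dport"]) in ports:
            counts[m["src"]] += 1
    return counts

def sources_over_limit(counts, limit=LIMIT):
    """Sources for which a rule with --connlimit-above <limit> should match."""
    return {src: n for src, n in counts.items() if n > limit}

def headroom(text, limit=LIMIT):
    """(source, open connections, remaining headroom), busiest source first."""
    counts = open_per_source(text)
    return [(s, n, limit - n) for s, n in sorted(counts.items(), key=lambda kv: -kv[1])]

if __name__ == "__main__":
    for src, n, left in headroom(SAMPLE):
        print(f"{src}: {n} open, {left} below the limit")
    if not sources_over_limit(open_per_source(SAMPLE)):
        print("no source exceeds the limit; drops from this rule would be unexpected")
```

On a live host, feed the function the output of `conntrack -L -p tcp` captured while the drops occur, and compare the result with the packet counter of the connlimit rule shown by `iptables -L INPUT -v -n`.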
