[SRU X][PATCH 0/6] netfilter: nf_conncount: fix for LP#1811094

Stefan Bader stefan.bader at canonical.com
Thu Jan 10 10:25:02 UTC 2019


On 10.01.19 04:31, Mauricio Faria de Oliveira wrote:
> BugLink: https://bugs.launchpad.net/bugs/1811094
> 
> [Impact]
> 
>  * The iptables connection count/limit rules can be breached
>    with multithreaded network driver/server/client (common)
>    due to a race in the conncount/connlimit code.
> 
>  * For example:
> 
>    # iptables -A INPUT -p tcp -m tcp --syn --dport 7777 \
>      -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
>      -j DROP
> 
>  * The fix is a backport from an upstream commit that resolves
>    the problem (plus dependencies for a cleaner backport) that
>    address the race condition:
> 
>    commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage
>    collection confirm race").
> 
> [Test Case]
> 
>  * Server-side: (relevant kernel side)
>    (limit TCP port 7777 to only 2000 connections)
> 
>    # iptables -A INPUT -p tcp -m tcp --syn --dport 7777 \
>      -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
>      -j DROP
> 
>    # ulimit -SHn 65000 # increase number of open files
>    # ruby server.rb # multi-threaded server
> 
>  * Client-side:
> 
>    # ulimit -SHn 65000
>    # ruby client.rb <server ip> <port> <target # connections> <# threads>
>    <test output>
> 
>  * Results with Original kernel:
>    (client achieves target of 6000 connections > limit of 2000 connections)
> 
>    # ruby client.rb 10.230.56.100 7777 6000 3
>    1
>    2
>    3
>    <...>
>    6000
>    Target reached. Thread finishing
>    6001
>    Target reached. Thread finishing
>    6002
>    Target reached. Thread finishing
>    Threads done. 6002 connections
>    press enter to exit
> 
>  * Results with Modified kernel:
>    (client is limited to 2000 connections, and times out afterward)
> 
>    # ruby client.rb 10.230.56.100 7777 6000 3
>    1
>    2
>    3
>    <...>
>    2000
>    <... blocks for a few minutes ...>
>    failed to create connection: Connection timed out - connect(2) for "10.230.56.100" port 7777
>    failed to create connection: Connection timed out - connect(2) for "10.230.56.100" port 7777
>    failed to create connection: Connection timed out - connect(2) for "10.230.56.100" port 7777
>    Threads done. 2000 connections
>    press enter to exit
> 
>  * Test cases possibly available upon request,
>    depending on original author's permission.
> 
> [Regression Potential]
> 
>  * The patchset has been reviewed by a netfilter maintainer [1] in
>    stable mailing list, and was considered OK for 4.14, and that's
>    essentially the same backport for 4.15 and 4.4.
> 
>  * The changes are limited to netfilter connlimit/conncount (names
>    change between older/newer kernel versions).
> 
> [Other Info]
> 
>  * The backport for 4.14 [2] is applied as of 4.14.92.
> 
> [1] https://www.spinics.net/lists/stable/msg276883.html
> [2] https://www.spinics.net/lists/stable/msg276910.html
> 
> Florian Westphal (3):
>   netfilter: xt_connlimit: don't store address in the conn nodes
>   netfilter: nf_conncount: fix garbage collection confirm race
>   netfilter: nf_conncount: don't skip eviction when age is negative
> 
> Mauricio Faria de Oliveira (1):
>   UBUNTU: SAUCE: netfilter: xt_connlimit: remove the 'addr' parameter in
>     add_hlist()

Just double checking since I do not see this set on 4.4.y right now: you are
positive that this does affect 4.4 the same? If yes, think we could just take
the patches from 4.14.y and try to get those into our Xenial tree. Just in case,
this is an acceptable approach and has been done before (I mean instead of
working with the upstream changes, take those which were applied to a closer
upstream stable). I did a quick test with "netfilter: xt_connlimit: don't store
address in the conn nodes" and it looks like that could just become a

(cherry-picked from commit 5e614e212a6359af78b6034ceb12c56f71d5b423 linux-4.14.y)

> 
> Pablo Neira Ayuso (1):
>   netfilter: nf_conncount: expose connection list interface
> 
> Yi-Hung Wei (1):
>   netfilter: nf_conncount: Fix garbage collection with zones
> 
>  include/net/netfilter/nf_conntrack_count.h | 15 ++++
>  net/netfilter/xt_connlimit.c               | 99 +++++++++++++++++-----
>  2 files changed, 91 insertions(+), 23 deletions(-)
>  create mode 100644 include/net/netfilter/nf_conntrack_count.h
> 
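A self-contained stand-in for the server.rb/client.rb pair the test case above refers to (those scripts were not posted; this is added here and is not part of the submission): a hold-open server on a loopback ephemeral port plus a multi-threaded client that connects until the target count is reached and reports how many connections succeeded before a connect timed out or was refused. The connlimit DROP rule is assumed to be installed separately as in the steps above; without it every connection succeeds, with it the connected count should stop at the limit.

```ruby
require 'socket'

# Hold-open server: accepts connections and keeps them alive so each one
# stays counted by conntrack (constructed stand-in for server.rb).
def start_hold_server(host = '127.0.0.1', port = 0)
  server = TCPServer.new(host, port)
  held = []
  Thread.new do
    begin
      loop { held << server.accept }
    rescue IOError, Errno::EBADF
      # server was closed; stop accepting
    end
  end
  [server, held]
end

# Multi-threaded client (constructed stand-in for client.rb): every thread
# connects until `target` connections are open. A connect that times out or
# is refused is counted as a failure and ends that thread, which is what the
# connlimit DROP rule produces once the limit is reached. Sockets are kept
# open, because a closed connection no longer counts against the limit.
def open_connections(host, port, target, nthreads, timeout: 5)
  mutex = Mutex.new
  opened = []
  failures = 0
  workers = Array.new(nthreads) do
    Thread.new do
      loop do
        # Check-then-connect outside the lock: like the original run, the
        # total may overshoot by up to nthreads - 1 (6002 for target 6000).
        break if mutex.synchronize { opened.size } >= target
        begin
          sock = Socket.tcp(host, port, connect_timeout: timeout)
          mutex.synchronize { opened << sock; puts opened.size }
        rescue SystemCallError => e
          mutex.synchronize { failures += 1 }
          warn "failed to create connection: #{e.message}"
          break
        end
      end
    end
  end
  workers.each(&:join)
  { connected: opened.size, failed: failures, sockets: opened }
end
```

Run `server, = start_hold_server` on the server side and `open_connections(ip, port, 6000, 3)` on the client side to mirror the invocation in the test case; the returned hash gives the "Threads done. N connections" figure.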

