** Also affects: linux (Ubuntu Trusty)
Importance: Undecided
Status: New
** Changed in: linux (Ubuntu Trusty)
Importance: Undecided => Medium
** Changed in: linux (Ubuntu Trusty)
Status: New => Fix Committed
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1811094
Title:
iptables connlimit allows more connections than the limit when using
multiple CPUs
Status in linux package in Ubuntu:
Fix Committed
Status in linux source package in Trusty:
Fix Committed
Status in linux source package in Xenial:
Fix Committed
Status in linux source package in Bionic:
Fix Released
Status in linux source package in Cosmic:
Fix Committed
Bug description:
[Impact]
* The iptables connection count/limit rules can be breached
with multithreaded network driver/server/client (common)
due to a race in the conncount/connlimit code.
* For example:
# iptables -A INPUT -p tcp -m tcp --syn --dport 7777 \
-m connlimit --connlimit-above 2000 --connlimit-mask 0 \
-j DROP
* The fix is a backport from an upstream commit that resolves
the problem (plus dependencies for a cleaner backport) that
address the race condition:
commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage
collection confirm race").
[Test Case]
* Server-side: (relevant kernel side)
(limit TCP port 7777 to only 2000 connections)
# iptables -A INPUT -p tcp -m tcp --syn --dport 7777 \
-m connlimit --connlimit-above 2000 --connlimit-mask 0 \
-j DROP
# ulimit -SHn 65000 # increase number of open files
# ruby server.rb # multi-threaded server
* Client-side:
# ulimit -SHn 65000
# ruby client.rb <server ip> <port> <target # connections> <# threads>
<test output>
* Results with Original kernel:
(client achieves target of 6000 connections > limit of 2000 connections)
# ruby client.rb 10.230.56.100 7777 6000 3
1
2
3
<...>
6000
Target reached. Thread finishing
6001
Target reached. Thread finishing
6002
Target reached. Thread finishing
Threads done. 6002 connections
press enter to exit
* Results with Modified kernel:
(client is limited to 2000 connections, and times out afterward)
# ruby client.rb 10.230.56.100 7777 6000 3
1
2
3
<...>
2000
<... blocks for a few minutes ...>
failed to create connection: Connection timed out - connect(2) for
"10.230.56.100" port 7777
failed to create connection: Connection timed out - connect(2) for
"10.230.56.100" port 7777
failed to create connection: Connection timed out - connect(2) for
"10.230.56.100" port 7777
Threads done. 2000 connections
press enter to exit
* Test cases possibly available upon request,
depending on original author's permission.
[Regression Potential]
* The patchset has been reviewed by a netfilter maintainer [1] in
stable mailing list, and was considered OK for 4.14, and that's
essentially the same backport for 4.15 and 4.4.
* The changes are limited to netfilter connlimit/conncount (names
change between older/newer kernel versions).
[Other Info]
* The backport for 4.14 [2] is applied as of 4.14.92.
[1] https://www.spinics.net/lists/stable/msg276883.html
[2] https://www.spinics.net/lists/stable/msg276910.html
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1811094/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
