Date: Mon, 22 Apr 2019 20:57:10 +0200
From: Florian Westphal
To: Andreas Hartmann
Cc: Florian Westphal, Pablo Neira Ayuso, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 4.19 13/99] netfilter: nf_conncount: fix argument order to find_next_bit
Message-ID: <20190422185710.3la4ayzxslafxwbn@breakpoint.cc>

Andreas Hartmann wrote:
> > Could you at least tell us how you're using nf_conncount (nf/iptables
> > rules)?
>
> # Generated by iptables-save v1.6.2 on Mon Apr 22 20:19:30 2019
> *filter
> :INPUT DROP [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT DROP [4423:248703]
> -A INPUT -s 127.0.0.1/32 -d 239.255.255.250/32 -i lo -p udp -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
> -A INPUT -d 255.255.255.255/32 -p udp -j ACCEPT
> -A INPUT -d 224.0.0.1/32 -j ACCEPT
> -A INPUT -s 127.0.0.1/32 -d 127.0.0.2/32 -i lo -j ACCEPT
> -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -i lo -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -s 192.168.22.0/24 -j ACCEPT
> -A INPUT -j LOG --log-prefix "In Input gesperrt: "
> -A INPUT -s 169.254.2.1/32 -d 169.254.2.2/32 -i br1 -p tcp -m tcp --sport 80 -j ACCEPT
> -A OUTPUT -s 192.168.22.6/32 -d 224.0.0.22/32 -o lo -p igmp -j ACCEPT
> -A OUTPUT -d 192.168.6.173/32 -o br1 -p tcp -m tcp --dport 80 -j ACCEPT
> -A OUTPUT -s 169.254.2.2/32 -d 239.255.255.250/32 -o br1 -p udp -j DROP
> -A OUTPUT -s 192.168.22.6/32 -d 224.0.0.251/32 -o br1 -p udp -j ACCEPT
> -A OUTPUT -s 127.0.0.1/32 -d 239.255.255.250/32 -o lo -p udp -j ACCEPT
> -A OUTPUT -s 192.168.22.6/32 -d 255.255.255.255/32 -o br1 -p udp -m udp --dport 1900 -j ACCEPT
> -A OUTPUT -s 127.0.0.1/32 -d 127.255.255.255/32 -o br1 -p udp -j ACCEPT
> -A OUTPUT -s 192.168.22.6/32 -d 239.0.0.250/32 -o br1 -p igmp -j ACCEPT
> -A OUTPUT -s 192.168.22.6/32 -d 239.255.255.250/32 -o br1 -p igmp -j ACCEPT
> -A OUTPUT -s 192.168.22.6/32 -d 239.255.255.250/32 -o br1 -p udp -m udp --dport 1900 -j ACCEPT
> -A OUTPUT -s 192.168.22.6/32 -d 239.1.1.1/32 -o br1 -p udp -j ACCEPT
> -A OUTPUT -s 192.168.22.6/32 -d 239.1.1.1/32 -o br1 -p igmp -j ACCEPT
> -A OUTPUT -s 192.168.22.6/32 -d 224.0.0.251/32 -o br1 -p igmp -j ACCEPT
> -A OUTPUT -s 192.168.22.6/32 -p tcp -m tcp --dport 1935 -j ACCEPT
> -A OUTPUT -s 192.168.22.0/24 -d 192.168.3.0/24 -j ACCEPT
> -A OUTPUT -s 127.0.0.1/32 -d 127.0.0.2/32 -o lo -j ACCEPT
> -A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -o lo -j ACCEPT
> -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A OUTPUT -s 192.168.22.0/24 -d 192.168.22.0/24 -j ACCEPT
> -A OUTPUT -j LOG --log-prefix "In Output gesperrt: "
> -A OUTPUT -s 169.254.2.2/32 -d 169.254.2.1/32 -o br1 -p tcp -m tcp --dport 80 -j ACCEPT
> COMMIT

I don't see connlimit match is in use.

Could you post output of
lsmod | grep nf_conncount
and
grep CONNCOUNT ~/your_kernel_conf

Thanks.