The following iptables connlimit rule can be breached with a multithreaded client and network device driver, due to a race in the conncount/connlimit code:

# iptables -A INPUT -p tcp -m tcp --syn --dport 7777 \
    -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
    -j DROP

NOTE: Patches will be sent to the kernel-team mailing list and more details/testing will be provided later today.
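A defender who suspects the limit is not being enforced can compare the live conntrack table against the rule's own grouping semantics. The check below is an added example, not part of this report or of the kernel patches: it parses `conntrack -L` style lines (the sample lines are constructed), applies `--connlimit-mask` the way the rule does (mask 0 puts every source in one bucket), and reports groups whose count is above the configured limit. The `conntrack -L` line layout is assumed from the tool's usual output.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in `conntrack -L` layout (not real traffic): three entries to
# dport 7777 from two /24s, one of them still half-open, plus one unrelated ssh entry.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=192.0.2.10 sport=40001 dport=7777 src=192.0.2.10 dst=10.0.0.5 sport=7777 dport=40001 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.6 dst=192.0.2.10 sport=40002 dport=7777 src=192.0.2.10 dst=10.0.0.6 sport=7777 dport=40002 [ASSURED] mark=0 use=1
tcp      6 117 SYN_SENT src=10.0.1.7 dst=192.0.2.10 sport=40003 dport=7777 [UNREPLIED] src=192.0.2.10 dst=10.0.1.7 sport=7777 dport=40003 mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.0.1.9 dst=192.0.2.10 sport=40004 dport=22 src=192.0.2.10 dst=10.0.1.9 sport=22 dport=40004 [ASSURED] mark=0 use=1
"""

# Original-direction tuple only: state, source address, destination port.
LINE_RE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+(\S+)\s+src=(\S+)\s+dst=\S+\s+sport=\d+\s+dport=(\d+)"
)


def mask_key(src: str, mask_bits: int) -> str:
    """Group a source address by --connlimit-mask: /32 is per host, /0 is one global bucket."""
    return str(ipaddress.ip_network(f"{src}/{mask_bits}", strict=False))


def count_by_group(conntrack_text: str, dport: int, mask_bits: int) -> Counter:
    """Count conntrack entries to `dport`, keyed by masked source network."""
    counts: Counter = Counter()
    for line in conntrack_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _state, src, port = m.groups()
        if int(port) != dport:
            continue
        # Half-open (SYN_SENT) entries count too: connlimit checks existing
        # conntrack entries when the new SYN arrives, whatever their state.
        counts[mask_key(src, mask_bits)] += 1
    return counts


def groups_above_limit(conntrack_text: str, dport: int, mask_bits: int, limit: int) -> dict:
    """Return {group: count} for groups that exceed `limit` (--connlimit-above semantics, i.e. strictly greater)."""
    counts = count_by_group(conntrack_text, dport, mask_bits)
    return {group: n for group, n in counts.items() if n > limit}


if __name__ == "__main__":
    # With the report's mask of 0 every source shares one bucket, so a limit of 2 is exceeded.
    print(groups_above_limit(SAMPLE_CONNTRACK, 7777, 0, 2))
    # A per-/24 mask would split the same entries and nothing would be over the limit.
    print(groups_above_limit(SAMPLE_CONNTRACK, 7777, 24, 2))
```

On a live host, replace `SAMPLE_CONNTRACK` with the output of `conntrack -L -p tcp` and use the limit from the rule (2000 here); any non-empty result means more entries got through than the rule should have allowed.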