AlmaLinux / almalinux-deploy

EL to AlmaLinux migration tool.
GNU General Public License v3.0

Iptables owner mode causes applications which open many tcp connections to hang #180

Open R4z0R7 opened 10 months ago

R4z0R7 commented 10 months ago

Hello,

If we make a given port available only to a particular user, using iptables and the owner module, that user is not able to make many tcp connections to the specified port in a short period of time, causing applications which rapidly open and close a large number of connections to hang.

Environment:

    AlmaLinux release 8.8 (Sapphire Caracal)
    4.18.0-477.15.1.el8_8.x86_64
    iptables v1.8.4 (nf_tables)
    Ncat: Version 7.91 ( https://nmap.org/ncat )

Steps to reproduce:

  1. Make a tcp port (12355 in the example) available only to user web1:

    iptables -I OUTPUT -s 127.0.0.1 -d 0.0.0.0/0 -p tcp --dport 12355 -m owner --gid-owner web1 -j ACCEPT
    iptables -A OUTPUT -s 127.0.0.1 -d 0.0.0.0/0 -p tcp --dport 12355 -j DROP

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     tcp  --  127.0.0.1            0.0.0.0/0            tcp dpt:12355 owner GID match 1001
    DROP       tcp  --  127.0.0.1            0.0.0.0/0            tcp dpt:12355

  2. Start an Ncat process listening on that port:

    nc -l -k 12355

  3. Log in as user web1 and run this command:

    for i in {1..10000}; do echo "date" ; echo "$i \n" && echo 1 | telnet 127.0.0.1 12355 2>&1 > /dev/null; done
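A bounded version of the reproduction loop, added here as an example and not part of the issue or of the almalinux-deploy project: it replaces `nc -l -k` and the telnet loop with Python sockets, puts a timeout on every connect, and returns the iteration at which connections start stalling instead of hanging there. The listener port (12355) and loopback addresses match the report; run the connect side as user web1 with the two OUTPUT rules loaded to reproduce, and without them as the control.

```python
import socket
import threading

def start_listener(port=12355, host="127.0.0.1"):
    """Stand-in for `nc -l -k`: accept and immediately close connections.
    Returns (bound_port, stop_event); port=0 lets the kernel pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1024)
    srv.settimeout(0.2)  # lets the accept loop notice the stop flag
    stop = threading.Event()

    def accept_loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            conn.close()
        srv.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1], stop

def connect_burst(port, count=10000, timeout=3.0, host="127.0.0.1"):
    """Same pattern as the telnet loop (connect, send one line, close), but each
    connect is bounded by `timeout`, so a stall is reported instead of waited on.
    Returns (connections_completed, first_failed_iteration or None, error)."""
    for i in range(1, count + 1):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            s.sendall(b"1\n")
        except OSError as exc:  # socket.timeout is an OSError subclass
            return i - 1, i, repr(exc)
        finally:
            s.close()
    return count, None, ""

if __name__ == "__main__":
    # Run as user web1 with the OUTPUT rules in place; the printed tuple gives
    # the iteration at which connections started timing out (None = no stall).
    port, stop = start_listener(12355)
    print(connect_burst(port))
    stop.set()
```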

At some point, way before the 10000th iteration, the cycle will hang. It doesn't usually stop on the exact same connection. It could stop after 500, or 2000, etc. There are no errors or warnings in dmesg or /var/log/messages.

If we remove the corresponding firewall rules and run the for cycle, the process doesn't hang. There is no such issue in CentOS 7.

While the process is stuck and we cannot make a connection to port 12355 from localhost, if the port is open to the world we can still make a connection from outside our system.