Hello,
If we make a given port available only to a particular user, using iptables and the owner module, that user is not able to make many tcp connections to the specified port in a short period of time, causing applications which rapidly open and close a large number of connections to hang.
Environment:
  AlmaLinux release 8.8 (Sapphire Caracal)
  kernel 4.18.0-477.15.1.el8_8.x86_64
  iptables v1.8.4 (nf_tables)
  Ncat: Version 7.91 ( https://nmap.org/ncat )
Steps to reproduce:
nc -l -k 12355
for i in {1..10000}; do echo "$(date)"; echo "$i \n" && echo 1 | telnet 127.0.0.1 12355 2>&1 > /dev/null; done
At some point, way before the 10000th iteration, the cycle will hang. It doesn't usually stop on the exact same connection. It could stop after 500, or 2000, etc. There are no errors or warnings in dmesg or /var/log/messages.
If we remove the corresponding firewall rules and run the for cycle, the process doesn't hang. There is no such issue in CentOS 7.
While the process is stuck and we cannot make a connection to port 12355 from localhost, if the port is open to the world we can still make a connection from outside our system.
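The report does not show the firewall rules it used, and the telnet loop above blocks silently when a connection stalls, so the iteration at which it happened is lost. The script below is an added example (not the reporter's code) that does both parts in a checkable way: the owner-module rules are an assumption of what "available only to a particular user" looks like (ACCEPT on the loopback OUTPUT path for one UID, DROP for everyone else, port 12355 as in the report), and the connect loop gives every attempt a hard timeout so a stall is reported as "stall N" instead of hanging the shell. The names apply_rules, remove_rules, try_connect, connect_loop and the ALLOWED_UID/PORT variables are all hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not part of the original bug report.
# Requires: iptables with the xt_owner module (rules part, root only),
# coreutils timeout, and bash for /dev/tcp (connection part).

PORT=${PORT:-12355}                     # port from the report
ALLOWED_UID=${ALLOWED_UID:-$(id -u)}    # assumption: the only UID allowed to connect

# Assumed rule set: the owner match only works in OUTPUT/POSTROUTING, so the
# restriction has to be placed on the outgoing (connecting) side on lo.
apply_rules() {
  iptables -A OUTPUT -o lo -p tcp --dport "$PORT" -m owner --uid-owner "$ALLOWED_UID" -j ACCEPT
  iptables -A OUTPUT -o lo -p tcp --dport "$PORT" -j DROP
}

remove_rules() {
  iptables -D OUTPUT -o lo -p tcp --dport "$PORT" -m owner --uid-owner "$ALLOWED_UID" -j ACCEPT
  iptables -D OUTPUT -o lo -p tcp --dport "$PORT" -j DROP
}

# One connection attempt with a hard deadline.
# Exit status: 0 connected and sent "1"; 124 stalled past the deadline;
# anything else (e.g. 1) the connection was refused or failed immediately.
try_connect() {  # host port timeout_seconds
  timeout "$3" bash -c "exec 3<>/dev/tcp/$1/$2 && echo 1 >&3 && exec 3>&-" 2>/dev/null
}

# Run up to COUNT connections. Prints "stall I" and returns 1 at the first
# attempt that hits the deadline, otherwise prints "ok COUNT" and returns 0.
# Refused connections are counted as completed attempts, not stalls.
connect_loop() {  # host port count timeout_seconds
  n=1
  while [ "$n" -le "$3" ]; do
    try_connect "$1" "$2" "$4"
    rc=$?
    if [ "$rc" -eq 124 ]; then
      echo "stall $n"
      return 1
    fi
    n=$((n + 1))
  done
  echo "ok $3"
  return 0
}

# Snapshot of the local socket table for the port, useful to capture while
# the loop is stalled (half-open connections in SYN-SENT would show here).
socket_state() {
  ss -tan 2>/dev/null | grep ":$PORT " || true
}

# Usage as a full reproduction (root, with a listener already started with
# "nc -l -k 12355" in another terminal):
#   APPLY_RULES=1 ./repro.sh
if [ "${APPLY_RULES:-0}" = "1" ]; then
  apply_rules
  trap remove_rules EXIT
  if ! connect_loop 127.0.0.1 "$PORT" 10000 5; then
    socket_state
  fi
fi
```

With the rules applied, a run that prints "stall 512" followed by the ss snapshot is the data point missing from the report: the iteration count, and whether the stuck connection is sitting in SYN-SENT (SYN dropped or lost on lo) or never reached the socket table. Running the same loop with APPLY_RULES unset gives the control case that completes.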