Hi Michal,

Thanks for providing a nice summary of your experience when dealing with this problem. Always nice to know that I am not alone :)

On Thu, May 3, 2018 at 11:42 AM, Michal Kubecek <mkubecek@xxxxxxx> wrote:
> One of the ideas I had was this:
>
> - keep also unconfirmed conntracks in some data structure
> - check new packets also against unconfirmed conntracks
> - if it matches an unconfirmed conntrack, defer its processing
>   until that conntrack is either inserted or discarded

I was thinking about something along the same lines and came to the same conclusion; it is a lot of hassle and work for a very special case.

I think that replacing the conntrack entry is a good compromise: it improves on the current situation, and allows for the creation of "perfect" solutions in user-space. For example, a user can keep track of seen UDP flows, and then only release new packets belonging to the same flow when the conntrack entry is created.

BR,
Kristian

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
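The three options discussed in this thread (the current behaviour of dropping a packet whose new conntrack clashes with one inserted meanwhile, Kristian's "replace the entry" compromise, and Michal's "defer packets that match an unconfirmed conntrack" idea) can be compared in a small simulation. The following is an added, constructed model written for this page; it is not kernel code and not anything from the thread's authors. It assumes a simplified two-hook pipeline (a lookup/allocate step followed later by a confirmation step), so an entry is "unconfirmed" while its first packet is in flight, exactly the window in which several UDP packets of the same flow can each allocate their own entry. Flow tuples and packet ids are constructed sample data.

```python
"""Toy model of the conntrack clash-on-confirm race (constructed example, not kernel code)."""
from collections import defaultdict, deque


class ConntrackModel:
    """Minimal conntrack table with three policies for handling a clash at confirm time.

    policy: "drop"    - current behaviour in the thread: second entry clashes, packet dropped
            "replace" - the compromise discussed: new entry replaces the one inserted meanwhile
            "defer"   - park packets that match an unconfirmed entry until it is inserted
    """

    def __init__(self, policy):
        assert policy in ("drop", "replace", "defer")
        self.policy = policy
        self.confirmed = {}                    # flow tuple -> entry in the hash table
        self.unconfirmed = defaultdict(list)   # flow tuple -> allocated, not yet inserted
        self.deferred = defaultdict(deque)     # flow tuple -> parked packets ("defer" only)
        self.inflight = {}                     # packet id -> entry the packet is attached to
        self.delivered = []
        self.dropped = []
        self.clashes = 0

    def prerouting(self, pkt):
        """First hook: find an existing entry for the flow, otherwise allocate a new one."""
        flow = pkt["flow"]
        if flow in self.confirmed:
            self.inflight[pkt["id"]] = self.confirmed[flow]
            return "existing"
        if self.policy == "defer" and self.unconfirmed[flow]:
            # Another packet of this flow is mid-creation: hold this one back.
            self.deferred[flow].append(pkt)
            return "deferred"
        entry = {"flow": flow, "confirmed": False}
        self.unconfirmed[flow].append(entry)
        self.inflight[pkt["id"]] = entry
        return "new"

    def confirm(self, pkt):
        """Last hook: insert the packet's entry into the table ("confirmation")."""
        entry = self.inflight.pop(pkt["id"])
        flow = entry["flow"]
        if entry["confirmed"]:
            self.delivered.append(pkt["id"])
            return "delivered"
        self.unconfirmed[flow].remove(entry)
        if flow in self.confirmed:
            # Clash: an identical tuple was inserted while this packet was in flight.
            self.clashes += 1
            if self.policy != "replace":
                self.dropped.append(pkt["id"])
                return "clash"
            # "replace": the newer entry wins; the earlier one is simply superseded here.
        entry["confirmed"] = True
        self.confirmed[flow] = entry
        self.delivered.append(pkt["id"])
        # Packets parked on this flow now find a confirmed entry and go through.
        while self.deferred[flow]:
            parked = self.deferred[flow].popleft()
            self.prerouting(parked)
            self.confirm(parked)
        return "inserted"


def run_scenario(policy):
    """Three UDP packets of one flow all pass the first hook before any is confirmed
    (as happens when they are all queued to user space at once)."""
    flow = ("udp", "192.0.2.1", 40000, "192.0.2.2", 53)   # constructed sample flow
    pkts = [{"id": i, "flow": flow} for i in range(1, 4)]
    model = ConntrackModel(policy)
    for p in pkts:
        model.prerouting(p)
    for p in pkts:
        if p["id"] in model.inflight:      # deferred packets were already handled on release
            model.confirm(p)
    return {"delivered": model.delivered, "dropped": model.dropped, "clashes": model.clashes}


if __name__ == "__main__":
    for policy in ("drop", "replace", "defer"):
        print(policy, run_scenario(policy))
```

The "replace" run still records two clashes but loses no packet, which is the "improves on the current situation" point; "defer" avoids the clash entirely at the cost of the extra bookkeeping (an index of unconfirmed entries plus a per-flow queue) that the thread judges too much hassle for the kernel. A user-space program sitting between the two hooks can implement the same deferral itself by holding packets of a flow it has already seen until the first one has been released and its entry confirmed.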