Nicolas Dichtel <nicolas.dichtel@xxxxxxxxx> wrote:
> Since the below commit, there are regressions for legacy setups:
> 1/ conntracks are created while there is no listener
> 2/ a listener starts and dumps all conntracks to get the current state
> 3/ conntracks deleted before the listener has started are not advertised
>
> This is problematic in containers, where conntracks could be created early.
> This sysctl is part of unsafe sysctl and could not be changed easily in
> some environments.
>
> Let's switch back to the legacy behavior.

:-(

Would it be possible to resolve this for containers by setting the container
default to 1 if init_net had it changed to 1 at netns creation time?