Hi,

Recently we have had some problems with the conntrack table growing too large, and thus I experimented with lowering /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established from 5 days to a couple of hours.

One thing I am still curious about, though: what happens after established connections time out if packets arrive which still belong to that connection? Do they get dropped automatically by netfilter, or do I have to set up a rule to accomplish this?

In other words: is the conntrack code merely about managing a table of connection states that gets used, e.g., in the NAT code and can be queried for the state of connections in iptables rules, or does it perform stateful inspection itself and (based on that) packet dropping etc. too?

Thanks for your help.

-Daniel