Hello all! I've got a couple of questions about netfilter's connection tracker; could someone clarify them for me?

1. When is conntrack flushed? In /proc/net/ip_conntrack I see lots of UNREPLIED connections. I reload the conntrack kernel module but still see the table filled with old entries. The same seems to happen after rebooting the Linux box.

2. Are UNREPLIED connections wiped when the number of tracked connections reaches conntrack's capacity? Some web resources say they are, but others say otherwise. I tried reducing conntrack's capacity and saw that these connections aren't wiped and cause conntrack to overflow. Is that a bug or a feature?

3. I played with the NOTRACK target of the raw table and discovered that if I add a NOTRACK rule that matches already established connections, they get stuck in the table as UNREPLIED. Most of them disappear when I set net.ipv4.netfilter.ip_conntrack_tcp_loose to 0. Is it recommended to kill existing UNREPLIED connections in this way? Could there be any side effects for new or currently established connections that don't match NOTRACK?

Thanks in advance

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
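As an added example (not part of the original post, and not netfilter project code), here is a small Python parser for the /proc/net/ip_conntrack line format that counts UNREPLIED entries by protocol and TCP state, and lists the entries whose original-direction tuple a NOTRACK-style selector (protocol plus destination port) would match. That second function is what you want to run before adding a raw-table NOTRACK rule, to see which existing entries will be left behind. The sample table below is constructed: the addresses are documentation ranges, and the tcp ESTABLISHED entry marked [UNREPLIED] is the shape of an entry picked up mid-stream with tcp_loose=1, which is one of the two cases the third question describes. Lines from /proc/net/nf_conntrack, which add an "ipv4 2" prefix, are accepted as well.

```python
"""Summarise UNREPLIED entries in an ip_conntrack / nf_conntrack table dump."""
import re
import sys
from collections import Counter

# Constructed sample in the legacy /proc/net/ip_conntrack format. Addresses are
# documentation ranges (RFC 5737); timeouts and ports are made up.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=43210 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=43210 [ASSURED] mark=0 use=1
tcp      6 117 SYN_SENT src=192.0.2.10 dst=198.51.100.5 sport=43211 dport=80 [UNREPLIED] src=198.51.100.5 dst=192.0.2.10 sport=80 dport=43211 mark=0 use=1
tcp      6 299 ESTABLISHED src=192.0.2.11 dst=198.51.100.5 sport=50000 dport=443 [UNREPLIED] src=198.51.100.5 dst=192.0.2.11 sport=443 dport=50000 mark=0 use=1
udp      17 29 src=192.0.2.12 dst=198.51.100.9 sport=5353 dport=53 [UNREPLIED] src=198.51.100.9 dst=192.0.2.12 sport=53 dport=5353 mark=0 use=1
udp      17 171 src=192.0.2.12 dst=198.51.100.9 sport=5354 dport=53 src=198.51.100.9 dst=192.0.2.12 sport=53 dport=5354 [ASSURED] mark=0 use=1
icmp     1 29 src=192.0.2.13 dst=198.51.100.1 type=8 code=0 id=512 [UNREPLIED] src=198.51.100.1 dst=192.0.2.13 type=0 code=0 id=512 mark=0 use=1
"""

KV = re.compile(r"(\w+)=(\S+)")      # key=value tokens
FLAG = re.compile(r"\[(\w+)\]")      # [UNREPLIED], [ASSURED]
# Keys that belong to the original / reply tuples; everything else (mark, use,
# packets, bytes, ...) is kept separately.
TUPLE_KEYS = {"src", "dst", "sport", "dport", "type", "code", "id"}


def parse_entry(line):
    """Parse one conntrack line into proto, timeout, state, tuples and flags."""
    fields = line.split()
    if fields[0] in ("ipv4", "ipv6"):   # nf_conntrack prefix: l3proto l3num
        fields = fields[2:]
    proto = fields[0]
    timeout = int(fields[2])
    # Only TCP lines carry a state name right after the timeout.
    state = fields[3] if proto == "tcp" else None
    orig, reply, extra, flags = {}, {}, {}, set()
    target = orig
    for tok in fields:
        m = KV.fullmatch(tok)
        if m:
            key, val = m.groups()
            if key in TUPLE_KEYS:
                # The second src= starts the reply-direction tuple.
                if key == "src" and "src" in orig:
                    target = reply
                target[key] = val
            else:
                extra[key] = val
            continue
        m = FLAG.fullmatch(tok)
        if m:
            flags.add(m.group(1))
    return {"proto": proto, "timeout": timeout, "state": state,
            "orig": orig, "reply": reply, "extra": extra, "flags": flags}


def parse_table(text):
    return [parse_entry(l) for l in text.splitlines() if l.strip()]


def summarize_unreplied(entries):
    """Count UNREPLIED entries keyed by (proto, tcp_state)."""
    counts = Counter()
    for e in entries:
        if "UNREPLIED" in e["flags"]:
            counts[(e["proto"], e["state"])] += 1
    return counts


def entries_matching(entries, proto=None, dport=None):
    """Entries whose original-direction tuple a NOTRACK-style rule
    (-p proto --dport dport) would match. Those are the ones that stop being
    updated once such a rule is in place."""
    out = []
    for e in entries:
        if proto and e["proto"] != proto:
            continue
        if dport is not None and e["orig"].get("dport") != str(dport):
            continue
        out.append(e)
    return out


if __name__ == "__main__":
    # Usage: python3 conntrack_summary.py [/proc/net/nf_conntrack]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    table = parse_table(text)
    print(f"{len(table)} entries total")
    for (proto, state), n in sorted(summarize_unreplied(table).items(),
                                    key=lambda kv: -kv[1]):
        print(f"  UNREPLIED {proto} {state or ''}: {n}")
    for e in entries_matching(table, proto="tcp", dport=80):
        print("  would be left behind by NOTRACK tcp/80:",
              e["orig"], sorted(e["flags"]))
```

Reading the real table needs root (the proc file is root-readable only on most systems); with no argument the script runs on the constructed sample.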