Hello,

My use case is to set up a stateful firewall allowing any outgoing connection from a host and restricting incoming ones, which obviously requires conntracking. The twist is that there is a rather high probability of DoS-like incoming traffic that easily overflows the conntrack table with unconfirmed entries, even though their lifetime is very short.

I was hoping to keep conntracking enabled in the outgoing/raw hook, but in the prerouting/raw hook disable conntracking _unless_ an entry (previously created by an outgoing packet) already exists. In other words, *make incoming packets update existing entries but never create new entries*.

Looking at the code in resolve_normal_ct(), apparently there is no special flag or anything for that. But maybe it is possible to have a rule in the prerouting/raw chain that would conditionally set the `notrack` flag depending on a lookup in the conntrack table? Or maybe there are other suggestions on how to achieve the goal (of not letting "unexpected" incoming packets fill the conntrack table)?

Thank you,
Eugene
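One way to get most of the "replies only" behaviour for TCP with stock nftables, as an added example that is not part of the original message and does not answer the conntrack-lookup question itself: an unsolicited inbound packet with SYN set and ACK clear can never belong to a connection the host opened, so it can be marked `notrack` in the raw prerouting hook before conntrack ever sees it, while SYN-ACKs and later segments of outgoing connections are still tracked as usual. The interface name `eth0` and SSH as the only offered inbound service are assumptions; adjust both to the host.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original message). Assumed: untrusted interface
# is "eth0" and SSH on port 22 is the only inbound service this host offers.
flush ruleset

table inet filter {
    # The raw hook (priority -300) runs before conntrack (priority -200), so a
    # packet marked "notrack" here never gets a conntrack entry allocated,
    # confirmed or not, instead of merely being dropped after the fact.
    chain raw_prerouting {
        type filter hook prerouting priority raw; policy accept;

        # A pure SYN from the outside cannot be a reply to a connection this
        # host initiated, so leaving it untracked loses nothing. Services we do
        # offer are exempted so that their new connections are tracked.
        iifname "eth0" tcp flags & (syn | ack) == syn tcp dport != 22 notrack
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        # Replies to outgoing connections update their existing entries.
        ct state established, related accept
        ct state invalid drop
        # Untracked SYNs from above match nothing here and hit the drop policy.
        tcp dport 22 ct state new accept
        icmp type echo-request accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, echo-request } accept
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

Load it with `nft -f <file>`, then compare `/proc/sys/net/netfilter/nf_conntrack_count` under a burst of inbound SYNs with and without the raw rule. The approach only covers TCP: an unsolicited UDP datagram or ICMP message carries no flag that distinguishes it from a reply, so those still create (short-lived) entries and have to be bounded by the table size (`net.netfilter.nf_conntrack_max`) and timeouts instead.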