Eugene Crosser <crosser@xxxxxxxxxxx> wrote:
> My use case is to set up a stateful firewall allowing any outgoing connection
> from a host, and restricting incoming, which obviously requires conntracking.
> The twist is that there exists a rather high probability of DoS-like incoming
> traffic that easily overflows the conntrack table with unconfirmed entries, even
> though their lifetime is very short.

Create a rule that drops NEW packets in the prerouting hook.

For iptables, mangle will work (raw is too early).

For nftables, you'll need to choose a hook priority of -199 or higher (-198, ... to anything below 2**31).

Such packets will create a new connection entry, but because the packet gets dropped before confirmation, the entry will not be committed to the table.
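As an added example (not from the thread or either poster), the rule the reply describes in both dialects: an iptables rule in the mangle table's PREROUTING chain, and an nftables chain hooked at prerouting with priority -199, i.e. just after conntrack (which hooks at -200) has created the unconfirmed entry but before anything confirms it. The interface name eth0 and the allowed port 22 are placeholders I assumed; the script only prints the rules unless explicitly told to apply them as root.

```shell
#!/bin/sh
# Added example, not the original poster's configuration. Generates (and, on
# request, applies) rules that drop NEW packets from the outside in the
# prerouting hook so their conntrack entries are never confirmed.
#
# Assumptions (not stated in the thread): "eth0" is the external interface and
# 22/tcp is the only port that should still accept inbound connections.
set -eu

WAN_IF="eth0"      # hypothetical external interface
ALLOWED_TCP="22"   # hypothetical inbound port still allowed

# iptables: mangle/PREROUTING runs after conntrack has classified the packet.
# The raw table runs *before* conntrack, so "--ctstate NEW" cannot match there
# (the packet is still untracked); that is what "raw is too early" means.
# Dropping in mangle means the entry conntrack just allocated is freed with the
# packet instead of being confirmed into the table at the end of the hook.
iptables_rules() {
    cat <<EOF
iptables -t mangle -A PREROUTING -i $WAN_IF -p tcp --dport $ALLOWED_TCP -m conntrack --ctstate NEW -j ACCEPT
iptables -t mangle -A PREROUTING -i $WAN_IF -m conntrack --ctstate NEW -j DROP
EOF
}

# nftables: conntrack is registered on prerouting at priority -200, so the
# chain must sit at -199 or any later (numerically higher) priority. -199 is
# the earliest point at which "ct state new" is meaningful. Replies to
# connections the host opened itself arrive as "established" and pass.
nftables_ruleset() {
    cat <<EOF
table inet early_drop {
    chain pre {
        type filter hook prerouting priority -199; policy accept;
        iif "$WAN_IF" tcp dport { $ALLOWED_TCP } ct state new accept
        iif "$WAN_IF" ct state new drop
    }
}
EOF
}

# Usage: ./early_drop.sh            -> print both rule sets for review
#        ./early_drop.sh apply-nft  -> load the nftables ruleset (root)
#        ./early_drop.sh apply-ipt  -> run the iptables commands (root)
case "${1:-show}" in
    show)      iptables_rules; echo; nftables_ruleset ;;
    apply-nft) nftables_ruleset | nft -f - ;;
    apply-ipt) iptables_rules | sh ;;
    *)         echo "usage: $0 [show|apply-nft|apply-ipt]" >&2; exit 2 ;;
esac
```

The ACCEPT line for the allowed port is what makes the rule a whitelist rather than a blanket block; without it, nothing from the outside could ever start a connection. Verifying the effect is a matter of watching `conntrack -L` (or `nft list ct` counters) while sending SYNs to a closed port: with the rule in place the table does not grow.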