On Tue, Nov 12, 2024 at 10:16:45AM +0100, Pablo Neira Ayuso wrote: > I guess the concern is that assured flows cannot be expelled from the > conntrack table via early_drop, that is why an expedite cleanup is > important? Actually, the issue is that packets could end up in a backend which does not exist after re-configuration, therefore, removing the entry need to happen so ongoing flow have a chance to talk to another (different) backend.