Hi Nicolas,

On Tue, Jun 04, 2024 at 03:54:38PM +0200, Nicolas Dichtel wrote:
> Since the below commit, there are regressions for legacy setups:
> 1/ conntracks are created while there is no listener
> 2/ a listener starts and dumps all conntracks to get the current state
> 3/ conntracks deleted before the listener has started are not advertised
>
> This is problematic in containers, where conntracks could be created early.
> This sysctl is part of the unsafe sysctls and cannot be changed easily in
> some environments.
>
> Let's switch back to the legacy behavior.

Maybe it is possible to annotate destroy events in a percpu area if the
conntrack extension is not available. This code used to follow such an
approach some time ago.