David Miller <da...@davemloft.net> wrote:
[ flow tables ]
> Ok, that seems to constrain the exposure.
>
> We should talk at some point about how exposed conntrack itself is.

Sure, we can do that. If you have specific scenarios (synflood, peer that opens 100k (legitimate) connections, perpetual-fin, etc.) in mind, let me know. I do think that we could still do better in some cases.