Hi Pablo,
On 26/06/2024 at 13:41, Pablo Neira Ayuso wrote:
Hi Nicolas,
On Tue, Jun 04, 2024 at 03:54:38PM +0200, Nicolas Dichtel wrote:
Since the below commit, there are regressions for legacy setups:
1/ conntracks are created while there is no listener
2/ a listener starts and dumps all conntracks to get the current state
3/ conntracks deleted before the listener has started are not advertised
This is problematic in containers, where conntracks could be created early. This sysctl is part of the unsafe sysctls and could not be changed easily in some environments.
Let's switch back to the legacy behavior.
Maybe it is possible to annotate destroy events in a percpu area if the conntrack extension is not available. This code used to follow such an approach some time ago.
Thanks for the feedback. I was wondering if just sending the destroy event would be possible. TBH, I'm not very familiar with this part of the code, I need to dig a bit. I won't have time for this right now, any help would be appreciated.