On Fri, 2016-07-08 at 16:34 +0200, Toralf Förster wrote:
> On 07/08/2016 04:14 PM, Eric Dumazet wrote:
> > Are you sure conntrack is needed at all ?
>
> Erm, I didn't mention conntrack - but yes, I do have in the firewall rules.
>
> It is my understanding that conntrack is best practise, right ?

It depends what you want to protect ?

The Linux TCP stack should work quite well without conntrack.

If you are aware of any known defect, we should fix the TCP stack instead of working around it by adding a very expensive framework.