> > Alternatively, if no answer comes back at all, the conntrack is in the
> > (extra) state UNREPLIED. When the connection table becomes full, UNREPLIED
> > connections are recycled preferentially.
>
> Hey, this is not fair !!!!!

The behaviour is as fair as it can be, IMO.

> This behaviour is not described in ip_conntrack_proto_tcp.c.
> Where is it coded ????

Mostly in ip_conntrack_core.c. The early_drop() and unreplied()
functions implement the checking, based on the IPS_ASSURED bit in
conntrack->status. Use "grep" to see where that bit is set.

best regards
Patrick
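
A simplified model of the recycling policy discussed in this thread, added here as an example; it is not code from ip_conntrack_core.c or from the message author. The table size, the struct layout, the ST_ASSURED value and the function names (ct_insert, ct_assure, ct_find, model_early_drop) are assumptions, and a flat array stands in for the kernel's real data structures.

```c
#include <stdio.h>

#define TABLE_MAX  4      /* model capacity, tiny on purpose (constructed) */
#define ST_ASSURED 0x1u   /* model stand-in for the IPS_ASSURED status bit */

struct conn { int used; unsigned id; unsigned status; };
struct ct_table { struct conn slot[TABLE_MAX]; int count; };

/* Recycle one entry that never became assured; 1 if something was freed. */
static int model_early_drop(struct ct_table *t) {
    for (int i = 0; i < TABLE_MAX; i++)
        if (t->slot[i].used && !(t->slot[i].status & ST_ASSURED)) {
            t->slot[i].used = 0;
            t->count--;
            return 1;
        }
    return 0;             /* every entry is assured: nothing may be evicted */
}

static struct conn *ct_find(struct ct_table *t, unsigned id) {
    for (int i = 0; i < TABLE_MAX; i++)
        if (t->slot[i].used && t->slot[i].id == id) return &t->slot[i];
    return NULL;
}

/* Set the assured bit on a tracked connection; 1 if the entry exists. */
static int ct_assure(struct ct_table *t, unsigned id) {
    struct conn *c = ct_find(t, id);
    if (c) c->status |= ST_ASSURED;
    return c != NULL;
}

/* Track a new connection: 0 on success, -1 if the new packet is dropped. */
static int ct_insert(struct ct_table *t, unsigned id) {
    if (t->count >= TABLE_MAX && !model_early_drop(t)) return -1;
    for (int i = 0; i < TABLE_MAX; i++)
        if (!t->slot[i].used) {
            t->slot[i] = (struct conn){ 1, id, 0 };
            t->count++;
            return 0;
        }
    return -1;
}

int main(void) {
    struct ct_table t = {0};
    ct_insert(&t, 1); ct_assure(&t, 1);             /* connection that got replies */
    ct_insert(&t, 2); ct_insert(&t, 3); ct_insert(&t, 4); /* never assured */
    printf("insert 5 -> %d, conn 1 kept: %d, conn 2 kept: %d\n",
           ct_insert(&t, 5), ct_find(&t, 1) != NULL, ct_find(&t, 2) != NULL);
    return 0;
}
```

In this model a full table gives up an unassured entry to make room, and a new connection is refused only once every remaining entry is assured.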