We've recently upgraded to Ubuntu 16.04 (kernel 4.4) and I've noticed some new behavior regarding net.netfilter.nf_conntrack_max. In the past (with 12.04 running 3.2), if you hit nf_conntrack_max, you wouldn't be able to establish any new connections. However, I've been doing some testing with SYN flooding and SYNPROXY DDoS protection. I've found that after hitting nf_conntrack_max by way of a SYN flood, I can still establish connections to the server.
Using SYNPROXY keeps the conntrack table to established connections, but with or without it I can still connect to the server with no issues.
Does anyone have any info on this?
I came across lockless TCP listeners in 4.4:
https://kernelnewbies.org/Linux_4.4#head-7c34e3af145ac61502d1e032726946e9b380d03d
I'm wondering if this is part of it.
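One way to tell whether the conntrack table is really saturated during such a test, rather than merely close to nf_conntrack_max, is to compare nf_conntrack_count with nf_conntrack_max and watch the insert_failed/drop/early_drop counters in /proc/net/stat/nf_conntrack, which only grow when the kernel refuses or evicts an entry. The script below is an added example, not code from the original post; the column layout follows the 4.4-era /proc/net/stat/nf_conntrack format, and the sample rows are constructed, not captured from a real host.

```python
#!/usr/bin/env python3
"""Check nf_conntrack table pressure: nf_conntrack_count against
nf_conntrack_max, plus the drop counters in /proc/net/stat/nf_conntrack."""
from pathlib import Path

PROC_NF = Path("/proc/sys/net/netfilter")
STAT_FILE = Path("/proc/net/stat/nf_conntrack")
# Counters that only grow when conntrack rejects or evicts an entry.
PRESSURE_COLUMNS = ("insert_failed", "drop", "early_drop")


def parse_conntrack_stat(text):
    """Parse /proc/net/stat/nf_conntrack: a header of column names, then one
    row of hex counters per CPU. Per-CPU counters are summed; 'entries' is
    the current table size repeated on every row, so it is taken as-is."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    totals = dict.fromkeys(header, 0)
    for row in lines[1:]:
        for name, field in zip(header, row.split()):
            value = int(field, 16)
            totals[name] = value if name == "entries" else totals[name] + value
    return totals


def table_pressure(count, maximum, stat_totals):
    """Return (utilisation, is_full, drops); drops > 0 means the kernel has
    actually refused or evicted flows, not merely that count is near max."""
    utilisation = count / maximum if maximum else 0.0
    drops = sum(stat_totals.get(col, 0) for col in PRESSURE_COLUMNS)
    return utilisation, count >= maximum, drops


def read_live():
    """Read the live values; needs a Linux host with nf_conntrack loaded."""
    count = int((PROC_NF / "nf_conntrack_count").read_text())
    maximum = int((PROC_NF / "nf_conntrack_max").read_text())
    return table_pressure(count, maximum, parse_conntrack_stat(STAT_FILE.read_text()))


# Constructed sample (not captured from a real host): two CPUs, table at its
# 65536 (0x10000) limit, with a handful of insert failures and drops.
SAMPLE_STAT = """\
entries  searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error  expect_new expect_create expect_delete search_restart
00010000  00000000 0001f4c0 00000c8a 00000003 00000000 00000b21 00000b21 00000c8a 00000002 00000005 00000001 00000000  00000000 00000000 00000000 00000000
00010000  00000000 0001a0b3 00000a1f 00000001 00000000 00000a00 00000a00 00000a1f 00000001 00000003 00000000 00000000  00000000 00000000 00000000 00000000
"""

if __name__ == "__main__":
    util, full, drops = table_pressure(65536, 65536, parse_conntrack_stat(SAMPLE_STAT))
    print(f"conntrack utilisation={util:.0%} full={full} drop_events={drops}")
```

Run it while the SYN flood test is in progress and swap the sample for `read_live()`; a count pinned at nf_conntrack_max with a rising drop total is the signature of a genuinely full table, while a count that stays below max means the new connections never competed for table space.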