- Accelerated hash tree: page of cache-line long entries:
      struct hentry { u16 parthash[]; struct ip_conntrack_hash *ct[]; };
  On fill, an entry becomes a pointer to a new hash table.
- Figure out how to shrink it again (if !stressed, scan page on one in four final htable entry removal?).
- Use atomic ops for replacement, RCU for reading.
- "Stress" flag when DoS'd: 90% full? new / found? Turns off TCP jumping straight to established state (ACK flood). Other subsystems can do similar tightening.
- Reserve bit in "parthash" to indicate unassured: scan entire hentry for unassured, and *drop* the current packet (less work, better).
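A user-space sketch of the hentry idea, added here as an illustration and not taken from these notes or from the netfilter code. Assumptions: a 64-byte cache line holding 6 slots, the top bit of parthash as the unassured flag, the partial hash taken from the upper hash bits, `struct conn` standing in for `struct ip_conntrack_hash`, and one reading of the stress rule (under stress, a new connection is dropped if the entry already holds an unassured one).

```c
#include <stddef.h>
#include <stdint.h>
#define SLOTS     6        /* assumed: 6 * (2 + 8) bytes fits a 64-byte cache line */
#define UNASSURED 0x8000u  /* reserved parthash bit (bit position assumed) */
#define PH_MASK   0x7fffu
enum { FULL = -1, DROP = -2 };

struct conn { uint32_t hash; };  /* stand-in for struct ip_conntrack_hash */
struct hentry {
    uint16_t parthash[SLOTS];
    struct conn *ct[SLOTS];      /* NULL marks a free slot */
} __attribute__((aligned(64)));  /* GCC/Clang attribute: one entry per line */
static uint16_t part_of(uint32_t hash) { return (hash >> 16) & PH_MASK; }

/* Compare partial hashes inside the cache line; dereference only on a match. */
struct conn *hentry_find(const struct hentry *e, uint32_t hash)
{
    for (int i = 0; i < SLOTS; i++)
        if (e->ct[i] && (e->parthash[i] & PH_MASK) == part_of(hash) &&
            e->ct[i]->hash == hash)
            return e->ct[i];
    return NULL;
}

/* Scan the whole entry for the unassured bit without touching any conn. */
int hentry_has_unassured(const struct hentry *e)
{
    for (int i = 0; i < SLOTS; i++)
        if (e->ct[i] && (e->parthash[i] & UNASSURED))
            return 1;
    return 0;
}

/* Returns the slot used, FULL, or DROP. New connections start unassured. */
int hentry_add(struct hentry *e, struct conn *c, int stressed)
{
    if (stressed && hentry_has_unassured(e))
        return DROP;             /* assumed reading of the stress rule */
    for (int i = 0; i < SLOTS; i++)
        if (!e->ct[i]) {
            e->parthash[i] = part_of(c->hash) | UNASSURED;
            e->ct[i] = c;
            return i;
        }
    return FULL;  /* caller would replace the entry with a new hash table */
}

/* Clear the bit once the connection in this slot is assured. */
void hentry_assure(struct hentry *e, int slot) { e->parthash[slot] &= PH_MASK; }
```

The drop decision reads only the 16-bit fields already in the cache line, so a flood of new connections costs no pointer dereferences on that path.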