> Is this "normal"? Do you have some idea about all these
> ports 3128 and 3228?

The machine where that ip_conntrack came from is running two squid processes, one on each processor, and clients are distributed evenly over the two processes. 3128 and 3228 are the two listening ports of those squid processes.

Such a conntrack shape will be the normal case for iptables running on a server, more extreme than when it's running on a routing firewall.

As you asked for ideas about "better" hashes, could you possibly try using CRC32 over the concatenation of the key values?

best regards
Patrick
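
The CRC32 suggestion above, as an added example that is not part of the original message or of the netfilter code: it hashes the concatenated key values and reports how a server-shaped workload spreads over the buckets. Assumptions: the key values are the connection 5-tuple, the table has 1024 buckets, and the client addresses and source ports are constructed; only ports 3128 and 3228 come from the message.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUCKETS 1024u /* assumed table size, not from the message */
#define CLIENTS 2048u /* constructed workload size */

/* Bitwise CRC-32 (IEEE 802.3, reflected polynomial 0xEDB88320). */
uint32_t crc32_buf(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    while (n--) {
        crc ^= *p++;
        for (int i = 0; i < 8; i++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Append the low n bytes of v in big-endian order. */
static uint8_t *put_be(uint8_t *o, uint32_t v, int n)
{
    while (n--) *o++ = (uint8_t)(v >> (8 * n));
    return o;
}

/* Concatenate the key values in a fixed byte order, CRC them, pick a bucket.
 * CRC32 is unkeyed: this measures spread, not resistance to chosen tuples. */
uint32_t tuple_bucket(uint32_t src, uint32_t dst, uint16_t sport,
                      uint16_t dport, uint8_t proto)
{
    uint8_t k[13], *o = k;
    o = put_be(o, src, 4);   o = put_be(o, dst, 4);
    o = put_be(o, sport, 2); o = put_be(o, dport, 2);
    put_be(o, proto, 1);
    return crc32_buf(k, sizeof k) % BUCKETS;
}

/* Many clients, one server address, two squid ports; returns longest chain. */
unsigned fill_table(unsigned *counts)
{
    unsigned longest = 0;
    memset(counts, 0, BUCKETS * sizeof *counts);
    for (uint32_t i = 0; i < CLIENTS; i++) {
        uint16_t dport = (i & 1u) ? 3228 : 3128;
        uint16_t sport = (uint16_t)(32768u + (i * 7u) % 28000u);
        unsigned b = tuple_bucket(0x0A000000u + i, 0xC0A80001u, sport, dport, 6);
        if (++counts[b] > longest) longest = counts[b];
    }
    return longest;
}

int main(void)
{
    static unsigned counts[BUCKETS];
    unsigned used = 0, longest = fill_table(counts);
    for (unsigned b = 0; b < BUCKETS; b++) used += counts[b] != 0;
    printf("entries=%u buckets used=%u/%u longest chain=%u\n",
           CLIENTS, used, BUCKETS, longest);
    return 0;
}
```

Comparing the longest chain against the mean of CLIENTS/BUCKETS entries per bucket shows how far the spread is from even.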