diff --git a/policy/cilium/0033-logging.patch b/policy/cilium/0033-logging.patch
new file mode 100644
index 00000000..a0c85985
--- /dev/null
+++ b/policy/cilium/0033-logging.patch
@@ -0,0 +1,51 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: l1b0k
+Date: Mon, 14 Oct 2024 16:33:42 +0800
+Subject: logging
+
+Signed-off-by: l1b0k
+---
+ pkg/maps/ctmap/ctmap.go | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/pkg/maps/ctmap/ctmap.go b/pkg/maps/ctmap/ctmap.go
+index 868871811b..052cab28e9 100644
+--- a/pkg/maps/ctmap/ctmap.go
++++ b/pkg/maps/ctmap/ctmap.go
+@@ -496,6 +496,13 @@ func doGC4(m *Map, filter *GCFilter) gcStats {
+ globalDeleteLock[m.mapType].Lock()
+ stats.dumpError = m.DumpReliablyWithCallback(filterCallback, stats.DumpStats)
+ globalDeleteLock[m.mapType].Unlock()
++
++ log.Infof("gc map %s id %d max %d deleted %d alived %d", m.Name(), m.InnerID, m.MaxEntries, stats.deleted, stats.aliveEntries)
++ cur := stats.aliveEntries + stats.deleted
++ if float64(cur)/float64(m.MaxEntries) >= 0.9 {
++ log.Infof("ConntrackFull table %s current %d maxEntries %d", m.Name(), cur, m.MaxEntries)
++ }
++
+ return stats
+ }
+
+@@ -566,13 +573,13 @@ func GC(m *Map, filter *GCFilter) int {
+ // The consumer of the buffer invokes the function.
+ //
+ // The SNAT is being used for the following cases:
+-// 1. By NodePort BPF on an intermediate node before fwd'ing request from outside
++// 1. By NodePort BPF on an intermediate node before fwd'ing request from outside
+ // to a destination node.
+-// 2. A packet from local endpoint sent to outside (BPF-masq).
+-// 3. A packet from a host local application (i.e. running in the host netns)
+-// This is needed to prevent SNAT from hijacking such connections.
+-// 4. By DSR on a backend node to SNAT responses with service IP+port before
+-// sending to a client.
++// 2. A packet from local endpoint sent to outside (BPF-masq).
++// 3. A packet from a host local application (i.e. running in the host netns)
++// This is needed to prevent SNAT from hijacking such connections.
++// 4. By DSR on a backend node to SNAT responses with service IP+port before
++// sending to a client.
+ //
+ // In the case of 1-3, we always create a CT_EGRESS CT entry. This allows the
+ // CT GC to remove corresponding SNAT entries. In the case of 4, will create
+--
+2.47.0
+
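Review bot: The conntrack near-full signal added to doGC4 is logged at Info level as a free-form string, directly after an unconditional per-run `log.Infof("gc map …")`, so the one line an operator would alert on for table exhaustion is easy to lose in routine GC output. It would be easier to detect as a warning, e.g. `log.Warnf("ConntrackFull table %s current %d maxEntries %d", m.Name(), cur, m.MaxEntries)` (assuming `log` is the package's logrus-style logger), with the per-run line demoted to debug. The ratio is also computed without checking the divisor: with `m.MaxEntries == 0` and any entries seen it becomes +Inf and the message fires, so `if m.MaxEntries > 0 && float64(cur)/float64(m.MaxEntries) >= 0.9 {` is safer. `cur` is `aliveEntries + deleted`, which appears to be the occupancy seen during the dump rather than what remains after this pass, so "current" in the message may overstate the post-GC fill. Only doGC4 is touched, so an IPv6 counterpart, if the file has one, gets no equivalent check; the second inner hunk is a comment reflow unrelated to logging.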