git.baikalelectronics.ru Git - kernel.git/commit
netfilter: nf_ct_icmp: keep the ICMP ct entries longer
author     Jan Kasprzak <kas@fi.muni.cz>
           Mon, 8 Jun 2009 13:53:43 +0000 (15:53 +0200)
committer  Patrick McHardy <kaber@trash.net>
           Mon, 8 Jun 2009 13:53:43 +0000 (15:53 +0200)
commit     3bd1a2b4c34a6a43a11bf6d27d8d7f26db22921a
tree       0ec53ee8c373e6b4224b2fda40ed4fc49c1ed822
parent     e18f85c3934122138287f0486632a44ff1ec0404
netfilter: nf_ct_icmp: keep the ICMP ct entries longer

Current conntrack code kills the ICMP conntrack entry as soon as
the first reply is received. This is incorrect, as we then see only
the first ICMP echo reply out of several possible duplicates as
ESTABLISHED, while the rest will be INVALID. Also this unnecessarily
increases the conntrackd traffic on H-A firewalls.

Make all the ICMP conntrack entries (including the replied ones)
last for the default of nf_conntrack_icmp{,v6}_timeout seconds.

Signed-off-by: Jan "Yenya" Kasprzak <kas@fi.muni.cz>
Signed-off-by: Patrick McHardy <kaber@trash.net>
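The behaviour change described in the commit message, as an added user-space model that is not the kernel's nf_conntrack_proto_icmp.c and not part of this commit: a tiny ICMP echo conntrack table keyed on (src, dst, echo id), where `kill_on_reply` selects the pre-patch behaviour (destroy the entry on the first reply, so duplicate replies are INVALID) or the post-patch behaviour (refresh the entry for `ICMP_TIMEOUT` seconds, so duplicates stay ESTABLISHED until the timeout elapses). The table layout, the key, the verdict enum and the sample addresses are assumptions made for the example; only the 30 s value reflects the kernel default of nf_conntrack_icmp_timeout.

```c
/* Constructed user-space model of ICMP echo conntrack; not the kernel code. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum verdict { CT_NEW, CT_ESTABLISHED, CT_INVALID };

struct icmp_pkt {
    unsigned int src, dst;   /* endpoint addresses, opaque integers here */
    unsigned short id;       /* ICMP echo identifier */
    bool is_reply;           /* false = echo request, true = echo reply */
};

struct ct_entry {
    bool used;
    bool seen_reply;         /* models IPS_SEEN_REPLY */
    unsigned int src, dst;   /* original (request) direction */
    unsigned short id;
    unsigned long expires;   /* absolute time in seconds */
};

#define CT_TABLE_SIZE 16
#define ICMP_TIMEOUT 30UL    /* kernel default nf_conntrack_icmp_timeout */

struct ct_table {
    struct ct_entry e[CT_TABLE_SIZE];
    bool kill_on_reply;      /* true: pre-patch, entry dies on first reply */
};

void ct_init(struct ct_table *t, bool kill_on_reply)
{
    memset(t, 0, sizeof(*t));
    t->kill_on_reply = kill_on_reply;
}

/* Look up the flow for a packet, garbage-collecting expired entries on the
 * way. A reply is matched against the original direction by swapping src/dst. */
static struct ct_entry *ct_find(struct ct_table *t, const struct icmp_pkt *p,
                                unsigned long now)
{
    unsigned int osrc = p->is_reply ? p->dst : p->src;
    unsigned int odst = p->is_reply ? p->src : p->dst;
    for (int i = 0; i < CT_TABLE_SIZE; i++) {
        struct ct_entry *e = &t->e[i];
        if (!e->used)
            continue;
        if (e->expires <= now) {          /* timeout elapsed */
            e->used = false;
            continue;
        }
        if (e->src == osrc && e->dst == odst && e->id == p->id)
            return e;
    }
    return NULL;
}

enum verdict ct_classify(struct ct_table *t, const struct icmp_pkt *p,
                         unsigned long now)
{
    struct ct_entry *e = ct_find(t, p, now);

    if (!p->is_reply) {
        if (!e) {                         /* echo request may create a flow */
            for (int i = 0; i < CT_TABLE_SIZE && !e; i++)
                if (!t->e[i].used)
                    e = &t->e[i];
            if (!e)
                return CT_INVALID;        /* table full (simplification) */
            e->used = true;
            e->seen_reply = false;
            e->src = p->src;
            e->dst = p->dst;
            e->id = p->id;
        }
        e->expires = now + ICMP_TIMEOUT;
        return e->seen_reply ? CT_ESTABLISHED : CT_NEW;
    }

    /* An echo reply never creates a flow: unsolicited replies are INVALID. */
    if (!e)
        return CT_INVALID;
    e->seen_reply = true;
    if (t->kill_on_reply)
        e->used = false;                  /* pre-patch: entry destroyed now */
    else
        e->expires = now + ICMP_TIMEOUT;  /* post-patch: entry refreshed */
    return CT_ESTABLISHED;
}

/* Constructed scenario: one request at t=0, then three echo replies (the
 * last two are duplicates). out[] receives the verdict for each packet. */
void run_duplicate_reply_scenario(bool kill_on_reply, enum verdict out[4])
{
    struct ct_table t;
    struct icmp_pkt req = { 0x0a000001, 0x0a000002, 0x1234, false };
    struct icmp_pkt rep = { 0x0a000002, 0x0a000001, 0x1234, true };

    ct_init(&t, kill_on_reply);
    out[0] = ct_classify(&t, &req, 0);
    out[1] = ct_classify(&t, &rep, 1);
    out[2] = ct_classify(&t, &rep, 1);
    out[3] = ct_classify(&t, &rep, 2);
}

int main(void)
{
    static const char *name[] = { "NEW", "ESTABLISHED", "INVALID" };
    enum verdict v[4];
    for (int old = 1; old >= 0; old--) {
        run_duplicate_reply_scenario(old, v);
        printf("%s: request=%s reply1=%s reply2=%s reply3=%s\n",
               old ? "pre-patch " : "post-patch",
               name[v[0]], name[v[1]], name[v[2]], name[v[3]]);
    }
    return 0;
}
```

With `kill_on_reply` set, only the first reply is ESTABLISHED and the duplicates fall to INVALID, which is exactly what a stateful ruleset that accepts only ESTABLISHED,RELATED would then drop; with it cleared, the entry survives until `ICMP_TIMEOUT` seconds after the last packet, after which a late reply is INVALID again.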
include/net/netfilter/ipv4/nf_conntrack_icmp.h [deleted file]
include/net/netfilter/ipv6/nf_conntrack_icmpv6.h
include/net/netfilter/nf_conntrack.h
net/ipv4/netfilter/nf_conntrack_proto_icmp.c
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c