If a connection fails with a TCP reset, the conntrack is destroyed immediately. This patch sets the SEEN_REPLY bit before destroying the conntrack. --- linux-2.6.25.4.orig/net/netfilter/nf_conntrack_proto_tcp.c 2008-05-20 21:05:06.000000000 +0100 +++ linux-2.6.25.4/net/netfilter/nf_conntrack_proto_tcp.c 2008-05-21 09:41:15.000000000 +0100 @@ -962,6 +962,8 @@ problem case, so we can delete the conntrack immediately. --RR */ if (th->rst) { + if (ctinfo >= IP_CT_IS_REPLY) + set_bit(IPS_SEEN_REPLY_BIT, &ct->status); if (del_timer(&ct->timeout)) ct->timeout.function((unsigned long)ct); return NF_ACCEPT;
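Review bot: the commit message under-documents the hunk in the `if (th->rst)` block: it says the patch "sets the SEEN_REPLY bit", but the added code only does so when `ctinfo >= IP_CT_IS_REPLY`, i.e. when the RST arrives in the reply direction, and it does not say why the bit must be set before the `del_timer(&ct->timeout)` / `ct->timeout.function(...)` teardown. Please state both in the message: that a reply-direction RST is treated as a seen reply, and that the bit is set first so the destroy path observes `IPS_SEEN_REPLY_BIT` in `ct->status` for an entry that never reached the normal reply-seen path. As a readability point, `ctinfo >= IP_CT_IS_REPLY` encodes the direction through enum ordering; if the tree's direction helper (`CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY`) is available here, it makes the intent explicit. Using the atomic `set_bit` on `ct->status` is consistent with how the rest of the TCP tracker touches the status word, so no locking change is needed for this line.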