diff options
author | Jan Kasprzak <kas@fi.muni.cz> | 2009-06-08 15:53:43 +0200 |
---|---|---|
committer | Patrick McHardy <kaber@trash.net> | 2009-06-08 15:53:43 +0200 |
commit | f87fb666bb00a7afcbd7992d236e42ac544996f9 (patch) | |
tree | 0ec53ee8c373e6b4224b2fda40ed4fc49c1ed822 /include/net/netfilter/ipv4 | |
parent | 17f2f52be0edb6d1ff5a3675f2bc545aea2dbf76 (diff) | |
download | linux-stable-f87fb666bb00a7afcbd7992d236e42ac544996f9.tar.gz linux-stable-f87fb666bb00a7afcbd7992d236e42ac544996f9.tar.bz2 linux-stable-f87fb666bb00a7afcbd7992d236e42ac544996f9.zip |
netfilter: nf_ct_icmp: keep the ICMP ct entries longer
Current conntrack code kills the ICMP conntrack entry as soon as
the first reply is received. This is incorrect, as we then see only
the first ICMP echo reply out of several possible duplicates as
ESTABLISHED, while the rest will be INVALID. Also this unnecessarily
increases the conntrackd traffic on H-A firewalls.
Make all the ICMP conntrack entries (including the replied ones)
last for the default of nf_conntrack_icmp{,v6}_timeout seconds.
Signed-off-by: Jan "Yenya" Kasprzak <kas@fi.muni.cz>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'include/net/netfilter/ipv4')
-rw-r--r-- | include/net/netfilter/ipv4/nf_conntrack_icmp.h | 11 |
1 files changed, 0 insertions, 11 deletions
diff --git a/include/net/netfilter/ipv4/nf_conntrack_icmp.h b/include/net/netfilter/ipv4/nf_conntrack_icmp.h deleted file mode 100644 index 3dd22cff23ec..000000000000 --- a/include/net/netfilter/ipv4/nf_conntrack_icmp.h +++ /dev/null @@ -1,11 +0,0 @@ -#ifndef _NF_CONNTRACK_ICMP_H -#define _NF_CONNTRACK_ICMP_H -/* ICMP tracking. */ -#include <asm/atomic.h> - -struct ip_ct_icmp -{ - /* Optimization: when number in == number out, forget immediately. */ - atomic_t count; -}; -#endif /* _NF_CONNTRACK_ICMP_H */ |