path: root/include/linux/netfilter/nfnetlink.h
author Jan Kasprzak <kas@fi.muni.cz> 2009-06-08 15:53:43 +0200
committer Patrick McHardy <kaber@trash.net> 2009-06-08 15:53:43 +0200
commit f87fb666bb00a7afcbd7992d236e42ac544996f9 (patch)
tree 0ec53ee8c373e6b4224b2fda40ed4fc49c1ed822 /include/linux/netfilter/nfnetlink.h
parent netfilter: ipt_MASQUERADE: remove redundant rwlock (diff)
netfilter: nf_ct_icmp: keep the ICMP ct entries longer
Current conntrack code kills the ICMP conntrack entry as soon as the first reply is received. This is incorrect, as we then see only the first ICMP echo reply out of several possible duplicates as ESTABLISHED, while the rest will be INVALID. Also this unnecessarily increases the conntrackd traffic on H-A firewalls.

Make all the ICMP conntrack entries (including the replied ones) last for the default of nf_conntrack_icmp{,v6}_timeout seconds.

Signed-off-by: Jan "Yenya" Kasprzak <kas@fi.muni.cz>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'include/linux/netfilter/nfnetlink.h')
0 files changed, 0 insertions, 0 deletions