--- linux-2.4.19-rsn1/net/ipv4/netfilter/ip_conntrack_core.c.orig 2002-08-29 14:13:04.000000000 +0200
+++ linux-2.4.19-rsn1/net/ipv4/netfilter/ip_conntrack_core.c 2002-09-08 00:08:24.000000000 +0200
@@ -751,7 +751,6 @@
 static inline struct ip_conntrack *
 resolve_normal_ct(struct sk_buff *skb,
 struct ip_conntrack_protocol *proto,
- int *set_reply,
 unsigned int hooknum,
 enum ip_conntrack_info *ctinfo)
 {
@@ -776,8 +775,6 @@
 /* It exists; we have (non-exclusive) reference. */
 if (DIRECTION(h) == IP_CT_DIR_REPLY) {
 *ctinfo = IP_CT_ESTABLISHED + IP_CT_IS_REPLY;
- /* Please set reply bit if this packet OK */
- *set_reply = 1;
 } else {
 /* Once we've had two way comms, always ESTABLISHED. */
 if (h->ctrack->status & IPS_SEEN_REPLY) {
@@ -793,7 +792,6 @@
 h->ctrack);
 *ctinfo = IP_CT_NEW;
 }
- *set_reply = 0;
 }
 skb->nfct = &h->ctrack->infos[*ctinfo];
 return h->ctrack;
@@ -809,7 +806,6 @@
 struct ip_conntrack *ct;
 enum ip_conntrack_info ctinfo;
 struct ip_conntrack_protocol *proto;
- int set_reply;
 int ret;
 
 /* FIXME: Do this right please. --RR */
@@ -849,7 +845,7 @@
 && icmp_error_track(*pskb, &ctinfo, hooknum))
 return NF_ACCEPT;
 
- if (!(ct = resolve_normal_ct(*pskb, proto,&set_reply,hooknum,&ctinfo)))
+ if (!(ct = resolve_normal_ct(*pskb, proto, hooknum, &ctinfo)))
 /* Not valid part of a connection */
 return NF_ACCEPT;
 
@@ -877,8 +873,6 @@
 return NF_ACCEPT;
 }
 }
- if (set_reply)
- set_bit(IPS_SEEN_REPLY_BIT, &ct->status);
 
 return ret;
 }
--- linux-2.4.19-rsn1/net/ipv4/netfilter/ip_conntrack_proto_generic.c.orig 2002-09-08 00:30:14.000000000 +0200
+++ linux-2.4.19-rsn1/net/ipv4/netfilter/ip_conntrack_proto_generic.c 2002-09-08 00:20:33.000000000 +0200
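Review bot: In ip_conntrack_core.c, removing `if (set_reply) set_bit(IPS_SEEN_REPLY_BIT, &ct->status);` from the last hunk drops the gate that the deleted comment `/* Please set reply bit if this packet OK */` described, and leaves no trace in the core of who sets the bit now. The `return NF_ACCEPT;` exits shown just above the removed lines used to skip the set; if the protocol handler runs before them (its call is outside these hunks), a reply that fails those later checks will still mark the connection as replied, and that bit drives the `h->ctrack->status & IPS_SEEN_REPLY` test that classifies original-direction packets as ESTABLISHED. Please confirm this is intended, and document the new contract where the handler is invoked, e.g. `/* The protocol packet handler sets IPS_SEEN_REPLY_BIT for reply-direction packets; the core no longer does. */`. A protocol module not updated by this patch would otherwise never set the bit.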
@@ -43,6 +43,10 @@
 struct iphdr *iph, size_t len,
 enum ip_conntrack_info conntrackinfo)
 {
+ /* This is a reply packet, set conntrack to replied. */
+ if (CTINFO2DIR(conntrackinfo) == IP_CT_DIR_REPLY)
+ set_bit(IPS_SEEN_REPLY_BIT, &conntrack->status);
+
 ip_ct_refresh(conntrack, GENERIC_TIMEOUT);
 return NF_ACCEPT;
 }
--- linux-2.4.19-rsn1/net/ipv4/netfilter/ip_conntrack_proto_icmp.c.orig 2002-09-08 00:30:04.000000000 +0200
+++ linux-2.4.19-rsn1/net/ipv4/netfilter/ip_conntrack_proto_icmp.c 2002-09-08 00:20:23.000000000 +0200
@@ -72,6 +72,11 @@
 struct iphdr *iph, size_t len,
 enum ip_conntrack_info ctinfo)
 {
+ /* This is a reply packet, set conntrack to replied.
+ * Not needed for icmp but it's here for completeness */
+ if (CTINFO2DIR(conntrackinfo) == IP_CT_DIR_REPLY)
+ set_bit(IPS_SEEN_REPLY_BIT, &conntrack->status);
+
 /* Try to delete connection immediately after all replies:
 won't actually vanish as we still have skb, and del_timer
 means this will only run once even if count hits zero twice
--- linux-2.4.19-rsn1/net/ipv4/netfilter/ip_conntrack_proto_tcp.c.orig 2002-09-08 00:29:41.000000000 +0200
+++ linux-2.4.19-rsn1/net/ipv4/netfilter/ip_conntrack_proto_tcp.c 2002-09-08 00:27:07.000000000 +0200
@@ -222,7 +222,12 @@
 if (del_timer(&conntrack->timeout))
 conntrack->timeout.function((unsigned long)conntrack);
 } else {
- /* Set ASSURED if we see see valid ack in ESTABLISHED after SYN_RECV */
+ /* This is a reply packet, set conntrack to replied. */
+ if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY)
+ set_bit(IPS_SEEN_REPLY_BIT, &conntrack->status);
+
+ /* Set ASSURED if we see valid ack in
+ * ESTABLISHED after SYN_RECV */
 if (oldtcpstate == TCP_CONNTRACK_SYN_RECV
 && CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL
 && tcph->ack && !tcph->syn
--- linux-2.4.19-rsn1/net/ipv4/netfilter/ip_conntrack_proto_udp.c.orig 2002-09-08 00:29:15.000000000 +0200
+++ linux-2.4.19-rsn1/net/ipv4/netfilter/ip_conntrack_proto_udp.c 2002-09-08 00:20:56.000000000 +0200
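Review bot: In ip_conntrack_proto_icmp.c, the added test `CTINFO2DIR(conntrackinfo)` names a variable this function does not declare: the context line just above it shows the parameter as `enum ip_conntrack_info ctinfo`, so the file will not compile as patched. The line should read `if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY)`, and the `conntrack` in `&conntrack->status` deserves the same check, because the first parameter line is outside the hunk and the pointer may be named differently in this file. The block looks copied from the generic and UDP handlers, where the parameter is called `conntrackinfo`; a small shared inline helper taking the conntrack pointer and the ctinfo value would prevent this kind of drift across the four protocol files.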
@@ -49,6 +49,10 @@
 struct iphdr *iph, size_t len,
 enum ip_conntrack_info conntrackinfo)
 {
+ /* This is a reply packet, set conntrack to replied. */
+ if (CTINFO2DIR(conntrackinfo) == IP_CT_DIR_REPLY)
+ set_bit(IPS_SEEN_REPLY_BIT, &conntrack->status);
+
 /* If we've seen traffic both ways, this is some kind of UDP
 stream. Extend timeout. */
 if (conntrack->status & IPS_SEEN_REPLY) {
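Review bot: In ip_conntrack_proto_udp.c, placing the new `set_bit(IPS_SEEN_REPLY_BIT, &conntrack->status)` ahead of the existing `if (conntrack->status & IPS_SEEN_REPLY)` test makes the very first reply packet take the branch commented as "some kind of UDP stream. Extend timeout". The removed lines in ip_conntrack_core.c suggest the core used to set the bit only after the handler had returned, so a single one-shot response would previously have taken the other path. With the patch, request/response traffic appears to get the extended timeout after one reply, which keeps entries in the table longer and matters when the table is under pressure. If the old behaviour is wanted, move the two added lines below the if/else; if the new one is intended, state it in the comment, e.g. `/* Set before the test below: the first reply already counts as two-way traffic. */`. The body of the `if` continues outside the hunk.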