--- linux-2.4.19-rsn1/net/ipv4/netfilter/ip_conntrack_core.c.orig	2002-08-29 14:13:04.000000000 +0200
+++ linux-2.4.19-rsn1/net/ipv4/netfilter/ip_conntrack_core.c	2002-09-08 00:39:22.000000000 +0200
@@ -751,7 +751,6 @@
 static inline struct ip_conntrack *
 resolve_normal_ct(struct sk_buff *skb,
 		  struct ip_conntrack_protocol *proto,
-		  int *set_reply,
 		  unsigned int hooknum,
 		  enum ip_conntrack_info *ctinfo)
 {
@@ -776,8 +775,8 @@
 	/* It exists; we have (non-exclusive) reference. */
 	if (DIRECTION(h) == IP_CT_DIR_REPLY) {
 		*ctinfo = IP_CT_ESTABLISHED + IP_CT_IS_REPLY;
-		/* Please set reply bit if this packet OK */
-		*set_reply = 1;
+		/* This is a reply packet, set conntrack to replied. */
+		set_bit(IPS_SEEN_REPLY_BIT, &h->ctrack->status);
 	} else {
 		/* Once we've had two way comms, always ESTABLISHED. */
 		if (h->ctrack->status & IPS_SEEN_REPLY) {
@@ -793,7 +792,6 @@
 			       h->ctrack);
 			*ctinfo = IP_CT_NEW;
 		}
-		*set_reply = 0;
 	}
 	skb->nfct = &h->ctrack->infos[*ctinfo];
 	return h->ctrack;
@@ -809,7 +807,6 @@
 	struct ip_conntrack *ct;
 	enum ip_conntrack_info ctinfo;
 	struct ip_conntrack_protocol *proto;
-	int set_reply;
 	int ret;
 
 	/* FIXME: Do this right please. --RR */
@@ -849,7 +846,7 @@
 	    && icmp_error_track(*pskb, &ctinfo, hooknum))
 		return NF_ACCEPT;
 
-	if (!(ct = resolve_normal_ct(*pskb, proto,&set_reply,hooknum,&ctinfo)))
+	if (!(ct = resolve_normal_ct(*pskb, proto, hooknum, &ctinfo)))
 		/* Not valid part of a connection */
 		return NF_ACCEPT;
 
@@ -877,8 +874,6 @@
 			return NF_ACCEPT;
 		}
 	}
-	if (set_reply)
-		set_bit(IPS_SEEN_REPLY_BIT, &ct->status);
 
 	return ret;
 }
--- linux-2.4.19-rsn1/net/ipv4/netfilter/ip_conntrack_proto_tcp.c.orig	2002-09-08 00:29:41.000000000 +0200
+++ linux-2.4.19-rsn1/net/ipv4/netfilter/ip_conntrack_proto_tcp.c	2002-09-08 00:41:51.000000000 +0200
@@ -218,7 +218,9 @@
 	   have an established connection: this is a fairly common
 	   problem case, so we can delete the conntrack
 	   immediately.  --RR */
-	if (!(conntrack->status & IPS_SEEN_REPLY) && tcph->rst) {
+	if (oldtcpstate == TCP_CONNTRACK_SYN_SENT
+	    && CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY
+	    && tcph->rst) {
 		if (del_timer(&conntrack->timeout))
 			conntrack->timeout.function((unsigned long)conntrack);
 	} else {