From: Martin Josefsson

Here's a patch that fixes a pretty serious bug introduced by a recent "bugfix". The problem is that RST packets are ignored if they follow an ACK packet, this means that the timeout of the connection isn't decreased, so we get lots of old connections lingering around until the timeout expires, the default timeout for state ESTABLISHED is 5 days.

This needs to go into -bk as soon as possible. The bug is present in 2.6.10 as well.

Signed-off-by: Andrew Morton
---

 25-akpm/net/ipv4/netfilter/ip_conntrack_proto_tcp.c |    3 ++-
 net/ipv4/netfilter/ip_conntrack_proto_tcp.c.orig    |    0
 2 files changed, 2 insertions(+), 1 deletion(-)

diff -puN net/ipv4/netfilter/ip_conntrack_proto_tcp.c~fix-broken-rst-handling-in-ip_conntrack net/ipv4/netfilter/ip_conntrack_proto_tcp.c
--- 25/net/ipv4/netfilter/ip_conntrack_proto_tcp.c~fix-broken-rst-handling-in-ip_conntrack	2005-01-02 02:24:49.511586664 -0800
+++ 25-akpm/net/ipv4/netfilter/ip_conntrack_proto_tcp.c	2005-01-02 02:24:49.518585600 -0800
@@ -906,7 +906,8 @@ static int tcp_packet(struct ip_conntrac
 	if (index == TCP_RST_SET
 	    && ((test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status)
 		 && conntrack->proto.tcp.last_index <= TCP_SYNACK_SET)
-	        || conntrack->proto.tcp.last_index == TCP_ACK_SET)
+	        || (!test_bit(IPS_ASSURED_BIT, &conntrack->status)
+	            && conntrack->proto.tcp.last_index == TCP_ACK_SET))
 	    && after(ntohl(th->ack_seq), conntrack->proto.tcp.last_seq)) {
 		/* Ignore RST closing down invalid SYN or ACK
diff -puN net/ipv4/netfilter/ip_conntrack_proto_tcp.c.orig~fix-broken-rst-handling-in-ip_conntrack net/ipv4/netfilter/ip_conntrack_proto_tcp.c.orig
_
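Review bot: the comment that follows the condition ("Ignore RST closing down invalid SYN or ACK") no longer describes what the code does once the `TCP_ACK_SET` branch is gated on `!test_bit(IPS_ASSURED_BIT, &conntrack->status)`; please extend it to say that an RST after an ACK is only discarded while the connection is still unassured, so an RST on an assured ESTABLISHED connection is processed normally and the entry is not left waiting out the 5-day timeout. The `&& after(ntohl(th->ack_seq), conntrack->proto.tcp.last_seq)` guard still applies to both branches, which is the intended scope. Separately, the diffstat and the second `diff -puN` header reference `net/ipv4/netfilter/ip_conntrack_proto_tcp.c.orig` with 0 lines changed; that looks like a stray backup file picked up by the tree and should be dropped from the patch before it goes to -bk.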