netfilter: nf_ct_icmp: keep the ICMP ct entries longer
[pandora-kernel.git] / net / ipv4 / netfilter / nf_conntrack_proto_icmp.c
index c6ab3d9..d71ba76 100644 (file)
@@ -82,17 +82,10 @@ static int icmp_packet(struct nf_conn *ct,
                       u_int8_t pf,
                       unsigned int hooknum)
 {
-       /* Try to delete connection immediately after all replies:
-          won't actually vanish as we still have skb, and del_timer
-          means this will only run once even if count hits zero twice
-          (theoretically possible with SMP) */
-       if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY) {
-               if (atomic_dec_and_test(&ct->proto.icmp.count))
-                       nf_ct_kill_acct(ct, ctinfo, skb);
-       } else {
-               atomic_inc(&ct->proto.icmp.count);
-               nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_icmp_timeout);
-       }
+       /* Do not immediately delete the connection after the first
+          successful reply to avoid excessive conntrackd traffic
+          and also to handle correctly ICMP echo reply duplicates. */
+       nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_icmp_timeout);
 
        return NF_ACCEPT;
 }
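Review bot: The unconditional `nf_ct_refresh_acct()` in icmp_packet now re-arms the timer on reply-direction packets too, so every echo entry holds a conntrack slot for `nf_ct_icmp_timeout` after its last packet, and duplicate or late replies matching the tuple keep being treated as part of the flow for that long. The removed code killed the entry once replies balanced requests, which bounded both table occupancy under an echo flood and the window in which a matching reply passes a stateful ruleset. The new comment should record that trade-off, e.g. `/* Entry now lives for nf_ct_icmp_timeout after the last packet in either direction; size nf_conntrack_max and the ICMP timeout accordingly. */`. With the `atomic_set()` also removed from icmp_new, `proto.icmp.count` appears to have no remaining user in this file; its declaration is outside this diff and could presumably be dropped in the same change. The signature of icmp_packet begins above the hunk.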
@@ -116,7 +109,6 @@ static bool icmp_new(struct nf_conn *ct, const struct sk_buff *skb,
                nf_ct_dump_tuple_ip(&ct->tuplehash[0].tuple);
                return false;
        }
-       atomic_set(&ct->proto.icmp.count, 0);
        return true;
 }