f87fb666bb
Current conntrack code kills the ICMP conntrack entry as soon as
the first reply is received. This is incorrect, as we then see only
the first ICMP echo reply out of several possible duplicates as
ESTABLISHED, while the rest will be INVALID. Also this unnecessarily
increases the conntrackd traffic on H-A firewalls.
Make all the ICMP conntrack entries (including the replied ones)
last for the default of nf_conntrack_icmp{,v6}_timeout seconds.
Signed-off-by: Jan "Yenya" Kasprzak <kas@fi.muni.cz>
Signed-off-by: Patrick McHardy <kaber@trash.net>
21 lines
429 B
C
21 lines
429 B
C
/*
|
|
* ICMPv6 tracking.
|
|
*
|
|
* 21 Apl 2004: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
|
|
* - separated from nf_conntrack_icmp.h
|
|
*
|
|
* Derived from include/linux/netfiter_ipv4/ip_conntrack_icmp.h
|
|
*/
|
|
|
|
#ifndef _NF_CONNTRACK_ICMPV6_H
|
|
#define _NF_CONNTRACK_ICMPV6_H
|
|
|
|
#ifndef ICMPV6_NI_QUERY
|
|
#define ICMPV6_NI_QUERY 139
|
|
#endif
|
|
#ifndef ICMPV6_NI_REPLY
|
|
#define ICMPV6_NI_REPLY 140
|
|
#endif
|
|
|
|
#endif /* _NF_CONNTRACK_ICMPV6_H */
|