1--- linux-2.4.19-pre9/include/linux/netfilter_ipv4/ip_conntrack.h.orig	Mon Jun  3 21:46:59 2002
2+++ linux-2.4.19-pre9/include/linux/netfilter_ipv4/ip_conntrack.h	Mon Jun  3 21:46:37 2002
3@@ -226,6 +226,9 @@
4 extern void ip_ct_refresh(struct ip_conntrack *ct,
5 			  unsigned long extra_jiffies);
6 
7+/* Kill conntrack */
8+extern void ip_ct_death_by_timeout(unsigned long ul_conntrack);
9+
10 /* These are for NAT.  Icky. */
11 /* Call me when a conntrack is destroyed. */
12 extern void (*ip_conntrack_destroyed)(struct ip_conntrack *conntrack);
13--- linux-2.4.19-pre9/net/ipv4/netfilter/ip_conntrack_core.c.orig	Mon Jun  3 20:32:28 2002
14+++ linux-2.4.19-pre9/net/ipv4/netfilter/ip_conntrack_core.c	Tue Jun  4 20:56:18 2002
15@@ -267,7 +267,7 @@
16 	atomic_dec(&ip_conntrack_count);
17 }
18 
19-static void death_by_timeout(unsigned long ul_conntrack)
20+void ip_ct_death_by_timeout(unsigned long ul_conntrack)
21 {
22 	struct ip_conntrack *ct = (void *)ul_conntrack;
23 
24@@ -527,7 +527,7 @@
25 		return dropped;
26 
27 	if (del_timer(&h->ctrack->timeout)) {
28-		death_by_timeout((unsigned long)h->ctrack);
29+		ip_ct_death_by_timeout((unsigned long)h->ctrack);
30 		dropped = 1;
31 	}
32 	ip_conntrack_put(h->ctrack);
33@@ -617,7 +617,7 @@
34 	/* Don't set timer yet: wait for confirmation */
35 	init_timer(&conntrack->timeout);
36 	conntrack->timeout.data = (unsigned long)conntrack;
37-	conntrack->timeout.function = death_by_timeout;
38+	conntrack->timeout.function = ip_ct_death_by_timeout;
39 
40 	INIT_LIST_HEAD(&conntrack->sibling_list);
41 
42@@ -1198,7 +1189,7 @@
43 	while ((h = get_next_corpse(kill, data)) != NULL) {
44 		/* Time to push up daises... */
45 		if (del_timer(&h->ctrack->timeout))
46-			death_by_timeout((unsigned long)h->ctrack);
47+			ip_ct_death_by_timeout((unsigned long)h->ctrack);
48 		/* ... else the timer will get him soon. */
49 
50 		ip_conntrack_put(h->ctrack);
51--- linux-2.4.19-pre9/net/ipv4/netfilter/ip_conntrack_standalone.c.orig	Mon Jun  3 21:43:04 2002
52+++ linux-2.4.19-pre9/net/ipv4/netfilter/ip_conntrack_standalone.c	Mon Jun  3 21:47:43 2002
53@@ -362,6 +362,7 @@
54 EXPORT_SYMBOL(ip_conntrack_helper_unregister);
55 EXPORT_SYMBOL(ip_ct_selective_cleanup);
56 EXPORT_SYMBOL(ip_ct_refresh);
57+EXPORT_SYMBOL(ip_ct_death_by_timeout);
58 EXPORT_SYMBOL(ip_ct_find_proto);
59 EXPORT_SYMBOL(ip_ct_find_helper);
60 EXPORT_SYMBOL(ip_conntrack_expect_related);
61--- linux-2.4.19-pre9/net/ipv4/netfilter/ip_conntrack_core.c.orig	Mon Jun  3 20:32:28 2002
62+++ linux-2.4.19-pre9/net/ipv4/netfilter/ip_conntrack_core.c	Mon Jun  3 20:48:13 2002
63@@ -1091,8 +1091,10 @@
64 	if (!is_confirmed(ct))
65 		ct->timeout.expires = extra_jiffies;
66 	else {
67-		/* Need del_timer for race avoidance (may already be dying). */
68-		if (del_timer(&ct->timeout)) {
69+		/* Don't update timer for each packet, only if it's been >HZ
70+		 * ticks since last update.
71+		 * Need del_timer for race avoidance (may already be dying). */
72+		if (abs(jiffies + extra_jiffies - ct->timeout.expires) >= HZ && del_timer(&ct->timeout)) {
73 			ct->timeout.expires = jiffies + extra_jiffies;
74 			add_timer(&ct->timeout);
75 		}
76