From: Martin Josefsson <gandalf@netfilter.org>

Here's a patch that fixes a pretty serious bug introduced by a recent
"bugfix".  The problem is that RST packets are ignored if they follow an
ACK packet.  This means that the timeout of the connection isn't decreased,
so we get lots of old connections lingering around until the timeout
expires; the default timeout for state ESTABLISHED is 5 days.

This needs to go into -bk as soon as possible.  The bug is present in
2.6.10 as well.

Signed-off-by: Andrew Morton <akpm@osdl.org>
---

 25-akpm/net/ipv4/netfilter/ip_conntrack_proto_tcp.c |    3 ++-
 net/ipv4/netfilter/ip_conntrack_proto_tcp.c.orig    |    0 
 2 files changed, 2 insertions(+), 1 deletion(-)

diff -puN net/ipv4/netfilter/ip_conntrack_proto_tcp.c~fix-broken-rst-handling-in-ip_conntrack net/ipv4/netfilter/ip_conntrack_proto_tcp.c
--- 25/net/ipv4/netfilter/ip_conntrack_proto_tcp.c~fix-broken-rst-handling-in-ip_conntrack	2005-01-02 02:24:49.511586664 -0800
+++ 25-akpm/net/ipv4/netfilter/ip_conntrack_proto_tcp.c	2005-01-02 02:24:49.518585600 -0800
@@ -906,7 +906,8 @@ static int tcp_packet(struct ip_conntrac
 		if (index == TCP_RST_SET
 		    && ((test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status)
 		         && conntrack->proto.tcp.last_index <= TCP_SYNACK_SET)
-		        || conntrack->proto.tcp.last_index == TCP_ACK_SET)
+		        || (!test_bit(IPS_ASSURED_BIT, &conntrack->status)
+			 && conntrack->proto.tcp.last_index == TCP_ACK_SET))
 		    && after(ntohl(th->ack_seq),
 		    	     conntrack->proto.tcp.last_seq)) {
 			/* Ignore RST closing down invalid SYN or ACK
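Review bot: the comment at the end of the hunk ("Ignore RST closing down invalid SYN or ACK") no longer describes the condition once the `TCP_ACK_SET` branch is gated on `!test_bit(IPS_ASSURED_BIT, &conntrack->status)`; it should say that an RST following an ACK is only ignored while the connection is not yet ASSURED, so that a later reader does not reintroduce the unconditional `last_index == TCP_ACK_SET` check. The indentation of the new `&& conntrack->proto.tcp.last_index == TCP_ACK_SET))` line also mixes a tab with spaces relative to the `|| (` line above it, which obscures the grouping of the parenthesised sub-expression in a condition that is already four levels deep. Finally, the mail is from Martin Josefsson but the patch carries only Andrew Morton's Signed-off-by; the author's own sign-off is missing.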
diff -puN net/ipv4/netfilter/ip_conntrack_proto_tcp.c.orig~fix-broken-rst-handling-in-ip_conntrack net/ipv4/netfilter/ip_conntrack_proto_tcp.c.orig
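Review bot: this second file entry is an editor/patch backup (`ip_conntrack_proto_tcp.c.orig`) with zero lines changed, as the diffstat above also shows; it should be removed from the series before merging so that the empty `.orig` file is not created in the tree.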
_