5 files changed, 8 insertions, 45 deletions

diff --git a/include/net/netfilter/ipv4/nf_conntrack_icmp.h b/include/net/netfilter/ipv4/nf_conntrack_icmp.h
deleted file mode 100644
index 3dd22cff23ec..000000000000
--- a/include/net/netfilter/ipv4/nf_conntrack_icmp.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef _NF_CONNTRACK_ICMP_H
-#define _NF_CONNTRACK_ICMP_H
-/* ICMP tracking. */
-#include <asm/atomic.h>
-
-struct ip_ct_icmp
-{
-        /* Optimization: when number in == number out, forget immediately. */
-        atomic_t count;
-};
-#endif /* _NF_CONNTRACK_ICMP_H */
diff --git a/include/net/netfilter/ipv6/nf_conntrack_icmpv6.h b/include/net/netfilter/ipv6/nf_conntrack_icmpv6.h
index 86591afda29c..67edd50a398a 100644
--- a/include/net/netfilter/ipv6/nf_conntrack_icmpv6.h
+++ b/include/net/netfilter/ipv6/nf_conntrack_icmpv6.h
@@ -9,7 +9,6 @@
 
 #ifndef _NF_CONNTRACK_ICMPV6_H
 #define _NF_CONNTRACK_ICMPV6_H
-#include <asm/atomic.h>
 
 #ifndef ICMPV6_NI_QUERY
 #define ICMPV6_NI_QUERY 139
@@ -18,10 +17,4 @@
 #define ICMPV6_NI_REPLY 140
 #endif
 
-struct nf_ct_icmpv6
-{
-        /* Optimization: when number in == number out, forget immediately. */
-        atomic_t count;
-};
-
 #endif /* _NF_CONNTRACK_ICMPV6_H */
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index 2ba36dd33aeb..2b877374242d 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -23,7 +23,6 @@
 #include <linux/netfilter/nf_conntrack_dccp.h>
 #include <linux/netfilter/nf_conntrack_sctp.h>
 #include <linux/netfilter/nf_conntrack_proto_gre.h>
-#include <net/netfilter/ipv4/nf_conntrack_icmp.h>
 #include <net/netfilter/ipv6/nf_conntrack_icmpv6.h>
 
 #include <net/netfilter/nf_conntrack_tuple.h>
@@ -34,8 +33,6 @@ union nf_conntrack_proto {
         struct nf_ct_dccp dccp;
         struct ip_ct_sctp sctp;
         struct ip_ct_tcp tcp;
-        struct ip_ct_icmp icmp;
-        struct nf_ct_icmpv6 icmpv6;
         struct nf_ct_gre gre;
 };
 
diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
index c6ab3d99e792..d71ba7677344 100644
--- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -82,17 +82,10 @@ static int icmp_packet(struct nf_conn *ct,
                        u_int8_t pf,
                        unsigned int hooknum)
 {
-        /* Try to delete connection immediately after all replies:
-           won't actually vanish as we still have skb, and del_timer
-           means this will only run once even if count hits zero twice
-           (theoretically possible with SMP) */
-        if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY) {
-                if (atomic_dec_and_test(&ct->proto.icmp.count))
-                        nf_ct_kill_acct(ct, ctinfo, skb);
-        } else {
-                atomic_inc(&ct->proto.icmp.count);
-                nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_icmp_timeout);
-        }
+        /* Do not immediately delete the connection after the first
+           successful reply to avoid excessive conntrackd traffic
+           and also to handle correctly ICMP echo reply duplicates. */
+        nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_icmp_timeout);
 
         return NF_ACCEPT;
 }
@@ -116,7 +109,6 @@ static bool icmp_new(struct nf_conn *ct, const struct sk_buff *skb,
                 nf_ct_dump_tuple_ip(&ct->tuplehash[0].tuple);
                 return false;
         }
-        atomic_set(&ct->proto.icmp.count, 0);
         return true;
 }
 
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index a0acd9655fef..642dcb127bab 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -95,17 +95,10 @@ static int icmpv6_packet(struct nf_conn *ct,
                        u_int8_t pf,
                        unsigned int hooknum)
 {
-        /* Try to delete connection immediately after all replies:
-           won't actually vanish as we still have skb, and del_timer
-           means this will only run once even if count hits zero twice
-           (theoretically possible with SMP) */
-        if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY) {
-                if (atomic_dec_and_test(&ct->proto.icmp.count))
-                        nf_ct_kill_acct(ct, ctinfo, skb);
-        } else {
-                atomic_inc(&ct->proto.icmp.count);
-                nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_icmpv6_timeout);
-        }
+        /* Do not immediately delete the connection after the first
+           successful reply to avoid excessive conntrackd traffic
+           and also to handle correctly ICMP echo reply duplicates. */
+        nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_icmpv6_timeout);
 
         return NF_ACCEPT;
 }
@@ -131,7 +124,6 @@ static bool icmpv6_new(struct nf_conn *ct, const struct sk_buff *skb,
                                       type + 128);
                 return false;
         }
-        atomic_set(&ct->proto.icmp.count, 0);
         return true;
 }