[PATCH] Fix broken RST handling in ip_conntrack

Here's a patch that fixes a pretty serious bug introduced by a recent
"bugfix".  The problem is that RST packets are ignored if they follow an
ACK packet, this means that the timeout of the connection isn't decreased,
so we get lots of old connections lingering around until the timeout
expires, the default timeout for state ESTABLISHED is 5 days.

This needs to go into -bk as soon as possible.  The bug is present in
2.6.10 as well.
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

net/ipv4/netfilter/ip_conntrack_proto_tcp.c

@@ -906,7 +906,8 @@ static int tcp_packet(struct ip_conntrack *conntrack,
 		if (index == TCP_RST_SET
 		    && ((test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status)
 		         && conntrack->proto.tcp.last_index <= TCP_SYNACK_SET)
-		        || conntrack->proto.tcp.last_index == TCP_ACK_SET)
+		        || (!test_bit(IPS_ASSURED_BIT, &conntrack->status)
+			 && conntrack->proto.tcp.last_index == TCP_ACK_SET))
 		    && after(ntohl(th->ack_seq),
 		    	     conntrack->proto.tcp.last_seq)) {
 			/* Ignore RST closing down invalid SYN or ACK