diff -urN linux-2.4.23-pom-031219-4-extr/include/linux/netfilter_ipv4/ip_conntrack.h linux-2.4.23-pom-031219-5-opti/include/linux/netfilter_ipv4/ip_conntrack.h
--- linux-2.4.23-pom-031219-4-extr/include/linux/netfilter_ipv4/ip_conntrack.h Sun Jan 4 19:14:59 2004
+++ linux-2.4.23-pom-031219-5-opti/include/linux/netfilter_ipv4/ip_conntrack.h Sun Jan 4 19:15:58 2004
@@ -269,6 +269,9 @@
 extern void ip_ct_refresh(struct ip_conntrack *ct, unsigned long extra_jiffies);
+/* Kill conntrack */
+extern void ip_ct_death_by_timeout(unsigned long ul_conntrack);
+
 /* These are for NAT. Icky. */
 /* Call me when a conntrack is destroyed. */
 extern void (*ip_conntrack_destroyed)(struct ip_conntrack *conntrack);
diff -urN linux-2.4.23-pom-031219-4-extr/net/ipv4/netfilter/ip_conntrack_core.c linux-2.4.23-pom-031219-5-opti/net/ipv4/netfilter/ip_conntrack_core.c
--- linux-2.4.23-pom-031219-4-extr/net/ipv4/netfilter/ip_conntrack_core.c Sun Jan 4 19:14:59 2004
+++ linux-2.4.23-pom-031219-5-opti/net/ipv4/netfilter/ip_conntrack_core.c Sun Jan 4 19:15:58 2004
@@ -380,7 +380,7 @@
 atomic_dec(&ip_conntrack_count);
 }
-static void death_by_timeout(unsigned long ul_conntrack)
+void ip_ct_death_by_timeout(unsigned long ul_conntrack)
 {
 struct ip_conntrack *ct = (void *)ul_conntrack;
@@ -663,7 +663,7 @@
 return dropped;
 if (del_timer(&h->ctrack->timeout)) {
- death_by_timeout((unsigned long)h->ctrack);
+ ip_ct_death_by_timeout((unsigned long)h->ctrack);
 dropped = 1;
 }
 ip_conntrack_put(h->ctrack);
@@ -758,7 +758,7 @@
 /* Don't set timer yet: wait for confirmation */
 init_timer(&conntrack->timeout);
 conntrack->timeout.data = (unsigned long)conntrack;
- conntrack->timeout.function = death_by_timeout;
+ conntrack->timeout.function = ip_ct_death_by_timeout;
 INIT_LIST_HEAD(&conntrack->sibling_list);
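Review bot: The declaration added in the `@@ -269` hunk of ip_conntrack.h makes the conntrack destructor part of the module-facing API, but its comment `/* Kill conntrack */` states no calling contract. Every call site visible in this patch invokes it only after `del_timer(&...->timeout)` returned non-zero, which suggests the caller must have taken ownership of the pending timer first; the function body is outside the hunks, so what a call without that step would do (presumably release the timer's reference a second time) cannot be confirmed from here. I would spell the precondition out, e.g. `/* Kill conntrack: call only after del_timer(&ct->timeout) has succeeded; ul_conntrack is the struct ip_conntrack * cast to unsigned long. */`. The same concern applies to the `EXPORT_SYMBOL(ip_ct_death_by_timeout);` line added in ip_conntrack_standalone.c, which opens the function to any loaded module.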
@@ -1243,8 +1243,10 @@
 if (!is_confirmed(ct))
 ct->timeout.expires = extra_jiffies;
 else {
- /* Need del_timer for race avoidance (may already be dying). */
- if (del_timer(&ct->timeout)) {
+ /* Don't update timer for each packet, only if it's been >HZ
+ * ticks since last update.
+ * Need del_timer for race avoidance (may already be dying). */
+ if (abs(jiffies + extra_jiffies - ct->timeout.expires) >= HZ && del_timer(&ct->timeout)) {
 ct->timeout.expires = jiffies + extra_jiffies;
 add_timer(&ct->timeout);
 }
@@ -1349,7 +1351,7 @@
 while ((h = get_next_corpse(kill, data, &bucket)) != NULL) {
 /* Time to push up daises... */
 if (del_timer(&h->ctrack->timeout))
- death_by_timeout((unsigned long)h->ctrack);
+ ip_ct_death_by_timeout((unsigned long)h->ctrack);
 /* ... else the timer will get him soon. */
 ip_conntrack_put(h->ctrack);
diff -urN linux-2.4.23-pom-031219-4-extr/net/ipv4/netfilter/ip_conntrack_standalone.c linux-2.4.23-pom-031219-5-opti/net/ipv4/netfilter/ip_conntrack_standalone.c
--- linux-2.4.23-pom-031219-4-extr/net/ipv4/netfilter/ip_conntrack_standalone.c Sun Jan 4 19:14:59 2004
+++ linux-2.4.23-pom-031219-5-opti/net/ipv4/netfilter/ip_conntrack_standalone.c Sun Jan 4 19:15:58 2004
@@ -533,6 +533,7 @@
 EXPORT_SYMBOL(ip_conntrack_helper_unregister);
 EXPORT_SYMBOL(ip_ct_selective_cleanup);
 EXPORT_SYMBOL(ip_ct_refresh);
+EXPORT_SYMBOL(ip_ct_death_by_timeout);
 EXPORT_SYMBOL(ip_ct_find_proto);
 EXPORT_SYMBOL(ip_ct_find_helper);
 EXPORT_SYMBOL(ip_conntrack_expect_related);
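Review bot: In the `@@ -1243` hunk the new guard `abs(jiffies + extra_jiffies - ct->timeout.expires) >= HZ` can stop a live entry from ever being refreshed when `extra_jiffies` is at or below about `HZ`: once the timer has been set to that value, the gap between the requested and the current expiry stays under the threshold until the timer fires, so the entry would expire while packets are still arriving. No caller is visible in this patch, so whether any protocol passes such a short timeout needs checking before this is merged. The expression is also unsigned long arithmetic handed to `abs()`, which presumably narrows to int; a signed delta would make the intent explicit, e.g. `long delta = (long)(jiffies + extra_jiffies - ct->timeout.expires);` at the top of the `else` block and then `if ((extra_jiffies <= HZ || delta >= HZ || delta <= -HZ) && del_timer(&ct->timeout)) {`. The enclosing function (presumably ip_ct_refresh, judging by `ct` and `extra_jiffies`) starts and ends outside the hunk.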