diff -Nru linux-2.4.20/include/linux/netfilter_ipv4/ip_conntrack.h linux-2.4.20-pom2patch/include/linux/netfilter_ipv4/ip_conntrack.h
--- linux-2.4.20/include/linux/netfilter_ipv4/ip_conntrack.h	2003-05-02 12:58:27.000000000 -0500
+++ linux-2.4.20-pom2patch/include/linux/netfilter_ipv4/ip_conntrack.h	2003-05-02 12:58:52.000000000 -0500
@@ -262,6 +262,9 @@
 extern void ip_ct_refresh(struct ip_conntrack *ct,
 			  unsigned long extra_jiffies);
 
+/* Kill conntrack */
+extern void ip_ct_death_by_timeout(unsigned long ul_conntrack);
+
 /* These are for NAT.  Icky. */
 /* Call me when a conntrack is destroyed. */
 extern void (*ip_conntrack_destroyed)(struct ip_conntrack *conntrack);
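Review bot: The comment `/* Kill conntrack */` on the new `ip_ct_death_by_timeout` declaration does not state the calling contract, and this patch also exports the symbol to modules (the `EXPORT_SYMBOL` line in ip_conntrack_standalone.c). Every call site visible in ip_conntrack_core.c calls it only after `del_timer(&...->timeout)` returned non-zero, and the same function is installed as `timeout.function`, so a direct call without a successful `del_timer()` would presumably let the timer run the teardown a second time. The function body is outside these hunks, so the exact reference handling is inferred. I would spell this out in the header, e.g. `/* Kill conntrack. Also the timeout handler: call directly only after del_timer(&ct->timeout) returned non-zero. */`.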
diff -Nru linux-2.4.20/net/ipv4/netfilter/ip_conntrack_core.c linux-2.4.20-pom2patch/net/ipv4/netfilter/ip_conntrack_core.c
--- linux-2.4.20/net/ipv4/netfilter/ip_conntrack_core.c	2003-05-02 12:58:49.000000000 -0500
+++ linux-2.4.20-pom2patch/net/ipv4/netfilter/ip_conntrack_core.c	2003-05-02 12:58:52.000000000 -0500
@@ -348,7 +348,7 @@
 	atomic_dec(&ip_conntrack_count);
 }
 
-static void death_by_timeout(unsigned long ul_conntrack)
+void ip_ct_death_by_timeout(unsigned long ul_conntrack)
 {
 	struct ip_conntrack *ct = (void *)ul_conntrack;
 
@@ -609,7 +609,7 @@
 		return dropped;
 
 	if (del_timer(&h->ctrack->timeout)) {
-		death_by_timeout((unsigned long)h->ctrack);
+		ip_ct_death_by_timeout((unsigned long)h->ctrack);
 		dropped = 1;
 	}
 	ip_conntrack_put(h->ctrack);
@@ -691,7 +691,7 @@
 	/* Don't set timer yet: wait for confirmation */
 	init_timer(&conntrack->timeout);
 	conntrack->timeout.data = (unsigned long)conntrack;
-	conntrack->timeout.function = death_by_timeout;
+	conntrack->timeout.function = ip_ct_death_by_timeout;
 
 	INIT_LIST_HEAD(&conntrack->sibling_list);
 
@@ -1184,8 +1184,10 @@
 	if (!is_confirmed(ct))
 		ct->timeout.expires = extra_jiffies;
 	else {
-		/* Need del_timer for race avoidance (may already be dying). */
-		if (del_timer(&ct->timeout)) {
+		/* Don't update timer for each packet, only if it's been >HZ
+		 * ticks since last update.
+		 * Need del_timer for race avoidance (may already be dying). */
+		if (abs(jiffies + extra_jiffies - ct->timeout.expires) >= HZ && del_timer(&ct->timeout)) {
 			ct->timeout.expires = jiffies + extra_jiffies;
 			add_timer(&ct->timeout);
 		}
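Review bot: The new throttle condition passes an unsigned long expression, `jiffies + extra_jiffies - ct->timeout.expires`, to `abs()`. If `abs()` in this tree works on `int`, as I believe it does, the difference is narrowed on 64-bit targets before the `>= HZ` comparison. A signed long delta makes the intent explicit and keeps the line under 80 columns: declare `long delta = (long)(jiffies + extra_jiffies - ct->timeout.expires);` at the top of the `else` block and test `if ((delta >= HZ || delta <= -HZ) && del_timer(&ct->timeout)) {`. The comment could also note that an entry may now expire up to HZ ticks away from the requested timeout, since refreshes closer than that are skipped. The enclosing function starts and ends outside this hunk.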
@@ -1291,7 +1293,7 @@
 	while ((h = get_next_corpse(kill, data)) != NULL) {
 		/* Time to push up daises... */
 		if (del_timer(&h->ctrack->timeout))
-			death_by_timeout((unsigned long)h->ctrack);
+			ip_ct_death_by_timeout((unsigned long)h->ctrack);
 		/* ... else the timer will get him soon. */
 
 		ip_conntrack_put(h->ctrack);
diff -Nru linux-2.4.20/net/ipv4/netfilter/ip_conntrack_standalone.c linux-2.4.20-pom2patch/net/ipv4/netfilter/ip_conntrack_standalone.c
--- linux-2.4.20/net/ipv4/netfilter/ip_conntrack_standalone.c	2003-05-02 12:56:58.000000000 -0500
+++ linux-2.4.20-pom2patch/net/ipv4/netfilter/ip_conntrack_standalone.c	2003-05-02 12:58:52.000000000 -0500
@@ -363,6 +363,7 @@
 EXPORT_SYMBOL(ip_conntrack_helper_unregister);
 EXPORT_SYMBOL(ip_ct_selective_cleanup);
 EXPORT_SYMBOL(ip_ct_refresh);
+EXPORT_SYMBOL(ip_ct_death_by_timeout);
 EXPORT_SYMBOL(ip_ct_find_proto);
 EXPORT_SYMBOL(__ip_ct_find_proto);
 EXPORT_SYMBOL(ip_ct_find_helper);
