--- a/net/netfilter/xt_connlimit.c 2007-10-09 23:31:38.000000000 +0300
+++ b/net/netfilter/xt_connlimit.c 2008-02-07 19:23:20.000000000 +0200
@@ -28,6 +28,8 @@
 #include
 #include
+int connlimit_timeout = 10*60*HZ; /* 10 sec */
+
 /* we will save the tuples of all connections we care about */
 struct xt_connlimit_conn {
 struct list_head list;
@@ -103,7 +105,8 @@ static int count_them(struct xt_connlimi
 const struct nf_conntrack_tuple *tuple,
 const union nf_conntrack_address *addr,
 const union nf_conntrack_address *mask,
-const struct xt_match *match)
+const struct xt_match *match,
+const unsigned long timeout)
 {
 struct nf_conntrack_tuple_hash *found;
 struct xt_connlimit_conn *conn;
@@ -130,6 +133,7 @@ static int count_them(struct xt_connlimi
 found_ct = nf_ct_tuplehash_to_ctrack(found);
 if (found_ct != NULL &&
+abs(found_ct->timeout.expires-timeout)tuple, tuple) &&
 !already_closed(found_ct))
 /*
@@ -210,7 +214,7 @@ static bool connlimit_match(const struct
 }
 spin_lock_bh(&info->data->lock);
-connections = count_them(info->data, tuple_ptr, &addr, &mask, match);
+connections = count_them(info->data, tuple_ptr, &addr, &mask, match, ct->timeout.expires);
 spin_unlock_bh(&info->data->lock);
 if (connections < 0) {
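Review bot: The comment on the new global in the first hunk contradicts its value: `10*60*HZ` is ten minutes of jiffies, not "10 sec", and neither the name nor the comment states that the unit is jiffies. The variable is also defined with external linkage, so it enters the kernel's global symbol namespace although nothing on the page declares or uses it outside this file; unless it is intended as a tunable, make it file-local and give it the type of the jiffies value it is compared against: `static unsigned long connlimit_timeout = 10*60*HZ; /* 10 minutes, in jiffies */`. If it is meant to be tunable at load time, a `module_param` with a description is the conventional route rather than a bare non-static int.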
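Review bot: The added condition in the `@@ -130,6 +133,7 @@` hunk computes `found_ct->timeout.expires-timeout` in unsigned long arithmetic and hands the result to `abs()`, which takes an int: whenever the existing connection expires earlier than the new one the subtraction wraps to a huge unsigned value, and the implicit conversion to int discards the high bits, so the magnitude compared against the window is meaningless for roughly half of the inputs (and for most of them once jiffies is 64-bit). Compute the distance as a signed value before taking its magnitude, e.g. `long delta = (long)(found_ct->timeout.expires - timeout);` followed by `if (delta < 0) delta = -delta;` and compare `delta` with the window, or express the test with the `time_before()`/`time_after()` jiffies helpers, which exist for exactly this wrap-around problem. The text after the closing parenthesis of `abs(...)` appears to have been lost in rendering on this page, so the comparison operator and the right-hand side could not be checked; count_them begins and ends outside the hunk.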
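Review bot: The new call in the last hunk dereferences `ct` unconditionally for `ct->timeout.expires`, but nothing in the hunk establishes that `ct` is non-NULL there; the assignments to `ct` and `tuple_ptr` are above the hunk, and if connlimit_match has a path that fills in `tuple_ptr` without a conntrack entry, this becomes a NULL dereference triggered by a single packet, i.e. a remotely reachable crash in a firewall module. Hoist the expiry into a checked local before taking the lock, e.g. `unsigned long expires = ct != NULL ? ct->timeout.expires : 0;`, pass `expires` to count_them, and decide explicitly what an untracked packet should count as (the previous code counted every matching connection regardless of expiry). The rest of connlimit_match, including where `ct` is obtained, lies outside the hunk.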