I have a test router which is showing promise, 15 days with correct port forwarding. I have removed all of the netfilter modules I'm not using. Perhaps someone else would like to test what I have done...
I compiled kamikaze 2.4 with the following netfilter modules removed:
# Delete the generic-2.4 kernel patches for the netfilter features this build does not use.
# The paths are relative; presumably run from the top of the Kamikaze source tree (confirm).
# NOTE(review): judging by the file names, 603/613/614/615 are the NAT helpers for PPTP,
# H.323, RTSP and MMS, so an image built this way gives those protocols no helper support.
# The rest look like match/target extensions (NETMAP, ipset, string, condition, quota, time,
# iprange, random, ip6t REJECT). Firewall rules that reference any of them would presumably
# fail to load, so check the rule set before deploying.
rm target/linux/generic-2.4/patches/603-netfilter_nat_pptp.patch
rm target/linux/generic-2.4/patches/606-netfilter_NETMAP.patch
rm target/linux/generic-2.4/patches/608-netfilter_ipset.patch
rm target/linux/generic-2.4/patches/609-netfilter_string.patch
rm target/linux/generic-2.4/patches/611-netfilter_condition.patch
rm target/linux/generic-2.4/patches/612-netfilter_quota.patch
rm target/linux/generic-2.4/patches/613-netfilter_nat_h323.patch
rm target/linux/generic-2.4/patches/614-netfilter_nat_rtsp.patch
rm target/linux/generic-2.4/patches/615-netfilter_nat_mms.patch
rm target/linux/generic-2.4/patches/617-netfilter_time.patch
rm target/linux/generic-2.4/patches/620-netfilter_iprange.patch
rm target/linux/generic-2.4/patches/621-netfilter_random.patch
rm target/linux/generic-2.4/patches/622-netfilter_ipset_porthash.patch
rm target/linux/generic-2.4/patches/623-netfilter_ip6t_reject.patch
Now, after removing those files, it takes a bit of work to get things compiling again. I have some patches, but they might not apply cleanly for you. You might have to work these out by hand...
diff -urN package.old/kernel/modules/netfilter.mk package/kernel/modules/netfilter.mk
--- package.old/kernel/modules/netfilter.mk 2008-05-19 14:55:29.000000000 -0400
+++ package/kernel/modules/netfilter.mk 2008-05-19 14:56:18.000000000 -0400
@@ -206,6 +206,7 @@
define KernelPackage/ipt-iprange
SUBMENU:=$(NF_MENU)
TITLE:=Module for matching ip ranges
+ DEPENDS:=@LINUX_2_6
FILES:=$(foreach mod,$(IPT_IPRANGE-m),$(LINUX_DIR)/net/$(mod).$(LINUX_KMOD_SUFFIX))
AUTOLOAD:=$(call AutoLoad,40,$(notdir $(IPT_IPRANGE-m)))
endef
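Review bot: The added `DEPENDS:=@LINUX_2_6` in KernelPackage/ipt-iprange has no comment saying why the module is hidden on 2.4, and the same applies to the identical line added to the "IPSET Modules" package in the next hunk (its `define` line is outside that hunk). The reason is visible only in the surrounding post, which deletes 620-netfilter_iprange, 608-netfilter_ipset and 622-netfilter_ipset_porthash from generic-2.4. I would add above each line something like `# 2.4: kernel patch removed from generic-2.4/patches, module only buildable on 2.6`. It is also worth checking that no firewall script on a 2.4 image still uses the iprange or set matches, since a rule that fails to load is a rule that is not enforced.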
@@ -221,6 +222,7 @@
SUBMENU:=$(NF_MENU)
TITLE:=IPSET Modules
KCONFIG:=$(KCONFIG_IPT_IPSET)
+ DEPENDS:=@LINUX_2_6
FILES:=$(foreach mod,$(IPT_IPSET-m),$(LINUX_DIR)/net/$(mod).$(LINUX_KMOD_SUFFIX))
AUTOLOAD:=$(call AutoLoad,40,$(notdir $(IPT_IPSET-m)))
endef
diff -urN target.old/linux/generic-2.4/patches/610-netfilter_connbytes.patch target/linux/generic-2.4/patches/610-netfilter_connbytes.patch
--- target.old/linux/generic-2.4/patches/610-netfilter_connbytes.patch 2008-05-19 14:40:13.000000000 -0400
+++ target/linux/generic-2.4/patches/610-netfilter_connbytes.patch 2008-05-19 14:52:05.000000000 -0400
@@ -1,16 +1,3 @@
-Index: linux-2.4.35.4/net/ipv4/netfilter/Config.in
-===================================================================
---- linux-2.4.35.4.orig/net/ipv4/netfilter/Config.in
-+++ linux-2.4.35.4/net/ipv4/netfilter/Config.in
-@@ -11,6 +11,8 @@ if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ];
- dep_tristate ' Amanda protocol support' CONFIG_IP_NF_AMANDA $CONFIG_IP_NF_CONNTRACK
- dep_tristate ' TFTP protocol support' CONFIG_IP_NF_TFTP $CONFIG_IP_NF_CONNTRACK
- dep_tristate ' IRC protocol support' CONFIG_IP_NF_IRC $CONFIG_IP_NF_CONNTRACK
-+ dep_tristate ' Connection tracking flow accounting' CONFIG_IP_NF_CT_ACCT $CONFIG_IP_NF_CONNTRACK
-+ dep_tristate ' Connection byte counter support' CONFIG_IP_NF_MATCH_CONNBYTES $CONFIG_IP_NF_CT_ACCT $CONFIG_IP_NF_CONNTRACK $CONFIG_IP_NF_IPTABLES
- dep_tristate ' GRE protocol support' CONFIG_IP_NF_CT_PROTO_GRE $CONFIG_IP_NF_CONNTRACK
- dep_tristate ' PPTP protocol support' CONFIG_IP_NF_PPTP $CONFIG_IP_NF_CT_PROTO_GRE
- fi
Index: linux-2.4.35.4/net/ipv4/netfilter/Makefile
===================================================================
--- linux-2.4.35.4.orig/net/ipv4/netfilter/Makefile
@@ -439,27 +426,15 @@
+};
+
+#endif
-Index: linux-2.4.35.4/net/ipv4/netfilter/ip_conntrack_proto_gre.c
-===================================================================
---- linux-2.4.35.4.orig/net/ipv4/netfilter/ip_conntrack_proto_gre.c
-+++ linux-2.4.35.4/net/ipv4/netfilter/ip_conntrack_proto_gre.c
-@@ -237,16 +237,16 @@ static unsigned int gre_print_conntrack(
- /* Returns verdict for packet, and may modify conntrack */
- static int gre_packet(struct ip_conntrack *ct,
- struct iphdr *iph, size_t len,
-- enum ip_conntrack_info conntrackinfo)
-+ enum ip_conntrack_info ctinfo)
- {
- /* If we've seen traffic both ways, this is a GRE connection.
- * Extend timeout. */
- if (ct->status & IPS_SEEN_REPLY) {
-- ip_ct_refresh_acct(ct, ct->proto.gre.stream_timeout);
-+ ip_ct_refresh_acct(ct, ctinfo, iph, ct->proto.gre.stream_timeout);
- /* Also, more likely to be important, and not a probe. */
- set_bit(IPS_ASSURED_BIT, &ct->status);
- } else
-- ip_ct_refresh_acct(ct, ct->proto.gre.timeout);
-+ ip_ct_refresh_acct(ct, ctinfo, iph, ct->proto.gre.timeout);
-
- return NF_ACCEPT;
- }
+diff -urN linux-2.4.35.4.old/net/ipv4/netfilter/Config.in linux-2.4.35.4/net/ipv4/netfilter/Config.in
+--- linux-2.4.35.4.old/net/ipv4/netfilter/Config.in 2008-05-16 09:51:20.000000000 -0400
++++ linux-2.4.35.4/net/ipv4/netfilter/Config.in 2008-05-16 09:52:55.000000000 -0400
+@@ -11,6 +11,8 @@
+ dep_tristate ' Amanda protocol support' CONFIG_IP_NF_AMANDA $CONFIG_IP_NF_CONNTRACK
+ dep_tristate ' TFTP protocol support' CONFIG_IP_NF_TFTP $CONFIG_IP_NF_CONNTRACK
+ dep_tristate ' IRC protocol support' CONFIG_IP_NF_IRC $CONFIG_IP_NF_CONNTRACK
++ dep_tristate ' Connection tracking flow accounting' CONFIG_IP_NF_CT_ACCT $CONFIG_IP_NF_CONNTRACK
++ dep_tristate ' Connection byte counter support' CONFIG_IP_NF_MATCH_CONNBYTES $CONFIG_IP_NF_CT_ACCT $CONFIG_IP_NF_CONNTRACK $CONFIG_IP_NF_IPTABLES
+ fi
+
+ if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
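Review bot: Dropping the ip_conntrack_proto_gre.c section leaves 610-netfilter_connbytes.patch silently dependent on the GRE tracker being absent, and nothing in the patch records that. The removed lines were what moved both `ip_ct_refresh_acct` calls in `gre_packet` to the four-argument form `(ct, ctinfo, iph, timeout)`. If the GRE tracker is ever restored (it appears to come from the deleted 603-netfilter_nat_pptp.patch, though that is not shown here), it would presumably no longer compile against the accounting change. I would record this in the patch's leading text, e.g. `GRE hunk dropped: requires 603-netfilter_nat_pptp.patch to stay removed`. As a matter of style, the re-added Config.in section uses a `diff -urN` header with timestamps and sits at the end of the file while the other sections keep the `Index:` form, so regenerating it in that form would keep the patch uniform.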