diff options
| author | Florian Westphal <fw@strlen.de> | 2019-09-29 14:54:03 -0400 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-10-01 12:42:15 -0400 |
| commit | 895b5c9f206eb7d25dc1360a8ccfc5958895eb89 (patch) | |
| tree | 509162fdc985cf083ca5f06732d46eadb308c6d9 | |
| parent | 9cfc370240c31c7f31f445e69190dd15be8e5d7d (diff) | |
netfilter: drop bridge nf reset from nf_reset
commit 174e23810cd31
("sk_buff: drop all skb extensions on free and skb scrubbing") made napi
recycle always drop skb extensions. The additional skb_ext_del() that is
performed via nf_reset on napi skb recycle is not needed anymore.
Most nf_reset() calls in the stack are there so queued skb won't block
'rmmod nf_conntrack' indefinitely.
This removes the skb_ext_del from nf_reset, and renames it to a more
fitting nf_reset_ct().
In a few selected places, add a call to skb_ext_reset to make sure that
no active extensions remain.
I am submitting this for "net", because we're still early in the release
cycle. The patch applies to net-next too, but I think the rename causes
needless divergence between those trees.
Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
31 files changed, 40 insertions, 45 deletions
diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c index 734de7de03f7..e1fabb3e3246 100644 --- a/drivers/net/ppp/pptp.c +++ b/drivers/net/ppp/pptp.c | |||
| @@ -238,7 +238,7 @@ static int pptp_xmit(struct ppp_channel *chan, struct sk_buff *skb) | |||
| 238 | skb_dst_drop(skb); | 238 | skb_dst_drop(skb); |
| 239 | skb_dst_set(skb, &rt->dst); | 239 | skb_dst_set(skb, &rt->dst); |
| 240 | 240 | ||
| 241 | nf_reset(skb); | 241 | nf_reset_ct(skb); |
| 242 | 242 | ||
| 243 | skb->ip_summed = CHECKSUM_NONE; | 243 | skb->ip_summed = CHECKSUM_NONE; |
| 244 | ip_select_ident(net, skb, NULL); | 244 | ip_select_ident(net, skb, NULL); |
| @@ -358,7 +358,7 @@ static int pptp_rcv(struct sk_buff *skb) | |||
| 358 | po = lookup_chan(htons(header->call_id), iph->saddr); | 358 | po = lookup_chan(htons(header->call_id), iph->saddr); |
| 359 | if (po) { | 359 | if (po) { |
| 360 | skb_dst_drop(skb); | 360 | skb_dst_drop(skb); |
| 361 | nf_reset(skb); | 361 | nf_reset_ct(skb); |
| 362 | return sk_receive_skb(sk_pppox(po), skb, 0); | 362 | return sk_receive_skb(sk_pppox(po), skb, 0); |
| 363 | } | 363 | } |
| 364 | drop: | 364 | drop: |
diff --git a/drivers/net/tun.c b/drivers/net/tun.c index aab0be40d443..812dc3a65efb 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c | |||
| @@ -1104,7 +1104,7 @@ static netdev_tx_t tun_net_xmit(struct sk_buff *skb, struct net_device *dev) | |||
| 1104 | */ | 1104 | */ |
| 1105 | skb_orphan(skb); | 1105 | skb_orphan(skb); |
| 1106 | 1106 | ||
| 1107 | nf_reset(skb); | 1107 | nf_reset_ct(skb); |
| 1108 | 1108 | ||
| 1109 | if (ptr_ring_produce(&tfile->tx_ring, skb)) | 1109 | if (ptr_ring_produce(&tfile->tx_ring, skb)) |
| 1110 | goto drop; | 1110 | goto drop; |
diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c index ba98e0971b84..5a635f028bdc 100644 --- a/drivers/net/virtio_net.c +++ b/drivers/net/virtio_net.c | |||
| @@ -1585,7 +1585,7 @@ static netdev_tx_t start_xmit(struct sk_buff *skb, struct net_device *dev) | |||
| 1585 | /* Don't wait up for transmitted skbs to be freed. */ | 1585 | /* Don't wait up for transmitted skbs to be freed. */ |
| 1586 | if (!use_napi) { | 1586 | if (!use_napi) { |
| 1587 | skb_orphan(skb); | 1587 | skb_orphan(skb); |
| 1588 | nf_reset(skb); | 1588 | nf_reset_ct(skb); |
| 1589 | } | 1589 | } |
| 1590 | 1590 | ||
| 1591 | /* If running out of space, stop queue to avoid getting packets that we | 1591 | /* If running out of space, stop queue to avoid getting packets that we |
diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c index a4b38a980c3c..ee52bde058df 100644 --- a/drivers/net/vrf.c +++ b/drivers/net/vrf.c | |||
| @@ -366,7 +366,7 @@ static int vrf_finish_output6(struct net *net, struct sock *sk, | |||
| 366 | struct neighbour *neigh; | 366 | struct neighbour *neigh; |
| 367 | int ret; | 367 | int ret; |
| 368 | 368 | ||
| 369 | nf_reset(skb); | 369 | nf_reset_ct(skb); |
| 370 | 370 | ||
| 371 | skb->protocol = htons(ETH_P_IPV6); | 371 | skb->protocol = htons(ETH_P_IPV6); |
| 372 | skb->dev = dev; | 372 | skb->dev = dev; |
| @@ -459,7 +459,7 @@ static struct sk_buff *vrf_ip6_out_direct(struct net_device *vrf_dev, | |||
| 459 | 459 | ||
| 460 | /* reset skb device */ | 460 | /* reset skb device */ |
| 461 | if (likely(err == 1)) | 461 | if (likely(err == 1)) |
| 462 | nf_reset(skb); | 462 | nf_reset_ct(skb); |
| 463 | else | 463 | else |
| 464 | skb = NULL; | 464 | skb = NULL; |
| 465 | 465 | ||
| @@ -560,7 +560,7 @@ static int vrf_finish_output(struct net *net, struct sock *sk, struct sk_buff *s | |||
| 560 | bool is_v6gw = false; | 560 | bool is_v6gw = false; |
| 561 | int ret = -EINVAL; | 561 | int ret = -EINVAL; |
| 562 | 562 | ||
| 563 | nf_reset(skb); | 563 | nf_reset_ct(skb); |
| 564 | 564 | ||
| 565 | /* Be paranoid, rather than too clever. */ | 565 | /* Be paranoid, rather than too clever. */ |
| 566 | if (unlikely(skb_headroom(skb) < hh_len && dev->header_ops)) { | 566 | if (unlikely(skb_headroom(skb) < hh_len && dev->header_ops)) { |
| @@ -670,7 +670,7 @@ static struct sk_buff *vrf_ip_out_direct(struct net_device *vrf_dev, | |||
| 670 | 670 | ||
| 671 | /* reset skb device */ | 671 | /* reset skb device */ |
| 672 | if (likely(err == 1)) | 672 | if (likely(err == 1)) |
| 673 | nf_reset(skb); | 673 | nf_reset_ct(skb); |
| 674 | else | 674 | else |
| 675 | skb = NULL; | 675 | skb = NULL; |
| 676 | 676 | ||
diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c index 635956024e88..45c73a6f09a1 100644 --- a/drivers/net/wireless/mac80211_hwsim.c +++ b/drivers/net/wireless/mac80211_hwsim.c | |||
| @@ -1261,8 +1261,8 @@ static bool mac80211_hwsim_tx_frame_no_nl(struct ieee80211_hw *hw, | |||
| 1261 | skb_orphan(skb); | 1261 | skb_orphan(skb); |
| 1262 | skb_dst_drop(skb); | 1262 | skb_dst_drop(skb); |
| 1263 | skb->mark = 0; | 1263 | skb->mark = 0; |
| 1264 | secpath_reset(skb); | 1264 | skb_ext_reset(skb); |
| 1265 | nf_reset(skb); | 1265 | nf_reset_ct(skb); |
| 1266 | 1266 | ||
| 1267 | /* | 1267 | /* |
| 1268 | * Get absolute mactime here so all HWs RX at the "same time", and | 1268 | * Get absolute mactime here so all HWs RX at the "same time", and |
diff --git a/drivers/staging/octeon/ethernet-tx.c b/drivers/staging/octeon/ethernet-tx.c index c64728fc21f2..a62057555d1b 100644 --- a/drivers/staging/octeon/ethernet-tx.c +++ b/drivers/staging/octeon/ethernet-tx.c | |||
| @@ -349,10 +349,8 @@ int cvm_oct_xmit(struct sk_buff *skb, struct net_device *dev) | |||
| 349 | */ | 349 | */ |
| 350 | dst_release(skb_dst(skb)); | 350 | dst_release(skb_dst(skb)); |
| 351 | skb_dst_set(skb, NULL); | 351 | skb_dst_set(skb, NULL); |
| 352 | #ifdef CONFIG_XFRM | 352 | skb_ext_reset(skb); |
| 353 | secpath_reset(skb); | 353 | nf_reset_ct(skb); |
| 354 | #endif | ||
| 355 | nf_reset(skb); | ||
| 356 | 354 | ||
| 357 | #ifdef CONFIG_NET_SCHED | 355 | #ifdef CONFIG_NET_SCHED |
| 358 | skb->tc_index = 0; | 356 | skb->tc_index = 0; |
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h index e7d3b1a513ef..4351577b14d7 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h | |||
| @@ -4160,15 +4160,12 @@ static inline void __skb_ext_copy(struct sk_buff *d, const struct sk_buff *s) {} | |||
| 4160 | static inline void skb_ext_copy(struct sk_buff *dst, const struct sk_buff *s) {} | 4160 | static inline void skb_ext_copy(struct sk_buff *dst, const struct sk_buff *s) {} |
| 4161 | #endif /* CONFIG_SKB_EXTENSIONS */ | 4161 | #endif /* CONFIG_SKB_EXTENSIONS */ |
| 4162 | 4162 | ||
| 4163 | static inline void nf_reset(struct sk_buff *skb) | 4163 | static inline void nf_reset_ct(struct sk_buff *skb) |
| 4164 | { | 4164 | { |
| 4165 | #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) | 4165 | #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) |
| 4166 | nf_conntrack_put(skb_nfct(skb)); | 4166 | nf_conntrack_put(skb_nfct(skb)); |
| 4167 | skb->_nfct = 0; | 4167 | skb->_nfct = 0; |
| 4168 | #endif | 4168 | #endif |
| 4169 | #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER) | ||
| 4170 | skb_ext_del(skb, SKB_EXT_BRIDGE_NF); | ||
| 4171 | #endif | ||
| 4172 | } | 4169 | } |
| 4173 | 4170 | ||
| 4174 | static inline void nf_reset_trace(struct sk_buff *skb) | 4171 | static inline void nf_reset_trace(struct sk_buff *skb) |
diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c index a1146cb10919..9cbed6f5a85a 100644 --- a/net/batman-adv/soft-interface.c +++ b/net/batman-adv/soft-interface.c | |||
| @@ -436,7 +436,7 @@ void batadv_interface_rx(struct net_device *soft_iface, | |||
| 436 | /* clean the netfilter state now that the batman-adv header has been | 436 | /* clean the netfilter state now that the batman-adv header has been |
| 437 | * removed | 437 | * removed |
| 438 | */ | 438 | */ |
| 439 | nf_reset(skb); | 439 | nf_reset_ct(skb); |
| 440 | 440 | ||
| 441 | if (unlikely(!pskb_may_pull(skb, ETH_HLEN))) | 441 | if (unlikely(!pskb_may_pull(skb, ETH_HLEN))) |
| 442 | goto dropped; | 442 | goto dropped; |
diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 01d65206f4fb..529133611ea2 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c | |||
| @@ -5120,7 +5120,7 @@ void skb_scrub_packet(struct sk_buff *skb, bool xnet) | |||
| 5120 | skb->ignore_df = 0; | 5120 | skb->ignore_df = 0; |
| 5121 | skb_dst_drop(skb); | 5121 | skb_dst_drop(skb); |
| 5122 | skb_ext_reset(skb); | 5122 | skb_ext_reset(skb); |
| 5123 | nf_reset(skb); | 5123 | nf_reset_ct(skb); |
| 5124 | nf_reset_trace(skb); | 5124 | nf_reset_trace(skb); |
| 5125 | 5125 | ||
| 5126 | #ifdef CONFIG_NET_SWITCHDEV | 5126 | #ifdef CONFIG_NET_SWITCHDEV |
diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c index b685bc82f8d0..d9b4200ed12d 100644 --- a/net/dccp/ipv4.c +++ b/net/dccp/ipv4.c | |||
| @@ -871,7 +871,7 @@ lookup: | |||
| 871 | 871 | ||
| 872 | if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) | 872 | if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) |
| 873 | goto discard_and_relse; | 873 | goto discard_and_relse; |
| 874 | nf_reset(skb); | 874 | nf_reset_ct(skb); |
| 875 | 875 | ||
| 876 | return __sk_receive_skb(sk, skb, 1, dh->dccph_doff * 4, refcounted); | 876 | return __sk_receive_skb(sk, skb, 1, dh->dccph_doff * 4, refcounted); |
| 877 | 877 | ||
diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c index 1e2392b7c64e..c59a78a267c3 100644 --- a/net/ipv4/ip_input.c +++ b/net/ipv4/ip_input.c | |||
| @@ -199,7 +199,7 @@ resubmit: | |||
| 199 | kfree_skb(skb); | 199 | kfree_skb(skb); |
| 200 | return; | 200 | return; |
| 201 | } | 201 | } |
| 202 | nf_reset(skb); | 202 | nf_reset_ct(skb); |
| 203 | } | 203 | } |
| 204 | ret = INDIRECT_CALL_2(ipprot->handler, tcp_v4_rcv, udp_rcv, | 204 | ret = INDIRECT_CALL_2(ipprot->handler, tcp_v4_rcv, udp_rcv, |
| 205 | skb); | 205 | skb); |
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c index 313470f6bb14..716d5472c022 100644 --- a/net/ipv4/ipmr.c +++ b/net/ipv4/ipmr.c | |||
| @@ -1794,7 +1794,7 @@ static void ip_encap(struct net *net, struct sk_buff *skb, | |||
| 1794 | ip_send_check(iph); | 1794 | ip_send_check(iph); |
| 1795 | 1795 | ||
| 1796 | memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt)); | 1796 | memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt)); |
| 1797 | nf_reset(skb); | 1797 | nf_reset_ct(skb); |
| 1798 | } | 1798 | } |
| 1799 | 1799 | ||
| 1800 | static inline int ipmr_forward_finish(struct net *net, struct sock *sk, | 1800 | static inline int ipmr_forward_finish(struct net *net, struct sock *sk, |
| @@ -2140,7 +2140,7 @@ int ip_mr_input(struct sk_buff *skb) | |||
| 2140 | 2140 | ||
| 2141 | mroute_sk = rcu_dereference(mrt->mroute_sk); | 2141 | mroute_sk = rcu_dereference(mrt->mroute_sk); |
| 2142 | if (mroute_sk) { | 2142 | if (mroute_sk) { |
| 2143 | nf_reset(skb); | 2143 | nf_reset_ct(skb); |
| 2144 | raw_rcv(mroute_sk, skb); | 2144 | raw_rcv(mroute_sk, skb); |
| 2145 | return 0; | 2145 | return 0; |
| 2146 | } | 2146 | } |
diff --git a/net/ipv4/netfilter/nf_dup_ipv4.c b/net/ipv4/netfilter/nf_dup_ipv4.c index af3fbf76dbd3..6cc5743c553a 100644 --- a/net/ipv4/netfilter/nf_dup_ipv4.c +++ b/net/ipv4/netfilter/nf_dup_ipv4.c | |||
| @@ -65,7 +65,7 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum, | |||
| 65 | 65 | ||
| 66 | #if IS_ENABLED(CONFIG_NF_CONNTRACK) | 66 | #if IS_ENABLED(CONFIG_NF_CONNTRACK) |
| 67 | /* Avoid counting cloned packets towards the original connection. */ | 67 | /* Avoid counting cloned packets towards the original connection. */ |
| 68 | nf_reset(skb); | 68 | nf_reset_ct(skb); |
| 69 | nf_ct_set(skb, NULL, IP_CT_UNTRACKED); | 69 | nf_ct_set(skb, NULL, IP_CT_UNTRACKED); |
| 70 | #endif | 70 | #endif |
| 71 | /* | 71 | /* |
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c index 80da5a66d5d7..3183413ebc6c 100644 --- a/net/ipv4/raw.c +++ b/net/ipv4/raw.c | |||
| @@ -332,7 +332,7 @@ int raw_rcv(struct sock *sk, struct sk_buff *skb) | |||
| 332 | kfree_skb(skb); | 332 | kfree_skb(skb); |
| 333 | return NET_RX_DROP; | 333 | return NET_RX_DROP; |
| 334 | } | 334 | } |
| 335 | nf_reset(skb); | 335 | nf_reset_ct(skb); |
| 336 | 336 | ||
| 337 | skb_push(skb, skb->data - skb_network_header(skb)); | 337 | skb_push(skb, skb->data - skb_network_header(skb)); |
| 338 | 338 | ||
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 2ee45e3755e9..bf124b1742df 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c | |||
| @@ -1916,7 +1916,7 @@ process: | |||
| 1916 | if (tcp_v4_inbound_md5_hash(sk, skb)) | 1916 | if (tcp_v4_inbound_md5_hash(sk, skb)) |
| 1917 | goto discard_and_relse; | 1917 | goto discard_and_relse; |
| 1918 | 1918 | ||
| 1919 | nf_reset(skb); | 1919 | nf_reset_ct(skb); |
| 1920 | 1920 | ||
| 1921 | if (tcp_filter(sk, skb)) | 1921 | if (tcp_filter(sk, skb)) |
| 1922 | goto discard_and_relse; | 1922 | goto discard_and_relse; |
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c index cf755156a684..e8443cc5c1ab 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c | |||
| @@ -1969,7 +1969,7 @@ static int udp_queue_rcv_one_skb(struct sock *sk, struct sk_buff *skb) | |||
| 1969 | */ | 1969 | */ |
| 1970 | if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) | 1970 | if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) |
| 1971 | goto drop; | 1971 | goto drop; |
| 1972 | nf_reset(skb); | 1972 | nf_reset_ct(skb); |
| 1973 | 1973 | ||
| 1974 | if (static_branch_unlikely(&udp_encap_needed_key) && up->encap_type) { | 1974 | if (static_branch_unlikely(&udp_encap_needed_key) && up->encap_type) { |
| 1975 | int (*encap_rcv)(struct sock *sk, struct sk_buff *skb); | 1975 | int (*encap_rcv)(struct sock *sk, struct sk_buff *skb); |
| @@ -2298,7 +2298,7 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, | |||
| 2298 | 2298 | ||
| 2299 | if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) | 2299 | if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) |
| 2300 | goto drop; | 2300 | goto drop; |
| 2301 | nf_reset(skb); | 2301 | nf_reset_ct(skb); |
| 2302 | 2302 | ||
| 2303 | /* No socket. Drop packet silently, if checksum is wrong */ | 2303 | /* No socket. Drop packet silently, if checksum is wrong */ |
| 2304 | if (udp_lib_checksum_complete(skb)) | 2304 | if (udp_lib_checksum_complete(skb)) |
diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c index d432d0011c16..7e5df23cbe7b 100644 --- a/net/ipv6/ip6_input.c +++ b/net/ipv6/ip6_input.c | |||
| @@ -371,7 +371,7 @@ resubmit_final: | |||
| 371 | /* Free reference early: we don't need it any more, | 371 | /* Free reference early: we don't need it any more, |
| 372 | and it may hold ip_conntrack module loaded | 372 | and it may hold ip_conntrack module loaded |
| 373 | indefinitely. */ | 373 | indefinitely. */ |
| 374 | nf_reset(skb); | 374 | nf_reset_ct(skb); |
| 375 | 375 | ||
| 376 | skb_postpull_rcsum(skb, skb_network_header(skb), | 376 | skb_postpull_rcsum(skb, skb_network_header(skb), |
| 377 | skb_network_header_len(skb)); | 377 | skb_network_header_len(skb)); |
diff --git a/net/ipv6/netfilter/nf_dup_ipv6.c b/net/ipv6/netfilter/nf_dup_ipv6.c index e6c9da9866b1..a0a2de30be3e 100644 --- a/net/ipv6/netfilter/nf_dup_ipv6.c +++ b/net/ipv6/netfilter/nf_dup_ipv6.c | |||
| @@ -54,7 +54,7 @@ void nf_dup_ipv6(struct net *net, struct sk_buff *skb, unsigned int hooknum, | |||
| 54 | return; | 54 | return; |
| 55 | 55 | ||
| 56 | #if IS_ENABLED(CONFIG_NF_CONNTRACK) | 56 | #if IS_ENABLED(CONFIG_NF_CONNTRACK) |
| 57 | nf_reset(skb); | 57 | nf_reset_ct(skb); |
| 58 | nf_ct_set(skb, NULL, IP_CT_UNTRACKED); | 58 | nf_ct_set(skb, NULL, IP_CT_UNTRACKED); |
| 59 | #endif | 59 | #endif |
| 60 | if (hooknum == NF_INET_PRE_ROUTING || | 60 | if (hooknum == NF_INET_PRE_ROUTING || |
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c index 6e1888ee4036..a77f6b7d3a7c 100644 --- a/net/ipv6/raw.c +++ b/net/ipv6/raw.c | |||
| @@ -215,7 +215,7 @@ static bool ipv6_raw_deliver(struct sk_buff *skb, int nexthdr) | |||
| 215 | 215 | ||
| 216 | /* Not releasing hash table! */ | 216 | /* Not releasing hash table! */ |
| 217 | if (clone) { | 217 | if (clone) { |
| 218 | nf_reset(clone); | 218 | nf_reset_ct(clone); |
| 219 | rawv6_rcv(sk, clone); | 219 | rawv6_rcv(sk, clone); |
| 220 | } | 220 | } |
| 221 | } | 221 | } |
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c index 105e5a7092e7..f82ea12bac37 100644 --- a/net/l2tp/l2tp_core.c +++ b/net/l2tp/l2tp_core.c | |||
| @@ -1078,7 +1078,7 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len | |||
| 1078 | memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt)); | 1078 | memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt)); |
| 1079 | IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED | | 1079 | IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED | |
| 1080 | IPSKB_REROUTED); | 1080 | IPSKB_REROUTED); |
| 1081 | nf_reset(skb); | 1081 | nf_reset_ct(skb); |
| 1082 | 1082 | ||
| 1083 | bh_lock_sock(sk); | 1083 | bh_lock_sock(sk); |
| 1084 | if (sock_owned_by_user(sk)) { | 1084 | if (sock_owned_by_user(sk)) { |
diff --git a/net/l2tp/l2tp_eth.c b/net/l2tp/l2tp_eth.c index bd3f39349d40..fd5ac2788e45 100644 --- a/net/l2tp/l2tp_eth.c +++ b/net/l2tp/l2tp_eth.c | |||
| @@ -151,7 +151,7 @@ static void l2tp_eth_dev_recv(struct l2tp_session *session, struct sk_buff *skb, | |||
| 151 | skb->ip_summed = CHECKSUM_NONE; | 151 | skb->ip_summed = CHECKSUM_NONE; |
| 152 | 152 | ||
| 153 | skb_dst_drop(skb); | 153 | skb_dst_drop(skb); |
| 154 | nf_reset(skb); | 154 | nf_reset_ct(skb); |
| 155 | 155 | ||
| 156 | rcu_read_lock(); | 156 | rcu_read_lock(); |
| 157 | dev = rcu_dereference(spriv->dev); | 157 | dev = rcu_dereference(spriv->dev); |
diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c index 622833317dcb..0d7c887a2b75 100644 --- a/net/l2tp/l2tp_ip.c +++ b/net/l2tp/l2tp_ip.c | |||
| @@ -193,7 +193,7 @@ pass_up: | |||
| 193 | if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) | 193 | if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) |
| 194 | goto discard_put; | 194 | goto discard_put; |
| 195 | 195 | ||
| 196 | nf_reset(skb); | 196 | nf_reset_ct(skb); |
| 197 | 197 | ||
| 198 | return sk_receive_skb(sk, skb, 1); | 198 | return sk_receive_skb(sk, skb, 1); |
| 199 | 199 | ||
diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c index 687e23a8b326..802f19aba7e3 100644 --- a/net/l2tp/l2tp_ip6.c +++ b/net/l2tp/l2tp_ip6.c | |||
| @@ -206,7 +206,7 @@ pass_up: | |||
| 206 | if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) | 206 | if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) |
| 207 | goto discard_put; | 207 | goto discard_put; |
| 208 | 208 | ||
| 209 | nf_reset(skb); | 209 | nf_reset_ct(skb); |
| 210 | 210 | ||
| 211 | return sk_receive_skb(sk, skb, 1); | 211 | return sk_receive_skb(sk, skb, 1); |
| 212 | 212 | ||
diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c index 9c464d24beec..888d3068a492 100644 --- a/net/netfilter/ipvs/ip_vs_xmit.c +++ b/net/netfilter/ipvs/ip_vs_xmit.c | |||
| @@ -613,7 +613,7 @@ static inline int ip_vs_tunnel_xmit_prepare(struct sk_buff *skb, | |||
| 613 | if (unlikely(cp->flags & IP_VS_CONN_F_NFCT)) | 613 | if (unlikely(cp->flags & IP_VS_CONN_F_NFCT)) |
| 614 | ret = ip_vs_confirm_conntrack(skb); | 614 | ret = ip_vs_confirm_conntrack(skb); |
| 615 | if (ret == NF_ACCEPT) { | 615 | if (ret == NF_ACCEPT) { |
| 616 | nf_reset(skb); | 616 | nf_reset_ct(skb); |
| 617 | skb_forward_csum(skb); | 617 | skb_forward_csum(skb); |
| 618 | } | 618 | } |
| 619 | return ret; | 619 | return ret; |
diff --git a/net/openvswitch/vport-internal_dev.c b/net/openvswitch/vport-internal_dev.c index d2437b5b2f6a..21c90d3a7ebf 100644 --- a/net/openvswitch/vport-internal_dev.c +++ b/net/openvswitch/vport-internal_dev.c | |||
| @@ -237,7 +237,7 @@ static netdev_tx_t internal_dev_recv(struct sk_buff *skb) | |||
| 237 | } | 237 | } |
| 238 | 238 | ||
| 239 | skb_dst_drop(skb); | 239 | skb_dst_drop(skb); |
| 240 | nf_reset(skb); | 240 | nf_reset_ct(skb); |
| 241 | secpath_reset(skb); | 241 | secpath_reset(skb); |
| 242 | 242 | ||
| 243 | skb->pkt_type = PACKET_HOST; | 243 | skb->pkt_type = PACKET_HOST; |
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index e2742b006d25..82a50e850245 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c | |||
| @@ -1821,7 +1821,7 @@ static int packet_rcv_spkt(struct sk_buff *skb, struct net_device *dev, | |||
| 1821 | skb_dst_drop(skb); | 1821 | skb_dst_drop(skb); |
| 1822 | 1822 | ||
| 1823 | /* drop conntrack reference */ | 1823 | /* drop conntrack reference */ |
| 1824 | nf_reset(skb); | 1824 | nf_reset_ct(skb); |
| 1825 | 1825 | ||
| 1826 | spkt = &PACKET_SKB_CB(skb)->sa.pkt; | 1826 | spkt = &PACKET_SKB_CB(skb)->sa.pkt; |
| 1827 | 1827 | ||
| @@ -2121,7 +2121,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, | |||
| 2121 | skb_dst_drop(skb); | 2121 | skb_dst_drop(skb); |
| 2122 | 2122 | ||
| 2123 | /* drop conntrack reference */ | 2123 | /* drop conntrack reference */ |
| 2124 | nf_reset(skb); | 2124 | nf_reset_ct(skb); |
| 2125 | 2125 | ||
| 2126 | spin_lock(&sk->sk_receive_queue.lock); | 2126 | spin_lock(&sk->sk_receive_queue.lock); |
| 2127 | po->stats.stats1.tp_packets++; | 2127 | po->stats.stats1.tp_packets++; |
diff --git a/net/sctp/input.c b/net/sctp/input.c index 1008cdc44dd6..5a070fb5b278 100644 --- a/net/sctp/input.c +++ b/net/sctp/input.c | |||
| @@ -201,7 +201,7 @@ int sctp_rcv(struct sk_buff *skb) | |||
| 201 | 201 | ||
| 202 | if (!xfrm_policy_check(sk, XFRM_POLICY_IN, skb, family)) | 202 | if (!xfrm_policy_check(sk, XFRM_POLICY_IN, skb, family)) |
| 203 | goto discard_release; | 203 | goto discard_release; |
| 204 | nf_reset(skb); | 204 | nf_reset_ct(skb); |
| 205 | 205 | ||
| 206 | if (sk_filter(sk, skb)) | 206 | if (sk_filter(sk, skb)) |
| 207 | goto discard_release; | 207 | goto discard_release; |
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c index 6088bc2dc11e..9b599ed66d97 100644 --- a/net/xfrm/xfrm_input.c +++ b/net/xfrm/xfrm_input.c | |||
| @@ -706,7 +706,7 @@ resume: | |||
| 706 | if (err) | 706 | if (err) |
| 707 | goto drop; | 707 | goto drop; |
| 708 | 708 | ||
| 709 | nf_reset(skb); | 709 | nf_reset_ct(skb); |
| 710 | 710 | ||
| 711 | if (decaps) { | 711 | if (decaps) { |
| 712 | sp = skb_sec_path(skb); | 712 | sp = skb_sec_path(skb); |
diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c index 2ab4859df55a..0f5131bc3342 100644 --- a/net/xfrm/xfrm_interface.c +++ b/net/xfrm/xfrm_interface.c | |||
| @@ -185,7 +185,7 @@ static void xfrmi_scrub_packet(struct sk_buff *skb, bool xnet) | |||
| 185 | skb->skb_iif = 0; | 185 | skb->skb_iif = 0; |
| 186 | skb->ignore_df = 0; | 186 | skb->ignore_df = 0; |
| 187 | skb_dst_drop(skb); | 187 | skb_dst_drop(skb); |
| 188 | nf_reset(skb); | 188 | nf_reset_ct(skb); |
| 189 | nf_reset_trace(skb); | 189 | nf_reset_trace(skb); |
| 190 | 190 | ||
| 191 | if (!xnet) | 191 | if (!xnet) |
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c index 9499b35feb92..b1db55b50ba1 100644 --- a/net/xfrm/xfrm_output.c +++ b/net/xfrm/xfrm_output.c | |||
| @@ -502,7 +502,7 @@ int xfrm_output_resume(struct sk_buff *skb, int err) | |||
| 502 | struct net *net = xs_net(skb_dst(skb)->xfrm); | 502 | struct net *net = xs_net(skb_dst(skb)->xfrm); |
| 503 | 503 | ||
| 504 | while (likely((err = xfrm_output_one(skb, err)) == 0)) { | 504 | while (likely((err = xfrm_output_one(skb, err)) == 0)) { |
| 505 | nf_reset(skb); | 505 | nf_reset_ct(skb); |
| 506 | 506 | ||
| 507 | err = skb_dst(skb)->ops->local_out(net, skb->sk, skb); | 507 | err = skb_dst(skb)->ops->local_out(net, skb->sk, skb); |
| 508 | if (unlikely(err != 1)) | 508 | if (unlikely(err != 1)) |
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 21e939235b39..f2d1e573ea55 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c | |||
| @@ -2808,7 +2808,7 @@ static void xfrm_policy_queue_process(struct timer_list *t) | |||
| 2808 | continue; | 2808 | continue; |
| 2809 | } | 2809 | } |
| 2810 | 2810 | ||
| 2811 | nf_reset(skb); | 2811 | nf_reset_ct(skb); |
| 2812 | skb_dst_drop(skb); | 2812 | skb_dst_drop(skb); |
| 2813 | skb_dst_set(skb, dst); | 2813 | skb_dst_set(skb, dst); |
| 2814 | 2814 | ||