@@ -196,16 +196,19 @@ static int tcf_ct_act(struct sk_buff *skb, const struct tc_action *a,
if (unlikely(action == TC_ACT_SHOT))
goto drop;
- if (flags & BIT(TC_CT_CLEAR)) {
- new_ct = nf_ct_get(skb, &ctinfo);
- if (new_ct) {
- if (nf_ct_is_confirmed(new_ct))
- nf_ct_delete(new_ct, 0, 0);
+ new_ct = nf_ct_get(skb, &ctinfo);
+ if (new_ct) {
+ if (nf_ct_is_confirmed(new_ct))
+ nf_ct_delete(new_ct, 0, 0);
- nf_conntrack_put(&new_ct->ct_general);
+ nf_conntrack_put(&new_ct->ct_general);
+
+ if (flags & BIT(TC_CT_CLEAR)) {
nf_ct_set(skb, NULL, IP_CT_UNTRACKED);
goto out;
}
+
+ nf_ct_set(skb, NULL, 0);
}
/* FIXME: For when we support cloning the packet
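Review bot: The `nf_ct_delete(new_ct, 0, 0)` call at the top of the new `if (new_ct)` block now runs for every packet that reaches act_ct with a confirmed conntrack attached, not only when TC_CT_CLEAR is set. Detaching the entry from the skb needs only `nf_conntrack_put()` plus `nf_ct_set(skb, NULL, 0)`; deleting it also removes the tracked state of the earlier flow (for example the outer tunnel flow) from the table, so a later packet of that flow would presumably be classified as new again and any policy matching on its established state would stop applying. If that is not intended, gate the delete on the flag, `if ((flags & BIT(TC_CT_CLEAR)) && nf_ct_is_confirmed(new_ct))`, or drop it from the re-entry path and document the choice in a comment. Separately, the TC_CT_CLEAR check sits inside `if (new_ct)`, so a clear action on a packet with no conntrack attached appears to fall through to the normal lookup path instead of reaching `goto out`. tcf_ct_act starts and ends outside this hunk, so the fall-through target is not visible here.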
@@ -218,7 +221,6 @@ static int tcf_ct_act(struct sk_buff *skb, const struct tc_action *a,
skb_pull_rcsum(skb, nh_ofs);
/* FIXME: OvS trims the packet here. Should we? */
- /* FIXME: Need to handle multiple calls to CT action here. */
if (ct)
nf_ct_set(skb, ct, IP_CT_NEW);
The first time it may use conntrack to track the tunnel information, then jump into another chain, and go through conntrack again so that the inner header is tracked. This commit clears previous conntrack info if any so that we can submit it to conntrack again. Header offsets are supposed to be updated by the decapsulating action. The main difference from just adding another act_ct(clear) action is that the clear flag also sets the UNTRACKED mark in the packet (like OvS does). Signed-off-by: Marcelo Ricardo Leitner <mleitner@redhat.com> --- net/sched/act_ct.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-)