Patchwork [3.5.y.z,extended,stable] Patch "netfilter: don't reset nf_trace in nf_reset()" has been added to staging queue

Submitter Luis Henriques
Date May 1, 2013, 11:34 p.m.
Message ID <>
Permalink /patch/240852/
State New


Luis Henriques - May 1, 2013, 11:34 p.m.
This is a note to let you know that I have just added a patch titled

    netfilter: don't reset nf_trace in nf_reset()

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see



From 584352ff677c8f7457c2bdc1823fe2f3c042f034 Mon Sep 17 00:00:00 2001
From: Patrick McHardy <>
Date: Fri, 5 Apr 2013 20:42:05 +0200
Subject: [PATCH] netfilter: don't reset nf_trace in nf_reset()

commit 124dff01afbdbff251f0385beca84ba1b9adda68 upstream.

Commit 130549fe ("netfilter: reset nf_trace in nf_reset") added code
to reset nf_trace in nf_reset(). This is wrong and unnecessary.

nf_reset() is used in the following cases:

- when passing packets up the socket layer, at which point we want to
  release all netfilter references that might keep modules pinned while
  the packet is queued. nf_trace doesn't matter anymore at this point.

- when encapsulating or decapsulating IPsec packets. We want to continue
  tracing these packets after IPsec processing.

- when passing packets through virtual network devices. Only devices
  that encapsulate in IPv4/v6 matter since otherwise nf_trace is not
  used anymore. It's not entirely clear whether those packets should
  be traced after that, however we've always done that.

- when passing packets through virtual network devices that make the
  packet cross network namespace boundaries. This is the only case
  where we clearly want to reset nf_trace and is also what the
  original patch intended to fix.

Add a new function nf_reset_trace() and use it in dev_forward_skb() to
fix this properly.

Signed-off-by: Patrick McHardy <>
Signed-off-by: David S. Miller <>
[ luis: adjust context ]
Signed-off-by: Luis Henriques <>
 include/linux/skbuff.h | 7 +++++++
 net/core/dev.c         | 1 +
 2 files changed, 8 insertions(+)



diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 5af4bef..e1c1e64 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -2404,6 +2404,13 @@  static inline void nf_reset(struct sk_buff *skb)

+static inline void nf_reset_trace(struct sk_buff *skb)
+	skb->nf_trace = 0;
 /* Note: This doesn't put any conntrack and bridge info in dst. */
 static inline void __nf_copy(struct sk_buff *dst, const struct sk_buff *src)
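Review bot: the skbuff.h hunk only adds nf_reset_trace() and never removes the nf_trace reset from nf_reset() that the commit message calls "wrong and unnecessary"; the diffstat confirms this with "8 insertions(+)" and no deletions. If commit 130549fe is present in linux-3.5.y, nf_reset() will keep clearing nf_trace on the IPsec and non-namespace-crossing paths this patch is meant to preserve, and the new helper only duplicates that reset in dev_forward_skb(); if 130549fe is not in 3.5.y, the backport is harmless but the subject line does not describe what it does for this tree. Please state in the "[ luis: adjust context ]" note which of the two applies. Separately, as rendered the hunk shows just two `+` lines for a function with no braces, although the header and diffstat count seven insertions for this file, so the body (and any preprocessor guard matching the one around the nf_trace field declaration) should be checked against the mbox rather than this view.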
diff --git a/net/core/dev.c b/net/core/dev.c
index 845a83a..196bc5f 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1627,6 +1627,7 @@  int dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
 	skb->mark = 0;
+	nf_reset_trace(skb);
 	return netif_rx(skb);
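Review bot: a one-line comment above `nf_reset_trace(skb);` saying that the trace flag is cleared here because dev_forward_skb() is the path where packets cross network namespace boundaries (the one case the commit message says should lose nf_trace) would keep a future reader from folding this back into nf_reset(); the placement right after `skb->mark = 0;`, alongside the other per-namespace state being cleared, is otherwise consistent with the stated intent.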