@@ -26,6 +26,7 @@ enum {
enum {
TC_CT_COMMIT,
TC_CT_FORCE,
+ TC_CT_CLEAR,
__TC_CT_MAX
};
#define TC_CT_MAX (__TC_CT_MAX - 1)
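Review bot: Nothing visible in this patch rejects `TC_CT_CLEAR` when it is combined with `TC_CT_COMMIT` or `TC_CT_FORCE`, although the description calls the flags mutually exclusive. The diffstat's 14 insertions are fully accounted for by this enum line and the datapath changes in act_ct.c, so the flag word supplied from userspace appears to reach `tcf_ct_act()` unchecked unless validation happens elsewhere. I would add the rejection to the action's parse/init path in the same patch and document the contract on the enum, e.g. `TC_CT_CLEAR, /* drop the skb's conntrack reference; must not be combined with other flags */`.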
@@ -196,6 +196,18 @@ static int tcf_ct_act(struct sk_buff *skb, const struct tc_action *a,
if (unlikely(action == TC_ACT_SHOT))
goto drop;
+ if (flags & BIT(TC_CT_CLEAR)) {
+ new_ct = nf_ct_get(skb, &ctinfo);
+ if (new_ct) {
+ if (nf_ct_is_confirmed(new_ct))
+ nf_ct_delete(new_ct, 0, 0);
+
+ nf_conntrack_put(&new_ct->ct_general);
+ nf_ct_set(skb, NULL, IP_CT_UNTRACKED);
+ goto out;
+ }
+ }
+
/* FIXME: For when we support cloning the packet
orig_skb = skb;
skb = skb_clone(orig_skb, GFP_ATOMIC);
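Review bot: When the skb carries no conntrack entry, `nf_ct_get()` returns NULL and the `goto out;` inside `if (new_ct)` is skipped, so a clear action falls through into the regular tracking path below instead of returning. The jump should sit after the closing brace of `if (new_ct)`, so that the outer block always ends in `goto out;`. Separately, `nf_ct_delete(new_ct, 0, 0)` on a confirmed entry removes the connection from the table for every later packet of that flow, which is more than the description's "drop the reference and return". Because one matching packet would then tear down established state that stateful policy may rely on, either drop those two lines or justify them in a comment and in the description. `tcf_ct_act()` starts and ends outside this hunk.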
@@ -257,6 +269,7 @@ static int tcf_ct_act(struct sk_buff *skb, const struct tc_action *a,
skb_push(skb, nh_ofs);
skb_postpush_rcsum(skb, skb->data, nh_ofs);
+out:
return TC_ACT_PIPE;
drop:
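Review bot: The `out:` label lands after `skb_push()` and `skb_postpush_rcsum()`, so the clear path returns without running them. That is only correct if the `goto out` in the clear branch executes before the matching network-header pull, which is not visible in this hunk. A one-line comment on the label, such as `/* clear path jumps here before any skb_pull(), so no push is needed */`, would keep a later reordering from leaving the skb data pointer unbalanced. A more specific label name like `out_clear` would also make the single caller obvious.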
OvS ct action supports a 'clear' flag: it removes any ConnTrack marking in the packet. Implement it similarly here: drop the reference and return. Note that the packet is also marked as UNTRACKED. Yes, parsing should ensure that clear is not used with any other flags as they are mutually exclusive. Signed-off-by: Marcelo Ricardo Leitner <mleitner@redhat.com> --- include/uapi/linux/tc_act/tc_ct.h | 1 + net/sched/act_ct.c | 13 +++++++++++++ 2 files changed, 14 insertions(+)