tcp: disable repair mode for sockets on rollback (v2)

Currently if a network namespace is dumped and something fails, sockets
remain in repair mode. It's because cpt_unlock_tcp_connections is
executed only if network namespace is not dumped.

cpt_unlock_tcp_connections disables repair mode for sockets and drops
netfilters. netfilters are not used in case of network namespaces.

v2: don't execute network-unlock scripts, if network namespace are not
    dumped.
Signed-off-by: Andrey Vagin <avagin@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>

net.c

@@ -585,14 +585,11 @@ void network_unlock(void)
 {
 	pr_info("Unlock network\n");
 
-	if  (!(current_ns_mask & CLONE_NEWNET)) {
-		cpt_unlock_tcp_connections();
-		rst_unlock_tcp_connections();
+	cpt_unlock_tcp_connections();
+	rst_unlock_tcp_connections();
 
-		return;
-	}
-
-	run_scripts("network-unlock");
+	if (current_ns_mask & CLONE_NEWNET)
+		run_scripts("network-unlock");
 }
 
 struct ns_desc net_ns_desc = NS_DESC_ENTRY(CLONE_NEWNET, "net");

sk-tcp.c

@@ -154,9 +154,11 @@ static void tcp_unlock_one(struct inet_sk_desc *sk)
 
 	list_del(&sk->rlist);
 
-	ret = nf_unlock_connection(sk);
-	if (ret < 0)
-		pr_perror("Failed to unlock TCP connection");
+	if (!(current_ns_mask & CLONE_NEWNET)) {
+		ret = nf_unlock_connection(sk);
+		if (ret < 0)
+			pr_perror("Failed to unlock TCP connection");
+	}
 
 	tcp_repair_off(sk->rfd);
 
@@ -648,6 +650,10 @@ void rst_unlock_tcp_connections(void)
 {
 	struct inet_sk_info *ii;
 
+	/* Network will be unlocked by network-unlock scripts */
+	if (current_ns_mask & CLONE_NEWNET)
+		return;
+
 	list_for_each_entry(ii, &rst_tcp_repair_sockets, rlist)
 		nf_unlock_connection_info(ii);
 }