tcp: disable repair mode for sockets on rollback (v2)

Currently if a network namespace is dumped and something fails, sockets
remain in repair mode. It's because cpt_unlock_tcp_connections is
executed only if network namespace is not dumped.

cpt_unlock_tcp_connections disables repair mode for sockets and drops
netfilters. netfilters are not used in case of network namespaces.

v2: don't execute network-unlock scripts, if network namespace are not
    dumped.
Signed-off-by: Andrey Vagin <avagin@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>

net.c

@@ -585,13 +585,10 @@ void network_unlock(void)
 {
 	pr_info("Unlock network\n");
 
-	if  (!(current_ns_mask & CLONE_NEWNET)) {
 	cpt_unlock_tcp_connections();
 	rst_unlock_tcp_connections();
 
-		return;
-	}
-
+	if (current_ns_mask & CLONE_NEWNET)
 		run_scripts("network-unlock");
 }
 

sk-tcp.c

@@ -154,9 +154,11 @@ static void tcp_unlock_one(struct inet_sk_desc *sk)
 
 	list_del(&sk->rlist);
 
+	if (!(current_ns_mask & CLONE_NEWNET)) {
 		ret = nf_unlock_connection(sk);
 		if (ret < 0)
 			pr_perror("Failed to unlock TCP connection");
+	}
 
 	tcp_repair_off(sk->rfd);
 
@@ -648,6 +650,10 @@ void rst_unlock_tcp_connections(void)
 {
 	struct inet_sk_info *ii;
 
+	/* Network will be unlocked by network-unlock scripts */
+	if (current_ns_mask & CLONE_NEWNET)
+		return;
+
 	list_for_each_entry(ii, &rst_tcp_repair_sockets, rlist)
 		nf_unlock_connection_info(ii);
 }