Drop the early nf_reset() call in ip_input(), so that SOCKET hook matches and targets can make use of packet state information via conntrack. I've not been able to establish that this can cause the ip_conntrack module to be loaded indefinitely (perhaps it used to be the case some years ago?). This is essential for making real use of the SOCKET hook, as much of the time we want rules for established and related packets.