netfilter: nf_tables: hide clash bit from userspace

Florian Westphal · ummakynes · commit 6ac86ac74e3a · 2025-07-14T15:22:35.000+02:00
Its a kernel implementation detail, at least at this time: We can later decide to revert this patch if there is a compelling reason, but then we should also remove the ifdef that prevents exposure of ip_conntrack_status enum IPS_NAT_CLASH value in the uapi header. Clash entries are not included in dumps (true for both old /proc and ctnetlink) either. So for now exclude the clash bit when dumping. Fixes: 7e5c6aa ("netfilter: nf_tables: add packets conntrack state to debug trace info") Link: https://lore.kernel.org/netfilter-devel/aGwf3dCggwBlRKKC@strlen.de/ Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
diff --git a/net/netfilter/nf_tables_trace.c b/net/netfilter/nf_tables_trace.c
@@ -127,6 +127,9 @@ static int nf_trace_fill_ct_info(struct sk_buff *nlskb,
 		if (nla_put_be32(nlskb, NFTA_TRACE_CT_ID, (__force __be32)id))
 			return -1;
 
+		/* Kernel implementation detail, withhold this from userspace for now */
+		status &= ~IPS_NAT_CLASH;
+
 		if (status && nla_put_be32(nlskb, NFTA_TRACE_CT_STATUS, htonl(status)))
 			return -1;
 	}

Original file line number	Diff line number	Diff line change
`@@ -127,6 +127,9 @@ static int nf_trace_fill_ct_info(struct sk_buff *nlskb,`
`127`	`127`	`if (nla_put_be32(nlskb, NFTA_TRACE_CT_ID, (__force __be32)id))`
`128`	`128`	`return -1;`
`129`	`129`
	`130`	`+ /* Kernel implementation detail, withhold this from userspace for now */`
	`131`	`+ status &= ~IPS_NAT_CLASH;`
	`132`	`+`
`130`	`133`	`if (status && nla_put_be32(nlskb, NFTA_TRACE_CT_STATUS, htonl(status)))`
`131`	`134`	`return -1;`
`132`	`135`	`}`