@@ -130,12 +130,14 @@ ctnetlink_dump_tuples(struct sk_buff *skb,
static inline int
ctnetlink_dump_status(struct sk_buff *skb, const struct nf_conn *ct)
{
- if (nla_put_be32(skb, CTA_STATUS, htonl(ct->status)))
- goto nla_put_failure;
- return 0;
-
-nla_put_failure:
- return -1;
+ static const u32 public_flag_mask = IPS_EXPECTED |
+ IPS_SEEN_REPLY | IPS_ASSURED | IPS_CONFIRMED |
+ IPS_NAT_MASK | IPS_SEQ_ADJUST | IPS_NAT_DONE_MASK |
+ IPS_DYING | IPS_FIXED_TIMEOUT | IPS_TEMPLATE |
+ IPS_UNTRACKED | IPS_HELPER;
+
+ return nla_put_be32(skb, CTA_STATUS,
+ htonl(ct->status & public_flag_mask));
}
static inline int
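Review bot: The whitelist in `public_flag_mask` duplicates the userspace-visible IPS_* set by hand, so a new public flag added to the uapi enum later would be silently stripped from CTA_STATUS unless this mask is updated in the same change; a comment above the definition should make that maintenance rule explicit, e.g. `/* Only these IPS_* bits are userspace ABI; kernel-internal bits are masked out of CTA_STATUS. Extend this list whenever a new userspace-visible flag is added. */`. The function's failure value also changes: the old code returned -1 on nla_put failure, while the new body returns whatever nla_put_be32() returns, so any caller that compared against -1 rather than `< 0` would now misbehave; the callers are outside this hunk and would need checking. The `static const u32` truncates `ct->status` before the htonl(), which is consistent with the previous unconditional htonl() of the same field, so no new bits are lost relative to the old behaviour.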
Flag bits are part of the ABI as they're exposed to userspace. An upcoming patch will introduce a kernel-only flag that we might want to remove again in the future, so only expose the whitelisted ones (i.e., all the flags we currently have). Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de> --- net/netfilter/nf_conntrack_netlink.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-)