Flag bits are part of ABI as they're exposed to userspace. Upcoming patch will introduce kernel-only flag that we might want to remove again in the future, so only expose the whitelisted ones (i.e, all the flags we currently have). Suggested-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> Signed-off-by: Florian Westphal <fw@xxxxxxxxx> --- net/netfilter/nf_conntrack_netlink.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index ccc46fa..66d8e15 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -130,12 +130,14 @@ ctnetlink_dump_tuples(struct sk_buff *skb, static inline int ctnetlink_dump_status(struct sk_buff *skb, const struct nf_conn *ct) { - if (nla_put_be32(skb, CTA_STATUS, htonl(ct->status))) - goto nla_put_failure; - return 0; - -nla_put_failure: - return -1; + static const u32 public_flag_mask = IPS_EXPECTED | + IPS_SEEN_REPLY | IPS_ASSURED | IPS_CONFIRMED | + IPS_NAT_MASK | IPS_SEQ_ADJUST | IPS_NAT_DONE_MASK | + IPS_DYING | IPS_FIXED_TIMEOUT | IPS_TEMPLATE | + IPS_UNTRACKED | IPS_HELPER; + + return nla_put_be32(skb, CTA_STATUS, + htonl(ct->status & public_flag_mask)); } static inline int -- 1.8.1.5 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
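Review bot: in the ctnetlink_dump_status() hunk the error return changes from a hard-coded -1 (via the removed nla_put_failure label) to whatever nla_put_be32() returns, which is 0 on success and -EMSGSIZE on failure, so any caller that compares the result against -1 instead of testing `< 0` would now miss a failed put; worth confirming that every call site in this file does `if (ctnetlink_dump_status(skb, ct) < 0) goto nla_put_failure;` before relying on the simplification. Separately, public_flag_mask is spelled out as a literal OR of twelve IPS_* values inside the .c file, far from the enum that defines them, so the next userspace-visible flag added to the uapi header will silently be filtered out of CTA_STATUS unless its author remembers this function; defining the mask next to the enum (a single IPS_*_MASK-style macro, exact name left to taste) and referencing it here would keep the two in step, and a one-line comment above the mask stating that kernel-only bits are deliberately withheld from userspace would put the rationale from the commit message where the next reader will actually see it.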