netfilter: nf_tables: hide clash bit from userspace

JIRA: https://issues.redhat.com/browse/RHEL-106441
Upstream Status: commit 6ac86ac

commit 6ac86ac
Author: Florian Westphal <fw@strlen.de>
Date:   Mon Jul 7 22:32:44 2025 +0200

    netfilter: nf_tables: hide clash bit from userspace

    Its a kernel implementation detail, at least at this time:

    We can later decide to revert this patch if there is a compelling
    reason, but then we should also remove the ifdef that prevents exposure
    of ip_conntrack_status enum IPS_NAT_CLASH value in the uapi header.

    Clash entries are not included in dumps (true for both old /proc
    and ctnetlink) either.  So for now exclude the clash bit when dumping.

    Fixes: 7e5c6aa ("netfilter: nf_tables: add packets conntrack state to debug trace info")
    Link: https://lore.kernel.org/netfilter-devel/aGwf3dCggwBlRKKC@strlen.de/
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Florian Westphal <fwestpha@redhat.com>

Author: fw-strlen

net/netfilter/nf_tables_trace.c

@@ -127,6 +127,9 @@ static int nf_trace_fill_ct_info(struct sk_buff *nlskb,
 		if (nla_put_be32(nlskb, NFTA_TRACE_CT_ID, (__force __be32)id))
 			return -1;
 
+		/* Kernel implementation detail, withhold this from userspace for now */
+		status &= ~IPS_NAT_CLASH;
+
 		if (status && nla_put_be32(nlskb, NFTA_TRACE_CT_STATUS, htonl(status)))
 			return -1;
 	}