author | Florian Westphal <fw@strlen.de> | 2023-11-07 12:15:40 +0100 |
---|---|---|
committer | Phil Sutter <phil@nwl.cc> | 2023-11-07 23:40:14 +0100 |
commit | a3ae0dc4b34046e0d7893841e86b93c4c010632f (patch) | |
tree | 36aaee979fcb94cd57b932773d376356e0648bfa | |
parent | 50f40b2c05e11ab0276b2dd6d860855968358bb5 (diff) |
extensions: MARK: fix arptables support
arptables "--set-mark" is really just "--or-mark".
This bug is also in arptables-legacy.
Fix this and add test cases.
Note that the test for "16" vs. "0x16" is intentional:
the arptables parser is buggy and always uses "%x".
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
-rw-r--r-- | extensions/libxt_MARK.c | 2 | ||||
-rw-r--r-- | extensions/libxt_MARK.txlate | 9 |
2 files changed, 11 insertions, 0 deletions
diff --git a/extensions/libxt_MARK.c b/extensions/libxt_MARK.c
index 100f6a38..d6eacfcb 100644
--- a/extensions/libxt_MARK.c
+++ b/extensions/libxt_MARK.c
@@ -290,6 +290,7 @@ mark_tg_arp_parse(int c, char **argv, int invert, unsigned int *flags,
 return 0;
 }
 info->mark = i;
+ info->mask = 0xffffffffU;
 if (*flags)
 xtables_error(PARAMETER_PROBLEM,
 "MARK: Can't specify --set-mark twice");
@@ -430,6 +431,7 @@ static struct xtables_target mark_tg_reg[] = {
 .save = mark_tg_arp_save,
 .parse = mark_tg_arp_parse,
 .extra_opts = mark_tg_arp_opts,
+ .xlate = mark_tg_xlate,
 },
 };
diff --git a/extensions/libxt_MARK.txlate b/extensions/libxt_MARK.txlate
index 36ee7a3b..cef8239a 100644
--- a/extensions/libxt_MARK.txlate
+++ b/extensions/libxt_MARK.txlate
@@ -24,3 +24,12 @@ nft 'add rule ip mangle PREROUTING counter meta mark set mark and 0x64'
 iptables-translate -t mangle -A PREROUTING -j MARK --or-mark 0x64
 nft 'add rule ip mangle PREROUTING counter meta mark set mark or 0x64'
+
+arptables-translate -A OUTPUT -j MARK --set-mark 0x4
+nft 'add rule arp filter OUTPUT arp htype 1 arp hlen 6 arp plen 4 counter meta mark set 0x4'
+
+arptables-translate -I OUTPUT -o odev -j MARK --and-mark 0x8
+nft 'insert rule arp filter OUTPUT oifname "odev" arp htype 1 arp hlen 6 arp plen 4 counter meta mark set mark and 0x8'
+
+arptables-translate -t mangle -A OUTPUT -o odev -j MARK --or-mark 16
+nft 'add rule arp mangle OUTPUT oifname "odev" arp htype 1 arp hlen 6 arp plen 4 counter meta mark set mark or 0x16'
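Review bot: The new `info->mask = 0xffffffffU;` in the --set-mark branch of mark_tg_arp_parse carries no comment saying why a full mask is what makes this a "set" rather than the OR-like behaviour the commit message describes, and the sibling --and-mark/--or-mark cases of that parser lie outside the hunk, so whether they populate mask consistently cannot be checked here. A one-line why-comment would keep the intent from being lost on the next edit: `/* full mask: --set-mark replaces the whole mark; with mask left 0 it behaved like --or-mark (see commit message) */`. mark_tg_arp_parse begins before the hunk and the parsing of `i` from argv is out of view, so its range checking is not reviewed here. The second hunk registering `.xlate = mark_tg_xlate` for the arp target presumably relies on that function reading the same mark/mask layout this hunk writes, which matches the expectations added to libxt_MARK.txlate but is not visible in this diff.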