| field | value | date |
|---|---|---|
| author | Florian Westphal <fw@strlen.de> | 2018-02-19 12:30:45 +0100 |
| committer | Florian Westphal <fw@strlen.de> | 2018-02-20 12:44:12 +0100 |
| commit | 043da5b959296af7e664e8a36af606ee2609a64c | |
| tree | cb88266799076617c111c7afe671a1db29b8777b /extensions/libxt_TRACE.c | |
| parent | a93b5021ae85940803a890e1dc4a2ba3d6a6f37c | |
extensions: connmark: remove non-working translation
... and return 0 so the output reflects that no translation was performed.
iptables-translate -A I -j CONNMARK --save-mark --mask 0xff
nft # -A I -j CONNMARK --save-mark --mask 0xff
The translation that was performed:
nft add rule ip mangle PREROUTING counter meta mark set ct mark and 0xff
will clear (zero) most bits:
[ meta load mark => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x000000ff ) ^ 0x00000000 ]
[ ct set mark with reg 1 ]
The xtables module however does this:
newmark = (ct->mark & ~info->ctmask) ^
(skb->mark & info->nfmask);
I.e., for the ctmark the mask defines what to clear,
for the nfmark what to keep; i.e. we're supposed to only alter the lower
bits of the ctmark.
nftables can't do this at the moment because bitwise operator RHS
requires immediate values.
The same is true for 'restore'.
Signed-off-by: Florian Westphal <fw@strlen.de>
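The following is an added example, not code from iptables, nftables or the commit above. It models the two computations the commit message contrasts: the xtables formula is the one quoted from the module, and the translation is modelled from the quoted nft bytecode (load the packet mark, AND it with the immediate mask, store the result into the ct mark). The function names and the sample mark values are the example's own; it also assumes, as stated in its comments, that `--mask` fills both `ctmask` and `nfmask` with the same value.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example (not code from iptables or nftables). Function names are
 * the example's own. xt_connmark_save() implements the formula quoted in
 * the commit message; nft_translated_save() implements what the quoted
 * nft bytecode does.
 */

/* xt_CONNMARK --save-mark as the kernel module computes it:
 * ctmark bits selected by ctmask are replaced, the rest are kept. */
uint32_t xt_connmark_save(uint32_t ctmark, uint32_t nfmark,
                          uint32_t ctmask, uint32_t nfmask)
{
    /* With ctmask == nfmask the two operands have disjoint bits, so ^ acts as | */
    return (ctmark & ~ctmask) ^ (nfmark & nfmask);
}

/* --restore-mark: the mirror image, writing into the packet mark. */
uint32_t xt_connmark_restore(uint32_t nfmark, uint32_t ctmark,
                             uint32_t nfmask, uint32_t ctmask)
{
    return (nfmark & ~nfmask) ^ (ctmark & ctmask);
}

/* The removed translation: the old ctmark never enters the computation,
 * so every ctmark bit outside the mask is zeroed. */
uint32_t nft_translated_save(uint32_t nfmark, uint32_t mask)
{
    return nfmark & mask;
}

/* The same defect for 'restore': packet mark bits outside the mask are lost. */
uint32_t nft_translated_restore(uint32_t ctmark, uint32_t mask)
{
    return ctmark & mask;
}

/* The translation only coincides with the module when the destination mark
 * has no bits set outside the mask. Returns 1 if the two agree.
 * Assumption of this example: --mask MASK sets ctmask == nfmask == MASK. */
int translated_save_is_faithful(uint32_t ctmark, uint32_t nfmark, uint32_t mask)
{
    return xt_connmark_save(ctmark, nfmark, mask, mask)
           == nft_translated_save(nfmark, mask);
}

int main(void)
{
    /* Constructed sample marks: the ctmark carries state in its upper bits,
     * the packet mark carries a small value in the low byte. */
    uint32_t ctmark = 0xdeadbe12u, nfmark = 0x000000abu, mask = 0xffu;

    printf("xtables  save: 0x%08x\n", xt_connmark_save(ctmark, nfmark, mask, mask));
    printf("nft xlat save: 0x%08x\n", nft_translated_save(nfmark, mask));
    printf("faithful: %d\n", translated_save_is_faithful(ctmark, nfmark, mask));
    return 0;
}
```

Run against the sample marks, the module keeps 0xdeadbe00 and merges in 0xab, while the translated rule leaves only 0xab, which is exactly the "clear (zero) most bits" behaviour the message describes. The two only agree when the ctmark already has nothing set outside the mask.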
Diffstat (limited to 'extensions/libxt_TRACE.c')
0 files changed, 0 insertions, 0 deletions