extensions: libxt_CONNMARK: incorrect translation after v2

src: iptables-translate -t mangle -A PREROUTING -j CONNMARK --set-mark 0
exp: nft add rule ip mangle PREROUTING counter ct mark set 0x0
res: nft add rule ip mangle PREROUTING counter ct mark set ct mark and 0x0

Fixes: db7b4e0de960 ("extensions: libxt_CONNMARK: Support bit-shifting for --restore,set and save-mark")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 3 insertions, 3 deletions

diff --git a/extensions/libxt_CONNMARK.c b/extensions/libxt_CONNMARK.c
index 2532563d..21e10913 100644
--- a/extensions/libxt_CONNMARK.c
+++ b/extensions/libxt_CONNMARK.c
@@ -600,7 +600,9 @@ static int connmark_tg_xlate_v2(struct xt_xlate *xl,
 	switch (info->mode) {
 	case XT_CONNMARK_SET:
 		xt_xlate_add(xl, "ct mark set ");
-		if (info->ctmark == 0)
+		if (info->ctmask == 0xFFFFFFFFU)
+			xt_xlate_add(xl, "0x%x ", info->ctmark);
+		else if (info->ctmark == 0)
 			xt_xlate_add(xl, "ct mark and 0x%x", ~info->ctmask);
 		else if (info->ctmark == info->ctmask)
 			xt_xlate_add(xl, "ct mark or 0x%x",
@@ -608,8 +610,6 @@ static int connmark_tg_xlate_v2(struct xt_xlate *xl,
 		else if (info->ctmask == 0)
 			xt_xlate_add(xl, "ct mark xor 0x%x",
 				     info->ctmark);
-		else if (info->ctmask == 0xFFFFFFFFU)
-			xt_xlate_add(xl, "0x%x ", info->ctmark);
 		else
 			xt_xlate_add(xl, "ct mark xor 0x%x and 0x%x",
 				     info->ctmark, ~info->ctmask);