diff options
| author | Florian Westphal <fw@strlen.de> | 2018-02-19 10:57:18 +0100 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2018-02-20 12:44:06 +0100 |
| commit | a93b5021ae85940803a890e1dc4a2ba3d6a6f37c (patch) | |
| tree | 754d38f67860b299068d636d540f5346a3ba961c /extensions | |
| parent | 577b7e20c2af1e6ea2bbe72e0c01802334fa4069 (diff) | |
extensions: prefer plain 'set' over 'set mark and'
adding a test case for MARK --set-mark 0 fails with
exp: nft add rule ip mangle OUTPUT counter meta mark set 0x0
res: nft add rule ip mangle OUTPUT counter meta mark set mark and 0x0
This translation isn't wrong, but unneccessarily complex, so
change order to first check if mask bits are all ones.
In that case we can simply use an immediate value without
need for logical operators.
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'extensions')
| -rw-r--r-- | extensions/libxt_CONNMARK.c | 6 | ||||
| -rw-r--r-- | extensions/libxt_CONNMARK.txlate | 3 | ||||
| -rw-r--r-- | extensions/libxt_MARK.c | 6 | ||||
| -rw-r--r-- | extensions/libxt_MARK.txlate | 3 |
4 files changed, 12 insertions, 6 deletions
diff --git a/extensions/libxt_CONNMARK.c b/extensions/libxt_CONNMARK.c index f60be583..c7933464 100644 --- a/extensions/libxt_CONNMARK.c +++ b/extensions/libxt_CONNMARK.c @@ -356,7 +356,9 @@ static int connmark_tg_xlate(struct xt_xlate *xl, switch (info->mode) { case XT_CONNMARK_SET: xt_xlate_add(xl, "ct mark set "); - if (info->ctmark == 0) + if (info->ctmask == 0xFFFFFFFFU) + xt_xlate_add(xl, "0x%x ", info->ctmark); + else if (info->ctmark == 0) xt_xlate_add(xl, "ct mark and 0x%x", ~info->ctmask); else if (info->ctmark == info->ctmask) xt_xlate_add(xl, "ct mark or 0x%x", @@ -364,8 +366,6 @@ static int connmark_tg_xlate(struct xt_xlate *xl, else if (info->ctmask == 0) xt_xlate_add(xl, "ct mark xor 0x%x", info->ctmark); - else if (info->ctmask == 0xFFFFFFFFU) - xt_xlate_add(xl, "0x%x ", info->ctmark); else xt_xlate_add(xl, "ct mark xor 0x%x and 0x%x", info->ctmark, ~info->ctmask); diff --git a/extensions/libxt_CONNMARK.txlate b/extensions/libxt_CONNMARK.txlate index 62321be1..a47cbb2b 100644 --- a/extensions/libxt_CONNMARK.txlate +++ b/extensions/libxt_CONNMARK.txlate @@ -1,3 +1,6 @@ +iptables-translate -t mangle -A PREROUTING -j CONNMARK --set-mark 0 +nft add rule ip mangle PREROUTING counter ct mark set 0x0 + iptables-translate -t mangle -A PREROUTING -j CONNMARK --set-mark 0x16 nft add rule ip mangle PREROUTING counter ct mark set 0x16 diff --git a/extensions/libxt_MARK.c b/extensions/libxt_MARK.c index 12b1695e..5c6186fe 100644 --- a/extensions/libxt_MARK.c +++ b/extensions/libxt_MARK.c @@ -252,14 +252,14 @@ static int mark_tg_xlate(struct xt_xlate *xl, xt_xlate_add(xl, "meta mark set "); - if (info->mark == 0) + if (info->mask == 0xffffffffU) + xt_xlate_add(xl, "0x%x ", info->mark); + else if (info->mark == 0) xt_xlate_add(xl, "mark and 0x%x ", ~info->mask); else if (info->mark == info->mask) xt_xlate_add(xl, "mark or 0x%x ", info->mark); else if (info->mask == 0) xt_xlate_add(xl, "mark xor 0x%x ", info->mark); - else if (info->mask == 0xffffffffU) - xt_xlate_add(xl, "0x%x ", info->mark); else xt_xlate_add(xl, "mark and 0x%x xor 0x%x ", ~info->mask, info->mark); diff --git a/extensions/libxt_MARK.txlate b/extensions/libxt_MARK.txlate index ab5977e9..d3250ab6 100644 --- a/extensions/libxt_MARK.txlate +++ b/extensions/libxt_MARK.txlate @@ -1,3 +1,6 @@ +iptables-translate -t mangle -A OUTPUT -j MARK --set-mark 0 +nft add rule ip mangle OUTPUT counter meta mark set 0x0 + iptables-translate -t mangle -A OUTPUT -j MARK --set-mark 64 nft add rule ip mangle OUTPUT counter meta mark set 0x40 |