extensions: CONNMARK: Fix xlate callback

Bail out if nfmask != ctmask with XT_CONNMARK_SAVE and XT_CONNMARK_RESTORE. Looks like this needs a similar implementation to the one for XT_CONNMARK_SET. Fix shift mark translation: xt_connmark_shift_ops does not contain useful strings for nftables. Also add needed braces around the term being shifted. Fixes: db7b4e0de960c ("extensions: libxt_CONNMARK: Support bit-shifting for --restore,set and save-mark") Signed-off-by: Phil Sutter <phil@nwl.cc>
author: Phil Sutter <phil@nwl.cc> 2022-11-17 15:30:11 +0100
committer: Phil Sutter <phil@nwl.cc> 2022-11-24 10:24:06 +0100
commit: e6747f6b1098b2bc7dfd482f287b3f90b351f164 (patch)
tree: 4a632220e998b840174fbd2bab8b59f02144702e /extensions/libxt_CONNMARK.txlate
parent: 800bed28b2b7bbd931166c7426640ae619f03342 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/extensions/libxt_CONNMARK.txlate b/extensions/libxt_CONNMARK.txlate
index ce40ae5e..99627c2b 100644
--- a/extensions/libxt_CONNMARK.txlate
+++ b/extensions/libxt_CONNMARK.txlate
@@ -18,3 +18,6 @@ nft add rule ip mangle PREROUTING counter ct mark set mark
 
 iptables-translate -t mangle -A PREROUTING -j CONNMARK --restore-mark
 nft add rule ip mangle PREROUTING counter meta mark set ct mark
+
+iptables-translate -t mangle -A PREROUTING  -j CONNMARK --set-mark 0x23/0x42 --right-shift-mark 5
+nft add rule ip mangle PREROUTING counter ct mark set ( ct mark xor 0x23 and 0xffffff9c ) >> 5
author	Phil Sutter <phil@nwl.cc>	2022-11-17 15:30:11 +0100
committer	Phil Sutter <phil@nwl.cc>	2022-11-24 10:24:06 +0100
commit	e6747f6b1098b2bc7dfd482f287b3f90b351f164 (patch)
tree	4a632220e998b840174fbd2bab8b59f02144702e /extensions/libxt_CONNMARK.txlate
parent	800bed28b2b7bbd931166c7426640ae619f03342 (diff)