diff options
| author | Florian Westphal <fw@strlen.de> | 2018-02-19 12:30:45 +0100 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2018-02-20 12:44:12 +0100 |
| commit | 043da5b959296af7e664e8a36af606ee2609a64c (patch) | |
| tree | cb88266799076617c111c7afe671a1db29b8777b /extensions | |
| parent | a93b5021ae85940803a890e1dc4a2ba3d6a6f37c (diff) | |
extensions: connmark: remove non-working translation
... and return 0 so output reflects that no translation was performed.
iptables-translate -A I -j CONNMARK --save-mark --mask 0xff
nft # -A I -j CONNMARK --save-mark --mask 0xff
The translation that was performed:
nft add rule ip mangle PREROUTING counter meta mark set ct mark and 0xff
will clear (zero) most bits:
[ meta load mark => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x000000ff ) ^ 0x00000000 ]
[ ct set mark with reg 1 ]
The xtables module however does this:
newmark = (ct->mark & ~info->ctmask) ^
(skb->mark & info->nfmask);
I.e., for ctmark mask defines what to clear,
for nfmark what to keep, i.e. we're supposed to only alter the lower
bits of the ctmark.
nftables can't do this at the moment because bitwise operator RHS
requires immediate values.
same is true for 'restore'.
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'extensions')
| -rw-r--r-- | extensions/libxt_CONNMARK.c | 22 | ||||
| -rw-r--r-- | extensions/libxt_CONNMARK.txlate | 6 |
2 files changed, 10 insertions, 18 deletions
diff --git a/extensions/libxt_CONNMARK.c b/extensions/libxt_CONNMARK.c index c7933464..94984cdc 100644 --- a/extensions/libxt_CONNMARK.c +++ b/extensions/libxt_CONNMARK.c @@ -371,20 +371,18 @@ static int connmark_tg_xlate(struct xt_xlate *xl, info->ctmark, ~info->ctmask); break; case XT_CONNMARK_SAVE: - xt_xlate_add(xl, "ct mark set mark"); - if (!(info->nfmask == UINT32_MAX && - info->ctmask == UINT32_MAX)) { - if (info->nfmask == info->ctmask) - xt_xlate_add(xl, " and 0x%x", info->nfmask); - } + if (info->nfmask == info->ctmask && + info->nfmask == UINT32_MAX) + xt_xlate_add(xl, "ct mark set mark"); + else + return 0; break; case XT_CONNMARK_RESTORE: - xt_xlate_add(xl, "meta mark set ct mark"); - if (!(info->nfmask == UINT32_MAX && - info->ctmask == UINT32_MAX)) { - if (info->nfmask == info->ctmask) - xt_xlate_add(xl, " and 0x%x", info->nfmask); - } + if (info->nfmask == info->ctmask && + info->nfmask == UINT32_MAX) + xt_xlate_add(xl, "meta mark set ct mark"); + else + return 0; break; } diff --git a/extensions/libxt_CONNMARK.txlate b/extensions/libxt_CONNMARK.txlate index a47cbb2b..ce40ae5e 100644 --- a/extensions/libxt_CONNMARK.txlate +++ b/extensions/libxt_CONNMARK.txlate @@ -16,11 +16,5 @@ nft add rule ip mangle PREROUTING counter ct mark set ct mark or 0x16 iptables-translate -t mangle -A PREROUTING -j CONNMARK --save-mark nft add rule ip mangle PREROUTING counter ct mark set mark -iptables-translate -t mangle -A PREROUTING -j CONNMARK --save-mark --mask 0x12 -nft add rule ip mangle PREROUTING counter ct mark set mark and 0x12 - iptables-translate -t mangle -A PREROUTING -j CONNMARK --restore-mark nft add rule ip mangle PREROUTING counter meta mark set ct mark - -iptables-translate -t mangle -A PREROUTING -j CONNMARK --restore-mark --mask 0x12 -nft add rule ip mangle PREROUTING counter meta mark set ct mark and 0x12 |