From a93b5021ae85940803a890e1dc4a2ba3d6a6f37c Mon Sep 17 00:00:00 2001 From: Florian Westphal Date: Mon, 19 Feb 2018 10:57:18 +0100 Subject: extensions: prefer plain 'set' over 'set mark and' adding a test case for MARK --set-mark 0 fails with exp: nft add rule ip mangle OUTPUT counter meta mark set 0x0 res: nft add rule ip mangle OUTPUT counter meta mark set mark and 0x0 This translation isn't wrong, but unnecessarily complex, so change order to first check if mask bits are all ones. In that case we can simply use an immediate value without need for logical operators. Signed-off-by: Florian Westphal --- extensions/libxt_CONNMARK.txlate | 3 +++ 1 file changed, 3 insertions(+) (limited to 'extensions/libxt_CONNMARK.txlate') diff --git a/extensions/libxt_CONNMARK.txlate b/extensions/libxt_CONNMARK.txlate index 62321be1..a47cbb2b 100644 --- a/extensions/libxt_CONNMARK.txlate +++ b/extensions/libxt_CONNMARK.txlate @@ -1,3 +1,6 @@ +iptables-translate -t mangle -A PREROUTING -j CONNMARK --set-mark 0 +nft add rule ip mangle PREROUTING counter ct mark set 0x0 + iptables-translate -t mangle -A PREROUTING -j CONNMARK --set-mark 0x16 nft add rule ip mangle PREROUTING counter ct mark set 0x16 -- cgit v1.2.3
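Review bot: the new case at the top of extensions/libxt_CONNMARK.txlate only pins `--set-mark 0` without an explicit mask, so it covers the all-ones shortcut but nothing guards the other side of the reordered check. A companion case using the value/mask form with a partial mask would confirm that the translation still emits the logical operators when the mask is not all ones, which matters because a silently dropped mask would overwrite mark bits that other rules rely on. The commit message also describes the failure with `MARK` (`meta mark set`) while this hunk tests `CONNMARK` (`ct mark set`); one sentence saying the same ordering change applies to CONNMARK would make the link between the message and this test explicit.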