rodanber@xxxxxxxxx <rodanber@xxxxxxxxx> wrote:
> From: Roberto García <rodanber@xxxxxxxxx>
>
> Fix translation of MARK target's --set-xmark option.
>
> Before:
>
> # iptables-translate -t mangle -A PREROUTING -j MARK --set-xmark 0x64/0xaf
> nft add rule ip mangle PREROUTING counter meta mark set mark xor 0x64 and 0xaf
>
> After:
>
> # iptables-translate -t mangle -A PREROUTING -j MARK --set-xmark 0x64/0xaf
> nft add rule ip mangle PREROUTING counter meta mark set mark xor 0x64 and \
> 0xffffff50

Hmm, I wonder if this is correct...

iptables man page says:

    --set-xmark value[/mask]
        Zeroes out the bits given by mask and XORs value into the packet mark
        ("nfmark"). If mask is omitted, 0xFFFFFFFF is assumed.

So the iptables command is supposed to

    mark = skb->mark
    mark = mark & ~0xaf
    mark ^= 0x64
    skb->mark = mark

The proposed translation results in:

    nft --debug=netlink add rule ip mangle PREROUTING meta mark set mark xor 0x64 and 0xffffff50
      [ meta load mark => reg 1 ]
      [ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000040 ]
      [ meta set mark with reg 1 ]

As you can see nft did perform the '0x64 and 0xffffff50' part in an
optimization pass, so we end up not masking anything and then xor'ing 0x40.

I think this should be:

    nft --debug=netlink add rule ip mangle PREROUTING meta mark set mark and 0xffffff50 xor 0x64
      [ meta load mark => reg 1 ]
      [ bitwise reg 1 = (reg=1 & 0xffffff50 ) ^ 0x00000064 ]
      [ meta set mark with reg 1 ]

which -- afaiu -- matches what the xtables target would do.
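The three expressions discussed above can be compared directly by modelling nft's netlink bitwise expression, `(reg & and_mask) ^ xor_val`, as it appears in the `--debug=netlink` dumps, and evaluating it against the man-page definition of `--set-xmark`. The following C program is an added example and is not code from the thread, from iptables or from nftables; the function names are mine, and the constant-folding model for `mark xor V and M` (nft's `and` binds tighter than `xor`, so the two constants fold into a single XOR value and the register is left unmasked) is inferred from the debug dump quoted in the reply rather than taken from nft's source.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* nft's bitwise expression as shown by --debug=netlink:
 *   [ bitwise reg 1 = (reg=1 & and_mask ) ^ xor_val ]
 */
struct nft_bitwise {
    uint32_t and_mask;
    uint32_t xor_val;
};

uint32_t nft_bitwise_eval(struct nft_bitwise b, uint32_t reg)
{
    return (reg & b.and_mask) ^ b.xor_val;
}

/* xtables MARK --set-xmark value/mask, per the iptables man page:
 * zero the bits given by mask, then XOR value into the mark. */
uint32_t xmark_xtables(uint32_t mark, uint32_t value, uint32_t mask)
{
    return (mark & ~mask) ^ value;
}

/* "meta mark set mark xor V and M": modelled on the quoted debug dump,
 * nft folds the constants to (V & M) and leaves the register unmasked.
 * This covers both the old translation (M = mask) and the proposed one
 * (M = ~mask); neither masks the packet mark. Folding model is an
 * assumption derived from the dump, not taken from nft's parser. */
struct nft_bitwise nft_xor_then_and(uint32_t v, uint32_t m)
{
    struct nft_bitwise b = { 0xffffffffu, v & m };
    return b;
}

/* "meta mark set mark and M xor V": mask the register first, then XOR. */
struct nft_bitwise nft_and_then_xor(uint32_t m, uint32_t v)
{
    struct nft_bitwise b = { m, v };
    return b;
}

/* Render the corrected translation suggested in the reply for a
 * value/mask pair. With mask = 0xffffffff (man page default when the
 * mask is omitted) this degenerates to "and 0x0 xor value". */
int set_xmark_to_nft(uint32_t value, uint32_t mask, char *buf, size_t len)
{
    return snprintf(buf, len, "meta mark set mark and 0x%" PRIx32 " xor 0x%" PRIx32,
                    (uint32_t)~mask, value);
}

/* Returns 1 if the nft bitwise expression agrees with the xtables
 * semantics for every mark whose 16-bit halves are taken from i and ~i,
 * i.e. a spread of bit patterns touching every bit position. */
int translation_matches(struct nft_bitwise b, uint32_t value, uint32_t mask)
{
    for (uint32_t i = 0; i <= 0xffffu; i++) {
        uint32_t mark = (i << 16) | ((~i) & 0xffffu);
        if (nft_bitwise_eval(b, mark) != xmark_xtables(mark, value, mask))
            return 0;
        if (nft_bitwise_eval(b, i) != xmark_xtables(i, value, mask))
            return 0;
    }
    return 1;
}

int main(void)
{
    const uint32_t value = 0x64, mask = 0xaf;      /* the page's --set-xmark 0x64/0xaf */
    const uint32_t sample = 0x12345678u;           /* constructed sample skb->mark */
    char buf[80];

    printf("xtables   : 0x%08" PRIx32 "\n", xmark_xtables(sample, value, mask));
    printf("old  xor/and 0xaf      : 0x%08" PRIx32 " (matches: %d)\n",
           nft_bitwise_eval(nft_xor_then_and(value, mask), sample),
           translation_matches(nft_xor_then_and(value, mask), value, mask));
    printf("proposed xor/and ~mask : 0x%08" PRIx32 " (matches: %d)\n",
           nft_bitwise_eval(nft_xor_then_and(value, ~mask), sample),
           translation_matches(nft_xor_then_and(value, ~mask), value, mask));
    printf("fixed    and/xor       : 0x%08" PRIx32 " (matches: %d)\n",
           nft_bitwise_eval(nft_and_then_xor(~mask, value), sample),
           translation_matches(nft_and_then_xor(~mask, value), value, mask));
    set_xmark_to_nft(value, mask, buf, sizeof buf);
    printf("%s\n", buf);
    return 0;
}
```

Note that the proposed translation differs from xtables even for a zero mark (0x40 versus 0x64), so the mismatch is not limited to marks that already have bits set in the mask.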