I misunderstood the explanation of the option. I'm going to fix that
right now.
Thanks for pointing out the error!
On 22/06/16 12:23, Florian Westphal wrote:
rodanber@xxxxxxxxx <rodanber@xxxxxxxxx> wrote:
From: Roberto García <rodanber@xxxxxxxxx>
Fix translation of MARK target's --set-xmark option.
Before:
# iptables-translate -t mangle -A PREROUTING -j MARK --set-xmark 0x64/0xaf
nft add rule ip mangle PREROUTING counter meta mark set mark xor 0x64 and 0xaf
After:
# iptables-translate -t mangle -A PREROUTING -j MARK --set-xmark 0x64/0xaf
nft add rule ip mangle PREROUTING counter meta mark set mark xor 0x64 and \
0xffffff50
Hmm, I wonder if this is correct... iptables man page says:
--set-xmark value[/mask]
Zeroes out the bits given by mask and XORs value into the packet
mark ("nfmark"). If mask is omitted, 0xFFFFFFFF is assumed.
So the iptables command is supposed to
mark = skb->mark
mark = mark & ~0xaf
mark ^= 0x64
skb->mark = mark
The proposed translation results in:
nft --debug=netlink add rule ip mangle PREROUTING meta mark set mark xor 0x64 and 0xffffff50
[ meta load mark => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000040 ]
[ meta set mark with reg 1 ]
As you can see nft did perform the '0x64 and 0xffffff50' part in an
optimization pass so we end up not masking anything and then xor'ing
0x40.
I think this should be:
nft --debug=netlink add rule ip mangle PREROUTING meta mark set mark and 0xffffff50 xor 0x64
[ meta load mark => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xffffff50 ) ^ 0x00000064 ]
[ meta set mark with reg 1 ]
which -- afaiu -- matches what the xtables target would do.
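The two translations discussed above, worked through in code. This is an added example, not code from the thread or from iptables/nftables: it models the --set-xmark semantics from the man page and the two nft bitwise expressions as the --debug=netlink output shows nft evaluating them. The function names and the sample mark values are assumptions made here for illustration.

```python
# Model of iptables MARK --set-xmark vs. the two nft translations from the thread.
# Assumed helper names; sample marks below are constructed for illustration.

MASK32 = 0xFFFFFFFF


def set_xmark(mark, value, mask=MASK32):
    """iptables semantics per the man page: zero the bits given by mask,
    then XOR value into the packet mark. mask defaults to 0xFFFFFFFF."""
    return ((mark & (~mask & MASK32)) ^ value) & MASK32


def nft_and_then_xor(mark, and_mask, xor_value):
    """'meta mark set mark and <and_mask> xor <xor_value>' as nft evaluates it:
    bitwise reg = (reg & and_mask) ^ xor_value."""
    return ((mark & and_mask) ^ xor_value) & MASK32


def nft_xor_folded(mark, xor_value, and_mask):
    """The original translation 'mark xor <xor_value> and <and_mask>'. nft folded
    the constant sub-expression, so the rule became reg = (reg & 0xffffffff) ^
    (xor_value & and_mask); the packet mark is never masked."""
    return (mark ^ (xor_value & and_mask)) & MASK32


def translate_set_xmark(value, mask=MASK32):
    """Build the nft operands for --set-xmark value/mask: AND with the
    complement of mask, then XOR value. Returns (and_mask, xor_value)."""
    return (~mask & MASK32, value)


# Constructed sample marks covering zero, low bits, high bits and all-ones.
SAMPLE_MARKS = [0x0, 0xFF, 0xDEADBEEF, 0xFFFFFFFF]


def check_translations(value, mask, marks=SAMPLE_MARKS):
    """Compare both nft forms against the iptables semantics for each mark.
    Returns (marks where 'and ... xor' differs, marks where folded 'xor ... and' differs)."""
    and_mask, xor_value = translate_set_xmark(value, mask)
    bad_fixed = [m for m in marks
                 if nft_and_then_xor(m, and_mask, xor_value) != set_xmark(m, value, mask)]
    bad_folded = [m for m in marks
                  if nft_xor_folded(m, xor_value, and_mask) != set_xmark(m, value, mask)]
    return bad_fixed, bad_folded


if __name__ == "__main__":
    and_mask, xor_value = translate_set_xmark(0x64, 0xAF)
    print(f"nft ... meta mark set mark and {and_mask:#x} xor {xor_value:#x}")
    for m in SAMPLE_MARKS:
        print(f"mark {m:#010x}: iptables -> {set_xmark(m, 0x64, 0xAF):#010x}, "
              f"and/xor -> {nft_and_then_xor(m, and_mask, xor_value):#010x}, "
              f"folded xor/and -> {nft_xor_folded(m, xor_value, and_mask):#010x}")
    print("mismatches (and/xor, folded):", check_translations(0x64, 0xAF))
```

Running it prints the and-mask 0xffffff50 for the 0xaf mask and shows that the "and ... xor" form matches the iptables result for every sample mark, while the folded "xor ... and" form only ever flips bit 0x40.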