[PATCH iptables] extensions: mark: prefer plain 'set' over 'set mark and'

Adding a test case for MARK --set-mark 0 fails with
exp: nft add rule ip mangle OUTPUT counter meta mark set 0x0
res: nft add rule ip mangle OUTPUT counter meta mark set mark and 0x0

This translation isn't wrong, but unnecessarily complex, so
change order to first check if mask bits are all ones.

In that case we can simply use an immediate value without
need for logical operators.

Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
 extensions/libxt_CONNMARK.c      | 6 +++---
 extensions/libxt_CONNMARK.txlate | 3 +++
 extensions/libxt_MARK.c          | 6 +++---
 extensions/libxt_MARK.txlate     | 3 +++
 4 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/extensions/libxt_CONNMARK.c b/extensions/libxt_CONNMARK.c
index f60be58346a5..c7933464101b 100644
--- a/extensions/libxt_CONNMARK.c
+++ b/extensions/libxt_CONNMARK.c
@@ -356,7 +356,9 @@ static int connmark_tg_xlate(struct xt_xlate *xl,
 	switch (info->mode) {
 	case XT_CONNMARK_SET:
 		xt_xlate_add(xl, "ct mark set ");
-		if (info->ctmark == 0)
+		if (info->ctmask == 0xFFFFFFFFU)
+			xt_xlate_add(xl, "0x%x ", info->ctmark);
+		else if (info->ctmark == 0)
 			xt_xlate_add(xl, "ct mark and 0x%x", ~info->ctmask);
 		else if (info->ctmark == info->ctmask)
 			xt_xlate_add(xl, "ct mark or 0x%x",
@@ -364,8 +366,6 @@ static int connmark_tg_xlate(struct xt_xlate *xl,
 		else if (info->ctmask == 0)
 			xt_xlate_add(xl, "ct mark xor 0x%x",
 				     info->ctmark);
-		else if (info->ctmask == 0xFFFFFFFFU)
-			xt_xlate_add(xl, "0x%x ", info->ctmark);
 		else
 			xt_xlate_add(xl, "ct mark xor 0x%x and 0x%x",
 				     info->ctmark, ~info->ctmask);
diff --git a/extensions/libxt_CONNMARK.txlate b/extensions/libxt_CONNMARK.txlate
index 62321be10552..a47cbb2b00db 100644
--- a/extensions/libxt_CONNMARK.txlate
+++ b/extensions/libxt_CONNMARK.txlate
@@ -1,3 +1,6 @@
+iptables-translate -t mangle -A PREROUTING -j CONNMARK --set-mark 0
+nft add rule ip mangle PREROUTING counter ct mark set 0x0
+
 iptables-translate -t mangle -A PREROUTING -j CONNMARK --set-mark 0x16
 nft add rule ip mangle PREROUTING counter ct mark set 0x16
 
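Review bot: the added case only exercises the relocated branch for ctmark 0, and `--set-mark 0x16` below already reached the all-ones check before this series, so neither entry demonstrates the other output that the reorder changes: a rule with ctmark == ctmask == 0xFFFFFFFF previously fell into the `ct mark or 0x%x` branch and now yields the immediate. Adding `iptables-translate -t mangle -A PREROUTING -j CONNMARK --set-mark 0xffffffff` with expected `ct mark set 0xffffffff` (and the same for libxt_MARK.txlate) would pin that behaviour so a later reshuffle of the branches cannot silently regress it.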
diff --git a/extensions/libxt_MARK.c b/extensions/libxt_MARK.c
index 12b1695eeac2..5c6186fe0340 100644
--- a/extensions/libxt_MARK.c
+++ b/extensions/libxt_MARK.c
@@ -252,14 +252,14 @@ static int mark_tg_xlate(struct xt_xlate *xl,
 
 	xt_xlate_add(xl, "meta mark set ");
 
-	if (info->mark == 0)
+	if (info->mask == 0xffffffffU)
+		xt_xlate_add(xl, "0x%x ", info->mark);
+	else if (info->mark == 0)
 		xt_xlate_add(xl, "mark and 0x%x ", ~info->mask);
 	else if (info->mark == info->mask)
 		xt_xlate_add(xl, "mark or 0x%x ", info->mark);
 	else if (info->mask == 0)
 		xt_xlate_add(xl, "mark xor 0x%x ", info->mark);
-	else if (info->mask == 0xffffffffU)
-		xt_xlate_add(xl, "0x%x ", info->mark);
 	else
 		xt_xlate_add(xl, "mark and 0x%x xor 0x%x ", ~info->mask,
 			     info->mark);
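Review bot: style, the all-ones constant is spelled `0xffffffffU` here but `0xFFFFFFFFU` in the libxt_CONNMARK.c hunk of the same patch; the two translators are otherwise written as mirror images, so one spelling should be used in both. Logic-wise the move is equivalent to the CONNMARK change: for mark 0 the old `mark and 0x%x` with ~0xffffffff printed `mark and 0x0`, and for mark == mask == 0xffffffff the old `mark or 0xffffffff` sets every bit, so both now collapse to the plain immediate with no change in what the rule does; the removal of the later duplicate check is required, since that branch would otherwise be unreachable.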
diff --git a/extensions/libxt_MARK.txlate b/extensions/libxt_MARK.txlate
index ab5977e9c6ab..d3250ab6c2e1 100644
--- a/extensions/libxt_MARK.txlate
+++ b/extensions/libxt_MARK.txlate
@@ -1,3 +1,6 @@
+iptables-translate -t mangle -A OUTPUT -j MARK --set-mark 0
+nft add rule ip mangle OUTPUT counter meta mark set 0x0
+
 iptables-translate -t mangle -A OUTPUT -j MARK --set-mark 64
 nft add rule ip mangle OUTPUT counter meta mark set 0x40
 
-- 
2.16.1
