On Mon, Feb 19, 2018 at 12:47:55PM +0100, Florian Westphal wrote:
> ... and return 0 so output reflects that no translation was performed.
>
> iptables-translate -A I -j CONNMARK --save-mark --mask 0xff
> nft # -A I -j CONNMARK --save-mark --mask 0xff
>
> The translation that was performed:
> nft add rule ip mangle PREROUTING counter meta mark set ct mark and 0xff
>
> will clear (zero) most bits:
> [ meta load mark => reg 1 ]
> [ bitwise reg 1 = (reg=1 & 0x000000ff ) ^ 0x00000000 ]
> [ ct set mark with reg 1 ]
>
> The xtables module however does this:
>
> newmark = (ct->mark & ~info->ctmask) ^
>           (skb->mark & info->nfmask);
>
> I.e., for ctmark mask defines what to clear,
> for nfmark what to keep, i.e. we're supposed to only alter the lower
> bits of the ctmark.
>
> nftables can't do this at the moment because bitwise operator RHS
> requires immediate values.
>
> same is true for 'restore'.

OK. Please push this.

Please place this somewhere in the wiki so we don't forget we need some
plumbing to support this use case.

Thanks !
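To make the divergence described in the quoted message concrete, here is an added example (not code from the thread or from the netfilter tree) that models both the xtables CONNMARK --save-mark computation and the behaviour of the translated nft bytecode, and compares them on a constructed pair of marks. It assumes that `--mask 0xff` corresponds to ctmask = nfmask = 0xff, as in the quoted rule.

```c
#include <stdint.h>
#include <stdio.h>

/* Semantics of the xtables CONNMARK --save-mark target as quoted above:
 * clear the ctmask bits of the conntrack mark, then XOR in the nfmask
 * bits of the packet mark.  Bits of ct->mark outside ctmask survive. */
uint32_t xt_save_mark(uint32_t ctmark, uint32_t skbmark,
                      uint32_t ctmask, uint32_t nfmask)
{
    return (ctmark & ~ctmask) ^ (skbmark & nfmask);
}

/* What the generated nft rule does instead:
 *   [ meta load mark => reg 1 ]
 *   [ bitwise reg 1 = (reg=1 & mask) ^ 0x00000000 ]
 *   [ ct set mark with reg 1 ]
 * The existing ct mark is never loaded, so every bit outside mask is zeroed. */
uint32_t nft_translated_save_mark(uint32_t ctmark, uint32_t skbmark,
                                  uint32_t mask)
{
    (void)ctmark;               /* unused: the bytecode never reads it */
    uint32_t reg1 = skbmark;    /* meta load mark => reg 1 */
    reg1 = (reg1 & mask) ^ 0x00000000;
    return reg1;                /* ct set mark with reg 1 */
}

/* Non-zero when the translation would store a different ct mark than
 * the xtables module for these inputs (assumes ctmask == nfmask == mask). */
int translation_diverges(uint32_t ctmark, uint32_t skbmark, uint32_t mask)
{
    return xt_save_mark(ctmark, skbmark, mask, mask)
           != nft_translated_save_mark(ctmark, skbmark, mask);
}

int main(void)
{
    /* Constructed sample: the upper bits of the ct mark already hold state. */
    uint32_t ctmark = 0xdead0042u, skbmark = 0x000000a5u, mask = 0xffu;
    printf("xtables : 0x%08x\n", xt_save_mark(ctmark, skbmark, mask, mask));
    printf("nft xlat: 0x%08x\n", nft_translated_save_mark(ctmark, skbmark, mask));
    printf("diverges: %d\n", translation_diverges(ctmark, skbmark, mask));
    return 0;
}
```

The two only agree when every bit of the existing ct mark outside the mask is already zero, which is why the translation cannot be emitted silently.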