[PATCH v2 iptables 4/4] extensions: MARK: fix arptables support


 



arptables "--set-mark" is really just "--or-mark".
This bug is also in arptables-legacy.

Fix this and add test cases.
Note that the test for "16" vs. "0x16" is intentional,
arptables parser is buggy and always uses "%x".

Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
 extensions/libxt_MARK.c      | 2 ++
 extensions/libxt_MARK.txlate | 9 +++++++++
 2 files changed, 11 insertions(+)

diff --git a/extensions/libxt_MARK.c b/extensions/libxt_MARK.c
index 100f6a38996a..d6eacfcb33f6 100644
--- a/extensions/libxt_MARK.c
+++ b/extensions/libxt_MARK.c
@@ -290,6 +290,7 @@ mark_tg_arp_parse(int c, char **argv, int invert, unsigned int *flags,
 			return 0;
 		}
 		info->mark = i;
+		info->mask = 0xffffffffU;
 		if (*flags)
 			xtables_error(PARAMETER_PROBLEM,
 				"MARK: Can't specify --set-mark twice");
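Review bot: the new `info->mask = 0xffffffffU;` line deserves a one-line comment stating why a full mask is needed (with the mask left at zero the kernel combines the new value with the existing mark instead of replacing it, which is the bug the subject describes); a reader of `mark_tg_arp_parse` in isolation cannot tell that from the assignment alone. Ordering is also slightly awkward: `info->mark` and `info->mask` are written before the `if (*flags)` duplicate-option check errors out, so consider moving both assignments after the check so a rejected second `--set-mark` leaves `info` untouched.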
@@ -430,6 +431,7 @@ static struct xtables_target mark_tg_reg[] = {
 		.save          = mark_tg_arp_save,
 		.parse         = mark_tg_arp_parse,
 		.extra_opts    = mark_tg_arp_opts,
+		.xlate	       = mark_tg_xlate,
 	},
 };
 
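Review bot: `.xlate	       = mark_tg_xlate,` uses a tab followed by spaces after the member name, while the neighbouring `.save`, `.parse` and `.extra_opts` initialisers in this struct are padded with spaces only; align it the same way as the surrounding lines. Wiring the arp target to the shared `mark_tg_xlate` is otherwise the right choice, since the expected output in the new txlate cases (`meta mark set 0x4` for the full mask, `mark and`/`mark or` for the others) is exactly what the ip/ip6 target already produces.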
diff --git a/extensions/libxt_MARK.txlate b/extensions/libxt_MARK.txlate
index 36ee7a3b8f18..cef8239a599f 100644
--- a/extensions/libxt_MARK.txlate
+++ b/extensions/libxt_MARK.txlate
@@ -24,3 +24,12 @@ nft 'add rule ip mangle PREROUTING counter meta mark set mark and 0x64'
 
 iptables-translate -t mangle -A PREROUTING -j MARK --or-mark 0x64
 nft 'add rule ip mangle PREROUTING counter meta mark set mark or 0x64'
+
+arptables-translate -A OUTPUT -j MARK --set-mark 0x4
+nft 'add rule arp filter OUTPUT arp htype 1 arp hlen 6 arp plen 4 counter meta mark set 0x4'
+
+arptables-translate -I OUTPUT -o odev -j MARK --and-mark 0x8
+nft 'insert rule arp filter OUTPUT oifname "odev" arp htype 1 arp hlen 6 arp plen 4 counter meta mark set mark and 0x8'
+
+arptables-translate -t mangle -A OUTPUT -o odev -j MARK --or-mark 16
+nft 'add rule arp mangle OUTPUT oifname "odev" arp htype 1 arp hlen 6 arp plen 4 counter meta mark set mark or 0x16'
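Review bot: the third case encodes the parser bug the commit message mentions as expected output (`--or-mark 16` translating to `mark or 0x16`), so anyone who later fixes the `%x` handling in the arptables parser will also have to edit this test; add a short comment next to that case in the txlate file saying the `0x16` is the known-wrong value being pinned, otherwise the test reads as if `16` were meant to be hexadecimal. The `arp htype 1 arp hlen 6 arp plen 4` prefix repeated in all three translations comes from the arptables defaults rather than from the MARK target, which is fine for an `-j MARK` regression test but worth noting so the file is not mistaken for a test of those matches.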
-- 
2.41.0



