From: Florian Westphal <fw@strlen.de>
To: rodanber@gmail.com
Cc: arturo.borrero.glez@gmail.com, pablo@netfilter.org,
netfilter-devel@vger.kernel.org
Subject: Re: [PATCH] iptables: extensions: libxt_MARK: Fix translation of --set-xmark option
Date: Wed, 22 Jun 2016 12:23:42 +0200 [thread overview]
Message-ID: <20160622102342.GA6696@breakpoint.cc> (raw)
In-Reply-To: <1466543023-15740-1-git-send-email-rodanber@gmail.com>
rodanber@gmail.com <rodanber@gmail.com> wrote:
> From: Roberto García <rodanber@gmail.com>
>
> Fix translation of MARK target's --set-xmark option.
>
> Before:
>
> # iptables-translate -t mangle -A PREROUTING -j MARK --set-xmark 0x64/0xaf
> nft add rule ip mangle PREROUTING counter meta mark set mark xor 0x64 and 0xaf
>
> After:
>
> # iptables-translate -t mangle -A PREROUTING -j MARK --set-xmark 0x64/0xaf
> nft add rule ip mangle PREROUTING counter meta mark set mark xor 0x64 and \
> 0xffffff50
Hmm, I wonder if this is correct... iptables man page says:
--set-xmark value[/mask]
Zeroes out the bits given by mask and XORs value into the packet
mark ("nfmark"). If mask is omitted, 0xFFFFFFFF is assumed.
So the iptables command is supposed to
mark = skb->mark
mark = mark & ~0xaf
mark ^= 0x64
skb->mark = mark
The proposed translation results in:
nft --debug=netlink add rule ip mangle PREROUTING meta mark set mark xor 0x64 and 0xffffff50
[ meta load mark => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000040 ]
[ meta set mark with reg 1 ]
As you can see nft did perform the '0x64 and 0xffffff50' part in an
optimization pass so we end up not masking anything and then xor'ing
0x40.
I think this should be:
nft --debug=netlink add rule ip mangle PREROUTING meta mark set mark and 0xffffff50 xor 0x64
[ meta load mark => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xffffff50 ) ^ 0x00000064 ]
[ meta set mark with reg 1 ]
which -- afaiu -- matches what the xtables target would do.
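As an added illustration (not part of Florian's mail, nor code from the iptables or nftables projects), the C program below models the man page semantics of --set-xmark and the two nft bitwise forms shown in the --debug=netlink output above, then checks which translation agrees with the xtables target. nft's constant folding is modelled as the debug output shows it, i.e. as one bitwise op with the folded mask and xor constants; the sample mark values are constructed for the check.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

/* xtables semantics of -j MARK --set-xmark value/mask, per the man page:
 * zero the bits given by mask, then XOR value into the mark. */
uint32_t xt_set_xmark(uint32_t mark, uint32_t value, uint32_t mask)
{
    return (mark & ~mask) ^ value;
}

/* One nft bitwise op as printed by --debug=netlink:
 * reg = (reg & mask) ^ xor_val */
uint32_t nft_bitwise(uint32_t reg, uint32_t mask, uint32_t xor_val)
{
    return (reg & mask) ^ xor_val;
}

/* Proposed translation 'meta mark set mark xor 0x64 and 0xffffff50'.
 * nft folds the constants into a single op: mask 0xffffffff,
 * xor 0x64 & 0xffffff50 (= 0x40), so nothing is actually masked. */
uint32_t proposed_translation(uint32_t mark)
{
    return nft_bitwise(mark, 0xffffffffu, 0x64u & 0xffffff50u);
}

/* Suggested translation 'meta mark set mark and 0xffffff50 xor 0x64':
 * mask first (0xffffff50 == ~0xaf), then XOR 0x64. */
uint32_t suggested_translation(uint32_t mark)
{
    return nft_bitwise(mark, 0xffffff50u, 0x64u);
}

/* Compare a translation against the xtables reference for a set of
 * constructed sample marks; true only if every sample agrees. */
bool translation_matches(uint32_t (*fn)(uint32_t), uint32_t value, uint32_t mask)
{
    static const uint32_t samples[] = {
        0x00000000u, 0x000000afu, 0x00000064u,
        0xffffffffu, 0x12345678u, 0x000000ffu
    };
    size_t n = sizeof(samples) / sizeof(samples[0]);

    for (size_t i = 0; i < n; i++) {
        if (fn(samples[i]) != xt_set_xmark(samples[i], value, mask))
            return false;
    }
    return true;
}

int main(void)
{
    const uint32_t value = 0x64u, mask = 0xafu;
    const uint32_t marks[] = { 0x0u, 0xafu, 0xffffffffu, 0x12345678u };

    printf("%-10s %-10s %-10s %-10s\n", "mark", "xtables", "proposed", "suggested");
    for (size_t i = 0; i < sizeof(marks) / sizeof(marks[0]); i++) {
        printf("0x%08x 0x%08x 0x%08x 0x%08x\n", marks[i],
               xt_set_xmark(marks[i], value, mask),
               proposed_translation(marks[i]),
               suggested_translation(marks[i]));
    }
    printf("proposed matches xtables:  %s\n",
           translation_matches(proposed_translation, value, mask) ? "yes" : "no");
    printf("suggested matches xtables: %s\n",
           translation_matches(suggested_translation, value, mask) ? "yes" : "no");
    return 0;
}
```

The table makes the difference concrete: for mark 0xaf the xtables target yields 0x64 (mask bits cleared, value XORed in), the suggested 'and ... xor' form yields the same, while the proposed 'xor ... and' form yields 0xef because nft collapsed it to a bare XOR with 0x40.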