From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Cc: Florian Westphal <fw@strlen.de>
Subject: [PATCH v2 iptables 4/4] extensions: MARK: fix arptables support
Date: Tue, 7 Nov 2023 12:15:40 +0100
Message-ID: <20231107111544.17166-5-fw@strlen.de>
In-Reply-To: <20231107111544.17166-1-fw@strlen.de>
arptables "--set-mark" is really just "--or-mark".
This bug is also in arptables-legacy.
Fix this and add test cases.
Note that the test for "16" vs. "0x16" is intentional; the
arptables parser is buggy and always uses "%x".
Signed-off-by: Florian Westphal <fw@strlen.de>
---
extensions/libxt_MARK.c | 2 ++
extensions/libxt_MARK.txlate | 9 +++++++++
2 files changed, 11 insertions(+)
diff --git a/extensions/libxt_MARK.c b/extensions/libxt_MARK.c
index 100f6a38996a..d6eacfcb33f6 100644
--- a/extensions/libxt_MARK.c
+++ b/extensions/libxt_MARK.c
@@ -290,6 +290,7 @@ mark_tg_arp_parse(int c, char **argv, int invert, unsigned int *flags,
return 0;
}
info->mark = i;
+ info->mask = 0xffffffffU;
if (*flags)
xtables_error(PARAMETER_PROBLEM,
"MARK: Can't specify --set-mark twice");
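Review bot: The new `info->mask = 0xffffffffU;` line carries the whole functional fix, but nothing in the hunk says why a full mask is what makes `--set-mark` a replace rather than an OR; a one-line comment above it (e.g. `/* full mask: --set-mark replaces the mark instead of OR-ing into it */`) would keep the next reader from "simplifying" it away. It also lands before the `if (*flags)` duplicate-option check, alongside `info->mark = i;`, which is harmless here since the error path aborts, but placing both assignments after the check would make the parse function's ordering match the usual pattern of validating first and storing second.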
@@ -430,6 +431,7 @@ static struct xtables_target mark_tg_reg[] = {
.save = mark_tg_arp_save,
.parse = mark_tg_arp_parse,
.extra_opts = mark_tg_arp_opts,
+ .xlate = mark_tg_xlate,
},
};
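Review bot: Wiring `.xlate = mark_tg_xlate` into the arp target entry reuses the ip/ip6 translator as-is, so the arp path now depends on that function producing `meta mark set <value>` for the full-mask case set in the previous hunk rather than a `set mark and ... xor ...` form; the `.txlate` cases added in this patch are what pin that behaviour, so it would be worth stating in the commit message that the shared translator is intentionally reused for arp, with no arp-specific branch added.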
diff --git a/extensions/libxt_MARK.txlate b/extensions/libxt_MARK.txlate
index 36ee7a3b8f18..cef8239a599f 100644
--- a/extensions/libxt_MARK.txlate
+++ b/extensions/libxt_MARK.txlate
@@ -24,3 +24,12 @@ nft 'add rule ip mangle PREROUTING counter meta mark set mark and 0x64'
iptables-translate -t mangle -A PREROUTING -j MARK --or-mark 0x64
nft 'add rule ip mangle PREROUTING counter meta mark set mark or 0x64'
+
+arptables-translate -A OUTPUT -j MARK --set-mark 0x4
+nft 'add rule arp filter OUTPUT arp htype 1 arp hlen 6 arp plen 4 counter meta mark set 0x4'
+
+arptables-translate -I OUTPUT -o odev -j MARK --and-mark 0x8
+nft 'insert rule arp filter OUTPUT oifname "odev" arp htype 1 arp hlen 6 arp plen 4 counter meta mark set mark and 0x8'
+
+arptables-translate -t mangle -A OUTPUT -o odev -j MARK --or-mark 16
+nft 'add rule arp mangle OUTPUT oifname "odev" arp htype 1 arp hlen 6 arp plen 4 counter meta mark set mark or 0x16'
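Review bot: The last case expects `--or-mark 16` to translate to `meta mark set mark or 0x16`, which encodes the known arptables parser bug described in the commit message (decimal `16` printed through `%x` as `0x16`, whereas `--and-mark 0x8` and `--set-mark 0x4` above are passed in hex and translate unchanged); once that parser is fixed this expectation will fail without any hint as to why. Suggest marking the case in the `.txlate` file itself if the format allows a comment, or at minimum keeping the commit-message note, so whoever fixes the parser knows to update this line rather than treat the translation as a regression. Also worth noting that the first two cases use the default table while the third uses `-t mangle`, so both table paths are covered.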
--
2.41.0