extensions: connmark: remove non-working translation

... and return 0 so output reflects that no translation was performed.

iptables-translate -A I -j CONNMARK --save-mark --mask 0xff
nft # -A I -j CONNMARK --save-mark --mask 0xff

The translation that was performed:
nft add rule ip mangle PREROUTING counter meta mark set ct mark and 0xff

will clear (zero) most bits:
  [ meta load mark => reg 1 ]
  [ bitwise reg 1 = (reg=1 & 0x000000ff ) ^ 0x00000000 ]
  [ ct set mark with reg 1 ]

The xtables module however does this:

newmark = (ct->mark & ~info->ctmask) ^
           (skb->mark & info->nfmask);

I.e., for ctmark mask defines what to clear,
for nfmark what to keep, i.e. we're supposed to only alter the lower
bits of the ctmark.

nftables can't do this at the moment because bitwise operator RHS
requires immediate values.

same is true for 'restore'.

Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/extensions/libxt_CONNMARK.c b/extensions/libxt_CONNMARK.c
index c7933464101bf24b58517dd56865eb2185b22cd3..94984cdc8a214f6ec32ee0a1bc4739378f142671 100644 (file)
--- a/extensions/libxt_CONNMARK.c
+++ b/extensions/libxt_CONNMARK.c
@@ -371,20 +371,18 @@ static int connmark_tg_xlate(struct xt_xlate *xl,
                                     info->ctmark, ~info->ctmask);
                break;
        case XT_CONNMARK_SAVE:
-               xt_xlate_add(xl, "ct mark set mark");
-               if (!(info->nfmask == UINT32_MAX &&
-                   info->ctmask == UINT32_MAX)) {
-                       if (info->nfmask == info->ctmask)
-                               xt_xlate_add(xl, " and 0x%x", info->nfmask);
-               }
+               if (info->nfmask == info->ctmask &&
+                   info->nfmask == UINT32_MAX)
+                       xt_xlate_add(xl, "ct mark set mark");
+               else
+                       return 0;
                break;
        case XT_CONNMARK_RESTORE:
-               xt_xlate_add(xl, "meta mark set ct mark");
-               if (!(info->nfmask == UINT32_MAX &&
-                   info->ctmask == UINT32_MAX)) {
-                       if (info->nfmask == info->ctmask)
-                               xt_xlate_add(xl, " and 0x%x", info->nfmask);
-               }
+               if (info->nfmask == info->ctmask &&
+                   info->nfmask == UINT32_MAX)
+                       xt_xlate_add(xl, "meta mark set ct mark");
+               else
+                       return 0;
                break;
        }
 

diff --git a/extensions/libxt_CONNMARK.txlate b/extensions/libxt_CONNMARK.txlate
index a47cbb2b00db7e342ebf1cb6fc313a7c22828ee3..ce40ae5ea65e0517e302e094141396da0f9719c9 100644 (file)
--- a/extensions/libxt_CONNMARK.txlate
+++ b/extensions/libxt_CONNMARK.txlate
@@ -16,11 +16,5 @@ nft add rule ip mangle PREROUTING counter ct mark set ct mark or 0x16
 iptables-translate -t mangle -A PREROUTING -j CONNMARK --save-mark
 nft add rule ip mangle PREROUTING counter ct mark set mark
 
-iptables-translate -t mangle -A PREROUTING -j CONNMARK --save-mark --mask 0x12
-nft add rule ip mangle PREROUTING counter ct mark set mark and 0x12
-
 iptables-translate -t mangle -A PREROUTING -j CONNMARK --restore-mark
 nft add rule ip mangle PREROUTING counter meta mark set ct mark
-
-iptables-translate -t mangle -A PREROUTING -j CONNMARK --restore-mark --mask 0x12
-nft add rule ip mangle PREROUTING counter meta mark set ct mark and 0x12