The mask and mark's order is reversed, so when we specify the mask, we will
get the wrong translation result:
# iptables-translate -A INPUT -m mark --mark 0x1/0xff
nft add rule ip filter INPUT mark and 0x1 == 0xff counter
After applying this patch, the translation becomes:
# iptables-translate -A INPUT -m mark --mark 0x1/0xff
nft add rule ip filter INPUT mark and 0xff == 0x1 counter
Cc: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
unsigned int mask, uint32_t op)
{
if (mask != 0xffffffffU)
- xt_xlate_add(xl, " and 0x%x %s 0x%x ", mark,
- op == XT_OP_EQ ? "==" : "!=", mask);
+ xt_xlate_add(xl, " and 0x%x %s 0x%x ", mask,
+ op == XT_OP_EQ ? "==" : "!=", mark);
else
xt_xlate_add(xl, " %s0x%x ",
op == XT_OP_EQ ? "" : "!= ", mark);
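Review bot: in the masked branch, the corrected xt_xlate_add() call still has nothing guarding the argument order, since mask and mark are both printed with the same 0x%x specifier and a swap compiles cleanly, which is how the original bug slipped through. A one-line comment above the call stating that the emitted form is "mark and <mask> <op> <value>" would document the intent. The hunk as shown also adds no test, so a translation test for `--mark 0x1/0xff` expecting `mark and 0xff == 0x1`, as given in the commit message, would catch a regression. As a minor style point, this branch always prints "==" for XT_OP_EQ while the else branch prints an empty string for the same operator, so the two outputs are inconsistent in how they express equality.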