iptables: extensions: libxt_MARK: Fix translation of --set-xmark option

Fix translation of MARK target's --set-xmark option.

Before:
  #iptables-translate -t mangle -A PREROUTING -j MARK --set-xmark 0x64/0xaf
  nft add rule ip mangle PREROUTING counter meta mark set mark xor 0x64 and 0xaf

After:

  # iptables-translate -t mangle -A PREROUTING -j MARK --set-xmark 0x64/0xaf
  nft add rule ip mangle PREROUTING counter meta mark set mark and 0xffffff50 \
  xor 0x64

Signed-off-by: Roberto García <rodanber@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/extensions/libxt_MARK.c b/extensions/libxt_MARK.c
index 8bd4d4106100937fd145a7632236ed982c81af27..c7b179437f46bcacffae7377d8d58bf495527913 100644 (file)
--- a/extensions/libxt_MARK.c
+++ b/extensions/libxt_MARK.c
@@ -261,8 +261,8 @@ static int mark_tg_xlate(const void *ip, const struct xt_entry_target *target,
        else if (info->mask == 0xffffffffU)
                xt_xlate_add(xl, "0x%x ", info->mark);
        else
-               xt_xlate_add(xl, "mark xor 0x%x and 0x%x ", info->mark,
-                            info->mask);
+               xt_xlate_add(xl, "mark and 0x%x xor 0x%x ", ~info->mask,
+                            info->mark);
 
        return 1;
 }