Do not clear top bits of connmark when saving fwmark

This change gets rid of the string formatting to make the command more readable and reverses
the old parameter of --ctmask. Previously, we set --ctmask to ~0x000FFFFF, though as was
correctly pointed out to us, --ctmask defines which bits to *clear*. This means that until now,
this rule would have cleared the strict mode flags that are in the top-byte of the connmark.

Per man iptables-extensions:

    --save-mark [--nfmask nfmask] [--ctmask ctmask]
        Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks.
        The new nfmark value is determined as follows:

            ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)

        i.e. ctmask defines what bits to clear and nfmask what bits of the nfmark to XOR into
        the ctmark. ctmask and nfmask default to 0xFFFFFFFF.

    $ adb shell nc 8.8.8.8 12
    $ adb shell cat /proc/net/nf_conntrack
    ipv4 2 tcp 6 108 SYN_SENT src=192.168.99.55 dst=8.8.8.8 sport=33060 dport=12 [UNREPLIED] src=8.8.8.8 dst=192.168.99.55 sport=12 dport=33060 mark=786533 secctx=u:object_r:unlabeled:s0 use=2
    [..]
    $ adb shell dumpsys connectivity
    Active default network: 101
    [..]

mark=786533 => 0xC0065 (0x0065 == 101)

Bug: 340775174
Test: verified manually
Change-Id: I4d0dc86c6604ff11aa37426f91c73c2bb2982c66
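The --save-mark formula quoted above, worked through for the old and the corrected --ctmask so the cleared bits are visible. This is an added illustration, not code from this change or from netd; it assumes the rule's nfmask and the corrected ctmask are both 0x000FFFFF (the message only says the old ctmask was ~0x000FFFFF and was reversed), and the top-byte "strict mode" bit used as input is a constructed value.

```python
# Simulation of CONNMARK --save-mark mask semantics (added example, not the project's code).
# ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask), per man iptables-extensions.

U32 = 0xFFFFFFFF
NETID_MASK = 0x000FFFFF     # assumed: the 20 low bits the rule copies from fwmark to connmark
OLD_CTMASK = (~NETID_MASK) & U32  # previous rule: ~0x000FFFFF, i.e. clears bits 20..31
NEW_CTMASK = NETID_MASK          # corrected rule: clears only the bits about to be rewritten

def save_mark(ctmark, nfmark, nfmask=U32, ctmask=U32):
    """Apply the --save-mark formula with the given masks (defaults per the man page)."""
    return ((ctmark & ~ctmask) ^ (nfmark & nfmask)) & U32

def old_rule(ctmark, nfmark):
    """Previous rule: every bit outside the low 20 is cleared before the XOR."""
    return save_mark(ctmark, nfmark, nfmask=NETID_MASK, ctmask=OLD_CTMASK)

def new_rule(ctmark, nfmark):
    """Corrected rule: bits outside the low 20 are kept, low 20 are replaced by fwmark's."""
    return save_mark(ctmark, nfmark, nfmask=NETID_MASK, ctmask=NEW_CTMASK)

def cleared_bits(ctmask):
    """Bit positions a given --ctmask clears; useful when reviewing an iptables rule."""
    return [b for b in range(32) if ctmask & (1 << b)]

if __name__ == "__main__":
    fwmark = 786533                # mark from the nf_conntrack line above: 0xC0065, netId 101
    strict_flag = 0x01000000       # constructed: a flag in the top byte of the existing connmark
    print(f"old rule: {old_rule(strict_flag, fwmark):#010x}")   # top byte lost
    print(f"new rule: {new_rule(strict_flag, fwmark):#010x}")   # top byte preserved
    print("old ctmask clears bits", cleared_bits(OLD_CTMASK))
```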