use only the top bit for our accept marks

[pve-firewall.git] / src / PVE / FirewallSimulator.pm

diff --git a/src/PVE/FirewallSimulator.pm b/src/PVE/FirewallSimulator.pm
index 2e9bc38a84f43275159f5c5a4b17e4cee3f16a7c..c924b41c3e9377fb99668ea6b00fff19cc4d74ad 100644 (file)
--- a/src/PVE/FirewallSimulator.pm
+++ b/src/PVE/FirewallSimulator.pm
@@ -13,6 +13,8 @@ my $mark;
 my $trace;
 my $debug = 0;
 
+my $NUMBER_RE = qr/0x[0-9a-fA-F]+|\d+/;
+
 sub debug {
     my $new_value = shift;
 
@@ -211,15 +213,17 @@ sub rule_match {
            next;
        }
 
-       if ($rule =~ s/^-m mark --mark (\d+)\s*//) {
-           return undef if !defined($mark) || $mark != $1;
+       if ($rule =~ s@^-m mark --mark ($NUMBER_RE)(?:/($NUMBER_RE))?\s*@@) {
+           my ($value, $mask) = PVE::Firewall::get_mark_values($1, $2);
+           return undef if !defined($mark) || ($mark & $mask) != $value;
            next;
        }
 
        # final actions
 
-       if ($rule =~ s/^-j MARK --set-mark (\d+)\s*$//) {
-           $mark = $1;
+       if ($rule =~ s@^-j MARK --set-mark ($NUMBER_RE)(?:/($NUMBER_RE))?\s*$@@) {
+           my ($value, $mask) = PVE::Firewall::get_mark_values($1, $2);
+           $mark = ($mark & ~$mask) | $value;
            return undef;
        }