ruleset: fix emitting set_mark/set_xmark rules with masks

Fix a bad variable access when emitting set_mark/set_xmark rules with
masks and add test coverage for the various mark target variants.

Fixes: #10965
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

root/usr/share/firewall4/templates/rule.uc

@@ -78,12 +78,12 @@
 		(rule.set_xmark.mask == 0xFFFFFFFF)
 			? fw4.hex(rule.set_xmark.mark)
 			: (rule.set_xmark.mark == 0)
-				? 'mark and ' + fw4.hex(~rule.set_xmark.mask & 0xFFFFFFFF)
+				? `mark and ${fw4.hex(~rule.set_xmark.mask & 0xFFFFFFFF)}`
 				: (rule.set_xmark.mark == rule.set_xmark.mask)
-					? 'mark or ' + fw4.hex(rule.set_xmark.mark)
+					? `mark or ${fw4.hex(rule.set_xmark.mark)}`
 					: (rule.set_xmark.mask == 0)
-						? 'mark xor ' + fw4.hex(rule.set_xmark.mark)
-						: 'mark and ' + fw4.hex(~r.set_xmark.mask & 0xFFFFFFFF) + ' xor ' + fw4.hex(r.set_xmark.mark)
+						? `mark xor ${fw4.hex(rule.set_xmark.mark)}`
+						: `mark and ${fw4.hex(~rule.set_xmark.mask & 0xFFFFFFFF)} xor ${fw4.hex(rule.set_xmark.mark)}`
 	}} {%+
    elif (rule.target == "dscp"): -%}
 	{{ fw4.ipproto(rule.family) }} dscp set {{ fw4.hex(rule.set_dscp.dscp) }} {%+

tests/03_rules/12_mark

@@ -0,0 +1,184 @@
+Testing various MARK rules.
+
+-- Testcase --
+{%
+	include("./root/usr/share/firewall4/main.uc", {
+		getenv: function(varname) {
+			switch (varname) {
+			case 'ACTION':
+				return 'print';
+			}
+		}
+	})
+%}
+-- End --
+
+-- File uci/helpers.json --
+{}
+-- End --
+
+-- File uci/firewall.json --
+{
+	"rule": [
+		{
+			".description": "Test setting mark",
+			"name": "Mark rule #1",
+			"proto": "all",
+			"src": "*",
+			"target": "MARK",
+			"set_mark": "0xaa"
+		},
+		{
+			".description": "Test setting mark with mask",
+			"name": "Mark rule #2",
+			"proto": "all",
+			"src": "*",
+			"target": "MARK",
+			"set_mark": "0xab/0xff00"
+		},
+		{
+			".description": "Test setting xor mark",
+			"name": "Mark rule #3",
+			"proto": "all",
+			"src": "*",
+			"target": "MARK",
+			"set_xmark": "0xac"
+		},
+		{
+			".description": "Test setting xor mark with mask",
+			"name": "Mark rule #4",
+			"proto": "all",
+			"src": "*",
+			"target": "MARK",
+			"set_xmark": "0xad/0xff00"
+		},
+		{
+			".description": "Test ANDing bits (set xmark 0/~bits)",
+			"name": "Mark rule #5",
+			"proto": "all",
+			"src": "*",
+			"target": "MARK",
+			"set_xmark": "0/0xffffff51"
+		},
+		{
+			".description": "Test ORing bits (set xmark bits/bits)",
+			"name": "Mark rule #6",
+			"proto": "all",
+			"src": "*",
+			"target": "MARK",
+			"set_xmark": "0xaf/0xaf"
+		}
+	]
+}
+-- End --
+
+-- Expect stdout --
+table inet fw4
+flush table inet fw4
+
+table inet fw4 {
+	#
+	# Defines
+	#
+
+
+	#
+	# User includes
+	#
+
+	include "/etc/nftables.d/*.nft"
+
+
+	#
+	# Filter rules
+	#
+
+	chain input {
+		type filter hook input priority filter; policy drop;
+
+		iifname "lo" accept comment "!fw4: Accept traffic from loopback"
+
+		ct state established,related accept comment "!fw4: Allow inbound established and related flows"
+	}
+
+	chain forward {
+		type filter hook forward priority filter; policy drop;
+
+		ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
+	}
+
+	chain output {
+		type filter hook output priority filter; policy drop;
+
+		oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
+
+		ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+	}
+
+	chain prerouting {
+		type filter hook prerouting priority filter; policy accept;
+	}
+
+	chain handle_reject {
+		meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
+		reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
+	}
+
+
+	#
+	# NAT rules
+	#
+
+	chain dstnat {
+		type nat hook prerouting priority dstnat; policy accept;
+	}
+
+	chain srcnat {
+		type nat hook postrouting priority srcnat; policy accept;
+	}
+
+
+	#
+	# Raw rules (notrack)
+	#
+
+	chain raw_prerouting {
+		type filter hook prerouting priority raw; policy accept;
+	}
+
+	chain raw_output {
+		type filter hook output priority raw; policy accept;
+	}
+
+
+	#
+	# Mangle rules
+	#
+
+	chain mangle_prerouting {
+		type filter hook prerouting priority mangle; policy accept;
+	}
+
+	chain mangle_postrouting {
+		type filter hook postrouting priority mangle; policy accept;
+	}
+
+	chain mangle_input {
+		type filter hook input priority mangle; policy accept;
+		counter meta mark set 0xaa comment "!fw4: Mark rule #1"
+		counter meta mark set mark and 0xffff0054 xor 0xab comment "!fw4: Mark rule #2"
+		counter meta mark set 0xac comment "!fw4: Mark rule #3"
+		counter meta mark set mark and 0xffff00ff xor 0xad comment "!fw4: Mark rule #4"
+		counter meta mark set mark and 0xae comment "!fw4: Mark rule #5"
+		counter meta mark set mark or 0xaf comment "!fw4: Mark rule #6"
+	}
+
+	chain mangle_output {
+		type route hook output priority mangle; policy accept;
+	}
+
+	chain mangle_forward {
+		type filter hook forward priority mangle; policy accept;
+	}
+}
+-- End --