Diffstat (limited to 'tests/py/inet')
95 files changed, 4490 insertions, 2430 deletions
diff --git a/tests/py/inet/ah.t b/tests/py/inet/ah.t index 8544d9dd..83b6202b 100644 --- a/tests/py/inet/ah.t +++ b/tests/py/inet/ah.t @@ -1,12 +1,11 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress - -# nexthdr Bug to list table. +*netdev;test-netdev;ingress,egress - ah nexthdr esp;ok - ah nexthdr ah;ok @@ -22,8 +21,6 @@ ah hdrlength 11-23;ok ah hdrlength != 11-23;ok -ah hdrlength { 11-23};ok -ah hdrlength != { 11-23};ok ah hdrlength {11, 23, 44 };ok ah hdrlength != {11, 23, 44 };ok @@ -33,8 +30,6 @@ ah reserved 33-45;ok ah reserved != 33-45;ok ah reserved {23, 100};ok ah reserved != {23, 100};ok -ah reserved { 33-55};ok -ah reserved != { 33-55};ok ah spi 111;ok ah spi != 111;ok @@ -42,15 +37,11 @@ ah spi 111-222;ok ah spi != 111-222;ok ah spi {111, 122};ok ah spi != {111, 122};ok -ah spi { 111-122};ok -ah spi != { 111-122};ok # sequence ah sequence 123;ok ah sequence != 123;ok ah sequence {23, 25, 33};ok ah sequence != {23, 25, 33};ok -ah sequence { 23-33};ok -ah sequence != { 23-33};ok ah sequence 23-33;ok ah sequence != 23-33;ok diff --git a/tests/py/inet/ah.t.json b/tests/py/inet/ah.t.json index 4efdb0dd..217280b6 100644 --- a/tests/py/inet/ah.t.json +++ b/tests/py/inet/ah.t.json @@ -34,46 +34,6 @@ } ] -# ah hdrlength { 11-23} -[ - { - "match": { - "left": { - "payload": { - "field": "hdrlength", - "protocol": "ah" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 11, 23 ] } - ] - } - } - } -] - -# ah hdrlength != { 11-23} -[ - { - "match": { - "left": { - "payload": { - "field": "hdrlength", - "protocol": "ah" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 11, 23 ] } - ] - } - } - } -] - # ah hdrlength {11, 23, 44 } [ { 
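Review bot: In tests/py/inet/ah.t the first hunk deletes `# nexthdr Bug to list table.` but keeps the `- ah nexthdr esp;ok` and `- ah nexthdr ah;ok` entries that followed it, so the lines with a leading `-` no longer say why they are set aside. If they are still excluded on purpose, keep a reworded comment above them, such as `# nexthdr: disabled, bug when listing the table`. If the bug is fixed, drop the `-` so AH next-header matching gets regression coverage again. The block of nexthdr entries continues past the context shown in the hunk.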
@@ -228,46 +188,6 @@ } ] -# ah reserved { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "reserved", - "protocol": "ah" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# ah reserved != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "reserved", - "protocol": "ah" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # ah spi 111 [ { @@ -378,46 +298,6 @@ } ] -# ah spi { 111-122} -[ - { - "match": { - "left": { - "payload": { - "field": "spi", - "protocol": "ah" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 111, 122 ] } - ] - } - } - } -] - -# ah spi != { 111-122} -[ - { - "match": { - "left": { - "payload": { - "field": "spi", - "protocol": "ah" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 111, 122 ] } - ] - } - } - } -] - # ah sequence 123 [ { @@ -494,46 +374,6 @@ } ] -# ah sequence { 23-33} -[ - { - "match": { - "left": { - "payload": { - "field": "sequence", - "protocol": "ah" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 23, 33 ] } - ] - } - } - } -] - -# ah sequence != { 23-33} -[ - { - "match": { - "left": { - "payload": { - "field": "sequence", - "protocol": "ah" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 23, 33 ] } - ] - } - } - } -] - # ah sequence 23-33 [ { diff --git a/tests/py/inet/ah.t.payload b/tests/py/inet/ah.t.payload index 5ec5fba1..7ddd72d5 100644 --- a/tests/py/inet/ah.t.payload +++ b/tests/py/inet/ah.t.payload 
@@ -13,26 +13,6 @@ inet test-inet input [ payload load 1b @ transport header + 1 => reg 1 ] [ range neq reg 1 0x0000000b 0x00000017 ] -# ah hdrlength { 11-23} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 0000000b : 0 [end] element 00000018 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 1b @ transport header + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ah hdrlength != { 11-23} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 0000000b : 0 [end] element 00000018 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 1b @ transport header + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ah hdrlength {11, 23, 44 } __set%d test-inet 3 __set%d test-inet 0 @@ -102,26 +82,6 @@ inet test-inet input [ payload load 2b @ transport header + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ah reserved { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ah reserved != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ah spi 111 inet test-inet input [ meta load l4proto => reg 1 ] 
@@ -171,26 +131,6 @@ inet test-inet input [ payload load 4b @ transport header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ah spi { 111-122} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 6f000000 : 0 [end] element 7b000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 4b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ah spi != { 111-122} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 6f000000 : 0 [end] element 7b000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 4b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ah sequence 123 inet test-inet input [ meta load l4proto => reg 1 ] @@ -225,26 +165,6 @@ inet test-inet input [ payload load 4b @ transport header + 8 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ah sequence { 23-33} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 17000000 : 0 [end] element 22000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 4b @ transport header + 8 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ah sequence != { 23-33} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 17000000 : 0 [end] element 22000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 4b @ transport header + 8 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ah sequence 23-33 inet test-inet input [ meta load l4proto => reg 1 ] diff --git a/tests/py/inet/comp.t b/tests/py/inet/comp.t index 0df18139..2ef53820 100644 --- a/tests/py/inet/comp.t +++ b/tests/py/inet/comp.t 
@@ -1,10 +1,11 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress # BUG: nft: payload.c:88: payload_expr_pctx_update: Assertion `left->payload.base + 1 <= (__PROTO_BASE_MAX - 1)' failed. - comp nexthdr esp;ok;comp nexthdr 50 @@ -20,8 +21,6 @@ comp flags 0x33-0x45;ok comp flags != 0x33-0x45;ok comp flags {0x33, 0x55, 0x67, 0x88};ok comp flags != {0x33, 0x55, 0x67, 0x88};ok -comp flags { 0x33-0x55};ok -comp flags != { 0x33-0x55};ok comp cpi 22;ok comp cpi != 233;ok @@ -29,5 +28,3 @@ comp cpi 33-45;ok comp cpi != 33-45;ok comp cpi {33, 55, 67, 88};ok comp cpi != {33, 55, 67, 88};ok -comp cpi { 33-55};ok -comp cpi != { 33-55};ok diff --git a/tests/py/inet/comp.t.json b/tests/py/inet/comp.t.json index b9b24f98..c9f6fcac 100644 --- a/tests/py/inet/comp.t.json +++ b/tests/py/inet/comp.t.json @@ -128,46 +128,6 @@ } ] -# comp flags { 0x33-0x55} -[ - { - "match": { - "left": { - "payload": { - "field": "flags", - "protocol": "comp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ "0x33", "0x55" ] } - ] - } - } - } -] - -# comp flags != { 0x33-0x55} -[ - { - "match": { - "left": { - "payload": { - "field": "flags", - "protocol": "comp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ "0x33", "0x55" ] } - ] - } - } - } -] - # comp cpi 22 [ { @@ -282,43 +242,3 @@ } ] -# comp cpi { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "cpi", - "protocol": "comp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# comp cpi != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "cpi", - "protocol": "comp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - 
diff --git a/tests/py/inet/comp.t.payload b/tests/py/inet/comp.t.payload index dec38aea..024e47cd 100644 --- a/tests/py/inet/comp.t.payload +++ b/tests/py/inet/comp.t.payload @@ -54,26 +54,6 @@ inet test-inet input [ payload load 1b @ transport header + 1 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# comp flags { 0x33-0x55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000033 : 0 [end] element 00000056 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x0000006c ] - [ payload load 1b @ transport header + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# comp flags != { 0x33-0x55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000033 : 0 [end] element 00000056 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x0000006c ] - [ payload load 1b @ transport header + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # comp cpi 22 inet test-inet input [ meta load l4proto => reg 1 ] @@ -123,23 +103,3 @@ inet test-inet input [ payload load 2b @ transport header + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# comp cpi { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x0000006c ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# comp cpi != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x0000006c ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - diff --git a/tests/py/inet/ct.t b/tests/py/inet/ct.t index 3d0dffad..5312b328 100644 --- a/tests/py/inet/ct.t +++ b/tests/py/inet/ct.t 
@@ -6,7 +6,7 @@ meta nfproto ipv4 ct original saddr 1.2.3.4;ok;ct original ip saddr 1.2.3.4 ct original ip6 saddr ::1;ok -ct original ip daddr {1.2.3.4} accept;ok +ct original ip daddr 1.2.3.4 accept;ok # missing protocol context ct original saddr ::1;fail diff --git a/tests/py/inet/ct.t.json b/tests/py/inet/ct.t.json index e7f928ca..223ac9e7 100644 --- a/tests/py/inet/ct.t.json +++ b/tests/py/inet/ct.t.json @@ -39,7 +39,7 @@ } ] -# ct original ip daddr {1.2.3.4} accept +# ct original ip daddr 1.2.3.4 accept [ { "match": { @@ -50,11 +50,7 @@ } }, "op": "==", - "right": { - "set": [ - "1.2.3.4" - ] - } + "right": "1.2.3.4" } }, { diff --git a/tests/py/inet/ct.t.payload b/tests/py/inet/ct.t.payload index 3b274f8c..f7a2ef27 100644 --- a/tests/py/inet/ct.t.payload +++ b/tests/py/inet/ct.t.payload @@ -10,11 +10,8 @@ inet test-inet input [ ct load src_ip6 => reg 1 , dir original ] [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x01000000 ] -# ct original ip daddr {1.2.3.4} accept -__set%d test-inet 3 size 1 -__set%d test-inet 0 - element 04030201 : 0 [end] +# ct original ip daddr 1.2.3.4 accept inet test-inet input [ ct load dst_ip => reg 1 , dir original ] - [ lookup reg 1 set __set%d ] + [ cmp eq reg 1 0x04030201 ] [ immediate reg 0 accept ] diff --git a/tests/py/inet/dccp.t b/tests/py/inet/dccp.t index 9a81bb2e..99cddbe7 100644 --- a/tests/py/inet/dccp.t +++ b/tests/py/inet/dccp.t 
@@ -1,29 +1,30 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress dccp sport 21-35;ok dccp sport != 21-35;ok dccp sport {23, 24, 25};ok dccp sport != {23, 24, 25};ok -dccp sport { 20-50 };ok dccp sport 20-50;ok -dccp sport { 20-50};ok -dccp sport != { 20-50};ok # dccp dport 21-35;ok # dccp dport != 21-35;ok dccp dport {23, 24, 25};ok dccp dport != {23, 24, 25};ok -dccp dport { 20-50};ok -dccp dport != { 20-50};ok dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack};ok dccp type != {request, response, data, ack, dataack, closereq, close, reset, sync, syncack};ok dccp type request;ok dccp type != request;ok + +dccp option 0 exists;ok +dccp option 43 missing;ok +dccp option 255 exists;ok +dccp option 256 exists;fail diff --git a/tests/py/inet/dccp.t.json b/tests/py/inet/dccp.t.json index 9260fbc5..9f47e97b 100644 --- a/tests/py/inet/dccp.t.json +++ b/tests/py/inet/dccp.t.json @@ -78,44 +78,6 @@ } ] -# dccp sport { 20-50 } -[ - { - "match": { - "left": { - "payload": { - "field": "sport", - "protocol": "dccp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 20, 50 ] } - ] - } - } - } -] - -# dccp sport ftp-data - re-mail-ck -[ - { - "match": { - "left": { - "payload": { - "field": "sport", - "protocol": "dccp" - } - }, - "op": "==", - "right": { - "range": [ "ftp-data", "re-mail-ck" ] - } - } - } -] - # dccp sport 20-50 [ { 
@@ -134,46 +96,6 @@ } ] -# dccp sport { 20-50} -[ - { - "match": { - "left": { - "payload": { - "field": "sport", - "protocol": "dccp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 20, 50 ] } - ] - } - } - } -] - -# dccp sport != { 20-50} -[ - { - "match": { - "left": { - "payload": { - "field": "sport", - "protocol": "dccp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 20, 50 ] } - ] - } - } - } -] - # dccp dport {23, 24, 25} [ { @@ -218,46 +140,6 @@ } ] -# dccp dport { 20-50} -[ - { - "match": { - "left": { - "payload": { - "field": "dport", - "protocol": "dccp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 20, 50 ] } - ] - } - } - } -] - -# dccp dport != { 20-50} -[ - { - "match": { - "left": { - "payload": { - "field": "dport", - "protocol": "dccp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 20, 50 ] } - ] - } - } - } -] - # dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack} [ { @@ -348,3 +230,47 @@ } ] +# dccp option 0 exists +[ + { + "match": { + "left": { + "dccp option": { + "type": 0 + } + }, + "op": "==", + "right": true + } + } +] + +# dccp option 43 missing +[ + { + "match": { + "left": { + "dccp option": { + "type": 43 + } + }, + "op": "==", + "right": false + } + } +] + +# dccp option 255 exists +[ + { + "match": { + "left": { + "dccp option": { + "type": 255 + } + }, + "op": "==", + "right": true + } + } +] diff --git a/tests/py/inet/dccp.t.payload b/tests/py/inet/dccp.t.payload index b5a48f40..c0b87be1 100644 --- a/tests/py/inet/dccp.t.payload +++ b/tests/py/inet/dccp.t.payload 
@@ -33,24 +33,6 @@ inet test-inet input [ payload load 2b @ transport header + 0 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# dccp sport { 20-50 } -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00001400 : 0 [end] element 00003300 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000021 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# dccp sport ftp-data - re-mail-ck -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000021 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ cmp gte reg 1 0x00001400 ] - [ cmp lte reg 1 0x00003200 ] - # dccp sport 20-50 inet test-inet input [ meta load l4proto => reg 1 ] @@ -59,26 +41,6 @@ inet test-inet input [ cmp gte reg 1 0x00001400 ] [ cmp lte reg 1 0x00003200 ] -# dccp sport { 20-50} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00001400 : 0 [end] element 00003300 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000021 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# dccp sport != { 20-50} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00001400 : 0 [end] element 00003300 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000021 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # dccp dport {23, 24, 25} __set%d test-ip4 3 __set%d test-ip4 0 
@@ -99,26 +61,6 @@ inet test-inet input [ payload load 2b @ transport header + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# dccp dport { 20-50} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00001400 : 0 [end] element 00003300 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000021 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# dccp dport != { 20-50} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00001400 : 0 [end] element 00003300 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000021 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack} __set%d test-inet 3 __set%d test-inet 0 @@ -127,7 +69,7 @@ inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000021 ] [ payload load 1b @ transport header + 8 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000001e ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000001e ) ^ 0x00000000 ] [ lookup reg 1 set __set%d ] # dccp type != {request, response, data, ack, dataack, closereq, close, reset, sync, syncack} @@ -138,7 +80,7 @@ inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000021 ] [ payload load 1b @ transport header + 8 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000001e ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000001e ) ^ 0x00000000 ] [ lookup reg 1 set __set%d 0x1 ] # dccp type request @@ -146,7 +88,7 @@ inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000021 ] [ payload load 1b @ transport header + 8 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000001e ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000001e ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000000 ] # dccp type != request 
@@ -154,6 +96,20 @@ inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000021 ] [ payload load 1b @ transport header + 8 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000001e ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000001e ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000000 ] +# dccp option 0 exists +ip test-inet input + [ exthdr load 1b @ 0 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# dccp option 43 missing +ip test-inet input + [ exthdr load 1b @ 43 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000000 ] + +# dccp option 255 exists +ip test-inet input + [ exthdr load 1b @ 255 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] diff --git a/tests/py/inet/dnat.t b/tests/py/inet/dnat.t index fcdf9436..e4e169f2 100644 --- a/tests/py/inet/dnat.t +++ b/tests/py/inet/dnat.t @@ -6,6 +6,7 @@ iifname "foo" tcp dport 80 redirect to :8080;ok iifname "eth0" tcp dport 443 dnat ip to 192.168.3.2;ok iifname "eth0" tcp dport 443 dnat ip6 to [dead::beef]:4443;ok +meta l4proto tcp dnat to :80;ok;meta l4proto 6 dnat to :80 dnat ip to ct mark map { 0x00000014 : 1.2.3.4};ok dnat ip to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4};ok @@ -14,3 +15,8 @@ dnat ip6 to 1.2.3.4;fail dnat to 1.2.3.4;fail dnat ip6 to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4};fail ip6 daddr dead::beef dnat to 10.1.2.3;fail + +meta l4proto { tcp, udp } dnat ip to 1.1.1.1:80;ok;meta l4proto { 6, 17} dnat ip to 1.1.1.1:80 +ip protocol { tcp, udp } dnat ip to 1.1.1.1:80;ok;ip protocol { 6, 17} dnat ip to 1.1.1.1:80 +meta l4proto { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80;fail +ip protocol { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80;fail diff --git a/tests/py/inet/dnat.t.json b/tests/py/inet/dnat.t.json index ac6dac62..c341a045 100644 --- a/tests/py/inet/dnat.t.json +++ b/tests/py/inet/dnat.t.json 
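Review bot: The three entries added at the end of tests/py/inet/dccp.t.payload (`dccp option 0 exists`, `dccp option 43 missing`, `dccp option 255 exists`) are headed `ip test-inet input`, mixing the ip family with the inet table name. Every other entry visible in this file is headed `inet test-inet input`, and I would use that here too. The new entries in tests/py/inet/dnat.t.payload have a related problem: their header is a bare `inet`, where the neighbouring entries read `inet test-inet prerouting`. The test harness may skip this header line when comparing bytecode, in which case the issue is cosmetic. Even so, a wrong family in the expected output misleads anyone reading the file to check which hook a rule was compiled for.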
@@ -164,3 +164,78 @@ } ] +# meta l4proto { tcp, udp } dnat ip to 1.1.1.1:80 +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": { + "set": [ + 6, + 17 + ] + } + } + }, + { + "dnat": { + "addr": "1.1.1.1", + "family": "ip", + "port": 80 + } + } +] + +# ip protocol { tcp, udp } dnat ip to 1.1.1.1:80 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": { + "set": [ + 6, + 17 + ] + } + } + }, + { + "dnat": { + "addr": "1.1.1.1", + "family": "ip", + "port": 80 + } + } +] + +# meta l4proto tcp dnat to :80 +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 6 + } + }, + { + "dnat": { + "port": 80 + } + } +] + diff --git a/tests/py/inet/dnat.t.payload b/tests/py/inet/dnat.t.payload index 75cf1b77..ce1601ab 100644 --- a/tests/py/inet/dnat.t.payload +++ b/tests/py/inet/dnat.t.payload @@ -18,7 +18,7 @@ inet test-inet prerouting [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x0000bb01 ] [ immediate reg 1 0x0203a8c0 ] - [ nat dnat ip addr_min reg 1 addr_max reg 0 ] + [ nat dnat ip addr_min reg 1 ] # iifname "eth0" tcp dport 443 dnat ip6 to [dead::beef]:4443 inet test-inet prerouting @@ -30,7 +30,7 @@ inet test-inet prerouting [ cmp eq reg 1 0x0000bb01 ] [ immediate reg 1 0x0000adde 0x00000000 0x00000000 0xefbe0000 ] [ immediate reg 2 0x00005b11 ] - [ nat dnat ip6 addr_min reg 1 addr_max reg 0 proto_min reg 2 proto_max reg 0 flags 0x2 ] + [ nat dnat ip6 addr_min reg 1 proto_min reg 2 flags 0x2 ] # dnat ip to ct mark map { 0x00000014 : 1.2.3.4} __map%d test-inet b size 1 @@ -39,7 +39,7 @@ __map%d test-inet 0 inet test-inet prerouting [ ct load mark => reg 1 ] [ lookup reg 1 set __map%d dreg 1 ] - [ nat dnat ip addr_min reg 1 addr_max reg 0 ] + [ nat dnat ip addr_min reg 1 ] # dnat ip to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4} __map%d test-inet b size 1 
@@ -51,4 +51,36 @@ inet test-inet prerouting [ ct load mark => reg 1 ] [ payload load 4b @ network header + 16 => reg 9 ] [ lookup reg 1 set __map%d dreg 1 ] - [ nat dnat ip addr_min reg 1 addr_max reg 0 ] + [ nat dnat ip addr_min reg 1 ] + +# meta l4proto { tcp, udp } dnat ip to 1.1.1.1:80 +__set%d test-inet 3 +__set%d test-inet 0 + element 00000006 : 0 [end] element 00000011 : 0 [end] +inet + [ meta load l4proto => reg 1 ] + [ lookup reg 1 set __set%d ] + [ immediate reg 1 0x01010101 ] + [ immediate reg 2 0x00005000 ] + [ nat dnat ip addr_min reg 1 proto_min reg 2 flags 0x2 ] + +# ip protocol { tcp, udp } dnat ip to 1.1.1.1:80 +__set%d test-inet 3 +__set%d test-inet 0 + element 00000006 : 0 [end] element 00000011 : 0 [end] +inet + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ immediate reg 1 0x01010101 ] + [ immediate reg 2 0x00005000 ] + [ nat dnat ip addr_min reg 1 proto_min reg 2 flags 0x2 ] + +# meta l4proto tcp dnat to :80 +inet + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ immediate reg 1 0x00005000 ] + [ nat dnat inet proto_min reg 1 flags 0x2 ] + diff --git a/tests/py/inet/esp.t b/tests/py/inet/esp.t index e79eeada..536260cf 100644 --- a/tests/py/inet/esp.t +++ b/tests/py/inet/esp.t @@ -1,10 +1,11 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress esp spi 100;ok esp spi != 100;ok @@ -12,13 +13,9 @@ esp spi 111-222;ok esp spi != 111-222;ok esp spi { 100, 102};ok esp spi != { 100, 102};ok -esp spi { 100-102};ok -- esp spi {100-102};ok esp sequence 22;ok esp sequence 22-24;ok esp sequence != 22-24;ok esp sequence { 22, 24};ok esp sequence != { 22, 24};ok -esp sequence { 22-25};ok -esp sequence != { 22-25};ok 
diff --git a/tests/py/inet/esp.t.json b/tests/py/inet/esp.t.json index 84ea9eea..a9dedd6f 100644 --- a/tests/py/inet/esp.t.json +++ b/tests/py/inet/esp.t.json @@ -108,26 +108,6 @@ } ] -# esp spi { 100-102} -[ - { - "match": { - "left": { - "payload": { - "field": "spi", - "protocol": "esp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 100, 102 ] } - ] - } - } - } -] - # esp sequence 22 [ { @@ -222,43 +202,3 @@ } ] -# esp sequence { 22-25} -[ - { - "match": { - "left": { - "payload": { - "field": "sequence", - "protocol": "esp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 22, 25 ] } - ] - } - } - } -] - -# esp sequence != { 22-25} -[ - { - "match": { - "left": { - "payload": { - "field": "sequence", - "protocol": "esp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 22, 25 ] } - ] - } - } - } -] - diff --git a/tests/py/inet/esp.t.payload b/tests/py/inet/esp.t.payload index ad68530b..0353b056 100644 --- a/tests/py/inet/esp.t.payload +++ b/tests/py/inet/esp.t.payload @@ -47,26 +47,6 @@ inet test-inet input [ payload load 4b @ transport header + 0 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# esp spi { 100-102} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 64000000 : 0 [end] element 67000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000032 ] - [ payload load 4b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# esp spi != { 100-102} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 64000000 : 0 [end] element 67000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000032 ] - [ payload load 4b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # esp sequence 22 inet test-inet input [ meta load l4proto => reg 1 ] 
@@ -109,23 +89,3 @@ inet test-inet input [ payload load 4b @ transport header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# esp sequence { 22-25} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 16000000 : 0 [end] element 1a000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000032 ] - [ payload load 4b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# esp sequence != { 22-25} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 16000000 : 0 [end] element 1a000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000032 ] - [ payload load 4b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - diff --git a/tests/py/inet/ether-ip.t b/tests/py/inet/ether-ip.t index 0c8c7f9d..759124de 100644 --- a/tests/py/inet/ether-ip.t +++ b/tests/py/inet/ether-ip.t @@ -1,8 +1,9 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept;ok;tcp dport 22 ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4 accept tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04;ok diff --git a/tests/py/inet/ether-ip.t.payload.netdev b/tests/py/inet/ether-ip.t.payload.netdev index 16b09212..b0fa6d84 100644 --- a/tests/py/inet/ether-ip.t.payload.netdev +++ b/tests/py/inet/ether-ip.t.payload.netdev 
@@ -13,21 +13,6 @@ netdev test-netdev ingress [ payload load 6b @ link header + 6 => reg 1 ] [ cmp eq reg 1 0x0c540f00 0x00000411 ] -# tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04 -netdev test-netdev ingress - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ cmp eq reg 1 0x00001600 ] - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 4b @ network header + 16 => reg 1 ] - [ cmp eq reg 1 0x04030201 ] - [ meta load iiftype => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - [ payload load 6b @ link header + 6 => reg 1 ] - [ cmp eq reg 1 0x0c540f00 0x00000411 ] - # tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept netdev test-netdev ingress [ meta load l4proto => reg 1 ] diff --git a/tests/py/inet/ether.t b/tests/py/inet/ether.t index afdf8b89..8625f70b 100644 --- a/tests/py/inet/ether.t +++ b/tests/py/inet/ether.t @@ -1,13 +1,20 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input *bridge;test-bridge;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 accept;ok;tcp dport 22 ether saddr 00:0f:54:0c:11:04 accept tcp dport 22 ether saddr 00:0f:54:0c:11:04 accept;ok ether saddr 00:0f:54:0c:11:04 accept;ok + +vlan id 1;ok +ether type vlan vlan id 2;ok;vlan id 2 + +# invalid dependency +ether type ip vlan id 1;fail diff --git a/tests/py/inet/ether.t.json b/tests/py/inet/ether.t.json index 84b184c7..c7a7f886 100644 --- a/tests/py/inet/ether.t.json +++ b/tests/py/inet/ether.t.json 
@@ -88,3 +88,35 @@ } ] +# vlan id 1 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 1 + } + } +] + +# ether type vlan vlan id 2 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 2 + } + } +] + diff --git a/tests/py/inet/ether.t.payload b/tests/py/inet/ether.t.payload index 53648413..8b74a781 100644 --- a/tests/py/inet/ether.t.payload +++ b/tests/py/inet/ether.t.payload @@ -30,3 +30,23 @@ inet test-inet input [ cmp eq reg 1 0x0c540f00 0x00000411 ] [ immediate reg 0 accept ] +# vlan id 1 +netdev test-netdev ingress + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000100 ] + +# ether type vlan vlan id 2 +netdev test-netdev ingress + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000200 ] + diff --git a/tests/py/inet/ether.t.payload.bridge b/tests/py/inet/ether.t.payload.bridge index 4a6bccbe..0128d5f0 100644 --- a/tests/py/inet/ether.t.payload.bridge +++ b/tests/py/inet/ether.t.payload.bridge 
@@ -1,17 +1,3 @@ -# tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 meta nfproto ipv4 accept -bridge test-bridge input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ cmp eq reg 1 0x00001600 ] - [ meta load iiftype => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - [ payload load 6b @ link header + 6 => reg 1 ] - [ cmp eq reg 1 0x0c540f00 0x00000411 ] - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ immediate reg 0 accept ] - # tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 accept bridge test-bridge input [ meta load l4proto => reg 1 ] @@ -40,10 +26,19 @@ bridge test-bridge input [ cmp eq reg 1 0x0c540f00 0x00000411 ] [ immediate reg 0 accept ] -# ether saddr 00:0f:54:0c:11:04 meta nfproto ipv4 +# vlan id 1 bridge test-bridge input - [ payload load 6b @ link header + 6 => reg 1 ] - [ cmp eq reg 1 0x0c540f00 0x00000411 ] - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000100 ] + +# ether type vlan vlan id 2 +bridge test-bridge input + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000200 ] diff --git a/tests/py/inet/ether.t.payload.ip b/tests/py/inet/ether.t.payload.ip index 196930fd..7c91f412 100644 --- a/tests/py/inet/ether.t.payload.ip +++ b/tests/py/inet/ether.t.payload.ip @@ -1,4 +1,4 @@ -# tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 meta nfproto ipv4 accept +# tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 accept ip test-ip4 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] 
@@ -8,11 +8,9 @@ ip test-ip4 input [ cmp eq reg 1 0x00000001 ] [ payload load 6b @ link header + 6 => reg 1 ] [ cmp eq reg 1 0x0c540f00 0x00000411 ] - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] [ immediate reg 0 accept ] -# tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 accept +# tcp dport 22 ether saddr 00:0f:54:0c:11:04 accept ip test-ip4 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] @@ -24,32 +22,31 @@ ip test-ip4 input [ cmp eq reg 1 0x0c540f00 0x00000411 ] [ immediate reg 0 accept ] -# tcp dport 22 ether saddr 00:0f:54:0c:11:04 accept +# ether saddr 00:0f:54:0c:11:04 accept ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ cmp eq reg 1 0x00001600 ] [ meta load iiftype => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ payload load 6b @ link header + 6 => reg 1 ] [ cmp eq reg 1 0x0c540f00 0x00000411 ] [ immediate reg 0 accept ] -# ether saddr 00:0f:54:0c:11:04 accept +# vlan id 1 ip test-ip4 input [ meta load iiftype => reg 1 ] [ cmp eq reg 1 0x00000001 ] - [ payload load 6b @ link header + 6 => reg 1 ] - [ cmp eq reg 1 0x0c540f00 0x00000411 ] - [ immediate reg 0 accept ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000100 ] -# ether saddr 00:0f:54:0c:11:04 meta nfproto ipv4 +# ether type vlan vlan id 2 ip test-ip4 input [ meta load iiftype => reg 1 ] [ cmp eq reg 1 0x00000001 ] - [ payload load 6b @ link header + 6 => reg 1 ] - [ cmp eq reg 1 0x0c540f00 0x00000411 ] - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000200 ] 
diff --git a/tests/py/inet/fib.t.payload b/tests/py/inet/fib.t.payload
index 1d4c3d94..050857d9 100644
--- a/tests/py/inet/fib.t.payload
+++ b/tests/py/inet/fib.t.payload
@@ -16,7 +16,7 @@ ip test-ip prerouting # fib daddr . iif type vmap { blackhole : drop, prohibit : drop, unicast : accept } __map%d test-ip b __map%d test-ip 0 - element 00000006 : 0 [end] element 00000008 : 0 [end] element 00000001 : 0 [end] + element 00000006 : drop 0 [end] element 00000008 : drop 0 [end] element 00000001 : accept 0 [end] ip test-ip prerouting [ fib daddr . iif type => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ]
diff --git a/tests/py/inet/geneve.t b/tests/py/inet/geneve.t
new file mode 100644
index 00000000..101f6dfc
--- /dev/null
+++ b/tests/py/inet/geneve.t
@@ -0,0 +1,23 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*ip6;test-ip6;input
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+geneve vni 10;fail
+udp dport 6081 geneve vni 10;ok
+udp dport 6081 geneve ip saddr 10.141.11.2;ok
+udp dport 6081 geneve ip saddr 10.141.11.0/24;ok
+udp dport 6081 geneve ip protocol 1;ok
+udp dport 6081 geneve udp sport 8888;ok
+udp dport 6081 geneve icmp type echo-reply;ok
+udp dport 6081 geneve ether saddr 62:87:4d:d6:19:05;ok
+udp dport 6081 geneve vlan id 10;ok
+udp dport 6081 geneve ip dscp 0x02;ok
+udp dport 6081 geneve ip dscp 0x02;ok
+udp dport 6081 geneve ip saddr . geneve ip daddr { 1.2.3.4 . 4.3.2.1 };ok
+
+udp dport 6081 geneve ip saddr set 1.2.3.4;fail
diff --git a/tests/py/inet/geneve.t.json b/tests/py/inet/geneve.t.json
new file mode 100644
index 00000000..a299fcd2
--- /dev/null
+++ b/tests/py/inet/geneve.t.json
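Review bot: `udp dport 6081 geneve ip dscp 0x02;ok` is listed twice in a row in the new geneve.t, so the second line exercises nothing the first does not. The same back-to-back duplicate is in gre.t (`gre ip dscp 0x02;ok`) and gretap.t (`gretap ip dscp 0x02;ok`), and each matching .t.json carries the entry twice while the .t.payload files record a single dscp block. If the second line was meant to cover a different field or value, which the diff does not show, replace it with that case; otherwise drop it together with the duplicate JSON entry.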
@@ -0,0 +1,344 @@ +# udp dport 6081 geneve vni 10 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "vni", + "protocol": "geneve", + "tunnel": "geneve" + } + }, + "op": "==", + "right": 10 + } + } +] + +# udp dport 6081 geneve ip saddr 10.141.11.2 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "geneve" + } + }, + "op": "==", + "right": "10.141.11.2" + } + } +] + +# udp dport 6081 geneve ip saddr 10.141.11.0/24 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "geneve" + } + }, + "op": "==", + "right": { + "prefix": { + "addr": "10.141.11.0", + "len": 24 + } + } + } + } +] + +# udp dport 6081 geneve ip protocol 1 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip", + "tunnel": "geneve" + } + }, + "op": "==", + "right": 1 + } + } +] + +# udp dport 6081 geneve udp sport 8888 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "udp", + "tunnel": "geneve" + } + }, + "op": "==", + "right": 8888 + } + } +] + +# udp dport 6081 geneve icmp type echo-reply +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + 
"protocol": "icmp", + "tunnel": "geneve" + } + }, + "op": "==", + "right": "echo-reply" + } + } +] + +# udp dport 6081 geneve ether saddr 62:87:4d:d6:19:05 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether", + "tunnel": "geneve" + } + }, + "op": "==", + "right": "62:87:4d:d6:19:05" + } + } +] + +# udp dport 6081 geneve vlan id 10 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan", + "tunnel": "geneve" + } + }, + "op": "==", + "right": 10 + } + } +] + +# udp dport 6081 geneve ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "geneve" + } + }, + "op": "==", + "right": 2 + } + } +] + +# udp dport 6081 geneve ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "geneve" + } + }, + "op": "==", + "right": 2 + } + } +] + +# udp dport 6081 geneve ip saddr . geneve ip daddr { 1.2.3.4 . 4.3.2.1 } +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "geneve" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip", + "tunnel": "geneve" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + "4.3.2.1" + ] + } + ] + } + } + } +] + 
diff --git a/tests/py/inet/geneve.t.payload b/tests/py/inet/geneve.t.payload
new file mode 100644
index 00000000..1ce54de6
--- /dev/null
+++ b/tests/py/inet/geneve.t.payload
@@ -0,0 +1,114 @@ +# udp dport 6081 geneve vni 10 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ payload load 3b @ unknown header + 4 => reg 1 ] ] + [ cmp eq reg 1 0x000a0000 ] + +# udp dport 6081 geneve ip saddr 10.141.11.2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 2 hdrsize 8 flags f [ payload load 4b @ network header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x020b8d0a ] + +# udp dport 6081 geneve ip saddr 10.141.11.0/24 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 2 hdrsize 8 flags f [ payload load 3b @ network header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x000b8d0a ] + +# udp dport 6081 geneve ip protocol 1 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 2 hdrsize 8 flags f [ payload load 1b @ network header + 9 => reg 1 ] ] + [ cmp eq reg 1 0x00000001 ] + +# udp dport 6081 geneve udp sport 8888 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ meta load l4proto => reg 1 ] ] + [ cmp eq reg 1 0x00000011 ] + [ inner type 2 hdrsize 8 flags f [ payload load 2b @ transport header 
+ 0 => reg 1 ] ] + [ cmp eq reg 1 0x0000b822 ] + +# udp dport 6081 geneve icmp type echo-reply +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ payload load 2b @ link header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 2 hdrsize 8 flags f [ meta load l4proto => reg 1 ] ] + [ cmp eq reg 1 0x00000001 ] + [ inner type 2 hdrsize 8 flags f [ payload load 1b @ transport header + 0 => reg 1 ] ] + [ cmp eq reg 1 0x00000000 ] + +# udp dport 6081 geneve ether saddr 62:87:4d:d6:19:05 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ payload load 6b @ link header + 6 => reg 1 ] ] + [ cmp eq reg 1 0xd64d8762 0x00000519 ] + +# udp dport 6081 geneve vlan id 10 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ payload load 2b @ link header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x00000081 ] + [ inner type 2 hdrsize 8 flags f [ payload load 2b @ link header + 14 => reg 1 ] ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000a00 ] + +# udp dport 6081 geneve ip dscp 0x02 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 2 hdrsize 8 flags f [ payload load 1b @ network header + 1 => reg 1 ] ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000008 ] + +# udp dport 6081 geneve ip saddr . geneve ip daddr { 1.2.3.4 . 
4.3.2.1 } +__set%d test-ip4 3 size 1 +__set%d test-ip4 0 + element 04030201 01020304 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 2 hdrsize 8 flags f [ payload load 4b @ network header + 12 => reg 1 ] ] + [ inner type 2 hdrsize 8 flags f [ payload load 4b @ network header + 16 => reg 9 ] ] + [ lookup reg 1 set __set%d ] +
diff --git a/tests/py/inet/gre.t b/tests/py/inet/gre.t
new file mode 100644
index 00000000..a3e046a1
--- /dev/null
+++ b/tests/py/inet/gre.t
@@ -0,0 +1,22 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*ip6;test-ip6;input
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+gre version 0;ok
+gre ip saddr 10.141.11.2;ok
+gre ip saddr 10.141.11.0/24;ok
+gre ip protocol 1;ok
+gre udp sport 8888;ok
+gre icmp type echo-reply;ok
+gre ether saddr 62:87:4d:d6:19:05;fail
+gre vlan id 10;fail
+gre ip dscp 0x02;ok
+gre ip dscp 0x02;ok
+gre ip saddr . gre ip daddr { 1.2.3.4 . 4.3.2.1 };ok
+
+gre ip saddr set 1.2.3.4;fail
diff --git a/tests/py/inet/gre.t.json b/tests/py/inet/gre.t.json
new file mode 100644
index 00000000..c4431764
--- /dev/null
+++ b/tests/py/inet/gre.t.json
@@ -0,0 +1,177 @@ +# gre version 0 +[ + { + "match": { + "left": { + "payload": { + "field": "version", + "protocol": "gre" + } + }, + "op": "==", + "right": 0 + } + } +] + +# gre ip saddr 10.141.11.2 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "gre" + } + }, + "op": "==", + "right": "10.141.11.2" + } + } +] + +# gre ip saddr 10.141.11.0/24 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "gre" + } + }, + "op": "==", + "right": { + "prefix": { + "addr": "10.141.11.0", + "len": 24 + } + } + } + } +] + +# gre ip protocol 1 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip", + "tunnel": "gre" + } + }, + "op": "==", + "right": 1 + } + } +] + +# gre udp sport 8888 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "udp", + "tunnel": "gre" + } + }, + "op": "==", + "right": 8888 + } + } +] + +# gre icmp type echo-reply +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp", + "tunnel": "gre" + } + }, + "op": "==", + "right": "echo-reply" + } + } +] + +# gre ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "gre" + } + }, + "op": "==", + "right": 2 + } + } +] + +# gre ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "gre" + } + }, + "op": "==", + "right": 2 + } + } +] + +# gre ip saddr . gre ip daddr { 1.2.3.4 . 4.3.2.1 } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "gre" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip", + "tunnel": "gre" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + "4.3.2.1" + ] + } + ] + } + } + } +] + 
diff --git a/tests/py/inet/gre.t.payload b/tests/py/inet/gre.t.payload
new file mode 100644
index 00000000..333133ed
--- /dev/null
+++ b/tests/py/inet/gre.t.payload
@@ -0,0 +1,78 @@ +# gre version 0 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ payload load 1b @ transport header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000007 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000000 ] + +# gre ip saddr 10.141.11.2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 3 hdrsize 4 flags c [ payload load 4b @ network header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x020b8d0a ] + +# gre ip saddr 10.141.11.0/24 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 3 hdrsize 4 flags c [ payload load 3b @ network header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x000b8d0a ] + +# gre ip protocol 1 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 3 hdrsize 4 flags c [ payload load 1b @ network header + 9 => reg 1 ] ] + [ cmp eq reg 1 0x00000001 ] + +# gre udp sport 8888 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 3 hdrsize 4 flags c [ meta load l4proto => reg 1 ] ] + [ cmp eq reg 1 0x00000011 ] + [ inner type 3 hdrsize 4 flags c [ payload load 2b @ transport header + 0 => reg 1 ] ] + [ cmp eq reg 1 0x0000b822 ] + +# gre icmp type echo-reply +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 3 hdrsize 4 flags c [ meta load l4proto => reg 1 ] ] + [ cmp eq reg 1 0x00000001 ] + [ inner type 3 hdrsize 4 flags c [ payload load 1b @ transport header + 0 => reg 1 ] ] + [ cmp eq reg 1 0x00000000 ] + +# gre 
ip dscp 0x02 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 3 hdrsize 4 flags c [ payload load 1b @ network header + 1 => reg 1 ] ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000008 ] + +# gre ip saddr . gre ip daddr { 1.2.3.4 . 4.3.2.1 } +__set%d test-ip4 3 size 1 +__set%d test-ip4 0 + element 04030201 01020304 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 3 hdrsize 4 flags c [ payload load 4b @ network header + 12 => reg 1 ] ] + [ inner type 3 hdrsize 4 flags c [ payload load 4b @ network header + 16 => reg 9 ] ] + [ lookup reg 1 set __set%d ] +
diff --git a/tests/py/inet/gretap.t b/tests/py/inet/gretap.t
new file mode 100644
index 00000000..cd7ee215
--- /dev/null
+++ b/tests/py/inet/gretap.t
@@ -0,0 +1,21 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*ip6;test-ip6;input
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+gretap ip saddr 10.141.11.2;ok
+gretap ip saddr 10.141.11.0/24;ok
+gretap ip protocol 1;ok
+gretap udp sport 8888;ok
+gretap icmp type echo-reply;ok
+gretap ether saddr 62:87:4d:d6:19:05;ok
+gretap vlan id 10;ok
+gretap ip dscp 0x02;ok
+gretap ip dscp 0x02;ok
+gretap ip saddr . gretap ip daddr { 1.2.3.4 . 4.3.2.1 };ok
+
+gretap ip saddr set 1.2.3.4;fail
diff --git a/tests/py/inet/gretap.t.json b/tests/py/inet/gretap.t.json
new file mode 100644
index 00000000..36fa9782
--- /dev/null
+++ b/tests/py/inet/gretap.t.json
@@ -0,0 +1,195 @@ +# gretap ip saddr 10.141.11.2 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "gretap" + } + }, + "op": "==", + "right": "10.141.11.2" + } + } +] + +# gretap ip saddr 10.141.11.0/24 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "gretap" + } + }, + "op": "==", + "right": { + "prefix": { + "addr": "10.141.11.0", + "len": 24 + } + } + } + } +] + +# gretap ip protocol 1 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip", + "tunnel": "gretap" + } + }, + "op": "==", + "right": 1 + } + } +] + +# gretap udp sport 8888 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "udp", + "tunnel": "gretap" + } + }, + "op": "==", + "right": 8888 + } + } +] + +# gretap icmp type echo-reply +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp", + "tunnel": "gretap" + } + }, + "op": "==", + "right": "echo-reply" + } + } +] + +# gretap ether saddr 62:87:4d:d6:19:05 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether", + "tunnel": "gretap" + } + }, + "op": "==", + "right": "62:87:4d:d6:19:05" + } + } +] + +# gretap vlan id 10 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan", + "tunnel": "gretap" + } + }, + "op": "==", + "right": 10 + } + } +] + +# gretap ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "gretap" + } + }, + "op": "==", + "right": 2 + } + } +] + +# gretap ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "gretap" + } + }, + "op": "==", + "right": 2 + } + } +] + +# gretap ip saddr . gretap ip daddr { 1.2.3.4 . 
4.3.2.1 } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "gretap" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip", + "tunnel": "gretap" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + "4.3.2.1" + ] + } + ] + } + } + } +] + diff --git a/tests/py/inet/gretap.t.payload b/tests/py/inet/gretap.t.payload new file mode 100644 index 00000000..654c71e4 --- /dev/null +++ b/tests/py/inet/gretap.t.payload 
@@ -0,0 +1,87 @@ +# gretap ip saddr 10.141.11.2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 4 hdrsize 4 flags e [ payload load 4b @ network header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x020b8d0a ] + +# gretap ip saddr 10.141.11.0/24 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 4 hdrsize 4 flags e [ payload load 3b @ network header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x000b8d0a ] + +# gretap ip protocol 1 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 4 hdrsize 4 flags e [ payload load 1b @ network header + 9 => reg 1 ] ] + [ cmp eq reg 1 0x00000001 ] + +# gretap udp sport 8888 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ meta load l4proto => reg 1 ] ] + [ cmp eq reg 1 0x00000011 ] + [ inner type 4 hdrsize 4 flags e [ payload load 2b @ transport header + 0 => reg 1 ] ] + [ cmp eq reg 1 0x0000b822 ] + +# gretap icmp type echo-reply +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ payload load 2b @ link header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 4 hdrsize 4 flags e [ meta load l4proto => reg 1 ] ] + [ cmp eq reg 1 0x00000001 ] + [ inner type 4 hdrsize 4 flags e [ payload load 1b @ transport header + 0 => reg 1 ] ] + [ cmp eq reg 1 0x00000000 ] + +# gretap ether saddr 62:87:4d:d6:19:05 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ payload load 6b @ link header + 6 => reg 1 ] ] + [ cmp eq 
reg 1 0xd64d8762 0x00000519 ] + +# gretap vlan id 10 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ payload load 2b @ link header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x00000081 ] + [ inner type 4 hdrsize 4 flags e [ payload load 2b @ link header + 14 => reg 1 ] ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000a00 ] + +# gretap ip dscp 0x02 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 4 hdrsize 4 flags e [ payload load 1b @ network header + 1 => reg 1 ] ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000008 ] + +# gretap ip saddr . gretap ip daddr { 1.2.3.4 . 4.3.2.1 } +__set%d test-ip4 3 size 1 +__set%d test-ip4 0 + element 04030201 01020304 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 4 hdrsize 4 flags e [ payload load 4b @ network header + 12 => reg 1 ] ] + [ inner type 4 hdrsize 4 flags e [ payload load 4b @ network header + 16 => reg 9 ] ] + [ lookup reg 1 set __set%d ] + diff --git a/tests/py/inet/icmpX.t b/tests/py/inet/icmpX.t index 97ff96d0..9430b3d3 100644 --- a/tests/py/inet/icmpX.t +++ b/tests/py/inet/icmpX.t @@ -7,4 +7,4 @@ icmp type echo-request;ok ip6 nexthdr icmpv6 icmpv6 type echo-request;ok;ip6 nexthdr 58 icmpv6 type echo-request icmpv6 type echo-request;ok # must not remove 'ip protocol' dependency, this explicitly matches icmpv6-in-ipv4. -ip protocol ipv6-icmp meta l4proto ipv6-icmp icmpv6 type 1;ok;ip protocol 58 meta l4proto 58 icmpv6 type destination-unreachable +ip protocol ipv6-icmp meta l4proto ipv6-icmp icmpv6 type 1;ok;ip protocol 58 icmpv6 type destination-unreachable 
diff --git a/tests/py/inet/icmpX.t.json.output b/tests/py/inet/icmpX.t.json.output index 9b0bf9f7..7765cd90 100644 --- a/tests/py/inet/icmpX.t.json.output +++ b/tests/py/inet/icmpX.t.json.output @@ -71,15 +71,6 @@ { "match": { "left": { - "meta": { "key": "l4proto" } - }, - "op": "==", - "right": 58 - } - }, - { - "match": { - "left": { "payload": { "field": "type", "protocol": "icmpv6" diff --git a/tests/py/inet/ip.t b/tests/py/inet/ip.t index 86604a63..bdb3330c 100644 --- a/tests/py/inet/ip.t +++ b/tests/py/inet/ip.t @@ -1,11 +1,12 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *inet;test-inet;input *bridge;test-bridge;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress ip saddr . ip daddr . ether saddr { 1.1.1.1 . 2.2.2.2 . ca:fe:ca:fe:ca:fe };ok ip saddr vmap { 10.0.1.0-10.0.1.255 : accept, 10.0.1.1-10.0.2.255 : drop };fail -ip saddr vmap { 1.1.1.1-1.1.1.255 : accept, 1.1.1.0-1.1.2.1 : drop};fail +ip saddr vmap { 3.3.3.3-3.3.3.4 : accept, 1.1.1.1-1.1.1.255 : accept, 1.1.1.0-1.1.2.1 : drop};fail diff --git a/tests/py/inet/ip.t.payload.bridge b/tests/py/inet/ip.t.payload.bridge index a422ed76..57dbc9eb 100644 --- a/tests/py/inet/ip.t.payload.bridge +++ b/tests/py/inet/ip.t.payload.bridge @@ -3,7 +3,7 @@ __set%d test-bridge 3 __set%d test-bridge 0 element 01010101 02020202 fecafeca 0000feca : 0 [end] bridge test-bridge input - [ payload load 2b @ link header + 12 => reg 1 ] + [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 4b @ network header + 12 => reg 1 ] [ payload load 4b @ network header + 16 => reg 9 ] diff --git a/tests/py/inet/ip_tcp.t b/tests/py/inet/ip_tcp.t index f2a28ebd..03bafc09 100644 --- a/tests/py/inet/ip_tcp.t +++ b/tests/py/inet/ip_tcp.t 
@@ -1,15 +1,16 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *inet;test-inet;input *bridge;test-bridge;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress # must not remove ip dependency -- ONLY ipv4 packets should be matched ip protocol tcp tcp dport 22;ok;ip protocol 6 tcp dport 22 -# can remove it here, ip protocol is implied via saddr. -ip protocol tcp ip saddr 1.2.3.4 tcp dport 22;ok;ip saddr 1.2.3.4 tcp dport 22 +# could in principle remove it here since ipv4 is implied via saddr. +ip protocol tcp ip saddr 1.2.3.4 tcp dport 22;ok;ip protocol 6 ip saddr 1.2.3.4 tcp dport 22 # but not here. ip protocol tcp counter ip saddr 1.2.3.4 tcp dport 22;ok;ip protocol 6 counter ip saddr 1.2.3.4 tcp dport 22 diff --git a/tests/py/inet/ip_tcp.t.json.output b/tests/py/inet/ip_tcp.t.json.output index 4a6a05d7..acad8b1f 100644 --- a/tests/py/inet/ip_tcp.t.json.output +++ b/tests/py/inet/ip_tcp.t.json.output @@ -32,6 +32,18 @@ "match": { "left": { "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": 6 + } + }, + { + "match": { + "left": { + "payload": { "field": "saddr", "protocol": "ip" } diff --git a/tests/py/inet/ipsec.t b/tests/py/inet/ipsec.t index e924e9bc..b18df395 100644 --- a/tests/py/inet/ipsec.t +++ b/tests/py/inet/ipsec.t @@ -19,3 +19,5 @@ ipsec in ip6 daddr dead::beef;ok ipsec out ip6 saddr dead::feed;ok ipsec in spnum 256 reqid 1;fail + +counter ipsec out ip daddr 192.168.1.2;ok diff --git a/tests/py/inet/ipsec.t.json b/tests/py/inet/ipsec.t.json index d7d3a03c..18a64f35 100644 --- a/tests/py/inet/ipsec.t.json +++ b/tests/py/inet/ipsec.t.json @@ -134,3 +134,24 @@ } } ] + +# counter ipsec out ip daddr 192.168.1.2 +[ + { + "counter": null + }, + { + "match": { + "left": { + "ipsec": { + "dir": "out", + "family": "ip", + "key": "daddr", + "spnum": 0 + } + }, + "op": "==", + "right": "192.168.1.2" + } + } +] 
diff --git a/tests/py/inet/ipsec.t.payload b/tests/py/inet/ipsec.t.payload index c46a2263..9648255d 100644 --- a/tests/py/inet/ipsec.t.payload +++ b/tests/py/inet/ipsec.t.payload @@ -37,3 +37,9 @@ ip ipsec-ip4 ipsec-forw [ xfrm load out 0 saddr6 => reg 1 ] [ cmp eq reg 1 0x0000adde 0x00000000 0x00000000 0xedfe0000 ] +# counter ipsec out ip daddr 192.168.1.2 +ip ipsec-ip4 ipsec-forw + [ counter pkts 0 bytes 0 ] + [ xfrm load out 0 daddr4 => reg 1 ] + [ cmp eq reg 1 0x0201a8c0 ] + diff --git a/tests/py/inet/map.t b/tests/py/inet/map.t index e83490a8..5a7161b7 100644 --- a/tests/py/inet/map.t +++ b/tests/py/inet/map.t @@ -1,9 +1,10 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress mark set ip saddr map { 10.2.3.2 : 0x0000002a, 10.2.3.1 : 0x00000017};ok;meta mark set ip saddr map { 10.2.3.1 : 0x00000017, 10.2.3.2 : 0x0000002a} mark set ip hdrlength map { 5 : 0x00000017, 4 : 0x00000001};ok;meta mark set ip hdrlength map { 4 : 0x00000001, 5 : 0x00000017} diff --git a/tests/py/inet/map.t.payload b/tests/py/inet/map.t.payload index 16225cbd..50344ada 100644 --- a/tests/py/inet/map.t.payload +++ b/tests/py/inet/map.t.payload @@ -17,7 +17,7 @@ inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] [ lookup reg 1 set __map%d dreg 1 ] [ meta set mark with reg 1 ] diff --git a/tests/py/inet/map.t.payload.ip b/tests/py/inet/map.t.payload.ip index 59575749..3e456675 100644 --- a/tests/py/inet/map.t.payload.ip +++ b/tests/py/inet/map.t.payload.ip 
@@ -13,7 +13,7 @@ __map%d test-ip4 0 element 00000005 : 00000017 0 [end] element 00000004 : 00000001 0 [end] ip test-ip4 input [ payload load 1b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] [ lookup reg 1 set __map%d dreg 1 ] [ meta set mark with reg 1 ] diff --git a/tests/py/inet/map.t.payload.netdev b/tests/py/inet/map.t.payload.netdev index 501fb8ee..2e60f09d 100644 --- a/tests/py/inet/map.t.payload.netdev +++ b/tests/py/inet/map.t.payload.netdev @@ -17,7 +17,7 @@ netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 1b @ network header + 0 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] [ lookup reg 1 set __map%d dreg 1 ] [ meta set mark with reg 1 ] diff --git a/tests/py/inet/meta.t b/tests/py/inet/meta.t index 3638898b..7d2515c9 100644 --- a/tests/py/inet/meta.t +++ b/tests/py/inet/meta.t @@ -12,8 +12,22 @@ meta nfproto ipv4 tcp dport 22;ok meta nfproto ipv4 ip saddr 1.2.3.4;ok;ip saddr 1.2.3.4 meta nfproto ipv6 meta l4proto tcp;ok;meta nfproto ipv6 meta l4proto 6 meta nfproto ipv4 counter ip saddr 1.2.3.4;ok + +meta protocol ip udp dport 67;ok +meta protocol ip6 udp dport 67;ok + meta ipsec exists;ok meta secpath missing;ok;meta ipsec missing meta ibrname "br0";fail meta obrname "br0";fail meta mark set ct mark >> 8;ok + +meta mark . tcp dport { 0x0000000a-0x00000014 . 80-90, 0x00100000-0x00100123 . 100-120 };ok +ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 0x00000200-0x00000300 };ok +ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 5.6.7.8 . 0x00000200 };ok +ip saddr . ether saddr . meta l4proto { 1.2.3.4 . aa:bb:cc:dd:ee:ff . 6 };ok + +meta mark set ip dscp;ok +meta mark set ip dscp | 0x40;ok +meta mark set ip6 dscp;ok +meta mark set ip6 dscp | 0x40;ok 
diff --git a/tests/py/inet/meta.t.json b/tests/py/inet/meta.t.json
index 5c0e7d2e..0fee165f 100644
--- a/tests/py/inet/meta.t.json
+++ b/tests/py/inet/meta.t.json
@@ -235,3 +235,335 @@ } } ] + +# meta protocol ip udp dport 67 +[ + { + "match": { + "left": { + "meta": { + "key": "protocol" + } + }, + "op": "==", + "right": "ip" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 67 + } + } +] + +# meta protocol ip6 udp dport 67 +[ + { + "match": { + "left": { + "meta": { + "key": "protocol" + } + }, + "op": "==", + "right": "ip6" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 67 + } + } +] + +# meta mark . tcp dport { 0x0000000a-0x00000014 . 80-90, 0x00100000-0x00100123 . 100-120 } +[ + { + "match": { + "left": { + "concat": [ + { + "meta": { + "key": "mark" + } + }, + { + "payload": { + "field": "dport", + "protocol": "tcp" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + { + "range": [ + 10, + 20 + ] + }, + { + "range": [ + 80, + 90 + ] + } + ] + }, + { + "concat": [ + { + "range": [ + 1048576, + 1048867 + ] + }, + { + "range": [ + 100, + 120 + ] + } + ] + } + ] + } + } + } +] + +# ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 0x00000200-0x00000300 } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "meta": { + "key": "mark" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + 256 + ] + }, + { + "concat": [ + { + "range": [ + "1.2.3.6", + "1.2.3.8" + ] + }, + { + "range": [ + 512, + 768 + ] + } + ] + } + ] + } + } + } +] + +# ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 5.6.7.8 . 
0x00000200 } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "meta": { + "key": "mark" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + 256 + ] + }, + { + "concat": [ + "5.6.7.8", + 512 + ] + } + ] + } + } + } +] + +# meta mark set ip dscp +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "payload": { + "field": "dscp", + "protocol": "ip" + } + } + } + } +] + +# meta mark set ip dscp | 0x40 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 64 + ] + } + } + } +] + +# meta mark set ip6 dscp +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + } + } + } +] + +# meta mark set ip6 dscp | 0x40 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 64 + ] + } + } + } +] + +# ip saddr . ether saddr . meta l4proto { 1.2.3.4 . aa:bb:cc:dd:ee:ff . 6 } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + { + "meta": { + "key": "l4proto" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + "aa:bb:cc:dd:ee:ff", + "tcp" + ] + } + ] + } + } + } +] + diff --git a/tests/py/inet/meta.t.json.output b/tests/py/inet/meta.t.json.output index 3e7dd214..8697d5a2 100644 --- a/tests/py/inet/meta.t.json.output +++ b/tests/py/inet/meta.t.json.output 
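Review bot: The entry for `ip saddr . ether saddr . meta l4proto { 1.2.3.4 . aa:bb:cc:dd:ee:ff . 6 }` is appended after the four `meta mark set ip/ip6 dscp` entries, whereas meta.t lists that rule before them. The meta.t.payload hunk further down has the same ordering. The entries appear to be keyed by their `#` comment, so this is probably harmless to the test run, but keeping the three files in the same order makes a side-by-side review of rule, JSON and bytecode much easier. I would move the block up to sit directly after the `ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 5.6.7.8 . 0x00000200 }` entry.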
@@ -51,3 +51,44 @@ } ] +# ip saddr . ether saddr . meta l4proto { 1.2.3.4 . aa:bb:cc:dd:ee:ff . 6 } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + { + "meta": { + "key": "l4proto" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + "aa:bb:cc:dd:ee:ff", + 6 + ] + } + ] + } + } + } +] + diff --git a/tests/py/inet/meta.t.payload b/tests/py/inet/meta.t.payload index 6ccf6d24..7184fa0c 100644 --- a/tests/py/inet/meta.t.payload +++ b/tests/py/inet/meta.t.payload 
@@ -79,3 +79,111 @@ inet test-inet input [ ct load mark => reg 1 ] [ bitwise reg 1 = ( reg 1 >> 0x00000008 ) ] [ meta set mark with reg 1 ] + +# meta protocol ip udp dport 67 +inet test-inet input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00004300 ] + +# meta protocol ip6 udp dport 67 +inet test-inet input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00004300 ] + +# meta mark . tcp dport { 0x0000000a-0x00000014 . 80-90, 0x00100000-0x00100123 . 100-120 } +__set%d test-inet 87 size 1 +__set%d test-inet 0 + element 0a000000 00005000 - 14000000 00005a00 : 0 [end] element 00001000 00006400 - 23011000 00007800 : 0 [end] +ip test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ meta load mark => reg 1 ] + [ byteorder reg 1 = hton(reg 1, 4, 4) ] + [ payload load 2b @ transport header + 2 => reg 9 ] + [ lookup reg 1 set __set%d ] + +# ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 0x00000200-0x00000300 } +__set%d test-inet 87 size 2 +__set%d test-inet 0 + element 04030201 00010000 - 04030201 00010000 : 0 [end] element 06030201 00020000 - 08030201 00030000 : 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ meta load mark => reg 9 ] + [ byteorder reg 9 = hton(reg 9, 4, 4) ] + [ lookup reg 1 set __set%d ] + +# ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 5.6.7.8 . 
0x00000200 } +__set%d test-inet 3 size 2 +__set%d test-inet 0 + element 04030201 00000100 : 0 [end] element 08070605 00000200 : 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ meta load mark => reg 9 ] + [ lookup reg 1 set __set%d ] + +# meta mark set ip dscp +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ meta set mark with reg 1 ] + +# meta mark set ip dscp | 0x40 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ] + [ meta set mark with reg 1 ] + +# meta mark set ip6 dscp +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ meta set mark with reg 1 ] + +# meta mark set ip6 dscp | 0x40 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ] + [ meta set mark with reg 1 ] + +# ip saddr . ether saddr . meta l4proto { 1.2.3.4 . aa:bb:cc:dd:ee:ff . 
6 } +__set%d test-inet 3 size 1 +__set%d test-inet 0 + element 04030201 ddccbbaa 0000ffee 00000006 : 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 6b @ link header + 6 => reg 9 ] + [ meta load l4proto => reg 11 ] + [ lookup reg 1 set __set%d ] + diff --git a/tests/py/inet/osf.t.payload b/tests/py/inet/osf.t.payload index 6f5fba34..6ddab976 100644 --- a/tests/py/inet/osf.t.payload +++ b/tests/py/inet/osf.t.payload 
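Review bot: The expected block for `meta mark . tcp dport { 0x0000000a-0x00000014 . 80-90, … }` is headed `ip test-inet input`, while every other block added in this hunk is headed `inet test-inet input` and the table itself is named `test-inet`. This looks like a copy-paste slip, and the header should presumably read `inet test-inet input` to match the family the rule is loaded in. The same block declares `__set%d test-inet 87 size 1` although two elements follow, whereas the next ranged set says `size 2`. That may be exactly what the tool prints, but it is worth checking against real output before it becomes the reference.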
@@ -1,80 +1,24 @@ # osf name "Linux" -ip osfip osfchain - [ osf dreg 1 ] - [ cmp eq reg 1 0x756e694c 0x00000078 0x00000000 0x00000000 ] - -# osf name "Linux" -ip6 osfip6 osfchain - [ osf dreg 1 ] - [ cmp eq reg 1 0x756e694c 0x00000078 0x00000000 0x00000000 ] - -# osf name "Linux" inet osfinet osfchain [ osf dreg 1 ] [ cmp eq reg 1 0x756e694c 0x00000078 0x00000000 0x00000000 ] # osf ttl loose name "Linux" -ip osfip osfchain - [ osf dreg 1 ] - [ cmp eq reg 1 0x756e694c 0x00000078 0x00000000 0x00000000 ] - -# osf ttl loose name "Linux" -ip6 osfip6 osfchain - [ osf dreg 1 ] - [ cmp eq reg 1 0x756e694c 0x00000078 0x00000000 0x00000000 ] - -# osf ttl loose name "Linux" inet osfinet osfchain [ osf dreg 1 ] [ cmp eq reg 1 0x756e694c 0x00000078 0x00000000 0x00000000 ] # osf ttl skip name "Linux" -ip osfip osfchain - [ osf dreg 1 ] - [ cmp eq reg 1 0x756e694c 0x00000078 0x00000000 0x00000000 ] - -# osf ttl skip name "Linux" -ip6 osfip6 osfchain - [ osf dreg 1 ] - [ cmp eq reg 1 0x756e694c 0x00000078 0x00000000 0x00000000 ] - -# osf ttl skip name "Linux" inet osfinet osfchain [ osf dreg 1 ] [ cmp eq reg 1 0x756e694c 0x00000078 0x00000000 0x00000000 ] # osf ttl skip version "Linux:3.0" -ip osfip osfchain - [ osf dreg 1 ] - [ cmp eq reg 1 0x756e694c 0x2e333a78 0x00000030 0x00000000 ] - -# osf ttl skip version "Linux:3.0" -ip6 osfip6 osfchain - [ osf dreg 1 ] - [ cmp eq reg 1 0x756e694c 0x2e333a78 0x00000030 0x00000000 ] - -# osf ttl skip version "Linux:3.0" inet osfinet osfchain [ osf dreg 1 ] [ cmp eq reg 1 0x756e694c 0x2e333a78 0x00000030 0x00000000 ] # osf name { "Windows", "MacOs" } -__set%d osfip 3 size 2 -__set%d osfip 0 - element 646e6957 0073776f 00000000 00000000 : 0 [end] element 4f63614d 00000073 00000000 00000000 : 0 [end] -ip osfip osfchain - [ osf dreg 1 ] - [ lookup reg 1 set __set%d ] - -# osf name { "Windows", "MacOs" } -__set%d osfip6 3 size 2 -__set%d osfip6 0 - element 646e6957 0073776f 00000000 00000000 : 0 [end] element 4f63614d 00000073 00000000 00000000 
: 0 [end] -ip6 osfip6 osfchain - [ osf dreg 1 ] - [ lookup reg 1 set __set%d ] - -# osf name { "Windows", "MacOs" } __set%d osfinet 3 size 2 __set%d osfinet 0 element 646e6957 0073776f 00000000 00000000 : 0 [end] element 4f63614d 00000073 00000000 00000000 : 0 [end] @@ -83,22 +27,6 @@ inet osfinet osfchain [ lookup reg 1 set __set%d ] # osf version { "Windows:XP", "MacOs:Sierra" } -__set%d osfip 3 size 2 -__set%d osfip 0 - element 646e6957 3a73776f 00005058 00000000 : 0 [end] element 4f63614d 69533a73 61727265 00000000 : 0 [end] -ip osfip osfchain - [ osf dreg 1 ] - [ lookup reg 1 set __set%d ] - -# osf version { "Windows:XP", "MacOs:Sierra" } -__set%d osfip6 3 size 2 -__set%d osfip6 0 - element 646e6957 3a73776f 00005058 00000000 : 0 [end] element 4f63614d 69533a73 61727265 00000000 : 0 [end] -ip6 osfip6 osfchain - [ osf dreg 1 ] - [ lookup reg 1 set __set%d ] - -# osf version { "Windows:XP", "MacOs:Sierra" } __set%d osfinet 3 size 2 __set%d osfinet 0 element 646e6957 3a73776f 00005058 00000000 : 0 [end] element 4f63614d 69533a73 61727265 00000000 : 0 [end] 
@@ -107,24 +35,6 @@ inet osfinet osfchain [ lookup reg 1 set __set%d ] # ct mark set osf name map { "Windows" : 0x00000001, "MacOs" : 0x00000002 } -__map%d osfip b size 2 -__map%d osfip 0 - element 646e6957 0073776f 00000000 00000000 : 00000001 0 [end] element 4f63614d 00000073 00000000 00000000 : 00000002 0 [end] -ip osfip osfchain - [ osf dreg 1 ] - [ lookup reg 1 set __map%d dreg 1 ] - [ ct set mark with reg 1 ] - -# ct mark set osf name map { "Windows" : 0x00000001, "MacOs" : 0x00000002 } -__map%d osfip6 b size 2 -__map%d osfip6 0 - element 646e6957 0073776f 00000000 00000000 : 00000001 0 [end] element 4f63614d 00000073 00000000 00000000 : 00000002 0 [end] -ip6 osfip6 osfchain - [ osf dreg 1 ] - [ lookup reg 1 set __map%d dreg 1 ] - [ ct set mark with reg 1 ] - -# ct mark set osf name map { "Windows" : 0x00000001, "MacOs" : 0x00000002 } __map%d osfinet b size 2 __map%d osfinet 0 element 646e6957 0073776f 00000000 00000000 : 00000001 0 [end] element 4f63614d 00000073 00000000 00000000 : 00000002 0 [end] 
@@ -134,24 +44,6 @@ inet osfinet osfchain [ ct set mark with reg 1 ] # ct mark set osf version map { "Windows:XP" : 0x00000003, "MacOs:Sierra" : 0x00000004 } -__map%d osfip b size 2 -__map%d osfip 0 - element 646e6957 3a73776f 00005058 00000000 : 00000003 0 [end] element 4f63614d 69533a73 61727265 00000000 : 00000004 0 [end] -ip osfip osfchain - [ osf dreg 1 ] - [ lookup reg 1 set __map%d dreg 1 ] - [ ct set mark with reg 1 ] - -# ct mark set osf version map { "Windows:XP" : 0x00000003, "MacOs:Sierra" : 0x00000004 } -__map%d osfip6 b size 2 -__map%d osfip6 0 - element 646e6957 3a73776f 00005058 00000000 : 00000003 0 [end] element 4f63614d 69533a73 61727265 00000000 : 00000004 0 [end] -ip6 osfip6 osfchain - [ osf dreg 1 ] - [ lookup reg 1 set __map%d dreg 1 ] - [ ct set mark with reg 1 ] - -# ct mark set osf version map { "Windows:XP" : 0x00000003, "MacOs:Sierra" : 0x00000004 } __map%d osfinet b size 2 __map%d osfinet 0 element 646e6957 3a73776f 00005058 00000000 : 00000003 0 [end] element 4f63614d 69533a73 61727265 00000000 : 00000004 0 [end] diff --git a/tests/py/inet/payloadmerge.t b/tests/py/inet/payloadmerge.t new file mode 100644 index 00000000..04ba1ce6 --- /dev/null +++ b/tests/py/inet/payloadmerge.t @@ -0,0 +1,14 @@ +:input;type filter hook input priority 0 + +*ip;test-ip4;input +*ip6;test-ip6;input +*inet;test-inet;input + +tcp sport 1 tcp dport 2;ok +tcp sport != 1 tcp dport != 2;ok +tcp sport 1 tcp dport != 2;ok +tcp sport != 1 tcp dport 2;ok +meta l4proto != 6 th dport 2;ok +meta l4proto 6 tcp dport 22;ok;tcp dport 22 +tcp sport > 1 tcp dport > 2;ok +tcp sport 1 tcp dport > 2;ok diff --git a/tests/py/inet/payloadmerge.t.json b/tests/py/inet/payloadmerge.t.json new file mode 100644 index 00000000..e5b66cf9 --- /dev/null +++ b/tests/py/inet/payloadmerge.t.json 
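Review bot: payloadmerge.t is added without any comment stating which property it pins. Judging from payloadmerge.t.payload further down, only the all-equality case `tcp sport 1 tcp dport 2` is expected to collapse into a single 4-byte load, while the `!=` and `>` cases keep two separate 2-byte compares. That distinction is the point of the file, because a merged `neq` over both ports would match when either port differs rather than when both do, silently widening a filter rule. I would open the file with a comment such as `# adjacent payload matches may only be merged when both use ==; != and relational matches must stay separate compares`.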
@@ -0,0 +1,211 @@ +# tcp sport 1 tcp dport 2 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 2 + } + } +] + +# tcp sport != 1 tcp dport != 2 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": "!=", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "!=", + "right": 2 + } + } +] + +# tcp sport 1 tcp dport != 2 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "!=", + "right": 2 + } + } +] + +# tcp sport != 1 tcp dport 2 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": "!=", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 2 + } + } +] + +# meta l4proto != 6 th dport 2 +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "!=", + "right": 6 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "th" + } + }, + "op": "==", + "right": 2 + } + } +] + +# meta l4proto 6 tcp dport 22 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + } +] + +# tcp sport > 1 tcp dport > 2 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": ">", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": ">", + "right": 2 + } + } +] + +# tcp sport 1 tcp dport > 2 +[ + { + "match": { + "left": { + 
"payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": ">", + "right": 2 + } + } +] + diff --git a/tests/py/inet/payloadmerge.t.payload b/tests/py/inet/payloadmerge.t.payload new file mode 100644 index 00000000..a0465cdd --- /dev/null +++ b/tests/py/inet/payloadmerge.t.payload 
@@ -0,0 +1,66 @@ +# tcp sport 1 tcp dport 2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x02000100 ] + +# tcp sport != 1 tcp dport != 2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp neq reg 1 0x00000100 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp neq reg 1 0x00000200 ] + +# tcp sport 1 tcp dport != 2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp neq reg 1 0x00000200 ] + +# tcp sport != 1 tcp dport 2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp neq reg 1 0x00000100 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00000200 ] + +# meta l4proto != 6 th dport 2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp neq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00000200 ] + +# meta l4proto 6 tcp dport 22 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# tcp sport > 1 tcp dport > 2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp gt reg 1 0x00000100 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp gt reg 1 0x00000200 ] + +# tcp sport 1 tcp dport > 2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + 
[ cmp gt reg 1 0x00000200 ] + diff --git a/tests/py/inet/reject.t b/tests/py/inet/reject.t index 0e8966c9..61a6d556 100644 --- a/tests/py/inet/reject.t +++ b/tests/py/inet/reject.t 
@@ -2,38 +2,40 @@ *inet;test-inet;input -# The output is specific for inet family -reject with icmp type host-unreachable;ok;meta nfproto ipv4 reject with icmp type host-unreachable -reject with icmp type net-unreachable;ok;meta nfproto ipv4 reject with icmp type net-unreachable -reject with icmp type prot-unreachable;ok;meta nfproto ipv4 reject with icmp type prot-unreachable -reject with icmp type port-unreachable;ok;meta nfproto ipv4 reject -reject with icmp type net-prohibited;ok;meta nfproto ipv4 reject with icmp type net-prohibited -reject with icmp type host-prohibited;ok;meta nfproto ipv4 reject with icmp type host-prohibited -reject with icmp type admin-prohibited;ok;meta nfproto ipv4 reject with icmp type admin-prohibited - -reject with icmpv6 type no-route;ok;meta nfproto ipv6 reject with icmpv6 type no-route -reject with icmpv6 type admin-prohibited;ok;meta nfproto ipv6 reject with icmpv6 type admin-prohibited -reject with icmpv6 type addr-unreachable;ok;meta nfproto ipv6 reject with icmpv6 type addr-unreachable -reject with icmpv6 type port-unreachable;ok;meta nfproto ipv6 reject +reject with icmp host-unreachable;ok +reject with icmp net-unreachable;ok +reject with icmp prot-unreachable;ok +reject with icmp port-unreachable;ok +reject with icmp net-prohibited;ok +reject with icmp host-prohibited;ok +reject with icmp admin-prohibited;ok + +reject with icmpv6 no-route;ok +reject with icmpv6 admin-prohibited;ok +reject with icmpv6 addr-unreachable;ok +reject with icmpv6 port-unreachable;ok mark 12345 reject with tcp reset;ok;meta l4proto 6 meta mark 0x00003039 reject with tcp reset reject;ok -meta nfproto ipv4 reject;ok -meta nfproto ipv6 reject;ok +meta nfproto ipv4 reject;ok;reject with icmp port-unreachable +meta nfproto ipv6 reject;ok;reject with icmpv6 port-unreachable -reject with icmpx type host-unreachable;ok -reject with icmpx type no-route;ok -reject with icmpx type admin-prohibited;ok -reject with icmpx type port-unreachable;ok;reject +reject 
with icmpx host-unreachable;ok +reject with icmpx no-route;ok +reject with icmpx admin-prohibited;ok +reject with icmpx port-unreachable;ok;reject +reject with icmpx 3;ok;reject with icmpx admin-prohibited -meta nfproto ipv4 reject with icmp type host-unreachable;ok -meta nfproto ipv6 reject with icmpv6 type no-route;ok +meta nfproto ipv4 reject with icmp host-unreachable;ok;reject with icmp host-unreachable +meta nfproto ipv6 reject with icmpv6 no-route;ok;reject with icmpv6 no-route -meta nfproto ipv6 reject with icmp type host-unreachable;fail -meta nfproto ipv4 ip protocol icmp reject with icmpv6 type no-route;fail -meta nfproto ipv6 ip protocol icmp reject with icmp type host-unreachable;fail +meta nfproto ipv6 reject with icmp host-unreachable;fail +meta nfproto ipv4 ip protocol icmp reject with icmpv6 no-route;fail +meta nfproto ipv6 ip protocol icmp reject with icmp host-unreachable;fail meta l4proto udp reject with tcp reset;fail -meta nfproto ipv4 reject with icmpx type admin-prohibited;ok -meta nfproto ipv6 reject with icmpx type admin-prohibited;ok +meta nfproto ipv4 reject with icmpx admin-prohibited;ok +meta nfproto ipv6 reject with icmpx admin-prohibited;ok + +ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject;ok;ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject with icmp port-unreachable diff --git a/tests/py/inet/reject.t.json b/tests/py/inet/reject.t.json index bfa94f84..02ac9007 100644 --- a/tests/py/inet/reject.t.json +++ b/tests/py/inet/reject.t.json @@ -1,4 +1,4 @@ -# reject with icmp type host-unreachable +# reject with icmp host-unreachable [ { "reject": { @@ -8,7 +8,7 @@ } ] -# reject with icmp type net-unreachable +# reject with icmp net-unreachable [ { "reject": { @@ -18,7 +18,7 @@ } ] -# reject with icmp type prot-unreachable +# reject with icmp prot-unreachable [ { "reject": { @@ -28,7 +28,7 @@ } ] -# reject with icmp type port-unreachable +# reject with icmp port-unreachable [ { "reject": { 
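Review bot: Every case that used the old `reject with icmp type …` spelling is rewritten to the new form, so after this hunk nothing pins what happens to rulesets still written the old way. Whether the parser keeps accepting `type` is not visible here. If it does, keep one case per reject family, e.g. `reject with icmp type host-unreachable;ok;reject with icmp host-unreachable`. If it does not, add the old spelling as a `;fail` case so the break is deliberate and tested. The new numeric form is covered only by `reject with icmpx 3`, so a companion case for a code with no symbolic name would show how such input is handled.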
@@ -38,7 +38,7 @@ } ] -# reject with icmp type net-prohibited +# reject with icmp net-prohibited [ { "reject": { @@ -48,7 +48,7 @@ } ] -# reject with icmp type host-prohibited +# reject with icmp host-prohibited [ { "reject": { @@ -58,7 +58,7 @@ } ] -# reject with icmp type admin-prohibited +# reject with icmp admin-prohibited [ { "reject": { @@ -68,7 +68,7 @@ } ] -# reject with icmpv6 type no-route +# reject with icmpv6 no-route [ { "reject": { @@ -78,7 +78,7 @@ } ] -# reject with icmpv6 type admin-prohibited +# reject with icmpv6 admin-prohibited [ { "reject": { @@ -88,7 +88,7 @@ } ] -# reject with icmpv6 type addr-unreachable +# reject with icmpv6 addr-unreachable [ { "reject": { @@ -98,7 +98,7 @@ } ] -# reject with icmpv6 type port-unreachable +# reject with icmpv6 port-unreachable [ { "reject": { @@ -165,7 +165,7 @@ } ] -# reject with icmpx type host-unreachable +# reject with icmpx host-unreachable [ { "reject": { @@ -175,7 +175,7 @@ } ] -# reject with icmpx type no-route +# reject with icmpx no-route [ { "reject": { @@ -185,7 +185,7 @@ } ] -# reject with icmpx type admin-prohibited +# reject with icmpx admin-prohibited [ { "reject": { @@ -195,7 +195,7 @@ } ] -# reject with icmpx type port-unreachable +# reject with icmpx port-unreachable [ { "reject": { @@ -205,7 +205,17 @@ } ] -# meta nfproto ipv4 reject with icmp type host-unreachable +# reject with icmpx 3 +[ + { + "reject": { + "expr": "admin-prohibited", + "type": "icmpx" + } + } +] + +# meta nfproto ipv4 reject with icmp host-unreachable [ { "match": { @@ -224,7 +234,7 @@ } ] -# meta nfproto ipv6 reject with icmpv6 type no-route +# meta nfproto ipv6 reject with icmpv6 no-route [ { "match": { @@ -243,7 +253,7 @@ } ] -# meta nfproto ipv4 reject with icmpx type admin-prohibited +# meta nfproto ipv4 reject with icmpx admin-prohibited [ { "match": { @@ -264,7 +274,7 @@ } ] -# meta nfproto ipv6 reject with icmpx type admin-prohibited +# meta nfproto ipv6 reject with icmpx admin-prohibited [ { "match": { 
@@ -285,3 +295,37 @@ } ] +# ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + "op": "==", + "right": "aa:bb:cc:dd:ee:ff" + } + }, + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "192.168.0.1" + } + }, + { + "reject": { + "expr": "port-unreachable", + "type": "icmp" + } + } +] + diff --git a/tests/py/inet/reject.t.json.output b/tests/py/inet/reject.t.json.output index 73846fb0..496ce557 100644 --- a/tests/py/inet/reject.t.json.output +++ b/tests/py/inet/reject.t.json.output 
@@ -1,145 +1,73 @@ -# reject with icmp type host-unreachable +# mark 12345 reject with tcp reset [ { "match": { "left": { - "meta": { "key": "nfproto" } + "meta": { "key": "l4proto" } }, "op": "==", - "right": "ipv4" + "right": 6 } }, { - "reject": { - "expr": "host-unreachable", - "type": "icmp" - } - } -] - -# reject with icmp type net-unreachable -[ - { "match": { "left": { - "meta": { "key": "nfproto" } + "meta": { "key": "mark" } }, "op": "==", - "right": "ipv4" + "right": 12345 } }, { "reject": { - "expr": "net-unreachable", - "type": "icmp" + "type": "tcp reset" } } ] -# reject with icmp type prot-unreachable +# reject [ { - "match": { - "left": { - "meta": { "key": "nfproto" } - }, - "op": "==", - "right": "ipv4" - } - }, - { "reject": { - "expr": "prot-unreachable", - "type": "icmp" - } - } -] - -# reject with icmp type port-unreachable -[ - { - "match": { - "left": { - "meta": { "key": "nfproto" } - }, - "op": "==", - "right": "ipv4" + "expr": "port-unreachable", + "type": "icmpx" } - }, - { - "reject": null } ] -# reject with icmp type net-prohibited +# meta nfproto ipv4 reject [ { - "match": { - "left": { - "meta": { "key": "nfproto" } - }, - "op": "==", - "right": "ipv4" - } - }, - { "reject": { - "expr": "net-prohibited", + "expr": "port-unreachable", "type": "icmp" } } ] -# reject with icmp type host-prohibited +# meta nfproto ipv6 reject [ { - "match": { - "left": { - "meta": { "key": "nfproto" } - }, - "op": "==", - "right": "ipv4" - } - }, - { "reject": { - "expr": "host-prohibited", - "type": "icmp" + "expr": "port-unreachable", + "type": "icmpv6" } } ] -# reject with icmp type admin-prohibited +# meta nfproto ipv4 reject with icmp host-unreachable [ { - "match": { - "left": { - "meta": { "key": "nfproto" } - }, - "op": "==", - "right": "ipv4" - } - }, - { "reject": { - "expr": "admin-prohibited", + "expr": "host-unreachable", "type": "icmp" } } ] -# reject with icmpv6 type no-route +# meta nfproto ipv6 reject with icmpv6 no-route [ { - "match": 
{ - "left": { - "meta": { "key": "nfproto" } - }, - "op": "==", - "right": "ipv6" - } - }, - { "reject": { "expr": "no-route", "type": "icmpv6" @@ -147,91 +75,3 @@ } ] -# reject with icmpv6 type admin-prohibited -[ - { - "match": { - "left": { - "meta": { "key": "nfproto" } - }, - "op": "==", - "right": "ipv6" - } - }, - { - "reject": { - "expr": "admin-prohibited", - "type": "icmpv6" - } - } -] - -# reject with icmpv6 type addr-unreachable -[ - { - "match": { - "left": { - "meta": { "key": "nfproto" } - }, - "op": "==", - "right": "ipv6" - } - }, - { - "reject": { - "expr": "addr-unreachable", - "type": "icmpv6" - } - } -] - -# reject with icmpv6 type port-unreachable -[ - { - "match": { - "left": { - "meta": { "key": "nfproto" } - }, - "op": "==", - "right": "ipv6" - } - }, - { - "reject": null - } -] - -# mark 12345 reject with tcp reset -[ - { - "match": { - "left": { - "meta": { "key": "l4proto" } - }, - "op": "==", - "right": 6 - } - }, - { - "match": { - "left": { - "meta": { "key": "mark" } - }, - "op": "==", - "right": 12345 - } - }, - { - "reject": { - "type": "tcp reset" - } - } -] - -# reject with icmpx type port-unreachable -[ - { - "reject": null - } -] - diff --git a/tests/py/inet/reject.t.payload.inet b/tests/py/inet/reject.t.payload.inet index ee1aae02..828cb839 100644 --- a/tests/py/inet/reject.t.payload.inet +++ b/tests/py/inet/reject.t.payload.inet 
@@ -1,64 +1,64 @@ -# reject with icmp type host-unreachable +# reject with icmp host-unreachable inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ reject type 0 code 1 ] -# reject with icmp type net-unreachable +# reject with icmp net-unreachable inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ reject type 0 code 0 ] -# reject with icmp type prot-unreachable +# reject with icmp prot-unreachable inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ reject type 0 code 2 ] -# reject with icmp type port-unreachable +# reject with icmp port-unreachable inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ reject type 0 code 3 ] -# reject with icmp type net-prohibited +# reject with icmp net-prohibited inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ reject type 0 code 9 ] -# reject with icmp type host-prohibited +# reject with icmp host-prohibited inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ reject type 0 code 10 ] -# reject with icmp type admin-prohibited +# reject with icmp admin-prohibited inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ reject type 0 code 13 ] -# reject with icmpv6 type no-route +# reject with icmpv6 no-route inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ reject type 0 code 0 ] -# reject with icmpv6 type admin-prohibited +# reject with icmpv6 admin-prohibited inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ reject type 0 code 1 ] -# reject with icmpv6 type addr-unreachable +# reject with icmpv6 addr-unreachable inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ reject type 0 code 3 ] -# reject with icmpv6 type port-unreachable +# reject with icmpv6 port-unreachable inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 
0x0000000a ] 
@@ -88,147 +88,57 @@ inet test-inet input [ cmp eq reg 1 0x0000000a ] [ reject type 0 code 4 ] -# reject with icmpx type host-unreachable +# reject with icmpx host-unreachable inet test-inet input [ reject type 2 code 2 ] -# reject with icmpx type no-route +# reject with icmpx no-route inet test-inet input [ reject type 2 code 0 ] -# reject with icmpx type admin-prohibited +# reject with icmpx admin-prohibited inet test-inet input [ reject type 2 code 3 ] -# reject with icmpx type port-unreachable +# reject with icmpx port-unreachable inet test-inet input [ reject type 2 code 1 ] -# meta nfproto ipv4 reject with icmp type host-unreachable -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ reject type 0 code 1 ] - -# meta nfproto ipv6 reject with icmpv6 type no-route -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ reject type 0 code 0 ] - -# reject with icmp type prot-unreachable -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ reject type 0 code 2 ] - -# reject with icmp type port-unreachable -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ reject type 0 code 3 ] - -# reject with icmp type net-prohibited -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ reject type 0 code 9 ] - -# reject with icmp type host-prohibited -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ reject type 0 code 10 ] - -# reject with icmp type admin-prohibited -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ reject type 0 code 13 ] - -# reject with icmpv6 type no-route -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ reject type 0 code 0 ] - -# reject with icmpv6 type admin-prohibited -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ reject 
type 0 code 1 ] - -# reject with icmpv6 type addr-unreachable -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ reject type 0 code 3 ] - -# reject with icmpv6 type port-unreachable -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ reject type 0 code 4 ] - -# reject with tcp reset -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ reject type 1 code 0 ] - -# reject -inet test-inet input - [ reject type 2 code 1 ] - -# meta nfproto ipv4 reject -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ reject type 0 code 3 ] - -# meta nfproto ipv6 reject -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ reject type 0 code 4 ] - -# reject with icmpx type host-unreachable -inet test-inet input - [ reject type 2 code 2 ] - -# reject with icmpx type no-route -inet test-inet input - [ reject type 2 code 0 ] - -# reject with icmpx type admin-prohibited +# reject with icmpx 3 inet test-inet input [ reject type 2 code 3 ] -# reject with icmpx type port-unreachable -inet test-inet input - [ reject type 2 code 1 ] - -# meta nfproto ipv4 reject with icmp type host-unreachable +# meta nfproto ipv4 reject with icmp host-unreachable inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ reject type 0 code 1 ] -# meta nfproto ipv6 reject with icmpv6 type no-route +# meta nfproto ipv6 reject with icmpv6 no-route inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ reject type 0 code 0 ] -# meta nfproto ipv4 reject with icmpx type admin-prohibited +# meta nfproto ipv4 reject with icmpx admin-prohibited inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ reject type 2 code 3 ] -# meta nfproto ipv6 reject with icmpx type admin-prohibited +# meta nfproto ipv6 reject with icmpx admin-prohibited inet test-inet input [ meta 
load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ reject type 2 code 3 ] +# ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject +inet test-inet input + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 8b @ link header + 6 => reg 1 ] + [ cmp eq reg 1 0xddccbbaa 0x0008ffee ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x0100a8c0 ] + [ reject type 0 code 3 ] + diff --git a/tests/py/inet/rt.t b/tests/py/inet/rt.t index 23608ab2..a0e0d003 100644 --- a/tests/py/inet/rt.t +++ b/tests/py/inet/rt.t @@ -2,14 +2,13 @@ *inet;test-inet;output -rt nexthop 192.168.0.1;fail -rt nexthop fd00::1;fail - meta nfproto ipv4 rt nexthop 192.168.0.1;ok;meta nfproto ipv4 rt ip nexthop 192.168.0.1 rt ip6 nexthop fd00::1;ok # missing context +rt nexthop 192.168.0.1;fail rt nexthop fd00::1;fail + # wrong context rt ip nexthop fd00::1;fail diff --git a/tests/py/inet/sctp.t b/tests/py/inet/sctp.t index 5188b57e..016173b9 100644 --- a/tests/py/inet/sctp.t +++ b/tests/py/inet/sctp.t @@ -1,10 +1,11 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress sctp sport 23;ok sctp sport != 23;ok @@ -12,8 +13,6 @@ sctp sport 23-44;ok sctp sport != 23-44;ok sctp sport { 23, 24, 25};ok sctp sport != { 23, 24, 25};ok -sctp sport { 23-44};ok -sctp sport != { 23-44};ok sctp dport 23;ok sctp dport != 23;ok @@ -21,8 +20,6 @@ sctp dport 23-44;ok sctp dport != 23-44;ok sctp dport { 23, 24, 25};ok sctp dport != { 23, 24, 25};ok -sctp dport { 23-44};ok -sctp dport != { 23-44};ok sctp checksum 1111;ok sctp checksum != 11;ok 
@@ -30,8 +27,6 @@ sctp checksum 21-333;ok sctp checksum != 32-111;ok sctp checksum { 22, 33, 44};ok sctp checksum != { 22, 33, 44};ok -sctp checksum { 22-44};ok -sctp checksum != { 22-44};ok sctp vtag 22;ok sctp vtag != 233;ok @@ -39,5 +34,40 @@ sctp vtag 33-45;ok sctp vtag != 33-45;ok sctp vtag {33, 55, 67, 88};ok sctp vtag != {33, 55, 67, 88};ok -sctp vtag { 33-55};ok -sctp vtag != { 33-55};ok + +# assert all chunk types are recognized +sctp chunk data exists;ok +sctp chunk init exists;ok +sctp chunk init-ack exists;ok +sctp chunk sack exists;ok +sctp chunk heartbeat exists;ok +sctp chunk heartbeat-ack exists;ok +sctp chunk abort exists;ok +sctp chunk shutdown exists;ok +sctp chunk shutdown-ack exists;ok +sctp chunk error exists;ok +sctp chunk cookie-echo exists;ok +sctp chunk cookie-ack exists;ok +sctp chunk ecne exists;ok +sctp chunk cwr exists;ok +sctp chunk shutdown-complete exists;ok +sctp chunk asconf-ack exists;ok +sctp chunk forward-tsn exists;ok +sctp chunk asconf exists;ok + +# test common header fields in random chunk types +sctp chunk data type 0;ok +sctp chunk init flags 23;ok +sctp chunk init-ack length 42;ok + +# test one custom field in every applicable chunk type +sctp chunk data stream 1337;ok +sctp chunk init initial-tsn 5;ok +sctp chunk init-ack num-outbound-streams 3;ok +sctp chunk sack a-rwnd 1;ok +sctp chunk shutdown cum-tsn-ack 65535;ok +sctp chunk ecne lowest-tsn 5;ok +sctp chunk cwr lowest-tsn 8;ok +sctp chunk asconf-ack seqno 12345;ok +sctp chunk forward-tsn new-cum-tsn 31337;ok +sctp chunk asconf seqno 12345;ok diff --git a/tests/py/inet/sctp.t.json b/tests/py/inet/sctp.t.json index 2684b034..75a9b01c 100644 --- a/tests/py/inet/sctp.t.json +++ b/tests/py/inet/sctp.t.json 
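Review bot: The chunk block added at the end of sctp.t contains only `;ok` cases, so nothing pins that the parser rejects an unknown chunk name or a field that belongs to a different chunk type. The header comment says "test one custom field in every applicable chunk type", but the non-applicable direction is untested. A pair of negative cases would cover it, for example (constructed, to be confirmed against the grammar) `sctp chunk data initial-tsn 5;fail` and `sctp chunk cookie-ack seqno 1;fail`. This matches the style used for `socket wildcard 2;fail` elsewhere in the same commit.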
@@ -110,46 +110,6 @@ } ] -# sctp sport { 23-44} -[ - { - "match": { - "left": { - "payload": { - "field": "sport", - "protocol": "sctp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 23, 44 ] } - ] - } - } - } -] - -# sctp sport != { 23-44} -[ - { - "match": { - "left": { - "payload": { - "field": "sport", - "protocol": "sctp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 23, 44 ] } - ] - } - } - } -] - # sctp dport 23 [ { @@ -262,46 +222,6 @@ } ] -# sctp dport { 23-44} -[ - { - "match": { - "left": { - "payload": { - "field": "dport", - "protocol": "sctp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 23, 44 ] } - ] - } - } - } -] - -# sctp dport != { 23-44} -[ - { - "match": { - "left": { - "payload": { - "field": "dport", - "protocol": "sctp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 23, 44 ] } - ] - } - } - } -] - # sctp checksum 1111 [ { @@ -414,46 +334,6 @@ } ] -# sctp checksum { 22-44} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "sctp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 22, 44 ] } - ] - } - } - } -] - -# sctp checksum != { 22-44} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "sctp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 22, 44 ] } - ] - } - } - } -] - # sctp vtag 22 [ { 
@@ -568,42 +448,480 @@ } ] -# sctp vtag { 33-55} +# sctp chunk data exists [ { "match": { "left": { - "payload": { - "field": "vtag", - "protocol": "sctp" + "sctp chunk": { + "name": "data" } }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } + "op": "==", + "right": true } } ] -# sctp vtag != { 33-55} +# sctp chunk init exists [ { "match": { "left": { - "payload": { - "field": "vtag", - "protocol": "sctp" + "sctp chunk": { + "name": "init" } }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } + "op": "==", + "right": true + } + } +] + +# sctp chunk init-ack exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "init-ack" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk sack exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "sack" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk heartbeat exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "heartbeat" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk heartbeat-ack exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "heartbeat-ack" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk abort exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "abort" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk shutdown exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "shutdown" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk shutdown-ack exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "shutdown-ack" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk error exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "error" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk cookie-echo exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "cookie-echo" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk cookie-ack 
exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "cookie-ack" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk ecne exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "ecne" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk cwr exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "cwr" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk shutdown-complete exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "shutdown-complete" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk asconf-ack exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "asconf-ack" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk forward-tsn exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "forward-tsn" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk asconf exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "asconf" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk data type 0 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "type", + "name": "data" + } + }, + "op": "==", + "right": 0 + } + } +] + +# sctp chunk init flags 23 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "flags", + "name": "init" + } + }, + "op": "==", + "right": 23 + } + } +] + +# sctp chunk init-ack length 42 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "length", + "name": "init-ack" + } + }, + "op": "==", + "right": 42 + } + } +] + +# sctp chunk data stream 1337 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "stream", + "name": "data" + } + }, + "op": "==", + "right": 1337 + } + } +] + +# sctp chunk init initial-tsn 5 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "initial-tsn", + "name": "init" + } + }, + "op": "==", + "right": 5 + } + } +] + +# sctp chunk init-ack num-outbound-streams 3 +[ + { + "match": { + "left": { + "sctp chunk": { 
+ "field": "num-outbound-streams", + "name": "init-ack" + } + }, + "op": "==", + "right": 3 + } + } +] + +# sctp chunk sack a-rwnd 1 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "a-rwnd", + "name": "sack" + } + }, + "op": "==", + "right": 1 + } + } +] + +# sctp chunk shutdown cum-tsn-ack 65535 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "cum-tsn-ack", + "name": "shutdown" + } + }, + "op": "==", + "right": 65535 + } + } +] + +# sctp chunk ecne lowest-tsn 5 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "lowest-tsn", + "name": "ecne" + } + }, + "op": "==", + "right": 5 + } + } +] + +# sctp chunk cwr lowest-tsn 8 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "lowest-tsn", + "name": "cwr" + } + }, + "op": "==", + "right": 8 + } + } +] + +# sctp chunk asconf-ack seqno 12345 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "seqno", + "name": "asconf-ack" + } + }, + "op": "==", + "right": 12345 + } + } +] + +# sctp chunk forward-tsn new-cum-tsn 31337 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "new-cum-tsn", + "name": "forward-tsn" + } + }, + "op": "==", + "right": 31337 + } + } +] + +# sctp chunk asconf seqno 12345 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "seqno", + "name": "asconf" + } + }, + "op": "==", + "right": 12345 } } ] diff --git a/tests/py/inet/sctp.t.payload b/tests/py/inet/sctp.t.payload index ecfcc725..7337e2ea 100644 --- a/tests/py/inet/sctp.t.payload +++ b/tests/py/inet/sctp.t.payload 
@@ -47,26 +47,6 @@ inet test-inet input [ payload load 2b @ transport header + 0 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# sctp sport { 23-44} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00001700 : 0 [end] element 00002d00 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# sctp sport != { 23-44} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00001700 : 0 [end] element 00002d00 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # sctp dport 23 inet test-inet input [ meta load l4proto => reg 1 ] @@ -116,26 +96,6 @@ inet test-inet input [ payload load 2b @ transport header + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# sctp dport { 23-44} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00001700 : 0 [end] element 00002d00 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# sctp dport != { 23-44} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00001700 : 0 [end] element 00002d00 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # sctp checksum 1111 inet test-inet input [ meta load l4proto => reg 1 ] 
@@ -185,26 +145,6 @@ inet test-inet input [ payload load 4b @ transport header + 8 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# sctp checksum { 22-44} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 16000000 : 0 [end] element 2d000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 4b @ transport header + 8 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# sctp checksum != { 22-44} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 16000000 : 0 [end] element 2d000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 4b @ transport header + 8 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # sctp vtag 22 inet test-inet input [ meta load l4proto => reg 1 ] 
@@ -254,23 +194,158 @@ inet test-inet input [ payload load 4b @ transport header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# sctp vtag { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 4b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# sctp vtag != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 4b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] +# sctp chunk data exists +ip + [ exthdr load 1b @ 0 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk init exists +ip + [ exthdr load 1b @ 1 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk init-ack exists +ip + [ exthdr load 1b @ 2 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk sack exists +ip + [ exthdr load 1b @ 3 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk heartbeat exists +ip + [ exthdr load 1b @ 4 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk heartbeat-ack exists +ip + [ exthdr load 1b @ 5 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk abort exists +ip + [ exthdr load 1b @ 6 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk shutdown exists +ip + [ exthdr load 1b @ 7 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk shutdown-ack exists +ip + [ exthdr load 1b @ 8 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk error exists +ip + [ exthdr load 1b @ 9 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk cookie-echo exists +ip + [ exthdr load 1b @ 10 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + 
+# sctp chunk cookie-ack exists +ip + [ exthdr load 1b @ 11 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk ecne exists +ip + [ exthdr load 1b @ 12 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk cwr exists +ip + [ exthdr load 1b @ 13 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk shutdown-complete exists +ip + [ exthdr load 1b @ 14 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk asconf-ack exists +ip + [ exthdr load 1b @ 128 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk forward-tsn exists +ip + [ exthdr load 1b @ 192 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk asconf exists +ip + [ exthdr load 1b @ 193 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk data type 0 +ip + [ exthdr load 1b @ 0 + 0 => reg 1 ] + [ cmp eq reg 1 0x00000000 ] + +# sctp chunk init flags 23 +ip + [ exthdr load 1b @ 1 + 1 => reg 1 ] + [ cmp eq reg 1 0x00000017 ] + +# sctp chunk init-ack length 42 +ip + [ exthdr load 2b @ 2 + 2 => reg 1 ] + [ cmp eq reg 1 0x00002a00 ] + +# sctp chunk data stream 1337 +ip + [ exthdr load 2b @ 0 + 8 => reg 1 ] + [ cmp eq reg 1 0x00003905 ] + +# sctp chunk init initial-tsn 5 +ip + [ exthdr load 4b @ 1 + 16 => reg 1 ] + [ cmp eq reg 1 0x05000000 ] + +# sctp chunk init-ack num-outbound-streams 3 +ip + [ exthdr load 2b @ 2 + 12 => reg 1 ] + [ cmp eq reg 1 0x00000300 ] + +# sctp chunk sack a-rwnd 1 +ip + [ exthdr load 4b @ 3 + 8 => reg 1 ] + [ cmp eq reg 1 0x01000000 ] + +# sctp chunk shutdown cum-tsn-ack 65535 +ip + [ exthdr load 4b @ 7 + 4 => reg 1 ] + [ cmp eq reg 1 0xffff0000 ] + +# sctp chunk ecne lowest-tsn 5 +ip + [ exthdr load 4b @ 12 + 4 => reg 1 ] + [ cmp eq reg 1 0x05000000 ] + +# sctp chunk cwr lowest-tsn 8 +ip + [ exthdr load 4b @ 13 + 4 => reg 1 ] + [ cmp eq reg 1 0x08000000 ] + +# sctp chunk asconf-ack seqno 12345 +ip + [ exthdr load 4b @ 128 + 4 => reg 1 ] + [ cmp eq reg 1 0x39300000 ] + +# sctp chunk 
forward-tsn new-cum-tsn 31337 +ip + [ exthdr load 4b @ 192 + 4 => reg 1 ] + [ cmp eq reg 1 0x697a0000 ] + +# sctp chunk asconf seqno 12345 +ip + [ exthdr load 4b @ 193 + 4 => reg 1 ] + [ cmp eq reg 1 0x39300000 ] diff --git a/tests/py/inet/sets.t b/tests/py/inet/sets.t index e0b0ee86..5b22e1fe 100644 --- a/tests/py/inet/sets.t +++ b/tests/py/inet/sets.t @@ -1,9 +1,10 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *inet;test-inet;input *bridge;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress !set1 type ipv4_addr timeout 60s;ok ?set1 192.168.3.4 timeout 30s, 10.2.1.1;ok @@ -21,4 +22,4 @@ ip6 daddr @set1 drop;fail ?set3 10.0.0.0/8 . 192.168.1.3-192.168.1.9 . 1024-65535;ok ip saddr . ip daddr . tcp dport @set3 accept;ok --ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept;ok +ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept;ok diff --git a/tests/py/inet/sets.t.json b/tests/py/inet/sets.t.json index 58e19ef6..b44ffc20 100644 --- a/tests/py/inet/sets.t.json +++ b/tests/py/inet/sets.t.json @@ -71,3 +71,66 @@ } ] +# ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "dport", + "protocol": "tcp" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + { + "prefix": { + "addr": "10.0.0.0", + "len": 8 + } + }, + { + "range": [ + 10, + 23 + ] + } + ] + }, + { + "concat": [ + { + "range": [ + "192.168.1.1", + "192.168.3.8" + ] + }, + { + "range": [ + 80, + 443 + ] + } + ] + } + ] + } + } + }, + { + "accept": null + } +] diff --git a/tests/py/inet/sets.t.payload.bridge b/tests/py/inet/sets.t.payload.bridge index 089d9dd7..3dd9d57b 100644 --- a/tests/py/inet/sets.t.payload.bridge 
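Review bot: Every `sctp chunk` expectation added in this hunk is a bare `[ exthdr load … ]` plus `[ cmp … ]`, without the `[ meta load l4proto => reg 1 ]` / `[ cmp eq reg 1 0x00000084 ]` guard that the sport, dport, checksum and vtag entries of this file carry. The entries are also headed `ip` rather than `inet test-inet input`. Presumably the chunk lookup checks the transport protocol itself, so a non-SCTP packet cannot satisfy the match, but that is not visible from this diff. If that is the intent, it is worth saying next to the chunk tests in sctp.t, e.g. `# chunk matches emit no l4proto dependency; the sctp exthdr lookup is expected to fail on non-SCTP packets`.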
+++ b/tests/py/inet/sets.t.payload.bridge @@ -26,3 +26,17 @@ bridge [ lookup reg 1 set set3 ] [ immediate reg 0 accept ] +# ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept +__set%d test-inet 87 +__set%d test-inet 0 + element 0000000a 00000a00 - ffffff0a 00001700 : 0 [end] element 0101a8c0 00005000 - 0803a8c0 0000bb01 : 0 [end] +bridge + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ payload load 2b @ transport header + 2 => reg 9 ] + [ lookup reg 1 set __set%d ] + [ immediate reg 0 accept ] + diff --git a/tests/py/inet/sets.t.payload.inet b/tests/py/inet/sets.t.payload.inet index c5acd610..53c6b182 100644 --- a/tests/py/inet/sets.t.payload.inet +++ b/tests/py/inet/sets.t.payload.inet @@ -26,3 +26,16 @@ inet [ lookup reg 1 set set3 ] [ immediate reg 0 accept ] +# ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept +__set%d test-inet 87 +__set%d test-inet 0 + element 0000000a 00000a00 - ffffff0a 00001700 : 0 [end] element 0101a8c0 00005000 - 0803a8c0 0000bb01 : 0 [end] +inet + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ payload load 2b @ transport header + 2 => reg 9 ] + [ lookup reg 1 set __set%d ] + [ immediate reg 0 accept ] diff --git a/tests/py/inet/sets.t.payload.netdev b/tests/py/inet/sets.t.payload.netdev index 82994eab..e31aeb92 100644 --- a/tests/py/inet/sets.t.payload.netdev +++ b/tests/py/inet/sets.t.payload.netdev 
@@ -14,10 +14,10 @@ netdev test-netdev ingress [ lookup reg 1 set set2 0x1 ] [ immediate reg 0 accept ] -# ip saddr . ip daddr . tcp dport @ set3 accept -inet - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] +# ip saddr . ip daddr . tcp dport @set3 accept +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 4b @ network header + 12 => reg 1 ] @@ -26,3 +26,16 @@ inet [ lookup reg 1 set set3 ] [ immediate reg 0 accept ] +# ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept +__set%d test-netdev 87 +__set%d test-netdev 0 + element 0000000a 00000a00 - ffffff0a 00001700 : 0 [end] element 0101a8c0 00005000 - 0803a8c0 0000bb01 : 0 [end] +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ payload load 2b @ transport header + 2 => reg 9 ] + [ lookup reg 1 set __set%d ] + [ immediate reg 0 accept ] diff --git a/tests/py/inet/snat.t.payload b/tests/py/inet/snat.t.payload index 00bb937f..50519c6b 100644 --- a/tests/py/inet/snat.t.payload +++ b/tests/py/inet/snat.t.payload @@ -7,7 +7,7 @@ inet test-inet postrouting [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x00005100 ] [ immediate reg 1 0x0203a8c0 ] - [ nat snat ip addr_min reg 1 addr_max reg 0 ] + [ nat snat ip addr_min reg 1 ] # iifname "eth0" tcp dport 81 ip saddr 10.1.1.1 snat to 192.168.3.2 inet test-inet postrouting @@ -22,7 +22,7 @@ inet test-inet postrouting [ payload load 4b @ network header + 12 => reg 1 ] [ cmp eq reg 1 0x0101010a ] [ immediate reg 1 0x0203a8c0 ] - [ nat snat ip addr_min reg 1 addr_max reg 0 ] + [ nat snat ip addr_min reg 1 ] # iifname "eth0" tcp dport 81 snat ip6 to dead::beef inet test-inet postrouting 
@@ -33,7 +33,7 @@ inet test-inet postrouting [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x00005100 ] [ immediate reg 1 0x0000adde 0x00000000 0x00000000 0xefbe0000 ] - [ nat snat ip6 addr_min reg 1 addr_max reg 0 ] + [ nat snat ip6 addr_min reg 1 ] # iifname "foo" masquerade random inet test-inet postrouting diff --git a/tests/py/inet/socket.t b/tests/py/inet/socket.t index 91846e8e..05e9ebb4 100644 --- a/tests/py/inet/socket.t +++ b/tests/py/inet/socket.t @@ -9,3 +9,7 @@ socket transparent 1;ok socket transparent 2;fail socket mark 0x00000005;ok + +socket wildcard 0;ok +socket wildcard 1;ok +socket wildcard 2;fail diff --git a/tests/py/inet/socket.t.json b/tests/py/inet/socket.t.json index 99d6e248..fa48e79d 100644 --- a/tests/py/inet/socket.t.json +++ b/tests/py/inet/socket.t.json @@ -43,3 +43,32 @@ } ] +# socket wildcard 0 +[ + { + "match": { + "left": { + "socket": { + "key": "wildcard" + } + }, + "op": "==", + "right": 0 + } + } +] + +# socket wildcard 1 +[ + { + "match": { + "left": { + "socket": { + "key": "wildcard" + } + }, + "op": "==", + "right": 1 + } + } +] diff --git a/tests/py/inet/socket.t.payload b/tests/py/inet/socket.t.payload index 687b7a45..e66ccbf7 100644 --- a/tests/py/inet/socket.t.payload +++ b/tests/py/inet/socket.t.payload 
@@ -1,45 +1,24 @@ # socket transparent 0 -ip sockip4 sockchain - [ socket load transparent => reg 1 ] - [ cmp eq reg 1 0x00000000 ] - -# socket transparent 0 -ip6 sockip6 sockchain - [ socket load transparent => reg 1 ] - [ cmp eq reg 1 0x00000000 ] - -# socket transparent 0 inet sockin sockchain [ socket load transparent => reg 1 ] [ cmp eq reg 1 0x00000000 ] # socket transparent 1 -ip sockip4 sockchain - [ socket load transparent => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# socket transparent 1 -ip6 sockip6 sockchain - [ socket load transparent => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - -# socket transparent 1 inet sockin sockchain [ socket load transparent => reg 1 ] [ cmp eq reg 1 0x00000001 ] # socket mark 0x00000005 -ip sockip4 sockchain - [ socket load mark => reg 1 ] - [ cmp eq reg 1 0x00000005 ] - -# socket mark 0x00000005 -ip6 sockip6 sockchain - [ socket load mark => reg 1 ] - [ cmp eq reg 1 0x00000005 ] - -# socket mark 0x00000005 inet sockin sockchain [ socket load mark => reg 1 ] [ cmp eq reg 1 0x00000005 ] +# socket wildcard 0 +inet sockin sockchain + [ socket load wildcard => reg 1 ] + [ cmp eq reg 1 0x00000000 ] + +# socket wildcard 1 +inet sockin sockchain + [ socket load wildcard => reg 1 ] + [ cmp eq reg 1 0x00000001 ] diff --git a/tests/py/inet/synproxy.t.json b/tests/py/inet/synproxy.t.json index 92c69d75..1dd85a61 100644 --- a/tests/py/inet/synproxy.t.json +++ b/tests/py/inet/synproxy.t.json @@ -5,24 +5,6 @@ } ] -# synproxy mss 1460 -[ - { - "synproxy": { - "mss": 1460 - } - } -] - -# synproxy wscale 7 -[ - { - "synproxy": { - "wscale": 7 - } - } -] - # synproxy mss 1460 wscale 7 [ { @@ -56,20 +38,6 @@ } ] -# synproxy mss 1460 wscale 7 timestamp sack-perm -[ - { - "synproxy": { - "mss": 1460, - "wscale": 7, - "flags": [ - "timestamp", - "sack-perm" - ] - } - } -] - # synproxy mss 1460 wscale 5 timestamp sack-perm [ { diff --git a/tests/py/inet/synproxy.t.payload b/tests/py/inet/synproxy.t.payload index 2e6feaaf..dd318b9a 100644 
--- a/tests/py/inet/synproxy.t.payload +++ b/tests/py/inet/synproxy.t.payload @@ -1,72 +1,24 @@ # synproxy -ip synproxyip synproxychain - [ synproxy mss 0 wscale 0 ] - -# synproxy -ip6 synproxyip6 synproxychain - [ synproxy mss 0 wscale 0 ] - -# synproxy inet synproxyinet synproxychain [ synproxy mss 0 wscale 0 ] # synproxy mss 1460 wscale 7 -ip synproxyip synproxychain - [ synproxy mss 1460 wscale 7 ] - -# synproxy mss 1460 wscale 7 -ip6 synproxyip6 synproxychain - [ synproxy mss 1460 wscale 7 ] - -# synproxy mss 1460 wscale 7 inet synproxyinet synproxychain [ synproxy mss 1460 wscale 7 ] # synproxy mss 1460 wscale 5 timestamp sack-perm -ip synproxyip synproxychain - [ synproxy mss 1460 wscale 5 ] - -# synproxy mss 1460 wscale 5 timestamp sack-perm -ip6 synproxyip6 synproxychain - [ synproxy mss 1460 wscale 5 ] - -# synproxy mss 1460 wscale 5 timestamp sack-perm inet synproxyinet synproxychain [ synproxy mss 1460 wscale 5 ] # synproxy timestamp sack-perm -ip synproxyip synproxychain - [ synproxy mss 0 wscale 0 ] - -# synproxy timestamp sack-perm -ip6 synproxyip6 synproxychain - [ synproxy mss 0 wscale 0 ] - -# synproxy timestamp sack-perm inet synproxyinet synproxychain [ synproxy mss 0 wscale 0 ] # synproxy timestamp -ip synproxyip synproxychain - [ synproxy mss 0 wscale 0 ] - -# synproxy timestamp -ip6 synproxyip6 synproxychain - [ synproxy mss 0 wscale 0 ] - -# synproxy timestamp inet synproxyinet synproxychain [ synproxy mss 0 wscale 0 ] # synproxy sack-perm -ip synproxyip synproxychain - [ synproxy mss 0 wscale 0 ] - -# synproxy sack-perm -ip6 synproxyip6 synproxychain - [ synproxy mss 0 wscale 0 ] - -# synproxy sack-perm inet synproxyinet synproxychain [ synproxy mss 0 wscale 0 ] diff --git a/tests/py/inet/tcp.t b/tests/py/inet/tcp.t index e0a83e2b..f4bdac17 100644 --- a/tests/py/inet/tcp.t +++ b/tests/py/inet/tcp.t 
@@ -1,10 +1,11 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress tcp dport set {1, 2, 3};fail @@ -14,8 +15,6 @@ tcp dport 33-45;ok tcp dport != 33-45;ok tcp dport { 33, 55, 67, 88};ok tcp dport != { 33, 55, 67, 88};ok -tcp dport { 33-55};ok -tcp dport != { 33-55};ok tcp dport {telnet, http, https} accept;ok;tcp dport { 443, 23, 80} accept tcp dport vmap { 22 : accept, 23 : drop };ok tcp dport vmap { 25:accept, 28:drop };ok @@ -30,8 +29,6 @@ tcp sport 33-45;ok tcp sport != 33-45;ok tcp sport { 33, 55, 67, 88};ok tcp sport != { 33, 55, 67, 88};ok -tcp sport { 33-55};ok -tcp sport != { 33-55};ok tcp sport vmap { 25:accept, 28:drop };ok tcp sport 8080 drop;ok @@ -47,8 +44,6 @@ tcp sequence 33-45;ok tcp sequence != 33-45;ok tcp sequence { 33, 55, 67, 88};ok tcp sequence != { 33, 55, 67, 88};ok -tcp sequence { 33-55};ok -tcp sequence != { 33-55};ok tcp ackseq 42949672 drop;ok tcp ackseq 22;ok @@ -57,8 +52,6 @@ tcp ackseq 33-45;ok tcp ackseq != 33-45;ok tcp ackseq { 33, 55, 67, 88};ok tcp ackseq != { 33, 55, 67, 88};ok -tcp ackseq { 33-55};ok -tcp ackseq != { 33-55};ok - tcp doff 22;ok - tcp doff != 233;ok @@ -66,8 +59,6 @@ tcp ackseq != { 33-55};ok - tcp doff != 33-45;ok - tcp doff { 33, 55, 67, 88};ok - tcp doff != { 33, 55, 67, 88};ok -- tcp doff { 33-55};ok -- tcp doff != { 33-55};ok # BUG reserved # BUG: It is accepted but it is not shown then. tcp reserver 
@@ -77,8 +68,26 @@ tcp flags != { fin, urg, ecn, cwr} drop;ok tcp flags cwr;ok tcp flags != cwr;ok tcp flags == syn;ok -tcp flags & (syn|fin) == (syn|fin);ok;tcp flags & (fin | syn) == fin | syn +tcp flags fin,syn / fin,syn;ok;tcp flags & (fin | syn) == fin | syn +tcp flags != syn / fin,syn;ok;tcp flags & (fin | syn) != syn +tcp flags & syn != 0;ok;tcp flags syn +tcp flags & syn == 0;ok;tcp flags ! syn +tcp flags & (syn | ack) != 0;ok;tcp flags syn,ack +tcp flags & (syn | ack) == 0;ok;tcp flags ! syn,ack +# it should be possible to transform this to: tcp flags syn +tcp flags & syn == syn;ok +tcp flags & syn != syn;ok +tcp flags & (fin | syn | rst | ack) syn;ok;tcp flags & (fin | syn | rst | ack) == syn +tcp flags & (fin | syn | rst | ack) == syn;ok +tcp flags & (fin | syn | rst | ack) != syn;ok +tcp flags & (fin | syn | rst | ack) == syn | ack;ok +tcp flags & (fin | syn | rst | ack) != syn | ack;ok +tcp flags & (syn | ack) == syn | ack;ok tcp flags & (fin | syn | rst | psh | ack | urg | ecn | cwr) == fin | syn | rst | psh | ack | urg | ecn | cwr;ok;tcp flags == 0xff +tcp flags { syn, syn | ack };ok +tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack };ok +tcp flags ! fin,rst;ok +tcp flags & (fin | syn | rst | ack) ! syn;fail tcp window 22222;ok tcp window 22;ok @@ -87,8 +96,6 @@ tcp window 33-45;ok tcp window != 33-45;ok tcp window { 33, 55, 67, 88};ok tcp window != { 33, 55, 67, 88};ok -tcp window { 33-55};ok -tcp window != { 33-55};ok tcp checksum 22;ok tcp checksum != 233;ok @@ -96,8 +103,6 @@ tcp checksum 33-45;ok tcp checksum != 33-45;ok tcp checksum { 33, 55, 67, 88};ok tcp checksum != { 33, 55, 67, 88};ok -tcp checksum { 33-55};ok -tcp checksum != { 33-55};ok tcp urgptr 1234 accept;ok tcp urgptr 22;ok @@ -106,7 +111,5 @@ tcp urgptr 33-45;ok tcp urgptr != 33-45;ok tcp urgptr { 33, 55, 67, 88};ok tcp urgptr != { 33, 55, 67, 88};ok -tcp urgptr { 33-55};ok -tcp urgptr != { 33-55};ok tcp doff 8;ok 
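Review bot: The new shorthand expectations in the `@@ -77,8 +68,26 @@` hunk carry no comment saying that a comma list is an any-bit match. `tcp flags & (syn | ack) != 0` is expected to list as `tcp flags syn,ack`, which is easy to misread as "SYN and ACK both set" when auditing a ruleset. A one-line comment above those four lines would help, for example `# "flags a,b" matches if ANY listed bit is set; "flags a,b / a,b" requires all of them`. The existing comment `# it should be possible to transform this to: tcp flags syn` sits above two lines but describes only the first; the second (`tcp flags & syn != syn`) would correspond to `tcp flags ! syn`.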
diff --git a/tests/py/inet/tcp.t.json b/tests/py/inet/tcp.t.json index babe5920..28dd4341 100644 --- a/tests/py/inet/tcp.t.json +++ b/tests/py/inet/tcp.t.json @@ -112,46 +112,6 @@ } ] -# tcp dport { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "dport", - "protocol": "tcp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# tcp dport != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "dport", - "protocol": "tcp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # tcp dport {telnet, http, https} accept [ { @@ -397,46 +357,6 @@ } ] -# tcp sport { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "sport", - "protocol": "tcp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# tcp sport != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "sport", - "protocol": "tcp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # tcp sport vmap { 25:accept, 28:drop } [ { @@ -753,46 +673,6 @@ } ] -# tcp sequence { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "sequence", - "protocol": "tcp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# tcp sequence != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "sequence", - "protocol": "tcp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # tcp ackseq 42949672 drop [ { 
@@ -926,46 +806,6 @@ } ] -# tcp ackseq { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "ackseq", - "protocol": "tcp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# tcp ackseq != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "ackseq", - "protocol": "tcp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr} drop [ { @@ -1114,12 +954,12 @@ } }, { - "|": [ "fin", { "|": [ "syn", { "|": [ "rst", { "|": [ "psh", { "|": [ "ack", { "|": [ "urg", { "|": [ "ecn", "cwr" ] } ] } ] } ] } ] } ] } ] + "|": [ "fin", "syn", "rst", "psh", "ack", "urg", "ecn", "cwr" ] } ] }, "op": "==", - "right": { "|": [ "fin", { "|": [ "syn", { "|": [ "rst", { "|": [ "psh", { "|": [ "ack", { "|": [ "urg", { "|": [ "ecn", "cwr" ] } ] } ] } ] } ] } ] } ] } + "right": { "|": [ "fin", "syn", "rst", "psh", "ack", "urg", "ecn", "cwr" ] } } } ] @@ -1254,46 +1094,6 @@ } ] -# tcp window { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "window", - "protocol": "tcp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# tcp window != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "window", - "protocol": "tcp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # tcp checksum 22 [ { @@ -1408,46 +1208,6 @@ } ] -# tcp checksum { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "tcp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# tcp checksum != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "tcp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # tcp urgptr 1234 accept [ { 
@@ -1581,58 +1341,435 @@ } ] -# tcp urgptr { 33-55} +# tcp doff 8 [ { "match": { "left": { "payload": { - "field": "urgptr", + "field": "doff", "protocol": "tcp" } }, "op": "==", + "right": 8 + } + } +] + +# tcp flags { syn, syn | ack } +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + "op": "==", "right": { "set": [ - { "range": [ 33, 55 ] } + "syn", + { + "|": [ + "syn", + "ack" + ] + } ] } } } ] -# tcp urgptr != { 33-55} +# tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack } [ { "match": { "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { "|": [ "fin", "syn", "rst", "psh", "ack", "urg" ] } + ] + }, + "op": "==", + "right": { + "set": [ + "fin", + "ack", + { "|": [ "psh", "ack" ] }, + { "|": [ "fin", "psh", "ack" ] } + ] + } + } + } +] + +# tcp flags ! fin,rst +[ + { + "match": { + "op": "!", + "left": { "payload": { - "field": "urgptr", - "protocol": "tcp" + "protocol": "tcp", + "field": "flags" } }, - "op": "!=", + "right": [ + "fin", + "rst" + ] + } + } +] + +# tcp flags fin,syn / fin,syn +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { + "|": [ + "fin", + "syn" + ] + } + ] + }, + "op": "==", "right": { - "set": [ - { "range": [ 33, 55 ] } + "|": [ + "fin", + "syn" ] } } } ] -# tcp doff 8 +# tcp flags != syn / fin,syn +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { + "|": [ + "fin", + "syn" + ] + } + ] + }, + "op": "!=", + "right": "syn" + } + } +] + +# tcp flags & syn == 0 [ { "match": { "left": { "payload": { - "field": "doff", + "field": "flags", "protocol": "tcp" } }, - "op": "==", - "right": 8 + "op": "!", + "right": "syn" + } + } +] + +# tcp flags & syn != 0 +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + "op": "in", + "right": "syn" + } + } +] + +# 
tcp flags & (syn | ack) != 0 +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + "op": "in", + "right": [ + "syn", + "ack" + ] + } + } +] + +# tcp flags & (syn | ack) == 0 +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + "op": "!", + "right": [ + "syn", + "ack" + ] + } + } +] + +# tcp flags & syn == syn +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + "syn" + ] + }, + "op": "==", + "right": "syn" + } + } +] + +# tcp flags & syn != syn +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + "syn" + ] + }, + "op": "!=", + "right": "syn" + } + } +] + +# tcp flags & (fin | syn | rst | ack) syn +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { + "|": [ + "fin", + "syn", + "rst", + "ack" + ] + } + ] + }, + "op": "==", + "right": "syn" + } + } +] + +# tcp flags & (fin | syn | rst | ack) == syn +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { + "|": [ + "fin", + "syn", + "rst", + "ack" + ] + } + ] + }, + "op": "==", + "right": "syn" + } + } +] + + +# tcp flags & (fin | syn | rst | ack) != syn +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { + "|": [ + "fin", + "syn", + "rst", + "ack" + ] + } + ] + }, + "op": "!=", + "right": "syn" + } + } +] + +# tcp flags & (fin | syn | rst | ack) == syn | ack +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { + "|": [ + "fin", + "syn", + "rst", + "ack" + ] + } + ] + }, + "op": "==", + "right": { + "|": [ + "syn", + "ack" + ] + } + } + } +] + +# tcp flags & (syn | ack) == syn | ack +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + 
} + }, + { + "|": [ + "syn", + "ack" + ] + } + ] + }, + "op": "==", + "right": { + "|": [ + "syn", + "ack" + ] + } + } + } +] + +# tcp flags & (fin | syn | rst | ack) != syn | ack +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { "|": [ "fin", "syn", "rst", "ack" ] } + ] + }, + "op": "!=", + "right": { + "|": [ + "syn", + "ack" + ] + } } } ] diff --git a/tests/py/inet/tcp.t.json.output b/tests/py/inet/tcp.t.json.output index 0f7a593b..d487a8f1 100644 --- a/tests/py/inet/tcp.t.json.output +++ b/tests/py/inet/tcp.t.json.output @@ -115,3 +115,50 @@ } ] +# tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack } +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { + "|": [ + "fin", + "syn", + "rst", + "psh", + "ack", + "urg" + ] + } + ] + }, + "op": "==", + "right": { + "set": [ + "fin", + { + "|": [ + "fin", + "psh", + "ack" + ] + }, + { + "|": [ + "psh", + "ack" + ] + }, + "ack" + ] + } + } + } +] diff --git a/tests/py/inet/tcp.t.payload b/tests/py/inet/tcp.t.payload index 55f1bc2e..bc6bb989 100644 --- a/tests/py/inet/tcp.t.payload +++ b/tests/py/inet/tcp.t.payload 
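Review bot: In the `@@ -1581,58 +1341,435 @@` hunk of tcp.t.json, four entries are written in the shortened form rather than the form named in their header comment. These are `tcp flags & syn == 0`, `tcp flags & syn != 0` and the two `(syn | ack)` variants, which use `"op": "!"` or `"op": "in"` with a bare payload on the left. `tcp flags & syn == syn` later in the same hunk keeps the explicit `"&"` expression. If the harness feeds these blocks to the JSON parser as input (not visible from here), the mask-and-compare-with-zero form is never parsed from JSON for these four rules. Consider keeping the explicit `"&"` left-hand side with `"right": 0` in this file and putting the shortened form in tcp.t.json.output, as is already done for the set-ordering case.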
@@ -47,26 +47,6 @@ inet test-inet input [ payload load 2b @ transport header + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# tcp dport { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# tcp dport != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # tcp dport {telnet, http, https} accept __set%d test-inet 3 __set%d test-inet 0 @@ -81,7 +61,7 @@ inet test-inet input # tcp dport vmap { 22 : accept, 23 : drop } __map%d test-inet b __map%d test-inet 0 - element 00001600 : 0 [end] element 00001700 : 0 [end] + element 00001600 : accept 0 [end] element 00001700 : drop 0 [end] inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] @@ -91,7 +71,7 @@ inet test-inet input # tcp dport vmap { 25:accept, 28:drop } __map%d test-inet b __map%d test-inet 0 - element 00001900 : 0 [end] element 00001c00 : 0 [end] + element 00001900 : accept 0 [end] element 00001c00 : drop 0 [end] inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] 
@@ -167,30 +147,10 @@ inet test-inet input [ payload load 2b @ transport header + 0 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# tcp sport { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# tcp sport != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # tcp sport vmap { 25:accept, 28:drop } __map%d test-inet b __map%d test-inet 0 - element 00001900 : 0 [end] element 00001c00 : 0 [end] + element 00001900 : accept 0 [end] element 00001c00 : drop 0 [end] inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] @@ -293,26 +253,6 @@ inet test-inet input [ payload load 4b @ transport header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# tcp sequence { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 4b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# tcp sequence != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 4b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # tcp ackseq 42949672 drop inet test-inet input [ meta load l4proto => reg 1 ] 
@@ -370,26 +310,6 @@ inet test-inet input [ payload load 4b @ transport header + 8 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# tcp ackseq { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 4b @ transport header + 8 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# tcp ackseq != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 4b @ transport header + 8 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr} drop __set%d test-inet 3 __set%d test-inet 0 @@ -417,7 +337,7 @@ inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 1b @ transport header + 13 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000080 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000080 ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000000 ] # tcp flags != cwr 
@@ -434,20 +354,124 @@ inet test-inet input [ payload load 1b @ transport header + 13 => reg 1 ] [ cmp eq reg 1 0x00000002 ] -# tcp flags & (syn|fin) == (syn|fin) +# tcp flags fin,syn / fin,syn inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 1b @ transport header + 13 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000003 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000003 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000003 ] +# tcp flags != syn / fin,syn +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000003 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000002 ] + +# tcp flags & syn != 0 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# tcp flags & syn == 0 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000000 ] + +# tcp flags & (syn | ack) != 0 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000012 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# tcp flags & (syn | ack) == 0 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000012 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000000 ] + +# tcp flags & syn == syn +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ] + [ cmp eq 
reg 1 0x00000002 ] + +# tcp flags & syn != syn +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000002 ] + +# tcp flags & (fin | syn | rst | ack) syn +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000002 ] + +# tcp flags & (fin | syn | rst | ack) == syn +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000002 ] + +# tcp flags & (fin | syn | rst | ack) != syn +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000002 ] + +# tcp flags & (fin | syn | rst | ack) == syn | ack +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000012 ] + +# tcp flags & (fin | syn | rst | ack) != syn | ack +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000012 ] + +# tcp flags & (syn | ack) == syn | ack +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000012 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000012 ] + # tcp flags & (fin | syn | rst | psh | ack | urg | ecn | 
cwr) == fin | syn | rst | psh | ack | urg | ecn | cwr inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 1b @ transport header + 13 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000ff ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000000 ] [ cmp eq reg 1 0x000000ff ] # tcp window 22222 @@ -506,26 +530,6 @@ inet test-inet input [ payload load 2b @ transport header + 14 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# tcp window { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 14 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# tcp window != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 14 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # tcp checksum 22 inet test-inet input [ meta load l4proto => reg 1 ] 
@@ -575,26 +579,6 @@ inet test-inet input [ payload load 2b @ transport header + 16 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# tcp checksum { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 16 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# tcp checksum != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 16 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # tcp urgptr 1234 accept inet test-inet input [ meta load l4proto => reg 1 ] 
@@ -652,31 +636,39 @@ inet test-inet input [ payload load 2b @ transport header + 18 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# tcp urgptr { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] +# tcp doff 8 inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 18 => reg 1 ] - [ lookup reg 1 set __set%d ] + [ payload load 1b @ transport header + 12 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000080 ] -# tcp urgptr != { 33-55} -__set%d test-inet 7 +# tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack } +__set%d test-inet 3 __set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input + element 00000001 : 0 [end] element 00000010 : 0 [end] element 00000018 : 0 [end] element 00000019 : 0 [end] +ip [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 18 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000003f ) ^ 0x00000000 ] + [ lookup reg 1 set __set%d ] -# tcp doff 8 -inet test-inet input +# tcp flags { syn, syn | ack } +__set%d test-inet 3 +__set%d test-inet 0 + element 00000002 : 0 [end] element 00000012 : 0 [end] +inet [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] - [ payload load 1b @ transport header + 12 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x000000f0 ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000080 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ lookup reg 1 set __set%d ] +# tcp flags ! fin,rst +inet + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000005 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000000 ] 
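Review bot: Three of the added payload blocks in this hunk have a truncated table/chain line. The set-lookup block for `tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack }` uses a bare `ip` although its set is declared in `test-inet`, and the `tcp flags { syn, syn | ack }` and `tcp flags ! fin,rst` blocks use a bare `inet`. Every other block in the file, including the re-added `tcp doff 8`, uses `inet test-inet input`. The harness may not compare that line (not visible here), but for consistency each of the three should read `inet test-inet input`.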
diff --git a/tests/py/inet/tproxy.t b/tests/py/inet/tproxy.t index d23bbcb5..9901df75 100644 --- a/tests/py/inet/tproxy.t +++ b/tests/py/inet/tproxy.t @@ -19,3 +19,5 @@ meta l4proto 17 tproxy ip to :50080;ok meta l4proto 17 tproxy ip6 to :50080;ok meta l4proto 17 tproxy to :50080;ok ip daddr 0.0.0.0/0 meta l4proto 6 tproxy ip to :2000;ok + +meta l4proto 6 tproxy ip to 127.0.0.1:symhash mod 2 map { 0 : 23, 1 : 42 };ok diff --git a/tests/py/inet/tproxy.t.json b/tests/py/inet/tproxy.t.json index 7b3b11c4..71b6fd2f 100644 --- a/tests/py/inet/tproxy.t.json +++ b/tests/py/inet/tproxy.t.json @@ -183,3 +183,38 @@ } } ] + +# meta l4proto 6 tproxy ip to 127.0.0.1:symhash mod 2 map { 0 : 23, 1 : 42 } +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 6 + } + }, + { + "tproxy": { + "addr": "127.0.0.1", + "family": "ip", + "port": { + "map": { + "data": { + "set": [ + [ 0, 23 ], + [ 1, 42 ] + ] + }, + "key": { + "symhash": { "mod": 2 } + } + } + } + } + } +] + diff --git a/tests/py/inet/tproxy.t.payload b/tests/py/inet/tproxy.t.payload index 82ff928d..2f419042 100644 --- a/tests/py/inet/tproxy.t.payload +++ b/tests/py/inet/tproxy.t.payload @@ -54,10 +54,22 @@ inet x y [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 16 => reg 1 ] - [ bitwise reg 1 = (reg=1 & 0x00000000 ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 & 0x00000000 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000000 ] [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ immediate reg 1 0x0000d007 ] [ tproxy ip port reg 1 ] +# meta l4proto 6 tproxy ip to 127.0.0.1:symhash mod 2 map { 0 : 23, 1 : 42 } +__map%d x b size 2 +__map%d x 0 + element 00000000 : 00001700 0 [end] element 00000001 : 00002a00 0 [end] +inet x y + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ immediate reg 1 0x0100007f ] + [ hash reg 2 = symhash() % mod 2 ] + [ lookup reg 2 set __map%d dreg 2 ] + [ tproxy ip addr reg 1 port reg 2 ] + 
diff --git a/tests/py/inet/udp.t b/tests/py/inet/udp.t index 4e3eaa51..7f21c8ed 100644 --- a/tests/py/inet/udp.t +++ b/tests/py/inet/udp.t @@ -1,10 +1,11 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress udp sport 80 accept;ok udp sport != 60 accept;ok @@ -12,8 +13,6 @@ udp sport 50-70 accept;ok udp sport != 50-60 accept;ok udp sport { 49, 50} drop;ok udp sport != { 50, 60} accept;ok -udp sport { 12-40};ok -udp sport != { 13-24};ok udp dport set {1, 2, 3};fail @@ -23,8 +22,6 @@ udp dport 70-75 accept;ok udp dport != 50-60 accept;ok udp dport { 49, 50} drop;ok udp dport != { 50, 60} accept;ok -udp dport { 70-75} accept;ok -udp dport != { 50-60} accept;ok udp length 6666;ok udp length != 6666;ok @@ -32,8 +29,6 @@ udp length 50-65 accept;ok udp length != 50-65 accept;ok udp length { 50, 65} accept;ok udp length != { 50, 65} accept;ok -udp length { 35-50};ok -udp length != { 35-50};ok udp checksum 6666 drop;ok udp checksum != { 444, 555} accept;ok @@ -44,8 +39,6 @@ udp checksum 33-45;ok udp checksum != 33-45;ok udp checksum { 33, 55, 67, 88};ok udp checksum != { 33, 55, 67, 88};ok -udp checksum { 33-55};ok -udp checksum != { 33-55};ok # limit impact to lo iif "lo" udp checksum set 0;ok diff --git a/tests/py/inet/udp.t.json b/tests/py/inet/udp.t.json index f8826640..665998ec 100644 --- a/tests/py/inet/udp.t.json +++ b/tests/py/inet/udp.t.json 
@@ -126,46 +126,6 @@ } ] -# udp sport { 12-40} -[ - { - "match": { - "left": { - "payload": { - "field": "sport", - "protocol": "udp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 12, 40 ] } - ] - } - } - } -] - -# udp sport != { 13-24} -[ - { - "match": { - "left": { - "payload": { - "field": "sport", - "protocol": "udp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 13, 24 ] } - ] - } - } - } -] - # udp dport 80 accept [ { @@ -294,52 +254,6 @@ } ] -# udp dport { 70-75} accept -[ - { - "match": { - "left": { - "payload": { - "field": "dport", - "protocol": "udp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 70, 75 ] } - ] - } - } - }, - { - "accept": null - } -] - -# udp dport != { 50-60} accept -[ - { - "match": { - "left": { - "payload": { - "field": "dport", - "protocol": "udp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 50, 60 ] } - ] - } - } - }, - { - "accept": null - } -] - # udp length 6666 [ { @@ -462,46 +376,6 @@ } ] -# udp length { 35-50} -[ - { - "match": { - "left": { - "payload": { - "field": "length", - "protocol": "udp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 35, 50 ] } - ] - } - } - } -] - -# udp length != { 35-50} -[ - { - "match": { - "left": { - "payload": { - "field": "length", - "protocol": "udp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 35, 50 ] } - ] - } - } - } -] - # udp checksum 6666 drop [ { @@ -659,46 +533,6 @@ } ] -# udp checksum { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "udp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# udp checksum != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "udp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # iif "lo" udp checksum set 0 [ { 
diff --git a/tests/py/inet/udp.t.payload b/tests/py/inet/udp.t.payload index d91eb784..e6beda7f 100644 --- a/tests/py/inet/udp.t.payload +++ b/tests/py/inet/udp.t.payload @@ -53,26 +53,6 @@ inet test-inet input [ lookup reg 1 set __set%d 0x1 ] [ immediate reg 0 accept ] -# udp sport { 12-40} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000c00 : 0 [end] element 00002900 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# udp sport != { 13-24} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000d00 : 0 [end] element 00001900 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # udp dport 80 accept inet test-inet input [ meta load l4proto => reg 1 ] @@ -128,28 +108,6 @@ inet test-inet input [ lookup reg 1 set __set%d 0x1 ] [ immediate reg 0 accept ] -# udp dport { 70-75} accept -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00004600 : 0 [end] element 00004c00 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - [ immediate reg 0 accept ] - -# udp dport != { 50-60} accept -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00003200 : 0 [end] element 00003d00 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - [ immediate reg 0 accept ] - # udp length 6666 inet test-inet input [ meta load l4proto => reg 1 ] 
@@ -203,26 +161,6 @@ inet test-inet input [ lookup reg 1 set __set%d 0x1 ] [ immediate reg 0 accept ] -# udp length { 35-50} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002300 : 0 [end] element 00003300 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# udp length != { 35-50} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002300 : 0 [end] element 00003300 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # udp checksum 6666 drop inet test-inet input [ meta load l4proto => reg 1 ] @@ -291,26 +229,6 @@ inet test-inet input [ payload load 2b @ transport header + 6 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# udp checksum { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 6 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# udp checksum != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 6 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # iif "lo" udp checksum set 0 inet test-inet input [ meta load iif => reg 1 ] diff --git a/tests/py/inet/udplite.t b/tests/py/inet/udplite.t index 7c22acb9..6a54709c 100644 --- a/tests/py/inet/udplite.t +++ b/tests/py/inet/udplite.t 
@@ -1,10 +1,11 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress udplite sport 80 accept;ok udplite sport != 60 accept;ok @@ -12,8 +13,6 @@ udplite sport 50-70 accept;ok udplite sport != 50-60 accept;ok udplite sport { 49, 50} drop;ok udplite sport != { 49, 50} accept;ok -udplite sport { 12-40};ok -udplite sport != { 12-40};ok udplite dport 80 accept;ok udplite dport != 60 accept;ok @@ -21,8 +20,6 @@ udplite dport 70-75 accept;ok udplite dport != 50-60 accept;ok udplite dport { 49, 50} drop;ok udplite dport != { 49, 50} accept;ok -udplite dport { 70-75} accept;ok -udplite dport != { 70-75} accept;ok - udplite csumcov 6666;ok - udplite csumcov != 6666;ok @@ -30,8 +27,6 @@ udplite dport != { 70-75} accept;ok - udplite csumcov != 50-65 accept;ok - udplite csumcov { 50, 65} accept;ok - udplite csumcov != { 50, 65} accept;ok -- udplite csumcov { 35-50};ok -- udplite csumcov != { 35-50};ok udplite checksum 6666 drop;ok udplite checksum != { 444, 555} accept;ok @@ -41,5 +36,3 @@ udplite checksum 33-45;ok udplite checksum != 33-45;ok udplite checksum { 33, 55, 67, 88};ok udplite checksum != { 33, 55, 67, 88};ok -udplite checksum { 33-55};ok -udplite checksum != { 33-55};ok diff --git a/tests/py/inet/udplite.t.json b/tests/py/inet/udplite.t.json index f56bee47..713a534f 100644 --- a/tests/py/inet/udplite.t.json +++ b/tests/py/inet/udplite.t.json 
@@ -126,46 +126,6 @@ } ] -# udplite sport { 12-40} -[ - { - "match": { - "left": { - "payload": { - "field": "sport", - "protocol": "udplite" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 12, 40 ] } - ] - } - } - } -] - -# udplite sport != { 12-40} -[ - { - "match": { - "left": { - "payload": { - "field": "sport", - "protocol": "udplite" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 12, 40 ] } - ] - } - } - } -] - # udplite dport 80 accept [ { @@ -294,52 +254,6 @@ } ] -# udplite dport { 70-75} accept -[ - { - "match": { - "left": { - "payload": { - "field": "dport", - "protocol": "udplite" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 70, 75 ] } - ] - } - } - }, - { - "accept": null - } -] - -# udplite dport != { 70-75} accept -[ - { - "match": { - "left": { - "payload": { - "field": "dport", - "protocol": "udplite" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 70, 75 ] } - ] - } - } - }, - { - "accept": null - } -] - # udplite checksum 6666 drop [ { @@ -497,43 +411,3 @@ } ] -# udplite checksum { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "udplite" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# udplite checksum != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "udplite" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - diff --git a/tests/py/inet/udplite.t.payload b/tests/py/inet/udplite.t.payload index eb3dc075..de9d09ed 100644 --- a/tests/py/inet/udplite.t.payload +++ b/tests/py/inet/udplite.t.payload 
@@ -53,26 +53,6 @@ inet test-inet input [ lookup reg 1 set __set%d 0x1 ] [ immediate reg 0 accept ] -# udplite sport { 12-40} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00000c00 : 0 [end] element 00002900 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000088 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# udplite sport != { 12-40} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00000c00 : 0 [end] element 00002900 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000088 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # udplite dport 80 accept inet test-inet input [ meta load l4proto => reg 1 ] @@ -128,28 +108,6 @@ inet test-inet input [ lookup reg 1 set __set%d 0x1 ] [ immediate reg 0 accept ] -# udplite dport { 70-75} accept -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00004600 : 0 [end] element 00004c00 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000088 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - [ immediate reg 0 accept ] - -# udplite dport != { 70-75} accept -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00004600 : 0 [end] element 00004c00 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000088 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - [ immediate reg 0 accept ] - # udplite checksum 6666 drop inet test-inet input [ meta load l4proto => reg 1 ] 
@@ -218,23 +176,3 @@ inet test-inet input
 [ payload load 2b @ transport header + 6 => reg 1 ]
 [ lookup reg 1 set __set%d 0x1 ]
-# udplite checksum { 33-55}
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000088 ]
- [ payload load 2b @ transport header + 6 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# udplite checksum != { 33-55}
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000088 ]
- [ payload load 2b @ transport header + 6 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
diff --git a/tests/py/inet/vmap.t b/tests/py/inet/vmap.t
new file mode 100644
index 00000000..0ac6e561
--- /dev/null
+++ b/tests/py/inet/vmap.t
@@ -0,0 +1,10 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+iifname . ip protocol . th dport vmap { "eth0" . tcp . 22 : accept, "eth1" . udp . 67 : drop };ok;iifname . ip protocol . th dport vmap { "eth0" . 6 . 22 : accept, "eth1" . 17 . 67 : drop }
+ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e };ok
+udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept };ok
diff --git a/tests/py/inet/vmap.t.json b/tests/py/inet/vmap.t.json
new file mode 100644
index 00000000..37472cc6
--- /dev/null
+++ b/tests/py/inet/vmap.t.json
@@ -0,0 +1,144 @@ +# iifname . ip protocol . th dport vmap { "eth0" . tcp . 22 : accept, "eth1" . udp . 67 : drop } +[ + { + "vmap": { + "data": { + "set": [ + [ + { + "concat": [ + "eth0", + 6, + 22 + ] + }, + { + "accept": null + } + ], + [ + { + "concat": [ + "eth1", + 17, + 67 + ] + }, + { + "drop": null + } + ] + ] + }, + "key": { + "concat": [ + { + "meta": { + "key": "iifname" + } + }, + { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + { + "payload": { + "field": "dport", + "protocol": "th" + } + } + ] + } + } + } +] + +# ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "base": "ih", + "len": 32, + "offset": 32 + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.1.1.1", + 20 + ] + }, + { + "concat": [ + "2.2.2.2", + 30 + ] + } + ] + } + } + } +] + +# udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept } +[ + { + "vmap": { + "data": { + "set": [ + [ + { + "concat": [ + { + "range": [ + 47, + 63 + ] + }, + "0xe373135363130333131303735353203" + ] + }, + { + "accept": null + } + ] + ] + }, + "key": { + "concat": [ + { + "payload": { + "field": "length", + "protocol": "udp" + } + }, + { + "payload": { + "base": "th", + "len": 128, + "offset": 160 + } + } + ] + } + } + } +] + diff --git a/tests/py/inet/vmap.t.payload b/tests/py/inet/vmap.t.payload new file mode 100644 index 00000000..29ec846d --- /dev/null +++ b/tests/py/inet/vmap.t.payload 
@@ -0,0 +1,34 @@
+# iifname . ip protocol . th dport vmap { "eth0" . tcp . 22 : accept, "eth1" . udp . 67 : drop }
+__map%d test-inet b size 2
+__map%d test-inet 0
+ element 30687465 00000000 00000000 00000000 00000006 00001600 : accept 0 [end] element 31687465 00000000 00000000 00000000 00000011 00004300 : drop 0 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ meta load iifname => reg 1 ]
+ [ payload load 1b @ network header + 9 => reg 2 ]
+ [ payload load 2b @ transport header + 2 => reg 13 ]
+ [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e }
+__set%d test-inet 3 size 2
+__set%d test-inet 0
+ element 01010101 14000000 : 0 [end] element 02020202 1e000000 : 0 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ payload load 4b @ inner header + 4 => reg 9 ]
+ [ lookup reg 1 set __set%d ]
+
+# udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept }
+__map%d x 8f size 1
+__map%d x 0
+ element 00002f00 3531370e 33303136 37303131 03323535 - 00003f00 3531370e 33303136 37303131 03323535 : accept 0 [end]
+inet x y
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 4 => reg 1 ]
+ [ payload load 16b @ transport header + 20 => reg 9 ]
+ [ lookup reg 1 set __map%d dreg 0 ]
+
diff --git a/tests/py/inet/vmap.t.payload.netdev b/tests/py/inet/vmap.t.payload.netdev
new file mode 100644
index 00000000..3f51bb33
--- /dev/null
+++ b/tests/py/inet/vmap.t.payload.netdev
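Review bot: The third expected payload in vmap.t.payload, for `udp length . @th,160,128 vmap { 47-63 . ... : accept }`, names table `x` and chain `y` (`__map%d x 8f size 1`, `__map%d x 0`, `inet x y`), while the two entries above it use `test-inet` and the vmap.t.payload.netdev copy of the same case uses `test-netdev`. This looks like output pasted from a manual run rather than from the harness; for consistency I would write `__map%d test-inet 8f size 1`, `__map%d test-inet 0` and `inet test-inet input`. Whether the runner compares these header lines cannot be told from this hunk: if it does, the case will mismatch, and if it does not, the stray names still mislead whoever regenerates or greps the fixture.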
@@ -0,0 +1,34 @@
+# iifname . ip protocol . th dport vmap { "eth0" . tcp . 22 : accept, "eth1" . udp . 67 : drop }
+__map%d test-netdev b size 2
+__map%d test-netdev 0
+ element 30687465 00000000 00000000 00000000 00000006 00001600 : accept 0 [end] element 31687465 00000000 00000000 00000000 00000011 00004300 : drop 0 [end]
+netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ meta load iifname => reg 1 ]
+ [ payload load 1b @ network header + 9 => reg 2 ]
+ [ payload load 2b @ transport header + 2 => reg 13 ]
+ [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e }
+__set%d test-netdev 3 size 2
+__set%d test-netdev 0
+ element 01010101 14000000 : 0 [end] element 02020202 1e000000 : 0 [end]
+netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ payload load 4b @ inner header + 4 => reg 9 ]
+ [ lookup reg 1 set __set%d ]
+
+# udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept }
+__map%d test-netdev 8f size 1
+__map%d test-netdev 0
+ element 00002f00 3531370e 33303136 37303131 03323535 - 00003f00 3531370e 33303136 37303131 03323535 : accept 0 [end]
+netdev test-netdev ingress
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 4 => reg 1 ]
+ [ payload load 16b @ transport header + 20 => reg 9 ]
+ [ lookup reg 1 set __map%d dreg 0 ]
+
diff --git a/tests/py/inet/vxlan.t b/tests/py/inet/vxlan.t
new file mode 100644
index 00000000..10cdb7a4
--- /dev/null
+++ b/tests/py/inet/vxlan.t
@@ -0,0 +1,23 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*ip6;test-ip6;input
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+vxlan vni 10;fail
+udp dport 4789 vxlan vni 10;ok
+udp dport 4789 vxlan ip saddr 10.141.11.2;ok
+udp dport 4789 vxlan ip saddr 10.141.11.0/24;ok
+udp dport 4789 vxlan ip protocol 1;ok
+udp dport 4789 vxlan udp sport 8888;ok
+udp dport 4789 vxlan icmp type echo-reply;ok
+udp dport 4789 vxlan ether saddr 62:87:4d:d6:19:05;ok
+udp dport 4789 vxlan vlan id 10;ok
+udp dport 4789 vxlan ip dscp 0x02;ok
+udp dport 4789 vxlan ip dscp 0x02;ok
+udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 };ok
+
+udp dport 4789 vxlan ip saddr set 1.2.3.4;fail
diff --git a/tests/py/inet/vxlan.t.json b/tests/py/inet/vxlan.t.json
new file mode 100644
index 00000000..91b3d294
--- /dev/null
+++ b/tests/py/inet/vxlan.t.json
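Review bot: `udp dport 4789 vxlan ip dscp 0x02;ok` is listed twice in a row in vxlan.t, and the vxlan.t.json hunk repeats the same expected output twice, while the vxlan.t.payload hunk carries a single dscp entry. The second copy adds no coverage, so I would drop it from both files or replace it with whatever distinct case was intended, which is not visible here. The two `;fail` lines are the negative cases that pin the parser's refusal of a bare `vxlan vni 10` and of `vxlan ip saddr set`; a one-line comment above each stating the reason, for example `# vxlan match needs the preceding udp dport context` (wording to be confirmed against the parser), would keep them from being removed as noise later.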
@@ -0,0 +1,344 @@ +# udp dport 4789 vxlan vni 10 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "vni", + "protocol": "vxlan", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": 10 + } + } +] + +# udp dport 4789 vxlan ip saddr 10.141.11.2 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": "10.141.11.2" + } + } +] + +# udp dport 4789 vxlan ip saddr 10.141.11.0/24 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": { + "prefix": { + "addr": "10.141.11.0", + "len": 24 + } + } + } + } +] + +# udp dport 4789 vxlan ip protocol 1 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": 1 + } + } +] + +# udp dport 4789 vxlan udp sport 8888 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "udp", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": 8888 + } + } +] + +# udp dport 4789 vxlan icmp type echo-reply +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": 
"icmp", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": "echo-reply" + } + } +] + +# udp dport 4789 vxlan ether saddr 62:87:4d:d6:19:05 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": "62:87:4d:d6:19:05" + } + } +] + +# udp dport 4789 vxlan vlan id 10 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": 10 + } + } +] + +# udp dport 4789 vxlan ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": 2 + } + } +] + +# udp dport 4789 vxlan ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": 2 + } + } +] + +# udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 } +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "vxlan" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip", + "tunnel": "vxlan" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + "4.3.2.1" + ] + } + ] + } + } + } +] + 
diff --git a/tests/py/inet/vxlan.t.payload b/tests/py/inet/vxlan.t.payload
new file mode 100644
index 00000000..cde8e56f
--- /dev/null
+++ b/tests/py/inet/vxlan.t.payload
@@ -0,0 +1,114 @@ +# udp dport 4789 vxlan vni 10 +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ payload load 3b @ unknown header + 4 => reg 1 ] ] + [ cmp eq reg 1 0x000a0000 ] + +# udp dport 4789 vxlan ip saddr 10.141.11.2 +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 1 hdrsize 8 flags f [ payload load 4b @ network header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x020b8d0a ] + +# udp dport 4789 vxlan ip saddr 10.141.11.0/24 +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 1 hdrsize 8 flags f [ payload load 3b @ network header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x000b8d0a ] + +# udp dport 4789 vxlan ip protocol 1 +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 1 hdrsize 8 flags f [ payload load 1b @ network header + 9 => reg 1 ] ] + [ cmp eq reg 1 0x00000001 ] + +# udp dport 4789 vxlan udp sport 8888 +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ meta load l4proto => reg 1 ] ] + [ cmp eq reg 1 0x00000011 ] + [ inner type 1 hdrsize 8 flags 
f [ payload load 2b @ transport header + 0 => reg 1 ] ] + [ cmp eq reg 1 0x0000b822 ] + +# udp dport 4789 vxlan icmp type echo-reply +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ payload load 2b @ link header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 1 hdrsize 8 flags f [ meta load l4proto => reg 1 ] ] + [ cmp eq reg 1 0x00000001 ] + [ inner type 1 hdrsize 8 flags f [ payload load 1b @ transport header + 0 => reg 1 ] ] + [ cmp eq reg 1 0x00000000 ] + +# udp dport 4789 vxlan ether saddr 62:87:4d:d6:19:05 +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ payload load 6b @ link header + 6 => reg 1 ] ] + [ cmp eq reg 1 0xd64d8762 0x00000519 ] + +# udp dport 4789 vxlan vlan id 10 +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ payload load 2b @ link header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x00000081 ] + [ inner type 1 hdrsize 8 flags f [ payload load 2b @ link header + 14 => reg 1 ] ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000a00 ] + +# udp dport 4789 vxlan ip dscp 0x02 +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 1 hdrsize 8 flags f [ payload load 1b @ network header + 1 => reg 1 ] ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000008 ] + +# udp dport 
4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 } +__set%d test-netdev 3 size 1 +__set%d test-netdev 0 + element 04030201 01020304 : 0 [end] +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 1 hdrsize 8 flags f [ payload load 4b @ network header + 12 => reg 1 ] ] + [ inner type 1 hdrsize 8 flags f [ payload load 4b @ network header + 16 => reg 9 ] ] + [ lookup reg 1 set __set%d ] + |