1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
|
*ip;test-ip4
*inet;test-inet
:input;type filter hook input priority 0
- ip version 2;ok
# bug ip hdrlength
- ip hdrlength 10;ok
- ip hdrlength != 5;ok
- ip hdrlength 5-8;ok
- ip hdrlength != 3-13;ok
- ip hdrlength {3, 5, 6, 8};ok
- ip hdrlength != {3, 5, 7, 8};ok
- ip hdrlength { 3-5};ok
- ip hdrlength != { 3-59};ok
# ip hdrlength 12
# <cmdline>:1:1-38: Error: Could not process rule: Invalid argument
# add rule ip test input ip hdrlength 12
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# <cmdline>:1:37-38: Error: Value 22 exceeds valid range 0-15
# add rule ip test input ip hdrlength 22
- ip dscp CS1;ok
- ip dscp != CS1;ok
- ip dscp 0x38;ok
- ip dscp != 0x20;ok
- ip dscp {CS1, CS2, CS3, CS4, CS5, CS6, CS7, BE, AF11, AF12, AF13, AF21, AF22, AF23, AF31, AF32, AF33, AF41, AF42, AF43, EF};ok
- ip dscp {0x08, 0x10, 0x18, 0x20, 0x28, 0x30, 0x38, 0x00, 0x0a, 0x0c, 0x0e, 0x12, 0x14, 0x16, 0x1a, 0x1c, 0x1e, 0x22, 0x24, 0x26, 0x2e};ok
- ip dscp != {CS0, CS3};ok
ip length 232;ok
ip length != 233;ok
ip length 333-435;ok
ip length != 333-453;ok
ip length { 333, 553, 673, 838};ok
- ip length != { 333, 535, 637, 883};ok
ip length { 333-535};ok
- ip length != { 333-553};ok
ip id 22;ok
ip id != 233;ok
ip id 33-45;ok
ip id != 33-45;ok
ip id { 33, 55, 67, 88};ok
- ip id != { 33, 55, 67, 88};ok
ip id { 33-55};ok
- ip id != { 33-55};ok
ip frag-off 222 accept;ok
ip frag-off != 233;ok
ip frag-off 33-45;ok
ip frag-off != 33-45;ok
ip frag-off { 33, 55, 67, 88};ok
- ip frag-off != { 33, 55, 67, 88};ok
ip frag-off { 33-55};ok
- ip frag-off != { 33-55};ok
ip ttl 0 drop;ok
ip ttl 233 log;ok
ip ttl 33-55;ok
ip ttl != 45-50;ok
ip ttl {43, 53, 45 };ok
- ip ttl != {46, 56, 93 };ok
# BUG: ip ttl != {46, 56, 93 };ok
# BUG: invalid expression type set
# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
ip ttl { 33-55};ok
- ip ttl != { 33-55};ok
ip protocol tcp log;ok;ip protocol 6 log
ip protocol != tcp log;ok;ip protocol != 6 log
ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept;ok;ip protocol { 33, 136, 17, 51, 50, 6, 132, 1, 108} accept
- ip protocol != { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept;ok
ip checksum 13172 drop;ok
ip checksum 22;ok
ip checksum != 233;ok
ip checksum 33-45;ok
ip checksum != 33-45;ok
ip checksum { 33, 55, 67, 88};ok
- ip checksum != { 33, 55, 67, 88};ok
ip checksum { 33-55};ok
- ip checksum != { 33-55};ok
ip saddr 192.168.2.0/24;ok
ip saddr != 192.168.2.0/24;ok
ip saddr 192.168.3.1 ip daddr 192.168.3.100;ok
ip saddr != 1.1.1.1 log prefix giuseppe;ok;ip saddr != 1.1.1.1 log prefix "giuseppe"
ip saddr 1.1.1.1 log prefix example group 1;ok;ip saddr 1.1.1.1 log prefix "example" group 1
ip daddr 192.168.0.1-192.168.0.250;ok
ip daddr 10.0.0.0-10.255.255.255;ok
ip daddr 172.16.0.0-172.31.255.255;ok
ip daddr 192.168.3.1-192.168.4.250;ok
ip daddr != 192.168.0.1-192.168.0.250;ok
ip daddr { 192.168.0.1-192.168.0.250};ok
- ip daddr != { 192.168.0.1-192.168.0.250};ok
ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept;ok
- ip daddr != { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept;ok
ip daddr 192.168.1.2-192.168.1.55;ok
ip daddr != 192.168.1.2-192.168.1.55;ok
ip saddr 192.168.1.3-192.168.33.55;ok
ip saddr != 192.168.1.3-192.168.33.55;ok
ip daddr 192.168.0.1;ok
ip daddr 192.168.0.1 drop;ok
ip daddr 192.168.0.2 log;ok
ip saddr \& 0xff == 1;ok;ip saddr & 0.0.0.255 == 0.0.0.1
ip saddr \& 0.0.0.255 \< 0.0.0.127;ok;ip saddr & 0.0.0.255 < 0.0.0.127
ip saddr \& 0xffff0000 == 0xffff0000;ok;ip saddr 255.255.0.0/16
ip version 4 ip hdrlength 5;ok
ip hdrlength 0;ok
ip hdrlength 15;ok
ip hdrlength 16;fail
|