summaryrefslogtreecommitdiffstats
path: root/tests/py/bridge
diff options
context:
space:
mode:
authorPhil Sutter <phil@nwl.cc>2018-05-08 13:08:45 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2018-05-11 12:17:45 +0200
commitd196dccf1853039656f15c8da94ad349a3b7d07c (patch)
treeada3c2446bd764efd12fed37ea7a9bc16ab4b328 /tests/py/bridge
parent875232bc3e6bf55cc31f3763449503a80a7c2382 (diff)
tests/py: Support testing JSON input and output as well
This extends nft-test.py by optional JSON testing capabilities, activated via '-j'/'--enable-json' parameter). JSON testing happens for all rules which are supposed to work: After a rule has been added and the existing tests (payload, ruleset listing output) have been performed, basically the same test is done again using a recorded JSON equivalent and (if necessary) a recorded listing output. The code tries to ease new test case creation overhead by auto-generating JSON equivalent input via listing the (non-JSON) rule in JSON format. Also, differing netlink debug and listing output are stored in *.got files to assist in analyzing/fixing failing test cases. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/py/bridge')
-rw-r--r--tests/py/bridge/ether.t.json180
-rw-r--r--tests/py/bridge/ether.t.json.output77
-rw-r--r--tests/py/bridge/icmpX.t.json82
-rw-r--r--tests/py/bridge/icmpX.t.json.output52
-rw-r--r--tests/py/bridge/meta.t.json23
-rw-r--r--tests/py/bridge/reject.t.json221
-rw-r--r--tests/py/bridge/reject.t.json.output260
-rw-r--r--tests/py/bridge/vlan.t.json468
8 files changed, 1363 insertions, 0 deletions
diff --git a/tests/py/bridge/ether.t.json b/tests/py/bridge/ether.t.json
new file mode 100644
index 00000000..89cd128c
--- /dev/null
+++ b/tests/py/bridge/ether.t.json
@@ -0,0 +1,180 @@
+# tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "name": "tcp"
+ }
+ },
+ "right": 22
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "meta": "iiftype"
+ },
+ "right": "ether"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "daddr",
+ "name": "ip"
+ }
+ },
+ "right": "1.2.3.4"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "name": "ether"
+ }
+ },
+ "right": "00:0f:54:0c:11:04"
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "name": "tcp"
+ }
+ },
+ "right": 22
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "daddr",
+ "name": "ip"
+ }
+ },
+ "right": "1.2.3.4"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "name": "ether"
+ }
+ },
+ "right": "00:0f:54:0c:11:04"
+ }
+ }
+]
+
+# tcp dport 22 ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "name": "tcp"
+ }
+ },
+ "right": 22
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "name": "ether"
+ }
+ },
+ "right": "00:0f:54:0c:11:04"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "daddr",
+ "name": "ip"
+ }
+ },
+ "right": "1.2.3.4"
+ }
+ }
+]
+
+# ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4 accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "name": "ether"
+ }
+ },
+ "right": "00:0f:54:0c:11:04"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "daddr",
+ "name": "ip"
+ }
+ },
+ "right": "1.2.3.4"
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# ether daddr 00:01:02:03:04:05 ether saddr set ff:fe:dc:ba:98:76 drop
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "daddr",
+ "name": "ether"
+ }
+ },
+ "right": "00:01:02:03:04:05"
+ }
+ },
+ {
+ "mangle": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "name": "ether"
+ }
+ },
+ "right": "ff:fe:dc:ba:98:76"
+ }
+ },
+ {
+ "drop": null
+ }
+]
+
diff --git a/tests/py/bridge/ether.t.json.output b/tests/py/bridge/ether.t.json.output
new file mode 100644
index 00000000..f68748cb
--- /dev/null
+++ b/tests/py/bridge/ether.t.json.output
@@ -0,0 +1,77 @@
+# tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "name": "tcp"
+ }
+ },
+ "right": 22
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "name": "ether"
+ }
+ },
+ "right": "00:0f:54:0c:11:04"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "daddr",
+ "name": "ip"
+ }
+ },
+ "right": "1.2.3.4"
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "name": "tcp"
+ }
+ },
+ "right": 22
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "name": "ether"
+ }
+ },
+ "right": "00:0f:54:0c:11:04"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "daddr",
+ "name": "ip"
+ }
+ },
+ "right": "1.2.3.4"
+ }
+ }
+]
+
diff --git a/tests/py/bridge/icmpX.t.json b/tests/py/bridge/icmpX.t.json
new file mode 100644
index 00000000..77638825
--- /dev/null
+++ b/tests/py/bridge/icmpX.t.json
@@ -0,0 +1,82 @@
+# ip protocol icmp icmp type echo-request
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "protocol",
+ "name": "ip"
+ }
+ },
+ "right": "icmp"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "name": "icmp"
+ }
+ },
+ "right": "echo-request"
+ }
+ }
+]
+
+# icmp type echo-request
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "name": "icmp"
+ }
+ },
+ "right": "echo-request"
+ }
+ }
+]
+
+# ip6 nexthdr icmpv6 icmpv6 type echo-request
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "nexthdr",
+ "name": "ip6"
+ }
+ },
+ "right": "icmpv6"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "name": "icmpv6"
+ }
+ },
+ "right": "echo-request"
+ }
+ }
+]
+
+# icmpv6 type echo-request
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "name": "icmpv6"
+ }
+ },
+ "right": "echo-request"
+ }
+ }
+]
+
diff --git a/tests/py/bridge/icmpX.t.json.output b/tests/py/bridge/icmpX.t.json.output
new file mode 100644
index 00000000..e2695750
--- /dev/null
+++ b/tests/py/bridge/icmpX.t.json.output
@@ -0,0 +1,52 @@
+# ip protocol icmp icmp type echo-request
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "protocol",
+ "name": "ip"
+ }
+ },
+ "right": 1
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "name": "icmp"
+ }
+ },
+ "right": "echo-request"
+ }
+ }
+]
+
+# ip6 nexthdr icmpv6 icmpv6 type echo-request
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "nexthdr",
+ "name": "ip6"
+ }
+ },
+ "right": 58
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "name": "icmpv6"
+ }
+ },
+ "right": "echo-request"
+ }
+ }
+]
+
diff --git a/tests/py/bridge/meta.t.json b/tests/py/bridge/meta.t.json
new file mode 100644
index 00000000..dad5c6e1
--- /dev/null
+++ b/tests/py/bridge/meta.t.json
@@ -0,0 +1,23 @@
+# meta obrname "br0"
+[
+ {
+ "match": {
+ "left": {
+ "meta": "obrname"
+ },
+ "right": "br0"
+ }
+ }
+]
+
+# meta ibrname "br0"
+[
+ {
+ "match": {
+ "left": {
+ "meta": "ibrname"
+ },
+ "right": "br0"
+ }
+ }
+]
diff --git a/tests/py/bridge/reject.t.json b/tests/py/bridge/reject.t.json
new file mode 100644
index 00000000..aa716f80
--- /dev/null
+++ b/tests/py/bridge/reject.t.json
@@ -0,0 +1,221 @@
+# reject with icmp type host-unreachable
+[
+ {
+ "reject": {
+ "expr": "host-unreachable",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmp type net-unreachable
+[
+ {
+ "reject": {
+ "expr": "net-unreachable",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmp type prot-unreachable
+[
+ {
+ "reject": {
+ "expr": "prot-unreachable",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmp type port-unreachable
+[
+ {
+ "reject": {
+ "expr": "port-unreachable",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmp type net-prohibited
+[
+ {
+ "reject": {
+ "expr": "net-prohibited",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmp type host-prohibited
+[
+ {
+ "reject": {
+ "expr": "host-prohibited",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmp type admin-prohibited
+[
+ {
+ "reject": {
+ "expr": "admin-prohibited",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmpv6 type no-route
+[
+ {
+ "reject": {
+ "expr": "no-route",
+ "type": "icmpv6"
+ }
+ }
+]
+
+# reject with icmpv6 type admin-prohibited
+[
+ {
+ "reject": {
+ "expr": "admin-prohibited",
+ "type": "icmpv6"
+ }
+ }
+]
+
+# reject with icmpv6 type addr-unreachable
+[
+ {
+ "reject": {
+ "expr": "addr-unreachable",
+ "type": "icmpv6"
+ }
+ }
+]
+
+# reject with icmpv6 type port-unreachable
+[
+ {
+ "reject": {
+ "expr": "port-unreachable",
+ "type": "icmpv6"
+ }
+ }
+]
+
+# mark 12345 ip protocol tcp reject with tcp reset
+[
+ {
+ "match": {
+ "left": {
+ "meta": "mark"
+ },
+ "right": 12345
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "protocol",
+ "name": "ip"
+ }
+ },
+ "right": "tcp"
+ }
+ },
+ {
+ "reject": {
+ "type": "tcp reset"
+ }
+ }
+]
+
+# reject
+[
+ {
+ "reject": null
+ }
+]
+
+# ether type ip reject
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "name": "ether"
+ }
+ },
+ "right": "ip"
+ }
+ },
+ {
+ "reject": null
+ }
+]
+
+# ether type ip6 reject
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "name": "ether"
+ }
+ },
+ "right": "ip6"
+ }
+ },
+ {
+ "reject": null
+ }
+]
+
+# reject with icmpx type host-unreachable
+[
+ {
+ "reject": {
+ "expr": "host-unreachable",
+ "type": "icmpx"
+ }
+ }
+]
+
+# reject with icmpx type no-route
+[
+ {
+ "reject": {
+ "expr": "no-route",
+ "type": "icmpx"
+ }
+ }
+]
+
+# reject with icmpx type admin-prohibited
+[
+ {
+ "reject": {
+ "expr": "admin-prohibited",
+ "type": "icmpx"
+ }
+ }
+]
+
+# reject with icmpx type port-unreachable
+[
+ {
+ "reject": {
+ "expr": "port-unreachable",
+ "type": "icmpx"
+ }
+ }
+]
+
diff --git a/tests/py/bridge/reject.t.json.output b/tests/py/bridge/reject.t.json.output
new file mode 100644
index 00000000..6effd179
--- /dev/null
+++ b/tests/py/bridge/reject.t.json.output
@@ -0,0 +1,260 @@
+# reject with icmp type host-unreachable
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "name": "ether"
+ }
+ },
+ "right": "ip"
+ }
+ },
+ {
+ "reject": {
+ "expr": "host-unreachable",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmp type net-unreachable
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "name": "ether"
+ }
+ },
+ "right": "ip"
+ }
+ },
+ {
+ "reject": {
+ "expr": "net-unreachable",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmp type prot-unreachable
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "name": "ether"
+ }
+ },
+ "right": "ip"
+ }
+ },
+ {
+ "reject": {
+ "expr": "prot-unreachable",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmp type port-unreachable
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "name": "ether"
+ }
+ },
+ "right": "ip"
+ }
+ },
+ {
+ "reject": null
+ }
+]
+
+# reject with icmp type net-prohibited
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "name": "ether"
+ }
+ },
+ "right": "ip"
+ }
+ },
+ {
+ "reject": {
+ "expr": "net-prohibited",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmp type host-prohibited
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "name": "ether"
+ }
+ },
+ "right": "ip"
+ }
+ },
+ {
+ "reject": {
+ "expr": "host-prohibited",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmp type admin-prohibited
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "name": "ether"
+ }
+ },
+ "right": "ip"
+ }
+ },
+ {
+ "reject": {
+ "expr": "admin-prohibited",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmpv6 type no-route
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "name": "ether"
+ }
+ },
+ "right": "ip6"
+ }
+ },
+ {
+ "reject": {
+ "expr": "no-route",
+ "type": "icmpv6"
+ }
+ }
+]
+
+# reject with icmpv6 type admin-prohibited
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "name": "ether"
+ }
+ },
+ "right": "ip6"
+ }
+ },
+ {
+ "reject": {
+ "expr": "admin-prohibited",
+ "type": "icmpv6"
+ }
+ }
+]
+
+# reject with icmpv6 type addr-unreachable
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "name": "ether"
+ }
+ },
+ "right": "ip6"
+ }
+ },
+ {
+ "reject": {
+ "expr": "addr-unreachable",
+ "type": "icmpv6"
+ }
+ }
+]
+
+# reject with icmpv6 type port-unreachable
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "name": "ether"
+ }
+ },
+ "right": "ip6"
+ }
+ },
+ {
+ "reject": null
+ }
+]
+
+# mark 12345 ip protocol tcp reject with tcp reset
+[
+ {
+ "match": {
+ "left": {
+ "meta": "mark"
+ },
+ "right": 12345
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "protocol",
+ "name": "ip"
+ }
+ },
+ "right": 6
+ }
+ },
+ {
+ "reject": {
+ "type": "tcp reset"
+ }
+ }
+]
+
+# reject with icmpx type port-unreachable
+[
+ {
+ "reject": null
+ }
+]
+
diff --git a/tests/py/bridge/vlan.t.json b/tests/py/bridge/vlan.t.json
new file mode 100644
index 00000000..b57deca7
--- /dev/null
+++ b/tests/py/bridge/vlan.t.json
@@ -0,0 +1,468 @@
+# vlan id 4094
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "id",
+ "name": "vlan"
+ }
+ },
+ "right": 4094
+ }
+ }
+]
+
+# vlan id 0
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "id",
+ "name": "vlan"
+ }
+ },
+ "right": 0
+ }
+ }
+]
+
+# vlan id 4094 vlan cfi 0
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "id",
+ "name": "vlan"
+ }
+ },
+ "right": 4094
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "cfi",
+ "name": "vlan"
+ }
+ },
+ "right": 0
+ }
+ }
+]
+
+# vlan id 4094 vlan cfi != 1
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "id",
+ "name": "vlan"
+ }
+ },
+ "right": 4094
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "cfi",
+ "name": "vlan"
+ }
+ },
+ "op": "!=",
+ "right": 1
+ }
+ }
+]
+
+# vlan id 4094 vlan cfi 1
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "id",
+ "name": "vlan"
+ }
+ },
+ "right": 4094
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "cfi",
+ "name": "vlan"
+ }
+ },
+ "right": 1
+ }
+ }
+]
+
+# vlan id 4094 vlan cfi 1 vlan pcp 7
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "id",
+ "name": "vlan"
+ }
+ },
+ "right": 4094
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "cfi",
+ "name": "vlan"
+ }
+ },
+ "right": 1
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "pcp",
+ "name": "vlan"
+ }
+ },
+ "right": 7
+ }
+ }
+]
+
+# vlan id 4094 vlan cfi 1 vlan pcp 3
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "id",
+ "name": "vlan"
+ }
+ },
+ "right": 4094
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "cfi",
+ "name": "vlan"
+ }
+ },
+ "right": 1
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "pcp",
+ "name": "vlan"
+ }
+ },
+ "right": 3
+ }
+ }
+]
+
+# ether type vlan vlan id 4094
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "id",
+ "name": "vlan"
+ }
+ },
+ "right": 4094
+ }
+ }
+]
+
+# ether type vlan vlan id 0
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "id",
+ "name": "vlan"
+ }
+ },
+ "right": 0
+ }
+ }
+]
+
+# ether type vlan vlan id 4094 vlan cfi 0
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "id",
+ "name": "vlan"
+ }
+ },
+ "right": 4094
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "cfi",
+ "name": "vlan"
+ }
+ },
+ "right": 0
+ }
+ }
+]
+
+# ether type vlan vlan id 4094 vlan cfi 1
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "id",
+ "name": "vlan"
+ }
+ },
+ "right": 4094
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "cfi",
+ "name": "vlan"
+ }
+ },
+ "right": 1
+ }
+ }
+]
+
+# vlan id 4094 tcp dport 22
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "id",
+ "name": "vlan"
+ }
+ },
+ "right": 4094
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "name": "tcp"
+ }
+ },
+ "right": 22
+ }
+ }
+]
+
+# vlan id 1 ip saddr 10.0.0.1
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "id",
+ "name": "vlan"
+ }
+ },
+ "right": 1
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "name": "ip"
+ }
+ },
+ "right": "10.0.0.1"
+ }
+ }
+]
+
+# vlan id 1 ip saddr 10.0.0.0/23
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "id",
+ "name": "vlan"
+ }
+ },
+ "right": 1
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "name": "ip"
+ }
+ },
+ "right": {
+ "prefix": {
+ "addr": "10.0.0.0",
+ "len": 23
+ }
+ }
+ }
+ }
+]
+
+# vlan id 1 ip saddr 10.0.0.0/23 udp dport 53
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "id",
+ "name": "vlan"
+ }
+ },
+ "right": 1
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "name": "ip"
+ }
+ },
+ "right": {
+ "prefix": {
+ "addr": "10.0.0.0",
+ "len": 23
+ }
+ }
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "name": "udp"
+ }
+ },
+ "right": 53
+ }
+ }
+]
+
+# ether type vlan vlan id 1 ip saddr 10.0.0.0/23 udp dport 53
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "id",
+ "name": "vlan"
+ }
+ },
+ "right": 1
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "name": "ip"
+ }
+ },
+ "right": {
+ "prefix": {
+ "addr": "10.0.0.0",
+ "len": 23
+ }
+ }
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "name": "udp"
+ }
+ },
+ "right": 53
+ }
+ }
+]
+
+# vlan id { 1, 2, 4, 100, 4095 } vlan pcp 1-3
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "id",
+ "name": "vlan"
+ }
+ },
+ "right": {
+ "set": [
+ 1,
+ 2,
+ 4,
+ 100,
+ 4095
+ ]
+ }
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "pcp",
+ "name": "vlan"
+ }
+ },
+ "right": {
+ "range": [ 1, 3 ]
+ }
+ }
+ }
+]
+