tests: validate generated netlink instructions

compare netlink instructions generated by given nft command line with recorded version. Example: udp dport 80 accept in ip family should look like ip test-ip4 input [ payload load 1b @ network header + 9 => reg 1 ] [ cmp eq reg 1 0x00000011 ] [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x00005000 ] [ immediate reg 0 accept ] This is stored in udp.t.payload.ip Other suffixes: .payload.ip6 .payload.inet .payload ('any') The test script first looks for 'testname.t.payload.$family', if that doesn't exist 'testname.t.payload' is used. This allows for family independent test (e.g. meta), where we don't expect/have any family specific expressions. Signed-off-by: Florian Westphal <fw@strlen.de>
author: Florian Westphal <fw@strlen.de> 2015-07-10 11:56:31 +0200
committer: Florian Westphal <fw@strlen.de> 2015-07-20 17:26:37 +0200
commit: 0abfb2b7e01ca07efe1be16a1a5bd8925340dc41 (patch)
tree: 0b4b3f892c990e66f4a01a5d5ba15d3a9c720d47 /tests/regression/ip
parent: efd09355038d53fdd3841ab5ccae1543c4967daf (diff)
10 files changed, 1735 insertions, 0 deletions
diff --git a/tests/regression/ip/dnat.t.payload.ip b/tests/regression/ip/dnat.t.payload.ip
new file mode 100644
index 00000000..93c4d68b
--- /dev/null
+++ b/tests/regression/ip/dnat.t.payload.ip
@@ -0,0 +1,50 @@
+# iifname "eth0" tcp dport 80-90 dnat 192.168.3.2
+ip test-ip4 prerouting
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp gte reg 1 0x00005000 ]
+  [ cmp lte reg 1 0x00005a00 ]
+  [ immediate reg 1 0x0203a8c0 ]
+  [ nat dnat ip addr_min reg 1 addr_max reg 0 ]
+
+# iifname "eth0" tcp dport != 80-90 dnat 192.168.3.2
+ip test-ip4 prerouting
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp lt reg 1 0x00005000 ]
+  [ cmp gt reg 1 0x00005a00 ]
+  [ immediate reg 1 0x0203a8c0 ]
+  [ nat dnat ip addr_min reg 1 addr_max reg 0 ]
+
+# iifname "eth0" tcp dport {80, 90, 23} dnat 192.168.3.2
+set%d test-ip4 3
+set%d test-ip4 0
+	element 00005000  : 0 [end]	element 00005a00  : 0 [end]	element 00001700  : 0 [end]
+ip test-ip4 prerouting
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+  [ immediate reg 1 0x0203a8c0 ]
+  [ nat dnat ip addr_min reg 1 addr_max reg 0 ]
+
+# iifname "eth0" tcp dport != 23-34 dnat 192.168.3.2
+ip test-ip4 prerouting
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp lt reg 1 0x00001700 ]
+  [ cmp gt reg 1 0x00002200 ]
+  [ immediate reg 1 0x0203a8c0 ]
+  [ nat dnat ip addr_min reg 1 addr_max reg 0 ]
+
diff --git a/tests/regression/ip/icmp.t.payload.ip b/tests/regression/ip/icmp.t.payload.ip
new file mode 100644
index 00000000..a6071a65
--- /dev/null
+++ b/tests/regression/ip/icmp.t.payload.ip
@@ -0,0 +1,463 @@
+# icmp type echo-reply accept
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+  [ immediate reg 0 accept ]
+
+# icmp type destination-unreachable accept
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000003 ]
+  [ immediate reg 0 accept ]
+
+# icmp type source-quench accept
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000004 ]
+  [ immediate reg 0 accept ]
+
+# icmp type redirect accept
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000005 ]
+  [ immediate reg 0 accept ]
+
+# icmp type echo-request accept
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ immediate reg 0 accept ]
+
+# icmp type time-exceeded accept
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x0000000b ]
+  [ immediate reg 0 accept ]
+
+# icmp type parameter-problem accept
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x0000000c ]
+  [ immediate reg 0 accept ]
+
+# icmp type timestamp-request accept
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x0000000d ]
+  [ immediate reg 0 accept ]
+
+# icmp type timestamp-reply accept
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x0000000e ]
+  [ immediate reg 0 accept ]
+
+# icmp type info-request accept
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x0000000f ]
+  [ immediate reg 0 accept ]
+
+# icmp type info-reply accept
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000010 ]
+  [ immediate reg 0 accept ]
+
+# icmp type address-mask-request accept
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ immediate reg 0 accept ]
+
+# icmp type address-mask-reply accept
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000012 ]
+  [ immediate reg 0 accept ]
+
+# icmp type {echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply} accept
+set%d test-ip4 3
+set%d test-ip4 0
+	element 00000000  : 0 [end]	element 00000003  : 0 [end]	element 00000004  : 0 [end]	element 00000005  : 0 [end]	element 00000008  : 0 [end]	element 0000000b  : 0 [end]	element 0000000c  : 0 [end]	element 0000000d  : 0 [end]	element 0000000e  : 0 [end]	element 0000000f  : 0 [end]	element 00000010  : 0 [end]	element 00000011  : 0 [end]	element 00000012  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+  [ immediate reg 0 accept ]
+
+# icmp code 111 accept
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ cmp eq reg 1 0x0000006f ]
+  [ immediate reg 0 accept ]
+
+# icmp code != 111 accept
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ cmp neq reg 1 0x0000006f ]
+  [ immediate reg 0 accept ]
+
+# icmp code 33-55
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x00000037 ]
+
+# icmp code != 33-55
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ cmp lt reg 1 0x00000021 ]
+  [ cmp gt reg 1 0x00000037 ]
+
+# icmp code { 33-55}
+set%d test-ip4 7
+set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+
+# icmp code { 2, 4, 54, 33, 56}
+set%d test-ip4 3
+set%d test-ip4 0
+	element 00000002  : 0 [end]	element 00000004  : 0 [end]	element 00000036  : 0 [end]	element 00000021  : 0 [end]	element 00000038  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+
+# icmp checksum 12343 accept
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003730 ]
+  [ immediate reg 0 accept ]
+
+# icmp checksum != 12343 accept
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp neq reg 1 0x00003730 ]
+  [ immediate reg 0 accept ]
+
+# icmp checksum 11-343 accept
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp gte reg 1 0x00000b00 ]
+  [ cmp lte reg 1 0x00005701 ]
+  [ immediate reg 0 accept ]
+
+# icmp checksum != 11-343 accept
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp lt reg 1 0x00000b00 ]
+  [ cmp gt reg 1 0x00005701 ]
+  [ immediate reg 0 accept ]
+
+# icmp checksum { 11-343} accept
+set%d test-ip4 7
+set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00000b00  : 0 [end]	element 00005801  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+  [ immediate reg 0 accept ]
+
+# icmp checksum { 1111, 222, 343} accept
+set%d test-ip4 3
+set%d test-ip4 0
+	element 00005704  : 0 [end]	element 0000de00  : 0 [end]	element 00005701  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+  [ immediate reg 0 accept ]
+
+# icmp id 1245 log
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ cmp eq reg 1 0x0000dd04 ]
+  [ log prefix (null) ]
+
+# icmp id 22
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# icmp id != 233
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# icmp id 33-45
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# icmp id != 33-45
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ cmp lt reg 1 0x00002100 ]
+  [ cmp gt reg 1 0x00002d00 ]
+
+# icmp id { 33-55}
+set%d test-ip4 7
+set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+
+# icmp id { 22, 34, 333}
+set%d test-ip4 3
+set%d test-ip4 0
+	element 00001600  : 0 [end]	element 00002200  : 0 [end]	element 00004d01  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+
+# icmp sequence 22
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# icmp sequence != 233
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# icmp sequence 33-45
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# icmp sequence != 33-45
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ cmp lt reg 1 0x00002100 ]
+  [ cmp gt reg 1 0x00002d00 ]
+
+# icmp sequence { 33, 55, 67, 88}
+set%d test-ip4 3
+set%d test-ip4 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+
+# icmp sequence { 33-55}
+set%d test-ip4 7
+set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+
+# icmp mtu 33
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00002100 ]
+
+# icmp mtu 22-33
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ cmp gte reg 1 0x00001600 ]
+  [ cmp lte reg 1 0x00002100 ]
+
+# icmp mtu { 22-33}
+set%d test-ip4 7
+set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00001600  : 0 [end]	element 00002200  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+
+# icmp mtu 22
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# icmp mtu != 233
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# icmp mtu 33-45
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# icmp mtu != 33-45
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ cmp lt reg 1 0x00002100 ]
+  [ cmp gt reg 1 0x00002d00 ]
+
+# icmp mtu { 33, 55, 67, 88}
+set%d test-ip4 3
+set%d test-ip4 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+
+# icmp mtu { 33-55}
+set%d test-ip4 7
+set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+
+# icmp gateway 22
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ cmp eq reg 1 0x16000000 ]
+
+# icmp gateway != 233
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ cmp neq reg 1 0xe9000000 ]
+
+# icmp gateway 33-45
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ cmp gte reg 1 0x21000000 ]
+  [ cmp lte reg 1 0x2d000000 ]
+
+# icmp gateway != 33-45
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ cmp lt reg 1 0x21000000 ]
+  [ cmp gt reg 1 0x2d000000 ]
+
+# icmp gateway { 33, 55, 67, 88}
+set%d test-ip4 3
+set%d test-ip4 0
+	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+
+# icmp gateway { 33-55}
+set%d test-ip4 7
+set%d test-ip4 0
+	element 00000000  : 1 [end]	element 21000000  : 0 [end]	element 38000000  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+
+# icmp gateway != 34
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ cmp neq reg 1 0x22000000 ]
+
diff --git a/tests/regression/ip/ip.t.payload b/tests/regression/ip/ip.t.payload
new file mode 100644
index 00000000..18db172a
--- /dev/null
+++ b/tests/regression/ip/ip.t.payload
@@ -0,0 +1,337 @@
+# ip length 232
+ip test-ip4 input
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000e800 ]
+
+# ip length != 233
+ip test-ip4 input
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# ip length 333-435
+ip test-ip4 input
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ cmp gte reg 1 0x00004d01 ]
+  [ cmp lte reg 1 0x0000b301 ]
+
+# ip length != 333-453
+ip test-ip4 input
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ cmp lt reg 1 0x00004d01 ]
+  [ cmp gt reg 1 0x0000c501 ]
+
+# ip length { 333, 553, 673, 838}
+set%d test-ip4 3
+set%d test-ip4 0
+	element 00004d01  : 0 [end]	element 00002902  : 0 [end]	element 0000a102  : 0 [end]	element 00004603  : 0 [end]
+ip test-ip4 input
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+
+# ip length { 333-535}
+set%d test-ip4 7
+set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00004d01  : 0 [end]	element 00001802  : 1 [end]
+ip test-ip4 input
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+
+# ip id 22
+ip test-ip4 input
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# ip id != 233
+ip test-ip4 input
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# ip id 33-45
+ip test-ip4 input
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# ip id != 33-45
+ip test-ip4 input
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ cmp lt reg 1 0x00002100 ]
+  [ cmp gt reg 1 0x00002d00 ]
+
+# ip id { 33, 55, 67, 88}
+set%d test-ip4 3
+set%d test-ip4 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip test-ip4 input
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+
+# ip id { 33-55}
+set%d test-ip4 7
+set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+ip test-ip4 input
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+
+# ip frag-off 222 accept
+ip test-ip4 input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0000de00 ]
+  [ immediate reg 0 accept ]
+
+# ip frag-off != 233
+ip test-ip4 input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# ip frag-off 33-45
+ip test-ip4 input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# ip frag-off != 33-45
+ip test-ip4 input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp lt reg 1 0x00002100 ]
+  [ cmp gt reg 1 0x00002d00 ]
+
+# ip frag-off { 33, 55, 67, 88}
+set%d test-ip4 3
+set%d test-ip4 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip test-ip4 input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+
+# ip frag-off { 33-55}
+set%d test-ip4 7
+set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+ip test-ip4 input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+
+# ip ttl 0 drop
+ip test-ip4 input
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+  [ immediate reg 0 drop ]
+
+# ip ttl 233 log
+ip test-ip4 input
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x000000e9 ]
+  [ log prefix (null) ]
+
+# ip ttl 33-55
+ip test-ip4 input
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x00000037 ]
+
+# ip ttl != 45-50
+ip test-ip4 input
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ cmp lt reg 1 0x0000002d ]
+  [ cmp gt reg 1 0x00000032 ]
+
+# ip ttl {43, 53, 45 }
+set%d test-ip4 3
+set%d test-ip4 0
+	element 0000002b  : 0 [end]	element 00000035  : 0 [end]	element 0000002d  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+
+# ip ttl { 33-55}
+set%d test-ip4 7
+set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+
+# ip protocol tcp log
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ log prefix (null) ]
+
+# ip protocol != tcp log
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp neq reg 1 0x00000006 ]
+  [ log prefix (null) ]
+
+# ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept
+set%d test-ip4 3
+set%d test-ip4 0
+	element 00000001  : 0 [end]	element 00000032  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+  [ immediate reg 0 accept ]
+
+# ip checksum 13172 drop
+ip test-ip4 input
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ cmp eq reg 1 0x00007433 ]
+  [ immediate reg 0 drop ]
+
+# ip checksum 22
+ip test-ip4 input
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# ip checksum != 233
+ip test-ip4 input
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# ip checksum 33-45
+ip test-ip4 input
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# ip checksum != 33-45
+ip test-ip4 input
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ cmp lt reg 1 0x00002100 ]
+  [ cmp gt reg 1 0x00002d00 ]
+
+# ip checksum { 33, 55, 67, 88}
+set%d test-ip4 3
+set%d test-ip4 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip test-ip4 input
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+
+# ip checksum { 33-55}
+set%d test-ip4 7
+set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+ip test-ip4 input
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+
+# ip saddr 192.168.2.0/24
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0002a8c0 ]
+
+# ip saddr != 192.168.2.0/24
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x0002a8c0 ]
+
+# ip saddr 192.168.3.1 ip daddr 192.168.3.100
+ip test-ip4 input
+  [ payload load 8b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x0103a8c0 0x6403a8c0 ]
+
+# ip saddr != 1.1.1.1 log prefix giuseppe
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp neq reg 1 0x01010101 ]
+  [ log prefix giuseppe ]
+
+# ip saddr 1.1.1.1 log prefix example group 1
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x01010101 ]
+  [ log prefix example group 1 snaplen 0 qthreshold 0]
+
+# ip daddr 192.168.0.1-192.168.0.250
+ip test-ip4 input
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp gte reg 1 0x0100a8c0 ]
+  [ cmp lte reg 1 0xfa00a8c0 ]
+
+# ip daddr 10.0.0.0-10.255.255.255
+ip test-ip4 input
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp gte reg 1 0x0000000a ]
+  [ cmp lte reg 1 0xffffff0a ]
+
+# ip daddr 172.16.0.0-172.31.255.255
+ip test-ip4 input
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp gte reg 1 0x000010ac ]
+  [ cmp lte reg 1 0xffff1fac ]
+
+# ip daddr 192.168.3.1-192.168.4.250
+ip test-ip4 input
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp gte reg 1 0x0103a8c0 ]
+  [ cmp lte reg 1 0xfa04a8c0 ]
+
+# ip daddr != 192.168.0.1-192.168.0.250
+ip test-ip4 input
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp lt reg 1 0x0100a8c0 ]
+  [ cmp gt reg 1 0xfa00a8c0 ]
+
+# ip daddr { 192.168.0.1-192.168.0.250}
+set%d test-ip4 7
+set%d test-ip4 0
+	element 00000000  : 1 [end]	element 0100a8c0  : 0 [end]	element fb00a8c0  : 1 [end]
+ip test-ip4 input
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+
+# ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept
+set%d test-ip4 3
+set%d test-ip4 0
+	element 0105a8c0  : 0 [end]	element 0205a8c0  : 0 [end]	element 0305a8c0  : 0 [end]
+ip test-ip4 input
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+  [ immediate reg 0 accept ]
+
+# ip daddr 192.168.1.2-192.168.1.55
+ip test-ip4 input
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp gte reg 1 0x0201a8c0 ]
+  [ cmp lte reg 1 0x3701a8c0 ]
+
+# ip daddr != 192.168.1.2-192.168.1.55
+ip test-ip4 input
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp lt reg 1 0x0201a8c0 ]
+  [ cmp gt reg 1 0x3701a8c0 ]
+
+# ip saddr 192.168.1.3-192.168.33.55
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp gte reg 1 0x0301a8c0 ]
+  [ cmp lte reg 1 0x3721a8c0 ]
+
+# ip saddr != 192.168.1.3-192.168.33.55
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp lt reg 1 0x0301a8c0 ]
+  [ cmp gt reg 1 0x3721a8c0 ]
+
+# ip daddr 192.168.0.1
+ip test-ip4 input
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x0100a8c0 ]
+
+# ip daddr 192.168.0.1 drop
+ip test-ip4 input
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x0100a8c0 ]
+  [ immediate reg 0 drop ]
+
+# ip daddr 192.168.0.2 log
+ip test-ip4 input
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x0200a8c0 ]
+  [ log prefix (null) ]
+
diff --git a/tests/regression/ip/ip.t.payload.inet b/tests/regression/ip/ip.t.payload.inet
new file mode 100644
index 00000000..be635cdb
--- /dev/null
+++ b/tests/regression/ip/ip.t.payload.inet
@@ -0,0 +1,443 @@
+# ip length 232
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000e800 ]
+
+# ip length != 233
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# ip length 333-435
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ cmp gte reg 1 0x00004d01 ]
+  [ cmp lte reg 1 0x0000b301 ]
+
+# ip length != 333-453
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ cmp lt reg 1 0x00004d01 ]
+  [ cmp gt reg 1 0x0000c501 ]
+
+# ip length { 333, 553, 673, 838}
+set%d test-inet 3
+set%d test-inet 0
+	element 00004d01  : 0 [end]	element 00002902  : 0 [end]	element 0000a102  : 0 [end]	element 00004603  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+
+# ip length { 333-535}
+set%d test-inet 7
+set%d test-inet 0
+	element 00000000  : 1 [end]	element 00004d01  : 0 [end]	element 00001802  : 1 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+
+# ip id 22
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# ip id != 233
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# ip id 33-45
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# ip id != 33-45
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ cmp lt reg 1 0x00002100 ]
+  [ cmp gt reg 1 0x00002d00 ]
+
+# ip id { 33, 55, 67, 88}
+set%d test-inet 3
+set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+
+# ip id { 33-55}
+set%d test-inet 7
+set%d test-inet 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+
+# ip frag-off 222 accept
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0000de00 ]
+  [ immediate reg 0 accept ]
+
+# ip frag-off != 233
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# ip frag-off 33-45
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# ip frag-off != 33-45
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp lt reg 1 0x00002100 ]
+  [ cmp gt reg 1 0x00002d00 ]
+
+# ip frag-off { 33, 55, 67, 88}
+set%d test-inet 3
+set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+
+# ip frag-off { 33-55}
+set%d test-inet 7
+set%d test-inet 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+
+# ip ttl 0 drop
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+  [ immediate reg 0 drop ]
+
+# ip ttl 233 log
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x000000e9 ]
+  [ log prefix (null) ]
+
+# ip ttl 33-55
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x00000037 ]
+
+# ip ttl != 45-50
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ cmp lt reg 1 0x0000002d ]
+  [ cmp gt reg 1 0x00000032 ]
+
+# ip ttl {43, 53, 45 }
+set%d test-inet 3
+set%d test-inet 0
+	element 0000002b  : 0 [end]	element 00000035  : 0 [end]	element 0000002d  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+
+# ip ttl { 33-55}
+set%d test-inet 7
+set%d test-inet 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+
+# ip protocol tcp log
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ log prefix (null) ]
+
+# ip protocol != tcp log
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp neq reg 1 0x00000006 ]
+  [ log prefix (null) ]
+
+# ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept
+set%d test-inet 3
+set%d test-inet 0
+	element 00000001  : 0 [end]	element 00000032  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+  [ immediate reg 0 accept ]
+
+# ip checksum 13172 drop
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ cmp eq reg 1 0x00007433 ]
+  [ immediate reg 0 drop ]
+
+# ip checksum 22
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# ip checksum != 233
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# ip checksum 33-45
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# ip checksum != 33-45
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ cmp lt reg 1 0x00002100 ]
+  [ cmp gt reg 1 0x00002d00 ]
+
+# ip checksum { 33, 55, 67, 88}
+set%d test-inet 3
+set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+
+# ip checksum { 33-55}
+set%d test-inet 7
+set%d test-inet 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+
+# ip saddr 192.168.2.0/24
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0002a8c0 ]
+
+# ip saddr != 192.168.2.0/24
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x0002a8c0 ]
+
+# ip saddr 192.168.3.1 ip daddr 192.168.3.100
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 8b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x0103a8c0 0x6403a8c0 ]
+
+# ip saddr != 1.1.1.1 log prefix giuseppe
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp neq reg 1 0x01010101 ]
+  [ log prefix giuseppe ]
+
+# ip saddr 1.1.1.1 log prefix example group 1
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x01010101 ]
+  [ log prefix example group 1 snaplen 0 qthreshold 0]
+
+# ip daddr 192.168.0.1-192.168.0.250
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp gte reg 1 0x0100a8c0 ]
+  [ cmp lte reg 1 0xfa00a8c0 ]
+
+# ip daddr 10.0.0.0-10.255.255.255
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp gte reg 1 0x0000000a ]
+  [ cmp lte reg 1 0xffffff0a ]
+
+# ip daddr 172.16.0.0-172.31.255.255
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp gte reg 1 0x000010ac ]
+  [ cmp lte reg 1 0xffff1fac ]
+
+# ip daddr 192.168.3.1-192.168.4.250
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp gte reg 1 0x0103a8c0 ]
+  [ cmp lte reg 1 0xfa04a8c0 ]
+
+# ip daddr != 192.168.0.1-192.168.0.250
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp lt reg 1 0x0100a8c0 ]
+  [ cmp gt reg 1 0xfa00a8c0 ]
+
+# ip daddr { 192.168.0.1-192.168.0.250}
+set%d test-inet 7
+set%d test-inet 0
+	element 00000000  : 1 [end]	element 0100a8c0  : 0 [end]	element fb00a8c0  : 1 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+
+# ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept
+set%d test-inet 3
+set%d test-inet 0
+	element 0105a8c0  : 0 [end]	element 0205a8c0  : 0 [end]	element 0305a8c0  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+  [ immediate reg 0 accept ]
+
+# ip daddr 192.168.1.2-192.168.1.55
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp gte reg 1 0x0201a8c0 ]
+  [ cmp lte reg 1 0x3701a8c0 ]
+
+# ip daddr != 192.168.1.2-192.168.1.55
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp lt reg 1 0x0201a8c0 ]
+  [ cmp gt reg 1 0x3701a8c0 ]
+
+# ip saddr 192.168.1.3-192.168.33.55
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp gte reg 1 0x0301a8c0 ]
+  [ cmp lte reg 1 0x3721a8c0 ]
+
+# ip saddr != 192.168.1.3-192.168.33.55
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp lt reg 1 0x0301a8c0 ]
+  [ cmp gt reg 1 0x3721a8c0 ]
+
+# ip daddr 192.168.0.1
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x0100a8c0 ]
+
+# ip daddr 192.168.0.1 drop
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x0100a8c0 ]
+  [ immediate reg 0 drop ]
+
+# ip daddr 192.168.0.2 log
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x0200a8c0 ]
+  [ log prefix (null) ]
+
diff --git a/tests/regression/ip/masquerade.t.payload b/tests/regression/ip/masquerade.t.payload
new file mode 100644
index 00000000..9390f0cf
--- /dev/null
+++ b/tests/regression/ip/masquerade.t.payload
@@ -0,0 +1,127 @@
+# udp dport 53 masquerade
+ip test-ip4 postrouting
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ masq ]
+
+# udp dport 53 masquerade random
+ip test-ip4 postrouting
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ masq flags 0x4 ]
+
+# udp dport 53 masquerade random,persistent
+ip test-ip4 postrouting
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ masq flags 0xc ]
+
+# udp dport 53 masquerade random,persistent,fully-random
+ip test-ip4 postrouting
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ masq flags 0x1c ]
+
+# udp dport 53 masquerade random,fully-random
+ip test-ip4 postrouting
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ masq flags 0x14 ]
+
+# udp dport 53 masquerade random,fully-random,persistent
+ip test-ip4 postrouting
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ masq flags 0x1c ]
+
+# udp dport 53 masquerade persistent
+ip test-ip4 postrouting
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ masq flags 0x8 ]
+
+# udp dport 53 masquerade persistent,random
+ip test-ip4 postrouting
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ masq flags 0xc ]
+
+# udp dport 53 masquerade persistent,random,fully-random
+ip test-ip4 postrouting
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ masq flags 0x1c ]
+
+# udp dport 53 masquerade persistent,fully-random
+ip test-ip4 postrouting
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ masq flags 0x18 ]
+
+# udp dport 53 masquerade persistent,fully-random,random
+ip test-ip4 postrouting
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ masq flags 0x1c ]
+
+# tcp dport { 1,2,3,4,5,6,7,8,101,202,303,1001,2002,3003} masquerade
+set%d test-ip4 3
+set%d test-ip4 0
+	element 00000100  : 0 [end]	element 00000200  : 0 [end]	element 00000300  : 0 [end]	element 00000400  : 0 [end]	element 00000500  : 0 [end]	element 00000600  : 0 [end]	element 00000700  : 0 [end]	element 00000800  : 0 [end]	element 00006500  : 0 [end]	element 0000ca00  : 0 [end]	element 00002f01  : 0 [end]	element 0000e903  : 0 [end]	element 0000d207  : 0 [end]	element 0000bb0b  : 0 [end]
+ip test-ip4 postrouting
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+  [ masq ]
+
+# ip daddr 10.0.0.0-10.2.3.4 udp dport 53 counter packets 0 bytes 0 masquerade
+ip test-ip4 postrouting
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp gte reg 1 0x0000000a ]
+  [ cmp lte reg 1 0x0403020a ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ counter pkts 0 bytes 0 ]
+  [ masq ]
+
+# iifname eth0 ct state new,established tcp dport vmap {22 : drop, 222 : drop } masquerade
+map%d test-ip4 b
+map%d test-ip4 0
+	element 00001600  : 0 [end]	element 0000de00  : 0 [end]
+ip test-ip4 postrouting
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ ct load state => reg 1 ]
+  [ bitwise reg 1 = (reg=1 & 0x0000000a ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set map%d dreg 0 ]
+  [ masq ]
+
diff --git a/tests/regression/ip/redirect.t.payload b/tests/regression/ip/redirect.t.payload
new file mode 100644
index 00000000..3c6e1e06
--- /dev/null
+++ b/tests/regression/ip/redirect.t.payload
@@ -0,0 +1,201 @@
+# udp dport 53 redirect
+ip test-ip4 output
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ redir ]
+
+# udp dport 53 redirect random
+ip test-ip4 output
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ redir ]
+
+# udp dport 53 redirect random,persistent
+ip test-ip4 output
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ redir ]
+
+# udp dport 53 redirect random,persistent,fully-random
+ip test-ip4 output
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ redir ]
+
+# udp dport 53 redirect random,fully-random
+ip test-ip4 output
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ redir ]
+
+# udp dport 53 redirect random,fully-random,persistent
+ip test-ip4 output
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ redir ]
+
+# udp dport 53 redirect persistent
+ip test-ip4 output
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ redir ]
+
+# udp dport 53 redirect persistent,random
+ip test-ip4 output
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ redir ]
+
+# udp dport 53 redirect persistent,random,fully-random
+ip test-ip4 output
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ redir ]
+
+# udp dport 53 redirect persistent,fully-random
+ip test-ip4 output
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ redir ]
+
+# udp dport 53 redirect persistent,fully-random,random
+ip test-ip4 output
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ redir ]
+
+# tcp dport 22 redirect to 22
+ip test-ip4 output
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+  [ immediate reg 1 0x00001600 ]
+  [ redir ]
+
+# udp dport 1234 redirect to 4321
+ip test-ip4 output
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000d204 ]
+  [ immediate reg 1 0x0000e110 ]
+  [ redir ]
+
+# ip daddr 172.16.0.1 udp dport 9998 redirect to 6515
+ip test-ip4 output
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x010010ac ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00000e27 ]
+  [ immediate reg 1 0x00007319 ]
+  [ redir ]
+
+# tcp dport 39128 redirect to 993
+ip test-ip4 output
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000d898 ]
+  [ immediate reg 1 0x0000e103 ]
+  [ redir ]
+
+# tcp dport 9128 redirect to 993 random
+ip test-ip4 output
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000a823 ]
+  [ immediate reg 1 0x0000e103 ]
+  [ redir ]
+
+# tcp dport 9128 redirect to 993 fully-random
+ip test-ip4 output
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000a823 ]
+  [ immediate reg 1 0x0000e103 ]
+  [ redir ]
+
+# tcp dport 9128 redirect to 123 persistent
+ip test-ip4 output
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000a823 ]
+  [ immediate reg 1 0x00007b00 ]
+  [ redir ]
+
+# tcp dport 9128 redirect to 123 random,persistent
+ip test-ip4 output
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000a823 ]
+  [ immediate reg 1 0x00007b00 ]
+  [ redir ]
+
+# tcp dport { 1, 2, 3, 4, 5, 6, 7, 8, 101, 202, 303, 1001, 2002, 3003} redirect
+set%d test-ip4 3
+set%d test-ip4 0
+	element 00000100  : 0 [end]	element 00000200  : 0 [end]	element 00000300  : 0 [end]	element 00000400  : 0 [end]	element 00000500  : 0 [end]	element 00000600  : 0 [end]	element 00000700  : 0 [end]	element 00000800  : 0 [end]	element 00006500  : 0 [end]	element 0000ca00  : 0 [end]	element 00002f01  : 0 [end]	element 0000e903  : 0 [end]	element 0000d207  : 0 [end]	element 0000bb0b  : 0 [end]
+ip test-ip4 output
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+  [ redir ]
+
+# ip daddr 10.0.0.0-10.2.3.4 udp dport 53 counter packets 0 bytes 0 redirect
+ip test-ip4 output
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp gte reg 1 0x0000000a ]
+  [ cmp lte reg 1 0x0403020a ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ counter pkts 0 bytes 0 ]
+  [ redir ]
+
+# iifname eth0 ct state new,established tcp dport vmap {22 : drop, 222 : drop } redirect
+map%d test-ip4 b
+map%d test-ip4 0
+	element 00001600  : 0 [end]	element 0000de00  : 0 [end]
+ip test-ip4 output
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ ct load state => reg 1 ]
+  [ bitwise reg 1 = (reg=1 & 0x0000000a ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set map%d dreg 0 ]
+  [ redir ]
+
diff --git a/tests/regression/ip/reject.t.payload b/tests/regression/ip/reject.t.payload
new file mode 100644
index 00000000..d5e87665
--- /dev/null
+++ b/tests/regression/ip/reject.t.payload
@@ -0,0 +1,32 @@
+# reject
+ip test-ip4 output
+  [ reject type 0 code 3 ]
+
+# reject with icmp type host-unreachable
+ip test-ip4 output
+  [ reject type 0 code 1 ]
+
+# reject with icmp type net-unreachable
+ip test-ip4 output
+  [ reject type 0 code 0 ]
+
+# reject with icmp type prot-unreachable
+ip test-ip4 output
+  [ reject type 0 code 2 ]
+
+# reject with icmp type port-unreachable
+ip test-ip4 output
+  [ reject type 0 code 3 ]
+
+# reject with icmp type net-prohibited
+ip test-ip4 output
+  [ reject type 0 code 9 ]
+
+# reject with icmp type host-prohibited
+ip test-ip4 output
+  [ reject type 0 code 10 ]
+
+# reject with icmp type admin-prohibited
+ip test-ip4 output
+  [ reject type 0 code 13 ]
+
diff --git a/tests/regression/ip/sets.t.payload.inet b/tests/regression/ip/sets.t.payload.inet
new file mode 100644
index 00000000..90417815
--- /dev/null
+++ b/tests/regression/ip/sets.t.payload.inet
@@ -0,0 +1,18 @@
+# ip saddr @set1 drop
+set1 test-inet 0
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set set1 ]
+  [ immediate reg 0 drop ]
+
+# ip saddr @set2 drop
+set2 test-inet 0
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set set2 ]
+  [ immediate reg 0 drop ]
+
diff --git a/tests/regression/ip/sets.t.payload.ip b/tests/regression/ip/sets.t.payload.ip
new file mode 100644
index 00000000..eb3770ea
--- /dev/null
+++ b/tests/regression/ip/sets.t.payload.ip
@@ -0,0 +1,14 @@
+# ip saddr @set1 drop
+set1 test-ip4 0
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set set1 ]
+  [ immediate reg 0 drop ]
+
+# ip saddr @set2 drop
+set2 test-ip4 0
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set set2 ]
+  [ immediate reg 0 drop ]
+
diff --git a/tests/regression/ip/snat.t.payload b/tests/regression/ip/snat.t.payload
new file mode 100644
index 00000000..32ba4fa8
--- /dev/null
+++ b/tests/regression/ip/snat.t.payload
@@ -0,0 +1,50 @@
+# iifname "eth0" tcp dport 80-90 snat 192.168.3.2
+ip test-ip4 postrouting
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp gte reg 1 0x00005000 ]
+  [ cmp lte reg 1 0x00005a00 ]
+  [ immediate reg 1 0x0203a8c0 ]
+  [ nat snat ip addr_min reg 1 addr_max reg 0 ]
+
+# iifname "eth0" tcp dport != 80-90 snat 192.168.3.2
+ip test-ip4 postrouting
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp lt reg 1 0x00005000 ]
+  [ cmp gt reg 1 0x00005a00 ]
+  [ immediate reg 1 0x0203a8c0 ]
+  [ nat snat ip addr_min reg 1 addr_max reg 0 ]
+
+# iifname "eth0" tcp dport {80, 90, 23} snat 192.168.3.2
+set%d test-ip4 3
+set%d test-ip4 0
+	element 00005000  : 0 [end]	element 00005a00  : 0 [end]	element 00001700  : 0 [end]
+ip test-ip4 postrouting
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set set%d ]
+  [ immediate reg 1 0x0203a8c0 ]
+  [ nat snat ip addr_min reg 1 addr_max reg 0 ]
+
+# iifname "eth0" tcp dport != 23-34 snat 192.168.3.2
+ip test-ip4 postrouting
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp lt reg 1 0x00001700 ]
+  [ cmp gt reg 1 0x00002200 ]
+  [ immediate reg 1 0x0203a8c0 ]
+  [ nat snat ip addr_min reg 1 addr_max reg 0 ]
+
author	Florian Westphal <fw@strlen.de>	2015-07-10 11:56:31 +0200
committer	Florian Westphal <fw@strlen.de>	2015-07-20 17:26:37 +0200
commit	0abfb2b7e01ca07efe1be16a1a5bd8925340dc41 (patch)
tree	0b4b3f892c990e66f4a01a5d5ba15d3a9c720d47 /tests/regression/ip
parent	efd09355038d53fdd3841ab5ccae1543c4967daf (diff)