summaryrefslogtreecommitdiffstats
path: root/tests/py/ip
diff options
context:
space:
mode:
Diffstat (limited to 'tests/py/ip')
-rw-r--r--tests/py/ip/chains.t15
-rw-r--r--tests/py/ip/dnat.t15
-rw-r--r--tests/py/ip/dnat.t.payload.ip69
-rw-r--r--tests/py/ip/dup.t6
-rw-r--r--tests/py/ip/dup.t.payload21
-rw-r--r--tests/py/ip/ether.t8
-rw-r--r--tests/py/ip/ether.t.payload50
-rw-r--r--tests/py/ip/icmp.t93
-rw-r--r--tests/py/ip/icmp.t.payload.ip463
-rw-r--r--tests/py/ip/ip.t117
-rw-r--r--tests/py/ip/ip.t.payload386
-rw-r--r--tests/py/ip/ip.t.payload.inet506
-rw-r--r--tests/py/ip/masquerade.t25
-rw-r--r--tests/py/ip/masquerade.t.payload127
-rw-r--r--tests/py/ip/redirect.t45
-rw-r--r--tests/py/ip/redirect.t.payload201
-rw-r--r--tests/py/ip/reject.t14
-rw-r--r--tests/py/ip/reject.t.payload32
-rw-r--r--tests/py/ip/sets.t30
-rw-r--r--tests/py/ip/sets.t.payload.inet16
-rw-r--r--tests/py/ip/sets.t.payload.ip12
-rw-r--r--tests/py/ip/snat.t12
-rw-r--r--tests/py/ip/snat.t.payload50
23 files changed, 2313 insertions, 0 deletions
diff --git a/tests/py/ip/chains.t b/tests/py/ip/chains.t
new file mode 100644
index 00000000..8edf62b5
--- /dev/null
+++ b/tests/py/ip/chains.t
@@ -0,0 +1,15 @@
+*ip;test-ip4
+
+# filter chains available are: input, output, forward, prerouting, postrouting
+:filter-input;type filter hook input priority 0
+:filter-pre;type filter hook prerouting priority 0
+:filter-forw;type filter hook forward priority 0
+:filter-out;type filter hook output priority 0
+:filter-post;type filter hook postrouting priority 0
+# nat chains available are: input, output, prerouting, postrouting
+:nat-input-t;type nat hook input priority 0
+:nat-pre-t;type nat hook prerouting priority 0
+:nat-out-t;type nat hook output priority 0
+:nat-post-t;type nat hook postrouting priority 0
+# route chain available are: output
+:route-out-t;type route hook output priority 0
diff --git a/tests/py/ip/dnat.t b/tests/py/ip/dnat.t
new file mode 100644
index 00000000..cdb78116
--- /dev/null
+++ b/tests/py/ip/dnat.t
@@ -0,0 +1,15 @@
+*ip;test-ip4
+:prerouting;type nat hook prerouting priority 0
+
+iifname "eth0" tcp dport 80-90 dnat 192.168.3.2;ok
+iifname "eth0" tcp dport != 80-90 dnat 192.168.3.2;ok
+iifname "eth0" tcp dport {80, 90, 23} dnat 192.168.3.2;ok
+- iifname "eth0" tcp dport != {80, 90, 23} dnat 192.168.3.2;ok
+- iifname "eth0" tcp dport != {80, 90, 23} dnat 192.168.3.2;ok
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+iifname "eth0" tcp dport != 23-34 dnat 192.168.3.2;ok
+
+dnat ct mark map { 0x00000014 : 1.2.3.4};ok
+dnat ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4};ok
diff --git a/tests/py/ip/dnat.t.payload.ip b/tests/py/ip/dnat.t.payload.ip
new file mode 100644
index 00000000..026e8719
--- /dev/null
+++ b/tests/py/ip/dnat.t.payload.ip
@@ -0,0 +1,69 @@
+# iifname "eth0" tcp dport 80-90 dnat 192.168.3.2
+ip test-ip4 prerouting
+ [ meta load iifname => reg 1 ]
+ [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp gte reg 1 0x00005000 ]
+ [ cmp lte reg 1 0x00005a00 ]
+ [ immediate reg 1 0x0203a8c0 ]
+ [ nat dnat ip addr_min reg 1 addr_max reg 0 ]
+
+# iifname "eth0" tcp dport != 80-90 dnat 192.168.3.2
+ip test-ip4 prerouting
+ [ meta load iifname => reg 1 ]
+ [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp lt reg 1 0x00005000 ]
+ [ cmp gt reg 1 0x00005a00 ]
+ [ immediate reg 1 0x0203a8c0 ]
+ [ nat dnat ip addr_min reg 1 addr_max reg 0 ]
+
+# iifname "eth0" tcp dport {80, 90, 23} dnat 192.168.3.2
+set%d test-ip4 3
+set%d test-ip4 0
+ element 00005000 : 0 [end] element 00005a00 : 0 [end] element 00001700 : 0 [end]
+ip test-ip4 prerouting
+ [ meta load iifname => reg 1 ]
+ [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+ [ immediate reg 1 0x0203a8c0 ]
+ [ nat dnat ip addr_min reg 1 addr_max reg 0 ]
+
+# iifname "eth0" tcp dport != 23-34 dnat 192.168.3.2
+ip test-ip4 prerouting
+ [ meta load iifname => reg 1 ]
+ [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp lt reg 1 0x00001700 ]
+ [ cmp gt reg 1 0x00002200 ]
+ [ immediate reg 1 0x0203a8c0 ]
+ [ nat dnat ip addr_min reg 1 addr_max reg 0 ]
+
+# dnat ct mark map { 0x00000014 : 1.2.3.4}
+map%d test-ip4 b
+map%d test-ip4 0
+ element 00000014 : 04030201 0 [end]
+ip test-ip4 prerouting
+ [ ct load mark => reg 1 ]
+ [ lookup reg 1 set map%d dreg 1 ]
+ [ nat dnat ip addr_min reg 1 addr_max reg 0 ]
+
+# dnat ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4}
+map%d test-ip4 b
+map%d test-ip4 0
+ element 00000014 01010101 : 04030201 0 [end]
+ip test-ip4 output
+ [ ct load mark => reg 1 ]
+ [ payload load 4b @ network header + 16 => reg 9 ]
+ [ lookup reg 1 set map%d dreg 1 ]
+ [ nat dnat ip addr_min reg 1 addr_max reg 0 ]
+
diff --git a/tests/py/ip/dup.t b/tests/py/ip/dup.t
new file mode 100644
index 00000000..9320d546
--- /dev/null
+++ b/tests/py/ip/dup.t
@@ -0,0 +1,6 @@
+*ip;test-ip4
+:input;type filter hook input priority 0
+
+dup to 192.168.2.1;ok
+dup to 192.168.2.1 device eth0;ok
+dup to ip saddr map { 192.168.2.120 : 192.168.2.1 } device eth0;ok
diff --git a/tests/py/ip/dup.t.payload b/tests/py/ip/dup.t.payload
new file mode 100644
index 00000000..7928d5d5
--- /dev/null
+++ b/tests/py/ip/dup.t.payload
@@ -0,0 +1,21 @@
+# dup to 192.168.2.1
+ip test-ip4 test
+ [ immediate reg 1 0x0102a8c0 ]
+ [ dup sreg_addr 1 ]
+
+# dup to 192.168.2.1 device eth0
+ip test-ip4 test
+ [ immediate reg 1 0x0102a8c0 ]
+ [ immediate reg 2 0x00000002 ]
+ [ dup sreg_addr 1 sreg_dev 2 ]
+
+# dup to ip saddr map { 192.168.2.120 : 192.168.2.1 } device eth0
+map%d test-ip4 b
+map%d test-ip4 0
+ element 7802a8c0 : 0102a8c0 0 [end]
+ip test-ip4 test
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ lookup reg 1 set map%d dreg 1 ]
+ [ immediate reg 2 0x00000002 ]
+ [ dup sreg_addr 1 sreg_dev 2 ]
+
diff --git a/tests/py/ip/ether.t b/tests/py/ip/ether.t
new file mode 100644
index 00000000..4d30f51c
--- /dev/null
+++ b/tests/py/ip/ether.t
@@ -0,0 +1,8 @@
+*ip;test-ip
+
+:input;type filter hook input priority 0
+
+tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept;ok;tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04 accept
+tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04;ok
+tcp dport 22 ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4;ok
+ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4 accept;ok
diff --git a/tests/py/ip/ether.t.payload b/tests/py/ip/ether.t.payload
new file mode 100644
index 00000000..0d234dab
--- /dev/null
+++ b/tests/py/ip/ether.t.payload
@@ -0,0 +1,50 @@
+# tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept
+ip test-ip input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+ [ meta load iiftype => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ cmp eq reg 1 0x04030201 ]
+ [ payload load 6b @ link header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+ [ immediate reg 0 accept ]
+
+# tcp dport 22 ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4
+ip test-ip input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+ [ meta load iiftype => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 6b @ link header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ cmp eq reg 1 0x04030201 ]
+
+# tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04
+ip test-ip input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ cmp eq reg 1 0x04030201 ]
+ [ meta load iiftype => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 6b @ link header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+
+# ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4 accept
+ip test-ip input
+ [ meta load iiftype => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 6b @ link header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ cmp eq reg 1 0x04030201 ]
+ [ immediate reg 0 accept ]
+
diff --git a/tests/py/ip/icmp.t b/tests/py/ip/icmp.t
new file mode 100644
index 00000000..bd00f5ca
--- /dev/null
+++ b/tests/py/ip/icmp.t
@@ -0,0 +1,93 @@
+*ip;test-ip4
+# BUG: There is a bug with icmp protocol and inet family.
+# *inet;test-inet
+:input;type filter hook input priority 0
+
+icmp type echo-reply accept;ok
+icmp type destination-unreachable accept;ok
+icmp type source-quench accept;ok
+icmp type redirect accept;ok
+icmp type echo-request accept;ok
+icmp type time-exceeded accept;ok
+icmp type parameter-problem accept;ok
+icmp type timestamp-request accept;ok
+icmp type timestamp-reply accept;ok
+icmp type info-request accept;ok
+icmp type info-reply accept;ok
+icmp type address-mask-request accept;ok
+icmp type address-mask-reply accept;ok
+icmp type {echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply} accept;ok
+- icmp type != {echo-reply, destination-unreachable, source-quench};ok
+# BUG: icmp type != {echo-reply, destination-unreachable, source-quench}
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+icmp code 111 accept;ok
+icmp code != 111 accept;ok
+icmp code 33-55;ok
+icmp code != 33-55;ok
+icmp code { 33-55};ok
+- icmp code != { 33-55};ok
+icmp code { 2, 4, 54, 33, 56};ok
+- icmp code != { 2, 4, 54, 33, 56};ok
+# $ sudo nft add rule ip test input icmp code != {2, 4, 54, 33, 56}
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+icmp checksum 12343 accept;ok
+icmp checksum != 12343 accept;ok
+icmp checksum 11-343 accept;ok
+icmp checksum != 11-343 accept;ok
+icmp checksum { 11-343} accept;ok
+- icmp checksum != { 11-343} accept;ok
+icmp checksum { 1111, 222, 343} accept;ok
+- icmp checksum != { 1111, 222, 343} accept;ok
+# BUG: invalid expression type set
+# icmp checksum != { 1111, 222, 343} accept;ok
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+icmp id 1245 log;ok
+icmp id 22;ok
+icmp id != 233;ok
+icmp id 33-45;ok
+icmp id != 33-45;ok
+icmp id { 33-55};ok
+- icmp id != { 33-55};ok
+icmp id { 22, 34, 333};ok
+- icmp id != { 22, 34, 333};ok
+# BUG: invalid expression type set
+# icmp id != { 22, 34, 333}
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+icmp sequence 22;ok
+icmp sequence != 233;ok
+icmp sequence 33-45;ok
+icmp sequence != 33-45;ok
+icmp sequence { 33, 55, 67, 88};ok
+- icmp sequence != { 33, 55, 67, 88};ok
+icmp sequence { 33-55};ok
+- icmp sequence != { 33-55};ok
+
+icmp mtu 33;ok
+icmp mtu 22-33;ok
+icmp mtu { 22-33};ok
+- icmp mtu != { 22-33};ok
+icmp mtu 22;ok
+icmp mtu != 233;ok
+icmp mtu 33-45;ok
+icmp mtu != 33-45;ok
+icmp mtu { 33, 55, 67, 88};ok
+- icmp mtu != { 33, 55, 67, 88};ok
+icmp mtu { 33-55};ok
+- icmp mtu != { 33-55};ok
+
+icmp gateway 22;ok
+icmp gateway != 233;ok
+icmp gateway 33-45;ok
+icmp gateway != 33-45;ok
+icmp gateway { 33, 55, 67, 88};ok
+- icmp gateway != { 33, 55, 67, 88};ok
+icmp gateway { 33-55};ok
+- icmp gateway != { 33-55};ok
+icmp gateway != 34;ok
+- icmp gateway != { 333, 334};ok
diff --git a/tests/py/ip/icmp.t.payload.ip b/tests/py/ip/icmp.t.payload.ip
new file mode 100644
index 00000000..a6071a65
--- /dev/null
+++ b/tests/py/ip/icmp.t.payload.ip
@@ -0,0 +1,463 @@
+# icmp type echo-reply accept
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000000 ]
+ [ immediate reg 0 accept ]
+
+# icmp type destination-unreachable accept
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000003 ]
+ [ immediate reg 0 accept ]
+
+# icmp type source-quench accept
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000004 ]
+ [ immediate reg 0 accept ]
+
+# icmp type redirect accept
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000005 ]
+ [ immediate reg 0 accept ]
+
+# icmp type echo-request accept
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ immediate reg 0 accept ]
+
+# icmp type time-exceeded accept
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x0000000b ]
+ [ immediate reg 0 accept ]
+
+# icmp type parameter-problem accept
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x0000000c ]
+ [ immediate reg 0 accept ]
+
+# icmp type timestamp-request accept
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x0000000d ]
+ [ immediate reg 0 accept ]
+
+# icmp type timestamp-reply accept
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x0000000e ]
+ [ immediate reg 0 accept ]
+
+# icmp type info-request accept
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x0000000f ]
+ [ immediate reg 0 accept ]
+
+# icmp type info-reply accept
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000010 ]
+ [ immediate reg 0 accept ]
+
+# icmp type address-mask-request accept
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ immediate reg 0 accept ]
+
+# icmp type address-mask-reply accept
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000012 ]
+ [ immediate reg 0 accept ]
+
+# icmp type {echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply} accept
+set%d test-ip4 3
+set%d test-ip4 0
+ element 00000000 : 0 [end] element 00000003 : 0 [end] element 00000004 : 0 [end] element 00000005 : 0 [end] element 00000008 : 0 [end] element 0000000b : 0 [end] element 0000000c : 0 [end] element 0000000d : 0 [end] element 0000000e : 0 [end] element 0000000f : 0 [end] element 00000010 : 0 [end] element 00000011 : 0 [end] element 00000012 : 0 [end]
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+ [ immediate reg 0 accept ]
+
+# icmp code 111 accept
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 1 => reg 1 ]
+ [ cmp eq reg 1 0x0000006f ]
+ [ immediate reg 0 accept ]
+
+# icmp code != 111 accept
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 1 => reg 1 ]
+ [ cmp neq reg 1 0x0000006f ]
+ [ immediate reg 0 accept ]
+
+# icmp code 33-55
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 1 => reg 1 ]
+ [ cmp gte reg 1 0x00000021 ]
+ [ cmp lte reg 1 0x00000037 ]
+
+# icmp code != 33-55
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 1 => reg 1 ]
+ [ cmp lt reg 1 0x00000021 ]
+ [ cmp gt reg 1 0x00000037 ]
+
+# icmp code { 33-55}
+set%d test-ip4 7
+set%d test-ip4 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 1 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+
+# icmp code { 2, 4, 54, 33, 56}
+set%d test-ip4 3
+set%d test-ip4 0
+ element 00000002 : 0 [end] element 00000004 : 0 [end] element 00000036 : 0 [end] element 00000021 : 0 [end] element 00000038 : 0 [end]
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 1 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+
+# icmp checksum 12343 accept
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00003730 ]
+ [ immediate reg 0 accept ]
+
+# icmp checksum != 12343 accept
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp neq reg 1 0x00003730 ]
+ [ immediate reg 0 accept ]
+
+# icmp checksum 11-343 accept
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp gte reg 1 0x00000b00 ]
+ [ cmp lte reg 1 0x00005701 ]
+ [ immediate reg 0 accept ]
+
+# icmp checksum != 11-343 accept
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp lt reg 1 0x00000b00 ]
+ [ cmp gt reg 1 0x00005701 ]
+ [ immediate reg 0 accept ]
+
+# icmp checksum { 11-343} accept
+set%d test-ip4 7
+set%d test-ip4 0
+ element 00000000 : 1 [end] element 00000b00 : 0 [end] element 00005801 : 1 [end]
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+ [ immediate reg 0 accept ]
+
+# icmp checksum { 1111, 222, 343} accept
+set%d test-ip4 3
+set%d test-ip4 0
+ element 00005704 : 0 [end] element 0000de00 : 0 [end] element 00005701 : 0 [end]
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+ [ immediate reg 0 accept ]
+
+# icmp id 1245 log
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 4 => reg 1 ]
+ [ cmp eq reg 1 0x0000dd04 ]
+ [ log prefix (null) ]
+
+# icmp id 22
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 4 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+
+# icmp id != 233
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 4 => reg 1 ]
+ [ cmp neq reg 1 0x0000e900 ]
+
+# icmp id 33-45
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 4 => reg 1 ]
+ [ cmp gte reg 1 0x00002100 ]
+ [ cmp lte reg 1 0x00002d00 ]
+
+# icmp id != 33-45
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 4 => reg 1 ]
+ [ cmp lt reg 1 0x00002100 ]
+ [ cmp gt reg 1 0x00002d00 ]
+
+# icmp id { 33-55}
+set%d test-ip4 7
+set%d test-ip4 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 4 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+
+# icmp id { 22, 34, 333}
+set%d test-ip4 3
+set%d test-ip4 0
+ element 00001600 : 0 [end] element 00002200 : 0 [end] element 00004d01 : 0 [end]
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 4 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+
+# icmp sequence 22
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+
+# icmp sequence != 233
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ cmp neq reg 1 0x0000e900 ]
+
+# icmp sequence 33-45
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ cmp gte reg 1 0x00002100 ]
+ [ cmp lte reg 1 0x00002d00 ]
+
+# icmp sequence != 33-45
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ cmp lt reg 1 0x00002100 ]
+ [ cmp gt reg 1 0x00002d00 ]
+
+# icmp sequence { 33, 55, 67, 88}
+set%d test-ip4 3
+set%d test-ip4 0
+ element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+
+# icmp sequence { 33-55}
+set%d test-ip4 7
+set%d test-ip4 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+
+# icmp mtu 33
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x00002100 ]
+
+# icmp mtu 22-33
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ cmp gte reg 1 0x00001600 ]
+ [ cmp lte reg 1 0x00002100 ]
+
+# icmp mtu { 22-33}
+set%d test-ip4 7
+set%d test-ip4 0
+ element 00000000 : 1 [end] element 00001600 : 0 [end] element 00002200 : 1 [end]
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+
+# icmp mtu 22
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+
+# icmp mtu != 233
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ cmp neq reg 1 0x0000e900 ]
+
+# icmp mtu 33-45
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ cmp gte reg 1 0x00002100 ]
+ [ cmp lte reg 1 0x00002d00 ]
+
+# icmp mtu != 33-45
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ cmp lt reg 1 0x00002100 ]
+ [ cmp gt reg 1 0x00002d00 ]
+
+# icmp mtu { 33, 55, 67, 88}
+set%d test-ip4 3
+set%d test-ip4 0
+ element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+
+# icmp mtu { 33-55}
+set%d test-ip4 7
+set%d test-ip4 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+
+# icmp gateway 22
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ cmp eq reg 1 0x16000000 ]
+
+# icmp gateway != 233
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ cmp neq reg 1 0xe9000000 ]
+
+# icmp gateway 33-45
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ cmp gte reg 1 0x21000000 ]
+ [ cmp lte reg 1 0x2d000000 ]
+
+# icmp gateway != 33-45
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ cmp lt reg 1 0x21000000 ]
+ [ cmp gt reg 1 0x2d000000 ]
+
+# icmp gateway { 33, 55, 67, 88}
+set%d test-ip4 3
+set%d test-ip4 0
+ element 21000000 : 0 [end] element 37000000 : 0 [end] element 43000000 : 0 [end] element 58000000 : 0 [end]
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+
+# icmp gateway { 33-55}
+set%d test-ip4 7
+set%d test-ip4 0
+ element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end]
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+
+# icmp gateway != 34
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ cmp neq reg 1 0x22000000 ]
+
diff --git a/tests/py/ip/ip.t b/tests/py/ip/ip.t
new file mode 100644
index 00000000..0339c2ac
--- /dev/null
+++ b/tests/py/ip/ip.t
@@ -0,0 +1,117 @@
+*ip;test-ip4
+*inet;test-inet
+:input;type filter hook input priority 0
+
+- ip version 2;ok
+
+# bug ip hdrlength
+- ip hdrlength 10;ok
+- ip hdrlength != 5;ok
+- ip hdrlength 5-8;ok
+- ip hdrlength != 3-13;ok
+- ip hdrlength {3, 5, 6, 8};ok
+- ip hdrlength != {3, 5, 7, 8};ok
+- ip hdrlength { 3-5};ok
+- ip hdrlength != { 3-59};ok
+# ip hdrlength 12
+# <cmdline>:1:1-38: Error: Could not process rule: Invalid argument
+# add rule ip test input ip hdrlength 12
+# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+# <cmdline>:1:37-38: Error: Value 22 exceeds valid range 0-15
+# add rule ip test input ip hdrlength 22
+
+- ip dscp CS1;ok
+- ip dscp != CS1;ok
+- ip dscp 0x38;ok
+- ip dscp != 0x20;ok
+- ip dscp {CS1, CS2, CS3, CS4, CS5, CS6, CS7, BE, AF11, AF12, AF13, AF21, AF22, AF23, AF31, AF32, AF33, AF41, AF42, AF43, EF};ok
+- ip dscp {0x08, 0x10, 0x18, 0x20, 0x28, 0x30, 0x38, 0x00, 0x0a, 0x0c, 0x0e, 0x12, 0x14, 0x16, 0x1a, 0x1c, 0x1e, 0x22, 0x24, 0x26, 0x2e};ok
+- ip dscp != {CS0, CS3};ok
+
+ip length 232;ok
+ip length != 233;ok
+ip length 333-435;ok
+ip length != 333-453;ok
+ip length { 333, 553, 673, 838};ok
+- ip length != { 333, 535, 637, 883};ok
+ip length { 333-535};ok
+- ip length != { 333-553};ok
+
+ip id 22;ok
+ip id != 233;ok
+ip id 33-45;ok
+ip id != 33-45;ok
+ip id { 33, 55, 67, 88};ok
+- ip id != { 33, 55, 67, 88};ok
+ip id { 33-55};ok
+- ip id != { 33-55};ok
+
+ip frag-off 222 accept;ok
+ip frag-off != 233;ok
+ip frag-off 33-45;ok
+ip frag-off != 33-45;ok
+ip frag-off { 33, 55, 67, 88};ok
+- ip frag-off != { 33, 55, 67, 88};ok
+ip frag-off { 33-55};ok
+- ip frag-off != { 33-55};ok
+
+ip ttl 0 drop;ok
+ip ttl 233 log;ok
+ip ttl 33-55;ok
+ip ttl != 45-50;ok
+ip ttl {43, 53, 45 };ok
+- ip ttl != {46, 56, 93 };ok
+# BUG: ip ttl != {46, 56, 93 };ok
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+ip ttl { 33-55};ok
+- ip ttl != { 33-55};ok
+
+ip protocol tcp log;ok;ip protocol 6 log
+ip protocol != tcp log;ok;ip protocol != 6 log
+ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept;ok;ip protocol { 33, 136, 17, 51, 50, 6, 132, 1, 108} accept
+- ip protocol != { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept;ok
+
+ip checksum 13172 drop;ok
+ip checksum 22;ok
+ip checksum != 233;ok
+ip checksum 33-45;ok
+ip checksum != 33-45;ok
+ip checksum { 33, 55, 67, 88};ok
+- ip checksum != { 33, 55, 67, 88};ok
+ip checksum { 33-55};ok
+- ip checksum != { 33-55};ok
+
+ip saddr 192.168.2.0/24;ok
+ip saddr != 192.168.2.0/24;ok
+ip saddr 192.168.3.1 ip daddr 192.168.3.100;ok
+ip saddr != 1.1.1.1 log prefix giuseppe;ok;ip saddr != 1.1.1.1 log prefix "giuseppe"
+ip saddr 1.1.1.1 log prefix example group 1;ok;ip saddr 1.1.1.1 log prefix "example" group 1
+ip daddr 192.168.0.1-192.168.0.250;ok
+ip daddr 10.0.0.0-10.255.255.255;ok
+ip daddr 172.16.0.0-172.31.255.255;ok
+ip daddr 192.168.3.1-192.168.4.250;ok
+ip daddr != 192.168.0.1-192.168.0.250;ok
+ip daddr { 192.168.0.1-192.168.0.250};ok
+- ip daddr != { 192.168.0.1-192.168.0.250};ok
+ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept;ok
+- ip daddr != { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept;ok
+
+ip daddr 192.168.1.2-192.168.1.55;ok
+ip daddr != 192.168.1.2-192.168.1.55;ok
+ip saddr 192.168.1.3-192.168.33.55;ok
+ip saddr != 192.168.1.3-192.168.33.55;ok
+
+ip daddr 192.168.0.1;ok
+ip daddr 192.168.0.1 drop;ok
+ip daddr 192.168.0.2 log;ok
+
+ip saddr \& 0xff == 1;ok;ip saddr & 0.0.0.255 == 0.0.0.1
+ip saddr \& 0.0.0.255 \< 0.0.0.127;ok;ip saddr & 0.0.0.255 < 0.0.0.127
+
+ip saddr \& 0xffff0000 == 0xffff0000;ok;ip saddr 255.255.0.0/16
+
+ip version 4 ip hdrlength 5;ok
+ip hdrlength 0;ok
+ip hdrlength 15;ok
+ip hdrlength 16;fail
diff --git a/tests/py/ip/ip.t.payload b/tests/py/ip/ip.t.payload
new file mode 100644
index 00000000..da2dc218
--- /dev/null
+++ b/tests/py/ip/ip.t.payload
@@ -0,0 +1,386 @@
+# ip length 232
+ip test-ip4 input
+ [ payload load 2b @ network header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x0000e800 ]
+
+# ip length != 233
+ip test-ip4 input
+ [ payload load 2b @ network header + 2 => reg 1 ]
+ [ cmp neq reg 1 0x0000e900 ]
+
+# ip length 333-435
+ip test-ip4 input
+ [ payload load 2b @ network header + 2 => reg 1 ]
+ [ cmp gte reg 1 0x00004d01 ]
+ [ cmp lte reg 1 0x0000b301 ]
+
+# ip length != 333-453
+ip test-ip4 input
+ [ payload load 2b @ network header + 2 => reg 1 ]
+ [ cmp lt reg 1 0x00004d01 ]
+ [ cmp gt reg 1 0x0000c501 ]
+
+# ip length { 333, 553, 673, 838}
+set%d test-ip4 3
+set%d test-ip4 0
+ element 00004d01 : 0 [end] element 00002902 : 0 [end] element 0000a102 : 0 [end] element 00004603 : 0 [end]
+ip test-ip4 input
+ [ payload load 2b @ network header + 2 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+
+# ip length { 333-535}
+set%d test-ip4 7
+set%d test-ip4 0
+ element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end]
+ip test-ip4 input
+ [ payload load 2b @ network header + 2 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+
+# ip id 22
+ip test-ip4 input
+ [ payload load 2b @ network header + 4 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+
+# ip id != 233
+ip test-ip4 input
+ [ payload load 2b @ network header + 4 => reg 1 ]
+ [ cmp neq reg 1 0x0000e900 ]
+
+# ip id 33-45
+ip test-ip4 input
+ [ payload load 2b @ network header + 4 => reg 1 ]
+ [ cmp gte reg 1 0x00002100 ]
+ [ cmp lte reg 1 0x00002d00 ]
+
+# ip id != 33-45
+ip test-ip4 input
+ [ payload load 2b @ network header + 4 => reg 1 ]
+ [ cmp lt reg 1 0x00002100 ]
+ [ cmp gt reg 1 0x00002d00 ]
+
+# ip id { 33, 55, 67, 88}
+set%d test-ip4 3
+set%d test-ip4 0
+ element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
+ip test-ip4 input
+ [ payload load 2b @ network header + 4 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+
+# ip id { 33-55}
+set%d test-ip4 7
+set%d test-ip4 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+ip test-ip4 input
+ [ payload load 2b @ network header + 4 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+
+# ip frag-off 222 accept
+ip test-ip4 input
+ [ payload load 2b @ network header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x0000de00 ]
+ [ immediate reg 0 accept ]
+
+# ip frag-off != 233
+ip test-ip4 input
+ [ payload load 2b @ network header + 6 => reg 1 ]
+ [ cmp neq reg 1 0x0000e900 ]
+
+# ip frag-off 33-45
+ip test-ip4 input
+ [ payload load 2b @ network header + 6 => reg 1 ]
+ [ cmp gte reg 1 0x00002100 ]
+ [ cmp lte reg 1 0x00002d00 ]
+
+# ip frag-off != 33-45
+ip test-ip4 input
+ [ payload load 2b @ network header + 6 => reg 1 ]
+ [ cmp lt reg 1 0x00002100 ]
+ [ cmp gt reg 1 0x00002d00 ]
+
+# ip frag-off { 33, 55, 67, 88}
+set%d test-ip4 3
+set%d test-ip4 0
+ element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
+ip test-ip4 input
+ [ payload load 2b @ network header + 6 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+
+# ip frag-off { 33-55}
+set%d test-ip4 7
+set%d test-ip4 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+ip test-ip4 input
+ [ payload load 2b @ network header + 6 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+
+# ip ttl 0 drop
+ip test-ip4 input
+ [ payload load 1b @ network header + 8 => reg 1 ]
+ [ cmp eq reg 1 0x00000000 ]
+ [ immediate reg 0 drop ]
+
+# ip ttl 233 log
+ip test-ip4 input
+ [ payload load 1b @ network header + 8 => reg 1 ]
+ [ cmp eq reg 1 0x000000e9 ]
+ [ log prefix (null) ]
+
+# ip ttl 33-55
+ip test-ip4 input
+ [ payload load 1b @ network header + 8 => reg 1 ]
+ [ cmp gte reg 1 0x00000021 ]
+ [ cmp lte reg 1 0x00000037 ]
+
+# ip ttl != 45-50
+ip test-ip4 input
+ [ payload load 1b @ network header + 8 => reg 1 ]
+ [ cmp lt reg 1 0x0000002d ]
+ [ cmp gt reg 1 0x00000032 ]
+
+# ip ttl {43, 53, 45 }
+set%d test-ip4 3
+set%d test-ip4 0
+ element 0000002b : 0 [end] element 00000035 : 0 [end] element 0000002d : 0 [end]
+ip test-ip4 input
+ [ payload load 1b @ network header + 8 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+
+# ip ttl { 33-55}
+set%d test-ip4 7
+set%d test-ip4 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+ip test-ip4 input
+ [ payload load 1b @ network header + 8 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+
+# ip protocol tcp log
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ log prefix (null) ]
+
+# ip protocol != tcp log
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp neq reg 1 0x00000006 ]
+ [ log prefix (null) ]
+
+# ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept
+set%d test-ip4 3
+set%d test-ip4 0
+ element 00000001 : 0 [end] element 00000032 : 0 [end] element 00000033 : 0 [end] element 0000006c : 0 [end] element 00000011 : 0 [end] element 00000088 : 0 [end] element 00000006 : 0 [end] element 00000021 : 0 [end] element 00000084 : 0 [end]
+ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+ [ immediate reg 0 accept ]
+
+# ip checksum 13172 drop
+ip test-ip4 input
+ [ payload load 2b @ network header + 10 => reg 1 ]
+ [ cmp eq reg 1 0x00007433 ]
+ [ immediate reg 0 drop ]
+
+# ip checksum 22
+ip test-ip4 input
+ [ payload load 2b @ network header + 10 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+
+# ip checksum != 233
+ip test-ip4 input
+ [ payload load 2b @ network header + 10 => reg 1 ]
+ [ cmp neq reg 1 0x0000e900 ]
+
+# ip checksum 33-45
+ip test-ip4 input
+ [ payload load 2b @ network header + 10 => reg 1 ]
+ [ cmp gte reg 1 0x00002100 ]
+ [ cmp lte reg 1 0x00002d00 ]
+
+# ip checksum != 33-45
+ip test-ip4 input
+ [ payload load 2b @ network header + 10 => reg 1 ]
+ [ cmp lt reg 1 0x00002100 ]
+ [ cmp gt reg 1 0x00002d00 ]
+
+# ip checksum { 33, 55, 67, 88}
+set%d test-ip4 3
+set%d test-ip4 0
+ element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
+ip test-ip4 input
+ [ payload load 2b @ network header + 10 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+
+# ip checksum { 33-55}
+set%d test-ip4 7
+set%d test-ip4 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+ip test-ip4 input
+ [ payload load 2b @ network header + 10 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+
+# ip saddr 192.168.2.0/24
+ip test-ip4 input
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x0002a8c0 ]
+
+# ip saddr != 192.168.2.0/24
+ip test-ip4 input
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
+ [ cmp neq reg 1 0x0002a8c0 ]
+
+# ip saddr 192.168.3.1 ip daddr 192.168.3.100
+ip test-ip4 input
+ [ payload load 8b @ network header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x0103a8c0 0x6403a8c0 ]
+
+# ip saddr != 1.1.1.1 log prefix giuseppe
+ip test-ip4 input
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ cmp neq reg 1 0x01010101 ]
+ [ log prefix giuseppe ]
+
+# ip saddr 1.1.1.1 log prefix example group 1
+ip test-ip4 input
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x01010101 ]
+ [ log prefix example group 1 snaplen 0 qthreshold 0]
+
+# ip daddr 192.168.0.1-192.168.0.250
+ip test-ip4 input
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ cmp gte reg 1 0x0100a8c0 ]
+ [ cmp lte reg 1 0xfa00a8c0 ]
+
+# ip daddr 10.0.0.0-10.255.255.255
+ip test-ip4 input
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ cmp gte reg 1 0x0000000a ]
+ [ cmp lte reg 1 0xffffff0a ]
+
+# ip daddr 172.16.0.0-172.31.255.255
+ip test-ip4 input
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ cmp gte reg 1 0x000010ac ]
+ [ cmp lte reg 1 0xffff1fac ]
+
+# ip daddr 192.168.3.1-192.168.4.250
+ip test-ip4 input
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ cmp gte reg 1 0x0103a8c0 ]
+ [ cmp lte reg 1 0xfa04a8c0 ]
+
+# ip daddr != 192.168.0.1-192.168.0.250
+ip test-ip4 input
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ cmp lt reg 1 0x0100a8c0 ]
+ [ cmp gt reg 1 0xfa00a8c0 ]
+
+# ip daddr { 192.168.0.1-192.168.0.250}
+set%d test-ip4 7
+set%d test-ip4 0
+ element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end]
+ip test-ip4 input
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+
+# ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept
+set%d test-ip4 3
+set%d test-ip4 0
+ element 0105a8c0 : 0 [end] element 0205a8c0 : 0 [end] element 0305a8c0 : 0 [end]
+ip test-ip4 input
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+ [ immediate reg 0 accept ]
+
+# ip daddr 192.168.1.2-192.168.1.55
+ip test-ip4 input
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ cmp gte reg 1 0x0201a8c0 ]
+ [ cmp lte reg 1 0x3701a8c0 ]
+
+# ip daddr != 192.168.1.2-192.168.1.55
+ip test-ip4 input
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ cmp lt reg 1 0x0201a8c0 ]
+ [ cmp gt reg 1 0x3701a8c0 ]
+
+# ip saddr 192.168.1.3-192.168.33.55
+ip test-ip4 input
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ cmp gte reg 1 0x0301a8c0 ]
+ [ cmp lte reg 1 0x3721a8c0 ]
+
+# ip saddr != 192.168.1.3-192.168.33.55
+ip test-ip4 input
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ cmp lt reg 1 0x0301a8c0 ]
+ [ cmp gt reg 1 0x3721a8c0 ]
+
+# ip daddr 192.168.0.1
+ip test-ip4 input
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ cmp eq reg 1 0x0100a8c0 ]
+
+# ip daddr 192.168.0.1 drop
+ip test-ip4 input
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ cmp eq reg 1 0x0100a8c0 ]
+ [ immediate reg 0 drop ]
+
+# ip daddr 192.168.0.2 log
+ip test-ip4 input
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ cmp eq reg 1 0x0200a8c0 ]
+ [ log prefix (null) ]
+
+# ip saddr \& 0xff == 1
+ip test-ip4 input
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0xff000000 ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x01000000 ]
+
+# ip saddr \& 0.0.0.255 \< 0.0.0.127
+ip test-ip4 input
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0xff000000 ) ^ 0x00000000 ]
+ [ cmp lt reg 1 0x7f000000 ]
+
+# ip saddr \& 0xffff0000 == 0xffff0000
+ip test-ip4 input
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0x0000ffff ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x0000ffff ]
+
+# ip saddr . ip daddr . ip protocol { 1.1.1.1 . 2.2.2.2 . tcp, 1.1.1.1 . 3.3.3.3 . udp}
+set%d test-ip 3
+set%d test-ip 0
+ element 01010101 02020202 00000006 : 0 [end] element 01010101 03030303 00000011 : 0 [end]
+ip test-ip input
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ payload load 4b @ network header + 16 => reg 9 ]
+ [ payload load 1b @ network header + 9 => reg 10 ]
+ [ lookup reg 1 set set%d ]
+
+# ip version 4 ip hdrlength 5
+ip test-ip4 input
+ [ payload load 1b @ network header + 0 => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0x000000f0 ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000040 ]
+ [ payload load 1b @ network header + 0 => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000005 ]
+
+# ip hdrlength 0
+ip test-ip4 input
+ [ payload load 1b @ network header + 0 => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000000 ]
+
+# ip hdrlength 15
+ip test-ip4 input
+ [ payload load 1b @ network header + 0 => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x0000000f ]
+
diff --git a/tests/py/ip/ip.t.payload.inet b/tests/py/ip/ip.t.payload.inet
new file mode 100644
index 00000000..35f73ff7
--- /dev/null
+++ b/tests/py/ip/ip.t.payload.inet
@@ -0,0 +1,506 @@
+# ip length 232
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x0000e800 ]
+
+# ip length != 233
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 2 => reg 1 ]
+ [ cmp neq reg 1 0x0000e900 ]
+
+# ip length 333-435
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 2 => reg 1 ]
+ [ cmp gte reg 1 0x00004d01 ]
+ [ cmp lte reg 1 0x0000b301 ]
+
+# ip length != 333-453
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 2 => reg 1 ]
+ [ cmp lt reg 1 0x00004d01 ]
+ [ cmp gt reg 1 0x0000c501 ]
+
+# ip length { 333, 553, 673, 838}
+set%d test-inet 3
+set%d test-inet 0
+ element 00004d01 : 0 [end] element 00002902 : 0 [end] element 0000a102 : 0 [end] element 00004603 : 0 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 2 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+
+# ip length { 333-535}
+set%d test-inet 7
+set%d test-inet 0
+ element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 2 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+
+# ip id 22
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 4 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+
+# ip id != 233
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 4 => reg 1 ]
+ [ cmp neq reg 1 0x0000e900 ]
+
+# ip id 33-45
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 4 => reg 1 ]
+ [ cmp gte reg 1 0x00002100 ]
+ [ cmp lte reg 1 0x00002d00 ]
+
+# ip id != 33-45
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 4 => reg 1 ]
+ [ cmp lt reg 1 0x00002100 ]
+ [ cmp gt reg 1 0x00002d00 ]
+
+# ip id { 33, 55, 67, 88}
+set%d test-inet 3
+set%d test-inet 0
+ element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 4 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+
+# ip id { 33-55}
+set%d test-inet 7
+set%d test-inet 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 4 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+
+# ip frag-off 222 accept
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x0000de00 ]
+ [ immediate reg 0 accept ]
+
+# ip frag-off != 233
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 6 => reg 1 ]
+ [ cmp neq reg 1 0x0000e900 ]
+
+# ip frag-off 33-45
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 6 => reg 1 ]
+ [ cmp gte reg 1 0x00002100 ]
+ [ cmp lte reg 1 0x00002d00 ]
+
+# ip frag-off != 33-45
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 6 => reg 1 ]
+ [ cmp lt reg 1 0x00002100 ]
+ [ cmp gt reg 1 0x00002d00 ]
+
+# ip frag-off { 33, 55, 67, 88}
+set%d test-inet 3
+set%d test-inet 0
+ element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 6 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+
+# ip frag-off { 33-55}
+set%d test-inet 7
+set%d test-inet 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 6 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+
+# ip ttl 0 drop
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 1b @ network header + 8 => reg 1 ]
+ [ cmp eq reg 1 0x00000000 ]
+ [ immediate reg 0 drop ]
+
+# ip ttl 233 log
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 1b @ network header + 8 => reg 1 ]
+ [ cmp eq reg 1 0x000000e9 ]
+ [ log prefix (null) ]
+
+# ip ttl 33-55
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 1b @ network header + 8 => reg 1 ]
+ [ cmp gte reg 1 0x00000021 ]
+ [ cmp lte reg 1 0x00000037 ]
+
+# ip ttl != 45-50
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 1b @ network header + 8 => reg 1 ]
+ [ cmp lt reg 1 0x0000002d ]
+ [ cmp gt reg 1 0x00000032 ]
+
+# ip ttl {43, 53, 45 }
+set%d test-inet 3
+set%d test-inet 0
+ element 0000002b : 0 [end] element 00000035 : 0 [end] element 0000002d : 0 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 1b @ network header + 8 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+
+# ip ttl { 33-55}
+set%d test-inet 7
+set%d test-inet 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 1b @ network header + 8 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+
+# ip protocol tcp log
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ log prefix (null) ]
+
+# ip protocol != tcp log
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp neq reg 1 0x00000006 ]
+ [ log prefix (null) ]
+
+# ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept
+set%d test-inet 3
+set%d test-inet 0
+ element 00000001 : 0 [end] element 00000032 : 0 [end] element 00000033 : 0 [end] element 0000006c : 0 [end] element 00000011 : 0 [end] element 00000088 : 0 [end] element 00000006 : 0 [end] element 00000021 : 0 [end] element 00000084 : 0 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+ [ immediate reg 0 accept ]
+
+# ip checksum 13172 drop
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 10 => reg 1 ]
+ [ cmp eq reg 1 0x00007433 ]
+ [ immediate reg 0 drop ]
+
+# ip checksum 22
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 10 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+
+# ip checksum != 233
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 10 => reg 1 ]
+ [ cmp neq reg 1 0x0000e900 ]
+
+# ip checksum 33-45
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 10 => reg 1 ]
+ [ cmp gte reg 1 0x00002100 ]
+ [ cmp lte reg 1 0x00002d00 ]
+
+# ip checksum != 33-45
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 10 => reg 1 ]
+ [ cmp lt reg 1 0x00002100 ]
+ [ cmp gt reg 1 0x00002d00 ]
+
+# ip checksum { 33, 55, 67, 88}
+set%d test-inet 3
+set%d test-inet 0
+ element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 10 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+
+# ip checksum { 33-55}
+set%d test-inet 7
+set%d test-inet 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 10 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+
+# ip saddr 192.168.2.0/24
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x0002a8c0 ]
+
+# ip saddr != 192.168.2.0/24
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
+ [ cmp neq reg 1 0x0002a8c0 ]
+
+# ip saddr 192.168.3.1 ip daddr 192.168.3.100
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 8b @ network header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x0103a8c0 0x6403a8c0 ]
+
+# ip saddr != 1.1.1.1 log prefix giuseppe
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ cmp neq reg 1 0x01010101 ]
+ [ log prefix giuseppe ]
+
+# ip saddr 1.1.1.1 log prefix example group 1
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x01010101 ]
+ [ log prefix example group 1 snaplen 0 qthreshold 0]
+
+# ip daddr 192.168.0.1-192.168.0.250
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ cmp gte reg 1 0x0100a8c0 ]
+ [ cmp lte reg 1 0xfa00a8c0 ]
+
+# ip daddr 10.0.0.0-10.255.255.255
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ cmp gte reg 1 0x0000000a ]
+ [ cmp lte reg 1 0xffffff0a ]
+
+# ip daddr 172.16.0.0-172.31.255.255
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ cmp gte reg 1 0x000010ac ]
+ [ cmp lte reg 1 0xffff1fac ]
+
+# ip daddr 192.168.3.1-192.168.4.250
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ cmp gte reg 1 0x0103a8c0 ]
+ [ cmp lte reg 1 0xfa04a8c0 ]
+
+# ip daddr != 192.168.0.1-192.168.0.250
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ cmp lt reg 1 0x0100a8c0 ]
+ [ cmp gt reg 1 0xfa00a8c0 ]
+
+# ip daddr { 192.168.0.1-192.168.0.250}
+set%d test-inet 7
+set%d test-inet 0
+ element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+
+# ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept
+set%d test-inet 3
+set%d test-inet 0
+ element 0105a8c0 : 0 [end] element 0205a8c0 : 0 [end] element 0305a8c0 : 0 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+ [ immediate reg 0 accept ]
+
+# ip daddr 192.168.1.2-192.168.1.55
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ cmp gte reg 1 0x0201a8c0 ]
+ [ cmp lte reg 1 0x3701a8c0 ]
+
+# ip daddr != 192.168.1.2-192.168.1.55
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ cmp lt reg 1 0x0201a8c0 ]
+ [ cmp gt reg 1 0x3701a8c0 ]
+
+# ip saddr 192.168.1.3-192.168.33.55
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ cmp gte reg 1 0x0301a8c0 ]
+ [ cmp lte reg 1 0x3721a8c0 ]
+
+# ip saddr != 192.168.1.3-192.168.33.55
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ cmp lt reg 1 0x0301a8c0 ]
+ [ cmp gt reg 1 0x3721a8c0 ]
+
+# ip daddr 192.168.0.1
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ cmp eq reg 1 0x0100a8c0 ]
+
+# ip daddr 192.168.0.1 drop
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ cmp eq reg 1 0x0100a8c0 ]
+ [ immediate reg 0 drop ]
+
+# ip daddr 192.168.0.2 log
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ cmp eq reg 1 0x0200a8c0 ]
+ [ log prefix (null) ]
+
+# ip saddr \& 0xff == 1
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0xff000000 ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x01000000 ]
+
+# ip saddr \& 0.0.0.255 \< 0.0.0.127
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0xff000000 ) ^ 0x00000000 ]
+ [ cmp lt reg 1 0x7f000000 ]
+
+# ip saddr \& 0xffff0000 == 0xffff0000
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0x0000ffff ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x0000ffff ]
+
+# ip saddr . ip daddr . ip protocol { 1.1.1.1 . 2.2.2.2 . tcp, 1.1.1.1 . 3.3.3.3 . udp}
+set%d test-ip 3
+set%d test-ip 0
+ element 01010101 02020202 00000006 : 0 [end] element 01010101 03030303 00000011 : 0 [end]
+inet test-ip input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ payload load 4b @ network header + 16 => reg 9 ]
+ [ payload load 1b @ network header + 9 => reg 10 ]
+ [ lookup reg 1 set set%d ]
+
+# ip version 4 ip hdrlength 5
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 1b @ network header + 0 => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0x000000f0 ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000040 ]
+ [ payload load 1b @ network header + 0 => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000005 ]
+
+# ip hdrlength 0
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 1b @ network header + 0 => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000000 ]
+
+# ip hdrlength 15
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 1b @ network header + 0 => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x0000000f ]
+
diff --git a/tests/py/ip/masquerade.t b/tests/py/ip/masquerade.t
new file mode 100644
index 00000000..35001f37
--- /dev/null
+++ b/tests/py/ip/masquerade.t
@@ -0,0 +1,25 @@
+*ip;test-ip4
+:postrouting;type nat hook postrouting priority 0
+
+# nf_nat flags combination
+udp dport 53 masquerade;ok
+udp dport 53 masquerade random;ok
+udp dport 53 masquerade random,persistent;ok
+udp dport 53 masquerade random,persistent,fully-random;ok;udp dport 53 masquerade random,fully-random,persistent
+udp dport 53 masquerade random,fully-random;ok
+udp dport 53 masquerade random,fully-random,persistent;ok
+udp dport 53 masquerade persistent;ok
+udp dport 53 masquerade persistent,random;ok;udp dport 53 masquerade random,persistent
+udp dport 53 masquerade persistent,random,fully-random;ok;udp dport 53 masquerade random,fully-random,persistent
+udp dport 53 masquerade persistent,fully-random;ok;udp dport 53 masquerade fully-random,persistent
+udp dport 53 masquerade persistent,fully-random,random;ok;udp dport 53 masquerade random,fully-random,persistent
+
+# masquerade is a terminal statement
+tcp dport 22 masquerade counter packets 0 bytes 0 accept;fail
+tcp sport 22 masquerade accept;fail
+ip saddr 10.1.1.1 masquerade drop;fail
+
+# masquerade with sets
+tcp dport { 1,2,3,4,5,6,7,8,101,202,303,1001,2002,3003} masquerade;ok
+ip daddr 10.0.0.0-10.2.3.4 udp dport 53 counter packets 0 bytes 0 masquerade;ok
+iifname eth0 ct state new,established tcp dport vmap {22 : drop, 222 : drop } masquerade;ok
diff --git a/tests/py/ip/masquerade.t.payload b/tests/py/ip/masquerade.t.payload
new file mode 100644
index 00000000..9390f0cf
--- /dev/null
+++ b/tests/py/ip/masquerade.t.payload
@@ -0,0 +1,127 @@
+# udp dport 53 masquerade
+ip test-ip4 postrouting
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00003500 ]
+ [ masq ]
+
+# udp dport 53 masquerade random
+ip test-ip4 postrouting
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00003500 ]
+ [ masq flags 0x4 ]
+
+# udp dport 53 masquerade random,persistent
+ip test-ip4 postrouting
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00003500 ]
+ [ masq flags 0xc ]
+
+# udp dport 53 masquerade random,persistent,fully-random
+ip test-ip4 postrouting
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00003500 ]
+ [ masq flags 0x1c ]
+
+# udp dport 53 masquerade random,fully-random
+ip test-ip4 postrouting
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00003500 ]
+ [ masq flags 0x14 ]
+
+# udp dport 53 masquerade random,fully-random,persistent
+ip test-ip4 postrouting
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00003500 ]
+ [ masq flags 0x1c ]
+
+# udp dport 53 masquerade persistent
+ip test-ip4 postrouting
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00003500 ]
+ [ masq flags 0x8 ]
+
+# udp dport 53 masquerade persistent,random
+ip test-ip4 postrouting
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00003500 ]
+ [ masq flags 0xc ]
+
+# udp dport 53 masquerade persistent,random,fully-random
+ip test-ip4 postrouting
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00003500 ]
+ [ masq flags 0x1c ]
+
+# udp dport 53 masquerade persistent,fully-random
+ip test-ip4 postrouting
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00003500 ]
+ [ masq flags 0x18 ]
+
+# udp dport 53 masquerade persistent,fully-random,random
+ip test-ip4 postrouting
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00003500 ]
+ [ masq flags 0x1c ]
+
+# tcp dport { 1,2,3,4,5,6,7,8,101,202,303,1001,2002,3003} masquerade
+set%d test-ip4 3
+set%d test-ip4 0
+ element 00000100 : 0 [end] element 00000200 : 0 [end] element 00000300 : 0 [end] element 00000400 : 0 [end] element 00000500 : 0 [end] element 00000600 : 0 [end] element 00000700 : 0 [end] element 00000800 : 0 [end] element 00006500 : 0 [end] element 0000ca00 : 0 [end] element 00002f01 : 0 [end] element 0000e903 : 0 [end] element 0000d207 : 0 [end] element 0000bb0b : 0 [end]
+ip test-ip4 postrouting
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+ [ masq ]
+
+# ip daddr 10.0.0.0-10.2.3.4 udp dport 53 counter packets 0 bytes 0 masquerade
+ip test-ip4 postrouting
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ cmp gte reg 1 0x0000000a ]
+ [ cmp lte reg 1 0x0403020a ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00003500 ]
+ [ counter pkts 0 bytes 0 ]
+ [ masq ]
+
+# iifname eth0 ct state new,established tcp dport vmap {22 : drop, 222 : drop } masquerade
+map%d test-ip4 b
+map%d test-ip4 0
+ element 00001600 : 0 [end] element 0000de00 : 0 [end]
+ip test-ip4 postrouting
+ [ meta load iifname => reg 1 ]
+ [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+ [ ct load state => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0x0000000a ) ^ 0x00000000 ]
+ [ cmp neq reg 1 0x00000000 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set map%d dreg 0 ]
+ [ masq ]
+
diff --git a/tests/py/ip/redirect.t b/tests/py/ip/redirect.t
new file mode 100644
index 00000000..b7eecb74
--- /dev/null
+++ b/tests/py/ip/redirect.t
@@ -0,0 +1,45 @@
+*ip;test-ip4
+:output;type nat hook output priority 0
+
+# without arguments
+udp dport 53 redirect;ok
+
+# nf_nat flags combination
+udp dport 53 redirect random;ok
+udp dport 53 redirect random,persistent;ok
+udp dport 53 redirect random,persistent,fully-random;ok;udp dport 53 redirect random,fully-random,persistent
+udp dport 53 redirect random,fully-random;ok
+udp dport 53 redirect random,fully-random,persistent;ok
+udp dport 53 redirect persistent;ok
+udp dport 53 redirect persistent,random;ok;udp dport 53 redirect random,persistent
+udp dport 53 redirect persistent,random,fully-random;ok;udp dport 53 redirect random,fully-random,persistent
+udp dport 53 redirect persistent,fully-random;ok;udp dport 53 redirect fully-random,persistent
+udp dport 53 redirect persistent,fully-random,random;ok;udp dport 53 redirect random,fully-random,persistent
+
+# port specification
+tcp dport 22 redirect to 22;ok
+udp dport 1234 redirect to 4321;ok
+ip daddr 172.16.0.1 udp dport 9998 redirect to 6515;ok
+tcp dport 39128 redirect to 993;ok
+redirect to 1234;fail
+redirect to 12341111;fail
+
+# both port and nf_nat flags
+tcp dport 9128 redirect to 993 random;ok
+tcp dport 9128 redirect to 993 fully-random;ok
+tcp dport 9128 redirect to 123 persistent;ok
+tcp dport 9128 redirect to 123 random,persistent;ok
+
+# nf_nat flags is the last argument
+udp dport 1234 redirect random to 123;fail
+udp dport 21234 redirect persistent,fully-random to 431;fail
+
+# redirect is a terminal statement
+tcp dport 22 redirect counter packets 0 bytes 0 accept;fail
+tcp sport 22 redirect accept;fail
+ip saddr 10.1.1.1 redirect drop;fail
+
+# redirect with sets
+tcp dport { 1, 2, 3, 4, 5, 6, 7, 8, 101, 202, 303, 1001, 2002, 3003} redirect;ok
+ip daddr 10.0.0.0-10.2.3.4 udp dport 53 counter packets 0 bytes 0 redirect;ok
+iifname eth0 ct state new,established tcp dport vmap {22 : drop, 222 : drop } redirect;ok
diff --git a/tests/py/ip/redirect.t.payload b/tests/py/ip/redirect.t.payload
new file mode 100644
index 00000000..ac718043
--- /dev/null
+++ b/tests/py/ip/redirect.t.payload
@@ -0,0 +1,201 @@
+# udp dport 53 redirect
+ip test-ip4 output
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00003500 ]
+ [ redir ]
+
+# udp dport 53 redirect random
+ip test-ip4 output
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00003500 ]
+ [ redir flags 0x4 ]
+
+# udp dport 53 redirect random,persistent
+ip test-ip4 output
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00003500 ]
+ [ redir flags 0xc ]
+
+# udp dport 53 redirect random,persistent,fully-random
+ip test-ip4 output
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00003500 ]
+ [ redir flags 0x1c ]
+
+# udp dport 53 redirect random,fully-random
+ip test-ip4 output
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00003500 ]
+ [ redir flags 0x14 ]
+
+# udp dport 53 redirect random,fully-random,persistent
+ip test-ip4 output
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00003500 ]
+ [ redir flags 0x1c ]
+
+# udp dport 53 redirect persistent
+ip test-ip4 output
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00003500 ]
+ [ redir flags 0x8 ]
+
+# udp dport 53 redirect persistent,random
+ip test-ip4 output
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00003500 ]
+ [ redir flags 0xc ]
+
+# udp dport 53 redirect persistent,random,fully-random
+ip test-ip4 output
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00003500 ]
+ [ redir flags 0x1c ]
+
+# udp dport 53 redirect persistent,fully-random
+ip test-ip4 output
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00003500 ]
+ [ redir flags 0x18 ]
+
+# udp dport 53 redirect persistent,fully-random,random
+ip test-ip4 output
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00003500 ]
+ [ redir flags 0x1c ]
+
+# tcp dport 22 redirect to 22
+ip test-ip4 output
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+ [ immediate reg 1 0x00001600 ]
+ [ redir proto_min reg 1 ]
+
+# udp dport 1234 redirect to 4321
+ip test-ip4 output
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x0000d204 ]
+ [ immediate reg 1 0x0000e110 ]
+ [ redir proto_min reg 1 ]
+
+# ip daddr 172.16.0.1 udp dport 9998 redirect to 6515
+ip test-ip4 output
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ cmp eq reg 1 0x010010ac ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00000e27 ]
+ [ immediate reg 1 0x00007319 ]
+ [ redir proto_min reg 1 ]
+
+# tcp dport 39128 redirect to 993
+ip test-ip4 output
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x0000d898 ]
+ [ immediate reg 1 0x0000e103 ]
+ [ redir proto_min reg 1 ]
+
+# tcp dport 9128 redirect to 993 random
+ip test-ip4 output
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x0000a823 ]
+ [ immediate reg 1 0x0000e103 ]
+ [ redir proto_min reg 1 flags 0x4 ]
+
+# tcp dport 9128 redirect to 993 fully-random
+ip test-ip4 output
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x0000a823 ]
+ [ immediate reg 1 0x0000e103 ]
+ [ redir proto_min reg 1 flags 0x10 ]
+
+# tcp dport 9128 redirect to 123 persistent
+ip test-ip4 output
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x0000a823 ]
+ [ immediate reg 1 0x00007b00 ]
+ [ redir proto_min reg 1 flags 0x8 ]
+
+# tcp dport 9128 redirect to 123 random,persistent
+ip test-ip4 output
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x0000a823 ]
+ [ immediate reg 1 0x00007b00 ]
+ [ redir proto_min reg 1 flags 0xc ]
+
+# tcp dport { 1, 2, 3, 4, 5, 6, 7, 8, 101, 202, 303, 1001, 2002, 3003} redirect
+set%d test-ip4 3
+set%d test-ip4 0
+ element 00000100 : 0 [end] element 00000200 : 0 [end] element 00000300 : 0 [end] element 00000400 : 0 [end] element 00000500 : 0 [end] element 00000600 : 0 [end] element 00000700 : 0 [end] element 00000800 : 0 [end] element 00006500 : 0 [end] element 0000ca00 : 0 [end] element 00002f01 : 0 [end] element 0000e903 : 0 [end] element 0000d207 : 0 [end] element 0000bb0b : 0 [end]
+ip test-ip4 output
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+ [ redir ]
+
+# ip daddr 10.0.0.0-10.2.3.4 udp dport 53 counter packets 0 bytes 0 redirect
+ip test-ip4 output
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ cmp gte reg 1 0x0000000a ]
+ [ cmp lte reg 1 0x0403020a ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00003500 ]
+ [ counter pkts 0 bytes 0 ]
+ [ redir ]
+
+# iifname eth0 ct state new,established tcp dport vmap {22 : drop, 222 : drop } redirect
+map%d test-ip4 b
+map%d test-ip4 0
+ element 00001600 : 0 [end] element 0000de00 : 0 [end]
+ip test-ip4 output
+ [ meta load iifname => reg 1 ]
+ [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+ [ ct load state => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0x0000000a ) ^ 0x00000000 ]
+ [ cmp neq reg 1 0x00000000 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set map%d dreg 0 ]
+ [ redir ]
+
diff --git a/tests/py/ip/reject.t b/tests/py/ip/reject.t
new file mode 100644
index 00000000..70a63a0b
--- /dev/null
+++ b/tests/py/ip/reject.t
@@ -0,0 +1,14 @@
+*ip;test-ip4
+:output;type filter hook output priority 0
+
+reject;ok
+reject with icmp type host-unreachable;ok
+reject with icmp type net-unreachable;ok
+reject with icmp type prot-unreachable;ok
+reject with icmp type port-unreachable;ok;reject
+reject with icmp type net-prohibited;ok
+reject with icmp type host-prohibited;ok
+reject with icmp type admin-prohibited;ok
+
+reject with icmp type no-route;fail
+reject with icmpv6 type no-route;fail
diff --git a/tests/py/ip/reject.t.payload b/tests/py/ip/reject.t.payload
new file mode 100644
index 00000000..d5e87665
--- /dev/null
+++ b/tests/py/ip/reject.t.payload
@@ -0,0 +1,32 @@
+# reject
+ip test-ip4 output
+ [ reject type 0 code 3 ]
+
+# reject with icmp type host-unreachable
+ip test-ip4 output
+ [ reject type 0 code 1 ]
+
+# reject with icmp type net-unreachable
+ip test-ip4 output
+ [ reject type 0 code 0 ]
+
+# reject with icmp type prot-unreachable
+ip test-ip4 output
+ [ reject type 0 code 2 ]
+
+# reject with icmp type port-unreachable
+ip test-ip4 output
+ [ reject type 0 code 3 ]
+
+# reject with icmp type net-prohibited
+ip test-ip4 output
+ [ reject type 0 code 9 ]
+
+# reject with icmp type host-prohibited
+ip test-ip4 output
+ [ reject type 0 code 10 ]
+
+# reject with icmp type admin-prohibited
+ip test-ip4 output
+ [ reject type 0 code 13 ]
+
diff --git a/tests/py/ip/sets.t b/tests/py/ip/sets.t
new file mode 100644
index 00000000..c199dbd2
--- /dev/null
+++ b/tests/py/ip/sets.t
@@ -0,0 +1,30 @@
+*ip;test-ip4
+*inet;test-inet
+:input;type filter hook input priority 0
+
+!set_ipv4_add ipv4_addr;ok
+!set_inet inet_proto;ok
+!set_inet_serv inet_service;ok
+!set_time time;ok
+
+!set1 ipv4_addr;ok
+?set1 192.168.3.4;ok
+
+?set1 192.168.3.4;fail
+?set1 192.168.3.5 192.168.3.6;ok
+?set1 192.168.3.5 192.168.3.6;fail
+?set1 192.168.3.8 192.168.3.9;ok
+?set1 192.168.3.10 192.168.3.11;ok
+?set1 1234:1234:1234:1234:1234:1234:1234:1234;fail
+?set2 192.168.3.4;fail
+
+!set2 ipv4_addr;ok
+?set2 192.168.3.4;ok
+?set2 192.168.3.5 192.168.3.6;ok
+?set2 192.168.3.5 192.168.3.6;fail
+?set2 192.168.3.8 192.168.3.9;ok
+?set2 192.168.3.10 192.168.3.11;ok
+
+ip saddr @set1 drop;ok
+ip saddr @set2 drop;ok
+ip saddr @set33 drop;fail
diff --git a/tests/py/ip/sets.t.payload.inet b/tests/py/ip/sets.t.payload.inet
new file mode 100644
index 00000000..f8e97ccb
--- /dev/null
+++ b/tests/py/ip/sets.t.payload.inet
@@ -0,0 +1,16 @@
+# ip saddr @set1 drop
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ lookup reg 1 set set1 ]
+ [ immediate reg 0 drop ]
+
+# ip saddr @set2 drop
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ lookup reg 1 set set2 ]
+ [ immediate reg 0 drop ]
+
diff --git a/tests/py/ip/sets.t.payload.ip b/tests/py/ip/sets.t.payload.ip
new file mode 100644
index 00000000..ece63d0e
--- /dev/null
+++ b/tests/py/ip/sets.t.payload.ip
@@ -0,0 +1,12 @@
+# ip saddr @set1 drop
+ip test-ip4 input
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ lookup reg 1 set set1 ]
+ [ immediate reg 0 drop ]
+
+# ip saddr @set2 drop
+ip test-ip4 input
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ lookup reg 1 set set2 ]
+ [ immediate reg 0 drop ]
+
diff --git a/tests/py/ip/snat.t b/tests/py/ip/snat.t
new file mode 100644
index 00000000..1caf7c76
--- /dev/null
+++ b/tests/py/ip/snat.t
@@ -0,0 +1,12 @@
+*ip;test-ip4
+:postrouting;type nat hook postrouting priority 0
+
+iifname "eth0" tcp dport 80-90 snat 192.168.3.2;ok
+iifname "eth0" tcp dport != 80-90 snat 192.168.3.2;ok
+iifname "eth0" tcp dport {80, 90, 23} snat 192.168.3.2;ok
+- iifname "eth0" tcp dport != {80, 90, 23} snat 192.168.3.2;ok
+- iifname "eth0" tcp dport != {80, 90, 23} snat 192.168.3.2;ok
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+iifname "eth0" tcp dport != 23-34 snat 192.168.3.2;ok
diff --git a/tests/py/ip/snat.t.payload b/tests/py/ip/snat.t.payload
new file mode 100644
index 00000000..32ba4fa8
--- /dev/null
+++ b/tests/py/ip/snat.t.payload
@@ -0,0 +1,50 @@
+# iifname "eth0" tcp dport 80-90 snat 192.168.3.2
+ip test-ip4 postrouting
+ [ meta load iifname => reg 1 ]
+ [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp gte reg 1 0x00005000 ]
+ [ cmp lte reg 1 0x00005a00 ]
+ [ immediate reg 1 0x0203a8c0 ]
+ [ nat snat ip addr_min reg 1 addr_max reg 0 ]
+
+# iifname "eth0" tcp dport != 80-90 snat 192.168.3.2
+ip test-ip4 postrouting
+ [ meta load iifname => reg 1 ]
+ [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp lt reg 1 0x00005000 ]
+ [ cmp gt reg 1 0x00005a00 ]
+ [ immediate reg 1 0x0203a8c0 ]
+ [ nat snat ip addr_min reg 1 addr_max reg 0 ]
+
+# iifname "eth0" tcp dport {80, 90, 23} snat 192.168.3.2
+set%d test-ip4 3
+set%d test-ip4 0
+ element 00005000 : 0 [end] element 00005a00 : 0 [end] element 00001700 : 0 [end]
+ip test-ip4 postrouting
+ [ meta load iifname => reg 1 ]
+ [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set set%d ]
+ [ immediate reg 1 0x0203a8c0 ]
+ [ nat snat ip addr_min reg 1 addr_max reg 0 ]
+
+# iifname "eth0" tcp dport != 23-34 snat 192.168.3.2
+ip test-ip4 postrouting
+ [ meta load iifname => reg 1 ]
+ [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp lt reg 1 0x00001700 ]
+ [ cmp gt reg 1 0x00002200 ]
+ [ immediate reg 1 0x0203a8c0 ]
+ [ nat snat ip addr_min reg 1 addr_max reg 0 ]
+