diff options
Diffstat (limited to 'tests/py')
252 files changed, 10484 insertions, 6409 deletions
diff --git a/tests/py/README b/tests/py/README index ed5dc58b..864a966e 100644 --- a/tests/py/README +++ b/tests/py/README @@ -163,4 +163,35 @@ G) Acknowledgements Thanks to the Outreach Program for Women (OPW) for sponsoring this test infrastructure and my mentor Pablo Neira. +H) JSON (-j) Mode + +This mode is supposed to repeat the same tests using JSON syntax. For each test +file example.t, there is supposed to be a file example.t.json holding the JSON +equivalents of each rule in example.t. The file's syntax is similar to payload +files: An initial comment identifies the rule belonging to the following JSON +equivalent. Pairs of comment and JSON are separated by a single blank line. + +If the example.t.json file does not exist, the test script will warn and create +(or append to) example.t.json.got. The JSON equivalent written is generated by +applying the rule in standard syntax and listing the ruleset in JSON format. +After thorough review, it may be renamed to example.t.json. + +One common case for editing the content in example.t.json.got is expected +differences between input and output. The generated content will match the +output while it is supposed to match the input. + +If a rule is expected to differ in output, the expected output must be recorded +in example.t.json.output. Its syntax is identical to example.t.json, i.e. pairs +of comment identifying the rule (in standard syntax) and JSON (output) format +separated by blank lines. Note: the comment states the rule as in input, not +output. + +If the example.t.json.output file does not exist and output differs from input, +the file example.t.json.output.got is created with the actual output recorded. + +JSON mode will also check the payload created for the rule in JSON syntax by +comparing it to the recorded one in example.t.payload. Should it differ, it +will be recorded in example.t.json.payload.got. This is always a bug: A rule's +JSON equivalent must turn into the same bytecode as the rule itself. + -EOF- diff --git a/tests/py/any/counter.t b/tests/py/any/counter.t new file mode 100644 index 00000000..1c72742c --- /dev/null +++ b/tests/py/any/counter.t @@ -0,0 +1,14 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 + +*ip;test-ip4;input +*ip6;test-ip6;input +*inet;test-inet;input +*arp;test-arp;input +*bridge;test-bridge;input +*netdev;test-netdev;ingress + +counter;ok +counter packets 0 bytes 0;ok;counter +counter packets 2 bytes 1;ok;counter +counter bytes 1024 packets 1;ok;counter diff --git a/tests/py/any/counter.t.json b/tests/py/any/counter.t.json new file mode 100644 index 00000000..2d1eaa99 --- /dev/null +++ b/tests/py/any/counter.t.json @@ -0,0 +1,39 @@ +# counter +[ + { + "counter": { + "bytes": 0, + "packets": 0 + } + } +] + +# counter packets 0 bytes 0 +[ + { + "counter": { + "bytes": 0, + "packets": 0 + } + } +] + +# counter packets 2 bytes 1 +[ + { + "counter": { + "bytes": 1, + "packets": 2 + } + } +] + +# counter bytes 1024 packets 1 +[ + { + "counter": { + "bytes": 1024, + "packets": 1 + } + } +] diff --git a/tests/py/any/counter.t.json.output b/tests/py/any/counter.t.json.output new file mode 100644 index 00000000..6a62ffb0 --- /dev/null +++ b/tests/py/any/counter.t.json.output @@ -0,0 +1,28 @@ +# counter +[ + { + "counter": null + } +] + +# counter packets 0 bytes 0 +[ + { + "counter": null + } +] + +# counter packets 2 bytes 1 +[ + { + "counter": null + } +] + +# counter bytes 1024 packets 1 +[ + { + "counter": null + } +] + diff --git a/tests/py/any/counter.t.payload b/tests/py/any/counter.t.payload new file mode 100644 index 00000000..23e96bae --- /dev/null +++ b/tests/py/any/counter.t.payload @@ -0,0 +1,15 @@ +# counter +ip + [ counter pkts 0 bytes 0 ] + +# counter packets 0 bytes 0 +ip + [ counter pkts 0 bytes 0 ] + +# counter packets 2 bytes 1 +ip + [ counter pkts 2 bytes 1 ] + +# counter bytes 1024 packets 1 +ip + [ counter pkts 1 bytes 1024 ] diff --git a/tests/py/any/ct.t b/tests/py/any/ct.t index a44142ac..f73fa4e7 100644 --- a/tests/py/any/ct.t +++ b/tests/py/any/ct.t @@ -69,7 +69,7 @@ ct event set {new, related, destroy, label};fail ct expiration 30s;ok ct expiration 30000ms;ok;ct expiration 30s -ct expiration 1m-1h;ok +ct expiration 1m-1h;ok;ct expiration 60s-3600s ct expiration 1d-1h;fail ct expiration > 4d23h59m59s;ok ct expiration != 233;ok;ct expiration != 3m53s @@ -77,8 +77,8 @@ ct expiration 33-45;ok;ct expiration 33s-45s ct expiration != 33-45;ok;ct expiration != 33s-45s ct expiration {33, 55, 67, 88};ok;ct expiration { 1m7s, 33s, 55s, 1m28s} ct expiration != {33, 55, 67, 88};ok;ct expiration != { 1m7s, 33s, 55s, 1m28s} -ct expiration {33-55, 66-88};ok;ct expiration { 33s-55s, 1m6s-1m28s} -ct expiration != {33-55, 66-88};ok;ct expiration != { 33s-55s, 1m6s-1m28s} +ct expiration {33-55, 66-88};ok;ct expiration { 33s-55s, 66s-88s} +ct expiration != {33-55, 66-88};ok;ct expiration != { 33s-55s, 66s-88s} ct helper "ftp";ok ct helper "12345678901234567";fail @@ -144,3 +144,6 @@ ct set invalid original 42;fail ct set invalid 42;fail notrack;ok + +ct count 3;ok +ct count over 3;ok diff --git a/tests/py/any/ct.t.json b/tests/py/any/ct.t.json index d429ae73..a2a06025 100644 --- a/tests/py/any/ct.t.json +++ b/tests/py/any/ct.t.json @@ -387,6 +387,21 @@ } ] +# ct status ! dnat +[ + { + "match": { + "left": { + "ct": { + "key": "status" + } + }, + "op": "!", + "right": "dnat" + } + } +] + # ct mark 0 [ { @@ -1487,3 +1502,22 @@ } ] +# ct count 3 +[ + { + "ct count": { + "val": 3 + } + } +] + +# ct count over 3 +[ + { + "ct count": { + "inv": true, + "val": 3 + } + } +] + diff --git a/tests/py/any/ct.t.payload b/tests/py/any/ct.t.payload index a80e5a8d..ed868e53 100644 --- a/tests/py/any/ct.t.payload +++ b/tests/py/any/ct.t.payload @@ -485,7 +485,7 @@ ip test-ip4 output # ct state . ct mark vmap { new . 0x12345678 : drop, established . 0x87654321 : accept} __map%d test-ip4 b size 2 __map%d test-ip4 0 - element 00000008 12345678 : 0 [end] element 00000002 87654321 : 0 [end] + element 00000008 12345678 : drop 0 [end] element 00000002 87654321 : accept 0 [end] ip test-ip4 output [ ct load state => reg 1 ] [ ct load mark => reg 9 ] @@ -508,3 +508,11 @@ ip6 [ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000000 ] +# ct count 3 +ip test-ip4 output + [ connlimit count 3 flags 0 ] + +# ct count over 3 +ip test-ip4 output + [ connlimit count 3 flags 1 ] + diff --git a/tests/py/any/icmpX.t.netdev b/tests/py/any/icmpX.t.netdev index a327ce6a..cf402428 100644 --- a/tests/py/any/icmpX.t.netdev +++ b/tests/py/any/icmpX.t.netdev @@ -1,6 +1,7 @@ :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress ip protocol icmp icmp type echo-request;ok;icmp type echo-request icmp type echo-request;ok diff --git a/tests/py/any/last.t b/tests/py/any/last.t new file mode 100644 index 00000000..5c530461 --- /dev/null +++ b/tests/py/any/last.t @@ -0,0 +1,13 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 + +*ip;test-ip4;input +*ip6;test-ip6;input +*inet;test-inet;input +*arp;test-arp;input +*bridge;test-bridge;input +*netdev;test-netdev;ingress + +last;ok +last used 300s;ok;last +last used foo;fail diff --git a/tests/py/any/last.t.json b/tests/py/any/last.t.json new file mode 100644 index 00000000..2a2b9e72 --- /dev/null +++ b/tests/py/any/last.t.json @@ -0,0 +1,16 @@ +# last +[ + { + "last": null + } +] + +# last used 300s +[ + { + "last": { + "used": 300000 + } + } +] + diff --git a/tests/py/any/last.t.json.output b/tests/py/any/last.t.json.output new file mode 100644 index 00000000..e8ec4f47 --- /dev/null +++ b/tests/py/any/last.t.json.output @@ -0,0 +1,7 @@ +# last used 300s +[ + { + "last": null + } +] + diff --git a/tests/py/any/last.t.payload b/tests/py/any/last.t.payload new file mode 100644 index 00000000..ed47d0f3 --- /dev/null +++ b/tests/py/any/last.t.payload @@ -0,0 +1,8 @@ +# last +ip + [ last never ] + +# last used 300s +ip + [ last 300000 ] + diff --git a/tests/py/any/limit.t b/tests/py/any/limit.t index ef7f9313..2a84e3f5 100644 --- a/tests/py/any/limit.t +++ b/tests/py/any/limit.t @@ -1,18 +1,19 @@ :output;type filter hook output priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;output *ip6;test-ip6;output *inet;test-inet;output *arp;test-arp;output *bridge;test-bridge;output -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress -limit rate 400/minute;ok -limit rate 20/second;ok -limit rate 400/hour;ok -limit rate 40/day;ok -limit rate 400/week;ok +limit rate 400/minute;ok;limit rate 400/minute burst 5 packets +limit rate 20/second;ok;limit rate 20/second burst 5 packets +limit rate 400/hour;ok;limit rate 400/hour burst 5 packets +limit rate 40/day;ok;limit rate 40/day burst 5 packets +limit rate 400/week;ok;limit rate 400/week burst 5 packets limit rate 1023/second burst 10 packets;ok limit rate 1023/second burst 10 bytes;fail @@ -21,19 +22,22 @@ limit rate 2 kbytes/second;ok limit rate 1025 kbytes/second;ok limit rate 1023 mbytes/second;ok limit rate 10230 mbytes/second;ok -limit rate 1023000 mbytes/second;ok limit rate 512 kbytes/second burst 5 packets;fail +limit rate 1 bytes / second;ok;limit rate 1 bytes/second +limit rate 1 kbytes / second;ok;limit rate 1 kbytes/second +limit rate 1 mbytes / second;ok;limit rate 1 mbytes/second +limit rate 1 gbytes / second;fail + limit rate 1025 bytes/second burst 512 bytes;ok limit rate 1025 kbytes/second burst 1023 kbytes;ok limit rate 1025 mbytes/second burst 1025 kbytes;ok -limit rate 1025000 mbytes/second burst 1023 mbytes;ok -limit rate over 400/minute;ok -limit rate over 20/second;ok -limit rate over 400/hour;ok -limit rate over 40/day;ok -limit rate over 400/week;ok +limit rate over 400/minute;ok;limit rate over 400/minute burst 5 packets +limit rate over 20/second;ok;limit rate over 20/second burst 5 packets +limit rate over 400/hour;ok;limit rate over 400/hour burst 5 packets +limit rate over 40/day;ok;limit rate over 40/day burst 5 packets +limit rate over 400/week;ok;limit rate over 400/week burst 5 packets limit rate over 1023/second burst 10 packets;ok limit rate over 1 kbytes/second;ok @@ -41,9 +45,7 @@ limit rate over 2 kbytes/second;ok limit rate over 1025 kbytes/second;ok limit rate over 1023 mbytes/second;ok limit rate over 10230 mbytes/second;ok -limit rate over 1023000 mbytes/second;ok limit rate over 1025 bytes/second burst 512 bytes;ok limit rate over 1025 kbytes/second burst 1023 kbytes;ok limit rate over 1025 mbytes/second burst 1025 kbytes;ok -limit rate over 1025000 mbytes/second burst 1023 mbytes;ok diff --git a/tests/py/any/limit.t.json b/tests/py/any/limit.t.json index 8bab7e3d..73160b27 100644 --- a/tests/py/any/limit.t.json +++ b/tests/py/any/limit.t.json @@ -114,12 +114,40 @@ } ] -# limit rate 1023000 mbytes/second +# limit rate 1 bytes / second [ { "limit": { + "burst": 0, + "burst_unit": "bytes", + "per": "second", + "rate": 1, + "rate_unit": "bytes" + } + } +] + +# limit rate 1 kbytes / second +[ + { + "limit": { + "burst": 0, + "burst_unit": "bytes", + "per": "second", + "rate": 1, + "rate_unit": "kbytes" + } + } +] + +# limit rate 1 mbytes / second +[ + { + "limit": { + "burst": 0, + "burst_unit": "bytes", "per": "second", - "rate": 1023000, + "rate": 1, "rate_unit": "mbytes" } } @@ -164,19 +192,6 @@ } ] -# limit rate 1025000 mbytes/second burst 1023 mbytes -[ - { - "limit": { - "burst": 1023, - "burst_unit": "mbytes", - "per": "second", - "rate": 1025000, - "rate_unit": "mbytes" - } - } -] - # limit rate over 400/minute [ { @@ -304,18 +319,6 @@ } ] -# limit rate over 1023000 mbytes/second -[ - { - "limit": { - "inv": true, - "per": "second", - "rate": 1023000, - "rate_unit": "mbytes" - } - } -] - # limit rate over 1025 bytes/second burst 512 bytes [ { @@ -357,18 +360,3 @@ } } ] - -# limit rate over 1025000 mbytes/second burst 1023 mbytes -[ - { - "limit": { - "burst": 1023, - "burst_unit": "mbytes", - "inv": true, - "per": "second", - "rate": 1025000, - "rate_unit": "mbytes" - } - } -] - diff --git a/tests/py/any/limit.t.json.output b/tests/py/any/limit.t.json.output index e6f26496..2c94d2de 100644 --- a/tests/py/any/limit.t.json.output +++ b/tests/py/any/limit.t.json.output @@ -57,7 +57,7 @@ [ { "limit": { - "burst": 5, + "burst": 0, "burst_unit": "bytes", "per": "second", "rate": 1, @@ -70,7 +70,7 @@ [ { "limit": { - "burst": 5, + "burst": 0, "burst_unit": "bytes", "per": "second", "rate": 2, @@ -83,7 +83,7 @@ [ { "limit": { - "burst": 5, + "burst": 0, "burst_unit": "bytes", "per": "second", "rate": 1025, @@ -96,7 +96,7 @@ [ { "limit": { - "burst": 5, + "burst": 0, "burst_unit": "bytes", "per": "second", "rate": 1023, @@ -109,7 +109,7 @@ [ { "limit": { - "burst": 5, + "burst": 0, "burst_unit": "bytes", "per": "second", "rate": 10230, @@ -118,19 +118,6 @@ } ] -# limit rate 1023000 mbytes/second -[ - { - "limit": { - "burst": 5, - "burst_unit": "bytes", - "per": "second", - "rate": 1023000, - "rate_unit": "mbytes" - } - } -] - # limit rate over 400/minute [ { @@ -195,7 +182,7 @@ [ { "limit": { - "burst": 5, + "burst": 0, "burst_unit": "bytes", "inv": true, "per": "second", @@ -209,7 +196,7 @@ [ { "limit": { - "burst": 5, + "burst": 0, "burst_unit": "bytes", "inv": true, "per": "second", @@ -223,7 +210,7 @@ [ { "limit": { - "burst": 5, + "burst": 0, "burst_unit": "bytes", "inv": true, "per": "second", @@ -237,7 +224,7 @@ [ { "limit": { - "burst": 5, + "burst": 0, "burst_unit": "bytes", "inv": true, "per": "second", @@ -251,7 +238,7 @@ [ { "limit": { - "burst": 5, + "burst": 0, "burst_unit": "bytes", "inv": true, "per": "second", @@ -260,18 +247,3 @@ } } ] - -# limit rate over 1023000 mbytes/second -[ - { - "limit": { - "burst": 5, - "burst_unit": "bytes", - "inv": true, - "per": "second", - "rate": 1023000, - "rate_unit": "mbytes" - } - } -] - diff --git a/tests/py/any/limit.t.payload b/tests/py/any/limit.t.payload index dc6cea9b..dc6701b3 100644 --- a/tests/py/any/limit.t.payload +++ b/tests/py/any/limit.t.payload @@ -24,27 +24,36 @@ ip test-ip4 output # limit rate 1 kbytes/second ip test-ip4 output - [ limit rate 1024/second burst 5 type bytes flags 0x0 ] + [ limit rate 1024/second burst 0 type bytes flags 0x0 ] # limit rate 2 kbytes/second ip test-ip4 output - [ limit rate 2048/second burst 5 type bytes flags 0x0 ] + [ limit rate 2048/second burst 0 type bytes flags 0x0 ] # limit rate 1025 kbytes/second ip test-ip4 output - [ limit rate 1049600/second burst 5 type bytes flags 0x0 ] + [ limit rate 1049600/second burst 0 type bytes flags 0x0 ] # limit rate 1023 mbytes/second ip test-ip4 output - [ limit rate 1072693248/second burst 5 type bytes flags 0x0 ] + [ limit rate 1072693248/second burst 0 type bytes flags 0x0 ] # limit rate 10230 mbytes/second ip test-ip4 output - [ limit rate 10726932480/second burst 5 type bytes flags 0x0 ] + [ limit rate 10726932480/second burst 0 type bytes flags 0x0 ] + +# limit rate 1 bytes / second +ip + [ limit rate 1/second burst 0 type bytes flags 0x0 ] + +# limit rate 1 kbytes / second +ip + [ limit rate 1024/second burst 0 type bytes flags 0x0 ] + +# limit rate 1 mbytes / second +ip + [ limit rate 1048576/second burst 0 type bytes flags 0x0 ] -# limit rate 1023000 mbytes/second -ip test-ip4 output - [ limit rate 1072693248000/second burst 5 type bytes flags 0x0 ] # limit rate 1025 bytes/second burst 512 bytes ip test-ip4 output @@ -58,10 +67,6 @@ ip test-ip4 output ip test-ip4 output [ limit rate 1074790400/second burst 1049600 type bytes flags 0x0 ] -# limit rate 1025000 mbytes/second burst 1023 mbytes -ip test-ip4 output - [ limit rate 1074790400000/second burst 1072693248 type bytes flags 0x0 ] - # limit rate over 400/minute ip test-ip4 output [ limit rate 400/minute burst 5 type packets flags 0x1 ] @@ -88,27 +93,23 @@ ip test-ip4 output # limit rate over 1 kbytes/second ip test-ip4 output - [ limit rate 1024/second burst 5 type bytes flags 0x1 ] + [ limit rate 1024/second burst 0 type bytes flags 0x1 ] # limit rate over 2 kbytes/second ip test-ip4 output - [ limit rate 2048/second burst 5 type bytes flags 0x1 ] + [ limit rate 2048/second burst 0 type bytes flags 0x1 ] # limit rate over 1025 kbytes/second ip test-ip4 output - [ limit rate 1049600/second burst 5 type bytes flags 0x1 ] + [ limit rate 1049600/second burst 0 type bytes flags 0x1 ] # limit rate over 1023 mbytes/second ip test-ip4 output - [ limit rate 1072693248/second burst 5 type bytes flags 0x1 ] + [ limit rate 1072693248/second burst 0 type bytes flags 0x1 ] # limit rate over 10230 mbytes/second ip test-ip4 output - [ limit rate 10726932480/second burst 5 type bytes flags 0x1 ] - -# limit rate over 1023000 mbytes/second -ip test-ip4 output - [ limit rate 1072693248000/second burst 5 type bytes flags 0x1 ] + [ limit rate 10726932480/second burst 0 type bytes flags 0x1 ] # limit rate over 1025 bytes/second burst 512 bytes ip test-ip4 output @@ -121,8 +122,3 @@ ip test-ip4 output # limit rate over 1025 mbytes/second burst 1025 kbytes ip test-ip4 output [ limit rate 1074790400/second burst 1049600 type bytes flags 0x1 ] - -# limit rate over 1025000 mbytes/second burst 1023 mbytes -ip test-ip4 output - [ limit rate 1074790400000/second burst 1072693248 type bytes flags 0x1 ] - diff --git a/tests/py/any/meta.t b/tests/py/any/meta.t index 7b582505..bd10c56d 100644 --- a/tests/py/any/meta.t +++ b/tests/py/any/meta.t @@ -1,12 +1,13 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input *arp;test-arp;input *bridge;test-bridge;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress meta length 1000;ok meta length 22;ok @@ -20,8 +21,8 @@ meta length != { 33, 55, 67, 88};ok meta length { 33-55, 66-88};ok meta length != { 33-55, 66-88};ok -meta protocol { ip, arp, ip6, vlan };ok;meta protocol { ip6, ip, vlan, arp} -meta protocol != {ip, arp, ip6, vlan};ok +meta protocol { ip, arp, ip6, vlan };ok;meta protocol { ip6, ip, 8021q, arp} +meta protocol != {ip, arp, ip6, 8021q};ok meta protocol ip;ok meta protocol != ip;ok @@ -55,6 +56,7 @@ meta mark and 0x03 == 0x01;ok;meta mark & 0x00000003 == 0x00000001 meta mark and 0x03 != 0x01;ok;meta mark & 0x00000003 != 0x00000001 meta mark 0x10;ok;meta mark 0x00000010 meta mark != 0x10;ok;meta mark != 0x00000010 +meta mark 0xffffff00/24;ok;meta mark & 0xffffff00 == 0xffffff00 meta mark or 0x03 == 0x01;ok;meta mark | 0x00000003 == 0x00000001 meta mark or 0x03 != 0x01;ok;meta mark | 0x00000003 != 0x00000001 @@ -115,8 +117,6 @@ meta skgid gt 3000 accept;ok;meta skgid > 3000 accept meta skgid eq 3000 accept;ok;meta skgid 3000 accept meta skgid 2001-2005 accept;ok meta skgid != 2001-2005 accept;ok -meta skgid { 2001-2005} accept;ok -meta skgid != { 2001-2005} accept;ok # BUG: meta nftrace 2 and meta nftrace 1 # $ sudo nft add rule ip test input meta nftrace 2 @@ -194,8 +194,6 @@ meta cgroup { 1048577, 1048578 };ok meta cgroup != { 1048577, 1048578};ok meta cgroup 1048577-1048578;ok meta cgroup != 1048577-1048578;ok -meta cgroup {1048577-1048578};ok -meta cgroup != { 1048577-1048578};ok meta iif . meta oif { "lo" . "lo" };ok;iif . oif { "lo" . "lo" } meta iif . meta oif . meta mark { "lo" . "lo" . 0x0000000a };ok;iif . oif . meta mark { "lo" . "lo" . 0x0000000a } @@ -210,6 +208,8 @@ meta time "2019-06-21 17:00:00" drop;ok meta time "2019-07-01 00:00:00" drop;ok meta time "2019-07-01 00:01:00" drop;ok meta time "2019-07-01 00:00:01" drop;ok +meta time < "2022-07-01 11:00:00" accept;ok +meta time > "2022-07-01 11:00:00" accept;ok meta day "Saturday" drop;ok meta day 6 drop;ok;meta day "Saturday" drop meta day "Satturday" drop;fail @@ -218,7 +218,13 @@ meta hour "17:00:00" drop;ok;meta hour "17:00" drop meta hour "17:00:01" drop;ok meta hour "00:00" drop;ok meta hour "00:01" drop;ok +time < "2022-07-01 11:00:00" accept;ok;meta time < "2022-07-01 11:00:00" accept +time > "2022-07-01 11:00:00" accept;ok;meta time > "2022-07-01 11:00:00" accept meta time "meh";fail meta hour "24:00" drop;fail meta day 7 drop;fail + +meta mark set vlan id map { 1 : 0x00000001, 4095 : 0x00004095 };ok +!map1 typeof vlan id : meta mark;ok +meta mark set vlan id map @map1;ok diff --git a/tests/py/any/meta.t.json b/tests/py/any/meta.t.json index 47dc0724..676affea 100644 --- a/tests/py/any/meta.t.json +++ b/tests/py/any/meta.t.json @@ -199,7 +199,7 @@ } ] -# meta protocol != {ip, arp, ip6, vlan} +# meta protocol != {ip, arp, ip6, 8021q} [ { "match": { @@ -212,7 +212,7 @@ "ip", "arp", "ip6", - "vlan" + "8021q" ] } } @@ -662,6 +662,26 @@ } ] +# meta mark 0xffffff00/24 +[ + { + "match": { + "left": { + "&": [ + { + "meta": { + "key": "mark" + } + }, + 4294967040 + ] + }, + "op": "==", + "right": 4294967040 + } + } +] + # meta mark or 0x03 == 0x01 [ { @@ -1476,46 +1496,6 @@ } ] -# meta skgid { 2001-2005} accept -[ - { - "match": { - "left": { - "meta": { "key": "skgid" } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 2001, 2005 ] } - ] - } - } - }, - { - "accept": null - } -] - -# meta skgid != { 2001-2005} accept -[ - { - "match": { - "left": { - "meta": { "key": "skgid" } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 2001, 2005 ] } - ] - } - } - }, - { - "accept": null - } -] - # meta mark set 0xffffffc8 xor 0x16 [ { @@ -2581,6 +2561,42 @@ } ] +# meta time < "2022-07-01 11:00:00" accept +[ + { + "match": { + "left": { + "meta": { + "key": "time" + } + }, + "op": "<", + "right": "2022-07-01 11:00:00" + } + }, + { + "accept": null + } +] + +# meta time > "2022-07-01 11:00:00" accept +[ + { + "match": { + "left": { + "meta": { + "key": "time" + } + }, + "op": ">", + "right": "2022-07-01 11:00:00" + } + }, + { + "accept": null + } +] + # meta day "Saturday" drop [ { @@ -2645,7 +2661,7 @@ } }, "op": "==", - "right": "17:00" + "right": "17:00:00" } }, { @@ -2706,3 +2722,99 @@ "drop": null } ] + +# time < "2022-07-01 11:00:00" accept +[ + { + "match": { + "left": { + "meta": { + "key": "time" + } + }, + "op": "<", + "right": "2022-07-01 11:00:00" + } + }, + { + "accept": null + } +] + +# time > "2022-07-01 11:00:00" accept +[ + { + "match": { + "left": { + "meta": { + "key": "time" + } + }, + "op": ">", + "right": "2022-07-01 11:00:00" + } + }, + { + "accept": null + } +] + +# meta mark set vlan id map { 1 : 0x00000001, 4095 : 0x00004095 } +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "map": { + "data": { + "set": [ + [ + 1, + 1 + ], + [ + 4095, + 16533 + ] + ] + }, + "key": { + "payload": { + "field": "id", + "protocol": "vlan" + } + } + } + } + } + } +] + +# meta mark set vlan id map @map1 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "map": { + "data": "@map1", + "key": { + "payload": { + "field": "id", + "protocol": "vlan" + } + } + } + } + } + } +] + diff --git a/tests/py/any/meta.t.json.output b/tests/py/any/meta.t.json.output index 74b934b8..d46935de 100644 --- a/tests/py/any/meta.t.json.output +++ b/tests/py/any/meta.t.json.output @@ -10,7 +10,7 @@ "set": [ "ip", "arp", - "vlan", + "8021q", "ip6" ] } @@ -18,7 +18,7 @@ } ] -# meta protocol != {ip, arp, ip6, vlan} +# meta protocol != {ip, arp, ip6, 8021q} [ { "match": { @@ -30,7 +30,7 @@ "set": [ "ip", "arp", - "vlan", + "8021q", "ip6" ] } @@ -592,24 +592,6 @@ } ] -# meta time "1970-05-23 21:07:14" drop -[ - { - "match": { - "left": { - "meta": { - "key": "time" - } - }, - "op": "==", - "right": "1970-05-23 21:07:14" - } - }, - { - "drop": null - } -] - # meta time 12341234 drop [ { @@ -628,96 +610,6 @@ } ] -# meta time "2019-06-21 17:00:00" drop -[ - { - "match": { - "left": { - "meta": { - "key": "time" - } - }, - "op": "==", - "right": "2019-06-21 17:00:00" - } - }, - { - "drop": null - } -] - -# meta time "2019-07-01 00:00:00" drop -[ - { - "match": { - "left": { - "meta": { - "key": "time" - } - }, - "op": "==", - "right": "2019-07-01 00:00:00" - } - }, - { - "drop": null - } -] - -# meta time "2019-07-01 00:01:00" drop -[ - { - "match": { - "left": { - "meta": { - "key": "time" - } - }, - "op": "==", - "right": "2019-07-01 00:01:00" - } - }, - { - "drop": null - } -] - -# meta time "2019-07-01 00:00:01" drop -[ - { - "match": { - "left": { - "meta": { - "key": "time" - } - }, - "op": "==", - "right": "2019-07-01 00:00:01" - } - }, - { - "drop": null - } -] - -# meta day "Saturday" drop -[ - { - "match": { - "left": { - "meta": { - "key": "day" - } - }, - "op": "==", - "right": "Saturday" - } - }, - { - "drop": null - } -] - # meta day 6 drop [ { @@ -736,24 +628,6 @@ } ] -# meta hour "17:00" drop -[ - { - "match": { - "left": { - "meta": { - "key": "hour" - } - }, - "op": "==", - "right": "17:00" - } - }, - { - "drop": null - } -] - # meta hour "17:00:00" drop [ { @@ -772,57 +646,3 @@ } ] -# meta hour "17:00:01" drop -[ - { - "match": { - "left": { - "meta": { - "key": "hour" - } - }, - "op": "==", - "right": "17:00:01" - } - }, - { - "drop": null - } -] - -# meta hour "00:00" drop -[ - { - "match": { - "left": { - "meta": { - "key": "hour" - } - }, - "op": "==", - "right": "00:00" - } - }, - { - "drop": null - } -] - -# meta hour "00:01" drop -[ - { - "match": { - "left": { - "meta": { - "key": "hour" - } - }, - "op": "==", - "right": "00:01" - } - }, - { - "drop": null - } -] - diff --git a/tests/py/any/meta.t.payload b/tests/py/any/meta.t.payload index c3664525..49dd729b 100644 --- a/tests/py/any/meta.t.payload +++ b/tests/py/any/meta.t.payload @@ -68,7 +68,7 @@ ip test-ip4 input [ meta load protocol => reg 1 ] [ lookup reg 1 set __set%d ] -# meta protocol != {ip, arp, ip6, vlan} +# meta protocol != {ip, arp, ip6, 8021q} __set%d test-ip4 3 __set%d test-ip4 0 element 00000008 : 0 [end] element 00000608 : 0 [end] element 0000dd86 : 0 [end] element 00000081 : 0 [end] @@ -155,6 +155,12 @@ ip test-ip4 input [ meta load mark => reg 1 ] [ cmp neq reg 1 0x00000010 ] +# meta mark 0xffffff00/24 +ip test-ip4 input + [ meta load mark => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0xffffff00 ) ^ 0x00000000 ] + [ cmp eq reg 1 0xffffff00 ] + # meta mark or 0x03 == 0x01 ip test-ip4 input [ meta load mark => reg 1 ] @@ -728,7 +734,7 @@ ip test-ip4 output # meta iif . meta oif vmap { "lo" . "lo" : drop } __map%d test-ip4 b __map%d test-ip4 0 - element 00000001 00000001 : 0 [end] + element 00000001 00000001 : drop 0 [end] ip test-ip4 output [ meta load iif => reg 1 ] [ meta load oif => reg 9 ] @@ -961,44 +967,6 @@ ip test-ip4 input [ meta load oifgroup => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# meta skgid { 2001-2005} accept -__set%d test-ip4 7 size 3 -__set%d test-ip4 0 - element 00000000 : 1 [end] element d1070000 : 0 [end] element d6070000 : 1 [end] -ip test-ip4 input - [ meta load skgid => reg 1 ] - [ byteorder reg 1 = hton(reg 1, 4, 4) ] - [ lookup reg 1 set __set%d ] - [ immediate reg 0 accept ] - -# meta skgid != { 2001-2005} accept -__set%d test-ip4 7 size 3 -__set%d test-ip4 0 - element 00000000 : 1 [end] element d1070000 : 0 [end] element d6070000 : 1 [end] -ip test-ip4 input - [ meta load skgid => reg 1 ] - [ byteorder reg 1 = hton(reg 1, 4, 4) ] - [ lookup reg 1 set __set%d 0x1 ] - [ immediate reg 0 accept ] - -# meta cgroup {1048577-1048578} -__set%d test-ip4 7 size 3 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 01001000 : 0 [end] element 03001000 : 1 [end] -ip test-ip4 input - [ meta load cgroup => reg 1 ] - [ byteorder reg 1 = hton(reg 1, 4, 4) ] - [ lookup reg 1 set __set%d ] - -# meta cgroup != { 1048577-1048578} -__set%d test-ip4 7 size 3 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 01001000 : 0 [end] element 03001000 : 1 [end] -ip test-ip4 input - [ meta load cgroup => reg 1 ] - [ byteorder reg 1 = hton(reg 1, 4, 4) ] - [ lookup reg 1 set __set%d 0x1 ] - # meta time "1970-05-23 21:07:14" drop ip meta-test input [ meta load time => reg 1 ] @@ -1035,6 +1003,20 @@ ip meta-test input [ cmp eq reg 1 0x22eb8a00 0x15ad18e1 ] [ immediate reg 0 drop ] +# meta time < "2022-07-01 11:00:00" accept +ip test-ip4 input + [ meta load time => reg 1 ] + [ byteorder reg 1 = hton(reg 1, 8, 8) ] + [ cmp lt reg 1 0xf3a8fd16 0x00a07719 ] + [ immediate reg 0 accept ] + +# meta time > "2022-07-01 11:00:00" accept +ip test-ip4 input + [ meta load time => reg 1 ] + [ byteorder reg 1 = hton(reg 1, 8, 8) ] + [ cmp gt reg 1 0xf3a8fd16 0x00a07719 ] + [ immediate reg 0 accept ] + # meta day "Saturday" drop ip test-ip4 input [ meta load day => reg 1 ] @@ -1076,3 +1058,42 @@ ip meta-test input [ meta load hour => reg 1 ] [ cmp eq reg 1 0x0001359c ] [ immediate reg 0 drop ] + +# time < "2022-07-01 11:00:00" accept +ip test-ip4 input + [ meta load time => reg 1 ] + [ byteorder reg 1 = hton(reg 1, 8, 8) ] + [ cmp lt reg 1 0xf3a8fd16 0x00a07719 ] + [ immediate reg 0 accept ] + +# time > "2022-07-01 11:00:00" accept +ip test-ip4 input + [ meta load time => reg 1 ] + [ byteorder reg 1 = hton(reg 1, 8, 8) ] + [ cmp gt reg 1 0xf3a8fd16 0x00a07719 ] + [ immediate reg 0 accept ] + +# meta mark set vlan id map { 1 : 0x00000001, 4095 : 0x00004095 } +__map%d test-ip4 b size 2 +__map%d test-ip4 0 + element 00000100 : 00000001 0 [end] element 0000ff0f : 00004095 0 [end] +ip test-ip4 input + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ meta set mark with reg 1 ] + +# meta mark set vlan id map @map1 +ip test-ip4 input + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ lookup reg 1 set map1 dreg 1 ] + [ meta set mark with reg 1 ] diff --git a/tests/py/any/meta.t.payload.bridge b/tests/py/any/meta.t.payload.bridge new file mode 100644 index 00000000..5997ccc7 --- /dev/null +++ b/tests/py/any/meta.t.payload.bridge @@ -0,0 +1,20 @@ +# meta mark set vlan id map { 1 : 0x00000001, 4095 : 0x00004095 } +__map%d test-bridge b size 2 +__map%d test-bridge 0 + element 00000100 : 00000001 0 [end] element 0000ff0f : 00004095 0 [end] +bridge test-bridge input + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ meta set mark with reg 1 ] + +# meta mark set vlan id map @map1 +bridge test-bridge input + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ lookup reg 1 set map1 dreg 1 ] + [ meta set mark with reg 1 ] diff --git a/tests/py/any/objects.t b/tests/py/any/objects.t index 89a9545f..7b51f918 100644 --- a/tests/py/any/objects.t +++ b/tests/py/any/objects.t @@ -1,12 +1,13 @@ :output;type filter hook output priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;output *ip6;test-ip6;output *inet;test-inet;output *arp;test-arp;output *bridge;test-bridge;output -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress %cnt1 type counter;ok %qt1 type quota 25 mbytes;ok diff --git a/tests/py/any/queue.t b/tests/py/any/queue.t index 75c071dd..2e511362 100644 --- a/tests/py/any/queue.t +++ b/tests/py/any/queue.t @@ -3,16 +3,31 @@ *ip;test-ip4;output *ip6;test-ip6;output *inet;test-inet;output -*arp;test-arp;output *bridge;test-bridge;output -queue;ok;queue num 0 -queue num 2;ok -queue num 65535;ok +queue;ok;queue to 0 +queue num 2;ok;queue to 2 +queue num 65535;ok;queue to 65535 queue num 65536;fail -queue num 2-3;ok -queue num 1-65535;ok -- queue num {3, 4, 6};ok -queue num 4-5 fanout bypass;ok;queue num 4-5 bypass,fanout -queue num 4-5 fanout;ok -queue num 4-5 bypass;ok +queue num 2-3;ok;queue to 2-3 +queue num 1-65535;ok;queue to 1-65535 +queue num 4-5 fanout bypass;ok;queue flags bypass,fanout to 4-5 +queue num 4-5 fanout;ok;queue flags fanout to 4-5 +queue num 4-5 bypass;ok;queue flags bypass to 4-5 + +queue to symhash mod 2 offset 65536;fail +queue num symhash mod 65536;fail +queue to symhash mod 65536;ok +queue flags fanout to symhash mod 65536;fail +queue flags bypass,fanout to symhash mod 65536;fail +queue flags bypass to numgen inc mod 65536;ok +queue to jhash oif . meta mark mod 32;ok +queue to 2;ok +queue to 65535;ok +queue flags bypass to 65535;ok +queue flags bypass to 1-65535;ok +queue flags bypass,fanout to 1-65535;ok +queue to 1-65535;ok +queue to oif;fail +queue num oif;fail +queue flags bypass to oifname map { "eth0" : 0, "ppp0" : 2, "eth1" : 2 };ok diff --git a/tests/py/any/queue.t.json b/tests/py/any/queue.t.json index 48e86727..5f7f9014 100644 --- a/tests/py/any/queue.t.json +++ b/tests/py/any/queue.t.json @@ -84,3 +84,168 @@ } ] +# queue to symhash mod 65536 +[ + { + "queue": { + "num": { + "symhash": { + "mod": 65536 + } + } + } + } +] + +# queue flags bypass to numgen inc mod 65536 +[ + { + "queue": { + "flags": "bypass", + "num": { + "numgen": { + "mod": 65536, + "mode": "inc", + "offset": 0 + } + } + } + } +] + +# queue to jhash oif . meta mark mod 32 +[ + { + "queue": { + "num": { + "jhash": { + "expr": { + "concat": [ + { + "meta": { + "key": "oif" + } + }, + { + "meta": { + "key": "mark" + } + } + ] + }, + "mod": 32 + } + } + } + } +] + +# queue flags bypass to oifname map { "eth0" : 0, "ppp0" : 2, "eth1" : 2 } +[ + { + "queue": { + "flags": "bypass", + "num": { + "map": { + "data": { + "set": [ + [ + "eth0", + 0 + ], + [ + "ppp0", + 2 + ], + [ + "eth1", + 2 + ] + ] + }, + "key": { + "meta": { + "key": "oifname" + } + } + } + } + } + } +] + +# queue to 2 +[ + { + "queue": { + "num": 2 + } + } +] + +# queue to 65535 +[ + { + "queue": { + "num": 65535 + } + } +] + +# queue flags bypass to 65535 +[ + { + "queue": { + "flags": "bypass", + "num": 65535 + } + } +] + +# queue flags bypass to 1-65535 +[ + { + "queue": { + "flags": "bypass", + "num": { + "range": [ + 1, + 65535 + ] + } + } + } +] + +# queue flags bypass,fanout to 1-65535 +[ + { + "queue": { + "flags": [ + "bypass", + "fanout" + ], + "num": { + "range": [ + 1, + 65535 + ] + } + } + } +] + +# queue to 1-65535 +[ + { + "queue": { + "num": { + "range": [ + 1, + 65535 + ] + } + } + } +] + diff --git a/tests/py/any/queue.t.payload b/tests/py/any/queue.t.payload index 78d939c6..2f221930 100644 --- a/tests/py/any/queue.t.payload +++ b/tests/py/any/queue.t.payload @@ -30,3 +30,52 @@ ip test-ip4 output ip test-ip4 output [ queue num 4-5 bypass ] +# queue to symhash mod 65536 +ip + [ hash reg 1 = symhash() % mod 65536 ] + [ queue sreg_qnum 1 ] + +# queue to jhash oif . meta mark mod 32 +ip + [ meta load oif => reg 2 ] + [ meta load mark => reg 13 ] + [ hash reg 1 = jhash(reg 2, 8, 0x0) % mod 32 ] + [ queue sreg_qnum 1 ] + +# queue flags bypass to numgen inc mod 65536 +ip + [ numgen reg 1 = inc mod 65536 ] + [ queue sreg_qnum 1 bypass ] + +# queue flags bypass to oifname map { "eth0" : 0, "ppp0" : 2, "eth1" : 2 } +__map%d test-ip4 b size 3 +__map%d test-ip4 0 + element 30687465 00000000 00000000 00000000 : 00000000 0 [end] element 30707070 00000000 00000000 00000000 : 00000002 0 [end] element 31687465 00000000 00000000 00000000 : 00000002 0 [end] +ip + [ meta load oifname => reg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ queue sreg_qnum 1 bypass ] + +# queue to 2 +ip + [ queue num 2 ] + +# queue to 65535 +ip + [ queue num 65535 ] + +# queue flags bypass to 65535 +ip + [ queue num 65535 bypass ] + +# queue flags bypass to 1-65535 +ip + [ queue num 1-65535 bypass ] + +# queue flags bypass,fanout to 1-65535 +ip + [ queue num 1-65535 bypass fanout ] + +# queue to 1-65535 +ip + [ queue num 1-65535 ] diff --git a/tests/py/any/quota.t b/tests/py/any/quota.t index 9a8db114..79dd7654 100644 --- a/tests/py/any/quota.t +++ b/tests/py/any/quota.t @@ -1,12 +1,13 @@ :output;type filter hook output priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;output *ip6;test-ip6;output *inet;test-inet;output *arp;test-arp;output *bridge;test-bridge;output -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress quota 1025 bytes;ok quota 1 kbytes;ok diff --git a/tests/py/any/rawpayload.t b/tests/py/any/rawpayload.t index c3382a96..5bc9d35f 100644 --- a/tests/py/any/rawpayload.t +++ b/tests/py/any/rawpayload.t @@ -1,19 +1,24 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress meta l4proto { tcp, udp, sctp} @th,16,16 { 22, 23, 80 };ok;meta l4proto { 6, 17, 132} th dport { 22, 23, 80} meta l4proto tcp @th,16,16 { 22, 23, 80};ok;tcp dport { 22, 23, 80} -@nh,8,8 255;ok -@nh,8,16 0;ok +@nh,8,8 0xff;ok +@nh,8,16 0x0;ok # out of range (0-1) @th,16,1 2;fail @ll,0,0 2;fail @ll,0,1;fail -@ll,0,1 1;ok;@ll,0,8 & 128 == 128 -@ll,0,8 and 0x80 eq 0x80;ok;@ll,0,8 & 128 == 128 -@ll,0,128 0xfedcba987654321001234567890abcde;ok;@ll,0,128 338770000845734292516042252062074518750 +@ll,0,1 1;ok;@ll,0,8 & 0x80 == 0x80 +@ll,0,8 & 0x80 == 0x80;ok +@ll,0,128 0xfedcba987654321001234567890abcde;ok + +meta l4proto 91 @th,400,16 0x0 accept;ok + +@ih,32,32 0x14000000;ok diff --git a/tests/py/any/rawpayload.t.json b/tests/py/any/rawpayload.t.json index 22028ad8..4cae4d49 100644 --- a/tests/py/any/rawpayload.t.json +++ b/tests/py/any/rawpayload.t.json @@ -66,7 +66,7 @@ } ] -# @nh,8,8 255 +# @nh,8,8 0xff [ { "match": { @@ -78,12 +78,12 @@ } }, "op": "==", - "right": 255 + "right": "0xff" } } ] -# @nh,8,16 0 +# @nh,8,16 0x0 [ { "match": { @@ -117,7 +117,7 @@ } ] -# @ll,0,8 and 0x80 eq 0x80 +# @ll,0,8 & 0x80 == 0x80 [ { "match": { @@ -156,3 +156,51 @@ } ] +# meta l4proto 91 @th,400,16 0x0 accept +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 91 + } + }, + { + "match": { + "left": { + "payload": { + "base": "th", + "len": 16, + "offset": 400 + } + }, + "op": "==", + "right": 0 + } + }, + { + "accept": null + } +] + +# @ih,32,32 0x14000000 +[ + { + "match": { + "left": { + "payload": { + "base": "ih", + "len": 32, + "offset": 32 + } + }, + "op": "==", + "right": 335544320 + } + } +] + diff --git a/tests/py/any/rawpayload.t.json.output b/tests/py/any/rawpayload.t.json.output index ccadbc57..291b237a 100644 --- a/tests/py/any/rawpayload.t.json.output +++ b/tests/py/any/rawpayload.t.json.output @@ -79,7 +79,7 @@ } ] -# @ll,0,8 and 0x80 eq 0x80 +# @ll,0,8 & 0x80 == 0x80 [ { "match": { @@ -101,3 +101,19 @@ } ] +# @nh,8,8 0xff +[ + { + "match": { + "left": { + "payload": { + "base": "nh", + "len": 8, + "offset": 8 + } + }, + "op": "==", + "right": 255 + } + } +] diff --git a/tests/py/any/rawpayload.t.payload b/tests/py/any/rawpayload.t.payload index b3ca919f..fe2377e6 100644 --- a/tests/py/any/rawpayload.t.payload +++ b/tests/py/any/rawpayload.t.payload @@ -21,12 +21,12 @@ inet test-inet input [ payload load 2b @ transport header + 2 => reg 1 ] [ lookup reg 1 set __set%d ] -# @nh,8,8 255 +# @nh,8,8 0xff inet test-inet input [ payload load 1b @ network header + 1 => reg 1 ] [ cmp eq reg 1 0x000000ff ] -# @nh,8,16 0 +# @nh,8,16 0x0 inet test-inet input [ payload load 2b @ network header + 1 => reg 1 ] [ cmp eq reg 1 0x00000000 ] @@ -37,7 +37,7 @@ inet test-inet input [ bitwise reg 1 = ( reg 1 & 0x00000080 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000080 ] -# @ll,0,8 and 0x80 eq 0x80 +# @ll,0,8 & 0x80 == 0x80 inet test-inet input [ payload load 1b @ link header + 0 => reg 1 ] [ bitwise reg 1 = ( reg 1 & 0x00000080 ) ^ 0x00000000 ] @@ -47,3 +47,17 @@ inet test-inet input inet test-inet input [ payload load 16b @ link header + 0 => reg 1 ] [ cmp eq reg 1 0x98badcfe 0x10325476 0x67452301 0xdebc0a89 ] + +# meta l4proto 91 @th,400,16 0x0 accept +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000005b ] + [ payload load 2b @ transport header + 50 => reg 1 ] + [ cmp eq reg 1 0x00000000 ] + [ immediate reg 0 accept ] + +# @ih,32,32 0x14000000 +inet test-inet input + [ payload load 4b @ inner header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000014 ] + diff --git a/tests/py/any/tcpopt.t b/tests/py/any/tcpopt.t index f17a20b5..177f01c4 100644 --- a/tests/py/any/tcpopt.t +++ b/tests/py/any/tcpopt.t @@ -4,17 +4,16 @@ *ip6;test-ip6;input *inet;test-inet;input -tcp option eol kind 1;ok -tcp option nop kind 1;ok -tcp option maxseg kind 1;ok +tcp option eol exists;ok +tcp option nop exists;ok +tcp option maxseg exists;ok tcp option maxseg length 1;ok tcp option maxseg size 1;ok -tcp option window kind 1;ok tcp option window length 1;ok tcp option window count 1;ok -tcp option sack-perm kind 1;ok +tcp option sack-perm exists;ok tcp option sack-perm length 1;ok -tcp option sack kind 1;ok +tcp option sack exists;ok tcp option sack length 1;ok tcp option sack left 1;ok tcp option sack0 left 1;ok;tcp option sack left 1 @@ -26,11 +25,12 @@ tcp option sack0 right 1;ok;tcp option sack right 1 tcp option sack1 right 1;ok tcp option sack2 right 1;ok tcp option sack3 right 1;ok -tcp option timestamp kind 1;ok +tcp option timestamp exists;ok tcp option timestamp length 1;ok tcp option timestamp tsval 1;ok tcp option timestamp tsecr 1;ok tcp option 255 missing;ok +tcp option 6 exists;ok tcp option @255,8,8 255;ok tcp option foobar;fail @@ -46,3 +46,17 @@ tcp option window exists;ok tcp option window missing;ok tcp option maxseg size set 1360;ok + +tcp option md5sig exists;ok +tcp option fastopen exists;ok +tcp option mptcp exists;ok + +tcp option mptcp subtype 0;ok +tcp option mptcp subtype 1;ok +tcp option mptcp subtype { 0, 2};ok + +reset tcp option mptcp;ok +reset tcp option 2;ok;reset tcp option maxseg +reset tcp option 123;ok +reset tcp option meh;fail +reset tcp option 256;fail diff --git a/tests/py/any/tcpopt.t.json b/tests/py/any/tcpopt.t.json index 139e97d8..87074b9d 100644 --- a/tests/py/any/tcpopt.t.json +++ b/tests/py/any/tcpopt.t.json @@ -1,47 +1,44 @@ -# tcp option eol kind 1 +# tcp option eol exists [ { "match": { "left": { "tcp option": { - "field": "kind", "name": "eol" } }, "op": "==", - "right": 1 + "right": true } } ] -# tcp option nop kind 1 +# tcp option nop exists [ { "match": { "left": { "tcp option": { - "field": "kind", "name": "nop" } }, "op": "==", - "right": 1 + "right": true } } ] -# tcp option maxseg kind 1 +# tcp option maxseg exists [ { "match": { "left": { "tcp option": { - "field": "kind", "name": "maxseg" } }, "op": "==", - "right": 1 + "right": true } } ] @@ -78,22 +75,6 @@ } ] -# tcp option window kind 1 -[ - { - "match": { - "left": { - "tcp option": { - "field": "kind", - "name": "window" - } - }, - "op": "==", - "right": 1 - } - } -] - # tcp option window length 1 [ { @@ -126,18 +107,17 @@ } ] -# tcp option sack-perm kind 1 +# tcp option sack-perm exists [ { "match": { "left": { "tcp option": { - "field": "kind", "name": "sack-perm" } }, "op": "==", - "right": 1 + "right": true } } ] @@ -158,18 +138,17 @@ } ] -# tcp option sack kind 1 +# tcp option sack exists [ { "match": { "left": { "tcp option": { - "field": "kind", "name": "sack" } }, "op": "==", - "right": 1 + "right": true } } ] @@ -350,18 +329,17 @@ } ] -# tcp option timestamp kind 1 +# tcp option timestamp exists [ { "match": { "left": { "tcp option": { - "field": "kind", "name": "timestamp" } }, "op": "==", - "right": 1 + "right": true } } ] @@ -431,6 +409,23 @@ } ] +# tcp option 6 exists +[ + { + "match": { + "left": { + "tcp option": { + "base": 6, + "len": 8, + "offset": 0 + } + }, + "op": "==", + "right": true + } + } +] + # tcp option @255,8,8 255 [ { @@ -493,3 +488,135 @@ } ] +# tcp option md5sig exists +[ + { + "match": { + "left": { + "tcp option": { + "name": "md5sig" + } + }, + "op": "==", + "right": true + } + } +] + +# tcp option fastopen exists +[ + { + "match": { + "left": { + "tcp option": { + "name": "fastopen" + } + }, + "op": "==", + "right": true + } + } +] + +# tcp option mptcp exists +[ + { + "match": { + "left": { + "tcp option": { + "name": "mptcp" + } + }, + "op": "==", + "right": true + } + } +] + +# tcp option mptcp subtype 0 +[ + { + "match": { + "left": { + "tcp option": { + "field": "subtype", + "name": "mptcp" + } + }, + "op": "==", + "right": 0 + } + } +] + +# tcp option mptcp subtype 1 +[ + { + "match": { + "left": { + "tcp option": { + "field": "subtype", + "name": "mptcp" + } + }, + "op": "==", + "right": 1 + } + } +] + +# tcp option mptcp subtype { 0, 2} +[ + { + "match": { + "left": { + "tcp option": { + "field": "subtype", + "name": "mptcp" + } + }, + "op": "==", + "right": { + "set": [ + 0, + 2 + ] + } + } + } +] + +# reset tcp option mptcp +[ + { + "reset": { + "tcp option": { + "name": "mptcp" + } + } + } +] + +# reset tcp option 2 +[ + { + "reset": { + "tcp option": { + "name": "maxseg" + } + } + } +] + +# reset tcp option 123 +[ + { + "reset": { + "tcp option": { + "base": 123, + "len": 0, + "offset": 0 + } + } + } +] diff --git a/tests/py/any/tcpopt.t.payload b/tests/py/any/tcpopt.t.payload index 1005df32..99b8985f 100644 --- a/tests/py/any/tcpopt.t.payload +++ b/tests/py/any/tcpopt.t.payload @@ -1,16 +1,16 @@ -# tcp option eol kind 1 +# tcp option eol exists inet - [ exthdr load tcpopt 1b @ 0 + 0 => reg 1 ] + [ exthdr load tcpopt 1b @ 0 + 0 present => reg 1 ] [ cmp eq reg 1 0x00000001 ] -# tcp option nop kind 1 +# tcp option nop exists inet - [ exthdr load tcpopt 1b @ 1 + 0 => reg 1 ] + [ exthdr load tcpopt 1b @ 1 + 0 present => reg 1 ] [ cmp eq reg 1 0x00000001 ] -# tcp option maxseg kind 1 +# tcp option maxseg exists inet - [ exthdr load tcpopt 1b @ 2 + 0 => reg 1 ] + [ exthdr load tcpopt 1b @ 2 + 0 present => reg 1 ] [ cmp eq reg 1 0x00000001 ] # tcp option maxseg length 1 @@ -23,11 +23,6 @@ inet [ exthdr load tcpopt 2b @ 2 + 2 => reg 1 ] [ cmp eq reg 1 0x00000100 ] -# tcp option window kind 1 -inet - [ exthdr load tcpopt 1b @ 3 + 0 => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - # tcp option window length 1 inet [ exthdr load tcpopt 1b @ 3 + 1 => reg 1 ] @@ -38,9 +33,9 @@ inet [ exthdr load tcpopt 1b @ 3 + 2 => reg 1 ] [ cmp eq reg 1 0x00000001 ] -# tcp option sack-perm kind 1 +# tcp option sack-perm exists inet - [ exthdr load tcpopt 1b @ 4 + 0 => reg 1 ] + [ exthdr load tcpopt 1b @ 4 + 0 present => reg 1 ] [ cmp eq reg 1 0x00000001 ] # tcp option sack-perm length 1 @@ -48,9 +43,9 @@ inet [ exthdr load tcpopt 1b @ 4 + 1 => reg 1 ] [ cmp eq reg 1 0x00000001 ] -# tcp option sack kind 1 +# tcp option sack exists inet - [ exthdr load tcpopt 1b @ 5 + 0 => reg 1 ] + [ exthdr load tcpopt 1b @ 5 + 0 present => reg 1 ] [ cmp eq reg 1 0x00000001 ] # tcp option sack length 1 @@ -108,9 +103,9 @@ inet [ exthdr load tcpopt 4b @ 5 + 30 => reg 1 ] [ cmp eq reg 1 0x01000000 ] -# tcp option timestamp kind 1 +# tcp option timestamp exists inet - [ exthdr load tcpopt 1b @ 8 + 0 => reg 1 ] + [ exthdr load tcpopt 1b @ 8 + 0 present => reg 1 ] [ cmp eq reg 1 0x00000001 ] # tcp option timestamp length 1 @@ -133,6 +128,11 @@ inet [ exthdr load tcpopt 1b @ 255 + 0 present => reg 1 ] [ cmp eq reg 1 0x00000000 ] +# tcp option 6 exists +inet + [ exthdr load tcpopt 1b @ 6 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + # tcp option @255,8,8 255 inet [ exthdr load tcpopt 1b @ 255 + 1 => reg 1 ] @@ -153,3 +153,50 @@ inet [ immediate reg 1 0x00005005 ] [ exthdr write tcpopt reg 1 => 2b @ 2 + 2 ] +# tcp option md5sig exists +inet + [ exthdr load tcpopt 1b @ 19 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# tcp option fastopen exists +inet + [ exthdr load tcpopt 1b @ 34 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# tcp option mptcp exists +inet + [ exthdr load tcpopt 1b @ 30 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# tcp option mptcp subtype 0 +inet + [ exthdr load tcpopt 1b @ 30 + 2 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000000 ] + +# tcp option mptcp subtype 1 +inet + [ exthdr load tcpopt 1b @ 30 + 2 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000010 ] + +# tcp option mptcp subtype { 0, 2} +__set%d test-inet 3 size 2 +__set%d test-inet 0 + element 00000000 : 0 [end] element 00000020 : 0 [end] +inet + [ exthdr load tcpopt 1b @ 30 + 2 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000000 ] + [ lookup reg 1 set __set%d ] + +# reset tcp option mptcp +ip test-ip4 input + [ exthdr reset tcpopt 30 ] + +# reset tcp option 2 +ip test-ip4 input + [ exthdr reset tcpopt 2 ] + +# reset tcp option 123 +ip test-ip4 input + [ exthdr reset tcpopt 123 ] diff --git a/tests/py/arp/arp.t b/tests/py/arp/arp.t index 2eee7838..222b91cf 100644 --- a/tests/py/arp/arp.t +++ b/tests/py/arp/arp.t @@ -1,9 +1,10 @@ # filter chains available are: input, output, forward :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *arp;test-arp;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress arp htype 1;ok arp htype != 1;ok @@ -13,8 +14,6 @@ arp htype 33-45;ok arp htype != 33-45;ok arp htype { 33, 55, 67, 88};ok arp htype != { 33, 55, 67, 88};ok -arp htype { 33-55};ok -arp htype != { 33-55};ok arp ptype 0x0800;ok;arp ptype ip @@ -24,8 +23,6 @@ arp hlen 33-45;ok arp hlen != 33-45;ok arp hlen { 33, 55, 67, 88};ok arp hlen != { 33, 55, 67, 88};ok -arp hlen { 33-55};ok -arp hlen != { 33-55};ok arp plen 22;ok arp plen != 233;ok @@ -33,8 +30,6 @@ arp plen 33-45;ok arp plen != 33-45;ok arp plen { 33, 55, 67, 88};ok arp plen != { 33, 55, 67, 88};ok -arp plen { 33-55};ok -arp plen != {33-55};ok arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request};ok arp operation != {nak, inreply, inrequest, rreply, rrequest, reply, request};ok diff --git a/tests/py/arp/arp.t.json b/tests/py/arp/arp.t.json index 73224f7e..7ce76095 100644 --- a/tests/py/arp/arp.t.json +++ b/tests/py/arp/arp.t.json @@ -144,46 +144,6 @@ } ] -# arp htype { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "htype", - "protocol": "arp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# arp htype != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "htype", - "protocol": "arp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # arp ptype 0x0800 [ { @@ -314,46 +274,6 @@ } ] -# arp hlen { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "hlen", - "protocol": "arp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# arp hlen != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "hlen", - "protocol": "arp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # arp plen 22 [ { @@ -468,46 +388,6 @@ } ] -# arp plen { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "plen", - "protocol": "arp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# arp plen != {33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "plen", - "protocol": "arp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request} [ { diff --git a/tests/py/arp/arp.t.payload b/tests/py/arp/arp.t.payload index a95c834e..d56927b5 100644 --- a/tests/py/arp/arp.t.payload +++ b/tests/py/arp/arp.t.payload @@ -45,22 +45,6 @@ arp test-arp input [ payload load 2b @ network header + 0 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# arp htype { 33-55} -__set%d test-arp 7 -__set%d test-arp 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -arp test-arp input - [ payload load 2b @ network header + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# arp htype != { 33-55} -__set%d test-arp 7 -__set%d test-arp 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -arp test-arp input - [ payload load 2b @ network header + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # arp ptype 0x0800 arp test-arp input [ payload load 2b @ network header + 2 => reg 1 ] @@ -103,22 +87,6 @@ arp test-arp input [ payload load 1b @ network header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# arp hlen { 33-55} -__set%d test-arp 7 -__set%d test-arp 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -arp test-arp input - [ payload load 1b @ network header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# arp hlen != { 33-55} -__set%d test-arp 7 -__set%d test-arp 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -arp test-arp input - [ payload load 1b @ network header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # arp plen 22 arp test-arp input [ payload load 1b @ network header + 5 => reg 1 ] @@ -156,22 +124,6 @@ arp test-arp input [ payload load 1b @ network header + 5 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# arp plen { 33-55} -__set%d test-arp 7 -__set%d test-arp 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -arp test-arp input - [ payload load 1b @ network header + 5 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# arp plen != {33-55} -__set%d test-arp 7 -__set%d test-arp 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -arp test-arp input - [ payload load 1b @ network header + 5 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request} __set%d test-arp 3 __set%d test-arp 0 diff --git a/tests/py/arp/arp.t.payload.netdev b/tests/py/arp/arp.t.payload.netdev index ac985a9a..92df2400 100644 --- a/tests/py/arp/arp.t.payload.netdev +++ b/tests/py/arp/arp.t.payload.netdev @@ -61,26 +61,6 @@ netdev test-netdev ingress [ payload load 2b @ network header + 0 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# arp htype { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000608 ] - [ payload load 2b @ network header + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# arp htype != { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000608 ] - [ payload load 2b @ network header + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # arp ptype 0x0800 netdev test-netdev ingress [ meta load protocol => reg 1 ] @@ -137,26 +117,6 @@ netdev test-netdev ingress [ payload load 1b @ network header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# arp hlen { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000608 ] - [ payload load 1b @ network header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# arp hlen != { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000608 ] - [ payload load 1b @ network header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # arp plen 22 netdev test-netdev ingress [ meta load protocol => reg 1 ] @@ -206,26 +166,6 @@ netdev test-netdev ingress [ payload load 1b @ network header + 5 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# arp plen { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000608 ] - [ payload load 1b @ network header + 5 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# arp plen != {33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000608 ] - [ payload load 1b @ network header + 5 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request} __set%d test-netdev 3 __set%d test-netdev 0 diff --git a/tests/py/bridge/meta.t b/tests/py/bridge/meta.t index 94525f29..171aa610 100644 --- a/tests/py/bridge/meta.t +++ b/tests/py/bridge/meta.t @@ -4,5 +4,10 @@ meta obrname "br0";ok meta ibrname "br0";ok -meta ibrvproto vlan;ok +meta ibrvproto vlan;ok;meta ibrvproto 8021q meta ibrpvid 100;ok + +meta protocol ip udp dport 67;ok +meta protocol ip6 udp dport 67;ok + +meta broute set 1;fail diff --git a/tests/py/bridge/meta.t.json b/tests/py/bridge/meta.t.json index a7a180c2..d7dc9d7b 100644 --- a/tests/py/bridge/meta.t.json +++ b/tests/py/bridge/meta.t.json @@ -32,7 +32,7 @@ "meta": { "key": "ibrvproto" } }, "op": "==", - "right": "vlan" + "right": "8021q" } } ] @@ -49,3 +49,57 @@ } } ] + +# meta protocol ip udp dport 67 +[ + { + "match": { + "left": { + "meta": { + "key": "protocol" + } + }, + "op": "==", + "right": "ip" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 67 + } + } +] + +# meta protocol ip6 udp dport 67 +[ + { + "match": { + "left": { + "meta": { + "key": "protocol" + } + }, + "op": "==", + "right": "ip6" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 67 + } + } +] diff --git a/tests/py/bridge/meta.t.payload b/tests/py/bridge/meta.t.payload index aa8c994b..0a39842a 100644 --- a/tests/py/bridge/meta.t.payload +++ b/tests/py/bridge/meta.t.payload @@ -17,3 +17,21 @@ bridge test-bridge input bridge test-bridge input [ meta load bri_iifpvid => reg 1 ] [ cmp eq reg 1 0x00000064 ] + +# meta protocol ip udp dport 67 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00004300 ] + +# meta protocol ip6 udp dport 67 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00004300 ] diff --git a/tests/py/bridge/redirect.t b/tests/py/bridge/redirect.t new file mode 100644 index 00000000..5181e799 --- /dev/null +++ b/tests/py/bridge/redirect.t @@ -0,0 +1,5 @@ +:prerouting;type filter hook prerouting priority 0 + +*bridge;test-bridge;prerouting + +meta broute set 1;ok diff --git a/tests/py/bridge/redirect.t.json b/tests/py/bridge/redirect.t.json new file mode 100644 index 00000000..7e32b329 --- /dev/null +++ b/tests/py/bridge/redirect.t.json @@ -0,0 +1,12 @@ +# meta broute set 1 +[ + { + "mangle": { + "key": { + "meta": { "key": "broute" } + }, + "value": 1 + } + } +] + diff --git a/tests/py/bridge/redirect.t.payload b/tests/py/bridge/redirect.t.payload new file mode 100644 index 00000000..1fcfa5f1 --- /dev/null +++ b/tests/py/bridge/redirect.t.payload @@ -0,0 +1,4 @@ +# meta broute set 1 +bridge test-bridge prerouting + [ immediate reg 1 0x00000001 ] + [ meta set broute with reg 1 ] diff --git a/tests/py/bridge/reject.t b/tests/py/bridge/reject.t index ee33af77..336b51bb 100644 --- a/tests/py/bridge/reject.t +++ b/tests/py/bridge/reject.t @@ -3,40 +3,40 @@ *bridge;test-bridge;input # The output is specific for bridge family -reject with icmp type host-unreachable;ok -reject with icmp type net-unreachable;ok -reject with icmp type prot-unreachable;ok -reject with icmp type port-unreachable;ok -reject with icmp type net-prohibited;ok -reject with icmp type host-prohibited;ok -reject with icmp type admin-prohibited;ok - -reject with icmpv6 type no-route;ok -reject with icmpv6 type admin-prohibited;ok -reject with icmpv6 type addr-unreachable;ok -reject with icmpv6 type port-unreachable;ok +reject with icmp host-unreachable;ok +reject with icmp net-unreachable;ok +reject with icmp prot-unreachable;ok +reject with icmp port-unreachable;ok +reject with icmp net-prohibited;ok +reject with icmp host-prohibited;ok +reject with icmp admin-prohibited;ok + +reject with icmpv6 no-route;ok +reject with icmpv6 admin-prohibited;ok +reject with icmpv6 addr-unreachable;ok +reject with icmpv6 port-unreachable;ok mark 12345 ip protocol tcp reject with tcp reset;ok;meta mark 0x00003039 ip protocol 6 reject with tcp reset reject;ok -ether type ip reject;ok;reject with icmp type port-unreachable -ether type ip6 reject;ok;reject with icmpv6 type port-unreachable - -reject with icmpx type host-unreachable;ok -reject with icmpx type no-route;ok -reject with icmpx type admin-prohibited;ok -reject with icmpx type port-unreachable;ok;reject - -ether type ipv6 reject with icmp type host-unreachable;fail -ether type ip6 reject with icmp type host-unreachable;fail -ether type ip reject with icmpv6 type no-route;fail -ether type vlan reject;ok +ether type ip reject;ok;reject with icmp port-unreachable +ether type ip6 reject;ok;reject with icmpv6 port-unreachable + +reject with icmpx host-unreachable;ok +reject with icmpx no-route;ok +reject with icmpx admin-prohibited;ok +reject with icmpx port-unreachable;ok;reject + +ether type ipv6 reject with icmp host-unreachable;fail +ether type ip6 reject with icmp host-unreachable;fail +ether type ip reject with icmpv6 no-route;fail +ether type vlan reject;ok;ether type 8021q reject ether type arp reject;fail -ether type vlan reject with tcp reset;ok;meta l4proto 6 ether type vlan reject with tcp reset +ether type vlan reject with tcp reset;ok;meta l4proto 6 ether type 8021q reject with tcp reset ether type arp reject with tcp reset;fail ip protocol udp reject with tcp reset;fail -ether type ip reject with icmpx type admin-prohibited;ok -ether type ip6 reject with icmpx type admin-prohibited;ok -ether type vlan reject with icmpx type admin-prohibited;ok -ether type arp reject with icmpx type admin-prohibited;fail +ether type ip reject with icmpx admin-prohibited;ok +ether type ip6 reject with icmpx admin-prohibited;ok +ether type 8021q reject with icmpx admin-prohibited;ok +ether type arp reject with icmpx admin-prohibited;fail diff --git a/tests/py/bridge/reject.t.json b/tests/py/bridge/reject.t.json index aea871f7..9f9e6c1e 100644 --- a/tests/py/bridge/reject.t.json +++ b/tests/py/bridge/reject.t.json @@ -1,4 +1,4 @@ -# reject with icmp type host-unreachable +# reject with icmp host-unreachable [ { "reject": { @@ -8,7 +8,7 @@ } ] -# reject with icmp type net-unreachable +# reject with icmp net-unreachable [ { "reject": { @@ -18,7 +18,7 @@ } ] -# reject with icmp type prot-unreachable +# reject with icmp prot-unreachable [ { "reject": { @@ -28,7 +28,7 @@ } ] -# reject with icmp type port-unreachable +# reject with icmp port-unreachable [ { "reject": { @@ -38,7 +38,7 @@ } ] -# reject with icmp type net-prohibited +# reject with icmp net-prohibited [ { "reject": { @@ -48,7 +48,7 @@ } ] -# reject with icmp type host-prohibited +# reject with icmp host-prohibited [ { "reject": { @@ -58,7 +58,7 @@ } ] -# reject with icmp type admin-prohibited +# reject with icmp admin-prohibited [ { "reject": { @@ -68,7 +68,7 @@ } ] -# reject with icmpv6 type no-route +# reject with icmpv6 no-route [ { "reject": { @@ -78,7 +78,7 @@ } ] -# reject with icmpv6 type admin-prohibited +# reject with icmpv6 admin-prohibited [ { "reject": { @@ -88,7 +88,7 @@ } ] -# reject with icmpv6 type addr-unreachable +# reject with icmpv6 addr-unreachable [ { "reject": { @@ -98,7 +98,7 @@ } ] -# reject with icmpv6 type port-unreachable +# reject with icmpv6 port-unreachable [ { "reject": { @@ -183,7 +183,7 @@ } ] -# reject with icmpx type host-unreachable +# reject with icmpx host-unreachable [ { "reject": { @@ -193,7 +193,7 @@ } ] -# reject with icmpx type no-route +# reject with icmpx no-route [ { "reject": { @@ -203,7 +203,7 @@ } ] -# reject with icmpx type admin-prohibited +# reject with icmpx admin-prohibited [ { "reject": { @@ -213,7 +213,7 @@ } ] -# reject with icmpx type port-unreachable +# reject with icmpx port-unreachable [ { "reject": { @@ -223,7 +223,7 @@ } ] -# ether type ip reject with icmpx type admin-prohibited +# ether type ip reject with icmpx admin-prohibited [ { "match": { @@ -245,7 +245,7 @@ } ] -# ether type ip6 reject with icmpx type admin-prohibited +# ether type ip6 reject with icmpx admin-prohibited [ { "match": { @@ -289,7 +289,7 @@ } }, "op": "==", - "right": "vlan" + "right": "8021q" } }, { @@ -318,7 +318,7 @@ } ] -# ether type vlan reject with icmpx type admin-prohibited +# ether type 8021q reject with icmpx admin-prohibited [ { "match": { @@ -329,7 +329,7 @@ } }, "op": "==", - "right": "vlan" + "right": "8021q" } }, { diff --git a/tests/py/bridge/reject.t.json.output b/tests/py/bridge/reject.t.json.output index e01a63af..b8a44f0e 100644 --- a/tests/py/bridge/reject.t.json.output +++ b/tests/py/bridge/reject.t.json.output @@ -71,7 +71,7 @@ } }, "op": "==", - "right": "vlan" + "right": "8021q" } }, { @@ -81,4 +81,3 @@ } } ] - diff --git a/tests/py/bridge/reject.t.payload b/tests/py/bridge/reject.t.payload index 7deb6fbf..bad9adc0 100644 --- a/tests/py/bridge/reject.t.payload +++ b/tests/py/bridge/reject.t.payload @@ -1,64 +1,64 @@ -# reject with icmp type host-unreachable +# reject with icmp host-unreachable bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 1 ] -# reject with icmp type net-unreachable +# reject with icmp net-unreachable bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 0 ] -# reject with icmp type prot-unreachable +# reject with icmp prot-unreachable bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 2 ] -# reject with icmp type port-unreachable +# reject with icmp port-unreachable bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 3 ] -# reject with icmp type net-prohibited +# reject with icmp net-prohibited bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 9 ] -# reject with icmp type host-prohibited +# reject with icmp host-prohibited bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 10 ] -# reject with icmp type admin-prohibited +# reject with icmp admin-prohibited bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 13 ] -# reject with icmpv6 type no-route +# reject with icmpv6 no-route bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ reject type 0 code 0 ] -# reject with icmpv6 type admin-prohibited +# reject with icmpv6 admin-prohibited bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ reject type 0 code 1 ] -# reject with icmpv6 type addr-unreachable +# reject with icmpv6 addr-unreachable bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ reject type 0 code 3 ] -# reject with icmpv6 type port-unreachable +# reject with icmpv6 port-unreachable bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -90,29 +90,29 @@ bridge test-bridge input [ cmp eq reg 1 0x0000dd86 ] [ reject type 0 code 4 ] -# reject with icmpx type host-unreachable +# reject with icmpx host-unreachable bridge test-bridge input [ reject type 2 code 2 ] -# reject with icmpx type no-route +# reject with icmpx no-route bridge test-bridge input [ reject type 2 code 0 ] -# reject with icmpx type admin-prohibited +# reject with icmpx admin-prohibited bridge test-bridge input [ reject type 2 code 3 ] -# reject with icmpx type port-unreachable +# reject with icmpx port-unreachable bridge test-bridge input [ reject type 2 code 1 ] -# ether type ip reject with icmpx type admin-prohibited +# ether type ip reject with icmpx admin-prohibited bridge test-bridge input [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 2 code 3 ] -# ether type ip6 reject with icmpx type admin-prohibited +# ether type ip6 reject with icmpx admin-prohibited bridge test-bridge input [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -132,7 +132,7 @@ bridge [ cmp eq reg 1 0x00000081 ] [ reject type 1 code 0 ] -# ether type vlan reject with icmpx type admin-prohibited +# ether type 8021q reject with icmpx admin-prohibited bridge [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] diff --git a/tests/py/bridge/vlan.t b/tests/py/bridge/vlan.t index 7a52a502..8fa90dac 100644 --- a/tests/py/bridge/vlan.t +++ b/tests/py/bridge/vlan.t @@ -1,27 +1,29 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *bridge;test-bridge;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress vlan id 4094;ok vlan id 0;ok # bad vlan id vlan id 4096;fail -vlan id 4094 vlan cfi 0;ok -vlan id 4094 vlan cfi != 1;ok -vlan id 4094 vlan cfi 1;ok -# bad cfi -vlan id 4094 vlan cfi 2;fail -vlan id 4094 vlan cfi 1 vlan pcp 8;fail -vlan id 4094 vlan cfi 1 vlan pcp 7;ok -vlan id 4094 vlan cfi 1 vlan pcp 3;ok +vlan id 4094 vlan dei 0;ok +vlan id 4094 vlan dei 1;ok +vlan id 4094 vlan dei != 1;ok +vlan id 4094 vlan cfi 1;ok;vlan id 4094 vlan dei 1 +# bad dei +vlan id 4094 vlan dei 2;fail +vlan id 4094 vlan dei 1 vlan pcp 8;fail +vlan id 4094 vlan dei 1 vlan pcp 7;ok +vlan id 4094 vlan dei 1 vlan pcp 3;ok ether type vlan vlan id 4094;ok;vlan id 4094 ether type vlan vlan id 0;ok;vlan id 0 -ether type vlan vlan id 4094 vlan cfi 0;ok;vlan id 4094 vlan cfi 0 -ether type vlan vlan id 4094 vlan cfi 1;ok;vlan id 4094 vlan cfi 1 -ether type vlan vlan id 4094 vlan cfi 2;fail +ether type vlan vlan id 4094 vlan dei 0;ok;vlan id 4094 vlan dei 0 +ether type vlan vlan id 4094 vlan dei 1;ok;vlan id 4094 vlan dei 1 +ether type vlan vlan id 4094 vlan dei 2;fail vlan id 4094 tcp dport 22;ok vlan id 1 ip saddr 10.0.0.1;ok @@ -32,8 +34,23 @@ ether type vlan vlan id 1 ip saddr 10.0.0.0/23 udp dport 53;ok;vlan id 1 ip sadd vlan id { 1, 2, 4, 100, 4095 } vlan pcp 1-3;ok vlan id { 1, 2, 4, 100, 4096 };fail -ether type vlan ip protocol 1 accept;ok +ether type vlan ip protocol 1 accept;ok;ether type 8021q ip protocol 1 accept + +# IEEE 802.1AD +ether type 8021ad vlan id 1 ip protocol 6 accept;ok +ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter;ok +ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip ip protocol 6;ok;ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 ip protocol 6 # illegal dependencies ether type ip vlan id 1;fail ether type ip vlan id 1 ip saddr 10.0.0.1;fail + +# mangling +vlan id 1 vlan id set 2;ok + +ether saddr 00:01:02:03:04:05 vlan id 1;ok +vlan id 2 ether saddr 0:1:2:3:4:6;ok;ether saddr 00:01:02:03:04:06 vlan id 2 + +ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 };ok + +ether saddr 00:11:22:33:44:55 counter ether type 8021q;ok diff --git a/tests/py/bridge/vlan.t.json b/tests/py/bridge/vlan.t.json index 3fb2e4f7..7dfcdb4b 100644 --- a/tests/py/bridge/vlan.t.json +++ b/tests/py/bridge/vlan.t.json @@ -30,7 +30,7 @@ } ] -# vlan id 4094 vlan cfi 0 +# vlan id 4094 vlan dei 0 [ { "match": { @@ -48,7 +48,7 @@ "match": { "left": { "payload": { - "field": "cfi", + "field": "dei", "protocol": "vlan" } }, @@ -58,7 +58,7 @@ } ] -# vlan id 4094 vlan cfi != 1 +# vlan id 4094 vlan dei 1 [ { "match": { @@ -76,7 +76,35 @@ "match": { "left": { "payload": { - "field": "cfi", + "field": "dei", + "protocol": "vlan" + } + }, + "op": "==", + "right": 1 + } + } +] + +# vlan id 4094 vlan dei != 1 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 4094 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dei", "protocol": "vlan" } }, @@ -104,7 +132,7 @@ "match": { "left": { "payload": { - "field": "cfi", + "field": "dei", "protocol": "vlan" } }, @@ -114,7 +142,7 @@ } ] -# vlan id 4094 vlan cfi 1 vlan pcp 7 +# vlan id 4094 vlan dei 1 vlan pcp 7 [ { "match": { @@ -132,7 +160,7 @@ "match": { "left": { "payload": { - "field": "cfi", + "field": "dei", "protocol": "vlan" } }, @@ -154,7 +182,7 @@ } ] -# vlan id 4094 vlan cfi 1 vlan pcp 3 +# vlan id 4094 vlan dei 1 vlan pcp 3 [ { "match": { @@ -172,7 +200,7 @@ "match": { "left": { "payload": { - "field": "cfi", + "field": "dei", "protocol": "vlan" } }, @@ -226,7 +254,7 @@ } ] -# ether type vlan vlan id 4094 vlan cfi 0 +# ether type vlan vlan id 4094 vlan dei 0 [ { "match": { @@ -244,7 +272,7 @@ "match": { "left": { "payload": { - "field": "cfi", + "field": "dei", "protocol": "vlan" } }, @@ -254,7 +282,7 @@ } ] -# ether type vlan vlan id 4094 vlan cfi 1 +# ether type vlan vlan id 4094 vlan dei 1 [ { "match": { @@ -272,7 +300,7 @@ "match": { "left": { "payload": { - "field": "cfi", + "field": "dei", "protocol": "vlan" } }, @@ -530,3 +558,337 @@ } ] +# ether type 8021ad vlan id 1 ip protocol 6 accept +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "ether" + } + }, + "op": "==", + "right": "8021ad" + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": "tcp" + } + }, + { + "accept": null + } +] + +# ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "ether" + } + }, + "op": "==", + "right": "8021ad" + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "vlan" + } + }, + "op": "==", + "right": "8021q" + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 2 + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "vlan" + } + }, + "op": "==", + "right": "ip" + } + }, + { + "counter": { + "bytes": 0, + "packets": 0 + } + } +] + +# ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip ip protocol 6 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "ether" + } + }, + "op": "==", + "right": "8021ad" + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "vlan" + } + }, + "op": "==", + "right": "8021q" + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 2 + } + }, + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": "tcp" + } + } +] + +# vlan id 1 vlan id set 2 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 1 + } + }, + { + "mangle": { + "key": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "value": 2 + } + } +] + +# ether saddr 00:01:02:03:04:05 vlan id 1 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + "op": "==", + "right": "00:01:02:03:04:05" + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 1 + } + } +] + +# vlan id 2 ether saddr 0:1:2:3:4:6 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + "op": "==", + "right": "00:01:02:03:04:06" + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 2 + } + } +] + +# ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + { + "payload": { + "field": "id", + "protocol": "vlan" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "0a:0b:0c:0d:0e:0f", + 42 + ] + }, + { + "concat": [ + "0a:0b:0c:0d:0e:0f", + 4095 + ] + } + ] + } + } + } +] + +# ether saddr 00:11:22:33:44:55 counter ether type 8021q +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + "op": "==", + "right": "00:11:22:33:44:55" + } + }, + { + "counter": { + "bytes": 0, + "packets": 0 + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "ether" + } + }, + "op": "==", + "right": "8021q" + } + } +] diff --git a/tests/py/bridge/vlan.t.json.output b/tests/py/bridge/vlan.t.json.output index 8f27ec0e..eea2d411 100644 --- a/tests/py/bridge/vlan.t.json.output +++ b/tests/py/bridge/vlan.t.json.output @@ -9,7 +9,7 @@ } }, "op": "==", - "right": "vlan" + "right": "8021q" } }, { @@ -29,3 +29,207 @@ } ] +# ether type 8021ad vlan id 1 ip protocol 6 accept +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "ether" + } + }, + "op": "==", + "right": "8021ad" + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": 6 + } + }, + { + "accept": null + } +] + +# ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "ether" + } + }, + "op": "==", + "right": "8021ad" + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "vlan" + } + }, + "op": "==", + "right": "8021q" + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 2 + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "vlan" + } + }, + "op": "==", + "right": "ip" + } + }, + { + "counter": null + } +] + +# ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip ip protocol 6 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "ether" + } + }, + "op": "==", + "right": "8021ad" + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "vlan" + } + }, + "op": "==", + "right": "8021q" + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 2 + } + }, + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": 6 + } + } +] + +# ether saddr 00:11:22:33:44:55 counter ether type 8021q +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + "op": "==", + "right": "00:11:22:33:44:55" + } + }, + { + "counter": null + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "ether" + } + }, + "op": "==", + "right": "8021q" + } + } +] diff --git a/tests/py/bridge/vlan.t.payload b/tests/py/bridge/vlan.t.payload index 2f045d18..2592bb96 100644 --- a/tests/py/bridge/vlan.t.payload +++ b/tests/py/bridge/vlan.t.payload @@ -14,7 +14,18 @@ bridge test-bridge input [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000000 ] -# vlan id 4094 vlan cfi 0 +# vlan id 4094 vlan cfi 1 +bridge + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x0000fe0f ] + [ payload load 1b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000010 ] + +# vlan id 4094 vlan dei 0 bridge test-bridge input [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] @@ -25,7 +36,7 @@ bridge test-bridge input [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000000 ] -# vlan id 4094 vlan cfi != 1 +# vlan id 4094 vlan dei != 1 bridge test-bridge input [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] @@ -36,7 +47,7 @@ bridge test-bridge input [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000010 ] -# vlan id 4094 vlan cfi 1 +# vlan id 4094 vlan dei 1 bridge test-bridge input [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] @@ -63,7 +74,7 @@ bridge test-bridge input [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000000 ] -# ether type vlan vlan id 4094 vlan cfi 0 +# ether type vlan vlan id 4094 vlan dei 0 bridge test-bridge input [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] @@ -74,7 +85,7 @@ bridge test-bridge input [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000000 ] -# ether type vlan vlan id 4094 vlan cfi 1 +# ether type vlan vlan id 4094 vlan dei 1 bridge test-bridge input [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] @@ -156,7 +167,7 @@ bridge test-bridge input [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x00003500 ] -# vlan id 4094 vlan cfi 1 vlan pcp 7 +# vlan id 4094 vlan dei 1 vlan pcp 7 bridge test-bridge input [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] @@ -170,7 +181,7 @@ bridge test-bridge input [ bitwise reg 1 = ( reg 1 & 0x000000e0 ) ^ 0x00000000 ] [ cmp eq reg 1 0x000000e0 ] -# vlan id 4094 vlan cfi 1 vlan pcp 3 +# vlan id 4094 vlan dei 1 vlan pcp 3 bridge test-bridge input [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] @@ -209,3 +220,95 @@ bridge test-bridge input [ cmp eq reg 1 0x00000001 ] [ immediate reg 0 accept ] +# ether type 8021ad vlan id 1 ip protocol 6 accept +bridge + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x0000a888 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 2b @ link header + 16 => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ immediate reg 0 accept ] + +# ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter +bridge + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x0000a888 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 2b @ link header + 16 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 18 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000200 ] + [ payload load 2b @ link header + 20 => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ counter pkts 0 bytes 0 ] + +# ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip ip protocol 6 +bridge + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x0000a888 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 2b @ link header + 16 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 18 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000200 ] + [ payload load 2b @ link header + 20 => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + +# vlan id 1 vlan id set 2 +bridge + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000200 ] + [ payload write reg 1 => 2b @ link header + 14 csum_type 0 csum_off 0 csum_flags 0x0 ] + +# ether saddr 00:01:02:03:04:05 vlan id 1 +bridge test-bridge input + [ payload load 8b @ link header + 6 => reg 1 ] + [ cmp eq reg 1 0x03020100 0x00810504 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000100 ] + +# vlan id 2 ether saddr 0:1:2:3:4:6 +bridge test-bridge input + [ payload load 8b @ link header + 6 => reg 1 ] + [ cmp eq reg 1 0x03020100 0x00810604 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000200 ] + +# ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 } +__set%d test-bridge 3 size 2 +__set%d test-bridge 0 + element 0d0c0b0a 00000f0e 00002a00 : 0 [end] element 0d0c0b0a 00000f0e 0000ff0f : 0 [end] +bridge test-bridge input + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 6b @ link header + 6 => reg 1 ] + [ payload load 2b @ link header + 14 => reg 10 ] + [ bitwise reg 10 = ( reg 10 & 0x0000ff0f ) ^ 0x00000000 ] + [ lookup reg 1 set __set%d ] + +# ether saddr 00:11:22:33:44:55 counter ether type 8021q +bridge test-bridge input + [ payload load 6b @ link header + 6 => reg 1 ] + [ cmp eq reg 1 0x33221100 0x00005544 ] + [ counter pkts 0 bytes 0 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] diff --git a/tests/py/bridge/vlan.t.payload.netdev b/tests/py/bridge/vlan.t.payload.netdev index 9d1fe557..f3341947 100644 --- a/tests/py/bridge/vlan.t.payload.netdev +++ b/tests/py/bridge/vlan.t.payload.netdev @@ -18,7 +18,7 @@ netdev test-netdev ingress [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000000 ] -# vlan id 4094 vlan cfi 0 +# vlan id 4094 vlan dei 0 netdev test-netdev ingress [ meta load iiftype => reg 1 ] [ cmp eq reg 1 0x00000001 ] @@ -31,7 +31,7 @@ netdev test-netdev ingress [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000000 ] -# vlan id 4094 vlan cfi != 1 +# vlan id 4094 vlan dei != 1 netdev test-netdev ingress [ meta load iiftype => reg 1 ] [ cmp eq reg 1 0x00000001 ] @@ -45,6 +45,19 @@ netdev test-netdev ingress [ cmp neq reg 1 0x00000010 ] # vlan id 4094 vlan cfi 1 +netdev + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x0000fe0f ] + [ payload load 1b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000010 ] + +# vlan id 4094 vlan dei 1 netdev test-netdev ingress [ meta load iiftype => reg 1 ] [ cmp eq reg 1 0x00000001 ] @@ -77,7 +90,7 @@ netdev test-netdev ingress [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000000 ] -# ether type vlan vlan id 4094 vlan cfi 0 +# ether type vlan vlan id 4094 vlan dei 0 netdev test-netdev ingress [ meta load iiftype => reg 1 ] [ cmp eq reg 1 0x00000001 ] @@ -90,7 +103,7 @@ netdev test-netdev ingress [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000000 ] -# ether type vlan vlan id 4094 vlan cfi 1 +# ether type vlan vlan id 4094 vlan dei 1 netdev test-netdev ingress [ meta load iiftype => reg 1 ] [ cmp eq reg 1 0x00000001 ] @@ -184,7 +197,7 @@ netdev test-netdev ingress [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x00003500 ] -# vlan id 4094 vlan cfi 1 vlan pcp 7 +# vlan id 4094 vlan dei 1 vlan pcp 7 netdev test-netdev ingress [ meta load iiftype => reg 1 ] [ cmp eq reg 1 0x00000001 ] @@ -200,7 +213,7 @@ netdev test-netdev ingress [ bitwise reg 1 = ( reg 1 & 0x000000e0 ) ^ 0x00000000 ] [ cmp eq reg 1 0x000000e0 ] -# vlan id 4094 vlan cfi 1 vlan pcp 3 +# vlan id 4094 vlan dei 1 vlan pcp 3 netdev test-netdev ingress [ meta load iiftype => reg 1 ] [ cmp eq reg 1 0x00000001 ] @@ -245,3 +258,111 @@ netdev test-netdev ingress [ cmp eq reg 1 0x00000001 ] [ immediate reg 0 accept ] +# ether type 8021ad vlan id 1 ip protocol 6 accept +netdev + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x0000a888 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 2b @ link header + 16 => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ immediate reg 0 accept ] + +# ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter +netdev + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x0000a888 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 2b @ link header + 16 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 18 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000200 ] + [ payload load 2b @ link header + 20 => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ counter pkts 0 bytes 0 ] + +# ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip ip protocol 6 +netdev + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x0000a888 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 2b @ link header + 16 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 18 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000200 ] + [ payload load 2b @ link header + 20 => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + +# vlan id 1 vlan id set 2 +netdev + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000200 ] + [ payload write reg 1 => 2b @ link header + 14 csum_type 0 csum_off 0 csum_flags 0x0 ] + +# vlan id 2 ether saddr 0:1:2:3:4:6 +netdev test-netdev ingress + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 8b @ link header + 6 => reg 1 ] + [ cmp eq reg 1 0x03020100 0x00810604 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000200 ] + +# ether saddr 00:01:02:03:04:05 vlan id 1 +netdev test-netdev ingress + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 8b @ link header + 6 => reg 1 ] + [ cmp eq reg 1 0x03020100 0x00810504 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000100 ] + +# ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 } +__set%d test-netdev 3 size 2 +__set%d test-netdev 0 + element 0d0c0b0a 00000f0e 00002a00 : 0 [end] element 0d0c0b0a 00000f0e 0000ff0f : 0 [end] +netdev test-netdev ingress + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 6b @ link header + 6 => reg 1 ] + [ payload load 2b @ link header + 14 => reg 10 ] + [ bitwise reg 10 = ( reg 10 & 0x0000ff0f ) ^ 0x00000000 ] + [ lookup reg 1 set __set%d ] + +# ether saddr 00:11:22:33:44:55 counter ether type 8021q +bridge test-bridge input + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 6b @ link header + 6 => reg 1 ] + [ cmp eq reg 1 0x33221100 0x00005544 ] + [ counter pkts 0 bytes 0 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] diff --git a/tests/py/inet/ah.t b/tests/py/inet/ah.t index 945db996..83b6202b 100644 --- a/tests/py/inet/ah.t +++ b/tests/py/inet/ah.t @@ -1,10 +1,11 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress - ah nexthdr esp;ok - ah nexthdr ah;ok @@ -20,8 +21,6 @@ ah hdrlength 11-23;ok ah hdrlength != 11-23;ok -ah hdrlength { 11-23};ok -ah hdrlength != { 11-23};ok ah hdrlength {11, 23, 44 };ok ah hdrlength != {11, 23, 44 };ok @@ -31,8 +30,6 @@ ah reserved 33-45;ok ah reserved != 33-45;ok ah reserved {23, 100};ok ah reserved != {23, 100};ok -ah reserved { 33-55};ok -ah reserved != { 33-55};ok ah spi 111;ok ah spi != 111;ok @@ -40,15 +37,11 @@ ah spi 111-222;ok ah spi != 111-222;ok ah spi {111, 122};ok ah spi != {111, 122};ok -ah spi { 111-122};ok -ah spi != { 111-122};ok # sequence ah sequence 123;ok ah sequence != 123;ok ah sequence {23, 25, 33};ok ah sequence != {23, 25, 33};ok -ah sequence { 23-33};ok -ah sequence != { 23-33};ok ah sequence 23-33;ok ah sequence != 23-33;ok diff --git a/tests/py/inet/ah.t.json b/tests/py/inet/ah.t.json index 4efdb0dd..217280b6 100644 --- a/tests/py/inet/ah.t.json +++ b/tests/py/inet/ah.t.json @@ -34,46 +34,6 @@ } ] -# ah hdrlength { 11-23} -[ - { - "match": { - "left": { - "payload": { - "field": "hdrlength", - "protocol": "ah" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 11, 23 ] } - ] - } - } - } -] - -# ah hdrlength != { 11-23} -[ - { - "match": { - "left": { - "payload": { - "field": "hdrlength", - "protocol": "ah" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 11, 23 ] } - ] - } - } - } -] - # ah hdrlength {11, 23, 44 } [ { @@ -228,46 +188,6 @@ } ] -# ah reserved { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "reserved", - "protocol": "ah" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# ah reserved != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "reserved", - "protocol": "ah" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # ah spi 111 [ { @@ -378,46 +298,6 @@ } ] -# ah spi { 111-122} -[ - { - "match": { - "left": { - "payload": { - "field": "spi", - "protocol": "ah" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 111, 122 ] } - ] - } - } - } -] - -# ah spi != { 111-122} -[ - { - "match": { - "left": { - "payload": { - "field": "spi", - "protocol": "ah" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 111, 122 ] } - ] - } - } - } -] - # ah sequence 123 [ { @@ -494,46 +374,6 @@ } ] -# ah sequence { 23-33} -[ - { - "match": { - "left": { - "payload": { - "field": "sequence", - "protocol": "ah" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 23, 33 ] } - ] - } - } - } -] - -# ah sequence != { 23-33} -[ - { - "match": { - "left": { - "payload": { - "field": "sequence", - "protocol": "ah" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 23, 33 ] } - ] - } - } - } -] - # ah sequence 23-33 [ { diff --git a/tests/py/inet/ah.t.payload b/tests/py/inet/ah.t.payload index 5ec5fba1..7ddd72d5 100644 --- a/tests/py/inet/ah.t.payload +++ b/tests/py/inet/ah.t.payload @@ -13,26 +13,6 @@ inet test-inet input [ payload load 1b @ transport header + 1 => reg 1 ] [ range neq reg 1 0x0000000b 0x00000017 ] -# ah hdrlength { 11-23} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 0000000b : 0 [end] element 00000018 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 1b @ transport header + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ah hdrlength != { 11-23} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 0000000b : 0 [end] element 00000018 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 1b @ transport header + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ah hdrlength {11, 23, 44 } __set%d test-inet 3 __set%d test-inet 0 @@ -102,26 +82,6 @@ inet test-inet input [ payload load 2b @ transport header + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ah reserved { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ah reserved != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ah spi 111 inet test-inet input [ meta load l4proto => reg 1 ] @@ -171,26 +131,6 @@ inet test-inet input [ payload load 4b @ transport header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ah spi { 111-122} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 6f000000 : 0 [end] element 7b000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 4b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ah spi != { 111-122} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 6f000000 : 0 [end] element 7b000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 4b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ah sequence 123 inet test-inet input [ meta load l4proto => reg 1 ] @@ -225,26 +165,6 @@ inet test-inet input [ payload load 4b @ transport header + 8 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ah sequence { 23-33} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 17000000 : 0 [end] element 22000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 4b @ transport header + 8 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ah sequence != { 23-33} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 17000000 : 0 [end] element 22000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000033 ] - [ payload load 4b @ transport header + 8 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ah sequence 23-33 inet test-inet input [ meta load l4proto => reg 1 ] diff --git a/tests/py/inet/comp.t b/tests/py/inet/comp.t index 0df18139..2ef53820 100644 --- a/tests/py/inet/comp.t +++ b/tests/py/inet/comp.t @@ -1,10 +1,11 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress # BUG: nft: payload.c:88: payload_expr_pctx_update: Assertion `left->payload.base + 1 <= (__PROTO_BASE_MAX - 1)' failed. - comp nexthdr esp;ok;comp nexthdr 50 @@ -20,8 +21,6 @@ comp flags 0x33-0x45;ok comp flags != 0x33-0x45;ok comp flags {0x33, 0x55, 0x67, 0x88};ok comp flags != {0x33, 0x55, 0x67, 0x88};ok -comp flags { 0x33-0x55};ok -comp flags != { 0x33-0x55};ok comp cpi 22;ok comp cpi != 233;ok @@ -29,5 +28,3 @@ comp cpi 33-45;ok comp cpi != 33-45;ok comp cpi {33, 55, 67, 88};ok comp cpi != {33, 55, 67, 88};ok -comp cpi { 33-55};ok -comp cpi != { 33-55};ok diff --git a/tests/py/inet/comp.t.json b/tests/py/inet/comp.t.json index b9b24f98..c9f6fcac 100644 --- a/tests/py/inet/comp.t.json +++ b/tests/py/inet/comp.t.json @@ -128,46 +128,6 @@ } ] -# comp flags { 0x33-0x55} -[ - { - "match": { - "left": { - "payload": { - "field": "flags", - "protocol": "comp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ "0x33", "0x55" ] } - ] - } - } - } -] - -# comp flags != { 0x33-0x55} -[ - { - "match": { - "left": { - "payload": { - "field": "flags", - "protocol": "comp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ "0x33", "0x55" ] } - ] - } - } - } -] - # comp cpi 22 [ { @@ -282,43 +242,3 @@ } ] -# comp cpi { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "cpi", - "protocol": "comp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# comp cpi != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "cpi", - "protocol": "comp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - diff --git a/tests/py/inet/comp.t.payload b/tests/py/inet/comp.t.payload index dec38aea..024e47cd 100644 --- a/tests/py/inet/comp.t.payload +++ b/tests/py/inet/comp.t.payload @@ -54,26 +54,6 @@ inet test-inet input [ payload load 1b @ transport header + 1 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# comp flags { 0x33-0x55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000033 : 0 [end] element 00000056 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x0000006c ] - [ payload load 1b @ transport header + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# comp flags != { 0x33-0x55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000033 : 0 [end] element 00000056 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x0000006c ] - [ payload load 1b @ transport header + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # comp cpi 22 inet test-inet input [ meta load l4proto => reg 1 ] @@ -123,23 +103,3 @@ inet test-inet input [ payload load 2b @ transport header + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# comp cpi { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x0000006c ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# comp cpi != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x0000006c ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - diff --git a/tests/py/inet/ct.t b/tests/py/inet/ct.t index 3d0dffad..5312b328 100644 --- a/tests/py/inet/ct.t +++ b/tests/py/inet/ct.t @@ -6,7 +6,7 @@ meta nfproto ipv4 ct original saddr 1.2.3.4;ok;ct original ip saddr 1.2.3.4 ct original ip6 saddr ::1;ok -ct original ip daddr {1.2.3.4} accept;ok +ct original ip daddr 1.2.3.4 accept;ok # missing protocol context ct original saddr ::1;fail diff --git a/tests/py/inet/ct.t.json b/tests/py/inet/ct.t.json index e7f928ca..223ac9e7 100644 --- a/tests/py/inet/ct.t.json +++ b/tests/py/inet/ct.t.json @@ -39,7 +39,7 @@ } ] -# ct original ip daddr {1.2.3.4} accept +# ct original ip daddr 1.2.3.4 accept [ { "match": { @@ -50,11 +50,7 @@ } }, "op": "==", - "right": { - "set": [ - "1.2.3.4" - ] - } + "right": "1.2.3.4" } }, { diff --git a/tests/py/inet/ct.t.payload b/tests/py/inet/ct.t.payload index 3b274f8c..f7a2ef27 100644 --- a/tests/py/inet/ct.t.payload +++ b/tests/py/inet/ct.t.payload @@ -10,11 +10,8 @@ inet test-inet input [ ct load src_ip6 => reg 1 , dir original ] [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x01000000 ] -# ct original ip daddr {1.2.3.4} accept -__set%d test-inet 3 size 1 -__set%d test-inet 0 - element 04030201 : 0 [end] +# ct original ip daddr 1.2.3.4 accept inet test-inet input [ ct load dst_ip => reg 1 , dir original ] - [ lookup reg 1 set __set%d ] + [ cmp eq reg 1 0x04030201 ] [ immediate reg 0 accept ] diff --git a/tests/py/inet/dccp.t b/tests/py/inet/dccp.t index 9a81bb2e..99cddbe7 100644 --- a/tests/py/inet/dccp.t +++ b/tests/py/inet/dccp.t @@ -1,29 +1,30 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress dccp sport 21-35;ok dccp sport != 21-35;ok dccp sport {23, 24, 25};ok dccp sport != {23, 24, 25};ok -dccp sport { 20-50 };ok dccp sport 20-50;ok -dccp sport { 20-50};ok -dccp sport != { 20-50};ok # dccp dport 21-35;ok # dccp dport != 21-35;ok dccp dport {23, 24, 25};ok dccp dport != {23, 24, 25};ok -dccp dport { 20-50};ok -dccp dport != { 20-50};ok dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack};ok dccp type != {request, response, data, ack, dataack, closereq, close, reset, sync, syncack};ok dccp type request;ok dccp type != request;ok + +dccp option 0 exists;ok +dccp option 43 missing;ok +dccp option 255 exists;ok +dccp option 256 exists;fail diff --git a/tests/py/inet/dccp.t.json b/tests/py/inet/dccp.t.json index 97e33c14..9f47e97b 100644 --- a/tests/py/inet/dccp.t.json +++ b/tests/py/inet/dccp.t.json @@ -78,26 +78,6 @@ } ] -# dccp sport { 20-50 } -[ - { - "match": { - "left": { - "payload": { - "field": "sport", - "protocol": "dccp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 20, 50 ] } - ] - } - } - } -] - # dccp sport 20-50 [ { @@ -116,46 +96,6 @@ } ] -# dccp sport { 20-50} -[ - { - "match": { - "left": { - "payload": { - "field": "sport", - "protocol": "dccp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 20, 50 ] } - ] - } - } - } -] - -# dccp sport != { 20-50} -[ - { - "match": { - "left": { - "payload": { - "field": "sport", - "protocol": "dccp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 20, 50 ] } - ] - } - } - } -] - # dccp dport {23, 24, 25} [ { @@ -200,46 +140,6 @@ } ] -# dccp dport { 20-50} -[ - { - "match": { - "left": { - "payload": { - "field": "dport", - "protocol": "dccp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 20, 50 ] } - ] - } - } - } -] - -# dccp dport != { 20-50} -[ - { - "match": { - "left": { - "payload": { - "field": "dport", - "protocol": "dccp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 20, 50 ] } - ] - } - } - } -] - # dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack} [ { @@ -330,3 +230,47 @@ } ] +# dccp option 0 exists +[ + { + "match": { + "left": { + "dccp option": { + "type": 0 + } + }, + "op": "==", + "right": true + } + } +] + +# dccp option 43 missing +[ + { + "match": { + "left": { + "dccp option": { + "type": 43 + } + }, + "op": "==", + "right": false + } + } +] + +# dccp option 255 exists +[ + { + "match": { + "left": { + "dccp option": { + "type": 255 + } + }, + "op": "==", + "right": true + } + } +] diff --git a/tests/py/inet/dccp.t.payload b/tests/py/inet/dccp.t.payload index b252d829..c0b87be1 100644 --- a/tests/py/inet/dccp.t.payload +++ b/tests/py/inet/dccp.t.payload @@ -33,16 +33,6 @@ inet test-inet input [ payload load 2b @ transport header + 0 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# dccp sport { 20-50 } -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00001400 : 0 [end] element 00003300 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000021 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - # dccp sport 20-50 inet test-inet input [ meta load l4proto => reg 1 ] @@ -51,26 +41,6 @@ inet test-inet input [ cmp gte reg 1 0x00001400 ] [ cmp lte reg 1 0x00003200 ] -# dccp sport { 20-50} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00001400 : 0 [end] element 00003300 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000021 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# dccp sport != { 20-50} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00001400 : 0 [end] element 00003300 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000021 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # dccp dport {23, 24, 25} __set%d test-ip4 3 __set%d test-ip4 0 @@ -91,26 +61,6 @@ inet test-inet input [ payload load 2b @ transport header + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# dccp dport { 20-50} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00001400 : 0 [end] element 00003300 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000021 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# dccp dport != { 20-50} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00001400 : 0 [end] element 00003300 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000021 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack} __set%d test-inet 3 __set%d test-inet 0 @@ -149,3 +99,17 @@ inet test-inet input [ bitwise reg 1 = ( reg 1 & 0x0000001e ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000000 ] +# dccp option 0 exists +ip test-inet input + [ exthdr load 1b @ 0 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# dccp option 43 missing +ip test-inet input + [ exthdr load 1b @ 43 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000000 ] + +# dccp option 255 exists +ip test-inet input + [ exthdr load 1b @ 255 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] diff --git a/tests/py/inet/dnat.t b/tests/py/inet/dnat.t index b460af39..e4e169f2 100644 --- a/tests/py/inet/dnat.t +++ b/tests/py/inet/dnat.t @@ -6,6 +6,7 @@ iifname "foo" tcp dport 80 redirect to :8080;ok iifname "eth0" tcp dport 443 dnat ip to 192.168.3.2;ok iifname "eth0" tcp dport 443 dnat ip6 to [dead::beef]:4443;ok +meta l4proto tcp dnat to :80;ok;meta l4proto 6 dnat to :80 dnat ip to ct mark map { 0x00000014 : 1.2.3.4};ok dnat ip to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4};ok diff --git a/tests/py/inet/dnat.t.json b/tests/py/inet/dnat.t.json index 1b8aba62..c341a045 100644 --- a/tests/py/inet/dnat.t.json +++ b/tests/py/inet/dnat.t.json @@ -219,3 +219,23 @@ } ] +# meta l4proto tcp dnat to :80 +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 6 + } + }, + { + "dnat": { + "port": 80 + } + } +] + diff --git a/tests/py/inet/dnat.t.payload b/tests/py/inet/dnat.t.payload index a741b9cb..ce1601ab 100644 --- a/tests/py/inet/dnat.t.payload +++ b/tests/py/inet/dnat.t.payload @@ -18,7 +18,7 @@ inet test-inet prerouting [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x0000bb01 ] [ immediate reg 1 0x0203a8c0 ] - [ nat dnat ip addr_min reg 1 addr_max reg 0 ] + [ nat dnat ip addr_min reg 1 ] # iifname "eth0" tcp dport 443 dnat ip6 to [dead::beef]:4443 inet test-inet prerouting @@ -30,7 +30,7 @@ inet test-inet prerouting [ cmp eq reg 1 0x0000bb01 ] [ immediate reg 1 0x0000adde 0x00000000 0x00000000 0xefbe0000 ] [ immediate reg 2 0x00005b11 ] - [ nat dnat ip6 addr_min reg 1 addr_max reg 0 proto_min reg 2 proto_max reg 0 flags 0x2 ] + [ nat dnat ip6 addr_min reg 1 proto_min reg 2 flags 0x2 ] # dnat ip to ct mark map { 0x00000014 : 1.2.3.4} __map%d test-inet b size 1 @@ -39,7 +39,7 @@ __map%d test-inet 0 inet test-inet prerouting [ ct load mark => reg 1 ] [ lookup reg 1 set __map%d dreg 1 ] - [ nat dnat ip addr_min reg 1 addr_max reg 0 ] + [ nat dnat ip addr_min reg 1 ] # dnat ip to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4} __map%d test-inet b size 1 @@ -51,7 +51,7 @@ inet test-inet prerouting [ ct load mark => reg 1 ] [ payload load 4b @ network header + 16 => reg 9 ] [ lookup reg 1 set __map%d dreg 1 ] - [ nat dnat ip addr_min reg 1 addr_max reg 0 ] + [ nat dnat ip addr_min reg 1 ] # meta l4proto { tcp, udp } dnat ip to 1.1.1.1:80 __set%d test-inet 3 @@ -62,7 +62,7 @@ inet [ lookup reg 1 set __set%d ] [ immediate reg 1 0x01010101 ] [ immediate reg 2 0x00005000 ] - [ nat dnat ip addr_min reg 1 addr_max reg 0 proto_min reg 2 proto_max reg 0 flags 0x2 ] + [ nat dnat ip addr_min reg 1 proto_min reg 2 flags 0x2 ] # ip protocol { tcp, udp } dnat ip to 1.1.1.1:80 __set%d test-inet 3 @@ -75,5 +75,12 @@ inet [ lookup reg 1 set __set%d ] [ immediate reg 1 0x01010101 ] [ immediate reg 2 0x00005000 ] - [ nat dnat ip addr_min reg 1 addr_max reg 0 proto_min reg 2 proto_max reg 0 flags 0x2 ] + [ nat dnat ip addr_min reg 1 proto_min reg 2 flags 0x2 ] + +# meta l4proto tcp dnat to :80 +inet + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ immediate reg 1 0x00005000 ] + [ nat dnat inet proto_min reg 1 flags 0x2 ] diff --git a/tests/py/inet/esp.t b/tests/py/inet/esp.t index ebba7d87..536260cf 100644 --- a/tests/py/inet/esp.t +++ b/tests/py/inet/esp.t @@ -1,10 +1,11 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress esp spi 100;ok esp spi != 100;ok @@ -12,14 +13,9 @@ esp spi 111-222;ok esp spi != 111-222;ok esp spi { 100, 102};ok esp spi != { 100, 102};ok -esp spi { 100-102};ok -esp spi != { 100-102};ok -- esp spi {100-102};ok esp sequence 22;ok esp sequence 22-24;ok esp sequence != 22-24;ok esp sequence { 22, 24};ok esp sequence != { 22, 24};ok -esp sequence { 22-25};ok -esp sequence != { 22-25};ok diff --git a/tests/py/inet/esp.t.json b/tests/py/inet/esp.t.json index ee690f96..a9dedd6f 100644 --- a/tests/py/inet/esp.t.json +++ b/tests/py/inet/esp.t.json @@ -108,46 +108,6 @@ } ] -# esp spi { 100-102} -[ - { - "match": { - "left": { - "payload": { - "field": "spi", - "protocol": "esp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 100, 102 ] } - ] - } - } - } -] - -# esp spi != { 100-102} -[ - { - "match": { - "left": { - "payload": { - "field": "spi", - "protocol": "esp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 100, 102 ] } - ] - } - } - } -] - # esp sequence 22 [ { @@ -242,43 +202,3 @@ } ] -# esp sequence { 22-25} -[ - { - "match": { - "left": { - "payload": { - "field": "sequence", - "protocol": "esp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 22, 25 ] } - ] - } - } - } -] - -# esp sequence != { 22-25} -[ - { - "match": { - "left": { - "payload": { - "field": "sequence", - "protocol": "esp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 22, 25 ] } - ] - } - } - } -] - diff --git a/tests/py/inet/esp.t.payload b/tests/py/inet/esp.t.payload index ad68530b..0353b056 100644 --- a/tests/py/inet/esp.t.payload +++ b/tests/py/inet/esp.t.payload @@ -47,26 +47,6 @@ inet test-inet input [ payload load 4b @ transport header + 0 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# esp spi { 100-102} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 64000000 : 0 [end] element 67000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000032 ] - [ payload load 4b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# esp spi != { 100-102} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 64000000 : 0 [end] element 67000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000032 ] - [ payload load 4b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # esp sequence 22 inet test-inet input [ meta load l4proto => reg 1 ] @@ -109,23 +89,3 @@ inet test-inet input [ payload load 4b @ transport header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# esp sequence { 22-25} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 16000000 : 0 [end] element 1a000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000032 ] - [ payload load 4b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# esp sequence != { 22-25} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 16000000 : 0 [end] element 1a000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000032 ] - [ payload load 4b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - diff --git a/tests/py/inet/ether-ip.t b/tests/py/inet/ether-ip.t index 0c8c7f9d..759124de 100644 --- a/tests/py/inet/ether-ip.t +++ b/tests/py/inet/ether-ip.t @@ -1,8 +1,9 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept;ok;tcp dport 22 ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4 accept tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04;ok diff --git a/tests/py/inet/ether.t b/tests/py/inet/ether.t index afdf8b89..8625f70b 100644 --- a/tests/py/inet/ether.t +++ b/tests/py/inet/ether.t @@ -1,13 +1,20 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input *bridge;test-bridge;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 accept;ok;tcp dport 22 ether saddr 00:0f:54:0c:11:04 accept tcp dport 22 ether saddr 00:0f:54:0c:11:04 accept;ok ether saddr 00:0f:54:0c:11:04 accept;ok + +vlan id 1;ok +ether type vlan vlan id 2;ok;vlan id 2 + +# invalid dependency +ether type ip vlan id 1;fail diff --git a/tests/py/inet/ether.t.json b/tests/py/inet/ether.t.json index 84b184c7..c7a7f886 100644 --- a/tests/py/inet/ether.t.json +++ b/tests/py/inet/ether.t.json @@ -88,3 +88,35 @@ } ] +# vlan id 1 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 1 + } + } +] + +# ether type vlan vlan id 2 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 2 + } + } +] + diff --git a/tests/py/inet/ether.t.payload b/tests/py/inet/ether.t.payload index 53648413..8b74a781 100644 --- a/tests/py/inet/ether.t.payload +++ b/tests/py/inet/ether.t.payload @@ -30,3 +30,23 @@ inet test-inet input [ cmp eq reg 1 0x0c540f00 0x00000411 ] [ immediate reg 0 accept ] +# vlan id 1 +netdev test-netdev ingress + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000100 ] + +# ether type vlan vlan id 2 +netdev test-netdev ingress + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000200 ] + diff --git a/tests/py/inet/ether.t.payload.bridge b/tests/py/inet/ether.t.payload.bridge index e9208008..0128d5f0 100644 --- a/tests/py/inet/ether.t.payload.bridge +++ b/tests/py/inet/ether.t.payload.bridge @@ -26,3 +26,19 @@ bridge test-bridge input [ cmp eq reg 1 0x0c540f00 0x00000411 ] [ immediate reg 0 accept ] +# vlan id 1 +bridge test-bridge input + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000100 ] + +# ether type vlan vlan id 2 +bridge test-bridge input + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000200 ] + diff --git a/tests/py/inet/ether.t.payload.ip b/tests/py/inet/ether.t.payload.ip index a604f603..7c91f412 100644 --- a/tests/py/inet/ether.t.payload.ip +++ b/tests/py/inet/ether.t.payload.ip @@ -30,3 +30,23 @@ ip test-ip4 input [ cmp eq reg 1 0x0c540f00 0x00000411 ] [ immediate reg 0 accept ] +# vlan id 1 +ip test-ip4 input + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000100 ] + +# ether type vlan vlan id 2 +ip test-ip4 input + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000200 ] + diff --git a/tests/py/inet/fib.t.payload b/tests/py/inet/fib.t.payload index 1d4c3d94..050857d9 100644 --- a/tests/py/inet/fib.t.payload +++ b/tests/py/inet/fib.t.payload @@ -16,7 +16,7 @@ ip test-ip prerouting # fib daddr . iif type vmap { blackhole : drop, prohibit : drop, unicast : accept } __map%d test-ip b __map%d test-ip 0 - element 00000006 : 0 [end] element 00000008 : 0 [end] element 00000001 : 0 [end] + element 00000006 : drop 0 [end] element 00000008 : drop 0 [end] element 00000001 : accept 0 [end] ip test-ip prerouting [ fib daddr . iif type => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] diff --git a/tests/py/inet/geneve.t b/tests/py/inet/geneve.t new file mode 100644 index 00000000..101f6dfc --- /dev/null +++ b/tests/py/inet/geneve.t @@ -0,0 +1,23 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 + +*ip;test-ip4;input +*ip6;test-ip6;input +*inet;test-inet;input +*netdev;test-netdev;ingress,egress + +geneve vni 10;fail +udp dport 6081 geneve vni 10;ok +udp dport 6081 geneve ip saddr 10.141.11.2;ok +udp dport 6081 geneve ip saddr 10.141.11.0/24;ok +udp dport 6081 geneve ip protocol 1;ok +udp dport 6081 geneve udp sport 8888;ok +udp dport 6081 geneve icmp type echo-reply;ok +udp dport 6081 geneve ether saddr 62:87:4d:d6:19:05;ok +udp dport 6081 geneve vlan id 10;ok +udp dport 6081 geneve ip dscp 0x02;ok +udp dport 6081 geneve ip dscp 0x02;ok +udp dport 6081 geneve ip saddr . geneve ip daddr { 1.2.3.4 . 4.3.2.1 };ok + +udp dport 6081 geneve ip saddr set 1.2.3.4;fail diff --git a/tests/py/inet/geneve.t.json b/tests/py/inet/geneve.t.json new file mode 100644 index 00000000..a299fcd2 --- /dev/null +++ b/tests/py/inet/geneve.t.json @@ -0,0 +1,344 @@ +# udp dport 6081 geneve vni 10 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "vni", + "protocol": "geneve", + "tunnel": "geneve" + } + }, + "op": "==", + "right": 10 + } + } +] + +# udp dport 6081 geneve ip saddr 10.141.11.2 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "geneve" + } + }, + "op": "==", + "right": "10.141.11.2" + } + } +] + +# udp dport 6081 geneve ip saddr 10.141.11.0/24 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "geneve" + } + }, + "op": "==", + "right": { + "prefix": { + "addr": "10.141.11.0", + "len": 24 + } + } + } + } +] + +# udp dport 6081 geneve ip protocol 1 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip", + "tunnel": "geneve" + } + }, + "op": "==", + "right": 1 + } + } +] + +# udp dport 6081 geneve udp sport 8888 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "udp", + "tunnel": "geneve" + } + }, + "op": "==", + "right": 8888 + } + } +] + +# udp dport 6081 geneve icmp type echo-reply +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp", + "tunnel": "geneve" + } + }, + "op": "==", + "right": "echo-reply" + } + } +] + +# udp dport 6081 geneve ether saddr 62:87:4d:d6:19:05 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether", + "tunnel": "geneve" + } + }, + "op": "==", + "right": "62:87:4d:d6:19:05" + } + } +] + +# udp dport 6081 geneve vlan id 10 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan", + "tunnel": "geneve" + } + }, + "op": "==", + "right": 10 + } + } +] + +# udp dport 6081 geneve ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "geneve" + } + }, + "op": "==", + "right": 2 + } + } +] + +# udp dport 6081 geneve ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "geneve" + } + }, + "op": "==", + "right": 2 + } + } +] + +# udp dport 6081 geneve ip saddr . geneve ip daddr { 1.2.3.4 . 4.3.2.1 } +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "geneve" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip", + "tunnel": "geneve" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + "4.3.2.1" + ] + } + ] + } + } + } +] + diff --git a/tests/py/inet/geneve.t.payload b/tests/py/inet/geneve.t.payload new file mode 100644 index 00000000..1ce54de6 --- /dev/null +++ b/tests/py/inet/geneve.t.payload @@ -0,0 +1,114 @@ +# udp dport 6081 geneve vni 10 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ payload load 3b @ unknown header + 4 => reg 1 ] ] + [ cmp eq reg 1 0x000a0000 ] + +# udp dport 6081 geneve ip saddr 10.141.11.2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 2 hdrsize 8 flags f [ payload load 4b @ network header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x020b8d0a ] + +# udp dport 6081 geneve ip saddr 10.141.11.0/24 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 2 hdrsize 8 flags f [ payload load 3b @ network header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x000b8d0a ] + +# udp dport 6081 geneve ip protocol 1 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 2 hdrsize 8 flags f [ payload load 1b @ network header + 9 => reg 1 ] ] + [ cmp eq reg 1 0x00000001 ] + +# udp dport 6081 geneve udp sport 8888 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ meta load l4proto => reg 1 ] ] + [ cmp eq reg 1 0x00000011 ] + [ inner type 2 hdrsize 8 flags f [ payload load 2b @ transport header + 0 => reg 1 ] ] + [ cmp eq reg 1 0x0000b822 ] + +# udp dport 6081 geneve icmp type echo-reply +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ payload load 2b @ link header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 2 hdrsize 8 flags f [ meta load l4proto => reg 1 ] ] + [ cmp eq reg 1 0x00000001 ] + [ inner type 2 hdrsize 8 flags f [ payload load 1b @ transport header + 0 => reg 1 ] ] + [ cmp eq reg 1 0x00000000 ] + +# udp dport 6081 geneve ether saddr 62:87:4d:d6:19:05 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ payload load 6b @ link header + 6 => reg 1 ] ] + [ cmp eq reg 1 0xd64d8762 0x00000519 ] + +# udp dport 6081 geneve vlan id 10 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ payload load 2b @ link header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x00000081 ] + [ inner type 2 hdrsize 8 flags f [ payload load 2b @ link header + 14 => reg 1 ] ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000a00 ] + +# udp dport 6081 geneve ip dscp 0x02 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 2 hdrsize 8 flags f [ payload load 1b @ network header + 1 => reg 1 ] ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000008 ] + +# udp dport 6081 geneve ip saddr . geneve ip daddr { 1.2.3.4 . 4.3.2.1 } +__set%d test-ip4 3 size 1 +__set%d test-ip4 0 + element 04030201 01020304 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 2 hdrsize 8 flags f [ payload load 4b @ network header + 12 => reg 1 ] ] + [ inner type 2 hdrsize 8 flags f [ payload load 4b @ network header + 16 => reg 9 ] ] + [ lookup reg 1 set __set%d ] + diff --git a/tests/py/inet/gre.t b/tests/py/inet/gre.t new file mode 100644 index 00000000..a3e046a1 --- /dev/null +++ b/tests/py/inet/gre.t @@ -0,0 +1,22 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 + +*ip;test-ip4;input +*ip6;test-ip6;input +*inet;test-inet;input +*netdev;test-netdev;ingress,egress + +gre version 0;ok +gre ip saddr 10.141.11.2;ok +gre ip saddr 10.141.11.0/24;ok +gre ip protocol 1;ok +gre udp sport 8888;ok +gre icmp type echo-reply;ok +gre ether saddr 62:87:4d:d6:19:05;fail +gre vlan id 10;fail +gre ip dscp 0x02;ok +gre ip dscp 0x02;ok +gre ip saddr . gre ip daddr { 1.2.3.4 . 4.3.2.1 };ok + +gre ip saddr set 1.2.3.4;fail diff --git a/tests/py/inet/gre.t.json b/tests/py/inet/gre.t.json new file mode 100644 index 00000000..c4431764 --- /dev/null +++ b/tests/py/inet/gre.t.json @@ -0,0 +1,177 @@ +# gre version 0 +[ + { + "match": { + "left": { + "payload": { + "field": "version", + "protocol": "gre" + } + }, + "op": "==", + "right": 0 + } + } +] + +# gre ip saddr 10.141.11.2 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "gre" + } + }, + "op": "==", + "right": "10.141.11.2" + } + } +] + +# gre ip saddr 10.141.11.0/24 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "gre" + } + }, + "op": "==", + "right": { + "prefix": { + "addr": "10.141.11.0", + "len": 24 + } + } + } + } +] + +# gre ip protocol 1 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip", + "tunnel": "gre" + } + }, + "op": "==", + "right": 1 + } + } +] + +# gre udp sport 8888 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "udp", + "tunnel": "gre" + } + }, + "op": "==", + "right": 8888 + } + } +] + +# gre icmp type echo-reply +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp", + "tunnel": "gre" + } + }, + "op": "==", + "right": "echo-reply" + } + } +] + +# gre ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "gre" + } + }, + "op": "==", + "right": 2 + } + } +] + +# gre ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "gre" + } + }, + "op": "==", + "right": 2 + } + } +] + +# gre ip saddr . gre ip daddr { 1.2.3.4 . 4.3.2.1 } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "gre" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip", + "tunnel": "gre" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + "4.3.2.1" + ] + } + ] + } + } + } +] + diff --git a/tests/py/inet/gre.t.payload b/tests/py/inet/gre.t.payload new file mode 100644 index 00000000..333133ed --- /dev/null +++ b/tests/py/inet/gre.t.payload @@ -0,0 +1,78 @@ +# gre version 0 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ payload load 1b @ transport header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000007 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000000 ] + +# gre ip saddr 10.141.11.2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 3 hdrsize 4 flags c [ payload load 4b @ network header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x020b8d0a ] + +# gre ip saddr 10.141.11.0/24 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 3 hdrsize 4 flags c [ payload load 3b @ network header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x000b8d0a ] + +# gre ip protocol 1 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 3 hdrsize 4 flags c [ payload load 1b @ network header + 9 => reg 1 ] ] + [ cmp eq reg 1 0x00000001 ] + +# gre udp sport 8888 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 3 hdrsize 4 flags c [ meta load l4proto => reg 1 ] ] + [ cmp eq reg 1 0x00000011 ] + [ inner type 3 hdrsize 4 flags c [ payload load 2b @ transport header + 0 => reg 1 ] ] + [ cmp eq reg 1 0x0000b822 ] + +# gre icmp type echo-reply +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 3 hdrsize 4 flags c [ meta load l4proto => reg 1 ] ] + [ cmp eq reg 1 0x00000001 ] + [ inner type 3 hdrsize 4 flags c [ payload load 1b @ transport header + 0 => reg 1 ] ] + [ cmp eq reg 1 0x00000000 ] + +# gre ip dscp 0x02 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 3 hdrsize 4 flags c [ payload load 1b @ network header + 1 => reg 1 ] ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000008 ] + +# gre ip saddr . gre ip daddr { 1.2.3.4 . 4.3.2.1 } +__set%d test-ip4 3 size 1 +__set%d test-ip4 0 + element 04030201 01020304 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 3 hdrsize 4 flags c [ payload load 4b @ network header + 12 => reg 1 ] ] + [ inner type 3 hdrsize 4 flags c [ payload load 4b @ network header + 16 => reg 9 ] ] + [ lookup reg 1 set __set%d ] + diff --git a/tests/py/inet/gretap.t b/tests/py/inet/gretap.t new file mode 100644 index 00000000..cd7ee215 --- /dev/null +++ b/tests/py/inet/gretap.t @@ -0,0 +1,21 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 + +*ip;test-ip4;input +*ip6;test-ip6;input +*inet;test-inet;input +*netdev;test-netdev;ingress,egress + +gretap ip saddr 10.141.11.2;ok +gretap ip saddr 10.141.11.0/24;ok +gretap ip protocol 1;ok +gretap udp sport 8888;ok +gretap icmp type echo-reply;ok +gretap ether saddr 62:87:4d:d6:19:05;ok +gretap vlan id 10;ok +gretap ip dscp 0x02;ok +gretap ip dscp 0x02;ok +gretap ip saddr . gretap ip daddr { 1.2.3.4 . 4.3.2.1 };ok + +gretap ip saddr set 1.2.3.4;fail diff --git a/tests/py/inet/gretap.t.json b/tests/py/inet/gretap.t.json new file mode 100644 index 00000000..36fa9782 --- /dev/null +++ b/tests/py/inet/gretap.t.json @@ -0,0 +1,195 @@ +# gretap ip saddr 10.141.11.2 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "gretap" + } + }, + "op": "==", + "right": "10.141.11.2" + } + } +] + +# gretap ip saddr 10.141.11.0/24 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "gretap" + } + }, + "op": "==", + "right": { + "prefix": { + "addr": "10.141.11.0", + "len": 24 + } + } + } + } +] + +# gretap ip protocol 1 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip", + "tunnel": "gretap" + } + }, + "op": "==", + "right": 1 + } + } +] + +# gretap udp sport 8888 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "udp", + "tunnel": "gretap" + } + }, + "op": "==", + "right": 8888 + } + } +] + +# gretap icmp type echo-reply +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp", + "tunnel": "gretap" + } + }, + "op": "==", + "right": "echo-reply" + } + } +] + +# gretap ether saddr 62:87:4d:d6:19:05 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether", + "tunnel": "gretap" + } + }, + "op": "==", + "right": "62:87:4d:d6:19:05" + } + } +] + +# gretap vlan id 10 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan", + "tunnel": "gretap" + } + }, + "op": "==", + "right": 10 + } + } +] + +# gretap ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "gretap" + } + }, + "op": "==", + "right": 2 + } + } +] + +# gretap ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "gretap" + } + }, + "op": "==", + "right": 2 + } + } +] + +# gretap ip saddr . gretap ip daddr { 1.2.3.4 . 4.3.2.1 } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "gretap" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip", + "tunnel": "gretap" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + "4.3.2.1" + ] + } + ] + } + } + } +] + diff --git a/tests/py/inet/gretap.t.payload b/tests/py/inet/gretap.t.payload new file mode 100644 index 00000000..654c71e4 --- /dev/null +++ b/tests/py/inet/gretap.t.payload @@ -0,0 +1,87 @@ +# gretap ip saddr 10.141.11.2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 4 hdrsize 4 flags e [ payload load 4b @ network header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x020b8d0a ] + +# gretap ip saddr 10.141.11.0/24 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 4 hdrsize 4 flags e [ payload load 3b @ network header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x000b8d0a ] + +# gretap ip protocol 1 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 4 hdrsize 4 flags e [ payload load 1b @ network header + 9 => reg 1 ] ] + [ cmp eq reg 1 0x00000001 ] + +# gretap udp sport 8888 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ meta load l4proto => reg 1 ] ] + [ cmp eq reg 1 0x00000011 ] + [ inner type 4 hdrsize 4 flags e [ payload load 2b @ transport header + 0 => reg 1 ] ] + [ cmp eq reg 1 0x0000b822 ] + +# gretap icmp type echo-reply +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ payload load 2b @ link header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 4 hdrsize 4 flags e [ meta load l4proto => reg 1 ] ] + [ cmp eq reg 1 0x00000001 ] + [ inner type 4 hdrsize 4 flags e [ payload load 1b @ transport header + 0 => reg 1 ] ] + [ cmp eq reg 1 0x00000000 ] + +# gretap ether saddr 62:87:4d:d6:19:05 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ payload load 6b @ link header + 6 => reg 1 ] ] + [ cmp eq reg 1 0xd64d8762 0x00000519 ] + +# gretap vlan id 10 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ payload load 2b @ link header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x00000081 ] + [ inner type 4 hdrsize 4 flags e [ payload load 2b @ link header + 14 => reg 1 ] ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000a00 ] + +# gretap ip dscp 0x02 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 4 hdrsize 4 flags e [ payload load 1b @ network header + 1 => reg 1 ] ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000008 ] + +# gretap ip saddr . gretap ip daddr { 1.2.3.4 . 4.3.2.1 } +__set%d test-ip4 3 size 1 +__set%d test-ip4 0 + element 04030201 01020304 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 4 hdrsize 4 flags e [ payload load 4b @ network header + 12 => reg 1 ] ] + [ inner type 4 hdrsize 4 flags e [ payload load 4b @ network header + 16 => reg 9 ] ] + [ lookup reg 1 set __set%d ] + diff --git a/tests/py/inet/icmpX.t b/tests/py/inet/icmpX.t index 97ff96d0..9430b3d3 100644 --- a/tests/py/inet/icmpX.t +++ b/tests/py/inet/icmpX.t @@ -7,4 +7,4 @@ icmp type echo-request;ok ip6 nexthdr icmpv6 icmpv6 type echo-request;ok;ip6 nexthdr 58 icmpv6 type echo-request icmpv6 type echo-request;ok # must not remove 'ip protocol' dependency, this explicitly matches icmpv6-in-ipv4. -ip protocol ipv6-icmp meta l4proto ipv6-icmp icmpv6 type 1;ok;ip protocol 58 meta l4proto 58 icmpv6 type destination-unreachable +ip protocol ipv6-icmp meta l4proto ipv6-icmp icmpv6 type 1;ok;ip protocol 58 icmpv6 type destination-unreachable diff --git a/tests/py/inet/icmpX.t.json.output b/tests/py/inet/icmpX.t.json.output index 9b0bf9f7..7765cd90 100644 --- a/tests/py/inet/icmpX.t.json.output +++ b/tests/py/inet/icmpX.t.json.output @@ -71,15 +71,6 @@ { "match": { "left": { - "meta": { "key": "l4proto" } - }, - "op": "==", - "right": 58 - } - }, - { - "match": { - "left": { "payload": { "field": "type", "protocol": "icmpv6" diff --git a/tests/py/inet/ip.t b/tests/py/inet/ip.t index 86604a63..bdb3330c 100644 --- a/tests/py/inet/ip.t +++ b/tests/py/inet/ip.t @@ -1,11 +1,12 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *inet;test-inet;input *bridge;test-bridge;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress ip saddr . ip daddr . ether saddr { 1.1.1.1 . 2.2.2.2 . ca:fe:ca:fe:ca:fe };ok ip saddr vmap { 10.0.1.0-10.0.1.255 : accept, 10.0.1.1-10.0.2.255 : drop };fail -ip saddr vmap { 1.1.1.1-1.1.1.255 : accept, 1.1.1.0-1.1.2.1 : drop};fail +ip saddr vmap { 3.3.3.3-3.3.3.4 : accept, 1.1.1.1-1.1.1.255 : accept, 1.1.1.0-1.1.2.1 : drop};fail diff --git a/tests/py/inet/ip.t.payload.bridge b/tests/py/inet/ip.t.payload.bridge index a422ed76..57dbc9eb 100644 --- a/tests/py/inet/ip.t.payload.bridge +++ b/tests/py/inet/ip.t.payload.bridge @@ -3,7 +3,7 @@ __set%d test-bridge 3 __set%d test-bridge 0 element 01010101 02020202 fecafeca 0000feca : 0 [end] bridge test-bridge input - [ payload load 2b @ link header + 12 => reg 1 ] + [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 4b @ network header + 12 => reg 1 ] [ payload load 4b @ network header + 16 => reg 9 ] diff --git a/tests/py/inet/ip_tcp.t b/tests/py/inet/ip_tcp.t index f2a28ebd..03bafc09 100644 --- a/tests/py/inet/ip_tcp.t +++ b/tests/py/inet/ip_tcp.t @@ -1,15 +1,16 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *inet;test-inet;input *bridge;test-bridge;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress # must not remove ip dependency -- ONLY ipv4 packets should be matched ip protocol tcp tcp dport 22;ok;ip protocol 6 tcp dport 22 -# can remove it here, ip protocol is implied via saddr. -ip protocol tcp ip saddr 1.2.3.4 tcp dport 22;ok;ip saddr 1.2.3.4 tcp dport 22 +# could in principle remove it here since ipv4 is implied via saddr. +ip protocol tcp ip saddr 1.2.3.4 tcp dport 22;ok;ip protocol 6 ip saddr 1.2.3.4 tcp dport 22 # but not here. ip protocol tcp counter ip saddr 1.2.3.4 tcp dport 22;ok;ip protocol 6 counter ip saddr 1.2.3.4 tcp dport 22 diff --git a/tests/py/inet/ip_tcp.t.json.output b/tests/py/inet/ip_tcp.t.json.output index 4a6a05d7..acad8b1f 100644 --- a/tests/py/inet/ip_tcp.t.json.output +++ b/tests/py/inet/ip_tcp.t.json.output @@ -32,6 +32,18 @@ "match": { "left": { "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": 6 + } + }, + { + "match": { + "left": { + "payload": { "field": "saddr", "protocol": "ip" } diff --git a/tests/py/inet/ipsec.t b/tests/py/inet/ipsec.t index e924e9bc..b18df395 100644 --- a/tests/py/inet/ipsec.t +++ b/tests/py/inet/ipsec.t @@ -19,3 +19,5 @@ ipsec in ip6 daddr dead::beef;ok ipsec out ip6 saddr dead::feed;ok ipsec in spnum 256 reqid 1;fail + +counter ipsec out ip daddr 192.168.1.2;ok diff --git a/tests/py/inet/ipsec.t.json b/tests/py/inet/ipsec.t.json index d7d3a03c..18a64f35 100644 --- a/tests/py/inet/ipsec.t.json +++ b/tests/py/inet/ipsec.t.json @@ -134,3 +134,24 @@ } } ] + +# counter ipsec out ip daddr 192.168.1.2 +[ + { + "counter": null + }, + { + "match": { + "left": { + "ipsec": { + "dir": "out", + "family": "ip", + "key": "daddr", + "spnum": 0 + } + }, + "op": "==", + "right": "192.168.1.2" + } + } +] diff --git a/tests/py/inet/ipsec.t.payload b/tests/py/inet/ipsec.t.payload index c46a2263..9648255d 100644 --- a/tests/py/inet/ipsec.t.payload +++ b/tests/py/inet/ipsec.t.payload @@ -37,3 +37,9 @@ ip ipsec-ip4 ipsec-forw [ xfrm load out 0 saddr6 => reg 1 ] [ cmp eq reg 1 0x0000adde 0x00000000 0x00000000 0xedfe0000 ] +# counter ipsec out ip daddr 192.168.1.2 +ip ipsec-ip4 ipsec-forw + [ counter pkts 0 bytes 0 ] + [ xfrm load out 0 daddr4 => reg 1 ] + [ cmp eq reg 1 0x0201a8c0 ] + diff --git a/tests/py/inet/map.t b/tests/py/inet/map.t index e83490a8..5a7161b7 100644 --- a/tests/py/inet/map.t +++ b/tests/py/inet/map.t @@ -1,9 +1,10 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress mark set ip saddr map { 10.2.3.2 : 0x0000002a, 10.2.3.1 : 0x00000017};ok;meta mark set ip saddr map { 10.2.3.1 : 0x00000017, 10.2.3.2 : 0x0000002a} mark set ip hdrlength map { 5 : 0x00000017, 4 : 0x00000001};ok;meta mark set ip hdrlength map { 4 : 0x00000001, 5 : 0x00000017} diff --git a/tests/py/inet/meta.t b/tests/py/inet/meta.t index 3638898b..7d2515c9 100644 --- a/tests/py/inet/meta.t +++ b/tests/py/inet/meta.t @@ -12,8 +12,22 @@ meta nfproto ipv4 tcp dport 22;ok meta nfproto ipv4 ip saddr 1.2.3.4;ok;ip saddr 1.2.3.4 meta nfproto ipv6 meta l4proto tcp;ok;meta nfproto ipv6 meta l4proto 6 meta nfproto ipv4 counter ip saddr 1.2.3.4;ok + +meta protocol ip udp dport 67;ok +meta protocol ip6 udp dport 67;ok + meta ipsec exists;ok meta secpath missing;ok;meta ipsec missing meta ibrname "br0";fail meta obrname "br0";fail meta mark set ct mark >> 8;ok + +meta mark . tcp dport { 0x0000000a-0x00000014 . 80-90, 0x00100000-0x00100123 . 100-120 };ok +ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 0x00000200-0x00000300 };ok +ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 5.6.7.8 . 0x00000200 };ok +ip saddr . ether saddr . meta l4proto { 1.2.3.4 . aa:bb:cc:dd:ee:ff . 6 };ok + +meta mark set ip dscp;ok +meta mark set ip dscp | 0x40;ok +meta mark set ip6 dscp;ok +meta mark set ip6 dscp | 0x40;ok diff --git a/tests/py/inet/meta.t.json b/tests/py/inet/meta.t.json index 5c0e7d2e..0fee165f 100644 --- a/tests/py/inet/meta.t.json +++ b/tests/py/inet/meta.t.json @@ -235,3 +235,335 @@ } } ] + +# meta protocol ip udp dport 67 +[ + { + "match": { + "left": { + "meta": { + "key": "protocol" + } + }, + "op": "==", + "right": "ip" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 67 + } + } +] + +# meta protocol ip6 udp dport 67 +[ + { + "match": { + "left": { + "meta": { + "key": "protocol" + } + }, + "op": "==", + "right": "ip6" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 67 + } + } +] + +# meta mark . tcp dport { 0x0000000a-0x00000014 . 80-90, 0x00100000-0x00100123 . 100-120 } +[ + { + "match": { + "left": { + "concat": [ + { + "meta": { + "key": "mark" + } + }, + { + "payload": { + "field": "dport", + "protocol": "tcp" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + { + "range": [ + 10, + 20 + ] + }, + { + "range": [ + 80, + 90 + ] + } + ] + }, + { + "concat": [ + { + "range": [ + 1048576, + 1048867 + ] + }, + { + "range": [ + 100, + 120 + ] + } + ] + } + ] + } + } + } +] + +# ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 0x00000200-0x00000300 } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "meta": { + "key": "mark" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + 256 + ] + }, + { + "concat": [ + { + "range": [ + "1.2.3.6", + "1.2.3.8" + ] + }, + { + "range": [ + 512, + 768 + ] + } + ] + } + ] + } + } + } +] + +# ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 5.6.7.8 . 0x00000200 } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "meta": { + "key": "mark" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + 256 + ] + }, + { + "concat": [ + "5.6.7.8", + 512 + ] + } + ] + } + } + } +] + +# meta mark set ip dscp +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "payload": { + "field": "dscp", + "protocol": "ip" + } + } + } + } +] + +# meta mark set ip dscp | 0x40 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 64 + ] + } + } + } +] + +# meta mark set ip6 dscp +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + } + } + } +] + +# meta mark set ip6 dscp | 0x40 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 64 + ] + } + } + } +] + +# ip saddr . ether saddr . meta l4proto { 1.2.3.4 . aa:bb:cc:dd:ee:ff . 6 } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + { + "meta": { + "key": "l4proto" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + "aa:bb:cc:dd:ee:ff", + "tcp" + ] + } + ] + } + } + } +] + diff --git a/tests/py/inet/meta.t.json.output b/tests/py/inet/meta.t.json.output index 3e7dd214..8697d5a2 100644 --- a/tests/py/inet/meta.t.json.output +++ b/tests/py/inet/meta.t.json.output @@ -51,3 +51,44 @@ } ] +# ip saddr . ether saddr . meta l4proto { 1.2.3.4 . aa:bb:cc:dd:ee:ff . 6 } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + { + "meta": { + "key": "l4proto" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + "aa:bb:cc:dd:ee:ff", + 6 + ] + } + ] + } + } + } +] + diff --git a/tests/py/inet/meta.t.payload b/tests/py/inet/meta.t.payload index 6ccf6d24..7184fa0c 100644 --- a/tests/py/inet/meta.t.payload +++ b/tests/py/inet/meta.t.payload @@ -79,3 +79,111 @@ inet test-inet input [ ct load mark => reg 1 ] [ bitwise reg 1 = ( reg 1 >> 0x00000008 ) ] [ meta set mark with reg 1 ] + +# meta protocol ip udp dport 67 +inet test-inet input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00004300 ] + +# meta protocol ip6 udp dport 67 +inet test-inet input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00004300 ] + +# meta mark . tcp dport { 0x0000000a-0x00000014 . 80-90, 0x00100000-0x00100123 . 100-120 } +__set%d test-inet 87 size 1 +__set%d test-inet 0 + element 0a000000 00005000 - 14000000 00005a00 : 0 [end] element 00001000 00006400 - 23011000 00007800 : 0 [end] +ip test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ meta load mark => reg 1 ] + [ byteorder reg 1 = hton(reg 1, 4, 4) ] + [ payload load 2b @ transport header + 2 => reg 9 ] + [ lookup reg 1 set __set%d ] + +# ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 0x00000200-0x00000300 } +__set%d test-inet 87 size 2 +__set%d test-inet 0 + element 04030201 00010000 - 04030201 00010000 : 0 [end] element 06030201 00020000 - 08030201 00030000 : 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ meta load mark => reg 9 ] + [ byteorder reg 9 = hton(reg 9, 4, 4) ] + [ lookup reg 1 set __set%d ] + +# ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 5.6.7.8 . 0x00000200 } +__set%d test-inet 3 size 2 +__set%d test-inet 0 + element 04030201 00000100 : 0 [end] element 08070605 00000200 : 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ meta load mark => reg 9 ] + [ lookup reg 1 set __set%d ] + +# meta mark set ip dscp +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ meta set mark with reg 1 ] + +# meta mark set ip dscp | 0x40 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ] + [ meta set mark with reg 1 ] + +# meta mark set ip6 dscp +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ meta set mark with reg 1 ] + +# meta mark set ip6 dscp | 0x40 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ] + [ meta set mark with reg 1 ] + +# ip saddr . ether saddr . meta l4proto { 1.2.3.4 . aa:bb:cc:dd:ee:ff . 6 } +__set%d test-inet 3 size 1 +__set%d test-inet 0 + element 04030201 ddccbbaa 0000ffee 00000006 : 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 6b @ link header + 6 => reg 9 ] + [ meta load l4proto => reg 11 ] + [ lookup reg 1 set __set%d ] + diff --git a/tests/py/inet/payloadmerge.t b/tests/py/inet/payloadmerge.t new file mode 100644 index 00000000..04ba1ce6 --- /dev/null +++ b/tests/py/inet/payloadmerge.t @@ -0,0 +1,14 @@ +:input;type filter hook input priority 0 + +*ip;test-ip4;input +*ip6;test-ip6;input +*inet;test-inet;input + +tcp sport 1 tcp dport 2;ok +tcp sport != 1 tcp dport != 2;ok +tcp sport 1 tcp dport != 2;ok +tcp sport != 1 tcp dport 2;ok +meta l4proto != 6 th dport 2;ok +meta l4proto 6 tcp dport 22;ok;tcp dport 22 +tcp sport > 1 tcp dport > 2;ok +tcp sport 1 tcp dport > 2;ok diff --git a/tests/py/inet/payloadmerge.t.json b/tests/py/inet/payloadmerge.t.json new file mode 100644 index 00000000..e5b66cf9 --- /dev/null +++ b/tests/py/inet/payloadmerge.t.json @@ -0,0 +1,211 @@ +# tcp sport 1 tcp dport 2 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 2 + } + } +] + +# tcp sport != 1 tcp dport != 2 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": "!=", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "!=", + "right": 2 + } + } +] + +# tcp sport 1 tcp dport != 2 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "!=", + "right": 2 + } + } +] + +# tcp sport != 1 tcp dport 2 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": "!=", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 2 + } + } +] + +# meta l4proto != 6 th dport 2 +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "!=", + "right": 6 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "th" + } + }, + "op": "==", + "right": 2 + } + } +] + +# meta l4proto 6 tcp dport 22 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + } +] + +# tcp sport > 1 tcp dport > 2 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": ">", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": ">", + "right": 2 + } + } +] + +# tcp sport 1 tcp dport > 2 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": ">", + "right": 2 + } + } +] + diff --git a/tests/py/inet/payloadmerge.t.payload b/tests/py/inet/payloadmerge.t.payload new file mode 100644 index 00000000..a0465cdd --- /dev/null +++ b/tests/py/inet/payloadmerge.t.payload @@ -0,0 +1,66 @@ +# tcp sport 1 tcp dport 2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x02000100 ] + +# tcp sport != 1 tcp dport != 2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp neq reg 1 0x00000100 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp neq reg 1 0x00000200 ] + +# tcp sport 1 tcp dport != 2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp neq reg 1 0x00000200 ] + +# tcp sport != 1 tcp dport 2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp neq reg 1 0x00000100 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00000200 ] + +# meta l4proto != 6 th dport 2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp neq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00000200 ] + +# meta l4proto 6 tcp dport 22 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# tcp sport > 1 tcp dport > 2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp gt reg 1 0x00000100 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp gt reg 1 0x00000200 ] + +# tcp sport 1 tcp dport > 2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp gt reg 1 0x00000200 ] + diff --git a/tests/py/inet/reject.t b/tests/py/inet/reject.t index a9ecd2ea..61a6d556 100644 --- a/tests/py/inet/reject.t +++ b/tests/py/inet/reject.t @@ -2,37 +2,40 @@ *inet;test-inet;input -reject with icmp type host-unreachable;ok -reject with icmp type net-unreachable;ok -reject with icmp type prot-unreachable;ok -reject with icmp type port-unreachable;ok -reject with icmp type net-prohibited;ok -reject with icmp type host-prohibited;ok -reject with icmp type admin-prohibited;ok - -reject with icmpv6 type no-route;ok -reject with icmpv6 type admin-prohibited;ok -reject with icmpv6 type addr-unreachable;ok -reject with icmpv6 type port-unreachable;ok +reject with icmp host-unreachable;ok +reject with icmp net-unreachable;ok +reject with icmp prot-unreachable;ok +reject with icmp port-unreachable;ok +reject with icmp net-prohibited;ok +reject with icmp host-prohibited;ok +reject with icmp admin-prohibited;ok + +reject with icmpv6 no-route;ok +reject with icmpv6 admin-prohibited;ok +reject with icmpv6 addr-unreachable;ok +reject with icmpv6 port-unreachable;ok mark 12345 reject with tcp reset;ok;meta l4proto 6 meta mark 0x00003039 reject with tcp reset reject;ok -meta nfproto ipv4 reject;ok;reject with icmp type port-unreachable -meta nfproto ipv6 reject;ok;reject with icmpv6 type port-unreachable +meta nfproto ipv4 reject;ok;reject with icmp port-unreachable +meta nfproto ipv6 reject;ok;reject with icmpv6 port-unreachable -reject with icmpx type host-unreachable;ok -reject with icmpx type no-route;ok -reject with icmpx type admin-prohibited;ok -reject with icmpx type port-unreachable;ok;reject +reject with icmpx host-unreachable;ok +reject with icmpx no-route;ok +reject with icmpx admin-prohibited;ok +reject with icmpx port-unreachable;ok;reject +reject with icmpx 3;ok;reject with icmpx admin-prohibited -meta nfproto ipv4 reject with icmp type host-unreachable;ok;reject with icmp type host-unreachable -meta nfproto ipv6 reject with icmpv6 type no-route;ok;reject with icmpv6 type no-route +meta nfproto ipv4 reject with icmp host-unreachable;ok;reject with icmp host-unreachable +meta nfproto ipv6 reject with icmpv6 no-route;ok;reject with icmpv6 no-route -meta nfproto ipv6 reject with icmp type host-unreachable;fail -meta nfproto ipv4 ip protocol icmp reject with icmpv6 type no-route;fail -meta nfproto ipv6 ip protocol icmp reject with icmp type host-unreachable;fail +meta nfproto ipv6 reject with icmp host-unreachable;fail +meta nfproto ipv4 ip protocol icmp reject with icmpv6 no-route;fail +meta nfproto ipv6 ip protocol icmp reject with icmp host-unreachable;fail meta l4proto udp reject with tcp reset;fail -meta nfproto ipv4 reject with icmpx type admin-prohibited;ok -meta nfproto ipv6 reject with icmpx type admin-prohibited;ok +meta nfproto ipv4 reject with icmpx admin-prohibited;ok +meta nfproto ipv6 reject with icmpx admin-prohibited;ok + +ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject;ok;ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject with icmp port-unreachable diff --git a/tests/py/inet/reject.t.json b/tests/py/inet/reject.t.json index bfa94f84..02ac9007 100644 --- a/tests/py/inet/reject.t.json +++ b/tests/py/inet/reject.t.json @@ -1,4 +1,4 @@ -# reject with icmp type host-unreachable +# reject with icmp host-unreachable [ { "reject": { @@ -8,7 +8,7 @@ } ] -# reject with icmp type net-unreachable +# reject with icmp net-unreachable [ { "reject": { @@ -18,7 +18,7 @@ } ] -# reject with icmp type prot-unreachable +# reject with icmp prot-unreachable [ { "reject": { @@ -28,7 +28,7 @@ } ] -# reject with icmp type port-unreachable +# reject with icmp port-unreachable [ { "reject": { @@ -38,7 +38,7 @@ } ] -# reject with icmp type net-prohibited +# reject with icmp net-prohibited [ { "reject": { @@ -48,7 +48,7 @@ } ] -# reject with icmp type host-prohibited +# reject with icmp host-prohibited [ { "reject": { @@ -58,7 +58,7 @@ } ] -# reject with icmp type admin-prohibited +# reject with icmp admin-prohibited [ { "reject": { @@ -68,7 +68,7 @@ } ] -# reject with icmpv6 type no-route +# reject with icmpv6 no-route [ { "reject": { @@ -78,7 +78,7 @@ } ] -# reject with icmpv6 type admin-prohibited +# reject with icmpv6 admin-prohibited [ { "reject": { @@ -88,7 +88,7 @@ } ] -# reject with icmpv6 type addr-unreachable +# reject with icmpv6 addr-unreachable [ { "reject": { @@ -98,7 +98,7 @@ } ] -# reject with icmpv6 type port-unreachable +# reject with icmpv6 port-unreachable [ { "reject": { @@ -165,7 +165,7 @@ } ] -# reject with icmpx type host-unreachable +# reject with icmpx host-unreachable [ { "reject": { @@ -175,7 +175,7 @@ } ] -# reject with icmpx type no-route +# reject with icmpx no-route [ { "reject": { @@ -185,7 +185,7 @@ } ] -# reject with icmpx type admin-prohibited +# reject with icmpx admin-prohibited [ { "reject": { @@ -195,7 +195,7 @@ } ] -# reject with icmpx type port-unreachable +# reject with icmpx port-unreachable [ { "reject": { @@ -205,7 +205,17 @@ } ] -# meta nfproto ipv4 reject with icmp type host-unreachable +# reject with icmpx 3 +[ + { + "reject": { + "expr": "admin-prohibited", + "type": "icmpx" + } + } +] + +# meta nfproto ipv4 reject with icmp host-unreachable [ { "match": { @@ -224,7 +234,7 @@ } ] -# meta nfproto ipv6 reject with icmpv6 type no-route +# meta nfproto ipv6 reject with icmpv6 no-route [ { "match": { @@ -243,7 +253,7 @@ } ] -# meta nfproto ipv4 reject with icmpx type admin-prohibited +# meta nfproto ipv4 reject with icmpx admin-prohibited [ { "match": { @@ -264,7 +274,7 @@ } ] -# meta nfproto ipv6 reject with icmpx type admin-prohibited +# meta nfproto ipv6 reject with icmpx admin-prohibited [ { "match": { @@ -285,3 +295,37 @@ } ] +# ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + "op": "==", + "right": "aa:bb:cc:dd:ee:ff" + } + }, + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "192.168.0.1" + } + }, + { + "reject": { + "expr": "port-unreachable", + "type": "icmp" + } + } +] + diff --git a/tests/py/inet/reject.t.json.output b/tests/py/inet/reject.t.json.output index 043617a7..496ce557 100644 --- a/tests/py/inet/reject.t.json.output +++ b/tests/py/inet/reject.t.json.output @@ -55,7 +55,7 @@ } ] -# meta nfproto ipv4 reject with icmp type host-unreachable +# meta nfproto ipv4 reject with icmp host-unreachable [ { "reject": { @@ -65,7 +65,7 @@ } ] -# meta nfproto ipv6 reject with icmpv6 type no-route +# meta nfproto ipv6 reject with icmpv6 no-route [ { "reject": { diff --git a/tests/py/inet/reject.t.payload.inet b/tests/py/inet/reject.t.payload.inet index 3f220282..828cb839 100644 --- a/tests/py/inet/reject.t.payload.inet +++ b/tests/py/inet/reject.t.payload.inet @@ -1,64 +1,64 @@ -# reject with icmp type host-unreachable +# reject with icmp host-unreachable inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ reject type 0 code 1 ] -# reject with icmp type net-unreachable +# reject with icmp net-unreachable inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ reject type 0 code 0 ] -# reject with icmp type prot-unreachable +# reject with icmp prot-unreachable inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ reject type 0 code 2 ] -# reject with icmp type port-unreachable +# reject with icmp port-unreachable inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ reject type 0 code 3 ] -# reject with icmp type net-prohibited +# reject with icmp net-prohibited inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ reject type 0 code 9 ] -# reject with icmp type host-prohibited +# reject with icmp host-prohibited inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ reject type 0 code 10 ] -# reject with icmp type admin-prohibited +# reject with icmp admin-prohibited inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ reject type 0 code 13 ] -# reject with icmpv6 type no-route +# reject with icmpv6 no-route inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ reject type 0 code 0 ] -# reject with icmpv6 type admin-prohibited +# reject with icmpv6 admin-prohibited inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ reject type 0 code 1 ] -# reject with icmpv6 type addr-unreachable +# reject with icmpv6 addr-unreachable inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ reject type 0 code 3 ] -# reject with icmpv6 type port-unreachable +# reject with icmpv6 port-unreachable inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -88,43 +88,57 @@ inet test-inet input [ cmp eq reg 1 0x0000000a ] [ reject type 0 code 4 ] -# reject with icmpx type host-unreachable +# reject with icmpx host-unreachable inet test-inet input [ reject type 2 code 2 ] -# reject with icmpx type no-route +# reject with icmpx no-route inet test-inet input [ reject type 2 code 0 ] -# reject with icmpx type admin-prohibited +# reject with icmpx admin-prohibited inet test-inet input [ reject type 2 code 3 ] -# reject with icmpx type port-unreachable +# reject with icmpx port-unreachable inet test-inet input [ reject type 2 code 1 ] -# meta nfproto ipv4 reject with icmp type host-unreachable +# reject with icmpx 3 +inet test-inet input + [ reject type 2 code 3 ] + +# meta nfproto ipv4 reject with icmp host-unreachable inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ reject type 0 code 1 ] -# meta nfproto ipv6 reject with icmpv6 type no-route +# meta nfproto ipv6 reject with icmpv6 no-route inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ reject type 0 code 0 ] -# meta nfproto ipv4 reject with icmpx type admin-prohibited +# meta nfproto ipv4 reject with icmpx admin-prohibited inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ reject type 2 code 3 ] -# meta nfproto ipv6 reject with icmpx type admin-prohibited +# meta nfproto ipv6 reject with icmpx admin-prohibited inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] [ reject type 2 code 3 ] +# ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject +inet test-inet input + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 8b @ link header + 6 => reg 1 ] + [ cmp eq reg 1 0xddccbbaa 0x0008ffee ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x0100a8c0 ] + [ reject type 0 code 3 ] + diff --git a/tests/py/inet/sctp.t b/tests/py/inet/sctp.t index 5188b57e..016173b9 100644 --- a/tests/py/inet/sctp.t +++ b/tests/py/inet/sctp.t @@ -1,10 +1,11 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress sctp sport 23;ok sctp sport != 23;ok @@ -12,8 +13,6 @@ sctp sport 23-44;ok sctp sport != 23-44;ok sctp sport { 23, 24, 25};ok sctp sport != { 23, 24, 25};ok -sctp sport { 23-44};ok -sctp sport != { 23-44};ok sctp dport 23;ok sctp dport != 23;ok @@ -21,8 +20,6 @@ sctp dport 23-44;ok sctp dport != 23-44;ok sctp dport { 23, 24, 25};ok sctp dport != { 23, 24, 25};ok -sctp dport { 23-44};ok -sctp dport != { 23-44};ok sctp checksum 1111;ok sctp checksum != 11;ok @@ -30,8 +27,6 @@ sctp checksum 21-333;ok sctp checksum != 32-111;ok sctp checksum { 22, 33, 44};ok sctp checksum != { 22, 33, 44};ok -sctp checksum { 22-44};ok -sctp checksum != { 22-44};ok sctp vtag 22;ok sctp vtag != 233;ok @@ -39,5 +34,40 @@ sctp vtag 33-45;ok sctp vtag != 33-45;ok sctp vtag {33, 55, 67, 88};ok sctp vtag != {33, 55, 67, 88};ok -sctp vtag { 33-55};ok -sctp vtag != { 33-55};ok + +# assert all chunk types are recognized +sctp chunk data exists;ok +sctp chunk init exists;ok +sctp chunk init-ack exists;ok +sctp chunk sack exists;ok +sctp chunk heartbeat exists;ok +sctp chunk heartbeat-ack exists;ok +sctp chunk abort exists;ok +sctp chunk shutdown exists;ok +sctp chunk shutdown-ack exists;ok +sctp chunk error exists;ok +sctp chunk cookie-echo exists;ok +sctp chunk cookie-ack exists;ok +sctp chunk ecne exists;ok +sctp chunk cwr exists;ok +sctp chunk shutdown-complete exists;ok +sctp chunk asconf-ack exists;ok +sctp chunk forward-tsn exists;ok +sctp chunk asconf exists;ok + +# test common header fields in random chunk types +sctp chunk data type 0;ok +sctp chunk init flags 23;ok +sctp chunk init-ack length 42;ok + +# test one custom field in every applicable chunk type +sctp chunk data stream 1337;ok +sctp chunk init initial-tsn 5;ok +sctp chunk init-ack num-outbound-streams 3;ok +sctp chunk sack a-rwnd 1;ok +sctp chunk shutdown cum-tsn-ack 65535;ok +sctp chunk ecne lowest-tsn 5;ok +sctp chunk cwr lowest-tsn 8;ok +sctp chunk asconf-ack seqno 12345;ok +sctp chunk forward-tsn new-cum-tsn 31337;ok +sctp chunk asconf seqno 12345;ok diff --git a/tests/py/inet/sctp.t.json b/tests/py/inet/sctp.t.json index 2684b034..75a9b01c 100644 --- a/tests/py/inet/sctp.t.json +++ b/tests/py/inet/sctp.t.json @@ -110,46 +110,6 @@ } ] -# sctp sport { 23-44} -[ - { - "match": { - "left": { - "payload": { - "field": "sport", - "protocol": "sctp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 23, 44 ] } - ] - } - } - } -] - -# sctp sport != { 23-44} -[ - { - "match": { - "left": { - "payload": { - "field": "sport", - "protocol": "sctp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 23, 44 ] } - ] - } - } - } -] - # sctp dport 23 [ { @@ -262,46 +222,6 @@ } ] -# sctp dport { 23-44} -[ - { - "match": { - "left": { - "payload": { - "field": "dport", - "protocol": "sctp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 23, 44 ] } - ] - } - } - } -] - -# sctp dport != { 23-44} -[ - { - "match": { - "left": { - "payload": { - "field": "dport", - "protocol": "sctp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 23, 44 ] } - ] - } - } - } -] - # sctp checksum 1111 [ { @@ -414,46 +334,6 @@ } ] -# sctp checksum { 22-44} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "sctp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 22, 44 ] } - ] - } - } - } -] - -# sctp checksum != { 22-44} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "sctp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 22, 44 ] } - ] - } - } - } -] - # sctp vtag 22 [ { @@ -568,42 +448,480 @@ } ] -# sctp vtag { 33-55} +# sctp chunk data exists [ { "match": { "left": { - "payload": { - "field": "vtag", - "protocol": "sctp" + "sctp chunk": { + "name": "data" } }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } + "op": "==", + "right": true } } ] -# sctp vtag != { 33-55} +# sctp chunk init exists [ { "match": { "left": { - "payload": { - "field": "vtag", - "protocol": "sctp" + "sctp chunk": { + "name": "init" } }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } + "op": "==", + "right": true + } + } +] + +# sctp chunk init-ack exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "init-ack" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk sack exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "sack" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk heartbeat exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "heartbeat" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk heartbeat-ack exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "heartbeat-ack" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk abort exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "abort" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk shutdown exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "shutdown" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk shutdown-ack exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "shutdown-ack" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk error exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "error" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk cookie-echo exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "cookie-echo" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk cookie-ack exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "cookie-ack" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk ecne exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "ecne" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk cwr exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "cwr" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk shutdown-complete exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "shutdown-complete" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk asconf-ack exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "asconf-ack" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk forward-tsn exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "forward-tsn" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk asconf exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "asconf" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk data type 0 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "type", + "name": "data" + } + }, + "op": "==", + "right": 0 + } + } +] + +# sctp chunk init flags 23 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "flags", + "name": "init" + } + }, + "op": "==", + "right": 23 + } + } +] + +# sctp chunk init-ack length 42 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "length", + "name": "init-ack" + } + }, + "op": "==", + "right": 42 + } + } +] + +# sctp chunk data stream 1337 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "stream", + "name": "data" + } + }, + "op": "==", + "right": 1337 + } + } +] + +# sctp chunk init initial-tsn 5 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "initial-tsn", + "name": "init" + } + }, + "op": "==", + "right": 5 + } + } +] + +# sctp chunk init-ack num-outbound-streams 3 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "num-outbound-streams", + "name": "init-ack" + } + }, + "op": "==", + "right": 3 + } + } +] + +# sctp chunk sack a-rwnd 1 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "a-rwnd", + "name": "sack" + } + }, + "op": "==", + "right": 1 + } + } +] + +# sctp chunk shutdown cum-tsn-ack 65535 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "cum-tsn-ack", + "name": "shutdown" + } + }, + "op": "==", + "right": 65535 + } + } +] + +# sctp chunk ecne lowest-tsn 5 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "lowest-tsn", + "name": "ecne" + } + }, + "op": "==", + "right": 5 + } + } +] + +# sctp chunk cwr lowest-tsn 8 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "lowest-tsn", + "name": "cwr" + } + }, + "op": "==", + "right": 8 + } + } +] + +# sctp chunk asconf-ack seqno 12345 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "seqno", + "name": "asconf-ack" + } + }, + "op": "==", + "right": 12345 + } + } +] + +# sctp chunk forward-tsn new-cum-tsn 31337 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "new-cum-tsn", + "name": "forward-tsn" + } + }, + "op": "==", + "right": 31337 + } + } +] + +# sctp chunk asconf seqno 12345 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "seqno", + "name": "asconf" + } + }, + "op": "==", + "right": 12345 } } ] diff --git a/tests/py/inet/sctp.t.payload b/tests/py/inet/sctp.t.payload index ecfcc725..7337e2ea 100644 --- a/tests/py/inet/sctp.t.payload +++ b/tests/py/inet/sctp.t.payload @@ -47,26 +47,6 @@ inet test-inet input [ payload load 2b @ transport header + 0 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# sctp sport { 23-44} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00001700 : 0 [end] element 00002d00 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# sctp sport != { 23-44} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00001700 : 0 [end] element 00002d00 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # sctp dport 23 inet test-inet input [ meta load l4proto => reg 1 ] @@ -116,26 +96,6 @@ inet test-inet input [ payload load 2b @ transport header + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# sctp dport { 23-44} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00001700 : 0 [end] element 00002d00 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# sctp dport != { 23-44} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00001700 : 0 [end] element 00002d00 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # sctp checksum 1111 inet test-inet input [ meta load l4proto => reg 1 ] @@ -185,26 +145,6 @@ inet test-inet input [ payload load 4b @ transport header + 8 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# sctp checksum { 22-44} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 16000000 : 0 [end] element 2d000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 4b @ transport header + 8 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# sctp checksum != { 22-44} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 16000000 : 0 [end] element 2d000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 4b @ transport header + 8 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # sctp vtag 22 inet test-inet input [ meta load l4proto => reg 1 ] @@ -254,23 +194,158 @@ inet test-inet input [ payload load 4b @ transport header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# sctp vtag { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 4b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# sctp vtag != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000084 ] - [ payload load 4b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] +# sctp chunk data exists +ip + [ exthdr load 1b @ 0 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk init exists +ip + [ exthdr load 1b @ 1 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk init-ack exists +ip + [ exthdr load 1b @ 2 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk sack exists +ip + [ exthdr load 1b @ 3 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk heartbeat exists +ip + [ exthdr load 1b @ 4 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk heartbeat-ack exists +ip + [ exthdr load 1b @ 5 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk abort exists +ip + [ exthdr load 1b @ 6 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk shutdown exists +ip + [ exthdr load 1b @ 7 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk shutdown-ack exists +ip + [ exthdr load 1b @ 8 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk error exists +ip + [ exthdr load 1b @ 9 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk cookie-echo exists +ip + [ exthdr load 1b @ 10 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk cookie-ack exists +ip + [ exthdr load 1b @ 11 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk ecne exists +ip + [ exthdr load 1b @ 12 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk cwr exists +ip + [ exthdr load 1b @ 13 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk shutdown-complete exists +ip + [ exthdr load 1b @ 14 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk asconf-ack exists +ip + [ exthdr load 1b @ 128 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk forward-tsn exists +ip + [ exthdr load 1b @ 192 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk asconf exists +ip + [ exthdr load 1b @ 193 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk data type 0 +ip + [ exthdr load 1b @ 0 + 0 => reg 1 ] + [ cmp eq reg 1 0x00000000 ] + +# sctp chunk init flags 23 +ip + [ exthdr load 1b @ 1 + 1 => reg 1 ] + [ cmp eq reg 1 0x00000017 ] + +# sctp chunk init-ack length 42 +ip + [ exthdr load 2b @ 2 + 2 => reg 1 ] + [ cmp eq reg 1 0x00002a00 ] + +# sctp chunk data stream 1337 +ip + [ exthdr load 2b @ 0 + 8 => reg 1 ] + [ cmp eq reg 1 0x00003905 ] + +# sctp chunk init initial-tsn 5 +ip + [ exthdr load 4b @ 1 + 16 => reg 1 ] + [ cmp eq reg 1 0x05000000 ] + +# sctp chunk init-ack num-outbound-streams 3 +ip + [ exthdr load 2b @ 2 + 12 => reg 1 ] + [ cmp eq reg 1 0x00000300 ] + +# sctp chunk sack a-rwnd 1 +ip + [ exthdr load 4b @ 3 + 8 => reg 1 ] + [ cmp eq reg 1 0x01000000 ] + +# sctp chunk shutdown cum-tsn-ack 65535 +ip + [ exthdr load 4b @ 7 + 4 => reg 1 ] + [ cmp eq reg 1 0xffff0000 ] + +# sctp chunk ecne lowest-tsn 5 +ip + [ exthdr load 4b @ 12 + 4 => reg 1 ] + [ cmp eq reg 1 0x05000000 ] + +# sctp chunk cwr lowest-tsn 8 +ip + [ exthdr load 4b @ 13 + 4 => reg 1 ] + [ cmp eq reg 1 0x08000000 ] + +# sctp chunk asconf-ack seqno 12345 +ip + [ exthdr load 4b @ 128 + 4 => reg 1 ] + [ cmp eq reg 1 0x39300000 ] + +# sctp chunk forward-tsn new-cum-tsn 31337 +ip + [ exthdr load 4b @ 192 + 4 => reg 1 ] + [ cmp eq reg 1 0x697a0000 ] + +# sctp chunk asconf seqno 12345 +ip + [ exthdr load 4b @ 193 + 4 => reg 1 ] + [ cmp eq reg 1 0x39300000 ] diff --git a/tests/py/inet/sets.t b/tests/py/inet/sets.t index 1c6f3235..5b22e1fe 100644 --- a/tests/py/inet/sets.t +++ b/tests/py/inet/sets.t @@ -1,9 +1,10 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *inet;test-inet;input *bridge;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress !set1 type ipv4_addr timeout 60s;ok ?set1 192.168.3.4 timeout 30s, 10.2.1.1;ok diff --git a/tests/py/inet/sets.t.json b/tests/py/inet/sets.t.json index ef0cedca..b44ffc20 100644 --- a/tests/py/inet/sets.t.json +++ b/tests/py/inet/sets.t.json @@ -76,17 +76,6 @@ { "match": { "left": { - "meta": { - "key": "nfproto" - } - }, - "op": "==", - "right": "ipv4" - } - }, - { - "match": { - "left": { "concat": [ { "payload": { diff --git a/tests/py/inet/sets.t.payload.netdev b/tests/py/inet/sets.t.payload.netdev index 9d6f6bbd..e31aeb92 100644 --- a/tests/py/inet/sets.t.payload.netdev +++ b/tests/py/inet/sets.t.payload.netdev @@ -15,9 +15,9 @@ netdev test-netdev ingress [ immediate reg 0 accept ] # ip saddr . ip daddr . tcp dport @set3 accept -inet - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 4b @ network header + 12 => reg 1 ] diff --git a/tests/py/inet/snat.t.payload b/tests/py/inet/snat.t.payload index 00bb937f..50519c6b 100644 --- a/tests/py/inet/snat.t.payload +++ b/tests/py/inet/snat.t.payload @@ -7,7 +7,7 @@ inet test-inet postrouting [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x00005100 ] [ immediate reg 1 0x0203a8c0 ] - [ nat snat ip addr_min reg 1 addr_max reg 0 ] + [ nat snat ip addr_min reg 1 ] # iifname "eth0" tcp dport 81 ip saddr 10.1.1.1 snat to 192.168.3.2 inet test-inet postrouting @@ -22,7 +22,7 @@ inet test-inet postrouting [ payload load 4b @ network header + 12 => reg 1 ] [ cmp eq reg 1 0x0101010a ] [ immediate reg 1 0x0203a8c0 ] - [ nat snat ip addr_min reg 1 addr_max reg 0 ] + [ nat snat ip addr_min reg 1 ] # iifname "eth0" tcp dport 81 snat ip6 to dead::beef inet test-inet postrouting @@ -33,7 +33,7 @@ inet test-inet postrouting [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x00005100 ] [ immediate reg 1 0x0000adde 0x00000000 0x00000000 0xefbe0000 ] - [ nat snat ip6 addr_min reg 1 addr_max reg 0 ] + [ nat snat ip6 addr_min reg 1 ] # iifname "foo" masquerade random inet test-inet postrouting diff --git a/tests/py/inet/tcp.t b/tests/py/inet/tcp.t index 29f06f5a..f4bdac17 100644 --- a/tests/py/inet/tcp.t +++ b/tests/py/inet/tcp.t @@ -1,10 +1,11 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress tcp dport set {1, 2, 3};fail @@ -14,8 +15,6 @@ tcp dport 33-45;ok tcp dport != 33-45;ok tcp dport { 33, 55, 67, 88};ok tcp dport != { 33, 55, 67, 88};ok -tcp dport { 33-55};ok -tcp dport != { 33-55};ok tcp dport {telnet, http, https} accept;ok;tcp dport { 443, 23, 80} accept tcp dport vmap { 22 : accept, 23 : drop };ok tcp dport vmap { 25:accept, 28:drop };ok @@ -30,8 +29,6 @@ tcp sport 33-45;ok tcp sport != 33-45;ok tcp sport { 33, 55, 67, 88};ok tcp sport != { 33, 55, 67, 88};ok -tcp sport { 33-55};ok -tcp sport != { 33-55};ok tcp sport vmap { 25:accept, 28:drop };ok tcp sport 8080 drop;ok @@ -47,8 +44,6 @@ tcp sequence 33-45;ok tcp sequence != 33-45;ok tcp sequence { 33, 55, 67, 88};ok tcp sequence != { 33, 55, 67, 88};ok -tcp sequence { 33-55};ok -tcp sequence != { 33-55};ok tcp ackseq 42949672 drop;ok tcp ackseq 22;ok @@ -57,8 +52,6 @@ tcp ackseq 33-45;ok tcp ackseq != 33-45;ok tcp ackseq { 33, 55, 67, 88};ok tcp ackseq != { 33, 55, 67, 88};ok -tcp ackseq { 33-55};ok -tcp ackseq != { 33-55};ok - tcp doff 22;ok - tcp doff != 233;ok @@ -66,8 +59,6 @@ tcp ackseq != { 33-55};ok - tcp doff != 33-45;ok - tcp doff { 33, 55, 67, 88};ok - tcp doff != { 33, 55, 67, 88};ok -- tcp doff { 33-55};ok -- tcp doff != { 33-55};ok # BUG reserved # BUG: It is accepted but it is not shown then. tcp reserver @@ -77,10 +68,26 @@ tcp flags != { fin, urg, ecn, cwr} drop;ok tcp flags cwr;ok tcp flags != cwr;ok tcp flags == syn;ok -tcp flags & (syn|fin) == (syn|fin);ok;tcp flags & (fin | syn) == fin | syn +tcp flags fin,syn / fin,syn;ok;tcp flags & (fin | syn) == fin | syn +tcp flags != syn / fin,syn;ok;tcp flags & (fin | syn) != syn +tcp flags & syn != 0;ok;tcp flags syn +tcp flags & syn == 0;ok;tcp flags ! syn +tcp flags & (syn | ack) != 0;ok;tcp flags syn,ack +tcp flags & (syn | ack) == 0;ok;tcp flags ! syn,ack +# it should be possible to transform this to: tcp flags syn +tcp flags & syn == syn;ok +tcp flags & syn != syn;ok +tcp flags & (fin | syn | rst | ack) syn;ok;tcp flags & (fin | syn | rst | ack) == syn +tcp flags & (fin | syn | rst | ack) == syn;ok +tcp flags & (fin | syn | rst | ack) != syn;ok +tcp flags & (fin | syn | rst | ack) == syn | ack;ok +tcp flags & (fin | syn | rst | ack) != syn | ack;ok +tcp flags & (syn | ack) == syn | ack;ok tcp flags & (fin | syn | rst | psh | ack | urg | ecn | cwr) == fin | syn | rst | psh | ack | urg | ecn | cwr;ok;tcp flags == 0xff tcp flags { syn, syn | ack };ok tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack };ok +tcp flags ! fin,rst;ok +tcp flags & (fin | syn | rst | ack) ! syn;fail tcp window 22222;ok tcp window 22;ok @@ -89,8 +96,6 @@ tcp window 33-45;ok tcp window != 33-45;ok tcp window { 33, 55, 67, 88};ok tcp window != { 33, 55, 67, 88};ok -tcp window { 33-55};ok -tcp window != { 33-55};ok tcp checksum 22;ok tcp checksum != 233;ok @@ -98,8 +103,6 @@ tcp checksum 33-45;ok tcp checksum != 33-45;ok tcp checksum { 33, 55, 67, 88};ok tcp checksum != { 33, 55, 67, 88};ok -tcp checksum { 33-55};ok -tcp checksum != { 33-55};ok tcp urgptr 1234 accept;ok tcp urgptr 22;ok @@ -108,7 +111,5 @@ tcp urgptr 33-45;ok tcp urgptr != 33-45;ok tcp urgptr { 33, 55, 67, 88};ok tcp urgptr != { 33, 55, 67, 88};ok -tcp urgptr { 33-55};ok -tcp urgptr != { 33-55};ok tcp doff 8;ok diff --git a/tests/py/inet/tcp.t.json b/tests/py/inet/tcp.t.json index 70225182..28dd4341 100644 --- a/tests/py/inet/tcp.t.json +++ b/tests/py/inet/tcp.t.json @@ -112,46 +112,6 @@ } ] -# tcp dport { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "dport", - "protocol": "tcp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# tcp dport != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "dport", - "protocol": "tcp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # tcp dport {telnet, http, https} accept [ { @@ -397,46 +357,6 @@ } ] -# tcp sport { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "sport", - "protocol": "tcp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# tcp sport != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "sport", - "protocol": "tcp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # tcp sport vmap { 25:accept, 28:drop } [ { @@ -753,46 +673,6 @@ } ] -# tcp sequence { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "sequence", - "protocol": "tcp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# tcp sequence != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "sequence", - "protocol": "tcp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # tcp ackseq 42949672 drop [ { @@ -926,46 +806,6 @@ } ] -# tcp ackseq { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "ackseq", - "protocol": "tcp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# tcp ackseq != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "ackseq", - "protocol": "tcp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr} drop [ { @@ -1114,12 +954,12 @@ } }, { - "|": [ "fin", { "|": [ "syn", { "|": [ "rst", { "|": [ "psh", { "|": [ "ack", { "|": [ "urg", { "|": [ "ecn", "cwr" ] } ] } ] } ] } ] } ] } ] + "|": [ "fin", "syn", "rst", "psh", "ack", "urg", "ecn", "cwr" ] } ] }, "op": "==", - "right": { "|": [ "fin", { "|": [ "syn", { "|": [ "rst", { "|": [ "psh", { "|": [ "ack", { "|": [ "urg", { "|": [ "ecn", "cwr" ] } ] } ] } ] } ] } ] } ] } + "right": { "|": [ "fin", "syn", "rst", "psh", "ack", "urg", "ecn", "cwr" ] } } } ] @@ -1254,46 +1094,6 @@ } ] -# tcp window { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "window", - "protocol": "tcp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# tcp window != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "window", - "protocol": "tcp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # tcp checksum 22 [ { @@ -1408,46 +1208,6 @@ } ] -# tcp checksum { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "tcp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# tcp checksum != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "tcp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # tcp urgptr 1234 accept [ { @@ -1581,63 +1341,169 @@ } ] -# tcp urgptr { 33-55} +# tcp doff 8 [ { "match": { "left": { "payload": { - "field": "urgptr", + "field": "doff", "protocol": "tcp" } }, "op": "==", + "right": 8 + } + } +] + +# tcp flags { syn, syn | ack } +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + "op": "==", "right": { "set": [ - { "range": [ 33, 55 ] } + "syn", + { + "|": [ + "syn", + "ack" + ] + } ] } } } ] -# tcp urgptr != { 33-55} +# tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack } [ { "match": { "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { "|": [ "fin", "syn", "rst", "psh", "ack", "urg" ] } + ] + }, + "op": "==", + "right": { + "set": [ + "fin", + "ack", + { "|": [ "psh", "ack" ] }, + { "|": [ "fin", "psh", "ack" ] } + ] + } + } + } +] + +# tcp flags ! fin,rst +[ + { + "match": { + "op": "!", + "left": { "payload": { - "field": "urgptr", - "protocol": "tcp" + "protocol": "tcp", + "field": "flags" } }, - "op": "!=", + "right": [ + "fin", + "rst" + ] + } + } +] + +# tcp flags fin,syn / fin,syn +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { + "|": [ + "fin", + "syn" + ] + } + ] + }, + "op": "==", "right": { - "set": [ - { "range": [ 33, 55 ] } + "|": [ + "fin", + "syn" ] } } } ] -# tcp doff 8 +# tcp flags != syn / fin,syn +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { + "|": [ + "fin", + "syn" + ] + } + ] + }, + "op": "!=", + "right": "syn" + } + } +] + +# tcp flags & syn == 0 [ { "match": { "left": { "payload": { - "field": "doff", + "field": "flags", "protocol": "tcp" } }, - "op": "==", - "right": 8 + "op": "!", + "right": "syn" } } ] -# tcp flags { syn, syn | ack } +# tcp flags & syn != 0 [ { "match": { @@ -1647,23 +1513,121 @@ "protocol": "tcp" } }, + "op": "in", + "right": "syn" + } + } +] + +# tcp flags & (syn | ack) != 0 +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + "op": "in", + "right": [ + "syn", + "ack" + ] + } + } +] + +# tcp flags & (syn | ack) == 0 +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + "op": "!", + "right": [ + "syn", + "ack" + ] + } + } +] + +# tcp flags & syn == syn +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + "syn" + ] + }, "op": "==", - "right": { - "set": [ + "right": "syn" + } + } +] + +# tcp flags & syn != syn +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + "syn" + ] + }, + "op": "!=", + "right": "syn" + } + } +] + +# tcp flags & (fin | syn | rst | ack) syn +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, { "|": [ + "fin", "syn", + "rst", "ack" ] - }, - "syn" + } ] - } + }, + "op": "==", + "right": "syn" } } ] -# tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack } +# tcp flags & (fin | syn | rst | ack) == syn [ { "match": { @@ -1677,56 +1641,136 @@ }, { "|": [ - { - "|": [ - { - "|": [ - { - "|": [ - { - "|": [ - "fin", - "syn" - ] - }, - "rst" - ] - }, - "psh" - ] - }, - "ack" - ] - }, - "urg" + "fin", + "syn", + "rst", + "ack" ] } ] }, "op": "==", - "right": { - "set": [ + "right": "syn" + } + } +] + + +# tcp flags & (fin | syn | rst | ack) != syn +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { + "|": [ + "fin", + "syn", + "rst", + "ack" + ] + } + ] + }, + "op": "!=", + "right": "syn" + } + } +] + +# tcp flags & (fin | syn | rst | ack) == syn | ack +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, { "|": [ - { - "|": [ - "fin", - "psh" - ] - }, + "fin", + "syn", + "rst", "ack" ] + } + ] + }, + "op": "==", + "right": { + "|": [ + "syn", + "ack" + ] + } + } + } +] + +# tcp flags & (syn | ack) == syn | ack +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } }, - "fin", { "|": [ - "psh", + "syn", "ack" ] + } + ] + }, + "op": "==", + "right": { + "|": [ + "syn", + "ack" + ] + } + } + } +] + +# tcp flags & (fin | syn | rst | ack) != syn | ack +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } }, + { "|": [ "fin", "syn", "rst", "ack" ] } + ] + }, + "op": "!=", + "right": { + "|": [ + "syn", "ack" ] } } } ] + diff --git a/tests/py/inet/tcp.t.json.output b/tests/py/inet/tcp.t.json.output index c471e8d8..d487a8f1 100644 --- a/tests/py/inet/tcp.t.json.output +++ b/tests/py/inet/tcp.t.json.output @@ -115,32 +115,6 @@ } ] -# tcp flags { syn, syn | ack } -[ - { - "match": { - "left": { - "payload": { - "field": "flags", - "protocol": "tcp" - } - }, - "op": "==", - "right": { - "set": [ - "syn", - { - "|": [ - "syn", - "ack" - ] - } - ] - } - } - } -] - # tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack } [ { @@ -155,27 +129,11 @@ }, { "|": [ - { - "|": [ - { - "|": [ - { - "|": [ - { - "|": [ - "fin", - "syn" - ] - }, - "rst" - ] - }, - "psh" - ] - }, - "ack" - ] - }, + "fin", + "syn", + "rst", + "psh", + "ack", "urg" ] } @@ -187,12 +145,8 @@ "fin", { "|": [ - { - "|": [ - "fin", - "psh" - ] - }, + "fin", + "psh", "ack" ] }, diff --git a/tests/py/inet/tcp.t.payload b/tests/py/inet/tcp.t.payload index 3b7a4468..bc6bb989 100644 --- a/tests/py/inet/tcp.t.payload +++ b/tests/py/inet/tcp.t.payload @@ -47,26 +47,6 @@ inet test-inet input [ payload load 2b @ transport header + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# tcp dport { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# tcp dport != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # tcp dport {telnet, http, https} accept __set%d test-inet 3 __set%d test-inet 0 @@ -81,7 +61,7 @@ inet test-inet input # tcp dport vmap { 22 : accept, 23 : drop } __map%d test-inet b __map%d test-inet 0 - element 00001600 : 0 [end] element 00001700 : 0 [end] + element 00001600 : accept 0 [end] element 00001700 : drop 0 [end] inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] @@ -91,7 +71,7 @@ inet test-inet input # tcp dport vmap { 25:accept, 28:drop } __map%d test-inet b __map%d test-inet 0 - element 00001900 : 0 [end] element 00001c00 : 0 [end] + element 00001900 : accept 0 [end] element 00001c00 : drop 0 [end] inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] @@ -167,30 +147,10 @@ inet test-inet input [ payload load 2b @ transport header + 0 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# tcp sport { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# tcp sport != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # tcp sport vmap { 25:accept, 28:drop } __map%d test-inet b __map%d test-inet 0 - element 00001900 : 0 [end] element 00001c00 : 0 [end] + element 00001900 : accept 0 [end] element 00001c00 : drop 0 [end] inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] @@ -293,26 +253,6 @@ inet test-inet input [ payload load 4b @ transport header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# tcp sequence { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 4b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# tcp sequence != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 4b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # tcp ackseq 42949672 drop inet test-inet input [ meta load l4proto => reg 1 ] @@ -370,26 +310,6 @@ inet test-inet input [ payload load 4b @ transport header + 8 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# tcp ackseq { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 4b @ transport header + 8 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# tcp ackseq != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 4b @ transport header + 8 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr} drop __set%d test-inet 3 __set%d test-inet 0 @@ -434,7 +354,7 @@ inet test-inet input [ payload load 1b @ transport header + 13 => reg 1 ] [ cmp eq reg 1 0x00000002 ] -# tcp flags & (syn|fin) == (syn|fin) +# tcp flags fin,syn / fin,syn inet test-inet input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] @@ -442,6 +362,110 @@ inet test-inet input [ bitwise reg 1 = ( reg 1 & 0x00000003 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000003 ] +# tcp flags != syn / fin,syn +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000003 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000002 ] + +# tcp flags & syn != 0 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# tcp flags & syn == 0 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000000 ] + +# tcp flags & (syn | ack) != 0 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000012 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# tcp flags & (syn | ack) == 0 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000012 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000000 ] + +# tcp flags & syn == syn +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000002 ] + +# tcp flags & syn != syn +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000002 ] + +# tcp flags & (fin | syn | rst | ack) syn +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000002 ] + +# tcp flags & (fin | syn | rst | ack) == syn +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000002 ] + +# tcp flags & (fin | syn | rst | ack) != syn +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000002 ] + +# tcp flags & (fin | syn | rst | ack) == syn | ack +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000012 ] + +# tcp flags & (fin | syn | rst | ack) != syn | ack +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000012 ] + +# tcp flags & (syn | ack) == syn | ack +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000012 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000012 ] + # tcp flags & (fin | syn | rst | psh | ack | urg | ecn | cwr) == fin | syn | rst | psh | ack | urg | ecn | cwr inet test-inet input [ meta load l4proto => reg 1 ] @@ -506,26 +530,6 @@ inet test-inet input [ payload load 2b @ transport header + 14 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# tcp window { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 14 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# tcp window != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 14 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # tcp checksum 22 inet test-inet input [ meta load l4proto => reg 1 ] @@ -575,26 +579,6 @@ inet test-inet input [ payload load 2b @ transport header + 16 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# tcp checksum { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 16 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# tcp checksum != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 16 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # tcp urgptr 1234 accept inet test-inet input [ meta load l4proto => reg 1 ] @@ -652,26 +636,6 @@ inet test-inet input [ payload load 2b @ transport header + 18 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# tcp urgptr { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 18 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# tcp urgptr != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000006 ] - [ payload load 2b @ transport header + 18 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # tcp doff 8 inet test-inet input [ meta load l4proto => reg 1 ] @@ -701,3 +665,10 @@ inet [ payload load 1b @ transport header + 13 => reg 1 ] [ lookup reg 1 set __set%d ] +# tcp flags ! fin,rst +inet + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000005 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000000 ] diff --git a/tests/py/inet/tproxy.t b/tests/py/inet/tproxy.t index d23bbcb5..9901df75 100644 --- a/tests/py/inet/tproxy.t +++ b/tests/py/inet/tproxy.t @@ -19,3 +19,5 @@ meta l4proto 17 tproxy ip to :50080;ok meta l4proto 17 tproxy ip6 to :50080;ok meta l4proto 17 tproxy to :50080;ok ip daddr 0.0.0.0/0 meta l4proto 6 tproxy ip to :2000;ok + +meta l4proto 6 tproxy ip to 127.0.0.1:symhash mod 2 map { 0 : 23, 1 : 42 };ok diff --git a/tests/py/inet/tproxy.t.json b/tests/py/inet/tproxy.t.json index 7b3b11c4..71b6fd2f 100644 --- a/tests/py/inet/tproxy.t.json +++ b/tests/py/inet/tproxy.t.json @@ -183,3 +183,38 @@ } } ] + +# meta l4proto 6 tproxy ip to 127.0.0.1:symhash mod 2 map { 0 : 23, 1 : 42 } +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 6 + } + }, + { + "tproxy": { + "addr": "127.0.0.1", + "family": "ip", + "port": { + "map": { + "data": { + "set": [ + [ 0, 23 ], + [ 1, 42 ] + ] + }, + "key": { + "symhash": { "mod": 2 } + } + } + } + } + } +] + diff --git a/tests/py/inet/tproxy.t.payload b/tests/py/inet/tproxy.t.payload index 24bf8f60..2f419042 100644 --- a/tests/py/inet/tproxy.t.payload +++ b/tests/py/inet/tproxy.t.payload @@ -61,3 +61,15 @@ inet x y [ immediate reg 1 0x0000d007 ] [ tproxy ip port reg 1 ] +# meta l4proto 6 tproxy ip to 127.0.0.1:symhash mod 2 map { 0 : 23, 1 : 42 } +__map%d x b size 2 +__map%d x 0 + element 00000000 : 00001700 0 [end] element 00000001 : 00002a00 0 [end] +inet x y + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ immediate reg 1 0x0100007f ] + [ hash reg 2 = symhash() % mod 2 ] + [ lookup reg 2 set __map%d dreg 2 ] + [ tproxy ip addr reg 1 port reg 2 ] + diff --git a/tests/py/inet/udp.t b/tests/py/inet/udp.t index 4e3eaa51..7f21c8ed 100644 --- a/tests/py/inet/udp.t +++ b/tests/py/inet/udp.t @@ -1,10 +1,11 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress udp sport 80 accept;ok udp sport != 60 accept;ok @@ -12,8 +13,6 @@ udp sport 50-70 accept;ok udp sport != 50-60 accept;ok udp sport { 49, 50} drop;ok udp sport != { 50, 60} accept;ok -udp sport { 12-40};ok -udp sport != { 13-24};ok udp dport set {1, 2, 3};fail @@ -23,8 +22,6 @@ udp dport 70-75 accept;ok udp dport != 50-60 accept;ok udp dport { 49, 50} drop;ok udp dport != { 50, 60} accept;ok -udp dport { 70-75} accept;ok -udp dport != { 50-60} accept;ok udp length 6666;ok udp length != 6666;ok @@ -32,8 +29,6 @@ udp length 50-65 accept;ok udp length != 50-65 accept;ok udp length { 50, 65} accept;ok udp length != { 50, 65} accept;ok -udp length { 35-50};ok -udp length != { 35-50};ok udp checksum 6666 drop;ok udp checksum != { 444, 555} accept;ok @@ -44,8 +39,6 @@ udp checksum 33-45;ok udp checksum != 33-45;ok udp checksum { 33, 55, 67, 88};ok udp checksum != { 33, 55, 67, 88};ok -udp checksum { 33-55};ok -udp checksum != { 33-55};ok # limit impact to lo iif "lo" udp checksum set 0;ok diff --git a/tests/py/inet/udp.t.json b/tests/py/inet/udp.t.json index f8826640..665998ec 100644 --- a/tests/py/inet/udp.t.json +++ b/tests/py/inet/udp.t.json @@ -126,46 +126,6 @@ } ] -# udp sport { 12-40} -[ - { - "match": { - "left": { - "payload": { - "field": "sport", - "protocol": "udp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 12, 40 ] } - ] - } - } - } -] - -# udp sport != { 13-24} -[ - { - "match": { - "left": { - "payload": { - "field": "sport", - "protocol": "udp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 13, 24 ] } - ] - } - } - } -] - # udp dport 80 accept [ { @@ -294,52 +254,6 @@ } ] -# udp dport { 70-75} accept -[ - { - "match": { - "left": { - "payload": { - "field": "dport", - "protocol": "udp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 70, 75 ] } - ] - } - } - }, - { - "accept": null - } -] - -# udp dport != { 50-60} accept -[ - { - "match": { - "left": { - "payload": { - "field": "dport", - "protocol": "udp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 50, 60 ] } - ] - } - } - }, - { - "accept": null - } -] - # udp length 6666 [ { @@ -462,46 +376,6 @@ } ] -# udp length { 35-50} -[ - { - "match": { - "left": { - "payload": { - "field": "length", - "protocol": "udp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 35, 50 ] } - ] - } - } - } -] - -# udp length != { 35-50} -[ - { - "match": { - "left": { - "payload": { - "field": "length", - "protocol": "udp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 35, 50 ] } - ] - } - } - } -] - # udp checksum 6666 drop [ { @@ -659,46 +533,6 @@ } ] -# udp checksum { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "udp" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# udp checksum != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "udp" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # iif "lo" udp checksum set 0 [ { diff --git a/tests/py/inet/udp.t.payload b/tests/py/inet/udp.t.payload index d91eb784..e6beda7f 100644 --- a/tests/py/inet/udp.t.payload +++ b/tests/py/inet/udp.t.payload @@ -53,26 +53,6 @@ inet test-inet input [ lookup reg 1 set __set%d 0x1 ] [ immediate reg 0 accept ] -# udp sport { 12-40} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000c00 : 0 [end] element 00002900 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# udp sport != { 13-24} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000d00 : 0 [end] element 00001900 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # udp dport 80 accept inet test-inet input [ meta load l4proto => reg 1 ] @@ -128,28 +108,6 @@ inet test-inet input [ lookup reg 1 set __set%d 0x1 ] [ immediate reg 0 accept ] -# udp dport { 70-75} accept -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00004600 : 0 [end] element 00004c00 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - [ immediate reg 0 accept ] - -# udp dport != { 50-60} accept -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00003200 : 0 [end] element 00003d00 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - [ immediate reg 0 accept ] - # udp length 6666 inet test-inet input [ meta load l4proto => reg 1 ] @@ -203,26 +161,6 @@ inet test-inet input [ lookup reg 1 set __set%d 0x1 ] [ immediate reg 0 accept ] -# udp length { 35-50} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002300 : 0 [end] element 00003300 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# udp length != { 35-50} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002300 : 0 [end] element 00003300 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # udp checksum 6666 drop inet test-inet input [ meta load l4proto => reg 1 ] @@ -291,26 +229,6 @@ inet test-inet input [ payload load 2b @ transport header + 6 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# udp checksum { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 6 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# udp checksum != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ payload load 2b @ transport header + 6 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # iif "lo" udp checksum set 0 inet test-inet input [ meta load iif => reg 1 ] diff --git a/tests/py/inet/udplite.t b/tests/py/inet/udplite.t index 7c22acb9..6a54709c 100644 --- a/tests/py/inet/udplite.t +++ b/tests/py/inet/udplite.t @@ -1,10 +1,11 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress udplite sport 80 accept;ok udplite sport != 60 accept;ok @@ -12,8 +13,6 @@ udplite sport 50-70 accept;ok udplite sport != 50-60 accept;ok udplite sport { 49, 50} drop;ok udplite sport != { 49, 50} accept;ok -udplite sport { 12-40};ok -udplite sport != { 12-40};ok udplite dport 80 accept;ok udplite dport != 60 accept;ok @@ -21,8 +20,6 @@ udplite dport 70-75 accept;ok udplite dport != 50-60 accept;ok udplite dport { 49, 50} drop;ok udplite dport != { 49, 50} accept;ok -udplite dport { 70-75} accept;ok -udplite dport != { 70-75} accept;ok - udplite csumcov 6666;ok - udplite csumcov != 6666;ok @@ -30,8 +27,6 @@ udplite dport != { 70-75} accept;ok - udplite csumcov != 50-65 accept;ok - udplite csumcov { 50, 65} accept;ok - udplite csumcov != { 50, 65} accept;ok -- udplite csumcov { 35-50};ok -- udplite csumcov != { 35-50};ok udplite checksum 6666 drop;ok udplite checksum != { 444, 555} accept;ok @@ -41,5 +36,3 @@ udplite checksum 33-45;ok udplite checksum != 33-45;ok udplite checksum { 33, 55, 67, 88};ok udplite checksum != { 33, 55, 67, 88};ok -udplite checksum { 33-55};ok -udplite checksum != { 33-55};ok diff --git a/tests/py/inet/udplite.t.json b/tests/py/inet/udplite.t.json index f56bee47..713a534f 100644 --- a/tests/py/inet/udplite.t.json +++ b/tests/py/inet/udplite.t.json @@ -126,46 +126,6 @@ } ] -# udplite sport { 12-40} -[ - { - "match": { - "left": { - "payload": { - "field": "sport", - "protocol": "udplite" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 12, 40 ] } - ] - } - } - } -] - -# udplite sport != { 12-40} -[ - { - "match": { - "left": { - "payload": { - "field": "sport", - "protocol": "udplite" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 12, 40 ] } - ] - } - } - } -] - # udplite dport 80 accept [ { @@ -294,52 +254,6 @@ } ] -# udplite dport { 70-75} accept -[ - { - "match": { - "left": { - "payload": { - "field": "dport", - "protocol": "udplite" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 70, 75 ] } - ] - } - } - }, - { - "accept": null - } -] - -# udplite dport != { 70-75} accept -[ - { - "match": { - "left": { - "payload": { - "field": "dport", - "protocol": "udplite" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 70, 75 ] } - ] - } - } - }, - { - "accept": null - } -] - # udplite checksum 6666 drop [ { @@ -497,43 +411,3 @@ } ] -# udplite checksum { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "udplite" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# udplite checksum != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "udplite" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - diff --git a/tests/py/inet/udplite.t.payload b/tests/py/inet/udplite.t.payload index eb3dc075..de9d09ed 100644 --- a/tests/py/inet/udplite.t.payload +++ b/tests/py/inet/udplite.t.payload @@ -53,26 +53,6 @@ inet test-inet input [ lookup reg 1 set __set%d 0x1 ] [ immediate reg 0 accept ] -# udplite sport { 12-40} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00000c00 : 0 [end] element 00002900 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000088 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# udplite sport != { 12-40} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00000c00 : 0 [end] element 00002900 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000088 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # udplite dport 80 accept inet test-inet input [ meta load l4proto => reg 1 ] @@ -128,28 +108,6 @@ inet test-inet input [ lookup reg 1 set __set%d 0x1 ] [ immediate reg 0 accept ] -# udplite dport { 70-75} accept -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00004600 : 0 [end] element 00004c00 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000088 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - [ immediate reg 0 accept ] - -# udplite dport != { 70-75} accept -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00004600 : 0 [end] element 00004c00 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000088 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - [ immediate reg 0 accept ] - # udplite checksum 6666 drop inet test-inet input [ meta load l4proto => reg 1 ] @@ -218,23 +176,3 @@ inet test-inet input [ payload load 2b @ transport header + 6 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# udplite checksum { 33-55} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000088 ] - [ payload load 2b @ transport header + 6 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# udplite checksum != { 33-55} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000088 ] - [ payload load 2b @ transport header + 6 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - diff --git a/tests/py/inet/vmap.t b/tests/py/inet/vmap.t new file mode 100644 index 00000000..0ac6e561 --- /dev/null +++ b/tests/py/inet/vmap.t @@ -0,0 +1,10 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 + +*inet;test-inet;input +*netdev;test-netdev;ingress,egress + +iifname . ip protocol . th dport vmap { "eth0" . tcp . 22 : accept, "eth1" . udp . 67 : drop };ok;iifname . ip protocol . th dport vmap { "eth0" . 6 . 22 : accept, "eth1" . 17 . 67 : drop } +ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e };ok +udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept };ok diff --git a/tests/py/inet/vmap.t.json b/tests/py/inet/vmap.t.json new file mode 100644 index 00000000..37472cc6 --- /dev/null +++ b/tests/py/inet/vmap.t.json @@ -0,0 +1,144 @@ +# iifname . ip protocol . th dport vmap { "eth0" . tcp . 22 : accept, "eth1" . udp . 67 : drop } +[ + { + "vmap": { + "data": { + "set": [ + [ + { + "concat": [ + "eth0", + 6, + 22 + ] + }, + { + "accept": null + } + ], + [ + { + "concat": [ + "eth1", + 17, + 67 + ] + }, + { + "drop": null + } + ] + ] + }, + "key": { + "concat": [ + { + "meta": { + "key": "iifname" + } + }, + { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + { + "payload": { + "field": "dport", + "protocol": "th" + } + } + ] + } + } + } +] + +# ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "base": "ih", + "len": 32, + "offset": 32 + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.1.1.1", + 20 + ] + }, + { + "concat": [ + "2.2.2.2", + 30 + ] + } + ] + } + } + } +] + +# udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept } +[ + { + "vmap": { + "data": { + "set": [ + [ + { + "concat": [ + { + "range": [ + 47, + 63 + ] + }, + "0xe373135363130333131303735353203" + ] + }, + { + "accept": null + } + ] + ] + }, + "key": { + "concat": [ + { + "payload": { + "field": "length", + "protocol": "udp" + } + }, + { + "payload": { + "base": "th", + "len": 128, + "offset": 160 + } + } + ] + } + } + } +] + diff --git a/tests/py/inet/vmap.t.payload b/tests/py/inet/vmap.t.payload new file mode 100644 index 00000000..29ec846d --- /dev/null +++ b/tests/py/inet/vmap.t.payload @@ -0,0 +1,34 @@ +# iifname . ip protocol . th dport vmap { "eth0" . tcp . 22 : accept, "eth1" . udp . 67 : drop } +__map%d test-inet b size 2 +__map%d test-inet 0 + element 30687465 00000000 00000000 00000000 00000006 00001600 : accept 0 [end] element 31687465 00000000 00000000 00000000 00000011 00004300 : drop 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ meta load iifname => reg 1 ] + [ payload load 1b @ network header + 9 => reg 2 ] + [ payload load 2b @ transport header + 2 => reg 13 ] + [ lookup reg 1 set __map%d dreg 0 ] + +# ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e } +__set%d test-inet 3 size 2 +__set%d test-inet 0 + element 01010101 14000000 : 0 [end] element 02020202 1e000000 : 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ inner header + 4 => reg 9 ] + [ lookup reg 1 set __set%d ] + +# udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept } +__map%d x 8f size 1 +__map%d x 0 + element 00002f00 3531370e 33303136 37303131 03323535 - 00003f00 3531370e 33303136 37303131 03323535 : accept 0 [end] +inet x y + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 4 => reg 1 ] + [ payload load 16b @ transport header + 20 => reg 9 ] + [ lookup reg 1 set __map%d dreg 0 ] + diff --git a/tests/py/inet/vmap.t.payload.netdev b/tests/py/inet/vmap.t.payload.netdev new file mode 100644 index 00000000..3f51bb33 --- /dev/null +++ b/tests/py/inet/vmap.t.payload.netdev @@ -0,0 +1,34 @@ +# iifname . ip protocol . th dport vmap { "eth0" . tcp . 22 : accept, "eth1" . udp . 67 : drop } +__map%d test-netdev b size 2 +__map%d test-netdev 0 + element 30687465 00000000 00000000 00000000 00000006 00001600 : accept 0 [end] element 31687465 00000000 00000000 00000000 00000011 00004300 : drop 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ meta load iifname => reg 1 ] + [ payload load 1b @ network header + 9 => reg 2 ] + [ payload load 2b @ transport header + 2 => reg 13 ] + [ lookup reg 1 set __map%d dreg 0 ] + +# ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e } +__set%d test-netdev 3 size 2 +__set%d test-netdev 0 + element 01010101 14000000 : 0 [end] element 02020202 1e000000 : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ inner header + 4 => reg 9 ] + [ lookup reg 1 set __set%d ] + +# udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept } +__map%d test-netdev 8f size 1 +__map%d test-netdev 0 + element 00002f00 3531370e 33303136 37303131 03323535 - 00003f00 3531370e 33303136 37303131 03323535 : accept 0 [end] +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 4 => reg 1 ] + [ payload load 16b @ transport header + 20 => reg 9 ] + [ lookup reg 1 set __map%d dreg 0 ] + diff --git a/tests/py/inet/vxlan.t b/tests/py/inet/vxlan.t new file mode 100644 index 00000000..10cdb7a4 --- /dev/null +++ b/tests/py/inet/vxlan.t @@ -0,0 +1,23 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 + +*ip;test-ip4;input +*ip6;test-ip6;input +*inet;test-inet;input +*netdev;test-netdev;ingress,egress + +vxlan vni 10;fail +udp dport 4789 vxlan vni 10;ok +udp dport 4789 vxlan ip saddr 10.141.11.2;ok +udp dport 4789 vxlan ip saddr 10.141.11.0/24;ok +udp dport 4789 vxlan ip protocol 1;ok +udp dport 4789 vxlan udp sport 8888;ok +udp dport 4789 vxlan icmp type echo-reply;ok +udp dport 4789 vxlan ether saddr 62:87:4d:d6:19:05;ok +udp dport 4789 vxlan vlan id 10;ok +udp dport 4789 vxlan ip dscp 0x02;ok +udp dport 4789 vxlan ip dscp 0x02;ok +udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 };ok + +udp dport 4789 vxlan ip saddr set 1.2.3.4;fail diff --git a/tests/py/inet/vxlan.t.json b/tests/py/inet/vxlan.t.json new file mode 100644 index 00000000..91b3d294 --- /dev/null +++ b/tests/py/inet/vxlan.t.json @@ -0,0 +1,344 @@ +# udp dport 4789 vxlan vni 10 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "vni", + "protocol": "vxlan", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": 10 + } + } +] + +# udp dport 4789 vxlan ip saddr 10.141.11.2 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": "10.141.11.2" + } + } +] + +# udp dport 4789 vxlan ip saddr 10.141.11.0/24 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": { + "prefix": { + "addr": "10.141.11.0", + "len": 24 + } + } + } + } +] + +# udp dport 4789 vxlan ip protocol 1 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": 1 + } + } +] + +# udp dport 4789 vxlan udp sport 8888 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "udp", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": 8888 + } + } +] + +# udp dport 4789 vxlan icmp type echo-reply +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": "echo-reply" + } + } +] + +# udp dport 4789 vxlan ether saddr 62:87:4d:d6:19:05 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": "62:87:4d:d6:19:05" + } + } +] + +# udp dport 4789 vxlan vlan id 10 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": 10 + } + } +] + +# udp dport 4789 vxlan ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": 2 + } + } +] + +# udp dport 4789 vxlan ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": 2 + } + } +] + +# udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 } +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "vxlan" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip", + "tunnel": "vxlan" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + "4.3.2.1" + ] + } + ] + } + } + } +] + diff --git a/tests/py/inet/vxlan.t.payload b/tests/py/inet/vxlan.t.payload new file mode 100644 index 00000000..cde8e56f --- /dev/null +++ b/tests/py/inet/vxlan.t.payload @@ -0,0 +1,114 @@ +# udp dport 4789 vxlan vni 10 +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ payload load 3b @ unknown header + 4 => reg 1 ] ] + [ cmp eq reg 1 0x000a0000 ] + +# udp dport 4789 vxlan ip saddr 10.141.11.2 +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 1 hdrsize 8 flags f [ payload load 4b @ network header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x020b8d0a ] + +# udp dport 4789 vxlan ip saddr 10.141.11.0/24 +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 1 hdrsize 8 flags f [ payload load 3b @ network header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x000b8d0a ] + +# udp dport 4789 vxlan ip protocol 1 +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 1 hdrsize 8 flags f [ payload load 1b @ network header + 9 => reg 1 ] ] + [ cmp eq reg 1 0x00000001 ] + +# udp dport 4789 vxlan udp sport 8888 +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ meta load l4proto => reg 1 ] ] + [ cmp eq reg 1 0x00000011 ] + [ inner type 1 hdrsize 8 flags f [ payload load 2b @ transport header + 0 => reg 1 ] ] + [ cmp eq reg 1 0x0000b822 ] + +# udp dport 4789 vxlan icmp type echo-reply +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ payload load 2b @ link header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 1 hdrsize 8 flags f [ meta load l4proto => reg 1 ] ] + [ cmp eq reg 1 0x00000001 ] + [ inner type 1 hdrsize 8 flags f [ payload load 1b @ transport header + 0 => reg 1 ] ] + [ cmp eq reg 1 0x00000000 ] + +# udp dport 4789 vxlan ether saddr 62:87:4d:d6:19:05 +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ payload load 6b @ link header + 6 => reg 1 ] ] + [ cmp eq reg 1 0xd64d8762 0x00000519 ] + +# udp dport 4789 vxlan vlan id 10 +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ payload load 2b @ link header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x00000081 ] + [ inner type 1 hdrsize 8 flags f [ payload load 2b @ link header + 14 => reg 1 ] ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000a00 ] + +# udp dport 4789 vxlan ip dscp 0x02 +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 1 hdrsize 8 flags f [ payload load 1b @ network header + 1 => reg 1 ] ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000008 ] + +# udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 } +__set%d test-netdev 3 size 1 +__set%d test-netdev 0 + element 04030201 01020304 : 0 [end] +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 1 hdrsize 8 flags f [ payload load 4b @ network header + 12 => reg 1 ] ] + [ inner type 1 hdrsize 8 flags f [ payload load 4b @ network header + 16 => reg 9 ] ] + [ lookup reg 1 set __set%d ] + diff --git a/tests/py/ip/ct.t b/tests/py/ip/ct.t index a387863e..a0a22289 100644 --- a/tests/py/ip/ct.t +++ b/tests/py/ip/ct.t @@ -28,3 +28,9 @@ meta mark set ct original saddr . meta mark map { 1.1.1.1 . 0x00000014 : 0x00000 meta mark set ct original ip saddr . meta mark map { 1.1.1.1 . 0x00000014 : 0x0000001e };ok ct original saddr . meta mark { 1.1.1.1 . 0x00000014 };fail ct original ip saddr . meta mark { 1.1.1.1 . 0x00000014 };ok +ct mark set ip dscp << 2 | 0x10;ok +ct mark set ip dscp << 26 | 0x10;ok +ct mark set ip dscp & 0x0f << 1;ok;ct mark set ip dscp & af33 +ct mark set ip dscp & 0x0f << 2;ok;ct mark set ip dscp & 0x3c +ct mark set ip dscp | 0x04;ok +ct mark set ip dscp | 1 << 20;ok;ct mark set ip dscp | 0x100000 diff --git a/tests/py/ip/ct.t.json b/tests/py/ip/ct.t.json index 3288413f..915632ae 100644 --- a/tests/py/ip/ct.t.json +++ b/tests/py/ip/ct.t.json @@ -325,3 +325,157 @@ } } ] + +# ct mark set ip dscp << 2 | 0x10 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 2 + ] + }, + 16 + ] + } + } + } +] + +# ct mark set ip dscp << 26 | 0x10 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 26 + ] + }, + 16 + ] + } + } + } +] + +# ct mark set ip dscp & 0x0f << 1 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "&": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + "af33" + ] + } + } + } +] + +# ct mark set ip dscp & 0x0f << 2 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "&": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 60 + ] + } + } + } +] + +# ct mark set ip dscp | 0x04 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 4 + ] + } + } + } +] + +# ct mark set ip dscp | 1 << 20 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 1048576 + ] + } + } + } +] diff --git a/tests/py/ip/ct.t.payload b/tests/py/ip/ct.t.payload index 49f06a84..692011d0 100644 --- a/tests/py/ip/ct.t.payload +++ b/tests/py/ip/ct.t.payload @@ -84,3 +84,53 @@ ip [ ct load src_ip => reg 1 , dir original ] [ meta load mark => reg 9 ] [ lookup reg 1 set __set%d ] + +# ct mark set ip dscp << 2 | 0x10 +ip test-ip4 output + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 << 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ] + [ ct set mark with reg 1 ] + +# ct mark set ip dscp << 26 | 0x10 +ip + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 << 0x0000001a ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ] + [ ct set mark with reg 1 ] + +# ct mark set ip dscp & 0x0f << 1 +ip test-ip4 output + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0x0000001e ) ^ 0x00000000 ] + [ ct set mark with reg 1 ] + +# ct mark set ip dscp & 0x0f << 2 +ip test-ip4 output + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0x0000003c ) ^ 0x00000000 ] + [ ct set mark with reg 1 ] + +# ct mark set ip dscp | 0x04 +ip test-ip4 output + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0xfffffffb ) ^ 0x00000004 ] + [ ct set mark with reg 1 ] + +# ct mark set ip dscp | 1 << 20 +ip test-ip4 output + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0xffefffff ) ^ 0x00100000 ] + [ ct set mark with reg 1 ] diff --git a/tests/py/ip/dnat.t b/tests/py/ip/dnat.t index 089017c8..881571db 100644 --- a/tests/py/ip/dnat.t +++ b/tests/py/ip/dnat.t @@ -8,6 +8,16 @@ iifname "eth0" tcp dport {80, 90, 23} dnat to 192.168.3.2;ok iifname "eth0" tcp dport != {80, 90, 23} dnat to 192.168.3.2;ok iifname "eth0" tcp dport != 23-34 dnat to 192.168.3.2;ok iifname "eth0" tcp dport 81 dnat to 192.168.3.2:8080;ok +iifname "eth0" tcp dport 81 dnat to 192.168.3.2:8080-8999;ok +iifname "eth0" tcp dport 81 dnat to 192.168.3.2-192.168.3.4:8080;ok +iifname "eth0" tcp dport 81 dnat to 192.168.3.2-192.168.3.4:8080-8999;ok dnat to ct mark map { 0x00000014 : 1.2.3.4};ok dnat to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4};ok + +dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.0/24 . 8888 - 8999 };ok +dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.0/24 . 80 };ok +dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.2 . 8888 - 8999 };ok +ip daddr 192.168.0.1 dnat ip to tcp dport map { 443 : 10.141.10.4 . 8443, 80 : 10.141.10.4 . 8080 };ok +meta l4proto 6 dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69 . 22, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 };ok +dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69/32, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 };ok diff --git a/tests/py/ip/dnat.t.json b/tests/py/ip/dnat.t.json index 0481a368..fe15d072 100644 --- a/tests/py/ip/dnat.t.json +++ b/tests/py/ip/dnat.t.json @@ -262,3 +262,482 @@ } ] +# iifname "eth0" tcp dport 81 dnat to 192.168.3.2:8080-8999 +[ + { + "match": { + "left": { + "meta": { + "key": "iifname" + } + }, + "op": "==", + "right": "eth0" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 81 + } + }, + { + "dnat": { + "addr": "192.168.3.2", + "port": { + "range": [ + 8080, + 8999 + ] + } + } + } +] + +# iifname "eth0" tcp dport 81 dnat to 192.168.3.2-192.168.3.4:8080-8999 +[ + { + "match": { + "left": { + "meta": { + "key": "iifname" + } + }, + "op": "==", + "right": "eth0" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 81 + } + }, + { + "dnat": { + "addr": { + "range": [ + "192.168.3.2", + "192.168.3.4" + ] + }, + "port": { + "range": [ + 8080, + 8999 + ] + } + } + } +] + +# iifname "eth0" tcp dport 81 dnat to 192.168.3.2-192.168.3.4:8080 +[ + { + "match": { + "left": { + "meta": { + "key": "iifname" + } + }, + "op": "==", + "right": "eth0" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 81 + } + }, + { + "dnat": { + "addr": { + "range": [ + "192.168.3.2", + "192.168.3.4" + ] + }, + "port": 8080 + } + } +] + +# dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.2 . 8888 - 8999 } +[ + { + "dnat": { + "addr": { + "map": { + "data": { + "set": [ + [ + { + "concat": [ + "192.168.1.2", + 80 + ] + }, + { + "concat": [ + "10.141.10.2", + { + "range": [ + 8888, + 8999 + ] + } + ] + } + ] + ] + }, + "key": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "dport", + "protocol": "tcp" + } + } + ] + } + } + }, + "family": "ip" + } + } +] + +# dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.0/24 . 8888 - 8999 } +[ + { + "dnat": { + "addr": { + "map": { + "data": { + "set": [ + [ + { + "concat": [ + "192.168.1.2", + 80 + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "10.141.10.0", + "len": 24 + } + }, + { + "range": [ + 8888, + 8999 + ] + } + ] + } + ] + ] + }, + "key": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "dport", + "protocol": "tcp" + } + } + ] + } + } + }, + "family": "ip" + } + } +] + +# dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.0/24 . 80 } +[ + { + "dnat": { + "addr": { + "map": { + "data": { + "set": [ + [ + { + "concat": [ + "192.168.1.2", + 80 + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "10.141.10.0", + "len": 24 + } + }, + 80 + ] + } + ] + ] + }, + "key": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "dport", + "protocol": "tcp" + } + } + ] + } + } + }, + "family": "ip" + } + } +] + +# ip daddr 192.168.0.1 dnat ip to tcp dport map { 443 : 10.141.10.4 . 8443, 80 : 10.141.10.4 . 8080 } +[ + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "192.168.0.1" + } + }, + { + "dnat": { + "addr": { + "map": { + "data": { + "set": [ + [ + 80, + { + "concat": [ + "10.141.10.4", + 8080 + ] + } + ], + [ + 443, + { + "concat": [ + "10.141.10.4", + 8443 + ] + } + ] + ] + }, + "key": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + } + } + }, + "family": "ip" + } + } +] + +# meta l4proto 6 dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69 . 22, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 } +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 6 + } + }, + { + "dnat": { + "addr": { + "map": { + "data": { + "set": [ + [ + { + "concat": [ + "enp2s0", + "10.1.1.136" + ] + }, + { + "concat": [ + "1.1.2.69", + 22 + ] + } + ], + [ + { + "concat": [ + "enp2s0", + { + "range": [ + "10.1.1.1", + "10.1.1.135" + ] + } + ] + }, + { + "concat": [ + { + "range": [ + "1.1.2.66", + "1.84.236.78" + ] + }, + 22 + ] + } + ] + ] + }, + "key": { + "concat": [ + { + "meta": { + "key": "iifname" + } + }, + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + ] + } + } + }, + "family": "ip" + } + } +] + +# dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69/32, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 } +[ + { + "dnat": { + "addr": { + "map": { + "data": { + "set": [ + [ + { + "concat": [ + "enp2s0", + "10.1.1.136" + ] + }, + { + "prefix": { + "addr": "1.1.2.69", + "len": 32 + } + } + ], + [ + { + "concat": [ + "enp2s0", + { + "range": [ + "10.1.1.1", + "10.1.1.135" + ] + } + ] + }, + { + "range": [ + "1.1.2.66", + "1.84.236.78" + ] + } + ] + ] + }, + "key": { + "concat": [ + { + "meta": { + "key": "iifname" + } + }, + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + ] + } + } + }, + "family": "ip" + } + } +] + diff --git a/tests/py/ip/dnat.t.payload.ip b/tests/py/ip/dnat.t.payload.ip index 0acbefb6..439c6abe 100644 --- a/tests/py/ip/dnat.t.payload.ip +++ b/tests/py/ip/dnat.t.payload.ip @@ -8,7 +8,7 @@ ip test-ip4 prerouting [ cmp gte reg 1 0x00005000 ] [ cmp lte reg 1 0x00005a00 ] [ immediate reg 1 0x0203a8c0 ] - [ nat dnat ip addr_min reg 1 addr_max reg 0 ] + [ nat dnat ip addr_min reg 1 ] # iifname "eth0" tcp dport != 80-90 dnat to 192.168.3.2 ip test-ip4 prerouting @@ -19,7 +19,7 @@ ip test-ip4 prerouting [ payload load 2b @ transport header + 2 => reg 1 ] [ range neq reg 1 0x00005000 0x00005a00 ] [ immediate reg 1 0x0203a8c0 ] - [ nat dnat ip addr_min reg 1 addr_max reg 0 ] + [ nat dnat ip addr_min reg 1 ] # iifname "eth0" tcp dport {80, 90, 23} dnat to 192.168.3.2 __set%d test-ip4 3 @@ -33,7 +33,7 @@ ip test-ip4 prerouting [ payload load 2b @ transport header + 2 => reg 1 ] [ lookup reg 1 set __set%d ] [ immediate reg 1 0x0203a8c0 ] - [ nat dnat ip addr_min reg 1 addr_max reg 0 ] + [ nat dnat ip addr_min reg 1 ] # iifname "eth0" tcp dport != {80, 90, 23} dnat to 192.168.3.2 __set%d test-ip4 3 @@ -47,7 +47,7 @@ ip test-ip4 prerouting [ payload load 2b @ transport header + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] [ immediate reg 1 0x0203a8c0 ] - [ nat dnat ip addr_min reg 1 addr_max reg 0 ] + [ nat dnat ip addr_min reg 1 ] # iifname "eth0" tcp dport != 23-34 dnat to 192.168.3.2 ip test-ip4 prerouting @@ -58,7 +58,7 @@ ip test-ip4 prerouting [ payload load 2b @ transport header + 2 => reg 1 ] [ range neq reg 1 0x00001700 0x00002200 ] [ immediate reg 1 0x0203a8c0 ] - [ nat dnat ip addr_min reg 1 addr_max reg 0 ] + [ nat dnat ip addr_min reg 1 ] # iifname "eth0" tcp dport 81 dnat to 192.168.3.2:8080 ip test-ip4 prerouting @@ -70,7 +70,7 @@ ip test-ip4 prerouting [ cmp eq reg 1 0x00005100 ] [ immediate reg 1 0x0203a8c0 ] [ immediate reg 2 0x0000901f ] - [ nat dnat ip addr_min reg 1 addr_max reg 0 proto_min reg 2 proto_max reg 0 flags 0x2 ] + [ nat dnat ip addr_min reg 1 proto_min reg 2 flags 0x2 ] # dnat to ct mark map { 0x00000014 : 1.2.3.4} __map%d test-ip4 b @@ -79,7 +79,7 @@ __map%d test-ip4 0 ip test-ip4 prerouting [ ct load mark => reg 1 ] [ lookup reg 1 set __map%d dreg 1 ] - [ nat dnat ip addr_min reg 1 addr_max reg 0 ] + [ nat dnat ip addr_min reg 1 ] # dnat to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4} __map%d test-ip4 b @@ -89,5 +89,116 @@ ip test-ip4 output [ ct load mark => reg 1 ] [ payload load 4b @ network header + 16 => reg 9 ] [ lookup reg 1 set __map%d dreg 1 ] - [ nat dnat ip addr_min reg 1 addr_max reg 0 ] + [ nat dnat ip addr_min reg 1 ] + +# dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.0/24 . 8888 - 8999 } +__map%d test-ip4 b size 1 +__map%d test-ip4 0 + element 0201a8c0 00005000 : 000a8d0a 0000b822 ff0a8d0a 00002723 0 [end] +ip + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 2b @ transport header + 2 => reg 9 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat dnat ip addr_min reg 1 addr_max reg 10 proto_min reg 9 proto_max reg 11 ] + +# dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.0/24 . 80 } +__map%d test-ip4 b size 1 +__map%d test-ip4 0 + element 0201a8c0 00005000 : 000a8d0a 00005000 ff0a8d0a 00005000 0 [end] +ip + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 2b @ transport header + 2 => reg 9 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat dnat ip addr_min reg 1 addr_max reg 10 proto_min reg 9 proto_max reg 11 ] + +# dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.2 . 8888 - 8999 } +__map%d test-ip4 b size 1 +__map%d test-ip4 0 + element 0201a8c0 00005000 : 020a8d0a 0000b822 020a8d0a 00002723 0 [end] +ip + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 2b @ transport header + 2 => reg 9 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat dnat ip addr_min reg 1 addr_max reg 10 proto_min reg 9 proto_max reg 11 ] + +# iifname "eth0" tcp dport 81 dnat to 192.168.3.2:8080-8999 +ip + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00005100 ] + [ immediate reg 1 0x0203a8c0 ] + [ immediate reg 2 0x0000901f ] + [ immediate reg 3 0x00002723 ] + [ nat dnat ip addr_min reg 1 proto_min reg 2 proto_max reg 3 flags 0x2 ] + +# iifname "eth0" tcp dport 81 dnat to 192.168.3.2-192.168.3.4:8080 +ip + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00005100 ] + [ immediate reg 1 0x0203a8c0 ] + [ immediate reg 2 0x0403a8c0 ] + [ immediate reg 3 0x0000901f ] + [ nat dnat ip addr_min reg 1 addr_max reg 2 proto_min reg 3 flags 0x2 ] + +# iifname "eth0" tcp dport 81 dnat to 192.168.3.2-192.168.3.4:8080-8999 +ip + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00005100 ] + [ immediate reg 1 0x0203a8c0 ] + [ immediate reg 2 0x0403a8c0 ] + [ immediate reg 3 0x0000901f ] + [ immediate reg 4 0x00002723 ] + [ nat dnat ip addr_min reg 1 addr_max reg 2 proto_min reg 3 proto_max reg 4 flags 0x2 ] + +# ip daddr 192.168.0.1 dnat ip to tcp dport map { 443 : 10.141.10.4 . 8443, 80 : 10.141.10.4 . 8080 } +__map%d test-ip4 b size 2 +__map%d test-ip4 0 + element 0000bb01 : 040a8d0a 0000fb20 0 [end] element 00005000 : 040a8d0a 0000901f 0 [end] +ip + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x0100a8c0 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat dnat ip addr_min reg 1 proto_min reg 9 ] + +# meta l4proto 6 dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69 . 22, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 } +__map%d test-ip4 8f size 2 +__map%d test-ip4 0 + element 32706e65 00003073 00000000 00000000 8801010a - 32706e65 00003073 00000000 00000000 8801010a : 45020101 00001600 45020101 00001600 0 [end] element 32706e65 00003073 00000000 00000000 0101010a - 32706e65 00003073 00000000 00000000 8701010a : 42020101 00001600 4eec5401 00001600 0 [end] +ip test-ip4 prerouting + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ meta load iifname => reg 1 ] + [ payload load 4b @ network header + 12 => reg 2 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat dnat ip addr_min reg 1 addr_max reg 10 proto_min reg 9 proto_max reg 11 ] + +# dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69/32, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 } +__map%d test-ip4 8f size 2 +__map%d test-ip4 0 + element 32706e65 00003073 00000000 00000000 8801010a - 32706e65 00003073 00000000 00000000 8801010a : 45020101 45020101 0 [end] element 32706e65 00003073 00000000 00000000 0101010a - 32706e65 00003073 00000000 00000000 8701010a : 42020101 4eec5401 0 [end] +ip test-ip4 prerouting + [ meta load iifname => reg 1 ] + [ payload load 4b @ network header + 12 => reg 2 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat dnat ip addr_min reg 1 addr_max reg 9 ] diff --git a/tests/py/ip/flowtable.t b/tests/py/ip/flowtable.t deleted file mode 100644 index 086c6cf6..00000000 --- a/tests/py/ip/flowtable.t +++ /dev/null @@ -1,5 +0,0 @@ -:input;type filter hook input priority 0 - -*ip;test-ip;input - -meter xyz size 8192 { ip saddr timeout 30s counter};ok diff --git a/tests/py/ip/flowtable.t.json b/tests/py/ip/flowtable.t.json deleted file mode 100644 index a03cc9d7..00000000 --- a/tests/py/ip/flowtable.t.json +++ /dev/null @@ -1,24 +0,0 @@ -# meter xyz size 8192 { ip saddr timeout 30s counter} -[ - { - "meter": { - "key": { - "elem": { - "timeout": 30, - "val": { - "payload": { - "field": "saddr", - "protocol": "ip" - } - } - } - }, - "name": "xyz", - "size": 8192, - "stmt": { - "counter": null - } - } - } -] - diff --git a/tests/py/ip/flowtable.t.payload b/tests/py/ip/flowtable.t.payload deleted file mode 100644 index c0aad39e..00000000 --- a/tests/py/ip/flowtable.t.payload +++ /dev/null @@ -1,7 +0,0 @@ -# meter xyz size 8192 { ip saddr timeout 30s counter} -xyz test-ip 31 -xyz test-ip 0 -ip test-ip input - [ payload load 4b @ network header + 12 => reg 1 ] - [ dynset update reg_key 1 set xyz timeout 30000ms expr [ counter pkts 0 bytes 0 ] ] - diff --git a/tests/py/ip/hash.t.payload b/tests/py/ip/hash.t.payload index 71ab0652..fefe492d 100644 --- a/tests/py/ip/hash.t.payload +++ b/tests/py/ip/hash.t.payload @@ -41,7 +41,7 @@ ip test-ip4 pre [ payload load 4b @ network header + 12 => reg 2 ] [ hash reg 1 = jhash(reg 2, 4, 0xdeadbeef) % mod 2 ] [ lookup reg 1 set __map%d dreg 1 ] - [ nat dnat ip addr_min reg 1 addr_max reg 0 ] + [ nat dnat ip addr_min reg 1 ] # ct mark set symhash mod 2 offset 100 ip test-ip4 pre diff --git a/tests/py/ip/icmp.t b/tests/py/ip/icmp.t index 11f3662e..226c339b 100644 --- a/tests/py/ip/icmp.t +++ b/tests/py/ip/icmp.t @@ -26,17 +26,13 @@ icmp code 111 accept;ok icmp code != 111 accept;ok icmp code 33-55;ok icmp code != 33-55;ok -icmp code { 33-55};ok -icmp code != { 33-55};ok -icmp code { 2, 4, 54, 33, 56};ok;icmp code { prot-unreachable, frag-needed, 33, 54, 56} -icmp code != { prot-unreachable, frag-needed, 33, 54, 56};ok +icmp code { 2, 4, 54, 33, 56};ok +icmp code != { prot-unreachable, frag-needed, 33, 54, 56};ok;icmp code != { 2, 4, 33, 54, 56} icmp checksum 12343 accept;ok icmp checksum != 12343 accept;ok icmp checksum 11-343 accept;ok icmp checksum != 11-343 accept;ok -icmp checksum { 11-343} accept;ok -icmp checksum != { 11-343} accept;ok icmp checksum { 1111, 222, 343} accept;ok icmp checksum != { 1111, 222, 343} accept;ok @@ -45,8 +41,6 @@ icmp id 22;ok;icmp type { echo-reply, echo-request} icmp id 22 icmp id != 233;ok;icmp type { echo-reply, echo-request} icmp id != 233 icmp id 33-45;ok;icmp type { echo-reply, echo-request} icmp id 33-45 icmp id != 33-45;ok;icmp type { echo-reply, echo-request} icmp id != 33-45 -icmp id { 33-55};ok;icmp type { echo-reply, echo-request} icmp id { 33-55} -icmp id != { 33-55};ok;icmp type { echo-reply, echo-request} icmp id != { 33-55} icmp id { 22, 34, 333};ok;icmp type { echo-request, echo-reply} icmp id { 22, 34, 333} icmp id != { 22, 34, 333};ok;icmp type { echo-request, echo-reply} icmp id != { 22, 34, 333} @@ -57,23 +51,18 @@ icmp sequence 33-45;ok;icmp type { echo-reply, echo-request} icmp sequence 33-45 icmp sequence != 33-45;ok;icmp type { echo-reply, echo-request} icmp sequence != 33-45 icmp sequence { 33, 55, 67, 88};ok;icmp type { echo-request, echo-reply} icmp sequence { 33, 55, 67, 88} icmp sequence != { 33, 55, 67, 88};ok;icmp type { echo-request, echo-reply} icmp sequence != { 33, 55, 67, 88} -icmp sequence { 33-55};ok;icmp type { echo-request, echo-reply} icmp sequence { 33-55} -icmp sequence != { 33-55};ok;icmp type { echo-request, echo-reply} icmp sequence != { 33-55} icmp id 1 icmp sequence 2;ok;icmp type { echo-reply, echo-request} icmp id 1 icmp sequence 2 icmp type { echo-reply, echo-request} icmp id 1 icmp sequence 2;ok +icmp type echo-reply icmp id 1;ok icmp mtu 33;ok icmp mtu 22-33;ok -icmp mtu { 22-33};ok -icmp mtu != { 22-33};ok icmp mtu 22;ok icmp mtu != 233;ok icmp mtu 33-45;ok icmp mtu != 33-45;ok icmp mtu { 33, 55, 67, 88};ok icmp mtu != { 33, 55, 67, 88};ok -icmp mtu { 33-55};ok -icmp mtu != { 33-55};ok icmp gateway 22;ok icmp gateway != 233;ok @@ -81,10 +70,8 @@ icmp gateway 33-45;ok icmp gateway != 33-45;ok icmp gateway { 33, 55, 67, 88};ok icmp gateway != { 33, 55, 67, 88};ok -icmp gateway { 33-55};ok -icmp gateway != { 33-55};ok icmp gateway != 34;ok icmp gateway != { 333, 334};ok -icmp code 1 icmp type 2;ok;icmp type 2 icmp code host-unreachable +icmp code 1 icmp type 2;ok;icmp type 2 icmp code 1 icmp code != 1 icmp type 2 icmp mtu 5;fail diff --git a/tests/py/ip/icmp.t.json b/tests/py/ip/icmp.t.json index 12b53b0f..45e04c78 100644 --- a/tests/py/ip/icmp.t.json +++ b/tests/py/ip/icmp.t.json @@ -422,56 +422,6 @@ } ] -# icmp code { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "code", - "protocol": "icmp" - } - }, - "op": "==", - "right": { - "set": [ - { - "range": [ - 33, - 55 - ] - } - ] - } - } - } -] - -# icmp code != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "code", - "protocol": "icmp" - } - }, - "op": "!=", - "right": { - "set": [ - { - "range": [ - 33, - 55 - ] - } - ] - } - } - } -] - # icmp code { 2, 4, 54, 33, 56} [ { @@ -509,8 +459,8 @@ "op": "!=", "right": { "set": [ - "prot-unreachable", - "frag-needed", + 2, + 4, 33, 54, 56 @@ -606,62 +556,6 @@ } ] -# icmp checksum { 11-343} accept -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "icmp" - } - }, - "op": "==", - "right": { - "set": [ - { - "range": [ - 11, - 343 - ] - } - ] - } - } - }, - { - "accept": null - } -] - -# icmp checksum != { 11-343} accept -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "icmp" - } - }, - "op": "!=", - "right": { - "set": [ - { - "range": [ - 11, - 343 - ] - } - ] - } - } - }, - { - "accept": null - } -] - # icmp checksum { 1111, 222, 343} accept [ { @@ -839,73 +733,6 @@ } ] -# icmp id { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "id", - "protocol": "icmp" - } - }, - "op": "==", - "right": { - "set": [ - { - "range": [ - 33, - 55 - ] - } - ] - } - } - } -] - -# icmp id != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "type", - "protocol": "icmp" - } - }, - "op": "==", - "right": { - "set": [ - "echo-reply", - "echo-request" - ] - } - } - }, - { - "match": { - "left": { - "payload": { - "field": "id", - "protocol": "icmp" - } - }, - "op": "!=", - "right": { - "set": [ - { - "range": [ - 33, - 55 - ] - } - ] - } - } - } -] - # icmp id { 22, 34, 333} [ { @@ -1206,7 +1033,7 @@ } ] -# icmp sequence { 33-55} +# icmp id 1 icmp sequence 2 [ { "match": { @@ -1229,42 +1056,12 @@ "match": { "left": { "payload": { - "field": "sequence", - "protocol": "icmp" - } - }, - "op": "==", - "right": { - "set": [ - { - "range": [ - 33, - 55 - ] - } - ] - } - } - } -] - -# icmp sequence != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "type", + "field": "id", "protocol": "icmp" } }, "op": "==", - "right": { - "set": [ - "echo-reply", - "echo-request" - ] - } + "right": 1 } }, { @@ -1275,22 +1072,13 @@ "protocol": "icmp" } }, - "op": "!=", - "right": { - "set": [ - { - "range": [ - 33, - 55 - ] - } - ] - } + "op": "==", + "right": 2 } } ] -# icmp id 1 icmp sequence 2 +# icmp type { echo-reply, echo-request} icmp id 1 icmp sequence 2 [ { "match": { @@ -1335,7 +1123,7 @@ } ] -# icmp type { echo-reply, echo-request} icmp id 1 icmp sequence 2 +# icmp type echo-reply icmp id 1 [ { "match": { @@ -1346,12 +1134,7 @@ } }, "op": "==", - "right": { - "set": [ - "echo-reply", - "echo-request" - ] - } + "right": "echo-reply" } }, { @@ -1365,18 +1148,6 @@ "op": "==", "right": 1 } - }, - { - "match": { - "left": { - "payload": { - "field": "sequence", - "protocol": "icmp" - } - }, - "op": "==", - "right": 2 - } } ] @@ -1417,56 +1188,6 @@ } ] -# icmp mtu { 22-33} -[ - { - "match": { - "left": { - "payload": { - "field": "mtu", - "protocol": "icmp" - } - }, - "op": "==", - "right": { - "set": [ - { - "range": [ - 22, - 33 - ] - } - ] - } - } - } -] - -# icmp mtu != { 22-33} -[ - { - "match": { - "left": { - "payload": { - "field": "mtu", - "protocol": "icmp" - } - }, - "op": "!=", - "right": { - "set": [ - { - "range": [ - 22, - 33 - ] - } - ] - } - } - } -] - # icmp mtu 22 [ { @@ -1587,56 +1308,6 @@ } ] -# icmp mtu { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "mtu", - "protocol": "icmp" - } - }, - "op": "==", - "right": { - "set": [ - { - "range": [ - 33, - 55 - ] - } - ] - } - } - } -] - -# icmp mtu != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "mtu", - "protocol": "icmp" - } - }, - "op": "!=", - "right": { - "set": [ - { - "range": [ - 33, - 55 - ] - } - ] - } - } - } -] - # icmp gateway 22 [ { @@ -1757,56 +1428,6 @@ } ] -# icmp gateway { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "gateway", - "protocol": "icmp" - } - }, - "op": "==", - "right": { - "set": [ - { - "range": [ - 33, - 55 - ] - } - ] - } - } - } -] - -# icmp gateway != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "gateway", - "protocol": "icmp" - } - }, - "op": "!=", - "right": { - "set": [ - { - "range": [ - 33, - 55 - ] - } - ] - } - } - } -] - # icmp gateway != 34 [ { @@ -1867,7 +1488,7 @@ } }, "op": "==", - "right": "host-unreachable" + "right": 1 } } ] diff --git a/tests/py/ip/icmp.t.json.output b/tests/py/ip/icmp.t.json.output index 5a075858..52fd6016 100644 --- a/tests/py/ip/icmp.t.json.output +++ b/tests/py/ip/icmp.t.json.output @@ -11,8 +11,8 @@ "op": "==", "right": { "set": [ - "prot-unreachable", - "frag-needed", + 2, + 4, 33, 54, 56 diff --git a/tests/py/ip/icmp.t.payload.ip b/tests/py/ip/icmp.t.payload.ip index dccff4c0..3bc6de3c 100644 --- a/tests/py/ip/icmp.t.payload.ip +++ b/tests/py/ip/icmp.t.payload.ip @@ -143,26 +143,6 @@ ip test-ip4 input [ payload load 1b @ transport header + 1 => reg 1 ] [ range neq reg 1 0x00000021 0x00000037 ] -# icmp code { 33-55} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - [ payload load 1b @ transport header + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# icmp code != { 33-55} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - [ payload load 1b @ transport header + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # icmp code { 2, 4, 54, 33, 56} __set%d test-ip4 3 __set%d test-ip4 0 @@ -216,28 +196,6 @@ ip test-ip4 input [ range neq reg 1 0x00000b00 0x00005701 ] [ immediate reg 0 accept ] -# icmp checksum { 11-343} accept -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00000b00 : 0 [end] element 00005801 : 1 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - [ immediate reg 0 accept ] - -# icmp checksum != { 11-343} accept -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00000b00 : 0 [end] element 00005801 : 1 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - [ immediate reg 0 accept ] - # icmp checksum { 1111, 222, 343} accept __set%d test-ip4 3 __set%d test-ip4 0 @@ -322,36 +280,6 @@ ip test-ip4 input [ payload load 2b @ transport header + 4 => reg 1 ] [ range neq reg 1 0x00002100 0x00002d00 ] -# icmp id { 33-55} -__set%d test-ip4 3 -__set%d test-ip4 0 - element 00000008 : 0 [end] element 00000000 : 0 [end] -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - [ payload load 1b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - [ payload load 2b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# icmp id != { 33-55} -__set%d test-ip4 3 -__set%d test-ip4 0 - element 00000008 : 0 [end] element 00000000 : 0 [end] -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - [ payload load 1b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - [ payload load 2b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # icmp id { 22, 34, 333} __set%d test-ip4 3 __set%d test-ip4 0 @@ -461,36 +389,6 @@ ip test-ip4 input [ payload load 2b @ transport header + 6 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# icmp sequence { 33-55} -__set%d test-ip4 3 -__set%d test-ip4 0 - element 00000008 : 0 [end] element 00000000 : 0 [end] -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - [ payload load 1b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - [ payload load 2b @ transport header + 6 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# icmp sequence != { 33-55} -__set%d test-ip4 3 -__set%d test-ip4 0 - element 00000008 : 0 [end] element 00000000 : 0 [end] -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - [ payload load 1b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - [ payload load 2b @ transport header + 6 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # icmp id 1 icmp sequence 2 __set%d test-ip4 3 __set%d test-ip4 0 @@ -515,6 +413,15 @@ ip [ payload load 4b @ transport header + 4 => reg 1 ] [ cmp eq reg 1 0x02000100 ] +# icmp type echo-reply icmp id 1 +ip + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000000 ] + [ payload load 2b @ transport header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + # icmp mtu 33 ip test-ip4 input [ meta load l4proto => reg 1 ] @@ -534,30 +441,6 @@ ip test-ip4 input [ cmp gte reg 1 0x00001600 ] [ cmp lte reg 1 0x00002100 ] -# icmp mtu { 22-33} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00001600 : 0 [end] element 00002200 : 1 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - [ payload load 1b @ transport header + 0 => reg 1 ] - [ cmp eq reg 1 0x00000003 ] - [ payload load 2b @ transport header + 6 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# icmp mtu != { 22-33} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00001600 : 0 [end] element 00002200 : 1 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - [ payload load 1b @ transport header + 0 => reg 1 ] - [ cmp eq reg 1 0x00000003 ] - [ payload load 2b @ transport header + 6 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # icmp mtu 22 ip test-ip4 input [ meta load l4proto => reg 1 ] @@ -619,30 +502,6 @@ ip test-ip4 input [ payload load 2b @ transport header + 6 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# icmp mtu { 33-55} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - [ payload load 1b @ transport header + 0 => reg 1 ] - [ cmp eq reg 1 0x00000003 ] - [ payload load 2b @ transport header + 6 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# icmp mtu != { 33-55} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - [ payload load 1b @ transport header + 0 => reg 1 ] - [ cmp eq reg 1 0x00000003 ] - [ payload load 2b @ transport header + 6 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # icmp gateway 22 ip test-ip4 input [ meta load l4proto => reg 1 ] @@ -704,30 +563,6 @@ ip test-ip4 input [ payload load 4b @ transport header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# icmp gateway { 33-55} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - [ payload load 1b @ transport header + 0 => reg 1 ] - [ cmp eq reg 1 0x00000005 ] - [ payload load 4b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# icmp gateway != { 33-55} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000001 ] - [ payload load 1b @ transport header + 0 => reg 1 ] - [ cmp eq reg 1 0x00000005 ] - [ payload load 4b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # icmp gateway != 34 ip test-ip4 input [ meta load l4proto => reg 1 ] diff --git a/tests/py/ip/igmp.t b/tests/py/ip/igmp.t index 939dcc32..a556e475 100644 --- a/tests/py/ip/igmp.t +++ b/tests/py/ip/igmp.t @@ -16,8 +16,6 @@ igmp checksum 12343;ok igmp checksum != 12343;ok igmp checksum 11-343;ok igmp checksum != 11-343;ok -igmp checksum { 11-343};ok -igmp checksum != { 11-343};ok igmp checksum { 1111, 222, 343};ok igmp checksum != { 1111, 222, 343};ok diff --git a/tests/py/ip/igmp.t.json b/tests/py/ip/igmp.t.json index 66dd3bb7..0e2a43f3 100644 --- a/tests/py/ip/igmp.t.json +++ b/tests/py/ip/igmp.t.json @@ -196,56 +196,6 @@ } ] -# igmp checksum { 11-343} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "igmp" - } - }, - "op": "==", - "right": { - "set": [ - { - "range": [ - 11, - 343 - ] - } - ] - } - } - } -] - -# igmp checksum != { 11-343} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "igmp" - } - }, - "op": "!=", - "right": { - "set": [ - { - "range": [ - 11, - 343 - ] - } - ] - } - } - } -] - # igmp checksum { 1111, 222, 343} [ { diff --git a/tests/py/ip/igmp.t.payload b/tests/py/ip/igmp.t.payload index b5207475..940fe2cd 100644 --- a/tests/py/ip/igmp.t.payload +++ b/tests/py/ip/igmp.t.payload @@ -62,26 +62,6 @@ ip test-ip4 input [ payload load 2b @ transport header + 2 => reg 1 ] [ range neq reg 1 0x00000b00 0x00005701 ] -# igmp checksum { 11-343} -__set%d test-ip4 7 size 3 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00000b00 : 0 [end] element 00005801 : 1 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# igmp checksum != { 11-343} -__set%d test-ip4 7 size 3 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00000b00 : 0 [end] element 00005801 : 1 [end] -ip test-ip4 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # igmp checksum { 1111, 222, 343} __set%d test-ip4 3 size 3 __set%d test-ip4 0 diff --git a/tests/py/ip/ip.t b/tests/py/ip/ip.t index 04aada2d..e6999c29 100644 --- a/tests/py/ip/ip.t +++ b/tests/py/ip/ip.t @@ -1,10 +1,11 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *inet;test-inet;input *bridge;test-bridge;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress - ip version 2;ok @@ -39,8 +40,6 @@ ip length 333-435;ok ip length != 333-453;ok ip length { 333, 553, 673, 838};ok ip length != { 333, 553, 673, 838};ok -ip length { 333-535};ok -ip length != { 333-535};ok ip id 22;ok ip id != 233;ok @@ -48,17 +47,16 @@ ip id 33-45;ok ip id != 33-45;ok ip id { 33, 55, 67, 88};ok ip id != { 33, 55, 67, 88};ok -ip id { 33-55};ok -ip id != { 33-55};ok - -ip frag-off 222 accept;ok -ip frag-off != 233;ok -ip frag-off 33-45;ok -ip frag-off != 33-45;ok -ip frag-off { 33, 55, 67, 88};ok -ip frag-off != { 33, 55, 67, 88};ok -ip frag-off { 33-55};ok -ip frag-off != { 33-55};ok + +ip frag-off 0xde accept;ok +ip frag-off != 0xe9;ok +ip frag-off 0x21-0x2d;ok +ip frag-off != 0x21-0x2d;ok +ip frag-off { 0x21, 0x37, 0x43, 0x58};ok +ip frag-off != { 0x21, 0x37, 0x43, 0x58};ok +ip frag-off & 0x1fff != 0x0;ok +ip frag-off & 0x2000 != 0x0;ok +ip frag-off & 0x4000 != 0x0;ok ip ttl 0 drop;ok ip ttl 233;ok @@ -66,8 +64,6 @@ ip ttl 33-55;ok ip ttl != 45-50;ok ip ttl {43, 53, 45 };ok ip ttl != {43, 53, 45 };ok -ip ttl { 33-55};ok -ip ttl != { 33-55};ok ip protocol tcp;ok;ip protocol 6 ip protocol != tcp;ok;ip protocol != 6 @@ -84,8 +80,6 @@ ip checksum 33-45;ok ip checksum != 33-45;ok ip checksum { 33, 55, 67, 88};ok ip checksum != { 33, 55, 67, 88};ok -ip checksum { 33-55};ok -ip checksum != { 33-55};ok ip saddr set {192.19.1.2, 191.1.22.1};fail @@ -99,8 +93,6 @@ ip daddr 10.0.0.0-10.255.255.255;ok ip daddr 172.16.0.0-172.31.255.255;ok ip daddr 192.168.3.1-192.168.4.250;ok ip daddr != 192.168.0.1-192.168.0.250;ok -ip daddr { 192.168.0.1-192.168.0.250};ok -ip daddr != { 192.168.0.1-192.168.0.250};ok ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept;ok ip daddr != { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept;ok @@ -135,3 +127,11 @@ iif "lo" ip protocol set 1;ok iif "lo" ip dscp set af23;ok iif "lo" ip dscp set cs0;ok + +ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 };ok +ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept };ok + +ip saddr 1.2.3.4 ip daddr 3.4.5.6;ok +ip saddr 1.2.3.4 counter ip daddr 3.4.5.6;ok + +ip dscp 1/6;ok;ip dscp & 0x3f == lephb diff --git a/tests/py/ip/ip.t.json b/tests/py/ip/ip.t.json index 3131ab79..a170e5c1 100644 --- a/tests/py/ip/ip.t.json +++ b/tests/py/ip/ip.t.json @@ -270,46 +270,6 @@ } ] -# ip length { 333-535} -[ - { - "match": { - "left": { - "payload": { - "field": "length", - "protocol": "ip" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 333, 535 ] } - ] - } - } - } -] - -# ip length != { 333-535} -[ - { - "match": { - "left": { - "payload": { - "field": "length", - "protocol": "ip" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 333, 535 ] } - ] - } - } - } -] - # ip id 22 [ { @@ -424,47 +384,7 @@ } ] -# ip id { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "id", - "protocol": "ip" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# ip id != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "id", - "protocol": "ip" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# ip frag-off 222 accept +# ip frag-off 0xde accept [ { "match": { @@ -483,7 +403,7 @@ } ] -# ip frag-off != 233 +# ip frag-off != 0xe9 [ { "match": { @@ -499,7 +419,7 @@ } ] -# ip frag-off 33-45 +# ip frag-off 0x21-0x2d [ { "match": { @@ -517,7 +437,7 @@ } ] -# ip frag-off != 33-45 +# ip frag-off != 0x21-0x2d [ { "match": { @@ -535,7 +455,7 @@ } ] -# ip frag-off { 33, 55, 67, 88} +# ip frag-off { 0x21, 0x37, 0x43, 0x58} [ { "match": { @@ -558,7 +478,7 @@ } ] -# ip frag-off != { 33, 55, 67, 88} +# ip frag-off != { 0x21, 0x37, 0x43, 0x58} [ { "match": { @@ -581,42 +501,65 @@ } ] -# ip frag-off { 33-55} +# ip frag-off & 0x1fff != 0x0 [ { "match": { "left": { - "payload": { - "field": "frag-off", - "protocol": "ip" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } + "&": [ + { + "payload": { + "field": "frag-off", + "protocol": "ip" + } + }, + 8191 ] - } + }, + "op": "!=", + "right": 0 } } ] -# ip frag-off != { 33-55} +# ip frag-off & 0x2000 != 0x0 [ { "match": { "left": { - "payload": { - "field": "frag-off", - "protocol": "ip" - } + "&": [ + { + "payload": { + "field": "frag-off", + "protocol": "ip" + } + }, + 8192 + ] }, "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } + "right": 0 + } + } +] + +# ip frag-off & 0x4000 != 0x0 +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "frag-off", + "protocol": "ip" + } + }, + 16384 ] - } + }, + "op": "!=", + "right": 0 } } ] @@ -736,46 +679,6 @@ } ] -# ip ttl { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "ttl", - "protocol": "ip" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# ip ttl != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "ttl", - "protocol": "ip" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # ip protocol tcp [ { @@ -1019,46 +922,6 @@ } ] -# ip checksum { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "ip" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# ip checksum != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "ip" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # ip saddr 192.168.2.0/24 [ { @@ -1251,46 +1114,6 @@ } ] -# ip daddr { 192.168.0.1-192.168.0.250} -[ - { - "match": { - "left": { - "payload": { - "field": "daddr", - "protocol": "ip" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ "192.168.0.1", "192.168.0.250" ] } - ] - } - } - } -] - -# ip daddr != { 192.168.0.1-192.168.0.250} -[ - { - "match": { - "left": { - "payload": { - "field": "daddr", - "protocol": "ip" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ "192.168.0.1", "192.168.0.250" ] } - ] - } - } - } -] - # ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept [ { @@ -1836,3 +1659,174 @@ } ] +# ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "192.0.2.1", + { + "range": [ + "10.0.0.1", + "10.0.0.2" + ] + } + ] + } + ] + } + } + } +] + +# ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept } +[ + { + "vmap": { + "data": { + "set": [ + [ + { + "concat": [ + { + "range": [ + "192.168.5.1", + "192.168.5.128" + ] + }, + { + "range": [ + "192.168.6.1", + "192.168.6.128" + ] + } + ] + }, + { + "accept": null + } + ] + ] + }, + "key": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip" + } + } + ] + } + } + } +] + +# ip saddr 1.2.3.4 ip daddr 3.4.5.6 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "1.2.3.4" + } + }, + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "3.4.5.6" + } + } +] + +# ip saddr 1.2.3.4 counter ip daddr 3.4.5.6 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "1.2.3.4" + } + }, + { + "counter": { + "bytes": 0, + "packets": 0 + } + }, + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "3.4.5.6" + } + } +] + +# ip dscp 1/6 +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 63 + ] + }, + "op": "==", + "right": "lephb" + } + } +] diff --git a/tests/py/ip/ip.t.json.output b/tests/py/ip/ip.t.json.output index b201cdaa..351ae935 100644 --- a/tests/py/ip/ip.t.json.output +++ b/tests/py/ip/ip.t.json.output @@ -230,3 +230,34 @@ } ] +# ip saddr 1.2.3.4 counter ip daddr 3.4.5.6 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "1.2.3.4" + } + }, + { + "counter": null + }, + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "3.4.5.6" + } + } +] + diff --git a/tests/py/ip/ip.t.payload b/tests/py/ip/ip.t.payload index 578c8d37..d7ddf7be 100644 --- a/tests/py/ip/ip.t.payload +++ b/tests/py/ip/ip.t.payload @@ -43,7 +43,7 @@ ip test-ip4 input # ip dscp vmap { cs1 : continue , cs4 : accept } counter __map%d test-ip4 b size 2 __map%d test-ip4 0 - element 00000020 : 0 [end] element 00000080 : 0 [end] + element 00000020 : continue 0 [end] element 00000080 : accept 0 [end] ip test-ip4 input [ payload load 1b @ network header + 1 => reg 1 ] [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] @@ -87,22 +87,6 @@ ip test-ip4 input [ payload load 2b @ network header + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip length { 333-535} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end] -ip test-ip4 input - [ payload load 2b @ network header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip length != { 333-535} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end] -ip test-ip4 input - [ payload load 2b @ network header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip id 22 ip test-ip4 input [ payload load 2b @ network header + 4 => reg 1 ] @@ -140,45 +124,29 @@ ip test-ip4 input [ payload load 2b @ network header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip id { 33-55} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -ip test-ip4 input - [ payload load 2b @ network header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip id != { 33-55} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -ip test-ip4 input - [ payload load 2b @ network header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - -# ip frag-off 222 accept +# ip frag-off 0xde accept ip test-ip4 input [ payload load 2b @ network header + 6 => reg 1 ] [ cmp eq reg 1 0x0000de00 ] [ immediate reg 0 accept ] -# ip frag-off != 233 +# ip frag-off != 0xe9 ip test-ip4 input [ payload load 2b @ network header + 6 => reg 1 ] [ cmp neq reg 1 0x0000e900 ] -# ip frag-off 33-45 +# ip frag-off 0x21-0x2d ip test-ip4 input [ payload load 2b @ network header + 6 => reg 1 ] [ cmp gte reg 1 0x00002100 ] [ cmp lte reg 1 0x00002d00 ] -# ip frag-off != 33-45 +# ip frag-off != 0x21-0x2d ip test-ip4 input [ payload load 2b @ network header + 6 => reg 1 ] [ range neq reg 1 0x00002100 0x00002d00 ] -# ip frag-off { 33, 55, 67, 88} +# ip frag-off { 0x21, 0x37, 0x43, 0x58} __set%d test-ip4 3 __set%d test-ip4 0 element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] @@ -186,7 +154,7 @@ ip test-ip4 input [ payload load 2b @ network header + 6 => reg 1 ] [ lookup reg 1 set __set%d ] -# ip frag-off != { 33, 55, 67, 88} +# ip frag-off != { 0x21, 0x37, 0x43, 0x58} __set%d test-ip4 3 __set%d test-ip4 0 element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] @@ -194,21 +162,23 @@ ip test-ip4 input [ payload load 2b @ network header + 6 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip frag-off { 33-55} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] +# ip frag-off & 0x1fff != 0x0 ip test-ip4 input [ payload load 2b @ network header + 6 => reg 1 ] - [ lookup reg 1 set __set%d ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] -# ip frag-off != { 33-55} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] +# ip frag-off & 0x2000 != 0x0 ip test-ip4 input [ payload load 2b @ network header + 6 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip frag-off & 0x4000 != 0x0 +ip test-ip4 input + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000040 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] # ip ttl 0 drop ip test-ip4 input @@ -248,22 +218,6 @@ ip test-ip4 input [ payload load 1b @ network header + 8 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip ttl { 33-55} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip test-ip4 input - [ payload load 1b @ network header + 8 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip ttl != { 33-55} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip test-ip4 input - [ payload load 1b @ network header + 8 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip protocol tcp ip test-ip4 input [ payload load 1b @ network header + 9 => reg 1 ] @@ -340,22 +294,6 @@ ip test-ip4 input [ payload load 2b @ network header + 10 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip checksum { 33-55} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -ip test-ip4 input - [ payload load 2b @ network header + 10 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip checksum != { 33-55} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -ip test-ip4 input - [ payload load 2b @ network header + 10 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip saddr 192.168.2.0/24 ip test-ip4 input [ payload load 3b @ network header + 12 => reg 1 ] @@ -412,22 +350,6 @@ ip test-ip4 input [ payload load 4b @ network header + 16 => reg 1 ] [ range neq reg 1 0x0100a8c0 0xfa00a8c0 ] -# ip daddr { 192.168.0.1-192.168.0.250} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end] -ip test-ip4 input - [ payload load 4b @ network header + 16 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip daddr != { 192.168.0.1-192.168.0.250} -__set%d test-ip4 7 -__set%d test-ip4 0 - element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end] -ip test-ip4 input - [ payload load 4b @ network header + 16 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept __set%d test-ip4 3 __set%d test-ip4 0 @@ -526,7 +448,7 @@ ip test-ip4 input # ip hdrlength vmap { 0-4 : drop, 5 : accept, 6 : continue } counter __map%d test-ip4 f size 4 __map%d test-ip4 0 - element 00000000 : 0 [end] element 00000005 : 0 [end] element 00000006 : 0 [end] element 00000007 : 1 [end] + element 00000000 : drop 0 [end] element 00000005 : accept 0 [end] element 00000006 : continue 0 [end] element 00000007 : 1 [end] ip test-ip4 input [ payload load 1b @ network header + 0 => reg 1 ] [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] @@ -602,3 +524,43 @@ ip test-ip4 input [ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000100 ] [ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x1 ] +# ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 } +__set%d test-ip4 87 size 1 +__set%d test-ip4 0 + element 010200c0 0100000a - 010200c0 0200000a : 0 [end] +ip + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ lookup reg 1 set __set%d ] + +# ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept } +__map%d test-ip4 8f size 1 +__map%d test-ip4 0 + element 0105a8c0 0106a8c0 - 8005a8c0 8006a8c0 : accept 0 [end] +ip + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ lookup reg 1 set __map%d dreg 0 ] + +# ip saddr 1.2.3.4 ip daddr 3.4.5.6 +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x06050403 ] + +# ip saddr 1.2.3.4 counter ip daddr 3.4.5.6 +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ counter pkts 0 bytes 0 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x06050403 ] + +# ip dscp 1/6 +ip test-ip4 input + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0x0000003f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000001 ] diff --git a/tests/py/ip/ip.t.payload.bridge b/tests/py/ip/ip.t.payload.bridge index 6ac5e740..53f881d3 100644 --- a/tests/py/ip/ip.t.payload.bridge +++ b/tests/py/ip/ip.t.payload.bridge @@ -55,7 +55,7 @@ bridge test-bridge input # ip dscp vmap { cs1 : continue , cs4 : accept } counter __map%d test-bridge b size 2 __map%d test-bridge 0 - element 00000020 : 0 [end] element 00000080 : 0 [end] + element 00000020 : continue 0 [end] element 00000080 : accept 0 [end] bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] @@ -113,26 +113,6 @@ bridge test-bridge input [ payload load 2b @ network header + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip length { 333-535} -__set%d test-bridge 7 size 3 -__set%d test-bridge 0 - element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end] -bridge test-bridge input - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 2b @ network header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip length != { 333-535} -__set%d test-bridge 7 size 3 -__set%d test-bridge 0 - element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end] -bridge test-bridge input - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 2b @ network header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip id 22 bridge test-bridge input [ meta load protocol => reg 1 ] @@ -182,27 +162,7 @@ bridge test-bridge input [ payload load 2b @ network header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip id { 33-55} -__set%d test-bridge 7 size 3 -__set%d test-bridge 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -bridge test-bridge input - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 2b @ network header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip id != { 33-55} -__set%d test-bridge 7 size 3 -__set%d test-bridge 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -bridge test-bridge input - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 2b @ network header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - -# ip frag-off 222 accept +# ip frag-off 0xde accept bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] @@ -210,14 +170,14 @@ bridge test-bridge input [ cmp eq reg 1 0x0000de00 ] [ immediate reg 0 accept ] -# ip frag-off != 233 +# ip frag-off != 0xe9 bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 6 => reg 1 ] [ cmp neq reg 1 0x0000e900 ] -# ip frag-off 33-45 +# ip frag-off 0x21-0x2d bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] @@ -225,14 +185,14 @@ bridge test-bridge input [ cmp gte reg 1 0x00002100 ] [ cmp lte reg 1 0x00002d00 ] -# ip frag-off != 33-45 +# ip frag-off != 0x21-0x2d bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 6 => reg 1 ] [ range neq reg 1 0x00002100 0x00002d00 ] -# ip frag-off { 33, 55, 67, 88} +# ip frag-off { 0x21, 0x37, 0x43, 0x58} __set%d test-bridge 3 size 4 __set%d test-bridge 0 element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] @@ -242,7 +202,7 @@ bridge test-bridge input [ payload load 2b @ network header + 6 => reg 1 ] [ lookup reg 1 set __set%d ] -# ip frag-off != { 33, 55, 67, 88} +# ip frag-off != { 0x21, 0x37, 0x43, 0x58} __set%d test-bridge 3 size 4 __set%d test-bridge 0 element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] @@ -252,25 +212,29 @@ bridge test-bridge input [ payload load 2b @ network header + 6 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip frag-off { 33-55} -__set%d test-bridge 7 size 3 -__set%d test-bridge 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] +# ip frag-off & 0x1fff != 0x0 bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 6 => reg 1 ] - [ lookup reg 1 set __set%d ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] -# ip frag-off != { 33-55} -__set%d test-bridge 7 size 3 -__set%d test-bridge 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] +# ip frag-off & 0x2000 != 0x0 bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 6 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip frag-off & 0x4000 != 0x0 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000040 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] # ip ttl 0 drop bridge test-bridge input @@ -322,26 +286,6 @@ bridge test-bridge input [ payload load 1b @ network header + 8 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip ttl { 33-55} -__set%d test-bridge 7 size 3 -__set%d test-bridge 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -bridge test-bridge input - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 1b @ network header + 8 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip ttl != { 33-55} -__set%d test-bridge 7 size 3 -__set%d test-bridge 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -bridge test-bridge input - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 1b @ network header + 8 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip protocol tcp bridge test-bridge input [ meta load protocol => reg 1 ] @@ -442,26 +386,6 @@ bridge test-bridge input [ payload load 2b @ network header + 10 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip checksum { 33-55} -__set%d test-bridge 7 size 3 -__set%d test-bridge 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -bridge test-bridge input - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 2b @ network header + 10 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip checksum != { 33-55} -__set%d test-bridge 7 size 3 -__set%d test-bridge 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -bridge test-bridge input - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 2b @ network header + 10 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip saddr 192.168.2.0/24 bridge test-bridge input [ meta load protocol => reg 1 ] @@ -538,26 +462,6 @@ bridge test-bridge input [ payload load 4b @ network header + 16 => reg 1 ] [ range neq reg 1 0x0100a8c0 0xfa00a8c0 ] -# ip daddr { 192.168.0.1-192.168.0.250} -__set%d test-bridge 7 size 3 -__set%d test-bridge 0 - element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end] -bridge test-bridge input - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 4b @ network header + 16 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip daddr != { 192.168.0.1-192.168.0.250} -__set%d test-bridge 7 size 3 -__set%d test-bridge 0 - element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end] -bridge test-bridge input - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 4b @ network header + 16 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept __set%d test-bridge 3 size 3 __set%d test-bridge 0 @@ -686,7 +590,7 @@ bridge test-bridge input # ip hdrlength vmap { 0-4 : drop, 5 : accept, 6 : continue } counter __map%d test-bridge f size 4 __map%d test-bridge 0 - element 00000000 : 0 [end] element 00000005 : 0 [end] element 00000006 : 0 [end] element 00000007 : 1 [end] + element 00000000 : drop 0 [end] element 00000005 : accept 0 [end] element 00000006 : continue 0 [end] element 00000007 : 1 [end] bridge test-bridge input [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] @@ -782,3 +686,53 @@ bridge test-bridge input [ bitwise reg 1 = ( reg 1 & 0x000003ff ) ^ 0x00000000 ] [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] +# ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 } +__set%d test-bridge 87 size 1 +__set%d test-bridge 0 + element 010200c0 0100000a - 010200c0 0200000a : 0 [end] +bridge + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ lookup reg 1 set __set%d ] + +# ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept } +__map%d test-bridge 8f size 1 +__map%d test-bridge 0 + element 0105a8c0 0106a8c0 - 8005a8c0 8006a8c0 : accept 0 [end] +bridge + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ lookup reg 1 set __map%d dreg 0 ] + +# ip saddr 1.2.3.4 ip daddr 3.4.5.6 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x06050403 ] + +# ip saddr 1.2.3.4 counter ip daddr 3.4.5.6 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ counter pkts 0 bytes 0 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x06050403 ] + +# ip dscp 1/6 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0x0000003f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000001 ] diff --git a/tests/py/ip/ip.t.payload.inet b/tests/py/ip/ip.t.payload.inet index 8c778f99..08674c98 100644 --- a/tests/py/ip/ip.t.payload.inet +++ b/tests/py/ip/ip.t.payload.inet @@ -55,7 +55,7 @@ inet test-inet input # ip dscp vmap { cs1 : continue , cs4 : accept } counter __map%d test-inet b size 2 __map%d test-inet 0 - element 00000020 : 0 [end] element 00000080 : 0 [end] + element 00000020 : continue 0 [end] element 00000080 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] @@ -113,26 +113,6 @@ inet test-inet input [ payload load 2b @ network header + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip length { 333-535} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ network header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip length != { 333-535} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ network header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip id 22 inet test-inet input [ meta load nfproto => reg 1 ] @@ -182,27 +162,7 @@ inet test-inet input [ payload load 2b @ network header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip id { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ network header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip id != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ network header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - -# ip frag-off 222 accept +# ip frag-off 0xde accept inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] @@ -210,14 +170,14 @@ inet test-inet input [ cmp eq reg 1 0x0000de00 ] [ immediate reg 0 accept ] -# ip frag-off != 233 +# ip frag-off != 0xe9 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 6 => reg 1 ] [ cmp neq reg 1 0x0000e900 ] -# ip frag-off 33-45 +# ip frag-off 0x21-0x2d inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] @@ -225,14 +185,14 @@ inet test-inet input [ cmp gte reg 1 0x00002100 ] [ cmp lte reg 1 0x00002d00 ] -# ip frag-off != 33-45 +# ip frag-off != 0x21-0x2d inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 6 => reg 1 ] [ range neq reg 1 0x00002100 0x00002d00 ] -# ip frag-off { 33, 55, 67, 88} +# ip frag-off { 0x21, 0x37, 0x43, 0x58} __set%d test-inet 3 __set%d test-inet 0 element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] @@ -242,7 +202,7 @@ inet test-inet input [ payload load 2b @ network header + 6 => reg 1 ] [ lookup reg 1 set __set%d ] -# ip frag-off != { 33, 55, 67, 88} +# ip frag-off != { 0x21, 0x37, 0x43, 0x58} __set%d test-inet 3 __set%d test-inet 0 element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] @@ -252,25 +212,29 @@ inet test-inet input [ payload load 2b @ network header + 6 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip frag-off { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] +# ip frag-off & 0x1fff != 0x0 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 6 => reg 1 ] - [ lookup reg 1 set __set%d ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] -# ip frag-off != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] +# ip frag-off & 0x2000 != 0x0 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 6 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip frag-off & 0x4000 != 0x0 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000040 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] # ip ttl 0 drop inet test-inet input @@ -322,26 +286,6 @@ inet test-inet input [ payload load 1b @ network header + 8 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip ttl { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 1b @ network header + 8 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip ttl != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 1b @ network header + 8 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip protocol tcp inet test-inet input [ meta load nfproto => reg 1 ] @@ -442,26 +386,6 @@ inet test-inet input [ payload load 2b @ network header + 10 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip checksum { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ network header + 10 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip checksum != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 2b @ network header + 10 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip saddr 192.168.2.0/24 inet test-inet input [ meta load nfproto => reg 1 ] @@ -538,26 +462,6 @@ inet test-inet input [ payload load 4b @ network header + 16 => reg 1 ] [ range neq reg 1 0x0100a8c0 0xfa00a8c0 ] -# ip daddr { 192.168.0.1-192.168.0.250} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 4b @ network header + 16 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip daddr != { 192.168.0.1-192.168.0.250} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 4b @ network header + 16 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept __set%d test-inet 3 __set%d test-inet 0 @@ -686,7 +590,7 @@ inet test-inet input # ip hdrlength vmap { 0-4 : drop, 5 : accept, 6 : continue } counter __map%d test-inet f size 4 __map%d test-inet 0 - element 00000000 : 0 [end] element 00000005 : 0 [end] element 00000006 : 0 [end] element 00000007 : 1 [end] + element 00000000 : drop 0 [end] element 00000005 : accept 0 [end] element 00000006 : continue 0 [end] element 00000007 : 1 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] @@ -782,3 +686,53 @@ inet test-inet input [ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000100 ] [ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x1 ] +# ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 } +__set%d test-inet 87 size 1 +__set%d test-inet 0 + element 010200c0 0100000a - 010200c0 0200000a : 0 [end] +inet + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ lookup reg 1 set __set%d ] + +# ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept } +__map%d test-inet 8f size 1 +__map%d test-inet 0 + element 0105a8c0 0106a8c0 - 8005a8c0 8006a8c0 : accept 0 [end] +inet + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ lookup reg 1 set __map%d dreg 0 ] + +# ip saddr 1.2.3.4 ip daddr 3.4.5.6 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x06050403 ] + +# ip saddr 1.2.3.4 counter ip daddr 3.4.5.6 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ counter pkts 0 bytes 0 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x06050403 ] + +# ip dscp 1/6 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0x0000003f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000001 ] diff --git a/tests/py/ip/ip.t.payload.netdev b/tests/py/ip/ip.t.payload.netdev index d4e029b0..8220b05d 100644 --- a/tests/py/ip/ip.t.payload.netdev +++ b/tests/py/ip/ip.t.payload.netdev @@ -47,26 +47,6 @@ netdev test-netdev ingress [ payload load 2b @ network header + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip length { 333-535} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end] -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 2b @ network header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip length != { 333-535} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end] -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 2b @ network header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip id 22 netdev test-netdev ingress [ meta load protocol => reg 1 ] @@ -116,27 +96,7 @@ netdev test-netdev ingress [ payload load 2b @ network header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip id { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 2b @ network header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip id != { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 2b @ network header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - -# ip frag-off 222 accept +# ip frag-off 0xde accept netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] @@ -144,14 +104,14 @@ netdev test-netdev ingress [ cmp eq reg 1 0x0000de00 ] [ immediate reg 0 accept ] -# ip frag-off != 233 +# ip frag-off != 0xe9 netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 6 => reg 1 ] [ cmp neq reg 1 0x0000e900 ] -# ip frag-off 33-45 +# ip frag-off 0x21-0x2d netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] @@ -159,14 +119,14 @@ netdev test-netdev ingress [ cmp gte reg 1 0x00002100 ] [ cmp lte reg 1 0x00002d00 ] -# ip frag-off != 33-45 +# ip frag-off != 0x21-0x2d netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 6 => reg 1 ] [ range neq reg 1 0x00002100 0x00002d00 ] -# ip frag-off { 33, 55, 67, 88} +# ip frag-off { 0x21, 0x37, 0x43, 0x58} __set%d test-netdev 3 __set%d test-netdev 0 element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] @@ -176,7 +136,7 @@ netdev test-netdev ingress [ payload load 2b @ network header + 6 => reg 1 ] [ lookup reg 1 set __set%d ] -# ip frag-off != { 33, 55, 67, 88} +# ip frag-off != { 0x21, 0x37, 0x43, 0x58} __set%d test-netdev 3 __set%d test-netdev 0 element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] @@ -186,25 +146,29 @@ netdev test-netdev ingress [ payload load 2b @ network header + 6 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip frag-off { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -netdev test-netdev ingress +# ip frag-off & 0x1fff != 0x0 +netdev x y [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 6 => reg 1 ] - [ lookup reg 1 set __set%d ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] -# ip frag-off != { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -netdev test-netdev ingress +# ip frag-off & 0x2000 != 0x0 +netdev x y [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 2b @ network header + 6 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip frag-off & 0x4000 != 0x0 +netdev x y + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000040 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] # ip ttl 0 drop netdev test-netdev ingress @@ -249,26 +213,6 @@ netdev test-netdev ingress [ payload load 1b @ network header + 8 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip ttl { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 1b @ network header + 8 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip ttl != { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 1b @ network header + 8 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept __set%d test-netdev 3 __set%d test-netdev 0 @@ -355,26 +299,6 @@ netdev test-netdev ingress [ payload load 2b @ network header + 10 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip checksum { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 2b @ network header + 10 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip checksum != { 33-55} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 2b @ network header + 10 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip saddr 192.168.2.0/24 netdev test-netdev ingress [ meta load protocol => reg 1 ] @@ -444,26 +368,6 @@ netdev test-netdev ingress [ payload load 4b @ network header + 16 => reg 1 ] [ range neq reg 1 0x0100a8c0 0xfa00a8c0 ] -# ip daddr { 192.168.0.1-192.168.0.250} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end] -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 4b @ network header + 16 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip daddr != { 192.168.0.1-192.168.0.250} -__set%d test-netdev 7 -__set%d test-netdev 0 - element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end] -netdev test-netdev ingress - [ meta load protocol => reg 1 ] - [ cmp eq reg 1 0x00000008 ] - [ payload load 4b @ network header + 16 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept __set%d test-netdev 3 __set%d test-netdev 0 @@ -585,7 +489,7 @@ netdev test-netdev ingress # ip hdrlength vmap { 0-4 : drop, 5 : accept, 6 : continue } counter __map%d test-netdev f size 4 __map%d test-netdev 0 - element 00000000 : 0 [end] element 00000005 : 0 [end] element 00000006 : 0 [end] element 00000007 : 1 [end] + element 00000000 : drop 0 [end] element 00000005 : accept 0 [end] element 00000006 : continue 0 [end] element 00000007 : 1 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] @@ -686,7 +590,7 @@ netdev test-netdev ingress # ip dscp vmap { cs1 : continue , cs4 : accept } counter __map%d test-netdev b size 2 __map%d test-netdev 0 - element 00000020 : 0 [end] element 00000080 : 0 [end] + element 00000020 : continue 0 [end] element 00000080 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] @@ -782,3 +686,53 @@ netdev test-netdev ingress [ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000100 ] [ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x1 ] +# ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 } +__set%d test-netdev 87 size 1 +__set%d test-netdev 0 + element 010200c0 0100000a - 010200c0 0200000a : 0 [end] +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ lookup reg 1 set __set%d ] + +# ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept } +__map%d test-netdev 8f size 1 +__map%d test-netdev 0 + element 0105a8c0 0106a8c0 - 8005a8c0 8006a8c0 : accept 0 [end] +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ lookup reg 1 set __map%d dreg 0 ] + +# ip saddr 1.2.3.4 ip daddr 3.4.5.6 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x06050403 ] + +# ip saddr 1.2.3.4 counter ip daddr 3.4.5.6 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ counter pkts 0 bytes 0 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x06050403 ] + +# ip dscp 1/6 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0x0000003f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000001 ] diff --git a/tests/py/ip/ip_tcp.t b/tests/py/ip/ip_tcp.t index 467da3ef..ff398aa6 100644 --- a/tests/py/ip/ip_tcp.t +++ b/tests/py/ip/ip_tcp.t @@ -1,5 +1,4 @@ :input;type filter hook input priority 0 -:ingress;type filter hook ingress device lo priority 0 *ip;test-ip;input diff --git a/tests/py/ip/masquerade.t.payload b/tests/py/ip/masquerade.t.payload index d5157d71..79e52856 100644 --- a/tests/py/ip/masquerade.t.payload +++ b/tests/py/ip/masquerade.t.payload @@ -112,7 +112,7 @@ ip test-ip4 postrouting # iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } masquerade __map%d test-ip4 b __map%d test-ip4 0 - element 00001600 : 0 [end] element 0000de00 : 0 [end] + element 00001600 : drop 0 [end] element 0000de00 : drop 0 [end] ip test-ip4 postrouting [ meta load iifname => reg 1 ] [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] @@ -130,7 +130,7 @@ ip test-ip4 postrouting [ payload load 1b @ network header + 9 => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ immediate reg 1 0x00000004 ] - [ masq proto_min reg 1 proto_max reg 0 flags 0x2 ] + [ masq proto_min reg 1 flags 0x2 ] # ip protocol 6 masquerade to :1024-2048 ip test-ip4 postrouting diff --git a/tests/py/ip/meta.t b/tests/py/ip/meta.t index f733d22d..a88a6145 100644 --- a/tests/py/ip/meta.t +++ b/tests/py/ip/meta.t @@ -8,8 +8,15 @@ meta l4proto ipv6-icmp icmpv6 type nd-router-advert;ok;icmpv6 type nd-router-adv meta l4proto 58 icmpv6 type nd-router-advert;ok;icmpv6 type nd-router-advert icmpv6 type nd-router-advert;ok +meta protocol ip udp dport 67;ok;udp dport 67 + meta ibrname "br0";fail meta obrname "br0";fail meta sdif "lo" accept;ok meta sdifname != "vrf1" accept;ok + +meta mark set ip dscp;ok + +meta mark set ip dscp << 2 | 0x10;ok +meta mark set ip dscp << 26 | 0x10;ok diff --git a/tests/py/ip/meta.t.json b/tests/py/ip/meta.t.json index f83864f6..25936dba 100644 --- a/tests/py/ip/meta.t.json +++ b/tests/py/ip/meta.t.json @@ -140,3 +140,97 @@ "accept": null } ] + +# meta protocol ip udp dport 67 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 67 + } + } +] + +# meta mark set ip dscp +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "payload": { + "field": "dscp", + "protocol": "ip" + } + } + } + } +] + +# meta mark set ip dscp << 2 | 0x10 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 2 + ] + }, + 16 + ] + } + } + } +] + + +# meta mark set ip dscp << 26 | 0x10 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 26 + ] + }, + 16 + ] + } + } + } +] diff --git a/tests/py/ip/meta.t.payload b/tests/py/ip/meta.t.payload index 7bc69a29..880ac5d6 100644 --- a/tests/py/ip/meta.t.payload +++ b/tests/py/ip/meta.t.payload @@ -44,3 +44,35 @@ ip6 test-ip4 input [ meta load sdifname => reg 1 ] [ cmp neq reg 1 0x31667276 0x00000000 0x00000000 0x00000000 ] [ immediate reg 0 accept ] + +# meta protocol ip udp dport 67 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00004300 ] + +# meta mark set ip dscp +ip test-ip4 input + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ meta set mark with reg 1 ] + +# meta mark set ip dscp << 2 | 0x10 +ip test-ip4 input + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 << 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ] + [ meta set mark with reg 1 ] + +# meta mark set ip dscp << 26 | 0x10 +ip + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 << 0x0000001a ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ] + [ meta set mark with reg 1 ] diff --git a/tests/py/ip/numgen.t b/tests/py/ip/numgen.t index 29a6a105..2a881460 100644 --- a/tests/py/ip/numgen.t +++ b/tests/py/ip/numgen.t @@ -5,3 +5,5 @@ ct mark set numgen inc mod 2;ok ct mark set numgen inc mod 2 offset 100;ok dnat to numgen inc mod 2 map { 0 : 192.168.10.100, 1 : 192.168.20.200 };ok dnat to numgen inc mod 10 map { 0-5 : 192.168.10.100, 6-9 : 192.168.20.200};ok +dnat to numgen inc mod 7 offset 167772161;ok +dnat to numgen inc mod 255 offset 167772161;ok diff --git a/tests/py/ip/numgen.t.json b/tests/py/ip/numgen.t.json index 9902c2cf..6cf66041 100644 --- a/tests/py/ip/numgen.t.json +++ b/tests/py/ip/numgen.t.json @@ -97,3 +97,33 @@ } ] +# dnat to numgen inc mod 7 offset 167772161 +[ + { + "dnat": { + "addr": { + "numgen": { + "mod": 7, + "mode": "inc", + "offset": 167772161 + } + } + } + } +] + +# dnat to numgen inc mod 255 offset 167772161 +[ + { + "dnat": { + "addr": { + "numgen": { + "mod": 255, + "mode": "inc", + "offset": 167772161 + } + } + } + } +] + diff --git a/tests/py/ip/numgen.t.payload b/tests/py/ip/numgen.t.payload index 04088b75..b4eadf85 100644 --- a/tests/py/ip/numgen.t.payload +++ b/tests/py/ip/numgen.t.payload @@ -10,7 +10,7 @@ __map%d x 0 ip test-ip4 pre [ numgen reg 1 = inc mod 2 ] [ lookup reg 1 set __map%d dreg 1 ] - [ nat dnat ip addr_min reg 1 addr_max reg 0 ] + [ nat dnat ip addr_min reg 1 ] # dnat to numgen inc mod 10 map { 0-5 : 192.168.10.100, 6-9 : 192.168.20.200} __map%d test-ip4 f @@ -20,10 +20,21 @@ ip test-ip4 pre [ numgen reg 1 = inc mod 10 ] [ byteorder reg 1 = hton(reg 1, 4, 4) ] [ lookup reg 1 set __map%d dreg 1 ] - [ nat dnat ip addr_min reg 1 addr_max reg 0 ] + [ nat dnat ip addr_min reg 1 ] # ct mark set numgen inc mod 2 offset 100 ip test-ip4 pre [ numgen reg 1 = inc mod 2 offset 100 ] [ ct set mark with reg 1 ] +# dnat to numgen inc mod 7 offset 167772161 +ip test-ip4 pre + [ numgen reg 1 = inc mod 7 offset 167772161 ] + [ byteorder reg 1 = hton(reg 1, 4, 4) ] + [ nat dnat ip addr_min reg 1 ] + +# dnat to numgen inc mod 255 offset 167772161 +ip test-ip4 pre + [ numgen reg 1 = inc mod 255 offset 167772161 ] + [ byteorder reg 1 = hton(reg 1, 4, 4) ] + [ nat dnat ip addr_min reg 1 ] diff --git a/tests/py/ip/redirect.t b/tests/py/ip/redirect.t index d2991ce2..8c2b52f0 100644 --- a/tests/py/ip/redirect.t +++ b/tests/py/ip/redirect.t @@ -47,5 +47,5 @@ ip daddr 10.0.0.0-10.2.3.4 udp dport 53 counter redirect;ok iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } redirect;ok # redirect with maps -ip protocol 6 redirect to :tcp dport map { 22 : 8000, 80 : 8080};ok +redirect to :tcp dport map { 22 : 8000, 80 : 8080};ok diff --git a/tests/py/ip/redirect.t.json b/tests/py/ip/redirect.t.json index 3544e7f1..2afdf9b1 100644 --- a/tests/py/ip/redirect.t.json +++ b/tests/py/ip/redirect.t.json @@ -593,21 +593,9 @@ } ] -# ip protocol 6 redirect to :tcp dport map { 22 : 8000, 80 : 8080} +# redirect to :tcp dport map { 22 : 8000, 80 : 8080} [ { - "match": { - "left": { - "payload": { - "field": "protocol", - "protocol": "ip" - } - }, - "op": "==", - "right": 6 - } - }, - { "redirect": { "port": { "map": { diff --git a/tests/py/ip/redirect.t.payload b/tests/py/ip/redirect.t.payload index bdfc6d72..4bed47c1 100644 --- a/tests/py/ip/redirect.t.payload +++ b/tests/py/ip/redirect.t.payload @@ -194,7 +194,7 @@ ip test-ip4 output # iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } redirect __map%d test-ip4 b __map%d test-ip4 0 - element 00001600 : 0 [end] element 0000de00 : 0 [end] + element 00001600 : drop 0 [end] element 0000de00 : drop 0 [end] ip test-ip4 output [ meta load iifname => reg 1 ] [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] @@ -207,12 +207,12 @@ ip test-ip4 output [ lookup reg 1 set __map%d dreg 0 ] [ redir ] -# ip protocol 6 redirect to :tcp dport map { 22 : 8000, 80 : 8080} +# redirect to :tcp dport map { 22 : 8000, 80 : 8080} __map%d test-ip4 b __map%d test-ip4 0 element 00001600 : 0000401f 0 [end] element 00005000 : 0000901f 0 [end] ip test-ip4 output - [ payload load 1b @ network header + 9 => reg 1 ] + [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 2b @ transport header + 2 => reg 1 ] [ lookup reg 1 set __map%d dreg 1 ] diff --git a/tests/py/ip/reject.t b/tests/py/ip/reject.t index cc5561a0..ad009944 100644 --- a/tests/py/ip/reject.t +++ b/tests/py/ip/reject.t @@ -3,14 +3,15 @@ *ip;test-ip4;output reject;ok -reject with icmp type host-unreachable;ok -reject with icmp type net-unreachable;ok -reject with icmp type prot-unreachable;ok -reject with icmp type port-unreachable;ok;reject -reject with icmp type net-prohibited;ok -reject with icmp type host-prohibited;ok -reject with icmp type admin-prohibited;ok +reject with icmp host-unreachable;ok +reject with icmp net-unreachable;ok +reject with icmp prot-unreachable;ok +reject with icmp port-unreachable;ok;reject +reject with icmp net-prohibited;ok +reject with icmp host-prohibited;ok +reject with icmp admin-prohibited;ok +reject with icmp 3;ok;reject mark 0x80000000 reject with tcp reset;ok;meta mark 0x80000000 reject with tcp reset -reject with icmp type no-route;fail -reject with icmpv6 type no-route;fail +reject with icmp no-route;fail +reject with icmpv6 no-route;fail diff --git a/tests/py/ip/reject.t.json b/tests/py/ip/reject.t.json index d120b9f1..3e1d28de 100644 --- a/tests/py/ip/reject.t.json +++ b/tests/py/ip/reject.t.json @@ -5,7 +5,7 @@ } ] -# reject with icmp type host-unreachable +# reject with icmp host-unreachable [ { "reject": { @@ -15,7 +15,7 @@ } ] -# reject with icmp type net-unreachable +# reject with icmp net-unreachable [ { "reject": { @@ -25,7 +25,7 @@ } ] -# reject with icmp type prot-unreachable +# reject with icmp prot-unreachable [ { "reject": { @@ -35,7 +35,7 @@ } ] -# reject with icmp type port-unreachable +# reject with icmp port-unreachable [ { "reject": { @@ -45,7 +45,7 @@ } ] -# reject with icmp type net-prohibited +# reject with icmp net-prohibited [ { "reject": { @@ -55,7 +55,7 @@ } ] -# reject with icmp type host-prohibited +# reject with icmp host-prohibited [ { "reject": { @@ -65,7 +65,7 @@ } ] -# reject with icmp type admin-prohibited +# reject with icmp admin-prohibited [ { "reject": { @@ -75,6 +75,16 @@ } ] +# reject with icmp 3 +[ + { + "reject": { + "expr": "port-unreachable", + "type": "icmp" + } + } +] + # mark 0x80000000 reject with tcp reset [ { diff --git a/tests/py/ip/reject.t.payload b/tests/py/ip/reject.t.payload index 07e4cc8d..5829065a 100644 --- a/tests/py/ip/reject.t.payload +++ b/tests/py/ip/reject.t.payload @@ -2,34 +2,38 @@ ip test-ip4 output [ reject type 0 code 3 ] -# reject with icmp type host-unreachable +# reject with icmp host-unreachable ip test-ip4 output [ reject type 0 code 1 ] -# reject with icmp type net-unreachable +# reject with icmp net-unreachable ip test-ip4 output [ reject type 0 code 0 ] -# reject with icmp type prot-unreachable +# reject with icmp prot-unreachable ip test-ip4 output [ reject type 0 code 2 ] -# reject with icmp type port-unreachable +# reject with icmp port-unreachable ip test-ip4 output [ reject type 0 code 3 ] -# reject with icmp type net-prohibited +# reject with icmp net-prohibited ip test-ip4 output [ reject type 0 code 9 ] -# reject with icmp type host-prohibited +# reject with icmp host-prohibited ip test-ip4 output [ reject type 0 code 10 ] -# reject with icmp type admin-prohibited +# reject with icmp admin-prohibited ip test-ip4 output [ reject type 0 code 13 ] +# reject with icmp 3 +ip test-ip4 output + [ reject type 0 code 3 ] + # mark 0x80000000 reject with tcp reset ip test-ip4 output [ meta load l4proto => reg 1 ] diff --git a/tests/py/ip/sets.t b/tests/py/ip/sets.t index 7b7e0722..46d9686b 100644 --- a/tests/py/ip/sets.t +++ b/tests/py/ip/sets.t @@ -1,9 +1,10 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip;test-ip4;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress !w type ipv4_addr;ok !x type inet_proto;ok @@ -51,6 +52,17 @@ ip saddr != @set33 drop;fail ip saddr . ip daddr @set5 drop;ok add @set5 { ip saddr . ip daddr };ok +!map1 type ipv4_addr . ipv4_addr : mark;ok +add @map1 { ip saddr . ip daddr : meta mark };ok + # test nested anonymous sets ip saddr { { 1.1.1.0, 3.3.3.0 }, 2.2.2.0 };ok;ip saddr { 1.1.1.0, 2.2.2.0, 3.3.3.0 } ip saddr { { 1.1.1.0/24, 3.3.3.0/24 }, 2.2.2.0/24 };ok;ip saddr { 1.1.1.0/24, 2.2.2.0/24, 3.3.3.0/24 } + +!set6 type ipv4_addr;ok +?set6 192.168.3.5, *;ok +ip saddr @set6 drop;ok + +ip saddr vmap { 1.1.1.1 : drop, * : accept };ok +meta mark set ip saddr map { 1.1.1.1 : 0x00000001, * : 0x00000002 };ok + diff --git a/tests/py/ip/sets.t.json b/tests/py/ip/sets.t.json index 65d2df87..44ca1528 100644 --- a/tests/py/ip/sets.t.json +++ b/tests/py/ip/sets.t.json @@ -188,3 +188,118 @@ } ] +# ip saddr @set6 drop +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "@set6" + } + }, + { + "drop": null + } +] + +# ip saddr vmap { 1.1.1.1 : drop, * : accept } +[ + { + "vmap": { + "data": { + "set": [ + [ + "1.1.1.1", + { + "drop": null + } + ], + [ + "*", + { + "accept": null + } + ] + ] + }, + "key": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + } + } +] + +# meta mark set ip saddr map { 1.1.1.1 : 0x00000001, * : 0x00000002 } +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "map": { + "data": { + "set": [ + [ + "1.1.1.1", + 1 + ], + [ + "*", + 2 + ] + ] + }, + "key": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + } + } + } + } +] + +# add @map1 { ip saddr . ip daddr : meta mark } +[ + { + "map": { + "data": { + "meta": { + "key": "mark" + } + }, + "elem": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip" + } + } + ] + }, + "map": "@map1", + "op": "add" + } + } +] + diff --git a/tests/py/ip/sets.t.payload.inet b/tests/py/ip/sets.t.payload.inet index fa956c0c..fd6517a5 100644 --- a/tests/py/ip/sets.t.payload.inet +++ b/tests/py/ip/sets.t.payload.inet @@ -66,3 +66,41 @@ inet test-inet input [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 12 => reg 1 ] [ lookup reg 1 set __set%d ] + +# ip saddr @set6 drop +inet + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set set6 ] + [ immediate reg 0 drop ] + +# add @map1 { ip saddr . ip daddr : meta mark } +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ meta load mark => reg 10 ] + [ dynset add reg_key 1 set map1 sreg_data 10 ] + +# ip saddr vmap { 1.1.1.1 : drop, * : accept } +__map%d test-inet b +__map%d test-inet 0 + element 01010101 : drop 0 [end] element : accept 2 [end] +inet + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __map%d dreg 0 ] + +# meta mark set ip saddr map { 1.1.1.1 : 0x00000001, * : 0x00000002 } +__map%d test-inet b +__map%d test-inet 0 + element 01010101 : 00000001 0 [end] element : 00000002 2 [end] +inet + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ meta set mark with reg 1 ] diff --git a/tests/py/ip/sets.t.payload.ip b/tests/py/ip/sets.t.payload.ip index ca3b5ade..d9cc32b6 100644 --- a/tests/py/ip/sets.t.payload.ip +++ b/tests/py/ip/sets.t.payload.ip @@ -50,3 +50,34 @@ __set%d test-ip4 0 ip test-ip4 input [ payload load 4b @ network header + 12 => reg 1 ] [ lookup reg 1 set __set%d ] + +# ip saddr @set6 drop +ip + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set set6 ] + [ immediate reg 0 drop ] + +# ip saddr vmap { 1.1.1.1 : drop, * : accept } +__map%d test-ip4 b +__map%d test-ip4 0 + element 01010101 : drop 0 [end] element : accept 2 [end] +ip + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __map%d dreg 0 ] + +# meta mark set ip saddr map { 1.1.1.1 : 0x00000001, * : 0x00000002 } +__map%d test-ip4 b +__map%d test-ip4 0 + element 01010101 : 00000001 0 [end] element : 00000002 2 [end] +ip + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ meta set mark with reg 1 ] + +# add @map1 { ip saddr . ip daddr : meta mark } +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ meta load mark => reg 10 ] + [ dynset add reg_key 1 set map1 sreg_data 10 ] + diff --git a/tests/py/ip/sets.t.payload.netdev b/tests/py/ip/sets.t.payload.netdev index 9772d756..d41b9e8b 100644 --- a/tests/py/ip/sets.t.payload.netdev +++ b/tests/py/ip/sets.t.payload.netdev @@ -66,3 +66,42 @@ netdev test-netdev ingress [ cmp eq reg 1 0x00000008 ] [ payload load 4b @ network header + 12 => reg 1 ] [ lookup reg 1 set __set%d ] + +# ip saddr @set6 drop +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set set6 ] + [ immediate reg 0 drop ] + +# ip saddr vmap { 1.1.1.1 : drop, * : accept } +__map%d test-netdev b +__map%d test-netdev 0 + element 01010101 : drop 0 [end] element : accept 2 [end] +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __map%d dreg 0 ] + +# meta mark set ip saddr map { 1.1.1.1 : 0x00000001, * : 0x00000002 } +__map%d test-netdev b +__map%d test-netdev 0 + element 01010101 : 00000001 0 [end] element : 00000002 2 [end] +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ meta set mark with reg 1 ] + +# add @map1 { ip saddr . ip daddr : meta mark } +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ meta load mark => reg 10 ] + [ dynset add reg_key 1 set map1 sreg_data 10 ] + diff --git a/tests/py/ip/snat.t b/tests/py/ip/snat.t index c6e8a8e6..d4b0d2cb 100644 --- a/tests/py/ip/snat.t +++ b/tests/py/ip/snat.t @@ -6,9 +6,16 @@ iifname "eth0" tcp dport 80-90 snat to 192.168.3.2;ok iifname "eth0" tcp dport != 80-90 snat to 192.168.3.2;ok iifname "eth0" tcp dport {80, 90, 23} snat to 192.168.3.2;ok iifname "eth0" tcp dport != {80, 90, 23} snat to 192.168.3.2;ok +iifname "eth0" tcp dport 80-90 snat to 192.168.3.0-192.168.3.255;ok;iifname "eth0" tcp dport 80-90 snat to 192.168.3.0/24 +iifname "eth0" tcp dport 80-90 snat to 192.168.3.15-192.168.3.240;ok iifname "eth0" tcp dport != 23-34 snat to 192.168.3.2;ok -snat ip addr . port to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 };ok -snat ip interval to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 };ok +meta l4proto 17 snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 };ok +snat ip to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 };ok +snat ip to ip saddr map { 10.141.12.14 : 192.168.2.0/24 };ok snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24 };ok + +meta l4proto { 6, 17} snat ip to ip saddr . th dport map { 10.141.11.4 . 20 : 192.168.2.3 . 80};ok +snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 };fail +snat ip to ip saddr . th dport map { 10.141.11.4 . 20 : 192.168.2.3 . 80 };fail diff --git a/tests/py/ip/snat.t.json b/tests/py/ip/snat.t.json index 62c6e61b..967560e6 100644 --- a/tests/py/ip/snat.t.json +++ b/tests/py/ip/snat.t.json @@ -166,7 +166,91 @@ } ] -# snat ip addr . port to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 } +# iifname "eth0" tcp dport 80-90 snat to 192.168.3.0-192.168.3.255 +[ + { + "match": { + "left": { + "meta": { + "key": "iifname" + } + }, + "op": "==", + "right": "eth0" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "range": [ + 80, + 90 + ] + } + } + }, + { + "snat": { + "addr": { + "prefix": { + "addr": "192.168.3.0", + "len": 24 + } + } + } + } +] + +# iifname "eth0" tcp dport 80-90 snat to 192.168.3.15-192.168.3.240 +[ + { + "match": { + "left": { + "meta": { + "key": "iifname" + } + }, + "op": "==", + "right": "eth0" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "range": [ + 80, + 90 + ] + } + } + }, + { + "snat": { + "addr": { + "range": [ + "192.168.3.15", + "192.168.3.240" + ] + } + } + } +] + +# snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 } [ { "snat": { @@ -274,3 +358,173 @@ } ] +# meta l4proto 17 snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 } +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": "udp" + } + }, + { + "snat": { + "addr": { + "map": { + "data": { + "set": [ + [ + "10.141.11.4", + { + "concat": [ + "192.168.2.3", + 80 + ] + } + ] + ] + }, + "key": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + } + }, + "family": "ip" + } + } +] + +# snat ip to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 } +[ + { + "snat": { + "addr": { + "map": { + "data": { + "set": [ + [ + "10.141.11.4", + { + "range": [ + "192.168.2.2", + "192.168.2.4" + ] + } + ] + ] + }, + "key": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + } + }, + "family": "ip" + } + } +] + +# snat ip to ip saddr map { 10.141.12.14 : 192.168.2.0/24 } +[ + { + "snat": { + "addr": { + "map": { + "data": { + "set": [ + [ + "10.141.12.14", + { + "prefix": { + "addr": "192.168.2.0", + "len": 24 + } + } + ] + ] + }, + "key": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + } + }, + "family": "ip" + } + } +] + +# meta l4proto { 6, 17} snat ip to ip saddr . th dport map { 10.141.11.4 . 20 : 192.168.2.3 . 80} +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": { + "set": [ + "tcp", + "udp" + ] + } + } + }, + { + "snat": { + "addr": { + "map": { + "data": { + "set": [ + [ + { + "concat": [ + "10.141.11.4", + 20 + ] + }, + { + "concat": [ + "192.168.2.3", + 80 + ] + } + ] + ] + }, + "key": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "dport", + "protocol": "th" + } + } + ] + } + } + }, + "family": "ip" + } + } +] + diff --git a/tests/py/ip/snat.t.json.output b/tests/py/ip/snat.t.json.output index 1365316c..2a997801 100644 --- a/tests/py/ip/snat.t.json.output +++ b/tests/py/ip/snat.t.json.output @@ -70,3 +70,180 @@ } ] +# snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 } +[ + { + "snat": { + "addr": { + "map": { + "data": { + "set": [ + [ + "10.141.11.4", + { + "concat": [ + "192.168.2.3", + 80 + ] + } + ] + ] + }, + "key": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + } + }, + "family": "ip" + } + } +] + +# meta l4proto 17 snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 } +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 17 + } + }, + { + "snat": { + "addr": { + "map": { + "data": { + "set": [ + [ + "10.141.11.4", + { + "concat": [ + "192.168.2.3", + 80 + ] + } + ] + ] + }, + "key": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + } + }, + "family": "ip" + } + } +] + +# meta l4proto { 6, 17} snat ip to ip saddr . th dport map { 10.141.11.4 . 20 : 192.168.2.3 . 80} +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": { + "set": [ + 6, + 17 + ] + } + } + }, + { + "snat": { + "addr": { + "map": { + "data": { + "set": [ + [ + { + "concat": [ + "10.141.11.4", + 20 + ] + }, + { + "concat": [ + "192.168.2.3", + 80 + ] + } + ] + ] + }, + "key": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "dport", + "protocol": "th" + } + } + ] + } + } + }, + "family": "ip" + } + } +] + +# snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24 } +[ + { + "snat": { + "addr": { + "map": { + "data": { + "set": [ + [ + { + "prefix": { + "addr": "10.141.11.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "192.168.2.0", + "len": 24 + } + } + ] + ] + }, + "key": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + } + }, + "family": "ip", + "flags": "netmap", + "type_flags": "prefix" + } + } +] + diff --git a/tests/py/ip/snat.t.payload b/tests/py/ip/snat.t.payload index 22befe15..71a5e2f1 100644 --- a/tests/py/ip/snat.t.payload +++ b/tests/py/ip/snat.t.payload @@ -8,7 +8,7 @@ ip test-ip4 postrouting [ cmp gte reg 1 0x00005000 ] [ cmp lte reg 1 0x00005a00 ] [ immediate reg 1 0x0203a8c0 ] - [ nat snat ip addr_min reg 1 addr_max reg 0 ] + [ nat snat ip addr_min reg 1 ] # iifname "eth0" tcp dport != 80-90 snat to 192.168.3.2 ip test-ip4 postrouting @@ -19,7 +19,7 @@ ip test-ip4 postrouting [ payload load 2b @ transport header + 2 => reg 1 ] [ range neq reg 1 0x00005000 0x00005a00 ] [ immediate reg 1 0x0203a8c0 ] - [ nat snat ip addr_min reg 1 addr_max reg 0 ] + [ nat snat ip addr_min reg 1 ] # iifname "eth0" tcp dport {80, 90, 23} snat to 192.168.3.2 __set%d test-ip4 3 @@ -33,7 +33,7 @@ ip test-ip4 postrouting [ payload load 2b @ transport header + 2 => reg 1 ] [ lookup reg 1 set __set%d ] [ immediate reg 1 0x0203a8c0 ] - [ nat snat ip addr_min reg 1 addr_max reg 0 ] + [ nat snat ip addr_min reg 1 ] # iifname "eth0" tcp dport != {80, 90, 23} snat to 192.168.3.2 __set%d test-ip4 3 @@ -47,7 +47,7 @@ ip test-ip4 postrouting [ payload load 2b @ transport header + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] [ immediate reg 1 0x0203a8c0 ] - [ nat snat ip addr_min reg 1 addr_max reg 0 ] + [ nat snat ip addr_min reg 1 ] # iifname "eth0" tcp dport != 23-34 snat to 192.168.3.2 ip test-ip4 postrouting @@ -58,18 +58,46 @@ ip test-ip4 postrouting [ payload load 2b @ transport header + 2 => reg 1 ] [ range neq reg 1 0x00001700 0x00002200 ] [ immediate reg 1 0x0203a8c0 ] - [ nat snat ip addr_min reg 1 addr_max reg 0 ] + [ nat snat ip addr_min reg 1 ] -# snat ip addr . port to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 } +# iifname "eth0" tcp dport 80-90 snat to 192.168.3.0-192.168.3.255 +ip + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp gte reg 1 0x00005000 ] + [ cmp lte reg 1 0x00005a00 ] + [ immediate reg 1 0x0003a8c0 ] + [ immediate reg 2 0xff03a8c0 ] + [ nat snat ip addr_min reg 1 addr_max reg 2 ] + +# iifname "eth0" tcp dport 80-90 snat to 192.168.3.15-192.168.3.240 +ip + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp gte reg 1 0x00005000 ] + [ cmp lte reg 1 0x00005a00 ] + [ immediate reg 1 0x0f03a8c0 ] + [ immediate reg 2 0xf003a8c0 ] + [ nat snat ip addr_min reg 1 addr_max reg 2 ] + +# meta l4proto 17 snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 } __map%d test-ip4 b size 1 __map%d test-ip4 0 element 040b8d0a : 0302a8c0 00005000 0 [end] -ip +ip + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] [ payload load 4b @ network header + 12 => reg 1 ] [ lookup reg 1 set __map%d dreg 1 ] - [ nat snat ip addr_min reg 1 addr_max reg 0 proto_min reg 9 proto_max reg 0 ] + [ nat snat ip addr_min reg 1 proto_min reg 9 ] -# snat ip interval to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 } +# snat ip to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 } __map%d test-ip4 b size 1 __map%d test-ip4 0 element 040b8d0a : 0202a8c0 0402a8c0 0 [end] @@ -87,3 +115,40 @@ ip [ lookup reg 1 set __map%d dreg 1 ] [ nat snat ip addr_min reg 1 addr_max reg 9 flags 0x40 ] +# snat ip to ip saddr map { 10.141.12.14 : 192.168.2.0/24 } +__map%d test-ip4 b size 1 +__map%d test-ip4 0 + element 0e0c8d0a : 0002a8c0 ff02a8c0 0 [end] +ip + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat snat ip addr_min reg 1 addr_max reg 9 ] + +# meta l4proto { 6, 17} snat ip to ip saddr . th dport map { 10.141.11.4 . 20 : 192.168.2.3 . 80} +__set%d test-ip4 3 size 2 +__set%d test-ip4 0 + element 00000006 : 0 [end] element 00000011 : 0 [end] +__map%d test-ip4 b size 1 +__map%d test-ip4 0 + element 040b8d0a 00001400 : 0302a8c0 00005000 0 [end] +ip + [ meta load l4proto => reg 1 ] + [ lookup reg 1 set __set%d ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 2b @ transport header + 2 => reg 9 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat snat ip addr_min reg 1 proto_min reg 9 ] + +# ip daddr 192.168.0.1 dnat to tcp dport map { 443 : 10.141.10.4 . 8443, 80 : 10.141.10.4 . 8080 } +__map%d x b size 2 +__map%d x 0 + element 0000bb01 : 040a8d0a 0000fb20 0 [end] element 00005000 : 040a8d0a 0000901f 0 [end] +ip + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x0100a8c0 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat dnat ip addr_min reg 1 proto_min reg 9 ] + diff --git a/tests/py/ip6/ct.t b/tests/py/ip6/ct.t new file mode 100644 index 00000000..c06fd6a0 --- /dev/null +++ b/tests/py/ip6/ct.t @@ -0,0 +1,9 @@ +:output;type filter hook output priority 0 + +*ip6;test-ip6;output + +ct mark set ip6 dscp << 2 | 0x10;ok +ct mark set ip6 dscp << 26 | 0x10;ok +ct mark set ip6 dscp | 0x04;ok +ct mark set ip6 dscp | 0xff000000;ok +ct mark set ip6 dscp & 0x0f << 2;ok;ct mark set ip6 dscp & 0x3c diff --git a/tests/py/ip6/ct.t.json b/tests/py/ip6/ct.t.json new file mode 100644 index 00000000..7d8c88bb --- /dev/null +++ b/tests/py/ip6/ct.t.json @@ -0,0 +1,293 @@ +# ct mark set ip6 dscp lshift 2 or 0x10 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 2 + ] + }, + 16 + ] + } + } + } +] + +# ct mark set ip6 dscp lshift 26 or 0x10 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 26 + ] + }, + 16 + ] + } + } + } +] + +# ct mark set ip6 dscp << 2 | 0x10 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 2 + ] + }, + 16 + ] + } + } + } +] + +# ct mark set ip6 dscp << 26 | 0x10 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 26 + ] + }, + 16 + ] + } + } + } +] + +# ct mark set ip6 dscp | 0x04 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 4 + ] + } + } + } +] + +# ct mark set ip6 dscp | 0xff000000 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 4278190080 + ] + } + } + } +] + +# ct mark set ip6 dscp << 2 | 0x10 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 2 + ] + }, + 16 + ] + } + } + } +] + +# ct mark set ip6 dscp << 26 | 0x10 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 26 + ] + }, + 16 + ] + } + } + } +] + +# ct mark set ip6 dscp | 0x04 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 4 + ] + } + } + } +] + +# ct mark set ip6 dscp | 0xff000000 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 4278190080 + ] + } + } + } +] + +# ct mark set ip6 dscp & 0x0f << 2 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "&": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 60 + ] + } + } + } +] diff --git a/tests/py/ip6/ct.t.payload b/tests/py/ip6/ct.t.payload new file mode 100644 index 00000000..944208f2 --- /dev/null +++ b/tests/py/ip6/ct.t.payload @@ -0,0 +1,46 @@ +# ct mark set ip6 dscp << 2 | 0x10 +ip6 test-ip6 output + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ bitwise reg 1 = ( reg 1 << 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ] + [ ct set mark with reg 1 ] + +# ct mark set ip6 dscp << 26 | 0x10 +ip6 test-ip6 output + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ bitwise reg 1 = ( reg 1 << 0x0000001a ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ] + [ ct set mark with reg 1 ] + +# ct mark set ip6 dscp | 0x04 +ip6 test-ip6 output + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ bitwise reg 1 = ( reg 1 & 0xfffffffb ) ^ 0x00000004 ] + [ ct set mark with reg 1 ] + +# ct mark set ip6 dscp | 0xff000000 +ip6 test-ip6 output + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ bitwise reg 1 = ( reg 1 & 0x00ffffff ) ^ 0xff000000 ] + [ ct set mark with reg 1 ] + +# ct mark set ip6 dscp & 0x0f << 2 +ip6 test-ip6 output + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ bitwise reg 1 = ( reg 1 & 0x0000003c ) ^ 0x00000000 ] + [ ct set mark with reg 1 ] diff --git a/tests/py/ip6/dnat.t.payload.ip6 b/tests/py/ip6/dnat.t.payload.ip6 index 5906e0f8..004ffdeb 100644 --- a/tests/py/ip6/dnat.t.payload.ip6 +++ b/tests/py/ip6/dnat.t.payload.ip6 @@ -21,7 +21,7 @@ ip6 test-ip6 prerouting [ immediate reg 1 0x38080120 0x01005f03 0x00000000 0x00000000 ] [ immediate reg 2 0x38080120 0x02005f03 0x00000000 0x00000000 ] [ immediate reg 3 0x00006400 ] - [ nat dnat ip6 addr_min reg 1 addr_max reg 2 proto_min reg 3 proto_max reg 0 flags 0x2 ] + [ nat dnat ip6 addr_min reg 1 addr_max reg 2 proto_min reg 3 flags 0x2 ] # tcp dport 80-90 dnat to [2001:838:35f:1::]:80 ip6 test-ip6 prerouting @@ -32,7 +32,7 @@ ip6 test-ip6 prerouting [ cmp lte reg 1 0x00005a00 ] [ immediate reg 1 0x38080120 0x01005f03 0x00000000 0x00000000 ] [ immediate reg 2 0x00005000 ] - [ nat dnat ip6 addr_min reg 1 addr_max reg 0 proto_min reg 2 proto_max reg 0 flags 0x2 ] + [ nat dnat ip6 addr_min reg 1 proto_min reg 2 flags 0x2 ] # dnat to [2001:838:35f:1::]/64 ip6 test-ip6 prerouting diff --git a/tests/py/ip6/dst.t b/tests/py/ip6/dst.t index 9e7c554f..cd1fd3b2 100644 --- a/tests/py/ip6/dst.t +++ b/tests/py/ip6/dst.t @@ -9,8 +9,6 @@ dst nexthdr 33-45;ok dst nexthdr != 33-45;ok dst nexthdr { 33, 55, 67, 88};ok dst nexthdr != { 33, 55, 67, 88};ok -dst nexthdr { 33-55};ok -dst nexthdr != { 33-55};ok dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp};ok;dst nexthdr { 51, 50, 17, 136, 58, 6, 33, 132, 108} dst nexthdr != { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp};ok;dst nexthdr != { 51, 50, 17, 136, 58, 6, 33, 132, 108} dst nexthdr icmp;ok;dst nexthdr 1 @@ -21,6 +19,3 @@ dst hdrlength != 233;ok dst hdrlength 33-45;ok dst hdrlength != 33-45;ok dst hdrlength { 33, 55, 67, 88};ok -dst hdrlength != { 33, 55, 67, 88};ok -dst hdrlength { 33-55};ok -dst hdrlength != { 33-55};ok diff --git a/tests/py/ip6/dst.t.json b/tests/py/ip6/dst.t.json index 1373e177..e947a76f 100644 --- a/tests/py/ip6/dst.t.json +++ b/tests/py/ip6/dst.t.json @@ -112,46 +112,6 @@ } ] -# dst nexthdr { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "nexthdr", - "name": "dst" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# dst nexthdr != { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "nexthdr", - "name": "dst" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp} [ { @@ -353,44 +313,3 @@ } } ] - -# dst hdrlength { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "hdrlength", - "name": "dst" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# dst hdrlength != { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "hdrlength", - "name": "dst" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - diff --git a/tests/py/ip6/dst.t.payload.inet b/tests/py/ip6/dst.t.payload.inet index ff22237e..90d6bda1 100644 --- a/tests/py/ip6/dst.t.payload.inet +++ b/tests/py/ip6/dst.t.payload.inet @@ -47,26 +47,6 @@ inet test-inet input [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# dst nexthdr { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# dst nexthdr != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp} __set%d test-inet 3 __set%d test-inet 0 @@ -149,24 +129,3 @@ ip6 test-ip6 input [ cmp eq reg 1 0x0000000a ] [ exthdr load ipv6 1b @ 60 + 1 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] - -# dst hdrlength { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 60 + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# dst hdrlength != { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 60 + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - diff --git a/tests/py/ip6/dst.t.payload.ip6 b/tests/py/ip6/dst.t.payload.ip6 index 9bf564cb..941140d0 100644 --- a/tests/py/ip6/dst.t.payload.ip6 +++ b/tests/py/ip6/dst.t.payload.ip6 @@ -35,22 +35,6 @@ ip6 test-ip6 input [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# dst nexthdr { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# dst nexthdr != { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp} __set%d test-ip6 3 __set%d test-ip6 0 @@ -113,21 +97,3 @@ __set%d test-ip6 0 ip6 test-ip6 input [ exthdr load ipv6 1b @ 60 + 1 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] - -# dst hdrlength { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 60 + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# dst hdrlength != { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 60 + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - - diff --git a/tests/py/ip6/exthdr.t.json.output b/tests/py/ip6/exthdr.t.json.output index c9f5b49b..813402a2 100644 --- a/tests/py/ip6/exthdr.t.json.output +++ b/tests/py/ip6/exthdr.t.json.output @@ -1,33 +1,3 @@ -# exthdr hbh == exists -[ - { - "match": { - "left": { - "exthdr": { - "name": "hbh" - } - }, - "op": "==", - "right": true - } - } -] - -# exthdr hbh == missing -[ - { - "match": { - "left": { - "exthdr": { - "name": "hbh" - } - }, - "op": "==", - "right": false - } - } -] - # exthdr hbh 1 [ { diff --git a/tests/py/ip6/flowtable.t b/tests/py/ip6/flowtable.t deleted file mode 100644 index e58d51bb..00000000 --- a/tests/py/ip6/flowtable.t +++ /dev/null @@ -1,6 +0,0 @@ -:input;type filter hook input priority 0 - -*ip6;test-ip6;input - -meter acct_out size 4096 { meta iif . ip6 saddr timeout 600s counter };ok;meter acct_out size 4096 { iif . ip6 saddr timeout 10m counter } -meter acct_out size 12345 { ip6 saddr . meta iif timeout 600s counter };ok;meter acct_out size 12345 { ip6 saddr . iif timeout 10m counter } diff --git a/tests/py/ip6/flowtable.t.json b/tests/py/ip6/flowtable.t.json deleted file mode 100644 index d0b3a957..00000000 --- a/tests/py/ip6/flowtable.t.json +++ /dev/null @@ -1,62 +0,0 @@ -# meter acct_out size 4096 { meta iif . ip6 saddr timeout 600s counter } -[ - { - "meter": { - "key": { - "elem": { - "timeout": 600, - "val": { - "concat": [ - { - "meta": { "key": "iif" } - }, - { - "payload": { - "field": "saddr", - "protocol": "ip6" - } - } - ] - } - } - }, - "name": "acct_out", - "size": 4096, - "stmt": { - "counter": null - } - } - } -] - -# meter acct_out size 12345 { ip6 saddr . meta iif timeout 600s counter } -[ - { - "meter": { - "key": { - "elem": { - "timeout": 600, - "val": { - "concat": [ - { - "payload": { - "field": "saddr", - "protocol": "ip6" - } - }, - { - "meta": { "key": "iif" } - } - ] - } - } - }, - "name": "acct_out", - "size": 12345, - "stmt": { - "counter": null - } - } - } -] - diff --git a/tests/py/ip6/flowtable.t.json.output b/tests/py/ip6/flowtable.t.json.output deleted file mode 100644 index d0b3a957..00000000 --- a/tests/py/ip6/flowtable.t.json.output +++ /dev/null @@ -1,62 +0,0 @@ -# meter acct_out size 4096 { meta iif . ip6 saddr timeout 600s counter } -[ - { - "meter": { - "key": { - "elem": { - "timeout": 600, - "val": { - "concat": [ - { - "meta": { "key": "iif" } - }, - { - "payload": { - "field": "saddr", - "protocol": "ip6" - } - } - ] - } - } - }, - "name": "acct_out", - "size": 4096, - "stmt": { - "counter": null - } - } - } -] - -# meter acct_out size 12345 { ip6 saddr . meta iif timeout 600s counter } -[ - { - "meter": { - "key": { - "elem": { - "timeout": 600, - "val": { - "concat": [ - { - "payload": { - "field": "saddr", - "protocol": "ip6" - } - }, - { - "meta": { "key": "iif" } - } - ] - } - } - }, - "name": "acct_out", - "size": 12345, - "stmt": { - "counter": null - } - } - } -] - diff --git a/tests/py/ip6/flowtable.t.payload b/tests/py/ip6/flowtable.t.payload deleted file mode 100644 index 559475f6..00000000 --- a/tests/py/ip6/flowtable.t.payload +++ /dev/null @@ -1,16 +0,0 @@ -# meter acct_out size 4096 { meta iif . ip6 saddr timeout 600s counter } -acct_out test-ip6 31 -acct_out test-ip6 0 -ip6 test-ip6 input - [ meta load iif => reg 1 ] - [ payload load 16b @ network header + 8 => reg 9 ] - [ dynset update reg_key 1 set acct_out timeout 600000ms expr [ counter pkts 0 bytes 0 ] ] - -# meter acct_out size 12345 { ip6 saddr . meta iif timeout 600s counter } -acct_out test-ip6 31 -acct_out test-ip6 0 -ip6 test-ip6 input - [ payload load 16b @ network header + 8 => reg 1 ] - [ meta load iif => reg 2 ] - [ dynset update reg_key 1 set acct_out timeout 600000ms expr [ counter pkts 0 bytes 0 ] ] - diff --git a/tests/py/ip6/frag.t b/tests/py/ip6/frag.t index e16529ad..6bbd6ac0 100644 --- a/tests/py/ip6/frag.t +++ b/tests/py/ip6/frag.t @@ -1,8 +1,10 @@ :output;type filter hook output priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip6;test-ip6;output *inet;test-inet;output +*netdev;test-netdev;ingress,egress frag nexthdr tcp;ok;frag nexthdr 6 frag nexthdr != icmp;ok;frag nexthdr != 1 @@ -17,8 +19,6 @@ frag reserved 33-45;ok frag reserved != 33-45;ok frag reserved { 33, 55, 67, 88};ok frag reserved != { 33, 55, 67, 88};ok -frag reserved { 33-55};ok -frag reserved != { 33-55};ok frag frag-off 22;ok frag frag-off != 233;ok @@ -26,8 +26,6 @@ frag frag-off 33-45;ok frag frag-off != 33-45;ok frag frag-off { 33, 55, 67, 88};ok frag frag-off != { 33, 55, 67, 88};ok -frag frag-off { 33-55};ok -frag frag-off != { 33-55};ok frag reserved2 1;ok frag more-fragments 0;ok @@ -40,5 +38,3 @@ frag id 33-45;ok frag id != 33-45;ok frag id { 33, 55, 67, 88};ok frag id != { 33, 55, 67, 88};ok -frag id { 33-55};ok -frag id != { 33-55};ok diff --git a/tests/py/ip6/frag.t.payload.inet b/tests/py/ip6/frag.t.payload.inet index ff1458d2..20334f44 100644 --- a/tests/py/ip6/frag.t.payload.inet +++ b/tests/py/ip6/frag.t.payload.inet @@ -95,26 +95,6 @@ inet test-inet output [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# frag reserved { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet output - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# frag reserved != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet output - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # frag frag-off 22 inet test-inet output [ meta load nfproto => reg 1 ] @@ -170,28 +150,6 @@ inet test-inet output [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] [ lookup reg 1 set __set%d 0x1 ] -# frag frag-off { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -inet test-inet output - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d ] - -# frag frag-off != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -inet test-inet output - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d 0x1 ] - # frag id 1 inet test-inet output [ meta load nfproto => reg 1 ] @@ -248,26 +206,6 @@ inet test-inet output [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# frag id { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -inet test-inet output - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# frag id != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -inet test-inet output - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # frag reserved2 1 inet test-inet output [ meta load nfproto => reg 1 ] diff --git a/tests/py/ip6/frag.t.payload.ip6 b/tests/py/ip6/frag.t.payload.ip6 index dc4103fd..7c3e7a4e 100644 --- a/tests/py/ip6/frag.t.payload.ip6 +++ b/tests/py/ip6/frag.t.payload.ip6 @@ -71,22 +71,6 @@ ip6 test-ip6 output [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# frag reserved { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 output - [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# frag reserved != { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 output - [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # frag frag-off 22 ip6 test-ip6 output [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] @@ -130,24 +114,6 @@ ip6 test-ip6 output [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] [ lookup reg 1 set __set%d 0x1 ] -# frag frag-off { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -ip6 test-ip6 output - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d ] - -# frag frag-off != { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end] -ip6 test-ip6 output - [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d 0x1 ] - # frag id 1 ip6 test-ip6 output [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] @@ -190,22 +156,6 @@ ip6 test-ip6 output [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# frag id { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -ip6 test-ip6 output - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# frag id != { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -ip6 test-ip6 output - [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # frag reserved2 1 ip6 test-ip6 output [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] diff --git a/tests/py/ip6/frag.t.payload.netdev b/tests/py/ip6/frag.t.payload.netdev new file mode 100644 index 00000000..05620754 --- /dev/null +++ b/tests/py/ip6/frag.t.payload.netdev @@ -0,0 +1,232 @@ +# frag nexthdr tcp +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + +# frag nexthdr != icmp +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] + [ cmp neq reg 1 0x00000001 ] + +# frag nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp} +__set%d test-netdev 3 size 8 +__set%d test-netdev 0 + element 00000032 : 0 [end] element 00000033 : 0 [end] element 0000006c : 0 [end] element 00000011 : 0 [end] element 00000088 : 0 [end] element 00000006 : 0 [end] element 00000021 : 0 [end] element 00000084 : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# frag nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp} +__set%d test-netdev 3 size 8 +__set%d test-netdev 0 + element 00000032 : 0 [end] element 00000033 : 0 [end] element 0000006c : 0 [end] element 00000011 : 0 [end] element 00000088 : 0 [end] element 00000006 : 0 [end] element 00000021 : 0 [end] element 00000084 : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# frag nexthdr esp +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] + [ cmp eq reg 1 0x00000032 ] + +# frag nexthdr ah +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + +# frag reserved 22 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] + [ cmp eq reg 1 0x00000016 ] + +# frag reserved != 233 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] + [ cmp neq reg 1 0x000000e9 ] + +# frag reserved 33-45 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] + [ cmp gte reg 1 0x00000021 ] + [ cmp lte reg 1 0x0000002d ] + +# frag reserved != 33-45 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] + [ range neq reg 1 0x00000021 0x0000002d ] + +# frag reserved { 33, 55, 67, 88} +__set%d test-netdev 3 size 4 +__set%d test-netdev 0 + element 00000021 : 0 [end] element 00000037 : 0 [end] element 00000043 : 0 [end] element 00000058 : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# frag reserved != { 33, 55, 67, 88} +__set%d test-netdev 3 size 4 +__set%d test-netdev 0 + element 00000021 : 0 [end] element 00000037 : 0 [end] element 00000043 : 0 [end] element 00000058 : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# frag frag-off 22 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] + [ cmp eq reg 1 0x0000b000 ] + +# frag frag-off != 233 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00004807 ] + +# frag frag-off 33-45 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] + [ cmp gte reg 1 0x00000801 ] + [ cmp lte reg 1 0x00006801 ] + +# frag frag-off != 33-45 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] + [ range neq reg 1 0x00000801 0x00006801 ] + +# frag frag-off { 33, 55, 67, 88} +__set%d test-netdev 3 size 4 +__set%d test-netdev 0 + element 00000801 : 0 [end] element 0000b801 : 0 [end] element 00001802 : 0 [end] element 0000c002 : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] + [ lookup reg 1 set __set%d ] + +# frag frag-off != { 33, 55, 67, 88} +__set%d test-netdev 3 size 4 +__set%d test-netdev 0 + element 00000801 : 0 [end] element 0000b801 : 0 [end] element 00001802 : 0 [end] element 0000c002 : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ] + [ lookup reg 1 set __set%d 0x1 ] + +# frag reserved2 1 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000006 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000002 ] + +# frag more-fragments 0 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000000 ] + +# frag more-fragments 1 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000001 ] + +# frag id 1 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] + [ cmp eq reg 1 0x01000000 ] + +# frag id 22 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] + [ cmp eq reg 1 0x16000000 ] + +# frag id != 33 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] + [ cmp neq reg 1 0x21000000 ] + +# frag id 33-45 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] + [ cmp gte reg 1 0x21000000 ] + [ cmp lte reg 1 0x2d000000 ] + +# frag id != 33-45 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] + [ range neq reg 1 0x21000000 0x2d000000 ] + +# frag id { 33, 55, 67, 88} +__set%d test-netdev 3 size 4 +__set%d test-netdev 0 + element 21000000 : 0 [end] element 37000000 : 0 [end] element 43000000 : 0 [end] element 58000000 : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# frag id != { 33, 55, 67, 88} +__set%d test-netdev 3 size 4 +__set%d test-netdev 0 + element 21000000 : 0 [end] element 37000000 : 0 [end] element 43000000 : 0 [end] element 58000000 : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + diff --git a/tests/py/ip6/hbh.t b/tests/py/ip6/hbh.t index f367a384..fce5feae 100644 --- a/tests/py/ip6/hbh.t +++ b/tests/py/ip6/hbh.t @@ -9,8 +9,6 @@ hbh hdrlength 33-45;ok hbh hdrlength != 33-45;ok hbh hdrlength {33, 55, 67, 88};ok hbh hdrlength != {33, 55, 67, 88};ok -hbh hdrlength { 33-55};ok -hbh hdrlength != { 33-55};ok hbh nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok;hbh nexthdr { 58, 136, 51, 50, 6, 17, 132, 33, 108} hbh nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok;hbh nexthdr != { 58, 136, 51, 50, 6, 17, 132, 33, 108} @@ -20,7 +18,5 @@ hbh nexthdr 33-45;ok hbh nexthdr != 33-45;ok hbh nexthdr {33, 55, 67, 88};ok hbh nexthdr != {33, 55, 67, 88};ok -hbh nexthdr { 33-55};ok -hbh nexthdr != { 33-55};ok hbh nexthdr ip;ok;hbh nexthdr 0 hbh nexthdr != ip;ok;hbh nexthdr != 0 diff --git a/tests/py/ip6/hbh.t.json b/tests/py/ip6/hbh.t.json index 441d3bfe..68670a3b 100644 --- a/tests/py/ip6/hbh.t.json +++ b/tests/py/ip6/hbh.t.json @@ -112,46 +112,6 @@ } ] -# hbh hdrlength { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "hdrlength", - "name": "hbh" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# hbh hdrlength != { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "hdrlength", - "name": "hbh" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # hbh nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6} [ { @@ -322,46 +282,6 @@ } ] -# hbh nexthdr { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "nexthdr", - "name": "hbh" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# hbh nexthdr != { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "nexthdr", - "name": "hbh" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # hbh nexthdr ip [ { diff --git a/tests/py/ip6/hbh.t.payload.inet b/tests/py/ip6/hbh.t.payload.inet index e358351d..63afd832 100644 --- a/tests/py/ip6/hbh.t.payload.inet +++ b/tests/py/ip6/hbh.t.payload.inet @@ -47,26 +47,6 @@ inet test-inet filter-input [ exthdr load ipv6 1b @ 0 + 1 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# hbh hdrlength { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet filter-input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 0 + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# hbh hdrlength != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet filter-input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 0 + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # hbh nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6} __set%d test-inet 3 __set%d test-inet 0 @@ -136,26 +116,6 @@ inet test-inet filter-input [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# hbh nexthdr { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet filter-input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# hbh nexthdr != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet filter-input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # hbh nexthdr ip inet test-inet filter-input [ meta load nfproto => reg 1 ] diff --git a/tests/py/ip6/hbh.t.payload.ip6 b/tests/py/ip6/hbh.t.payload.ip6 index a4b131a5..913505a5 100644 --- a/tests/py/ip6/hbh.t.payload.ip6 +++ b/tests/py/ip6/hbh.t.payload.ip6 @@ -35,22 +35,6 @@ ip6 test-ip6 filter-input [ exthdr load ipv6 1b @ 0 + 1 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# hbh hdrlength { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 filter-input - [ exthdr load ipv6 1b @ 0 + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# hbh hdrlength != { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 filter-input - [ exthdr load ipv6 1b @ 0 + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # hbh nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6} __set%d test-ip6 3 __set%d test-ip6 0 @@ -104,22 +88,6 @@ ip6 test-ip6 filter-input [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# hbh nexthdr { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 filter-input - [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# hbh nexthdr != { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 filter-input - [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # hbh nexthdr ip ip6 test-ip6 filter-input [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ] diff --git a/tests/py/ip6/icmpv6.t b/tests/py/ip6/icmpv6.t index a45efed6..7632bfd8 100644 --- a/tests/py/ip6/icmpv6.t +++ b/tests/py/ip6/icmpv6.t @@ -28,12 +28,10 @@ icmpv6 type {router-renumbering, mld-listener-done, time-exceeded, nd-router-sol icmpv6 type {mld-listener-query, time-exceeded, nd-router-advert} accept;ok icmpv6 type != {mld-listener-query, time-exceeded, nd-router-advert} accept;ok -icmpv6 code 4;ok;icmpv6 code port-unreachable +icmpv6 code 4;ok icmpv6 code 3-66;ok -icmpv6 code {5, 6, 7} accept;ok;icmpv6 code {policy-fail, reject-route, 7} accept -icmpv6 code != {policy-fail, reject-route, 7} accept;ok -icmpv6 code { 3-66};ok -icmpv6 code != { 3-66};ok +icmpv6 code {5, 6, 7} accept;ok +icmpv6 code != {policy-fail, reject-route, 7} accept;ok;icmpv6 code != {5, 6, 7} accept icmpv6 checksum 2222 log;ok icmpv6 checksum != 2222 log;ok @@ -41,8 +39,6 @@ icmpv6 checksum 222-226;ok icmpv6 checksum != 222-226;ok icmpv6 checksum { 222, 226};ok icmpv6 checksum != { 222, 226};ok -icmpv6 checksum { 222-226};ok -icmpv6 checksum != { 222-226};ok # BUG: icmpv6 parameter-problem, pptr # [ICMP6HDR_PPTR] = ICMP6HDR_FIELD("parameter-problem", icmp6_pptr), @@ -64,16 +60,15 @@ icmpv6 mtu 33-45;ok icmpv6 mtu != 33-45;ok icmpv6 mtu {33, 55, 67, 88};ok icmpv6 mtu != {33, 55, 67, 88};ok -icmpv6 mtu {33-55};ok -icmpv6 mtu != {33-55};ok icmpv6 type packet-too-big icmpv6 mtu 1280;ok;icmpv6 mtu 1280 icmpv6 id 33-45;ok;icmpv6 type { echo-request, echo-reply} icmpv6 id 33-45 icmpv6 id != 33-45;ok;icmpv6 type { echo-request, echo-reply} icmpv6 id != 33-45 icmpv6 id {33, 55, 67, 88};ok;icmpv6 type { echo-request, echo-reply} icmpv6 id { 33, 55, 67, 88} icmpv6 id != {33, 55, 67, 88};ok;icmpv6 type { echo-request, echo-reply} icmpv6 id != { 33, 55, 67, 88} -icmpv6 id {33-55};ok;icmpv6 type { echo-request, echo-reply} icmpv6 id { 33-55} -icmpv6 id != {33-55};ok;icmpv6 type { echo-request, echo-reply} icmpv6 id != { 33-55} + +icmpv6 id 1;ok;icmpv6 type { echo-request, echo-reply} icmpv6 id 1 +icmpv6 type echo-reply icmpv6 id 65534;ok icmpv6 sequence 2;ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequence 2 icmpv6 sequence {3, 4, 5, 6, 7} accept;ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequence { 3, 4, 5, 6, 7} accept @@ -83,14 +78,22 @@ icmpv6 sequence {2, 4};ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequenc icmpv6 sequence != {2, 4};ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequence != { 2, 4} icmpv6 sequence 2-4;ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequence 2-4 icmpv6 sequence != 2-4;ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequence != 2-4 -icmpv6 sequence { 2-4};ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequence { 2-4} -icmpv6 sequence != { 2-4};ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequence != { 2-4} icmpv6 max-delay 33-45;ok icmpv6 max-delay != 33-45;ok icmpv6 max-delay {33, 55, 67, 88};ok icmpv6 max-delay != {33, 55, 67, 88};ok -icmpv6 max-delay {33-55};ok -icmpv6 max-delay != {33-55};ok -icmpv6 type parameter-problem icmpv6 code no-route;ok +icmpv6 type parameter-problem icmpv6 code 0;ok + +icmpv6 type mld-listener-query icmpv6 taddr 2001:db8::133;ok +icmpv6 type nd-neighbor-solicit icmpv6 taddr 2001:db8::133;ok +icmpv6 type nd-neighbor-advert icmpv6 taddr 2001:db8::133;ok +icmpv6 taddr 2001:db8::133;ok;icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect} icmpv6 taddr 2001:db8::133 + +icmpv6 taddr 2001:db8::133;ok;icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect} icmpv6 taddr 2001:db8::133 + +icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect} icmpv6 taddr 2001:db8::133;ok +icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } icmpv6 taddr 2001:db8::133;ok +icmpv6 daddr 2001:db8::133;ok +icmpv6 type nd-redirect icmpv6 daddr 2001:db8::133;ok;icmpv6 daddr 2001:db8::133 diff --git a/tests/py/ip6/icmpv6.t.json b/tests/py/ip6/icmpv6.t.json index 96079042..9df886dd 100644 --- a/tests/py/ip6/icmpv6.t.json +++ b/tests/py/ip6/icmpv6.t.json @@ -532,8 +532,8 @@ "op": "!=", "right": { "set": [ - "policy-fail", - "reject-route", + 5, + 6, 7 ] } @@ -544,46 +544,6 @@ } ] -# icmpv6 code { 3-66} -[ - { - "match": { - "left": { - "payload": { - "field": "code", - "protocol": "icmpv6" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 3, 66 ] } - ] - } - } - } -] - -# icmpv6 code != { 3-66} -[ - { - "match": { - "left": { - "payload": { - "field": "code", - "protocol": "icmpv6" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 3, 66 ] } - ] - } - } - } -] - # icmpv6 checksum 2222 log [ { @@ -700,46 +660,6 @@ } ] -# icmpv6 checksum { 222-226} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "icmpv6" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 222, 226 ] } - ] - } - } - } -] - -# icmpv6 checksum != { 222-226} -[ - { - "match": { - "left": { - "payload": { - "field": "checksum", - "protocol": "icmpv6" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 222, 226 ] } - ] - } - } - } -] - # icmpv6 mtu 22 [ { @@ -854,46 +774,6 @@ } ] -# icmpv6 mtu {33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "mtu", - "protocol": "icmpv6" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# icmpv6 mtu != {33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "mtu", - "protocol": "icmpv6" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # icmpv6 id 33-45 [ { @@ -976,42 +856,63 @@ } ] -# icmpv6 id {33-55} +# icmpv6 id 1 [ { "match": { "left": { "payload": { - "field": "id", + "field": "type", "protocol": "icmpv6" } }, - "op": "==", + "op": "==", "right": { "set": [ - { "range": [ 33, 55 ] } + "echo-request", + "echo-reply" ] } } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": 1 + } } ] -# icmpv6 id != {33-55} +# icmpv6 type echo-reply icmpv6 id 65534 [ { "match": { "left": { "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "echo-reply" + } + }, + { + "match": { + "left": { + "payload": { "field": "id", "protocol": "icmpv6" } }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } + "op": "==", + "right": 65534 } } ] @@ -1137,47 +1038,43 @@ } ] -# icmpv6 sequence { 2-4} +# icmpv6 max-delay 33-45 [ { "match": { "left": { "payload": { - "field": "sequence", + "field": "max-delay", "protocol": "icmpv6" } }, "op": "==", "right": { - "set": [ - { "range": [ 2, 4 ] } - ] + "range": [ 33, 45 ] } } } ] -# icmpv6 sequence != { 2-4} +# icmpv6 max-delay != 33-45 [ { "match": { "left": { "payload": { - "field": "sequence", + "field": "max-delay", "protocol": "icmpv6" } }, "op": "!=", "right": { - "set": [ - { "range": [ 2, 4 ] } - ] + "range": [ 33, 45 ] } } } ] -# icmpv6 max-delay 33-45 +# icmpv6 max-delay {33, 55, 67, 88} [ { "match": { @@ -1189,13 +1086,18 @@ }, "op": "==", "right": { - "range": [ 33, 45 ] + "set": [ + 33, + 55, + 67, + 88 + ] } } } ] -# icmpv6 max-delay != 33-45 +# icmpv6 max-delay != {33, 55, 67, 88} [ { "match": { @@ -1207,138 +1109,317 @@ }, "op": "!=", "right": { - "range": [ 33, 45 ] + "set": [ + 33, + 55, + 67, + 88 + ] } } } ] -# icmpv6 max-delay {33, 55, 67, 88} +# icmpv6 type packet-too-big icmpv6 mtu 1280 [ { "match": { "left": { "payload": { - "field": "max-delay", + "field": "mtu", "protocol": "icmpv6" } }, - "op": "==", - "right": { - "set": [ - 33, - 55, - 67, - 88 - ] - } + "op": "==", + "right": 1280 } } ] -# icmpv6 max-delay != {33, 55, 67, 88} +# icmpv6 type parameter-problem icmpv6 code 0 [ { "match": { "left": { "payload": { - "field": "max-delay", + "field": "type", "protocol": "icmpv6" } }, - "op": "!=", + "op": "==", + "right": "parameter-problem" + } + }, + { + "match": { + "left": { + "payload": { + "field": "code", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": 0 + } + } +] + +# icmpv6 type mld-listener-query icmpv6 taddr 2001:db8::133 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "mld-listener-query" + } + }, + { + "match": { + "left": { + "payload": { + "field": "taddr", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "2001:db8::133" + } + } +] + +# icmpv6 type nd-neighbor-solicit icmpv6 taddr 2001:db8::133 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "nd-neighbor-solicit" + } + }, + { + "match": { + "left": { + "payload": { + "field": "taddr", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "2001:db8::133" + } + } +] + +# icmpv6 type nd-neighbor-advert icmpv6 taddr 2001:db8::133 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "nd-neighbor-advert" + } + }, + { + "match": { + "left": { + "payload": { + "field": "taddr", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "2001:db8::133" + } + } +] + +# icmpv6 taddr 2001:db8::133 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", "right": { "set": [ - 33, - 55, - 67, - 88 + "mld-listener-query", + "mld-listener-report", + "mld-listener-done", + "nd-neighbor-solicit", + "nd-neighbor-advert", + "nd-redirect" ] } } + }, + { + "match": { + "left": { + "payload": { + "field": "taddr", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "2001:db8::133" + } } ] -# icmpv6 max-delay {33-55} +# icmpv6 taddr 2001:db8::133 [ { "match": { "left": { "payload": { - "field": "max-delay", + "field": "type", "protocol": "icmpv6" } }, - "op": "==", + "op": "==", "right": { "set": [ - { "range": [ 33, 55 ] } + "mld-listener-query", + "mld-listener-report", + "mld-listener-done", + "nd-neighbor-solicit", + "nd-neighbor-advert", + "nd-redirect" ] } } + }, + { + "match": { + "left": { + "payload": { + "field": "taddr", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "2001:db8::133" + } } ] -# icmpv6 max-delay != {33-55} +# icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect} icmpv6 taddr 2001:db8::133 [ { "match": { "left": { "payload": { - "field": "max-delay", + "field": "type", "protocol": "icmpv6" } }, - "op": "!=", + "op": "==", "right": { "set": [ - { "range": [ 33, 55 ] } + "mld-listener-query", + "mld-listener-report", + "mld-listener-done", + "nd-neighbor-solicit", + "nd-neighbor-advert", + "nd-redirect" ] } } + }, + { + "match": { + "left": { + "payload": { + "field": "taddr", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "2001:db8::133" + } } ] -# icmpv6 type packet-too-big icmpv6 mtu 1280 +# icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } icmpv6 taddr 2001:db8::133 [ { "match": { "left": { "payload": { - "field": "mtu", + "field": "type", "protocol": "icmpv6" } }, "op": "==", - "right": 1280 + "right": { + "set": [ + "nd-neighbor-solicit", + "nd-neighbor-advert" + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "taddr", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "2001:db8::133" } } ] -# icmpv6 type parameter-problem icmpv6 code no-route +# icmpv6 daddr 2001:db8::133 [ { "match": { "left": { "payload": { - "field": "type", + "field": "daddr", "protocol": "icmpv6" } }, "op": "==", - "right": "parameter-problem" + "right": "2001:db8::133" } - }, + } +] + +# icmpv6 type nd-redirect icmpv6 daddr 2001:db8::133 +[ { "match": { "left": { "payload": { - "field": "code", + "field": "daddr", "protocol": "icmpv6" } }, "op": "==", - "right": "no-route" + "right": "2001:db8::133" } } ] diff --git a/tests/py/ip6/icmpv6.t.json.output b/tests/py/ip6/icmpv6.t.json.output index 7b8f5c19..f29b346c 100644 --- a/tests/py/ip6/icmpv6.t.json.output +++ b/tests/py/ip6/icmpv6.t.json.output @@ -104,7 +104,7 @@ } }, "op": "==", - "right": "port-unreachable" + "right": 4 } } ] @@ -122,7 +122,7 @@ "op": "==", "right": { "range": [ - "addr-unreachable", + 3, 66 ] } @@ -143,8 +143,8 @@ "op": "==", "right": { "set": [ - "policy-fail", - "reject-route", + 5, + 6, 7 ] } diff --git a/tests/py/ip6/icmpv6.t.payload.ip6 b/tests/py/ip6/icmpv6.t.payload.ip6 index c98a2548..5b6035d1 100644 --- a/tests/py/ip6/icmpv6.t.payload.ip6 +++ b/tests/py/ip6/icmpv6.t.payload.ip6 @@ -231,26 +231,6 @@ ip6 test-ip6 input [ lookup reg 1 set __set%d 0x1 ] [ immediate reg 0 accept ] -# icmpv6 code { 3-66} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000003 : 0 [end] element 00000043 : 1 [end] -ip6 test-ip6 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x0000003a ] - [ payload load 1b @ transport header + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# icmpv6 code != { 3-66} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000003 : 0 [end] element 00000043 : 1 [end] -ip6 test-ip6 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x0000003a ] - [ payload load 1b @ transport header + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # icmpv6 checksum 2222 log ip6 test-ip6 input [ meta load l4proto => reg 1 ] @@ -302,26 +282,6 @@ ip6 test-ip6 input [ payload load 2b @ transport header + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# icmpv6 checksum { 222-226} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 0000de00 : 0 [end] element 0000e300 : 1 [end] -ip6 test-ip6 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x0000003a ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# icmpv6 checksum != { 222-226} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 0000de00 : 0 [end] element 0000e300 : 1 [end] -ip6 test-ip6 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x0000003a ] - [ payload load 2b @ transport header + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # icmpv6 mtu 22 ip6 test-ip6 input [ meta load l4proto => reg 1 ] @@ -383,30 +343,6 @@ ip6 test-ip6 input [ payload load 4b @ transport header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# icmpv6 mtu {33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -ip6 test-ip6 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x0000003a ] - [ payload load 1b @ transport header + 0 => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 4b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# icmpv6 mtu != {33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] -ip6 test-ip6 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x0000003a ] - [ payload load 1b @ transport header + 0 => reg 1 ] - [ cmp eq reg 1 0x00000002 ] - [ payload load 4b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # icmpv6 type packet-too-big icmpv6 mtu 1280 ip6 [ meta load l4proto => reg 1 ] @@ -471,35 +407,26 @@ ip6 test-ip6 input [ payload load 2b @ transport header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# icmpv6 id {33-55} -__set%d test-ip6 3 +# icmpv6 id 1 +__set%d test-ip6 3 size 2 __set%d test-ip6 0 element 00000080 : 0 [end] element 00000081 : 0 [end] -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -ip6 test-ip6 input +ip6 [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x0000003a ] [ payload load 1b @ transport header + 0 => reg 1 ] [ lookup reg 1 set __set%d ] [ payload load 2b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] + [ cmp eq reg 1 0x00000100 ] -# icmpv6 id != {33-55} -__set%d test-ip6 3 -__set%d test-ip6 0 - element 00000080 : 0 [end] element 00000081 : 0 [end] -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -ip6 test-ip6 input +# icmpv6 type echo-reply icmpv6 id 65534 +ip6 [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x0000003a ] [ payload load 1b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] + [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] + [ cmp eq reg 1 0x0000feff ] # icmpv6 sequence 2 __set%d test-ip6 3 @@ -584,36 +511,6 @@ ip6 test-ip6 input [ payload load 2b @ transport header + 6 => reg 1 ] [ range neq reg 1 0x00000200 0x00000400 ] -# icmpv6 sequence { 2-4} -__set%d test-ip6 3 -__set%d test-ip6 0 - element 00000080 : 0 [end] element 00000081 : 0 [end] -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000200 : 0 [end] element 00000500 : 1 [end] -ip6 test-ip6 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x0000003a ] - [ payload load 1b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - [ payload load 2b @ transport header + 6 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# icmpv6 sequence != { 2-4} -__set%d test-ip6 3 -__set%d test-ip6 0 - element 00000080 : 0 [end] element 00000081 : 0 [end] -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000200 : 0 [end] element 00000500 : 1 [end] -ip6 test-ip6 input - [ meta load l4proto => reg 1 ] - [ cmp eq reg 1 0x0000003a ] - [ payload load 1b @ transport header + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - [ payload load 2b @ transport header + 6 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # icmpv6 max-delay 33-45 ip6 test-ip6 input [ meta load l4proto => reg 1 ] @@ -657,34 +554,90 @@ ip6 test-ip6 input [ payload load 2b @ transport header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# icmpv6 max-delay {33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] +# icmpv6 type parameter-problem icmpv6 code 0 +ip6 + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000003a ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000004 ] + +# icmpv6 type mld-listener-query icmpv6 taddr 2001:db8::133 ip6 test-ip6 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x0000003a ] [ payload load 1b @ transport header + 0 => reg 1 ] [ cmp eq reg 1 0x00000082 ] - [ payload load 2b @ transport header + 4 => reg 1 ] + [ payload load 16b @ transport header + 8 => reg 1 ] + [ cmp eq reg 1 0xb80d0120 0x00000000 0x00000000 0x33010000 ] + +# icmpv6 type nd-neighbor-solicit icmpv6 taddr 2001:db8::133 +ip6 test-ip6 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000087 ] + [ payload load 16b @ transport header + 8 => reg 1 ] + [ cmp eq reg 1 0xb80d0120 0x00000000 0x00000000 0x33010000 ] + +# icmpv6 type nd-neighbor-advert icmpv6 taddr 2001:db8::133 +ip6 test-ip6 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000088 ] + [ payload load 16b @ transport header + 8 => reg 1 ] + [ cmp eq reg 1 0xb80d0120 0x00000000 0x00000000 0x33010000 ] + +# icmpv6 taddr 2001:db8::133 +__set%d test-ip6 3 size 6 +__set%d test-ip6 0 + element 00000082 : 0 [end] element 00000083 : 0 [end] element 00000084 : 0 [end] element 00000087 : 0 [end] element 00000088 : 0 [end] element 00000089 : 0 [end] +ip6 test-ip6 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] [ lookup reg 1 set __set%d ] + [ payload load 16b @ transport header + 8 => reg 1 ] + [ cmp eq reg 1 0xb80d0120 0x00000000 0x00000000 0x33010000 ] -# icmpv6 max-delay != {33-55} -__set%d test-ip6 7 +# icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect} icmpv6 taddr 2001:db8::133 +__set%d test-ip6 3 size 6 __set%d test-ip6 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] + element 00000082 : 0 [end] element 00000083 : 0 [end] element 00000084 : 0 [end] element 00000087 : 0 [end] element 00000088 : 0 [end] element 00000089 : 0 [end] ip6 test-ip6 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x0000003a ] [ payload load 1b @ transport header + 0 => reg 1 ] - [ cmp eq reg 1 0x00000082 ] - [ payload load 2b @ transport header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] + [ lookup reg 1 set __set%d ] + [ payload load 16b @ transport header + 8 => reg 1 ] + [ cmp eq reg 1 0xb80d0120 0x00000000 0x00000000 0x33010000 ] -# icmpv6 type parameter-problem icmpv6 code no-route -ip6 +# icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } icmpv6 taddr 2001:db8::133 +__set%d test-ip6 3 size 2 +__set%d test-ip6 0 + element 00000087 : 0 [end] element 00000088 : 0 [end] +ip6 test-ip6 input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x0000003a ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ cmp eq reg 1 0x00000004 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ payload load 16b @ transport header + 8 => reg 1 ] + [ cmp eq reg 1 0xb80d0120 0x00000000 0x00000000 0x33010000 ] + +# icmpv6 daddr 2001:db8::133 +ip6 test-ip6 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000089 ] + [ payload load 16b @ transport header + 24 => reg 1 ] + [ cmp eq reg 1 0xb80d0120 0x00000000 0x00000000 0x33010000 ] +# icmpv6 type nd-redirect icmpv6 daddr 2001:db8::133 +ip6 test-ip6 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000089 ] + [ payload load 16b @ transport header + 24 => reg 1 ] + [ cmp eq reg 1 0xb80d0120 0x00000000 0x00000000 0x33010000 ] diff --git a/tests/py/ip6/ip6.t b/tests/py/ip6/ip6.t index dbb56fa3..430dd571 100644 --- a/tests/py/ip6/ip6.t +++ b/tests/py/ip6/ip6.t @@ -17,6 +17,15 @@ ip6 dscp != 0x20;ok;ip6 dscp != cs4 ip6 dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef};ok ip6 dscp vmap { 0x04 : accept, 0x3f : continue } counter;ok +!map1 type dscp : mark;ok +meta mark set ip6 dscp map @map1;ok +!map2 type dscp . ipv6_addr : mark;ok +meta mark set ip6 dscp . ip6 daddr map @map2;ok +!map3 type dscp : mark;ok +ip6 dscp @map3;ok +!map4 type dscp . ipv6_addr : mark;ok +ip6 dscp . ip6 daddr @map4;ok + ip6 flowlabel 22;ok ip6 flowlabel != 233;ok - ip6 flowlabel 33-45;ok @@ -24,8 +33,6 @@ ip6 flowlabel != 233;ok ip6 flowlabel { 33, 55, 67, 88};ok # BUG ip6 flowlabel { 5046528, 2883584, 13522432 } ip6 flowlabel != { 33, 55, 67, 88};ok -ip6 flowlabel { 33-55};ok -ip6 flowlabel != { 33-55};ok ip6 flowlabel vmap { 0 : accept, 2 : continue };ok ip6 length 22;ok @@ -34,16 +41,12 @@ ip6 length 33-45;ok ip6 length != 33-45;ok ip6 length { 33, 55, 67, 88};ok ip6 length != {33, 55, 67, 88};ok -ip6 length { 33-55};ok -ip6 length != { 33-55};ok ip6 nexthdr {udp, ah, comp, udplite, tcp, dccp, sctp};ok;ip6 nexthdr { 132, 51, 108, 136, 17, 33, 6} ip6 nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok;ip6 nexthdr { 6, 136, 108, 33, 50, 17, 132, 58, 51} ip6 nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok;ip6 nexthdr != { 6, 136, 108, 33, 50, 17, 132, 58, 51} ip6 nexthdr esp;ok;ip6 nexthdr 50 ip6 nexthdr != esp;ok;ip6 nexthdr != 50 -ip6 nexthdr { 33-44};ok -ip6 nexthdr != { 33-44};ok ip6 nexthdr 33-44;ok ip6 nexthdr != 33-44;ok @@ -53,8 +56,6 @@ ip6 hoplimit 33-45;ok ip6 hoplimit != 33-45;ok ip6 hoplimit {33, 55, 67, 88};ok ip6 hoplimit != {33, 55, 67, 88};ok -ip6 hoplimit {33-55};ok -ip6 hoplimit != {33-55};ok # from src/scanner.l # v680 (({hex4}:){7}{hex4}) diff --git a/tests/py/ip6/ip6.t.json b/tests/py/ip6/ip6.t.json index f898240f..49e5a2dd 100644 --- a/tests/py/ip6/ip6.t.json +++ b/tests/py/ip6/ip6.t.json @@ -135,39 +135,107 @@ } ] -# ip6 flowlabel 22 +# meta mark set ip6 dscp map @map1 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "map": { + "data": "@map1", + "key": { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + } + } + } + } + } +] + +# meta mark set ip6 dscp . ip6 daddr map @map2 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "map": { + "data": "@map2", + "key": { + "concat": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip6" + } + } + ] + } + } + } + } + } +] + +# ip6 dscp @map3 [ { "match": { "left": { "payload": { - "field": "flowlabel", + "field": "dscp", "protocol": "ip6" } }, - "op": "==", - "right": 22 + "op": "==", + "right": "@map3" } } ] -# ip6 flowlabel != 233 +# ip6 dscp . ip6 daddr @map4 [ { "match": { "left": { - "payload": { - "field": "flowlabel", - "protocol": "ip6" - } + "concat": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip6" + } + } + ] }, - "op": "!=", - "right": 233 + "op": "==", + "right": "@map4" } } ] -# ip6 flowlabel { 33, 55, 67, 88} +# ip6 flowlabel 22 [ { "match": { @@ -178,19 +246,12 @@ } }, "op": "==", - "right": { - "set": [ - 33, - 55, - 67, - 88 - ] - } + "right": 22 } } ] -# ip6 flowlabel != { 33, 55, 67, 88} +# ip6 flowlabel != 233 [ { "match": { @@ -201,19 +262,12 @@ } }, "op": "!=", - "right": { - "set": [ - 33, - 55, - 67, - 88 - ] - } + "right": 233 } } ] -# ip6 flowlabel { 33-55} +# ip6 flowlabel { 33, 55, 67, 88} [ { "match": { @@ -226,14 +280,17 @@ "op": "==", "right": { "set": [ - { "range": [ 33, 55 ] } + 33, + 55, + 67, + 88 ] } } } ] -# ip6 flowlabel != { 33-55} +# ip6 flowlabel != { 33, 55, 67, 88} [ { "match": { @@ -246,7 +303,10 @@ "op": "!=", "right": { "set": [ - { "range": [ 33, 55 ] } + 33, + 55, + 67, + 88 ] } } @@ -397,48 +457,6 @@ } ] -# ip6 length { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "length", - "protocol": "ip6" - } - }, - "op": "==", - "right": { - "set": [ - { - "range": [ 33, 55 ] - } - ] - } - } - } -] - -# ip6 length != { 33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "length", - "protocol": "ip6" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # ip6 nexthdr {udp, ah, comp, udplite, tcp, dccp, sctp} [ { @@ -743,46 +761,6 @@ } ] -# ip6 hoplimit {33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "hoplimit", - "protocol": "ip6" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# ip6 hoplimit != {33-55} -[ - { - "match": { - "left": { - "payload": { - "field": "hoplimit", - "protocol": "ip6" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234 [ { diff --git a/tests/py/ip6/ip6.t.payload.inet b/tests/py/ip6/ip6.t.payload.inet index 11ba34a1..dbb430af 100644 --- a/tests/py/ip6/ip6.t.payload.inet +++ b/tests/py/ip6/ip6.t.payload.inet @@ -44,7 +44,7 @@ inet test-inet input # ip6 dscp vmap { 0x04 : accept, 0x3f : continue } counter __map%d test-inet b size 2 __map%d test-inet 0 - element 00000001 : 0 [end] element 0000c00f : 0 [end] + element 00000001 : accept 0 [end] element 0000c00f : continue 0 [end] ip6 test-ip6 input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -53,6 +53,50 @@ ip6 test-ip6 input [ lookup reg 1 set __map%d dreg 0 ] [ counter pkts 0 bytes 0 ] +# meta mark set ip6 dscp map @map1 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ lookup reg 1 set map1 dreg 1 ] + [ meta set mark with reg 1 ] + +# meta mark set ip6 dscp . ip6 daddr map @map2 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ payload load 16b @ network header + 24 => reg 9 ] + [ lookup reg 1 set map2 dreg 1 ] + [ meta set mark with reg 1 ] + +# ip6 dscp @map3 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ lookup reg 1 set map3 ] + +# ip6 dscp . ip6 daddr @map4 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ payload load 16b @ network header + 24 => reg 9 ] + [ lookup reg 1 set map4 ] + # ip6 flowlabel 22 inet test-inet input [ meta load nfproto => reg 1 ] @@ -91,32 +135,10 @@ inet test-inet input [ bitwise reg 1 = ( reg 1 & 0x00ffff0f ) ^ 0x00000000 ] [ lookup reg 1 set __set%d 0x1 ] -# ip6 flowlabel { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00210000 : 0 [end] element 00380000 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ payload load 3b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00ffff0f ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d ] - -# ip6 flowlabel != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00210000 : 0 [end] element 00380000 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ payload load 3b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00ffff0f ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip6 flowlabel vmap { 0 : accept, 2 : continue } __map%d test-inet b size 2 __map%d test-inet 0 - element 00000000 : 0 [end] element 00020000 : 0 [end] + element 00000000 : accept 0 [end] element 00020000 : continue 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -173,26 +195,6 @@ inet test-inet input [ payload load 2b @ network header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip6 length { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ payload load 2b @ network header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip6 length != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ payload load 2b @ network header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip6 nexthdr {udp, ah, comp, udplite, tcp, dccp, sctp} __set%d test-inet 3 __set%d test-inet 0 @@ -237,26 +239,6 @@ inet test-inet input [ payload load 1b @ network header + 6 => reg 1 ] [ cmp neq reg 1 0x00000032 ] -# ip6 nexthdr { 33-44} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 0000002d : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ payload load 1b @ network header + 6 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip6 nexthdr != { 33-44} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 0000002d : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ payload load 1b @ network header + 6 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip6 nexthdr 33-44 inet test-inet input [ meta load nfproto => reg 1 ] @@ -321,26 +303,6 @@ inet test-inet input [ payload load 1b @ network header + 7 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip6 hoplimit {33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ payload load 1b @ network header + 7 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip6 hoplimit != {33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ payload load 1b @ network header + 7 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234 inet test-inet input [ meta load nfproto => reg 1 ] diff --git a/tests/py/ip6/ip6.t.payload.ip6 b/tests/py/ip6/ip6.t.payload.ip6 index 78479253..b1289232 100644 --- a/tests/py/ip6/ip6.t.payload.ip6 +++ b/tests/py/ip6/ip6.t.payload.ip6 @@ -34,13 +34,49 @@ ip6 test-ip6 input # ip6 dscp vmap { 0x04 : accept, 0x3f : continue } counter __map%d test-ip6 b size 2 __map%d test-ip6 0 - element 00000001 : 0 [end] element 0000c00f : 0 [end] + element 00000001 : accept 0 [end] element 0000c00f : continue 0 [end] ip6 test-ip6 input [ payload load 2b @ network header + 0 => reg 1 ] [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] [ lookup reg 1 set __map%d dreg 0 ] [ counter pkts 0 bytes 0 ] +# meta mark set ip6 dscp map @map1 +ip6 test-ip6 input + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ lookup reg 1 set map1 dreg 1 ] + [ meta set mark with reg 1 ] + +# meta mark set ip6 dscp . ip6 daddr map @map2 +ip6 test-ip6 input + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ payload load 16b @ network header + 24 => reg 9 ] + [ lookup reg 1 set map2 dreg 1 ] + [ meta set mark with reg 1 ] + +# ip6 dscp @map3 +ip6 test-ip6 input + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ lookup reg 1 set map3 ] + +# ip6 dscp . ip6 daddr @map4 +ip6 test-ip6 input + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ payload load 16b @ network header + 24 => reg 9 ] + [ lookup reg 1 set map4 ] + # ip6 flowlabel 22 ip6 test-ip6 input [ payload load 3b @ network header + 1 => reg 1 ] @@ -71,28 +107,10 @@ ip6 test-ip6 input [ bitwise reg 1 = ( reg 1 & 0x00ffff0f ) ^ 0x00000000 ] [ lookup reg 1 set __set%d 0x1 ] -# ip6 flowlabel { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00210000 : 0 [end] element 00380000 : 1 [end] -ip6 test-ip6 input - [ payload load 3b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00ffff0f ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d ] - -# ip6 flowlabel != { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00210000 : 0 [end] element 00380000 : 1 [end] -ip6 test-ip6 input - [ payload load 3b @ network header + 1 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x00ffff0f ) ^ 0x00000000 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip6 flowlabel vmap { 0 : accept, 2 : continue } __map%d test-ip6 b size 2 __map%d test-ip6 0 - element 00000000 : 0 [end] element 00020000 : 0 [end] + element 00000000 : accept 0 [end] element 00020000 : continue 0 [end] ip6 test-ip6 input [ payload load 3b @ network header + 1 => reg 1 ] [ bitwise reg 1 = ( reg 1 & 0x00ffff0f ) ^ 0x00000000 ] @@ -135,22 +153,6 @@ ip6 test-ip6 input [ payload load 2b @ network header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip6 length { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -ip6 test-ip6 input - [ payload load 2b @ network header + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip6 length != { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -ip6 test-ip6 input - [ payload load 2b @ network header + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip6 nexthdr {udp, ah, comp, udplite, tcp, dccp, sctp} __set%d test-ip6 3 __set%d test-ip6 0 @@ -185,22 +187,6 @@ ip6 test-ip6 input [ payload load 1b @ network header + 6 => reg 1 ] [ cmp neq reg 1 0x00000032 ] -# ip6 nexthdr { 33-44} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 0000002d : 1 [end] -ip6 test-ip6 input - [ payload load 1b @ network header + 6 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip6 nexthdr != { 33-44} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 0000002d : 1 [end] -ip6 test-ip6 input - [ payload load 1b @ network header + 6 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip6 nexthdr 33-44 ip6 test-ip6 input [ payload load 1b @ network header + 6 => reg 1 ] @@ -249,22 +235,6 @@ ip6 test-ip6 input [ payload load 1b @ network header + 7 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# ip6 hoplimit {33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ payload load 1b @ network header + 7 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# ip6 hoplimit != {33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ payload load 1b @ network header + 7 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234 ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] diff --git a/tests/py/ip6/masquerade.t.payload.ip6 b/tests/py/ip6/masquerade.t.payload.ip6 index 06b79d8e..43ae2ae4 100644 --- a/tests/py/ip6/masquerade.t.payload.ip6 +++ b/tests/py/ip6/masquerade.t.payload.ip6 @@ -112,7 +112,7 @@ ip6 test-ip6 postrouting # iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } masquerade __map%d test-ip6 b __map%d test-ip6 0 - element 00001600 : 0 [end] element 0000de00 : 0 [end] + element 00001600 : drop 0 [end] element 0000de00 : drop 0 [end] ip6 test-ip6 postrouting [ meta load iifname => reg 1 ] [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] @@ -130,7 +130,7 @@ ip6 test-ip6 postrouting [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ immediate reg 1 0x00000004 ] - [ masq proto_min reg 1 proto_max reg 0 flags 0x2 ] + [ masq proto_min reg 1 flags 0x2 ] # meta l4proto 6 masquerade to :1024-2048 ip6 test-ip6 postrouting diff --git a/tests/py/ip6/meta.t b/tests/py/ip6/meta.t index dce97f5b..c177b081 100644 --- a/tests/py/ip6/meta.t +++ b/tests/py/ip6/meta.t @@ -9,5 +9,11 @@ meta l4proto icmp icmp type echo-request;ok;icmp type echo-request meta l4proto 1 icmp type echo-request;ok;icmp type echo-request icmp type echo-request;ok +meta protocol ip udp dport 67;ok +meta protocol ip6 udp dport 67;ok;udp dport 67 + meta sdif "lo" accept;ok meta sdifname != "vrf1" accept;ok + +meta mark set ip6 dscp << 2 | 0x10;ok +meta mark set ip6 dscp << 26 | 0x10;ok diff --git a/tests/py/ip6/meta.t.json b/tests/py/ip6/meta.t.json index e72350f3..1a2394d8 100644 --- a/tests/py/ip6/meta.t.json +++ b/tests/py/ip6/meta.t.json @@ -140,3 +140,174 @@ "accept": null } ] + +# meta protocol ip udp dport 67 +[ + { + "match": { + "left": { + "meta": { + "key": "protocol" + } + }, + "op": "==", + "right": "ip" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 67 + } + } +] + +# meta protocol ip6 udp dport 67 +[ + { + "match": { + "left": { + "meta": { + "key": "protocol" + } + }, + "op": "==", + "right": "ip6" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 67 + } + } +] + +# meta mark set ip6 dscp lshift 2 or 0x10 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 2 + ] + }, + 16 + ] + } + } + } +] + +# meta mark set ip6 dscp lshift 26 or 0x10 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 26 + ] + }, + 16 + ] + } + } + } +] + +# meta mark set ip6 dscp << 2 | 0x10 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 2 + ] + }, + 16 + ] + } + } + } +] + +# meta mark set ip6 dscp << 26 | 0x10 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 26 + ] + }, + 16 + ] + } + } + } +] + diff --git a/tests/py/ip6/meta.t.json.output b/tests/py/ip6/meta.t.json.output index dede9b16..61adf184 100644 --- a/tests/py/ip6/meta.t.json.output +++ b/tests/py/ip6/meta.t.json.output @@ -46,3 +46,19 @@ } ] +# meta protocol ip6 udp dport 67 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 67 + } + } +] + diff --git a/tests/py/ip6/meta.t.payload b/tests/py/ip6/meta.t.payload index be04816e..6a37f1de 100644 --- a/tests/py/ip6/meta.t.payload +++ b/tests/py/ip6/meta.t.payload @@ -44,3 +44,39 @@ ip6 test-ip6 input [ meta load sdifname => reg 1 ] [ cmp neq reg 1 0x31667276 0x00000000 0x00000000 0x00000000 ] [ immediate reg 0 accept ] + +# meta protocol ip udp dport 67 +ip6 test-ip6 input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00004300 ] + +# meta protocol ip6 udp dport 67 +ip6 test-ip6 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00004300 ] + +# meta mark set ip6 dscp << 2 | 0x10 +ip6 test-ip6 input + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ bitwise reg 1 = ( reg 1 << 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ] + [ meta set mark with reg 1 ] + +# meta mark set ip6 dscp << 26 | 0x10 +ip6 test-ip6 input + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ bitwise reg 1 = ( reg 1 << 0x0000001a ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ] + [ meta set mark with reg 1 ] diff --git a/tests/py/ip6/mh.t b/tests/py/ip6/mh.t index 2f90372e..46f4ba05 100644 --- a/tests/py/ip6/mh.t +++ b/tests/py/ip6/mh.t @@ -15,8 +15,6 @@ mh nexthdr 33-45;ok mh nexthdr != 33-45;ok mh nexthdr { 33, 55, 67, 88 };ok mh nexthdr != { 33, 55, 67, 88 };ok -mh nexthdr { 33-55 };ok -mh nexthdr != { 33-55 };ok mh hdrlength 22;ok mh hdrlength != 233;ok @@ -24,8 +22,6 @@ mh hdrlength 33-45;ok mh hdrlength != 33-45;ok mh hdrlength { 33, 55, 67, 88 };ok mh hdrlength != { 33, 55, 67, 88 };ok -mh hdrlength { 33-55 };ok -mh hdrlength != { 33-55 };ok mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message};ok mh type home-agent-switch-message;ok @@ -37,8 +33,6 @@ mh reserved 33-45;ok mh reserved != 33-45;ok mh reserved { 33, 55, 67, 88};ok mh reserved != { 33, 55, 67, 88};ok -mh reserved { 33-55};ok -mh reserved != { 33-55};ok mh checksum 22;ok mh checksum != 233;ok @@ -46,5 +40,3 @@ mh checksum 33-45;ok mh checksum != 33-45;ok mh checksum { 33, 55, 67, 88};ok mh checksum != { 33, 55, 67, 88};ok -mh checksum { 33-55};ok -mh checksum != { 33-55};ok diff --git a/tests/py/ip6/mh.t.json b/tests/py/ip6/mh.t.json index 211477d3..3159b14b 100644 --- a/tests/py/ip6/mh.t.json +++ b/tests/py/ip6/mh.t.json @@ -232,48 +232,6 @@ } ] -# mh nexthdr { 33-55 } -[ - { - "match": { - "left": { - "exthdr": { - "field": "nexthdr", - "name": "mh" - } - }, - "op": "==", - "right": { - "set": [ - { - "range": [ 33, 55 ] - } - ] - } - } - } -] - -# mh nexthdr != { 33-55 } -[ - { - "match": { - "left": { - "exthdr": { - "field": "nexthdr", - "name": "mh" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # mh hdrlength 22 [ { @@ -388,46 +346,6 @@ } ] -# mh hdrlength { 33-55 } -[ - { - "match": { - "left": { - "exthdr": { - "field": "hdrlength", - "name": "mh" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# mh hdrlength != { 33-55 } -[ - { - "match": { - "left": { - "exthdr": { - "field": "hdrlength", - "name": "mh" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message} [ { @@ -606,46 +524,6 @@ } ] -# mh reserved { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "reserved", - "name": "mh" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# mh reserved != { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "reserved", - "name": "mh" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # mh checksum 22 [ { @@ -760,43 +638,3 @@ } ] -# mh checksum { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "checksum", - "name": "mh" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# mh checksum != { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "checksum", - "name": "mh" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - diff --git a/tests/py/ip6/mh.t.payload.inet b/tests/py/ip6/mh.t.payload.inet index 2c473fbd..54eaa70e 100644 --- a/tests/py/ip6/mh.t.payload.inet +++ b/tests/py/ip6/mh.t.payload.inet @@ -95,26 +95,6 @@ inet test-inet input [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# mh nexthdr { 33-55 } -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# mh nexthdr != { 33-55 } -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # mh hdrlength 22 inet test-inet input [ meta load nfproto => reg 1 ] @@ -164,26 +144,6 @@ inet test-inet input [ exthdr load ipv6 1b @ 135 + 1 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# mh hdrlength { 33-55 } -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 135 + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# mh hdrlength != { 33-55 } -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 135 + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message} __set%d test-inet 3 __set%d test-inet 0 @@ -257,26 +217,6 @@ inet test-inet input [ exthdr load ipv6 1b @ 135 + 3 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# mh reserved { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 135 + 3 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# mh reserved != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 135 + 3 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # mh checksum 22 inet test-inet input [ meta load nfproto => reg 1 ] @@ -325,24 +265,3 @@ inet test-inet input [ cmp eq reg 1 0x0000000a ] [ exthdr load ipv6 2b @ 135 + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] - -# mh checksum { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 2b @ 135 + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# mh checksum != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 2b @ 135 + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - diff --git a/tests/py/ip6/mh.t.payload.ip6 b/tests/py/ip6/mh.t.payload.ip6 index 93744dac..73bd4226 100644 --- a/tests/py/ip6/mh.t.payload.ip6 +++ b/tests/py/ip6/mh.t.payload.ip6 @@ -71,22 +71,6 @@ ip6 test-ip6 input [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# mh nexthdr { 33-55 } -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# mh nexthdr != { 33-55 } -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # mh hdrlength 22 ip6 test-ip6 input [ exthdr load ipv6 1b @ 135 + 1 => reg 1 ] @@ -124,22 +108,6 @@ ip6 test-ip6 input [ exthdr load ipv6 1b @ 135 + 1 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# mh hdrlength { 33-55 } -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 135 + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# mh hdrlength != { 33-55 } -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 135 + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message} __set%d test-ip6 3 __set%d test-ip6 0 @@ -195,22 +163,6 @@ ip6 test-ip6 input [ exthdr load ipv6 1b @ 135 + 3 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# mh reserved { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 135 + 3 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# mh reserved != { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 135 + 3 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # mh checksum 22 ip6 test-ip6 input [ exthdr load ipv6 2b @ 135 + 4 => reg 1 ] @@ -247,20 +199,3 @@ __set%d test-ip6 0 ip6 test-ip6 input [ exthdr load ipv6 2b @ 135 + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] - -# mh checksum { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 2b @ 135 + 4 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# mh checksum != { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 2b @ 135 + 4 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - diff --git a/tests/py/ip6/redirect.t b/tests/py/ip6/redirect.t index 778d53f3..70ef7f9f 100644 --- a/tests/py/ip6/redirect.t +++ b/tests/py/ip6/redirect.t @@ -46,4 +46,4 @@ ip6 daddr fe00::1-fe00::200 udp dport 53 counter redirect;ok iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } redirect;ok # redirect with maps -ip6 nexthdr 6 redirect to :tcp dport map { 22 : 8000, 80 : 8080};ok +redirect to :tcp dport map { 22 : 8000, 80 : 8080};ok diff --git a/tests/py/ip6/redirect.t.json b/tests/py/ip6/redirect.t.json index 0059c7ac..c18223fa 100644 --- a/tests/py/ip6/redirect.t.json +++ b/tests/py/ip6/redirect.t.json @@ -557,21 +557,9 @@ } ] -# ip6 nexthdr 6 redirect to :tcp dport map { 22 : 8000, 80 : 8080} +# redirect to :tcp dport map { 22 : 8000, 80 : 8080} [ { - "match": { - "left": { - "payload": { - "field": "nexthdr", - "protocol": "ip6" - } - }, - "op": "==", - "right": 6 - } - }, - { "redirect": { "port": { "map": { diff --git a/tests/py/ip6/redirect.t.payload.ip6 b/tests/py/ip6/redirect.t.payload.ip6 index 20405cea..cfc29013 100644 --- a/tests/py/ip6/redirect.t.payload.ip6 +++ b/tests/py/ip6/redirect.t.payload.ip6 @@ -178,7 +178,7 @@ ip6 test-ip6 output # iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } redirect __map%d test-ip6 b __map%d test-ip6 0 - element 00001600 : 0 [end] element 0000de00 : 0 [end] + element 00001600 : drop 0 [end] element 0000de00 : drop 0 [end] ip6 test-ip6 output [ meta load iifname => reg 1 ] [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] @@ -191,12 +191,12 @@ ip6 test-ip6 output [ lookup reg 1 set __map%d dreg 0 ] [ redir ] -# ip6 nexthdr 6 redirect to :tcp dport map { 22 : 8000, 80 : 8080} +# redirect to :tcp dport map { 22 : 8000, 80 : 8080} __map%d test-ip6 b __map%d test-ip6 0 element 00001600 : 0000401f 0 [end] element 00005000 : 0000901f 0 [end] ip6 test-ip6 output - [ payload load 1b @ network header + 6 => reg 1 ] + [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 2b @ transport header + 2 => reg 1 ] [ lookup reg 1 set __map%d dreg 1 ] diff --git a/tests/py/ip6/reject.t b/tests/py/ip6/reject.t index 7fa04eec..bfdd094e 100644 --- a/tests/py/ip6/reject.t +++ b/tests/py/ip6/reject.t @@ -3,13 +3,14 @@ *ip6;test-ip6;output reject;ok -reject with icmpv6 type no-route;ok -reject with icmpv6 type admin-prohibited;ok -reject with icmpv6 type addr-unreachable;ok -reject with icmpv6 type port-unreachable;ok;reject -reject with icmpv6 type policy-fail;ok -reject with icmpv6 type reject-route;ok +reject with icmpv6 no-route;ok +reject with icmpv6 admin-prohibited;ok +reject with icmpv6 addr-unreachable;ok +reject with icmpv6 port-unreachable;ok;reject +reject with icmpv6 policy-fail;ok +reject with icmpv6 reject-route;ok +reject with icmpv6 3;ok;reject with icmpv6 addr-unreachable mark 0x80000000 reject with tcp reset;ok;meta mark 0x80000000 reject with tcp reset -reject with icmpv6 type host-unreachable;fail -reject with icmp type host-unreachable;fail +reject with icmpv6 host-unreachable;fail +reject with icmp host-unreachable;fail diff --git a/tests/py/ip6/reject.t.json b/tests/py/ip6/reject.t.json index ae57c333..312a7dab 100644 --- a/tests/py/ip6/reject.t.json +++ b/tests/py/ip6/reject.t.json @@ -5,7 +5,7 @@ } ] -# reject with icmpv6 type no-route +# reject with icmpv6 no-route [ { "reject": { @@ -15,7 +15,7 @@ } ] -# reject with icmpv6 type admin-prohibited +# reject with icmpv6 admin-prohibited [ { "reject": { @@ -25,7 +25,7 @@ } ] -# reject with icmpv6 type addr-unreachable +# reject with icmpv6 addr-unreachable [ { "reject": { @@ -35,7 +35,7 @@ } ] -# reject with icmpv6 type port-unreachable +# reject with icmpv6 port-unreachable [ { "reject": { @@ -45,7 +45,7 @@ } ] -# reject with icmpv6 type policy-fail +# reject with icmpv6 policy-fail [ { "reject": { @@ -55,7 +55,7 @@ } ] -# reject with icmpv6 type reject-route +# reject with icmpv6 reject-route [ { "reject": { @@ -65,6 +65,16 @@ } ] +# reject with icmpv6 3 +[ + { + "reject": { + "expr": "addr-unreachable", + "type": "icmpv6" + } + } +] + # mark 0x80000000 reject with tcp reset [ { diff --git a/tests/py/ip6/reject.t.payload.ip6 b/tests/py/ip6/reject.t.payload.ip6 index dd4491ae..3d4321b0 100644 --- a/tests/py/ip6/reject.t.payload.ip6 +++ b/tests/py/ip6/reject.t.payload.ip6 @@ -2,30 +2,34 @@ ip6 test-ip6 output [ reject type 0 code 4 ] -# reject with icmpv6 type no-route +# reject with icmpv6 no-route ip6 test-ip6 output [ reject type 0 code 0 ] -# reject with icmpv6 type admin-prohibited +# reject with icmpv6 admin-prohibited ip6 test-ip6 output [ reject type 0 code 1 ] -# reject with icmpv6 type addr-unreachable +# reject with icmpv6 addr-unreachable ip6 test-ip6 output [ reject type 0 code 3 ] -# reject with icmpv6 type port-unreachable +# reject with icmpv6 port-unreachable ip6 test-ip6 output [ reject type 0 code 4 ] -# reject with icmpv6 type policy-fail +# reject with icmpv6 policy-fail ip6 test-ip6 output [ reject type 0 code 5 ] -# reject with icmpv6 type reject-route +# reject with icmpv6 reject-route ip6 test-ip6 output [ reject type 0 code 6 ] +# reject with icmpv6 3 +ip6 test-ip6 output + [ reject type 0 code 3 ] + # mark 0x80000000 reject with tcp reset ip6 test-ip6 output [ meta load l4proto => reg 1 ] diff --git a/tests/py/ip6/rt.t b/tests/py/ip6/rt.t index c3feaabe..c33d38a5 100644 --- a/tests/py/ip6/rt.t +++ b/tests/py/ip6/rt.t @@ -15,8 +15,6 @@ rt nexthdr 33-45;ok rt nexthdr != 33-45;ok rt nexthdr { 33, 55, 67, 88};ok rt nexthdr != { 33, 55, 67, 88};ok -rt nexthdr { 33-55};ok -rt nexthdr != { 33-55};ok rt hdrlength 22;ok rt hdrlength != 233;ok @@ -24,8 +22,6 @@ rt hdrlength 33-45;ok rt hdrlength != 33-45;ok rt hdrlength { 33, 55, 67, 88};ok rt hdrlength != { 33, 55, 67, 88};ok -rt hdrlength { 33-55};ok -rt hdrlength != { 33-55};ok rt type 22;ok rt type != 233;ok @@ -33,8 +29,6 @@ rt type 33-45;ok rt type != 33-45;ok rt type { 33, 55, 67, 88};ok rt type != { 33, 55, 67, 88};ok -rt type { 33-55};ok -rt type != { 33-55};ok rt seg-left 22;ok rt seg-left != 233;ok @@ -42,5 +36,3 @@ rt seg-left 33-45;ok rt seg-left != 33-45;ok rt seg-left { 33, 55, 67, 88};ok rt seg-left != { 33, 55, 67, 88};ok -rt seg-left { 33-55};ok -rt seg-left != { 33-55};ok diff --git a/tests/py/ip6/rt.t.json b/tests/py/ip6/rt.t.json index 86a46402..b12873d6 100644 --- a/tests/py/ip6/rt.t.json +++ b/tests/py/ip6/rt.t.json @@ -232,46 +232,6 @@ } ] -# rt nexthdr { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "nexthdr", - "name": "rt" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# rt nexthdr != { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "nexthdr", - "name": "rt" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # rt hdrlength 22 [ { @@ -386,46 +346,6 @@ } ] -# rt hdrlength { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "hdrlength", - "name": "rt" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# rt hdrlength != { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "hdrlength", - "name": "rt" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # rt type 22 [ { @@ -540,46 +460,6 @@ } ] -# rt type { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "type", - "name": "rt" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# rt type != { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "type", - "name": "rt" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - # rt seg-left 22 [ { @@ -694,43 +574,3 @@ } ] -# rt seg-left { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "seg-left", - "name": "rt" - } - }, - "op": "==", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - -# rt seg-left != { 33-55} -[ - { - "match": { - "left": { - "exthdr": { - "field": "seg-left", - "name": "rt" - } - }, - "op": "!=", - "right": { - "set": [ - { "range": [ 33, 55 ] } - ] - } - } - } -] - diff --git a/tests/py/ip6/rt.t.payload.inet b/tests/py/ip6/rt.t.payload.inet index eafb4a00..864d3114 100644 --- a/tests/py/ip6/rt.t.payload.inet +++ b/tests/py/ip6/rt.t.payload.inet @@ -95,26 +95,6 @@ inet test-inet input [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# rt nexthdr { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# rt nexthdr != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # rt hdrlength 22 inet test-inet input [ meta load nfproto => reg 1 ] @@ -164,26 +144,6 @@ inet test-inet input [ exthdr load ipv6 1b @ 43 + 1 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# rt hdrlength { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 43 + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# rt hdrlength != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 43 + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # rt type 22 inet test-inet input [ meta load nfproto => reg 1 ] @@ -233,26 +193,6 @@ inet test-inet input [ exthdr load ipv6 1b @ 43 + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# rt type { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 43 + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# rt type != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 43 + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # rt seg-left 22 inet test-inet input [ meta load nfproto => reg 1 ] @@ -302,23 +242,3 @@ inet test-inet input [ exthdr load ipv6 1b @ 43 + 3 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# rt seg-left { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 43 + 3 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# rt seg-left != { 33-55} -__set%d test-inet 7 -__set%d test-inet 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -inet test-inet input - [ meta load nfproto => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ exthdr load ipv6 1b @ 43 + 3 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - diff --git a/tests/py/ip6/rt.t.payload.ip6 b/tests/py/ip6/rt.t.payload.ip6 index 929cf9e1..c7b52f82 100644 --- a/tests/py/ip6/rt.t.payload.ip6 +++ b/tests/py/ip6/rt.t.payload.ip6 @@ -71,22 +71,6 @@ ip6 test-ip6 input [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# rt nexthdr { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# rt nexthdr != { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # rt hdrlength 22 ip6 test-ip6 input [ exthdr load ipv6 1b @ 43 + 1 => reg 1 ] @@ -124,22 +108,6 @@ ip6 test-ip6 input [ exthdr load ipv6 1b @ 43 + 1 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# rt hdrlength { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 43 + 1 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# rt hdrlength != { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 43 + 1 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # rt type 22 ip6 test-ip6 input [ exthdr load ipv6 1b @ 43 + 2 => reg 1 ] @@ -177,22 +145,6 @@ ip6 test-ip6 input [ exthdr load ipv6 1b @ 43 + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# rt type { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 43 + 2 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# rt type != { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 43 + 2 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - # rt seg-left 22 ip6 test-ip6 input [ exthdr load ipv6 1b @ 43 + 3 => reg 1 ] @@ -230,19 +182,3 @@ ip6 test-ip6 input [ exthdr load ipv6 1b @ 43 + 3 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] -# rt seg-left { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 43 + 3 => reg 1 ] - [ lookup reg 1 set __set%d ] - -# rt seg-left != { 33-55} -__set%d test-ip6 7 -__set%d test-ip6 0 - element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] -ip6 test-ip6 input - [ exthdr load ipv6 1b @ 43 + 3 => reg 1 ] - [ lookup reg 1 set __set%d 0x1 ] - diff --git a/tests/py/ip6/sets.t b/tests/py/ip6/sets.t index add82eb8..17fd62f5 100644 --- a/tests/py/ip6/sets.t +++ b/tests/py/ip6/sets.t @@ -1,9 +1,10 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress !w type ipv6_addr;ok !x type inet_proto;ok @@ -40,4 +41,8 @@ ip6 saddr != @set33 drop;fail !set5 type ipv6_addr . ipv6_addr;ok ip6 saddr . ip6 daddr @set5 drop;ok add @set5 { ip6 saddr . ip6 daddr };ok + +!map1 type ipv6_addr . ipv6_addr : mark;ok +add @map1 { ip6 saddr . ip6 daddr : meta mark };ok + delete @set5 { ip6 saddr . ip6 daddr };ok diff --git a/tests/py/ip6/sets.t.json b/tests/py/ip6/sets.t.json index 948c1f16..2029d2b5 100644 --- a/tests/py/ip6/sets.t.json +++ b/tests/py/ip6/sets.t.json @@ -116,3 +116,35 @@ } } ] + +# add @map1 { ip6 saddr . ip6 daddr : meta mark } +[ + { + "map": { + "data": { + "meta": { + "key": "mark" + } + }, + "elem": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip6" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip6" + } + } + ] + }, + "map": "@map1", + "op": "add" + } + } +] + diff --git a/tests/py/ip6/sets.t.payload.inet b/tests/py/ip6/sets.t.payload.inet index 47ad86a2..2bbd5573 100644 --- a/tests/py/ip6/sets.t.payload.inet +++ b/tests/py/ip6/sets.t.payload.inet @@ -31,6 +31,15 @@ inet test-inet input [ payload load 16b @ network header + 24 => reg 2 ] [ dynset add reg_key 1 set set5 ] +# add @map1 { ip6 saddr . ip6 daddr : meta mark } +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 16b @ network header + 8 => reg 1 ] + [ payload load 16b @ network header + 24 => reg 2 ] + [ meta load mark => reg 3 ] + [ dynset add reg_key 1 set map1 sreg_data 3 ] + # delete @set5 { ip6 saddr . ip6 daddr } inet test-inet input [ meta load nfproto => reg 1 ] diff --git a/tests/py/ip6/sets.t.payload.ip6 b/tests/py/ip6/sets.t.payload.ip6 index a5febb9f..c59f7b5c 100644 --- a/tests/py/ip6/sets.t.payload.ip6 +++ b/tests/py/ip6/sets.t.payload.ip6 @@ -29,3 +29,10 @@ ip6 test-ip6 input [ payload load 16b @ network header + 24 => reg 2 ] [ dynset delete reg_key 1 set set5 ] +# add @map1 { ip6 saddr . ip6 daddr : meta mark } +ip6 test-ip6 input + [ payload load 16b @ network header + 8 => reg 1 ] + [ payload load 16b @ network header + 24 => reg 2 ] + [ meta load mark => reg 3 ] + [ dynset add reg_key 1 set map1 sreg_data 3 ] + diff --git a/tests/py/ip6/sets.t.payload.netdev b/tests/py/ip6/sets.t.payload.netdev index dab74159..1866d26b 100644 --- a/tests/py/ip6/sets.t.payload.netdev +++ b/tests/py/ip6/sets.t.payload.netdev @@ -39,3 +39,12 @@ netdev test-netdev ingress [ payload load 16b @ network header + 24 => reg 2 ] [ dynset delete reg_key 1 set set5 ] +# add @map1 { ip6 saddr . ip6 daddr : meta mark } +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ payload load 16b @ network header + 8 => reg 1 ] + [ payload load 16b @ network header + 24 => reg 2 ] + [ meta load mark => reg 3 ] + [ dynset add reg_key 1 set map1 sreg_data 3 ] + diff --git a/tests/py/ip6/snat.t.payload.ip6 b/tests/py/ip6/snat.t.payload.ip6 index e7fd8ff8..66a29672 100644 --- a/tests/py/ip6/snat.t.payload.ip6 +++ b/tests/py/ip6/snat.t.payload.ip6 @@ -21,5 +21,5 @@ ip6 test-ip6 postrouting [ immediate reg 1 0x38080120 0x01005f03 0x00000000 0x00000000 ] [ immediate reg 2 0x38080120 0x02005f03 0x00000000 0x00000000 ] [ immediate reg 3 0x00006400 ] - [ nat snat ip6 addr_min reg 1 addr_max reg 2 proto_min reg 3 proto_max reg 0 flags 0x2 ] + [ nat snat ip6 addr_min reg 1 addr_max reg 2 proto_min reg 3 flags 0x2 ] diff --git a/tests/py/ip6/srh.t.payload b/tests/py/ip6/srh.t.payload index b6247456..364940a9 100644 --- a/tests/py/ip6/srh.t.payload +++ b/tests/py/ip6/srh.t.payload @@ -11,7 +11,7 @@ ip6 test-ip6 input # srh last-entry { 0, 4-127, 255 } __set%d test-ip6 7 size 5 __set%d test-ip6 0 - element 00000000 : 0 [end] element 00000001 : 1 [end] element 00000004 : 0 [end] element 00000080 : 1 [end] element 000000ff : 0 [end] userdata = { + element 00000000 : 0 [end] element 00000001 : 1 [end] element 00000004 : 0 [end] element 00000080 : 1 [end] element 000000ff : 0 [end] userdata = { \x01\x04\x01\x00\x00\x00 } ip6 test-ip6 input [ exthdr load ipv6 1b @ 43 + 4 => reg 1 ] [ lookup reg 1 set __set%d ] @@ -29,7 +29,7 @@ ip6 test-ip6 input # srh flags { 0, 4-127, 255 } __set%d test-ip6 7 size 5 __set%d test-ip6 0 - element 00000000 : 0 [end] element 00000001 : 1 [end] element 00000004 : 0 [end] element 00000080 : 1 [end] element 000000ff : 0 [end] userdata = { + element 00000000 : 0 [end] element 00000001 : 1 [end] element 00000004 : 0 [end] element 00000080 : 1 [end] element 000000ff : 0 [end] userdata = { \x01\x04\x01\x00\x00\x00 } ip6 test-ip6 input [ exthdr load ipv6 1b @ 43 + 5 => reg 1 ] [ lookup reg 1 set __set%d ] @@ -47,7 +47,7 @@ ip6 test-ip6 input # srh tag { 0, 4-127, 0xffff } __set%d test-ip6 7 size 5 __set%d test-ip6 0 - element 00000000 : 0 [end] element 00000100 : 1 [end] element 00000400 : 0 [end] element 00008000 : 1 [end] element 0000ffff : 0 [end] userdata = { + element 00000000 : 0 [end] element 00000100 : 1 [end] element 00000400 : 0 [end] element 00008000 : 1 [end] element 0000ffff : 0 [end] userdata = { \x01\x04\x01\x00\x00\x00 } ip6 test-ip6 input [ exthdr load ipv6 2b @ 43 + 6 => reg 1 ] [ lookup reg 1 set __set%d ] diff --git a/tests/py/ip6/vmap.t b/tests/py/ip6/vmap.t index 434f5d92..2d54b822 100644 --- a/tests/py/ip6/vmap.t +++ b/tests/py/ip6/vmap.t @@ -1,9 +1,10 @@ :input;type filter hook input priority 0 :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 *ip6;test-ip6;input *inet;test-inet;input -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress ip6 saddr vmap { abcd::3 : accept };ok ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234:1234;fail diff --git a/tests/py/ip6/vmap.t.payload.inet b/tests/py/ip6/vmap.t.payload.inet index 53f19eb9..931cc6bd 100644 --- a/tests/py/ip6/vmap.t.payload.inet +++ b/tests/py/ip6/vmap.t.payload.inet @@ -1,7 +1,7 @@ # ip6 saddr vmap { abcd::3 : accept } __map%d test-inet b __map%d test-inet 0 - element 0000cdab 00000000 00000000 03000000 : 0 [end] + element 0000cdab 00000000 00000000 03000000 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -11,7 +11,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 34123412 34123412 34123412 : 0 [end] + element 34123412 34123412 34123412 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -21,7 +21,7 @@ inet test-inet input # ip6 saddr vmap { ::1234:1234:1234:1234:1234:1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 34120000 34123412 34123412 34123412 : 0 [end] + element 34120000 34123412 34123412 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -31,7 +31,7 @@ inet test-inet input # ip6 saddr vmap { 1234::1234:1234:1234:1234:1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 00003412 34123412 34123412 34123412 : 0 [end] + element 00003412 34123412 34123412 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -41,7 +41,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234::1234:1234:1234:1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 34120000 34123412 34123412 : 0 [end] + element 34123412 34120000 34123412 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -51,7 +51,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234:1234::1234:1234:1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 00003412 34123412 34123412 : 0 [end] + element 34123412 00003412 34123412 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -61,7 +61,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234:1234:1234::1234:1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 34123412 34120000 34123412 : 0 [end] + element 34123412 34123412 34120000 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -71,7 +71,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234:1234:1234:1234::1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 34123412 00003412 34123412 : 0 [end] + element 34123412 34123412 00003412 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -81,7 +81,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234:1234:1234:1234:1234::1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 34123412 34123412 34120000 : 0 [end] + element 34123412 34123412 34123412 34120000 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -91,7 +91,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:1234:: : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 34123412 34123412 00003412 : 0 [end] + element 34123412 34123412 34123412 00003412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -101,7 +101,7 @@ inet test-inet input # ip6 saddr vmap { ::1234:1234:1234:1234:1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 00000000 34123412 34123412 34123412 : 0 [end] + element 00000000 34123412 34123412 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -111,7 +111,7 @@ inet test-inet input # ip6 saddr vmap { 1234::1234:1234:1234:1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 00003412 34120000 34123412 34123412 : 0 [end] + element 00003412 34120000 34123412 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -121,7 +121,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234::1234:1234:1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 00000000 34123412 34123412 : 0 [end] + element 34123412 00000000 34123412 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -131,7 +131,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234:1234::1234:1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 00003412 34120000 34123412 : 0 [end] + element 34123412 00003412 34120000 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -141,7 +141,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234:1234:1234::1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 34123412 00000000 34123412 : 0 [end] + element 34123412 34123412 00000000 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -151,7 +151,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234:1234:1234:1234::1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 34123412 00003412 34120000 : 0 [end] + element 34123412 34123412 00003412 34120000 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -161,7 +161,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:: : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 34123412 34123412 00000000 : 0 [end] + element 34123412 34123412 34123412 00000000 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -171,7 +171,7 @@ inet test-inet input # ip6 saddr vmap { ::1234:1234:1234:1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 00000000 34120000 34123412 34123412 : 0 [end] + element 00000000 34120000 34123412 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -181,7 +181,7 @@ inet test-inet input # ip6 saddr vmap { 1234::1234:1234:1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 00003412 00000000 34123412 34123412 : 0 [end] + element 00003412 00000000 34123412 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -191,7 +191,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234::1234:1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 00000000 34120000 34123412 : 0 [end] + element 34123412 00000000 34120000 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -201,7 +201,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234:1234::1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 00003412 00000000 34123412 : 0 [end] + element 34123412 00003412 00000000 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -211,7 +211,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234:1234:1234::1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 34123412 00000000 34120000 : 0 [end] + element 34123412 34123412 00000000 34120000 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -221,7 +221,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234:1234:1234:1234:: : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 34123412 00003412 00000000 : 0 [end] + element 34123412 34123412 00003412 00000000 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -231,7 +231,7 @@ inet test-inet input # ip6 saddr vmap { ::1234:1234:1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 00000000 00000000 34123412 34123412 : 0 [end] + element 00000000 00000000 34123412 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -241,7 +241,7 @@ inet test-inet input # ip6 saddr vmap { 1234::1234:1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 00003412 00000000 34120000 34123412 : 0 [end] + element 00003412 00000000 34120000 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -251,7 +251,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234::1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 00000000 00000000 34123412 : 0 [end] + element 34123412 00000000 00000000 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -261,7 +261,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234:1234::1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 00003412 00000000 34120000 : 0 [end] + element 34123412 00003412 00000000 34120000 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -271,7 +271,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234:1234:1234:: : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 34123412 00000000 00000000 : 0 [end] + element 34123412 34123412 00000000 00000000 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -281,7 +281,7 @@ inet test-inet input # ip6 saddr vmap { ::1234:1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 00000000 00000000 34120000 34123412 : 0 [end] + element 00000000 00000000 34120000 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -291,7 +291,7 @@ inet test-inet input # ip6 saddr vmap { 1234::1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 00003412 00000000 00000000 34123412 : 0 [end] + element 00003412 00000000 00000000 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -301,7 +301,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234::1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 00000000 00000000 34120000 : 0 [end] + element 34123412 00000000 00000000 34120000 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -311,7 +311,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234:1234:: : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 00003412 00000000 00000000 : 0 [end] + element 34123412 00003412 00000000 00000000 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -321,7 +321,7 @@ inet test-inet input # ip6 saddr vmap { ::1234:1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 00000000 00000000 00000000 34123412 : 0 [end] + element 00000000 00000000 00000000 34123412 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -331,7 +331,7 @@ inet test-inet input # ip6 saddr vmap { 1234::1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 00003412 00000000 00000000 34120000 : 0 [end] + element 00003412 00000000 00000000 34120000 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -341,7 +341,7 @@ inet test-inet input # ip6 saddr vmap { 1234:1234:: : accept} __map%d test-inet b __map%d test-inet 0 - element 34123412 00000000 00000000 00000000 : 0 [end] + element 34123412 00000000 00000000 00000000 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -351,7 +351,7 @@ inet test-inet input # ip6 saddr vmap { ::1234 : accept} __map%d test-inet b __map%d test-inet 0 - element 00000000 00000000 00000000 34120000 : 0 [end] + element 00000000 00000000 00000000 34120000 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -361,7 +361,7 @@ inet test-inet input # ip6 saddr vmap { 1234:: : accept} __map%d test-inet b __map%d test-inet 0 - element 00003412 00000000 00000000 00000000 : 0 [end] + element 00003412 00000000 00000000 00000000 : accept 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -371,7 +371,7 @@ inet test-inet input # ip6 saddr vmap { ::/64 : accept} __map%d test-inet f __map%d test-inet 0 - element 00000000 00000000 00000000 00000000 : 0 [end] element 00000000 01000000 00000000 00000000 : 1 [end] + element 00000000 00000000 00000000 00000000 : accept 0 [end] element 00000000 01000000 00000000 00000000 : 1 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -381,7 +381,7 @@ inet test-inet input # ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:: : accept, ::aaaa : drop} __map%d test-inet b __map%d test-inet 0 - element 34123412 34123412 34123412 0000aaaa : 0 [end] element 00000000 00000000 00000000 aaaa0000 : 0 [end] + element 34123412 34123412 34123412 0000aaaa : accept 0 [end] element 00000000 00000000 00000000 aaaa0000 : drop 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -391,7 +391,7 @@ inet test-inet input # ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept, ::bbbb : drop} __map%d test-inet b __map%d test-inet 0 - element 34123412 34123412 34123412 0000aaaa : 0 [end] element 00000000 00000000 00000000 bbbb0000 : 0 [end] + element 34123412 34123412 34123412 0000aaaa : accept 0 [end] element 00000000 00000000 00000000 bbbb0000 : drop 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -401,7 +401,7 @@ inet test-inet input # ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept,::cccc : drop} __map%d test-inet b __map%d test-inet 0 - element 34123412 34123412 34123412 0000aaaa : 0 [end] element 00000000 00000000 00000000 cccc0000 : 0 [end] + element 34123412 34123412 34123412 0000aaaa : accept 0 [end] element 00000000 00000000 00000000 cccc0000 : drop 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] @@ -411,7 +411,7 @@ inet test-inet input # ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept,::dddd: drop} __map%d test-inet b __map%d test-inet 0 - element 34123412 34123412 34123412 0000aaaa : 0 [end] element 00000000 00000000 00000000 dddd0000 : 0 [end] + element 34123412 34123412 34123412 0000aaaa : accept 0 [end] element 00000000 00000000 00000000 dddd0000 : drop 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x0000000a ] diff --git a/tests/py/ip6/vmap.t.payload.ip6 b/tests/py/ip6/vmap.t.payload.ip6 index 620979f0..6e077b27 100644 --- a/tests/py/ip6/vmap.t.payload.ip6 +++ b/tests/py/ip6/vmap.t.payload.ip6 @@ -1,7 +1,7 @@ # ip6 saddr vmap { abcd::3 : accept } __map%d test-ip6 b __map%d test-ip6 0 - element 0000cdab 00000000 00000000 03000000 : 0 [end] + element 0000cdab 00000000 00000000 03000000 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -9,7 +9,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 34123412 34123412 34123412 : 0 [end] + element 34123412 34123412 34123412 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -17,7 +17,7 @@ ip6 test-ip6 input # ip6 saddr vmap { ::1234:1234:1234:1234:1234:1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34120000 34123412 34123412 34123412 : 0 [end] + element 34120000 34123412 34123412 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -25,7 +25,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234::1234:1234:1234:1234:1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 00003412 34123412 34123412 34123412 : 0 [end] + element 00003412 34123412 34123412 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -33,7 +33,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234::1234:1234:1234:1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 34120000 34123412 34123412 : 0 [end] + element 34123412 34120000 34123412 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -41,7 +41,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234:1234::1234:1234:1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 00003412 34123412 34123412 : 0 [end] + element 34123412 00003412 34123412 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -49,7 +49,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234:1234:1234::1234:1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 34123412 34120000 34123412 : 0 [end] + element 34123412 34123412 34120000 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -57,7 +57,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234:1234:1234:1234::1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 34123412 00003412 34123412 : 0 [end] + element 34123412 34123412 00003412 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -65,7 +65,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234:1234:1234:1234:1234::1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 34123412 34123412 34120000 : 0 [end] + element 34123412 34123412 34123412 34120000 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -73,7 +73,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:1234:: : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 34123412 34123412 00003412 : 0 [end] + element 34123412 34123412 34123412 00003412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -81,7 +81,7 @@ ip6 test-ip6 input # ip6 saddr vmap { ::1234:1234:1234:1234:1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 00000000 34123412 34123412 34123412 : 0 [end] + element 00000000 34123412 34123412 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -89,7 +89,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234::1234:1234:1234:1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 00003412 34120000 34123412 34123412 : 0 [end] + element 00003412 34120000 34123412 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -97,7 +97,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234::1234:1234:1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 00000000 34123412 34123412 : 0 [end] + element 34123412 00000000 34123412 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -105,7 +105,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234:1234::1234:1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 00003412 34120000 34123412 : 0 [end] + element 34123412 00003412 34120000 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -113,7 +113,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234:1234:1234::1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 34123412 00000000 34123412 : 0 [end] + element 34123412 34123412 00000000 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -121,7 +121,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234:1234:1234:1234::1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 34123412 00003412 34120000 : 0 [end] + element 34123412 34123412 00003412 34120000 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -129,7 +129,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:: : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 34123412 34123412 00000000 : 0 [end] + element 34123412 34123412 34123412 00000000 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -137,7 +137,7 @@ ip6 test-ip6 input # ip6 saddr vmap { ::1234:1234:1234:1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 00000000 34120000 34123412 34123412 : 0 [end] + element 00000000 34120000 34123412 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -145,7 +145,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234::1234:1234:1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 00003412 00000000 34123412 34123412 : 0 [end] + element 00003412 00000000 34123412 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -153,7 +153,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234::1234:1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 00000000 34120000 34123412 : 0 [end] + element 34123412 00000000 34120000 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -161,7 +161,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234:1234::1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 00003412 00000000 34123412 : 0 [end] + element 34123412 00003412 00000000 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -169,7 +169,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234:1234:1234::1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 34123412 00000000 34120000 : 0 [end] + element 34123412 34123412 00000000 34120000 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -177,7 +177,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234:1234:1234:1234:: : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 34123412 00003412 00000000 : 0 [end] + element 34123412 34123412 00003412 00000000 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -185,7 +185,7 @@ ip6 test-ip6 input # ip6 saddr vmap { ::1234:1234:1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 00000000 00000000 34123412 34123412 : 0 [end] + element 00000000 00000000 34123412 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -193,7 +193,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234::1234:1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 00003412 00000000 34120000 34123412 : 0 [end] + element 00003412 00000000 34120000 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -201,7 +201,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234::1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 00000000 00000000 34123412 : 0 [end] + element 34123412 00000000 00000000 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -209,7 +209,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234:1234::1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 00003412 00000000 34120000 : 0 [end] + element 34123412 00003412 00000000 34120000 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -217,7 +217,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234:1234:1234:: : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 34123412 00000000 00000000 : 0 [end] + element 34123412 34123412 00000000 00000000 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -225,7 +225,7 @@ ip6 test-ip6 input # ip6 saddr vmap { ::1234:1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 00000000 00000000 34120000 34123412 : 0 [end] + element 00000000 00000000 34120000 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -233,7 +233,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234::1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 00003412 00000000 00000000 34123412 : 0 [end] + element 00003412 00000000 00000000 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -241,7 +241,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234::1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 00000000 00000000 34120000 : 0 [end] + element 34123412 00000000 00000000 34120000 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -249,7 +249,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234:1234:: : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 00003412 00000000 00000000 : 0 [end] + element 34123412 00003412 00000000 00000000 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -257,7 +257,7 @@ ip6 test-ip6 input # ip6 saddr vmap { ::1234:1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 00000000 00000000 00000000 34123412 : 0 [end] + element 00000000 00000000 00000000 34123412 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -265,7 +265,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234::1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 00003412 00000000 00000000 34120000 : 0 [end] + element 00003412 00000000 00000000 34120000 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -273,7 +273,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:1234:: : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 00000000 00000000 00000000 : 0 [end] + element 34123412 00000000 00000000 00000000 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -281,7 +281,7 @@ ip6 test-ip6 input # ip6 saddr vmap { ::1234 : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 00000000 00000000 00000000 34120000 : 0 [end] + element 00000000 00000000 00000000 34120000 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -289,7 +289,7 @@ ip6 test-ip6 input # ip6 saddr vmap { 1234:: : accept} __map%d test-ip6 b __map%d test-ip6 0 - element 00003412 00000000 00000000 00000000 : 0 [end] + element 00003412 00000000 00000000 00000000 : accept 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -297,7 +297,7 @@ ip6 test-ip6 input # ip6 saddr vmap { ::/64 : accept} __map%d test-ip6 f __map%d test-ip6 0 - element 00000000 00000000 00000000 00000000 : 0 [end] element 00000000 01000000 00000000 00000000 : 1 [end] + element 00000000 00000000 00000000 00000000 : accept 0 [end] element 00000000 01000000 00000000 00000000 : 1 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -305,7 +305,7 @@ ip6 test-ip6 input # ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:: : accept, ::aaaa : drop} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 34123412 34123412 0000aaaa : 0 [end] element 00000000 00000000 00000000 aaaa0000 : 0 [end] + element 34123412 34123412 34123412 0000aaaa : accept 0 [end] element 00000000 00000000 00000000 aaaa0000 : drop 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -313,7 +313,7 @@ ip6 test-ip6 input # ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept, ::bbbb : drop} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 34123412 34123412 0000aaaa : 0 [end] element 00000000 00000000 00000000 bbbb0000 : 0 [end] + element 34123412 34123412 34123412 0000aaaa : accept 0 [end] element 00000000 00000000 00000000 bbbb0000 : drop 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -321,7 +321,7 @@ ip6 test-ip6 input # ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept,::cccc : drop} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 34123412 34123412 0000aaaa : 0 [end] element 00000000 00000000 00000000 cccc0000 : 0 [end] + element 34123412 34123412 34123412 0000aaaa : accept 0 [end] element 00000000 00000000 00000000 cccc0000 : drop 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] @@ -329,7 +329,7 @@ ip6 test-ip6 input # ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept,::dddd: drop} __map%d test-ip6 b __map%d test-ip6 0 - element 34123412 34123412 34123412 0000aaaa : 0 [end] element 00000000 00000000 00000000 dddd0000 : 0 [end] + element 34123412 34123412 34123412 0000aaaa : accept 0 [end] element 00000000 00000000 00000000 dddd0000 : drop 0 [end] ip6 test-ip6 input [ payload load 16b @ network header + 8 => reg 1 ] [ lookup reg 1 set __map%d dreg 0 ] diff --git a/tests/py/ip6/vmap.t.payload.netdev b/tests/py/ip6/vmap.t.payload.netdev index 0ae5d5b0..45f2c0b0 100644 --- a/tests/py/ip6/vmap.t.payload.netdev +++ b/tests/py/ip6/vmap.t.payload.netdev @@ -1,7 +1,7 @@ # ip6 saddr vmap { abcd::3 : accept } __map%d test-netdev b __map%d test-netdev 0 - element 0000cdab 00000000 00000000 03000000 : 0 [end] + element 0000cdab 00000000 00000000 03000000 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -11,7 +11,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 34123412 34123412 34123412 : 0 [end] + element 34123412 34123412 34123412 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -21,7 +21,7 @@ netdev test-netdev ingress # ip6 saddr vmap { ::1234:1234:1234:1234:1234:1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34120000 34123412 34123412 34123412 : 0 [end] + element 34120000 34123412 34123412 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -31,7 +31,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234::1234:1234:1234:1234:1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 00003412 34123412 34123412 34123412 : 0 [end] + element 00003412 34123412 34123412 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -41,7 +41,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234::1234:1234:1234:1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 34120000 34123412 34123412 : 0 [end] + element 34123412 34120000 34123412 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -51,7 +51,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234:1234::1234:1234:1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 00003412 34123412 34123412 : 0 [end] + element 34123412 00003412 34123412 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -61,7 +61,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234:1234:1234::1234:1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 34123412 34120000 34123412 : 0 [end] + element 34123412 34123412 34120000 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -71,7 +71,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234:1234:1234:1234::1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 34123412 00003412 34123412 : 0 [end] + element 34123412 34123412 00003412 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -81,7 +81,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234:1234:1234:1234:1234::1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 34123412 34123412 34120000 : 0 [end] + element 34123412 34123412 34123412 34120000 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -91,7 +91,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:1234:: : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 34123412 34123412 00003412 : 0 [end] + element 34123412 34123412 34123412 00003412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -101,7 +101,7 @@ netdev test-netdev ingress # ip6 saddr vmap { ::1234:1234:1234:1234:1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 00000000 34123412 34123412 34123412 : 0 [end] + element 00000000 34123412 34123412 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -111,7 +111,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234::1234:1234:1234:1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 00003412 34120000 34123412 34123412 : 0 [end] + element 00003412 34120000 34123412 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -121,7 +121,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234::1234:1234:1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 00000000 34123412 34123412 : 0 [end] + element 34123412 00000000 34123412 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -131,7 +131,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234:1234::1234:1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 00003412 34120000 34123412 : 0 [end] + element 34123412 00003412 34120000 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -141,7 +141,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234:1234:1234::1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 34123412 00000000 34123412 : 0 [end] + element 34123412 34123412 00000000 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -151,7 +151,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234:1234:1234:1234::1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 34123412 00003412 34120000 : 0 [end] + element 34123412 34123412 00003412 34120000 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -161,7 +161,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:: : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 34123412 34123412 00000000 : 0 [end] + element 34123412 34123412 34123412 00000000 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -171,7 +171,7 @@ netdev test-netdev ingress # ip6 saddr vmap { ::1234:1234:1234:1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 00000000 34120000 34123412 34123412 : 0 [end] + element 00000000 34120000 34123412 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -181,7 +181,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234::1234:1234:1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 00003412 00000000 34123412 34123412 : 0 [end] + element 00003412 00000000 34123412 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -191,7 +191,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234::1234:1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 00000000 34120000 34123412 : 0 [end] + element 34123412 00000000 34120000 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -201,7 +201,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234:1234::1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 00003412 00000000 34123412 : 0 [end] + element 34123412 00003412 00000000 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -211,7 +211,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234:1234:1234::1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 34123412 00000000 34120000 : 0 [end] + element 34123412 34123412 00000000 34120000 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -221,7 +221,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234:1234:1234:1234:: : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 34123412 00003412 00000000 : 0 [end] + element 34123412 34123412 00003412 00000000 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -231,7 +231,7 @@ netdev test-netdev ingress # ip6 saddr vmap { ::1234:1234:1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 00000000 00000000 34123412 34123412 : 0 [end] + element 00000000 00000000 34123412 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -241,7 +241,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234::1234:1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 00003412 00000000 34120000 34123412 : 0 [end] + element 00003412 00000000 34120000 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -251,7 +251,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234::1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 00000000 00000000 34123412 : 0 [end] + element 34123412 00000000 00000000 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -261,7 +261,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234:1234::1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 00003412 00000000 34120000 : 0 [end] + element 34123412 00003412 00000000 34120000 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -271,7 +271,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234:1234:1234:: : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 34123412 00000000 00000000 : 0 [end] + element 34123412 34123412 00000000 00000000 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -281,7 +281,7 @@ netdev test-netdev ingress # ip6 saddr vmap { ::1234:1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 00000000 00000000 34120000 34123412 : 0 [end] + element 00000000 00000000 34120000 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -291,7 +291,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234::1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 00003412 00000000 00000000 34123412 : 0 [end] + element 00003412 00000000 00000000 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -301,7 +301,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234::1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 00000000 00000000 34120000 : 0 [end] + element 34123412 00000000 00000000 34120000 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -311,7 +311,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234:1234:: : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 00003412 00000000 00000000 : 0 [end] + element 34123412 00003412 00000000 00000000 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -321,7 +321,7 @@ netdev test-netdev ingress # ip6 saddr vmap { ::1234:1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 00000000 00000000 00000000 34123412 : 0 [end] + element 00000000 00000000 00000000 34123412 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -331,7 +331,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234::1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 00003412 00000000 00000000 34120000 : 0 [end] + element 00003412 00000000 00000000 34120000 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -341,7 +341,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:1234:: : accept} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 00000000 00000000 00000000 : 0 [end] + element 34123412 00000000 00000000 00000000 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -351,7 +351,7 @@ netdev test-netdev ingress # ip6 saddr vmap { ::1234 : accept} __map%d test-netdev b __map%d test-netdev 0 - element 00000000 00000000 00000000 34120000 : 0 [end] + element 00000000 00000000 00000000 34120000 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -361,7 +361,7 @@ netdev test-netdev ingress # ip6 saddr vmap { 1234:: : accept} __map%d test-netdev b __map%d test-netdev 0 - element 00003412 00000000 00000000 00000000 : 0 [end] + element 00003412 00000000 00000000 00000000 : accept 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -371,7 +371,7 @@ netdev test-netdev ingress # ip6 saddr vmap { ::/64 : accept} __map%d test-netdev f __map%d test-netdev 0 - element 00000000 00000000 00000000 00000000 : 0 [end] element 00000000 01000000 00000000 00000000 : 1 [end] + element 00000000 00000000 00000000 00000000 : accept 0 [end] element 00000000 01000000 00000000 00000000 : 1 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -381,7 +381,7 @@ netdev test-netdev ingress # ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:: : accept, ::aaaa : drop} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 34123412 34123412 0000aaaa : 0 [end] element 00000000 00000000 00000000 aaaa0000 : 0 [end] + element 34123412 34123412 34123412 0000aaaa : accept 0 [end] element 00000000 00000000 00000000 aaaa0000 : drop 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -391,7 +391,7 @@ netdev test-netdev ingress # ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept, ::bbbb : drop} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 34123412 34123412 0000aaaa : 0 [end] element 00000000 00000000 00000000 bbbb0000 : 0 [end] + element 34123412 34123412 34123412 0000aaaa : accept 0 [end] element 00000000 00000000 00000000 bbbb0000 : drop 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -401,7 +401,7 @@ netdev test-netdev ingress # ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept,::cccc : drop} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 34123412 34123412 0000aaaa : 0 [end] element 00000000 00000000 00000000 cccc0000 : 0 [end] + element 34123412 34123412 34123412 0000aaaa : accept 0 [end] element 00000000 00000000 00000000 cccc0000 : drop 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -411,7 +411,7 @@ netdev test-netdev ingress # ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept,::dddd: drop} __map%d test-netdev b __map%d test-netdev 0 - element 34123412 34123412 34123412 0000aaaa : 0 [end] element 00000000 00000000 00000000 dddd0000 : 0 [end] + element 34123412 34123412 34123412 0000aaaa : accept 0 [end] element 00000000 00000000 00000000 dddd0000 : drop 0 [end] netdev test-netdev ingress [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] diff --git a/tests/py/any/dup.t b/tests/py/netdev/dup.t index 181b4195..56328022 100644 --- a/tests/py/any/dup.t +++ b/tests/py/netdev/dup.t @@ -1,6 +1,7 @@ :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress dup to "lo";ok dup to meta mark map { 0x00000001 : "lo", 0x00000002 : "lo"};ok diff --git a/tests/py/any/dup.t.json b/tests/py/netdev/dup.t.json index dc56f649..dc56f649 100644 --- a/tests/py/any/dup.t.json +++ b/tests/py/netdev/dup.t.json diff --git a/tests/py/any/dup.t.payload b/tests/py/netdev/dup.t.payload index 51ff782c..51ff782c 100644 --- a/tests/py/any/dup.t.payload +++ b/tests/py/netdev/dup.t.payload diff --git a/tests/py/any/fwd.t b/tests/py/netdev/fwd.t index 2e34d55a..6051560a 100644 --- a/tests/py/any/fwd.t +++ b/tests/py/netdev/fwd.t @@ -1,6 +1,7 @@ :ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 -*netdev;test-netdev;ingress +*netdev;test-netdev;ingress,egress fwd to "lo";ok fwd to meta mark map { 0x00000001 : "lo", 0x00000002 : "lo"};ok diff --git a/tests/py/any/fwd.t.json b/tests/py/netdev/fwd.t.json index 583606c0..583606c0 100644 --- a/tests/py/any/fwd.t.json +++ b/tests/py/netdev/fwd.t.json diff --git a/tests/py/any/fwd.t.json.output b/tests/py/netdev/fwd.t.json.output index 8433e492..8433e492 100644 --- a/tests/py/any/fwd.t.json.output +++ b/tests/py/netdev/fwd.t.json.output diff --git a/tests/py/any/fwd.t.payload b/tests/py/netdev/fwd.t.payload index f03077a6..f03077a6 100644 --- a/tests/py/any/fwd.t.payload +++ b/tests/py/netdev/fwd.t.payload diff --git a/tests/py/netdev/reject.t b/tests/py/netdev/reject.t index af109086..c66e649c 100644 --- a/tests/py/netdev/reject.t +++ b/tests/py/netdev/reject.t @@ -2,39 +2,39 @@ *netdev;test-netdev;ingress -reject with icmp type host-unreachable;ok -reject with icmp type net-unreachable;ok -reject with icmp type prot-unreachable;ok -reject with icmp type port-unreachable;ok -reject with icmp type net-prohibited;ok -reject with icmp type host-prohibited;ok -reject with icmp type admin-prohibited;ok - -reject with icmpv6 type no-route;ok -reject with icmpv6 type admin-prohibited;ok -reject with icmpv6 type addr-unreachable;ok -reject with icmpv6 type port-unreachable;ok -reject with icmpv6 type policy-fail;ok -reject with icmpv6 type reject-route;ok +reject with icmp host-unreachable;ok +reject with icmp net-unreachable;ok +reject with icmp prot-unreachable;ok +reject with icmp port-unreachable;ok +reject with icmp net-prohibited;ok +reject with icmp host-prohibited;ok +reject with icmp admin-prohibited;ok + +reject with icmpv6 no-route;ok +reject with icmpv6 admin-prohibited;ok +reject with icmpv6 addr-unreachable;ok +reject with icmpv6 port-unreachable;ok +reject with icmpv6 policy-fail;ok +reject with icmpv6 reject-route;ok mark 12345 reject with tcp reset;ok;meta l4proto 6 meta mark 0x00003039 reject with tcp reset reject;ok -meta protocol ip reject;ok;reject with icmp type port-unreachable -meta protocol ip6 reject;ok;reject with icmpv6 type port-unreachable +meta protocol ip reject;ok;reject with icmp port-unreachable +meta protocol ip6 reject;ok;reject with icmpv6 port-unreachable -reject with icmpx type host-unreachable;ok -reject with icmpx type no-route;ok -reject with icmpx type admin-prohibited;ok -reject with icmpx type port-unreachable;ok;reject +reject with icmpx host-unreachable;ok +reject with icmpx no-route;ok +reject with icmpx admin-prohibited;ok +reject with icmpx port-unreachable;ok;reject -meta protocol ip reject with icmp type host-unreachable;ok;reject with icmp type host-unreachable -meta protocol ip6 reject with icmpv6 type no-route;ok;reject with icmpv6 type no-route +meta protocol ip reject with icmp host-unreachable;ok;reject with icmp host-unreachable +meta protocol ip6 reject with icmpv6 no-route;ok;reject with icmpv6 no-route -meta protocol ip6 reject with icmp type host-unreachable;fail -meta protocol ip ip protocol icmp reject with icmpv6 type no-route;fail -meta protocol ip6 ip protocol icmp reject with icmp type host-unreachable;fail +meta protocol ip6 reject with icmp host-unreachable;fail +meta protocol ip ip protocol icmp reject with icmpv6 no-route;fail +meta protocol ip6 ip protocol icmp reject with icmp host-unreachable;fail meta l4proto udp reject with tcp reset;fail -meta protocol ip reject with icmpx type admin-prohibited;ok -meta protocol ip6 reject with icmpx type admin-prohibited;ok +meta protocol ip reject with icmpx admin-prohibited;ok +meta protocol ip6 reject with icmpx admin-prohibited;ok diff --git a/tests/py/netdev/reject.t.json b/tests/py/netdev/reject.t.json index 21e6ebb5..9968aaf8 100644 --- a/tests/py/netdev/reject.t.json +++ b/tests/py/netdev/reject.t.json @@ -1,4 +1,4 @@ -# reject with icmp type host-unreachable +# reject with icmp host-unreachable [ { "reject": { @@ -8,7 +8,7 @@ } ] -# reject with icmp type net-unreachable +# reject with icmp net-unreachable [ { "reject": { @@ -18,7 +18,7 @@ } ] -# reject with icmp type prot-unreachable +# reject with icmp prot-unreachable [ { "reject": { @@ -28,7 +28,7 @@ } ] -# reject with icmp type port-unreachable +# reject with icmp port-unreachable [ { "reject": { @@ -38,7 +38,7 @@ } ] -# reject with icmp type net-prohibited +# reject with icmp net-prohibited [ { "reject": { @@ -48,7 +48,7 @@ } ] -# reject with icmp type host-prohibited +# reject with icmp host-prohibited [ { "reject": { @@ -58,7 +58,7 @@ } ] -# reject with icmp type admin-prohibited +# reject with icmp admin-prohibited [ { "reject": { @@ -68,7 +68,7 @@ } ] -# reject with icmpv6 type no-route +# reject with icmpv6 no-route [ { "reject": { @@ -78,7 +78,7 @@ } ] -# reject with icmpv6 type admin-prohibited +# reject with icmpv6 admin-prohibited [ { "reject": { @@ -88,7 +88,7 @@ } ] -# reject with icmpv6 type addr-unreachable +# reject with icmpv6 addr-unreachable [ { "reject": { @@ -98,7 +98,7 @@ } ] -# reject with icmpv6 type port-unreachable +# reject with icmpv6 port-unreachable [ { "reject": { @@ -108,7 +108,7 @@ } ] -# reject with icmpv6 type policy-fail +# reject with icmpv6 policy-fail [ { "reject": { @@ -118,7 +118,7 @@ } ] -# reject with icmpv6 type reject-route +# reject with icmpv6 reject-route [ { "reject": { @@ -134,6 +134,17 @@ "match": { "left": { "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 6 + } + }, + { + "match": { + "left": { + "meta": { "key": "mark" } }, @@ -151,47 +162,34 @@ # reject [ { - "reject": null + "reject": { + "expr": "port-unreachable", + "type": "icmpx" + } } ] # meta protocol ip reject [ { - "match": { - "left": { - "meta": { - "key": "protocol" - } - }, - "op": "==", - "right": "ip" + "reject": { + "expr": "port-unreachable", + "type": "icmp" } - }, - { - "reject": null } ] # meta protocol ip6 reject [ { - "match": { - "left": { - "meta": { - "key": "protocol" - } - }, - "op": "==", - "right": "ip6" + "reject": { + "expr": "port-unreachable", + "type": "icmpv6" } - }, - { - "reject": null } ] -# reject with icmpx type host-unreachable +# reject with icmpx host-unreachable [ { "reject": { @@ -201,7 +199,7 @@ } ] -# reject with icmpx type no-route +# reject with icmpx no-route [ { "reject": { @@ -211,7 +209,7 @@ } ] -# reject with icmpx type admin-prohibited +# reject with icmpx admin-prohibited [ { "reject": { @@ -221,7 +219,7 @@ } ] -# reject with icmpx type port-unreachable +# reject with icmpx port-unreachable [ { "reject": { @@ -231,20 +229,9 @@ } ] -# meta protocol ip reject with icmp type host-unreachable +# meta protocol ip reject with icmp host-unreachable [ { - "match": { - "left": { - "meta": { - "key": "protocol" - } - }, - "op": "==", - "right": "ip" - } - }, - { "reject": { "expr": "host-unreachable", "type": "icmp" @@ -252,20 +239,9 @@ } ] -# meta protocol ip6 reject with icmpv6 type no-route +# meta protocol ip6 reject with icmpv6 no-route [ { - "match": { - "left": { - "meta": { - "key": "protocol" - } - }, - "op": "==", - "right": "ip6" - } - }, - { "reject": { "expr": "no-route", "type": "icmpv6" @@ -273,7 +249,7 @@ } ] -# meta protocol ip reject with icmpx type admin-prohibited +# meta protocol ip reject with icmpx admin-prohibited [ { "match": { @@ -294,7 +270,7 @@ } ] -# meta protocol ip6 reject with icmpx type admin-prohibited +# meta protocol ip6 reject with icmpx admin-prohibited [ { "match": { diff --git a/tests/py/netdev/reject.t.payload b/tests/py/netdev/reject.t.payload index 5f76b091..d014adab 100644 --- a/tests/py/netdev/reject.t.payload +++ b/tests/py/netdev/reject.t.payload @@ -1,76 +1,76 @@ -# reject with icmp type host-unreachable +# reject with icmp host-unreachable netdev [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 1 ] -# reject with icmp type net-unreachable +# reject with icmp net-unreachable netdev [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 0 ] -# reject with icmp type prot-unreachable +# reject with icmp prot-unreachable netdev [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 2 ] -# reject with icmp type port-unreachable +# reject with icmp port-unreachable netdev [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 3 ] -# reject with icmp type net-prohibited +# reject with icmp net-prohibited netdev [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 9 ] -# reject with icmp type host-prohibited +# reject with icmp host-prohibited netdev [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 10 ] -# reject with icmp type admin-prohibited +# reject with icmp admin-prohibited netdev [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 13 ] -# reject with icmpv6 type no-route +# reject with icmpv6 no-route netdev [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ reject type 0 code 0 ] -# reject with icmpv6 type admin-prohibited +# reject with icmpv6 admin-prohibited netdev [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ reject type 0 code 1 ] -# reject with icmpv6 type addr-unreachable +# reject with icmpv6 addr-unreachable netdev [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ reject type 0 code 3 ] -# reject with icmpv6 type port-unreachable +# reject with icmpv6 port-unreachable netdev [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ reject type 0 code 4 ] -# reject with icmpv6 type policy-fail +# reject with icmpv6 policy-fail netdev [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ reject type 0 code 5 ] -# reject with icmpv6 type reject-route +# reject with icmpv6 reject-route netdev [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] @@ -100,41 +100,41 @@ netdev [ cmp eq reg 1 0x0000dd86 ] [ reject type 0 code 4 ] -# reject with icmpx type host-unreachable +# reject with icmpx host-unreachable netdev [ reject type 2 code 2 ] -# reject with icmpx type no-route +# reject with icmpx no-route netdev [ reject type 2 code 0 ] -# reject with icmpx type admin-prohibited +# reject with icmpx admin-prohibited netdev [ reject type 2 code 3 ] -# reject with icmpx type port-unreachable +# reject with icmpx port-unreachable netdev [ reject type 2 code 1 ] -# meta protocol ip reject with icmp type host-unreachable +# meta protocol ip reject with icmp host-unreachable netdev [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 0 code 1 ] -# meta protocol ip6 reject with icmpv6 type no-route +# meta protocol ip6 reject with icmpv6 no-route netdev [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] [ reject type 0 code 0 ] -# meta protocol ip reject with icmpx type admin-prohibited +# meta protocol ip reject with icmpx admin-prohibited netdev [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ reject type 2 code 3 ] -# meta protocol ip6 reject with icmpx type admin-prohibited +# meta protocol ip6 reject with icmpx admin-prohibited netdev [ meta load protocol => reg 1 ] [ cmp eq reg 1 0x0000dd86 ] diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py index 18e9c67f..1bc89558 100755 --- a/tests/py/nft-test.py +++ b/tests/py/nft-test.py @@ -39,7 +39,7 @@ signal_received = 0 class Colors: - if sys.stdout.isatty(): + if sys.stdout.isatty() and sys.stderr.isatty(): HEADER = '\033[95m' GREEN = '\033[92m' YELLOW = '\033[93m' @@ -86,11 +86,12 @@ class Table: class Set: """Class that represents a set""" - def __init__(self, family, table, name, type, timeout, flags): + def __init__(self, family, table, name, type, data, timeout, flags): self.family = family self.table = table self.name = name self.type = type + self.data = data self.timeout = timeout self.flags = flags @@ -366,7 +367,11 @@ def set_add(s, test_result, filename, lineno): if flags != "": flags = "flags %s; " % flags - cmd = "add set %s %s { type %s;%s %s}" % (table, s.name, s.type, s.timeout, flags) + if s.data == "": + cmd = "add set %s %s { %s;%s %s}" % (table, s.name, s.type, s.timeout, flags) + else: + cmd = "add map %s %s { %s : %s;%s %s}" % (table, s.name, s.type, s.data, s.timeout, flags) + ret = execute_cmd(cmd, filename, lineno) if (ret == 0 and test_result == "fail") or \ @@ -384,6 +389,44 @@ def set_add(s, test_result, filename, lineno): return 0 +def map_add(s, test_result, filename, lineno): + ''' + Adds a map + ''' + if not table_list: + reason = "Missing table to add rule" + print_error(reason, filename, lineno) + return -1 + + for table in table_list: + s.table = table.name + s.family = table.family + if _map_exist(s, filename, lineno): + reason = "Map %s already exists in %s" % (s.name, table) + print_error(reason, filename, lineno) + return -1 + + flags = s.flags + if flags != "": + flags = "flags %s; " % flags + + cmd = "add map %s %s { %s : %s;%s %s}" % (table, s.name, s.type, s.data, s.timeout, flags) + + ret = execute_cmd(cmd, filename, lineno) + + if (ret == 0 and test_result == "fail") or \ + (ret != 0 and test_result == "ok"): + reason = "%s: I cannot add the set %s" % (cmd, s.name) + print_error(reason, filename, lineno) + return -1 + + if not _map_exist(s, filename, lineno): + reason = "I have just added the set %s to " \ + "the table %s but it does not exist" % (s.name, table) + print_error(reason, filename, lineno) + return -1 + + def set_add_elements(set_element, set_name, state, filename, lineno): ''' Adds elements to the set. @@ -407,7 +450,11 @@ def set_add_elements(set_element, set_name, state, filename, lineno): ret = execute_cmd(cmd, filename, lineno) if (state == "fail" and ret == 0) or (state == "ok" and ret != 0): - test_state = "This rule should have failed." + if state == "fail": + test_state = "This rule should have failed." + else: + test_state = "This rule should not have failed." + reason = cmd + ": " + test_state print_error(reason, filename, lineno) return -1 @@ -486,6 +533,16 @@ def _set_exist(s, filename, lineno): return True if (ret == 0) else False +def _map_exist(s, filename, lineno): + ''' + Check if the map exists. + ''' + cmd = "list map %s %s %s" % (s.family, s.table, s.name) + ret = execute_cmd(cmd, filename, lineno) + + return True if (ret == 0) else False + + def set_check_element(rule1, rule2): ''' Check if element exists in anonymous sets. @@ -752,6 +809,8 @@ def rule_add(rule, filename, lineno, force_all_family_option, filename_path): reason = "Invalid JSON syntax in expected output: %s" % json_expected print_error(reason) return [-1, warning, error, unit_tests] + if json_expected == json_input: + print_warning("Recorded JSON output matches input for: %s" % rule[0]) for table in table_list: if rule[1].strip() == "ok": @@ -805,17 +864,26 @@ def rule_add(rule, filename, lineno, force_all_family_option, filename_path): if state == "ok" and not payload_check(table_payload_expected, payload_log, cmd): error += 1 - gotf = open("%s.got" % payload_path, 'a') + + try: + gotf = open("%s.got" % payload_path) + gotf_payload_expected = payload_find_expected(gotf, rule[0]) + gotf.close() + except: + gotf_payload_expected = None payload_log.seek(0, 0) - gotf.write("# %s\n" % rule[0]) - while True: - line = payload_log.readline() - if line == "": - break - gotf.write(line) - gotf.close() - print_warning("Wrote payload for rule %s" % rule[0], - gotf.name, 1) + if not payload_check(gotf_payload_expected, payload_log, cmd): + gotf = open("%s.got" % payload_path, 'a') + payload_log.seek(0, 0) + gotf.write("# %s\n" % rule[0]) + while True: + line = payload_log.readline() + if line == "": + break + gotf.write(line) + gotf.close() + print_warning("Wrote payload for rule %s" % rule[0], + gotf.name, 1) # Check for matching ruleset listing numeric_proto_old = nftables.set_numeric_proto_output(True) @@ -1078,14 +1146,28 @@ def set_process(set_line, filename, lineno): tokens = set_line[0].split(" ") set_name = tokens[0] - set_type = tokens[2] + parse_typeof = tokens[1] == "typeof" + set_type = tokens[1] + " " + tokens[2] + set_data = "" set_flags = "" i = 3 + if parse_typeof and tokens[i] == "id": + set_type += " " + tokens[i] + i += 1; + while len(tokens) > i and tokens[i] == ".": set_type += " . " + tokens[i+1] i += 2 + while len(tokens) > i and tokens[i] == ":": + set_data = tokens[i+1] + i += 2 + + if parse_typeof and tokens[i] == "mark": + set_data += " " + tokens[i] + i += 1; + if len(tokens) == i+2 and tokens[i] == "timeout": timeout = "timeout " + tokens[i+1] + ";" i += 2 @@ -1095,9 +1177,13 @@ def set_process(set_line, filename, lineno): elif len(tokens) != i: print_error(set_name + " bad flag: " + tokens[i], filename, lineno) - s = Set("", "", set_name, set_type, timeout, set_flags) + s = Set("", "", set_name, set_type, set_data, timeout, set_flags) + + if set_data == "": + ret = set_add(s, test_result, filename, lineno) + else: + ret = map_add(s, test_result, filename, lineno) - ret = set_add(s, test_result, filename, lineno) if ret == 0: all_set[set_name] = set() @@ -1345,6 +1431,33 @@ def run_test_file(filename, force_all_family_option, specific_file): return [tests, passed, total_warning, total_error, total_unit_run] +def spawn_netns(): + # prefer unshare module + try: + import unshare + unshare.unshare(unshare.CLONE_NEWNET) + return True + except: + pass + + # sledgehammer style: + # - call ourselves prefixed by 'unshare -n' if found + # - pass extra --no-netns parameter to avoid another recursion + try: + import shutil + + unshare = shutil.which("unshare") + if unshare is None: + return False + + sys.argv.append("--no-netns") + if debug_option: + print("calling: ", [unshare, "-n", sys.executable] + sys.argv) + os.execv(unshare, [unshare, "-n", sys.executable] + sys.argv) + except: + pass + + return False def main(): parser = argparse.ArgumentParser(description='Run nft tests') @@ -1372,6 +1485,10 @@ def main(): parser.add_argument('-l', '--library', default=None, help='path to libntables.so.1, overrides --host') + parser.add_argument('-N', '--no-netns', action='store_true', + dest='no_netns', + help='Do not run in own network namespace') + parser.add_argument('-s', '--schema', action='store_true', dest='enable_schema', help='verify json input/output against schema') @@ -1396,15 +1513,12 @@ def main(): print("You need to be root to run this, sorry") return + if not args.no_netns and not spawn_netns(): + print_warning("cannot run in own namespace, connectivity might break") + # Change working directory to repository root os.chdir(TESTS_PATH + "/../..") - try: - import unshare - unshare.unshare(unshare.CLONE_NEWNET) - except: - print_warning("cannot run in own namespace, connectivity might break") - check_lib_path = True if args.library is None: if args.host: |