diff options
Diffstat (limited to 'tests')
-rw-r--r-- | tests/py/bridge/reject.t | 2 | ||||
-rw-r--r-- | tests/py/bridge/reject.t.json | 72 | ||||
-rw-r--r-- | tests/py/inet/sets.t.json | 74 | ||||
-rw-r--r-- | tests/py/ip/icmp.t.json | 4 | ||||
-rw-r--r-- | tests/py/ip/icmp.t.json.output | 2 |
5 files changed, 150 insertions, 4 deletions
diff --git a/tests/py/bridge/reject.t b/tests/py/bridge/reject.t index f5ed2038..ee33af77 100644 --- a/tests/py/bridge/reject.t +++ b/tests/py/bridge/reject.t @@ -32,7 +32,7 @@ ether type ip6 reject with icmp type host-unreachable;fail ether type ip reject with icmpv6 type no-route;fail ether type vlan reject;ok ether type arp reject;fail -ether type vlan reject with tcp reset;ok +ether type vlan reject with tcp reset;ok;meta l4proto 6 ether type vlan reject with tcp reset ether type arp reject with tcp reset;fail ip protocol udp reject with tcp reset;fail diff --git a/tests/py/bridge/reject.t.json b/tests/py/bridge/reject.t.json index d20a1d8b..aea871f7 100644 --- a/tests/py/bridge/reject.t.json +++ b/tests/py/bridge/reject.t.json @@ -267,3 +267,75 @@ } ] +# ether type vlan reject with tcp reset +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 6 + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "ether" + } + }, + "op": "==", + "right": "vlan" + } + }, + { + "reject": { + "type": "tcp reset" + } + } +] + +# ether type vlan reject +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "ether" + } + }, + "op": "==", + "right": "vlan" + } + }, + { + "reject": null + } +] + +# ether type vlan reject with icmpx type admin-prohibited +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "ether" + } + }, + "op": "==", + "right": "vlan" + } + }, + { + "reject": { + "expr": "admin-prohibited", + "type": "icmpx" + } + } +] diff --git a/tests/py/inet/sets.t.json b/tests/py/inet/sets.t.json index 58e19ef6..ef0cedca 100644 --- a/tests/py/inet/sets.t.json +++ b/tests/py/inet/sets.t.json @@ -71,3 +71,77 @@ } ] +# ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept +[ + { + "match": { + "left": { + "meta": { + "key": "nfproto" + } + }, + "op": "==", + "right": "ipv4" + } + }, + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "dport", + "protocol": "tcp" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + { + "prefix": { + "addr": "10.0.0.0", + "len": 8 + } + }, + { + "range": [ + 10, + 23 + ] + } + ] + }, + { + "concat": [ + { + "range": [ + "192.168.1.1", + "192.168.3.8" + ] + }, + { + "range": [ + 80, + 443 + ] + } + ] + } + ] + } + } + }, + { + "accept": null + } +] diff --git a/tests/py/ip/icmp.t.json b/tests/py/ip/icmp.t.json index 4e172745..965eb10b 100644 --- a/tests/py/ip/icmp.t.json +++ b/tests/py/ip/icmp.t.json @@ -480,7 +480,7 @@ } ] -# icmp code != { prot-unreachable, 4, 33, 54, 56} +# icmp code != { prot-unreachable, frag-needed, 33, 54, 56} [ { "match": { @@ -494,7 +494,7 @@ "right": { "set": [ "prot-unreachable", - 4, + "frag-needed", 33, 54, 56 diff --git a/tests/py/ip/icmp.t.json.output b/tests/py/ip/icmp.t.json.output index e8045bb8..2391983a 100644 --- a/tests/py/ip/icmp.t.json.output +++ b/tests/py/ip/icmp.t.json.output @@ -49,7 +49,7 @@ "right": { "set": [ "prot-unreachable", - 4, + "frag-needed", 33, 54, 56 |