# ct state new,established, related, untracked ip test-ip4 output [ ct load state => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x0000004e ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000000 ] # ct state != related ip test-ip4 output [ ct load state => reg 1 ] [ cmp neq reg 1 0x00000004 ] # ct state {new,established, related, untracked} __set%d test-ip4 3 __set%d test-ip4 0 element 00000008 : 0 [end] element 00000002 : 0 [end] element 00000004 : 0 [end] element 00000040 : 0 [end] ip test-ip4 output [ ct load state => reg 1 ] [ lookup reg 1 set __set%d ] # ct state != {new,established, related, untracked} __set%d test-ip4 3 __set%d test-ip4 0 element 00000008 : 0 [end] element 00000002 : 0 [end] element 00000004 : 0 [end] element 00000040 : 0 [end] ip test-ip4 output [ ct load state => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] # ct state invalid drop ip test-ip4 output [ ct load state => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x00000001 ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000000 ] [ immediate reg 0 drop ] # ct state established accept ip test-ip4 output [ ct load state => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x00000002 ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000000 ] [ immediate reg 0 accept ] # ct state 8 ip test-ip4 output [ ct load state => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x00000008 ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000000 ] # ct direction original ip test-ip4 output [ ct load direction => reg 1 ] [ cmp eq reg 1 0x00000000 ] # ct direction != original ip test-ip4 output [ ct load direction => reg 1 ] [ cmp neq reg 1 0x00000000 ] # ct direction reply ip test-ip4 output [ ct load direction => reg 1 ] [ cmp eq reg 1 0x00000001 ] # ct direction != reply ip test-ip4 output [ ct load direction => reg 1 ] [ cmp neq reg 1 0x00000001 ] # ct direction {reply, original} __set%d test-ip4 3 __set%d test-ip4 0 element 00000001 : 0 [end] element 00000000 : 0 [end] ip test-ip4 output [ ct load direction => reg 1 ] [ lookup reg 1 set __set%d ] # ct direction != {reply, original} __set%d test-ip4 3 __set%d test-ip4 0 element 00000001 : 0 [end] element 00000000 : 0 [end] ip test-ip4 output [ ct load direction => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] # ct status expected ip test-ip4 output [ ct load status => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x00000001 ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000000 ] # ct status != expected ip test-ip4 output [ ct load status => reg 1 ] [ cmp neq reg 1 0x00000001 ] # ct status seen-reply ip test-ip4 output [ ct load status => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x00000002 ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000000 ] # ct status != seen-reply ip test-ip4 output [ ct load status => reg 1 ] [ cmp neq reg 1 0x00000002 ] # ct status {expected, seen-reply, assured, confirmed, dying} __set%d test-ip4 3 __set%d test-ip4 0 element 00000001 : 0 [end] element 00000002 : 0 [end] element 00000004 : 0 [end] element 00000008 : 0 [end] element 00000200 : 0 [end] ip test-ip4 output [ ct load status => reg 1 ] [ lookup reg 1 set __set%d ] # ct status != {expected, seen-reply, assured, confirmed, dying} __set%d test-ip4 3 __set%d test-ip4 0 element 00000001 : 0 [end] element 00000002 : 0 [end] element 00000004 : 0 [end] element 00000008 : 0 [end] element 00000200 : 0 [end] ip test-ip4 output [ ct load status => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] # ct mark 0 ip test-ip4 output [ ct load mark => reg 1 ] [ cmp eq reg 1 0x00000000 ] # ct mark or 0x23 == 0x11 ip test-ip4 output [ ct load mark => reg 1 ] [ bitwise reg 1 = (reg=1 & 0xffffffdc ) ^ 0x00000023 ] [ cmp eq reg 1 0x00000011 ] # ct mark or 0x3 != 0x1 ip test-ip4 output [ ct load mark => reg 1 ] [ bitwise reg 1 = (reg=1 & 0xfffffffc ) ^ 0x00000003 ] [ cmp neq reg 1 0x00000001 ] # ct mark and 0x23 == 0x11 ip test-ip4 output [ ct load mark => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x00000023 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000011 ] # ct mark and 0x3 != 0x1 ip test-ip4 output [ ct load mark => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x00000003 ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000001 ] # ct mark xor 0x23 == 0x11 ip test-ip4 output [ ct load mark => reg 1 ] [ cmp eq reg 1 0x00000032 ] # ct mark xor 0x3 != 0x1 ip test-ip4 output [ ct load mark => reg 1 ] [ cmp neq reg 1 0x00000002 ] # ct mark 0x00000032 ip test-ip4 output [ ct load mark => reg 1 ] [ cmp eq reg 1 0x00000032 ] # ct mark != 0x00000032 ip test-ip4 output [ ct load mark => reg 1 ] [ cmp neq reg 1 0x00000032 ] # ct mark 0x00000032-0x00000045 ip test-ip4 output [ ct load mark => reg 1 ] [ byteorder reg 1 = hton(reg 1, 4, 4) ] [ cmp gte reg 1 0x32000000 ] [ cmp lte reg 1 0x45000000 ] # ct mark != 0x00000032-0x00000045 ip test-ip4 output [ ct load mark => reg 1 ] [ byteorder reg 1 = hton(reg 1, 4, 4) ] [ range neq reg 1 0x32000000 0x45000000 ] # ct mark {0x32, 0x2222, 0x42de3} __set%d test-ip4 3 __set%d test-ip4 0 element 00000032 : 0 [end] element 00002222 : 0 [end] element 00042de3 : 0 [end] ip test-ip4 output [ ct load mark => reg 1 ] [ lookup reg 1 set __set%d ] # ct mark {0x32-0x2222, 0x4444-0x42de3} __set%d test-ip4 7 __set%d test-ip4 0 element 00000000 : 1 [end] element 32000000 : 0 [end] element 23220000 : 1 [end] element 44440000 : 0 [end] element e42d0400 : 1 [end] ip test-ip4 output [ ct load mark => reg 1 ] [ byteorder reg 1 = hton(reg 1, 4, 4) ] [ lookup reg 1 set __set%d ] # ct mark != {0x32, 0x2222, 0x42de3} __set%d test-ip4 3 __set%d test-ip4 0 element 00000032 : 0 [end] element 00002222 : 0 [end] element 00042de3 : 0 [end] ip test-ip4 output [ ct load mark => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] # ct mark set 0x11 xor 0x1331 ip test-ip4 output [ immediate reg 1 0x00001320 ] [ ct set mark with reg 1 ] # ct mark set 0x11333 and 0x11 ip test-ip4 output [ immediate reg 1 0x00000011 ] [ ct set mark with reg 1 ] # ct mark set 0x12 or 0x11 ip test-ip4 output [ immediate reg 1 0x00000013 ] [ ct set mark with reg 1 ] # ct mark set 0x11 ip test-ip4 output [ immediate reg 1 0x00000011 ] [ ct set mark with reg 1 ] # ct expiration 30 ip test-ip4 output [ ct load expiration => reg 1 ] [ cmp eq reg 1 0x00007530 ] # ct expiration 22 ip test-ip4 output [ ct load expiration => reg 1 ] [ cmp eq reg 1 0x000055f0 ] # ct expiration != 233 ip test-ip4 output [ ct load expiration => reg 1 ] [ cmp neq reg 1 0x00038e28 ] # ct expiration 33-45 ip test-ip4 output [ ct load expiration => reg 1 ] [ byteorder reg 1 = hton(reg 1, 4, 4) ] [ cmp gte reg 1 0xe8800000 ] [ cmp lte reg 1 0xc8af0000 ] # ct expiration != 33-45 ip test-ip4 output [ ct load expiration => reg 1 ] [ byteorder reg 1 = hton(reg 1, 4, 4) ] [ range neq reg 1 0xe8800000 0xc8af0000 ] # ct expiration {33, 55, 67, 88} __set%d test-ip4 3 __set%d test-ip4 0 element 000080e8 : 0 [end] element 0000d6d8 : 0 [end] element 000105b8 : 0 [end] element 000157c0 : 0 [end] ip test-ip4 output [ ct load expiration => reg 1 ] [ lookup reg 1 set __set%d ] # ct expiration != {33, 55, 67, 88} __set%d test-ip4 3 __set%d test-ip4 0 element 000080e8 : 0 [end] element 0000d6d8 : 0 [end] element 000105b8 : 0 [end] element 000157c0 : 0 [end] ip test-ip4 output [ ct load expiration => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] # ct expiration {33-55} __set%d test-ip4 7 __set%d test-ip4 0 element 00000000 : 1 [end] element e8800000 : 0 [end] element d9d60000 : 1 [end] ip test-ip4 output [ ct load expiration => reg 1 ] [ byteorder reg 1 = hton(reg 1, 4, 4) ] [ lookup reg 1 set __set%d ] # ct expiration != {33-55} __set%d test-ip4 7 __set%d test-ip4 0 element 00000000 : 1 [end] element e8800000 : 0 [end] element d9d60000 : 1 [end] ip test-ip4 output [ ct load expiration => reg 1 ] [ byteorder reg 1 = hton(reg 1, 4, 4) ] [ lookup reg 1 set __set%d 0x1 ] # ct helper "ftp" ip test-ip4 output [ ct load helper => reg 1 ] [ cmp eq reg 1 0x00707466 0x00000000 0x00000000 0x00000000 ] # ct state . ct mark { new . 0x12345678} __set%d test 3 __set%d test 0 element 00000008 12345678 : 0 [end] ip test-ip4 output [ ct load state => reg 1 ] [ ct load mark => reg 9 ] [ lookup reg 1 set __set%d ] # ct state . ct mark { new . 0x12345678, new . 0x34127856, established . 0x12785634} __set%d test-ip4 3 __set%d test-ip4 0 element 00000008 12345678 : 0 [end] element 00000008 34127856 : 0 [end] element 00000002 12785634 : 0 [end] ip test-ip4 output [ ct load state => reg 1 ] [ ct load mark => reg 9 ] [ lookup reg 1 set __set%d ] # ct direction . ct mark { original . 0x12345678} __set%d test 3 __set%d test 0 element 00000000 12345678 : 0 [end] ip test-ip4 output [ ct load direction => reg 1 ] [ ct load mark => reg 9 ] [ lookup reg 1 set __set%d ] # ct state . ct mark vmap { new . 0x12345678 : drop} __map%d test-ip4 b __map%d test-ip4 0 element 00000008 12345678 : 0 [end] ip test-ip4 output [ ct load state => reg 1 ] [ ct load mark => reg 9 ] [ lookup reg 1 set __map%d dreg 0 ] # ct mark set mark ip test-ip4 output [ meta load mark => reg 1 ] [ ct set mark with reg 1 ] # ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 } __map%d test-ip4 b __map%d test-ip4 0 element 00000001 : 0000000a 0 [end] element 00000002 : 00000014 0 [end] element 00000003 : 0000001e 0 [end] ip test-ip4 output [ meta load mark => reg 1 ] [ lookup reg 1 set __map%d dreg 1 ] [ ct set mark with reg 1 ] # ct original bytes \> 100000 ip test-ip4 output [ ct load bytes => reg 1 , dir original ] [ byteorder reg 1 = hton(reg 1, 8, 8) ] [ cmp gt reg 1 0x00000000 0xa0860100 ] # ct reply packets \< 100 ip test-ip4 output [ ct load packets => reg 1 , dir reply ] [ byteorder reg 1 = hton(reg 1, 8, 8) ] [ cmp lt reg 1 0x00000000 0x64000000 ] # ct bytes \> 100000 ip test-ip4 output [ ct load bytes => reg 1 ] [ byteorder reg 1 = hton(reg 1, 8, 8) ] [ cmp gt reg 1 0x00000000 0xa0860100 ] # ct avgpkt \> 200 ip test-ip4 output [ ct load avgpkt => reg 1 ] [ byteorder reg 1 = hton(reg 1, 8, 8) ] [ cmp gt reg 1 0x00000000 0xc8000000 ] # ct original avgpkt \< 500 ip test-ip4 output [ ct load avgpkt => reg 1 , dir original ] [ byteorder reg 1 = hton(reg 1, 8, 8) ] [ cmp lt reg 1 0x00000000 0xf4010000 ] # ct status expected,seen-reply,assured,confirmed,snat,dnat,dying ip test-ip4 output [ ct load status => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x0000023f ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000000 ] # ct status snat ip test-ip4 output [ ct load status => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x00000010 ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000000 ] # ct status dnat ip test-ip4 output [ ct load status => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x00000020 ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000000 ] # ct event set new ip test-ip4 output [ immediate reg 1 0x00000001 ] [ ct set event with reg 1 ] # ct event set 'new | related | destroy | label' ip test-ip4 output [ immediate reg 1 0x00000407 ] [ ct set event with reg 1 ] # ct event set new,related,destroy,label ip test-ip4 output [ immediate reg 1 0x00000407 ] [ ct set event with reg 1 ] # ct event set new,destroy ip test-ip4 output [ immediate reg 1 0x00000005 ] [ ct set event with reg 1 ] # ct event set 1 ip test-ip4 output [ immediate reg 1 0x00000001 ] [ ct set event with reg 1 ] # ct event set 0x0 ip test-ip4 output [ immediate reg 1 0x00000000 ] [ ct set event with reg 1 ] # ct label 127 ip test-ip4 output [ ct load label => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x00000000 0x00000000 0x00000000 0x80000000 ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ] [ cmp neq reg 1 0x00000000 0x00000000 0x00000000 0x00000000 ] # ct label set 127 ip test-ip4 output [ immediate reg 1 0x00000000 0x00000000 0x00000000 0x80000000 ] [ ct set label with reg 1 ] # ct zone 0 ip test-ip4 output [ ct load zone => reg 1 ] [ cmp eq reg 1 0x00000000 ] # ct zone 23 ip test-ip4 output [ ct load zone => reg 1 ] [ cmp eq reg 1 0x00000017 ] # ct original zone 1 ip test-ip4 output [ ct load zone => reg 1 , dir original ] [ cmp eq reg 1 0x00000001 ] # ct reply zone 1 ip test-ip4 output [ ct load zone => reg 1 , dir reply ] [ cmp eq reg 1 0x00000001 ] # ct zone set 1 ip test-ip4 output [ immediate reg 1 0x00000001 ] [ ct set zone with reg 1 ] # ct original zone set 1 ip test-ip4 output [ immediate reg 1 0x00000001 ] [ ct set zone with reg 1 , dir original ] # ct reply zone set 1 ip test-ip4 output [ immediate reg 1 0x00000001 ] [ ct set zone with reg 1 , dir reply ] # ct zone set mark map { 1 : 1, 2 : 2 } __map%d test-ip4 b __map%d test-ip4 0 element 00000001 : 00000001 0 [end] element 00000002 : 00000002 0 [end] ip test-ip4 output [ meta load mark => reg 1 ] [ lookup reg 1 set __map%d dreg 1 ] [ ct set zone with reg 1 ] # notrack ip test-ip4 output [ notrack ]