# ip dscp cs1 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 1 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000020 ] # ip dscp != cs1 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 1 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000020 ] # ip dscp 0x38 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 1 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] [ cmp eq reg 1 0x000000e0 ] # ip dscp != 0x20 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 1 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000080 ] # ip dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef} __set%d test-inet 3 __set%d test-inet 0 element 00000020 : 0 [end] element 00000040 : 0 [end] element 00000060 : 0 [end] element 00000080 : 0 [end] element 000000a0 : 0 [end] element 000000c0 : 0 [end] element 000000e0 : 0 [end] element 00000000 : 0 [end] element 00000028 : 0 [end] element 00000030 : 0 [end] element 00000038 : 0 [end] element 00000048 : 0 [end] element 00000050 : 0 [end] element 00000058 : 0 [end] element 00000068 : 0 [end] element 00000070 : 0 [end] element 00000078 : 0 [end] element 00000088 : 0 [end] element 00000090 : 0 [end] element 00000098 : 0 [end] element 000000b8 : 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 1 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] [ lookup reg 1 set __set%d ] # ip dscp != {cs0, cs3} __set%d test-inet 3 __set%d test-inet 0 element 00000000 : 0 [end] element 00000060 : 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 1 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] [ lookup reg 1 set __set%d 0x1 ] # ip length 232 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 2 => reg 1 ] [ cmp eq reg 1 0x0000e800 ] # ip length != 233 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 2 => reg 1 ] [ cmp neq reg 1 0x0000e900 ] # ip length 333-435 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 2 => reg 1 ] [ cmp gte reg 1 0x00004d01 ] [ cmp lte reg 1 0x0000b301 ] # ip length != 333-453 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 2 => reg 1 ] [ range neq reg 1 0x00004d01 0x0000c501 ] # ip length { 333, 553, 673, 838} __set%d test-inet 3 __set%d test-inet 0 element 00004d01 : 0 [end] element 00002902 : 0 [end] element 0000a102 : 0 [end] element 00004603 : 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 2 => reg 1 ] [ lookup reg 1 set __set%d ] # ip length != { 333, 553, 673, 838} __set%d test-inet 3 __set%d test-inet 0 element 00004d01 : 0 [end] element 00002902 : 0 [end] element 0000a102 : 0 [end] element 00004603 : 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] # ip length { 333-535} __set%d test-inet 7 __set%d test-inet 0 element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 2 => reg 1 ] [ lookup reg 1 set __set%d ] # ip length != { 333-535} __set%d test-inet 7 __set%d test-inet 0 element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 2 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] # ip id 22 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 4 => reg 1 ] [ cmp eq reg 1 0x00001600 ] # ip id != 233 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 4 => reg 1 ] [ cmp neq reg 1 0x0000e900 ] # ip id 33-45 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 4 => reg 1 ] [ cmp gte reg 1 0x00002100 ] [ cmp lte reg 1 0x00002d00 ] # ip id != 33-45 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 4 => reg 1 ] [ range neq reg 1 0x00002100 0x00002d00 ] # ip id { 33, 55, 67, 88} __set%d test-inet 3 __set%d test-inet 0 element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 4 => reg 1 ] [ lookup reg 1 set __set%d ] # ip id != { 33, 55, 67, 88} __set%d test-inet 3 __set%d test-inet 0 element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] # ip id { 33-55} __set%d test-inet 7 __set%d test-inet 0 element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 4 => reg 1 ] [ lookup reg 1 set __set%d ] # ip id != { 33-55} __set%d test-inet 7 __set%d test-inet 0 element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 4 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] # ip frag-off 222 accept inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 6 => reg 1 ] [ cmp eq reg 1 0x0000de00 ] [ immediate reg 0 accept ] # ip frag-off != 233 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 6 => reg 1 ] [ cmp neq reg 1 0x0000e900 ] # ip frag-off 33-45 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 6 => reg 1 ] [ cmp gte reg 1 0x00002100 ] [ cmp lte reg 1 0x00002d00 ] # ip frag-off != 33-45 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 6 => reg 1 ] [ range neq reg 1 0x00002100 0x00002d00 ] # ip frag-off { 33, 55, 67, 88} __set%d test-inet 3 __set%d test-inet 0 element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 6 => reg 1 ] [ lookup reg 1 set __set%d ] # ip frag-off != { 33, 55, 67, 88} __set%d test-inet 3 __set%d test-inet 0 element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 6 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] # ip frag-off { 33-55} __set%d test-inet 7 __set%d test-inet 0 element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 6 => reg 1 ] [ lookup reg 1 set __set%d ] # ip frag-off != { 33-55} __set%d test-inet 7 __set%d test-inet 0 element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 6 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] # ip ttl 0 drop inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 8 => reg 1 ] [ cmp eq reg 1 0x00000000 ] [ immediate reg 0 drop ] # ip ttl 233 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 8 => reg 1 ] [ cmp eq reg 1 0x000000e9 ] # ip ttl 33-55 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 8 => reg 1 ] [ cmp gte reg 1 0x00000021 ] [ cmp lte reg 1 0x00000037 ] # ip ttl != 45-50 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 8 => reg 1 ] [ range neq reg 1 0x0000002d 0x00000032 ] # ip ttl {43, 53, 45 } __set%d test-inet 3 __set%d test-inet 0 element 0000002b : 0 [end] element 00000035 : 0 [end] element 0000002d : 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 8 => reg 1 ] [ lookup reg 1 set __set%d ] # ip ttl != {43, 53, 45 } __set%d test-inet 3 __set%d test-inet 0 element 0000002b : 0 [end] element 00000035 : 0 [end] element 0000002d : 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 8 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] # ip ttl { 33-55} __set%d test-inet 7 __set%d test-inet 0 element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 8 => reg 1 ] [ lookup reg 1 set __set%d ] # ip ttl != { 33-55} __set%d test-inet 7 __set%d test-inet 0 element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 8 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] # ip protocol tcp inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 9 => reg 1 ] [ cmp eq reg 1 0x00000006 ] # ip protocol != tcp inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 9 => reg 1 ] [ cmp neq reg 1 0x00000006 ] # ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept __set%d test-inet 3 __set%d test-inet 0 element 00000001 : 0 [end] element 00000032 : 0 [end] element 00000033 : 0 [end] element 0000006c : 0 [end] element 00000011 : 0 [end] element 00000088 : 0 [end] element 00000006 : 0 [end] element 00000021 : 0 [end] element 00000084 : 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 9 => reg 1 ] [ lookup reg 1 set __set%d ] [ immediate reg 0 accept ] # ip protocol != { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept __set%d test-inet 3 __set%d test-inet 0 element 00000001 : 0 [end] element 00000032 : 0 [end] element 00000033 : 0 [end] element 0000006c : 0 [end] element 00000011 : 0 [end] element 00000088 : 0 [end] element 00000006 : 0 [end] element 00000021 : 0 [end] element 00000084 : 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 9 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] [ immediate reg 0 accept ] # ip protocol 255 ip test-ip4 input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 9 => reg 1 ] [ cmp eq reg 1 0x000000ff ] # ip checksum 13172 drop inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 10 => reg 1 ] [ cmp eq reg 1 0x00007433 ] [ immediate reg 0 drop ] # ip checksum 22 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 10 => reg 1 ] [ cmp eq reg 1 0x00001600 ] # ip checksum != 233 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 10 => reg 1 ] [ cmp neq reg 1 0x0000e900 ] # ip checksum 33-45 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 10 => reg 1 ] [ cmp gte reg 1 0x00002100 ] [ cmp lte reg 1 0x00002d00 ] # ip checksum != 33-45 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 10 => reg 1 ] [ range neq reg 1 0x00002100 0x00002d00 ] # ip checksum { 33, 55, 67, 88} __set%d test-inet 3 __set%d test-inet 0 element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 10 => reg 1 ] [ lookup reg 1 set __set%d ] # ip checksum != { 33, 55, 67, 88} __set%d test-inet 3 __set%d test-inet 0 element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 10 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] # ip checksum { 33-55} __set%d test-inet 7 __set%d test-inet 0 element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 10 => reg 1 ] [ lookup reg 1 set __set%d ] # ip checksum != { 33-55} __set%d test-inet 7 __set%d test-inet 0 element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 10 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] # ip saddr 192.168.2.0/24 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 12 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ] [ cmp eq reg 1 0x0002a8c0 ] # ip saddr != 192.168.2.0/24 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 12 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ] [ cmp neq reg 1 0x0002a8c0 ] # ip saddr 192.168.3.1 ip daddr 192.168.3.100 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 8b @ network header + 12 => reg 1 ] [ cmp eq reg 1 0x0103a8c0 0x6403a8c0 ] # ip saddr != 1.1.1.1 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 12 => reg 1 ] [ cmp neq reg 1 0x01010101 ] # ip saddr 1.1.1.1 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 12 => reg 1 ] [ cmp eq reg 1 0x01010101 ] # ip daddr 192.168.0.1-192.168.0.250 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 16 => reg 1 ] [ cmp gte reg 1 0x0100a8c0 ] [ cmp lte reg 1 0xfa00a8c0 ] # ip daddr 10.0.0.0-10.255.255.255 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 16 => reg 1 ] [ cmp gte reg 1 0x0000000a ] [ cmp lte reg 1 0xffffff0a ] # ip daddr 172.16.0.0-172.31.255.255 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 16 => reg 1 ] [ cmp gte reg 1 0x000010ac ] [ cmp lte reg 1 0xffff1fac ] # ip daddr 192.168.3.1-192.168.4.250 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 16 => reg 1 ] [ cmp gte reg 1 0x0103a8c0 ] [ cmp lte reg 1 0xfa04a8c0 ] # ip daddr != 192.168.0.1-192.168.0.250 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 16 => reg 1 ] [ range neq reg 1 0x0100a8c0 0xfa00a8c0 ] # ip daddr { 192.168.0.1-192.168.0.250} __set%d test-inet 7 __set%d test-inet 0 element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 16 => reg 1 ] [ lookup reg 1 set __set%d ] # ip daddr != { 192.168.0.1-192.168.0.250} __set%d test-inet 7 __set%d test-inet 0 element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 16 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] # ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept __set%d test-inet 3 __set%d test-inet 0 element 0105a8c0 : 0 [end] element 0205a8c0 : 0 [end] element 0305a8c0 : 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 16 => reg 1 ] [ lookup reg 1 set __set%d ] [ immediate reg 0 accept ] # ip daddr != { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept __set%d test-inet 3 __set%d test-inet 0 element 0105a8c0 : 0 [end] element 0205a8c0 : 0 [end] element 0305a8c0 : 0 [end] inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 16 => reg 1 ] [ lookup reg 1 set __set%d 0x1 ] [ immediate reg 0 accept ] # ip daddr 192.168.1.2-192.168.1.55 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 16 => reg 1 ] [ cmp gte reg 1 0x0201a8c0 ] [ cmp lte reg 1 0x3701a8c0 ] # ip daddr != 192.168.1.2-192.168.1.55 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 16 => reg 1 ] [ range neq reg 1 0x0201a8c0 0x3701a8c0 ] # ip saddr 192.168.1.3-192.168.33.55 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 12 => reg 1 ] [ cmp gte reg 1 0x0301a8c0 ] [ cmp lte reg 1 0x3721a8c0 ] # ip saddr != 192.168.1.3-192.168.33.55 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 12 => reg 1 ] [ range neq reg 1 0x0301a8c0 0x3721a8c0 ] # ip daddr 192.168.0.1 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 16 => reg 1 ] [ cmp eq reg 1 0x0100a8c0 ] # ip daddr 192.168.0.1 drop inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 16 => reg 1 ] [ cmp eq reg 1 0x0100a8c0 ] [ immediate reg 0 drop ] # ip daddr 192.168.0.2 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 16 => reg 1 ] [ cmp eq reg 1 0x0200a8c0 ] # ip saddr \& 0xff == 1 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 12 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0xff000000 ) ^ 0x00000000 ] [ cmp eq reg 1 0x01000000 ] # ip saddr \& 0.0.0.255 \< 0.0.0.127 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 12 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0xff000000 ) ^ 0x00000000 ] [ cmp lt reg 1 0x7f000000 ] # ip saddr \& 0xffff0000 == 0xffff0000 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 12 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x0000ffff ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000ffff ] # ip saddr . ip daddr . ip protocol { 1.1.1.1 . 2.2.2.2 . tcp, 1.1.1.1 . 3.3.3.3 . udp} __set%d test-ip 3 __set%d test-ip 0 element 01010101 02020202 00000006 : 0 [end] element 01010101 03030303 00000011 : 0 [end] inet test-ip input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 12 => reg 1 ] [ payload load 4b @ network header + 16 => reg 9 ] [ payload load 1b @ network header + 9 => reg 10 ] [ lookup reg 1 set __set%d ] # ip version 4 ip hdrlength 5 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 0 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x000000f0 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000040 ] [ payload load 1b @ network header + 0 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000005 ] # ip hdrlength 0 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 0 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000000 ] # ip hdrlength 15 inet test-inet input [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 1b @ network header + 0 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ] [ cmp eq reg 1 0x0000000f ] # iif "lo" ip daddr set 127.0.0.1 inet test-inet input [ meta load iif => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ immediate reg 1 0x0100007f ] [ payload write reg 1 => 4b @ network header + 16 csum_type 1 csum_off 10 csum_flags 0x1 ] # iif "lo" ip checksum set 0 inet test-inet input [ meta load iif => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ immediate reg 1 0x00000000 ] [ payload write reg 1 => 2b @ network header + 10 csum_type 1 csum_off 10 csum_flags 0x0 ] # iif "lo" ip id set 0 inet test-inet input [ meta load iif => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ immediate reg 1 0x00000000 ] [ payload write reg 1 => 2b @ network header + 4 csum_type 1 csum_off 10 csum_flags 0x0 ] # iif "lo" ip ecn set 1 inet test-inet input [ meta load iif => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 0 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x0000fcff ) ^ 0x00000100 ] [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] # iif "lo" ip ecn set ce inet test-netdev ingress [ meta load iif => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 0 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x0000fcff ) ^ 0x00000300 ] [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] # iif "lo" ip dscp set af23 inet test-inet input [ meta load iif => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 0 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x000003ff ) ^ 0x00005800 ] [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] # iif "lo" ip dscp set cs0 inet test-inet input [ meta load iif => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 2b @ network header + 0 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x000003ff ) ^ 0x00000000 ] [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ]