ct expiration != 33-45;ok;ct expiration != 33s-45s
ct expiration {33, 55, 67, 88};ok;ct expiration { 1m7s, 33s, 55s, 1m28s}
ct expiration != {33, 55, 67, 88};ok;ct expiration != { 1m7s, 33s, 55s, 1m28s}
+ct expiration {33-55};ok;ct expiration { 33s-55s}
+ct expiration != {33-55};ok;ct expiration != { 33s-55s}
ct helper "ftp";ok
ct helper "12345678901234567";fail
}
]
+# ct expiration {33-55}
+[
+ {
+ "match": {
+ "left": {
+ "ct": {
+ "key": "expiration"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ {
+ "range": [ 33, 55 ]
+ }
+ ]
+ }
+ }
+ }
+]
+
+# ct expiration != {33-55}
+[
+ {
+ "match": {
+ "left": {
+ "ct": {
+ "key": "expiration"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ {
+ "range": [ 33, 55 ]
+ }
+ ]
+ }
+ }
+ }
+]
+
# ct helper "ftp"
[
{
[ ct load expiration => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# ct expiration {33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+ element 00000000 : 1 [end] element e8800000 : 0 [end] element d9d60000 : 1 [end]
+ip test-ip4 output
+ [ ct load expiration => reg 1 ]
+ [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+ [ lookup reg 1 set __set%d ]
+
+# ct expiration != {33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+ element 00000000 : 1 [end] element e8800000 : 0 [end] element d9d60000 : 1 [end]
+ip test-ip4 output
+ [ ct load expiration => reg 1 ]
+ [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# ct helper "ftp"
ip test-ip4 output
[ ct load helper => reg 1 ]
meta length { 33-55, 67-88};ok
meta length { 33-55, 56-88, 100-120};ok;meta length { 33-88, 100-120}
meta length != { 33, 55, 67, 88};ok
+meta length { 33-55};ok
+meta length != { 33-55};ok
meta protocol { ip, arp, ip6, vlan };ok;meta protocol { ip6, ip, vlan, arp}
meta protocol != {ip, arp, ip6, vlan};ok
meta l4proto != 33-45;ok
meta l4proto { 33, 55, 67, 88};ok;meta l4proto { 33, 55, 67, 88}
meta l4proto != { 33, 55, 67, 88};ok
+meta l4proto { 33-55};ok
meta l4proto != { 33-55};ok
meta priority root;ok
meta oif "lo" accept;ok;oif "lo" accept
meta oif != "lo" accept;ok;oif != "lo" accept
meta oif {"lo"} accept;ok;oif {"lo"} accept
+meta oif != {"lo"} accept;ok;oif != {"lo"} accept
meta oifname "dummy0";ok;oifname "dummy0"
meta oifname != "dummy0";ok;oifname != "dummy0"
meta skuid eq 3000 accept;ok;meta skuid 3000 accept
meta skuid 3001-3005 accept;ok;meta skuid 3001-3005 accept
meta skuid != 2001-2005 accept;ok;meta skuid != 2001-2005 accept
+meta skuid { 2001-2005} accept;ok;meta skuid { 2001-2005} accept
+meta skuid != { 2001-2005} accept;ok;meta skuid != { 2001-2005} accept
meta skgid {"bin", "root", "daemon"} accept;ok;meta skgid { 0, 1, 2} accept
meta skgid != {"bin", "root", "daemon"} accept;ok;meta skgid != { 1, 0, 2} accept
meta skgid eq 3000 accept;ok;meta skgid 3000 accept
meta skgid 2001-2005 accept;ok;meta skgid 2001-2005 accept
meta skgid != 2001-2005 accept;ok;meta skgid != 2001-2005 accept
+meta skgid { 2001-2005} accept;ok;meta skgid { 2001-2005} accept
+meta skgid != { 2001-2005} accept;ok;meta skgid != { 2001-2005} accept
# BUG: meta nftrace 2 and meta nftrace 1
# $ sudo nft add rule ip test input meta nftrace 2
meta iifgroup != 0;ok;iifgroup != "default"
meta iifgroup "default";ok;iifgroup "default"
meta iifgroup != "default";ok;iifgroup != "default"
+meta iifgroup {"default"};ok;iifgroup {"default"}
+meta iifgroup != {"default"};ok;iifgroup != {"default"}
meta iifgroup { 11,33};ok;iifgroup { 11,33}
meta iifgroup {11-33};ok;iifgroup {11-33}
meta iifgroup != { 11,33};ok;iifgroup != { 11,33}
meta oifgroup != 0;ok;oifgroup != "default"
meta oifgroup "default";ok;oifgroup "default"
meta oifgroup != "default";ok;oifgroup != "default"
+meta oifgroup {"default"};ok;oifgroup {"default"}
+meta oifgroup != {"default"};ok;oifgroup != {"default"}
meta oifgroup { 11,33};ok;oifgroup { 11,33}
+meta oifgroup {11-33};ok;oifgroup {11-33}
+meta oifgroup != { 11,33};ok;oifgroup != { 11,33}
+meta oifgroup != {11-33};ok;oifgroup != {11-33}
meta cgroup 1048577;ok;meta cgroup 1048577
meta cgroup != 1048577;ok;meta cgroup != 1048577
meta cgroup != { 1048577, 1048578};ok;meta cgroup != { 1048577, 1048578}
meta cgroup 1048577-1048578;ok;meta cgroup 1048577-1048578
meta cgroup != 1048577-1048578;ok;meta cgroup != 1048577-1048578
+meta cgroup {1048577-1048578};ok;meta cgroup { 1048577-1048578}
+meta cgroup != { 1048577-1048578};ok;meta cgroup != { 1048577-1048578}
meta iif . meta oif { "lo" . "lo" };ok;iif . oif { "lo" . "lo" }
meta iif . meta oif . meta mark { "lo" . "lo" . 0x0000000a };ok;iif . oif . meta mark { "lo" . "lo" . 0x0000000a }
}
]
+# meta length { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "length" }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# meta length != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "length" }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# meta protocol { ip, arp, ip6, vlan }
[
{
}
]
+# meta l4proto { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "l4proto" }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# meta l4proto != { 33-55}
[
{
}
]
+# meta oif != {"lo"} accept
+[
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "oif" }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ "lo"
+ ]
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
# meta oifname "dummy0"
[
{
}
]
+# meta skuid { 2001-2005} accept
+[
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "skuid" }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 2001, 2005 ] }
+ ]
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# meta skuid != { 2001-2005} accept
+[
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "skuid" }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 2001, 2005 ] }
+ ]
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
# meta skgid {"bin", "root", "daemon"} accept
[
{
}
]
+# meta skgid { 2001-2005} accept
+[
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "skgid" }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 2001, 2005 ] }
+ ]
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# meta skgid != { 2001-2005} accept
+[
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "skgid" }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 2001, 2005 ] }
+ ]
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
# meta mark set 0xffffffc8 xor 0x16
[
{
}
]
+# meta oifgroup {11-33}
+[
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "oifgroup" }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 11, 33 ] }
+ ]
+ }
+ }
+ }
+]
+
# meta oifgroup != { 11,33}
[
{
[ meta load len => reg 1 ]
[ lookup reg 1 set __set%d ]
+# meta length { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+ element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end]
+ip test-ip4 input
+ [ meta load len => reg 1 ]
+ [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+ [ lookup reg 1 set __set%d ]
+
# meta length { 33-55, 67-88}
__set%d test-ip4 7
__set%d test-ip4 0
[ meta load len => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# meta length != { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+ element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end]
+ip test-ip4 input
+ [ meta load len => reg 1 ]
+ [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# meta protocol { ip, arp, ip6, vlan }
__set%d test-ip4 3
__set%d test-ip4 0
[ meta load l4proto => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# meta l4proto { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ byteorder reg 1 = hton(reg 1, 2, 1) ]
+ [ lookup reg 1 set __set%d ]
+
# meta l4proto != { 33-55}
__set%d test-ip4 7
__set%d test-ip4 0
[ lookup reg 1 set __set%d ]
[ immediate reg 0 accept ]
+# meta oif != {"lo"} accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+ element 00000001 : 0 [end]
+ip test-ip4 input
+ [ meta load oif => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+ [ immediate reg 0 accept ]
+
# meta oifname "dummy0"
ip test-ip4 input
[ meta load oifname => reg 1 ]
[ range neq reg 1 0xd1070000 0xd5070000 ]
[ immediate reg 0 accept ]
+# meta skuid { 2001-2005} accept
+__set%d test-ip4 7
+__set%d test-ip4 0
+ element 00000000 : 1 [end] element d1070000 : 0 [end] element d6070000 : 1 [end]
+ip test-ip4 input
+ [ meta load skuid => reg 1 ]
+ [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+ [ lookup reg 1 set __set%d ]
+ [ immediate reg 0 accept ]
+
+# meta skuid != { 2001-2005} accept
+__set%d test-ip4 7
+__set%d test-ip4 0
+ element 00000000 : 1 [end] element d1070000 : 0 [end] element d6070000 : 1 [end]
+ip test-ip4 input
+ [ meta load skuid => reg 1 ]
+ [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+ [ lookup reg 1 set __set%d 0x1 ]
+ [ immediate reg 0 accept ]
+
# meta skgid {"bin", "root", "daemon"} accept
__set%d test-ip4 3
__set%d test-ip4 0
[ range neq reg 1 0xd1070000 0xd5070000 ]
[ immediate reg 0 accept ]
+# meta skgid { 2001-2005} accept
+__set%d test-ip4 7
+__set%d test-ip4 0
+ element 00000000 : 1 [end] element d1070000 : 0 [end] element d6070000 : 1 [end]
+ip test-ip4 input
+ [ meta load skgid => reg 1 ]
+ [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+ [ lookup reg 1 set __set%d ]
+ [ immediate reg 0 accept ]
+
+# meta skgid != { 2001-2005} accept
+__set%d test-ip4 7
+__set%d test-ip4 0
+ element 00000000 : 1 [end] element d1070000 : 0 [end] element d6070000 : 1 [end]
+ip test-ip4 input
+ [ meta load skgid => reg 1 ]
+ [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+ [ lookup reg 1 set __set%d 0x1 ]
+ [ immediate reg 0 accept ]
+
# meta mark set 0xffffffc8 xor 0x16
ip test-ip4 input
[ immediate reg 1 0xffffffde ]
[ meta load iifgroup => reg 1 ]
[ lookup reg 1 set __set%d ]
+# meta iifgroup != {"default"}
+__set%d test-ip4 3
+__set%d test-ip4 0
+ element 00000000 : 0 [end]
+ip test-ip4 input
+ [ meta load iifgroup => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# meta iifgroup { 11,33}
__set%d test-ip4 3
__set%d test-ip4 0
[ meta load oifgroup => reg 1 ]
[ cmp neq reg 1 0x00000000 ]
+# meta oifgroup {"default"}
+__set%d test-ip4 3
+__set%d test-ip4 0
+ element 00000000 : 0 [end]
+ip test-ip4 input
+ [ meta load oifgroup => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
# meta oifgroup != {"default"}
__set%d test-ip4 3
__set%d test-ip4 0
[ byteorder reg 1 = hton(reg 1, 4, 4) ]
[ lookup reg 1 set __set%d ]
+# meta oifgroup != { 11,33}
+__set%d test-ip4 3
+__set%d test-ip4 0
+ element 0000000b : 0 [end] element 00000021 : 0 [end]
+ip test-ip4 input
+ [ meta load oifgroup => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
+# meta oifgroup != {11-33}
+__set%d test-ip4 7
+__set%d test-ip4 0
+ element 00000000 : 1 [end] element 0b000000 : 0 [end] element 22000000 : 1 [end]
+ip test-ip4 input
+ [ meta load oifgroup => reg 1 ]
+ [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# meta cgroup 1048577
ip test-ip4 input
[ meta load cgroup => reg 1 ]
arp htype != 33-45;ok
arp htype { 33, 55, 67, 88};ok
arp htype != { 33, 55, 67, 88};ok
+arp htype { 33-55};ok
+arp htype != { 33-55};ok
arp ptype 0x0800;ok;arp ptype ip
arp hlen != 33-45;ok
arp hlen { 33, 55, 67, 88};ok
arp hlen != { 33, 55, 67, 88};ok
+arp hlen { 33-55};ok
+arp hlen != { 33-55};ok
arp plen 22;ok
arp plen != 233;ok
arp plen != 33-45;ok
arp plen { 33, 55, 67, 88};ok
arp plen != { 33, 55, 67, 88};ok
+arp plen { 33-55};ok
+arp plen != {33-55};ok
arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request};ok
arp operation != {nak, inreply, inrequest, rreply, rrequest, reply, request};ok
}
]
+# arp htype { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "htype",
+ "protocol": "arp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# arp htype != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "htype",
+ "protocol": "arp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# arp ptype 0x0800
[
{
}
]
+# arp hlen { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "hlen",
+ "protocol": "arp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# arp hlen != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "hlen",
+ "protocol": "arp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# arp plen 22
[
{
}
]
+# arp plen { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "plen",
+ "protocol": "arp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# arp plen != {33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "plen",
+ "protocol": "arp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request}
[
{
[ payload load 2b @ network header + 0 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# arp htype { 33-55}
+__set%d test-arp 7
+__set%d test-arp 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+arp test-arp input
+ [ payload load 2b @ network header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# arp htype != { 33-55}
+__set%d test-arp 7
+__set%d test-arp 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+arp test-arp input
+ [ payload load 2b @ network header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# arp ptype 0x0800
arp test-arp input
[ payload load 2b @ network header + 2 => reg 1 ]
[ payload load 1b @ network header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# arp hlen { 33-55}
+__set%d test-arp 7
+__set%d test-arp 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+arp test-arp input
+ [ payload load 1b @ network header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# arp hlen != { 33-55}
+__set%d test-arp 7
+__set%d test-arp 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+arp test-arp input
+ [ payload load 1b @ network header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# arp plen 22
arp test-arp input
[ payload load 1b @ network header + 5 => reg 1 ]
[ payload load 1b @ network header + 5 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# arp plen { 33-55}
+__set%d test-arp 7
+__set%d test-arp 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+arp test-arp input
+ [ payload load 1b @ network header + 5 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# arp plen != {33-55}
+__set%d test-arp 7
+__set%d test-arp 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+arp test-arp input
+ [ payload load 1b @ network header + 5 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request}
__set%d test-arp 3
__set%d test-arp 0
ah hdrlength 11-23;ok
ah hdrlength != 11-23;ok
+ah hdrlength { 11-23};ok
+ah hdrlength != { 11-23};ok
ah hdrlength {11, 23, 44 };ok
ah hdrlength != {11, 23, 44 };ok
ah reserved != 33-45;ok
ah reserved {23, 100};ok
ah reserved != {23, 100};ok
+ah reserved { 33-55};ok
+ah reserved != { 33-55};ok
ah spi 111;ok
ah spi != 111;ok
ah spi != 111-222;ok
ah spi {111, 122};ok
ah spi != {111, 122};ok
+ah spi { 111-122};ok
+ah spi != { 111-122};ok
# sequence
ah sequence 123;ok
ah sequence != 123;ok
ah sequence {23, 25, 33};ok
ah sequence != {23, 25, 33};ok
+ah sequence { 23-33};ok
+ah sequence != { 23-33};ok
ah sequence 23-33;ok
ah sequence != 23-33;ok
}
]
+# ah hdrlength { 11-23}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "hdrlength",
+ "protocol": "ah"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 11, 23 ] }
+ ]
+ }
+ }
+ }
+]
+
+# ah hdrlength != { 11-23}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "hdrlength",
+ "protocol": "ah"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 11, 23 ] }
+ ]
+ }
+ }
+ }
+]
+
# ah hdrlength {11, 23, 44 }
[
{
}
]
+# ah reserved { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "reserved",
+ "protocol": "ah"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# ah reserved != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "reserved",
+ "protocol": "ah"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# ah spi 111
[
{
}
]
+# ah spi { 111-122}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "spi",
+ "protocol": "ah"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 111, 122 ] }
+ ]
+ }
+ }
+ }
+]
+
+# ah spi != { 111-122}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "spi",
+ "protocol": "ah"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 111, 122 ] }
+ ]
+ }
+ }
+ }
+]
+
# ah sequence 123
[
{
}
]
+# ah sequence { 23-33}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sequence",
+ "protocol": "ah"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 23, 33 ] }
+ ]
+ }
+ }
+ }
+]
+
+# ah sequence != { 23-33}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sequence",
+ "protocol": "ah"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 23, 33 ] }
+ ]
+ }
+ }
+ }
+]
+
# ah sequence 23-33
[
{
[ payload load 1b @ transport header + 1 => reg 1 ]
[ range neq reg 1 0x0000000b 0x00000017 ]
+# ah hdrlength { 11-23}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 0000000b : 0 [end] element 00000018 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000033 ]
+ [ payload load 1b @ transport header + 1 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# ah hdrlength != { 11-23}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 0000000b : 0 [end] element 00000018 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000033 ]
+ [ payload load 1b @ transport header + 1 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# ah hdrlength {11, 23, 44 }
__set%d test-inet 3
__set%d test-inet 0
[ payload load 2b @ transport header + 2 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# ah reserved { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000033 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# ah reserved != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000033 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# ah spi 111
inet test-inet input
[ meta load l4proto => reg 1 ]
[ payload load 4b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# ah spi { 111-122}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 6f000000 : 0 [end] element 7b000000 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000033 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# ah spi != { 111-122}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 6f000000 : 0 [end] element 7b000000 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000033 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# ah sequence 123
inet test-inet input
[ meta load l4proto => reg 1 ]
[ payload load 4b @ transport header + 8 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# ah sequence { 23-33}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 17000000 : 0 [end] element 22000000 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000033 ]
+ [ payload load 4b @ transport header + 8 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# ah sequence != { 23-33}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 17000000 : 0 [end] element 22000000 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000033 ]
+ [ payload load 4b @ transport header + 8 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# ah sequence 23-33
inet test-inet input
[ meta load l4proto => reg 1 ]
comp flags != 0x33-0x45;ok
comp flags {0x33, 0x55, 0x67, 0x88};ok
comp flags != {0x33, 0x55, 0x67, 0x88};ok
+comp flags { 0x33-0x55};ok
+comp flags != { 0x33-0x55};ok
comp cpi 22;ok
comp cpi != 233;ok
comp cpi != 33-45;ok
comp cpi {33, 55, 67, 88};ok
comp cpi != {33, 55, 67, 88};ok
+comp cpi { 33-55};ok
+comp cpi != { 33-55};ok
}
]
+# comp flags { 0x33-0x55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "flags",
+ "protocol": "comp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ "0x33", "0x55" ] }
+ ]
+ }
+ }
+ }
+]
+
+# comp flags != { 0x33-0x55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "flags",
+ "protocol": "comp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ "0x33", "0x55" ] }
+ ]
+ }
+ }
+ }
+]
+
# comp cpi 22
[
{
}
}
]
+
+# comp cpi { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "cpi",
+ "protocol": "comp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# comp cpi != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "cpi",
+ "protocol": "comp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
[ payload load 1b @ transport header + 1 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# comp flags { 0x33-0x55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00000033 : 0 [end] element 00000056 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000006c ]
+ [ payload load 1b @ transport header + 1 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# comp flags != { 0x33-0x55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00000033 : 0 [end] element 00000056 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000006c ]
+ [ payload load 1b @ transport header + 1 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# comp cpi 22
inet test-inet input
[ meta load l4proto => reg 1 ]
[ payload load 2b @ transport header + 2 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# comp cpi { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000006c ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# comp cpi != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000006c ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
dccp sport {23, 24, 25};ok
dccp sport != {23, 24, 25};ok
+dccp sport { 20-50 };ok
dccp sport ftp-data - re-mail-ck;ok;dccp sport 20-50
dccp sport 20-50;ok
+dccp sport { 20-50};ok
+dccp sport != { 20-50};ok
# dccp dport 21-35;ok
# dccp dport != 21-35;ok
dccp dport {23, 24, 25};ok
dccp dport != {23, 24, 25};ok
+dccp dport { 20-50};ok
+dccp dport != { 20-50};ok
dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack};ok
dccp type != {request, response, data, ack, dataack, closereq, close, reset, sync, syncack};ok
}
]
+# dccp sport { 20-50 }
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "dccp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 20, 50 ] }
+ ]
+ }
+ }
+ }
+]
+
# dccp sport ftp-data - re-mail-ck
[
{
}
]
+# dccp sport { 20-50}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "dccp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 20, 50 ] }
+ ]
+ }
+ }
+ }
+]
+
+# dccp sport != { 20-50}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "dccp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 20, 50 ] }
+ ]
+ }
+ }
+ }
+]
+
# dccp dport {23, 24, 25}
[
{
}
]
+# dccp dport { 20-50}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "dccp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 20, 50 ] }
+ ]
+ }
+ }
+ }
+]
+
+# dccp dport != { 20-50}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "dccp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 20, 50 ] }
+ ]
+ }
+ }
+ }
+]
+
# dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}
[
{
[ payload load 2b @ transport header + 0 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# dccp sport { 20-50 }
+__set%d test-ip4 7
+__set%d test-ip4 0
+ element 00000000 : 1 [end] element 00001400 : 0 [end] element 00003300 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000021 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
# dccp sport ftp-data - re-mail-ck
inet test-inet input
[ meta load l4proto => reg 1 ]
[ cmp gte reg 1 0x00001400 ]
[ cmp lte reg 1 0x00003200 ]
+# dccp sport { 20-50}
+__set%d test-ip4 7
+__set%d test-ip4 0
+ element 00000000 : 1 [end] element 00001400 : 0 [end] element 00003300 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000021 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# dccp sport != { 20-50}
+__set%d test-ip4 7
+__set%d test-ip4 0
+ element 00000000 : 1 [end] element 00001400 : 0 [end] element 00003300 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000021 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# dccp dport {23, 24, 25}
__set%d test-ip4 3
__set%d test-ip4 0
[ payload load 2b @ transport header + 2 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# dccp dport { 20-50}
+__set%d test-ip4 7
+__set%d test-ip4 0
+ element 00000000 : 1 [end] element 00001400 : 0 [end] element 00003300 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000021 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# dccp dport != { 20-50}
+__set%d test-ip4 7
+__set%d test-ip4 0
+ element 00000000 : 1 [end] element 00001400 : 0 [end] element 00003300 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000021 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}
__set%d test-inet 3
__set%d test-inet 0
esp spi != 111-222;ok
esp spi { 100, 102};ok
esp spi != { 100, 102};ok
+esp spi { 100-102};ok
+- esp spi {100-102};ok
esp sequence 22;ok
esp sequence 22-24;ok
esp sequence != 22-24;ok
esp sequence { 22, 24};ok
esp sequence != { 22, 24};ok
+esp sequence { 22-25};ok
+esp sequence != { 22-25};ok
}
]
+# esp spi { 100-102}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "spi",
+ "protocol": "esp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 100, 102 ] }
+ ]
+ }
+ }
+ }
+]
+
# esp sequence 22
[
{
}
}
]
+
+# esp sequence { 22-25}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sequence",
+ "protocol": "esp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 22, 25 ] }
+ ]
+ }
+ }
+ }
+]
+
+# esp sequence != { 22-25}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sequence",
+ "protocol": "esp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 22, 25 ] }
+ ]
+ }
+ }
+ }
+]
+
[ payload load 4b @ transport header + 0 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# esp spi { 100-102}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 64000000 : 0 [end] element 67000000 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000032 ]
+ [ payload load 4b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# esp spi != { 100-102}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 64000000 : 0 [end] element 67000000 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000032 ]
+ [ payload load 4b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# esp sequence 22
inet test-inet input
[ meta load l4proto => reg 1 ]
[ payload load 4b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# esp sequence { 22-25}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 16000000 : 0 [end] element 1a000000 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000032 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# esp sequence != { 22-25}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 16000000 : 0 [end] element 1a000000 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000032 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
sctp sport != 23-44;ok
sctp sport { 23, 24, 25};ok
sctp sport != { 23, 24, 25};ok
+sctp sport { 23-44};ok
+sctp sport != { 23-44};ok
sctp dport 23;ok
sctp dport != 23;ok
sctp dport != 23-44;ok
sctp dport { 23, 24, 25};ok
sctp dport != { 23, 24, 25};ok
+sctp dport { 23-44};ok
+sctp dport != { 23-44};ok
sctp checksum 1111;ok
sctp checksum != 11;ok
sctp checksum != 32-111;ok
sctp checksum { 22, 33, 44};ok
sctp checksum != { 22, 33, 44};ok
+sctp checksum { 22-44};ok
+sctp checksum != { 22-44};ok
sctp vtag 22;ok
sctp vtag != 233;ok
sctp vtag != 33-45;ok
sctp vtag {33, 55, 67, 88};ok
sctp vtag != {33, 55, 67, 88};ok
+sctp vtag { 33-55};ok
+sctp vtag != { 33-55};ok
}
]
+# sctp sport { 23-44}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "sctp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 23, 44 ] }
+ ]
+ }
+ }
+ }
+]
+
+# sctp sport != { 23-44}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "sctp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 23, 44 ] }
+ ]
+ }
+ }
+ }
+]
+
# sctp dport 23
[
{
}
]
+# sctp dport { 23-44}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "sctp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 23, 44 ] }
+ ]
+ }
+ }
+ }
+]
+
+# sctp dport != { 23-44}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "sctp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 23, 44 ] }
+ ]
+ }
+ }
+ }
+]
+
# sctp checksum 1111
[
{
}
]
+# sctp checksum { 22-44}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "sctp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 22, 44 ] }
+ ]
+ }
+ }
+ }
+]
+
+# sctp checksum != { 22-44}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "sctp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 22, 44 ] }
+ ]
+ }
+ }
+ }
+]
+
# sctp vtag 22
[
{
}
}
]
+
+# sctp vtag { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "vtag",
+ "protocol": "sctp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# sctp vtag != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "vtag",
+ "protocol": "sctp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
[ payload load 2b @ transport header + 0 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# sctp sport { 23-44}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00001700 : 0 [end] element 00002d00 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# sctp sport != { 23-44}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00001700 : 0 [end] element 00002d00 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# sctp dport 23
inet test-inet input
[ meta load l4proto => reg 1 ]
[ payload load 2b @ transport header + 2 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# sctp dport { 23-44}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00001700 : 0 [end] element 00002d00 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# sctp dport != { 23-44}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00001700 : 0 [end] element 00002d00 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# sctp checksum 1111
inet test-inet input
[ meta load l4proto => reg 1 ]
[ payload load 4b @ transport header + 8 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# sctp checksum { 22-44}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 16000000 : 0 [end] element 2d000000 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 4b @ transport header + 8 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# sctp checksum != { 22-44}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 16000000 : 0 [end] element 2d000000 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 4b @ transport header + 8 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# sctp vtag 22
inet test-inet input
[ meta load l4proto => reg 1 ]
[ payload load 4b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# sctp vtag { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# sctp vtag != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
tcp dport != 33-45;ok
tcp dport { 33, 55, 67, 88};ok
tcp dport != { 33, 55, 67, 88};ok
+tcp dport { 33-55};ok
+tcp dport != { 33-55};ok
tcp dport {telnet, http, https} accept;ok;tcp dport { 443, 23, 80} accept
tcp dport vmap { 22 : accept, 23 : drop };ok
tcp dport vmap { 25:accept, 28:drop };ok
tcp sport != 33-45;ok
tcp sport { 33, 55, 67, 88};ok
tcp sport != { 33, 55, 67, 88};ok
+tcp sport { 33-55};ok
+tcp sport != { 33-55};ok
tcp sport vmap { 25:accept, 28:drop };ok
tcp sport 8080 drop;ok
tcp sequence != 33-45;ok
tcp sequence { 33, 55, 67, 88};ok
tcp sequence != { 33, 55, 67, 88};ok
+tcp sequence { 33-55};ok
+tcp sequence != { 33-55};ok
tcp ackseq 42949672 drop;ok
tcp ackseq 22;ok
tcp ackseq != 33-45;ok
tcp ackseq { 33, 55, 67, 88};ok
tcp ackseq != { 33, 55, 67, 88};ok
+tcp ackseq { 33-55};ok
+tcp ackseq != { 33-55};ok
- tcp doff 22;ok
- tcp doff != 233;ok
- tcp doff != 33-45;ok
- tcp doff { 33, 55, 67, 88};ok
- tcp doff != { 33, 55, 67, 88};ok
+- tcp doff { 33-55};ok
+- tcp doff != { 33-55};ok
# BUG reserved
# BUG: It is accepted but it is not shown then. tcp reserver
tcp window != 33-45;ok
tcp window { 33, 55, 67, 88};ok
tcp window != { 33, 55, 67, 88};ok
+tcp window { 33-55};ok
+tcp window != { 33-55};ok
tcp checksum 22;ok
tcp checksum != 233;ok
tcp checksum != 33-45;ok
tcp checksum { 33, 55, 67, 88};ok
tcp checksum != { 33, 55, 67, 88};ok
+tcp checksum { 33-55};ok
+tcp checksum != { 33-55};ok
tcp urgptr 1234 accept;ok
tcp urgptr 22;ok
tcp urgptr != 33-45;ok
tcp urgptr { 33, 55, 67, 88};ok
tcp urgptr != { 33, 55, 67, 88};ok
+tcp urgptr { 33-55};ok
+tcp urgptr != { 33-55};ok
tcp doff 8;ok
}
]
+# tcp dport { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# tcp dport != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# tcp dport {telnet, http, https} accept
[
{
}
]
+# tcp sport { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# tcp sport != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# tcp sport vmap { 25:accept, 28:drop }
[
{
}
]
+# tcp sequence { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sequence",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# tcp sequence != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sequence",
+ "protocol": "tcp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# tcp ackseq 42949672 drop
[
{
}
]
+# tcp ackseq { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "ackseq",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# tcp ackseq != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "ackseq",
+ "protocol": "tcp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr} drop
[
{
}
]
+# tcp window { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "window",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# tcp window != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "window",
+ "protocol": "tcp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# tcp checksum 22
[
{
}
]
+# tcp checksum { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# tcp checksum != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "tcp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# tcp urgptr 1234 accept
[
{
}
]
+# tcp urgptr { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "urgptr",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# tcp urgptr != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "urgptr",
+ "protocol": "tcp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# tcp doff 8
[
{
[ payload load 2b @ transport header + 2 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# tcp dport { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# tcp dport != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# tcp dport {telnet, http, https} accept
__set%d test-inet 3
__set%d test-inet 0
[ payload load 2b @ transport header + 0 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# tcp sport { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# tcp sport != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# tcp sport vmap { 25:accept, 28:drop }
__map%d test-inet b
__map%d test-inet 0
[ payload load 4b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# tcp sequence { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# tcp sequence != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# tcp ackseq 42949672 drop
inet test-inet input
[ meta load l4proto => reg 1 ]
[ payload load 2b @ transport header + 18 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# tcp urgptr { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 18 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# tcp urgptr != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 18 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# tcp doff 8
inet test-inet input
[ meta load l4proto => reg 1 ]
udp sport != 50-60 accept;ok
udp sport { 49, 50} drop;ok
udp sport != { 50, 60} accept;ok
+udp sport { 12-40};ok
+udp sport != { 13-24};ok
udp dport set {1, 2, 3};fail
udp dport != 50-60 accept;ok
udp dport { 49, 50} drop;ok
udp dport != { 50, 60} accept;ok
+udp dport { 70-75} accept;ok
+udp dport != { 50-60} accept;ok
udp length 6666;ok
udp length != 6666;ok
udp length != 50-65 accept;ok
udp length { 50, 65} accept;ok
udp length != { 50, 65} accept;ok
+udp length { 35-50};ok
+udp length != { 35-50};ok
udp checksum 6666 drop;ok
udp checksum != { 444, 555} accept;ok
udp checksum != 33-45;ok
udp checksum { 33, 55, 67, 88};ok
udp checksum != { 33, 55, 67, 88};ok
+udp checksum { 33-55};ok
+udp checksum != { 33-55};ok
# limit impact to lo
iif "lo" udp checksum set 0;ok
}
]
+# udp sport { 12-40}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 12, 40 ] }
+ ]
+ }
+ }
+ }
+]
+
+# udp sport != { 13-24}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "udp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 13, 24 ] }
+ ]
+ }
+ }
+ }
+]
+
# udp dport 80 accept
[
{
}
]
+# udp dport { 70-75} accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 70, 75 ] }
+ ]
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# udp dport != { 50-60} accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 50, 60 ] }
+ ]
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
# udp length 6666
[
{
}
]
+# udp length { 35-50}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "length",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 35, 50 ] }
+ ]
+ }
+ }
+ }
+]
+
+# udp length != { 35-50}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "length",
+ "protocol": "udp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 35, 50 ] }
+ ]
+ }
+ }
+ }
+]
+
# udp checksum 6666 drop
[
{
}
]
+# udp checksum { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# udp checksum != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "udp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# iif "lo" udp checksum set 0
[
{
[ lookup reg 1 set __set%d 0x1 ]
[ immediate reg 0 accept ]
+# udp sport { 12-40}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00000c00 : 0 [end] element 00002900 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# udp sport != { 13-24}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00000d00 : 0 [end] element 00001900 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# udp dport 80 accept
inet test-inet input
[ meta load l4proto => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
[ immediate reg 0 accept ]
+# udp dport { 70-75} accept
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00004600 : 0 [end] element 00004c00 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+ [ immediate reg 0 accept ]
+
+# udp dport != { 50-60} accept
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00003200 : 0 [end] element 00003d00 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+ [ immediate reg 0 accept ]
+
# udp length 6666
inet test-inet input
[ meta load l4proto => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
[ immediate reg 0 accept ]
+# udp length { 35-50}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00002300 : 0 [end] element 00003300 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# udp length != { 35-50}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00002300 : 0 [end] element 00003300 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# udp checksum 6666 drop
inet test-inet input
[ meta load l4proto => reg 1 ]
[ payload load 2b @ transport header + 6 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# udp checksum { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# udp checksum != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# iif "lo" udp checksum set 0
inet test-inet input
[ meta load iif => reg 1 ]
udplite sport != 50-60 accept;ok
udplite sport { 49, 50} drop;ok
udplite sport != { 49, 50} accept;ok
+udplite sport { 12-40};ok
+udplite sport != { 12-40};ok
udplite dport 80 accept;ok
udplite dport != 60 accept;ok
udplite dport != 50-60 accept;ok
udplite dport { 49, 50} drop;ok
udplite dport != { 49, 50} accept;ok
+udplite dport { 70-75} accept;ok
+udplite dport != { 70-75} accept;ok
- udplite csumcov 6666;ok
- udplite csumcov != 6666;ok
- udplite csumcov != 50-65 accept;ok
- udplite csumcov { 50, 65} accept;ok
- udplite csumcov != { 50, 65} accept;ok
+- udplite csumcov { 35-50};ok
+- udplite csumcov != { 35-50};ok
udplite checksum 6666 drop;ok
udplite checksum != { 444, 555} accept;ok
udplite checksum != 33-45;ok
udplite checksum { 33, 55, 67, 88};ok
udplite checksum != { 33, 55, 67, 88};ok
+udplite checksum { 33-55};ok
+udplite checksum != { 33-55};ok
}
]
+# udplite sport { 12-40}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "udplite"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 12, 40 ] }
+ ]
+ }
+ }
+ }
+]
+
+# udplite sport != { 12-40}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "udplite"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 12, 40 ] }
+ ]
+ }
+ }
+ }
+]
+
# udplite dport 80 accept
[
{
}
]
+# udplite dport { 70-75} accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udplite"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 70, 75 ] }
+ ]
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# udplite dport != { 70-75} accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udplite"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 70, 75 ] }
+ ]
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
# udplite checksum 6666 drop
[
{
}
}
]
+
+# udplite checksum { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "udplite"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# udplite checksum != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "udplite"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
[ lookup reg 1 set __set%d 0x1 ]
[ immediate reg 0 accept ]
+# udplite sport { 12-40}
+__set%d test-ip4 7
+__set%d test-ip4 0
+ element 00000000 : 1 [end] element 00000c00 : 0 [end] element 00002900 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# udplite sport != { 12-40}
+__set%d test-ip4 7
+__set%d test-ip4 0
+ element 00000000 : 1 [end] element 00000c00 : 0 [end] element 00002900 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# udplite dport 80 accept
inet test-inet input
[ meta load l4proto => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
[ immediate reg 0 accept ]
+# udplite dport { 70-75} accept
+__set%d test-ip4 7
+__set%d test-ip4 0
+ element 00000000 : 1 [end] element 00004600 : 0 [end] element 00004c00 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+ [ immediate reg 0 accept ]
+
+# udplite dport != { 70-75} accept
+__set%d test-ip4 7
+__set%d test-ip4 0
+ element 00000000 : 1 [end] element 00004600 : 0 [end] element 00004c00 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+ [ immediate reg 0 accept ]
+
# udplite checksum 6666 drop
inet test-inet input
[ meta load l4proto => reg 1 ]
[ payload load 2b @ transport header + 6 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# udplite checksum { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# udplite checksum != { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
icmp code != 111 accept;ok
icmp code 33-55;ok
icmp code != 33-55;ok
+icmp code { 33-55};ok
+icmp code != { 33-55};ok
icmp code { 2, 4, 54, 33, 56};ok;icmp code { prot-unreachable, 4, 33, 54, 56}
icmp code != { prot-unreachable, 4, 33, 54, 56};ok
icmp checksum != 12343 accept;ok
icmp checksum 11-343 accept;ok
icmp checksum != 11-343 accept;ok
+icmp checksum { 11-343} accept;ok
+icmp checksum != { 11-343} accept;ok
icmp checksum { 1111, 222, 343} accept;ok
icmp checksum != { 1111, 222, 343} accept;ok
icmp id != 233;ok
icmp id 33-45;ok
icmp id != 33-45;ok
+icmp id { 33-55};ok
+icmp id != { 33-55};ok
icmp id { 22, 34, 333};ok
icmp id != { 22, 34, 333};ok
icmp sequence != 33-45;ok
icmp sequence { 33, 55, 67, 88};ok
icmp sequence != { 33, 55, 67, 88};ok
+icmp sequence { 33-55};ok
+icmp sequence != { 33-55};ok
icmp mtu 33;ok
icmp mtu 22-33;ok
+icmp mtu { 22-33};ok
+icmp mtu != { 22-33};ok
icmp mtu 22;ok
icmp mtu != 233;ok
icmp mtu 33-45;ok
icmp mtu != 33-45;ok
icmp mtu { 33, 55, 67, 88};ok
icmp mtu != { 33, 55, 67, 88};ok
+icmp mtu { 33-55};ok
+icmp mtu != { 33-55};ok
icmp gateway 22;ok
icmp gateway != 233;ok
icmp gateway != 33-45;ok
icmp gateway { 33, 55, 67, 88};ok
icmp gateway != { 33, 55, 67, 88};ok
+icmp gateway { 33-55};ok
+icmp gateway != { 33-55};ok
icmp gateway != 34;ok
icmp gateway != { 333, 334};ok
}
]
+# icmp code { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "code",
+ "protocol": "icmp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# icmp code != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "code",
+ "protocol": "icmp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# icmp code { 2, 4, 54, 33, 56}
[
{
}
]
+# icmp checksum { 11-343} accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "icmp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 11, 343 ] }
+ ]
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# icmp checksum != { 11-343} accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "icmp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 11, 343 ] }
+ ]
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
# icmp checksum { 1111, 222, 343} accept
[
{
}
]
+# icmp id { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "id",
+ "protocol": "icmp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# icmp id != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "id",
+ "protocol": "icmp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# icmp id { 22, 34, 333}
[
{
}
]
+# icmp sequence { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sequence",
+ "protocol": "icmp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# icmp sequence != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sequence",
+ "protocol": "icmp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# icmp mtu 33
[
{
}
]
+# icmp mtu { 22-33}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "mtu",
+ "protocol": "icmp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 22, 33 ] }
+ ]
+ }
+ }
+ }
+]
+
+# icmp mtu != { 22-33}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "mtu",
+ "protocol": "icmp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 22, 33 ] }
+ ]
+ }
+ }
+ }
+]
+
# icmp mtu 22
[
{
}
]
+# icmp mtu { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "mtu",
+ "protocol": "icmp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# icmp mtu != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "mtu",
+ "protocol": "icmp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# icmp gateway 22
[
{
}
]
+# icmp gateway { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "gateway",
+ "protocol": "icmp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# icmp gateway != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "gateway",
+ "protocol": "icmp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# icmp gateway != 34
[
{
[ payload load 1b @ transport header + 1 => reg 1 ]
[ range neq reg 1 0x00000021 0x00000037 ]
+# icmp code { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 1 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# icmp code != { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 1 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# icmp code { 2, 4, 54, 33, 56}
__set%d test-ip4 3
__set%d test-ip4 0
[ range neq reg 1 0x00000b00 0x00005701 ]
[ immediate reg 0 accept ]
+# icmp checksum { 11-343} accept
+__set%d test-ip4 7
+__set%d test-ip4 0
+ element 00000000 : 1 [end] element 00000b00 : 0 [end] element 00005801 : 1 [end]
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+ [ immediate reg 0 accept ]
+
+# icmp checksum != { 11-343} accept
+__set%d test-ip4 7
+__set%d test-ip4 0
+ element 00000000 : 1 [end] element 00000b00 : 0 [end] element 00005801 : 1 [end]
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+ [ immediate reg 0 accept ]
+
# icmp checksum { 1111, 222, 343} accept
__set%d test-ip4 3
__set%d test-ip4 0
[ payload load 2b @ transport header + 4 => reg 1 ]
[ range neq reg 1 0x00002100 0x00002d00 ]
+# icmp id { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# icmp id != { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# icmp id { 22, 34, 333}
__set%d test-ip4 3
__set%d test-ip4 0
[ payload load 2b @ transport header + 6 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# icmp sequence { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# icmp sequence != { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# icmp mtu 33
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp gte reg 1 0x00001600 ]
[ cmp lte reg 1 0x00002100 ]
+# icmp mtu { 22-33}
+__set%d test-ip4 7
+__set%d test-ip4 0
+ element 00000000 : 1 [end] element 00001600 : 0 [end] element 00002200 : 1 [end]
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# icmp mtu != { 22-33}
+__set%d test-ip4 7
+__set%d test-ip4 0
+ element 00000000 : 1 [end] element 00001600 : 0 [end] element 00002200 : 1 [end]
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# icmp mtu 22
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ payload load 2b @ transport header + 6 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# icmp mtu { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# icmp mtu != { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# icmp gateway 22
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ payload load 4b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# icmp gateway { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+ element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end]
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# icmp gateway != { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+ element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end]
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# icmp gateway != 34
ip test-ip4 input
[ meta load l4proto => reg 1 ]
ip length != 333-453;ok
ip length { 333, 553, 673, 838};ok
ip length != { 333, 553, 673, 838};ok
+ip length { 333-535};ok
+ip length != { 333-535};ok
ip id 22;ok
ip id != 233;ok
ip id != 33-45;ok
ip id { 33, 55, 67, 88};ok
ip id != { 33, 55, 67, 88};ok
+ip id { 33-55};ok
+ip id != { 33-55};ok
ip frag-off 222 accept;ok
ip frag-off != 233;ok
ip frag-off != 33-45;ok
ip frag-off { 33, 55, 67, 88};ok
ip frag-off != { 33, 55, 67, 88};ok
+ip frag-off { 33-55};ok
+ip frag-off != { 33-55};ok
ip ttl 0 drop;ok
ip ttl 233;ok
ip ttl != 45-50;ok
ip ttl {43, 53, 45 };ok
ip ttl != {43, 53, 45 };ok
+ip ttl { 33-55};ok
+ip ttl != { 33-55};ok
ip protocol tcp;ok;ip protocol 6
ip protocol != tcp;ok;ip protocol != 6
ip checksum != 33-45;ok
ip checksum { 33, 55, 67, 88};ok
ip checksum != { 33, 55, 67, 88};ok
+ip checksum { 33-55};ok
+ip checksum != { 33-55};ok
ip saddr set {192.19.1.2, 191.1.22.1};fail
ip daddr 172.16.0.0-172.31.255.255;ok
ip daddr 192.168.3.1-192.168.4.250;ok
ip daddr != 192.168.0.1-192.168.0.250;ok
+ip daddr { 192.168.0.1-192.168.0.250};ok
+ip daddr != { 192.168.0.1-192.168.0.250};ok
ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept;ok
ip daddr != { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept;ok
}
]
+# ip length { 333-535}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "length",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 333, 535 ] }
+ ]
+ }
+ }
+ }
+]
+
+# ip length != { 333-535}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "length",
+ "protocol": "ip"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 333, 535 ] }
+ ]
+ }
+ }
+ }
+]
+
# ip id 22
[
{
}
]
+# ip id { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "id",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# ip id != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "id",
+ "protocol": "ip"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# ip frag-off 222 accept
[
{
}
]
+# ip frag-off { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "frag-off",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# ip frag-off != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "frag-off",
+ "protocol": "ip"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# ip ttl 0 drop
[
{
}
]
+# ip ttl { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "ttl",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# ip ttl != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "ttl",
+ "protocol": "ip"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# ip protocol tcp
[
{
}
]
+# ip checksum { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# ip checksum != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "ip"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# ip saddr 192.168.2.0/24
[
{
}
]
+# ip daddr { 192.168.0.1-192.168.0.250}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "daddr",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ "192.168.0.1", "192.168.0.250" ] }
+ ]
+ }
+ }
+ }
+]
+
+# ip daddr != { 192.168.0.1-192.168.0.250}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "daddr",
+ "protocol": "ip"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ "192.168.0.1", "192.168.0.250" ] }
+ ]
+ }
+ }
+ }
+]
+
# ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept
[
{
[ payload load 2b @ network header + 2 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# ip length { 333-535}
+__set%d test-bridge 7 size 3
+__set%d test-bridge 0
+ element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end]
+bridge test-bridge input
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 2b @ network header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# ip length != { 333-535}
+__set%d test-bridge 7 size 3
+__set%d test-bridge 0
+ element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end]
+bridge test-bridge input
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 2b @ network header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# ip id 22
bridge test-bridge input
[ payload load 2b @ link header + 12 => reg 1 ]
[ payload load 2b @ network header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# ip id { 33-55}
+__set%d test-bridge 7 size 3
+__set%d test-bridge 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+bridge test-bridge input
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 2b @ network header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# ip id != { 33-55}
+__set%d test-bridge 7 size 3
+__set%d test-bridge 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+bridge test-bridge input
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 2b @ network header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# ip frag-off 222 accept
bridge test-bridge input
[ payload load 2b @ link header + 12 => reg 1 ]
[ payload load 2b @ network header + 6 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# ip frag-off { 33-55}
+__set%d test-bridge 7 size 3
+__set%d test-bridge 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+bridge test-bridge input
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 2b @ network header + 6 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# ip frag-off != { 33-55}
+__set%d test-bridge 7 size 3
+__set%d test-bridge 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+bridge test-bridge input
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 2b @ network header + 6 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# ip ttl 0 drop
bridge test-bridge input
[ payload load 2b @ link header + 12 => reg 1 ]
[ payload load 1b @ network header + 8 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# ip ttl { 33-55}
+__set%d test-bridge 7 size 3
+__set%d test-bridge 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+bridge test-bridge input
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 1b @ network header + 8 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# ip ttl != { 33-55}
+__set%d test-bridge 7 size 3
+__set%d test-bridge 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+bridge test-bridge input
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 1b @ network header + 8 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# ip protocol tcp
bridge test-bridge input
[ payload load 2b @ link header + 12 => reg 1 ]
[ payload load 2b @ network header + 10 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# ip checksum { 33-55}
+__set%d test-bridge 7 size 3
+__set%d test-bridge 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+bridge test-bridge input
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 2b @ network header + 10 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# ip checksum != { 33-55}
+__set%d test-bridge 7 size 3
+__set%d test-bridge 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+bridge test-bridge input
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 2b @ network header + 10 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# ip saddr 192.168.2.0/24
bridge test-bridge input
[ payload load 2b @ link header + 12 => reg 1 ]
[ payload load 4b @ network header + 16 => reg 1 ]
[ range neq reg 1 0x0100a8c0 0xfa00a8c0 ]
+# ip daddr { 192.168.0.1-192.168.0.250}
+__set%d test-bridge 7 size 3
+__set%d test-bridge 0
+ element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end]
+bridge test-bridge input
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# ip daddr != { 192.168.0.1-192.168.0.250}
+__set%d test-bridge 7 size 3
+__set%d test-bridge 0
+ element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end]
+bridge test-bridge input
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept
__set%d test-bridge 3 size 3
__set%d test-bridge 0
[ payload load 2b @ network header + 2 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# ip length { 333-535}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# ip length != { 333-535}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# ip id 22
inet test-inet input
[ meta load nfproto => reg 1 ]
[ payload load 2b @ network header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# ip id { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# ip id != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# ip frag-off 222 accept
inet test-inet input
[ meta load nfproto => reg 1 ]
[ payload load 2b @ network header + 6 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# ip frag-off { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 6 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# ip frag-off != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 6 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# ip ttl 0 drop
inet test-inet input
[ meta load nfproto => reg 1 ]
[ payload load 1b @ network header + 8 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# ip ttl { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 1b @ network header + 8 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# ip ttl != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 1b @ network header + 8 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# ip protocol tcp
inet test-inet input
[ meta load nfproto => reg 1 ]
[ payload load 2b @ network header + 10 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# ip checksum { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 10 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# ip checksum != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 10 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# ip saddr 192.168.2.0/24
inet test-inet input
[ meta load nfproto => reg 1 ]
[ payload load 4b @ network header + 16 => reg 1 ]
[ range neq reg 1 0x0100a8c0 0xfa00a8c0 ]
+# ip daddr { 192.168.0.1-192.168.0.250}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# ip daddr != { 192.168.0.1-192.168.0.250}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept
__set%d test-inet 3
__set%d test-inet 0
[ payload load 2b @ network header + 2 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# ip length { 333-535}
+__set%d test-netdev 7
+__set%d test-netdev 0
+ element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end]
+netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 2b @ network header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# ip length != { 333-535}
+__set%d test-netdev 7
+__set%d test-netdev 0
+ element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end]
+netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 2b @ network header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# ip id 22
netdev test-netdev ingress
[ meta load protocol => reg 1 ]
[ payload load 2b @ network header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# ip id { 33-55}
+__set%d test-netdev 7
+__set%d test-netdev 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 2b @ network header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# ip id != { 33-55}
+__set%d test-netdev 7
+__set%d test-netdev 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 2b @ network header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# ip frag-off 222 accept
netdev test-netdev ingress
[ meta load protocol => reg 1 ]
[ cmp neq reg 1 0x0000e900 ]
# ip frag-off 33-45
-netdev test-netdev ingress
+netdev test-netdev ingress
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 6 => reg 1 ]
[ cmp lte reg 1 0x00002d00 ]
# ip frag-off != 33-45
-netdev test-netdev ingress
+netdev test-netdev ingress
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 6 => reg 1 ]
[ payload load 2b @ network header + 6 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# ip frag-off { 33-55}
+__set%d test-netdev 7
+__set%d test-netdev 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 2b @ network header + 6 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# ip frag-off != { 33-55}
+__set%d test-netdev 7
+__set%d test-netdev 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 2b @ network header + 6 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# ip ttl 0 drop
netdev test-netdev ingress
[ meta load protocol => reg 1 ]
[ payload load 1b @ network header + 8 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# ip ttl { 33-55}
+__set%d test-netdev 7
+__set%d test-netdev 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 1b @ network header + 8 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# ip ttl != { 33-55}
+__set%d test-netdev 7
+__set%d test-netdev 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 1b @ network header + 8 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept
__set%d test-netdev 3
__set%d test-netdev 0
[ payload load 2b @ network header + 10 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# ip checksum { 33-55}
+__set%d test-netdev 7
+__set%d test-netdev 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 2b @ network header + 10 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# ip checksum != { 33-55}
+__set%d test-netdev 7
+__set%d test-netdev 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 2b @ network header + 10 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# ip saddr 192.168.2.0/24
netdev test-netdev ingress
[ meta load protocol => reg 1 ]
[ payload load 4b @ network header + 16 => reg 1 ]
[ range neq reg 1 0x0100a8c0 0xfa00a8c0 ]
+# ip daddr { 192.168.0.1-192.168.0.250}
+__set%d test-netdev 7
+__set%d test-netdev 0
+ element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end]
+netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# ip daddr != { 192.168.0.1-192.168.0.250}
+__set%d test-netdev 7
+__set%d test-netdev 0
+ element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end]
+netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept
__set%d test-netdev 3
__set%d test-netdev 0
dst nexthdr != 33-45;ok
dst nexthdr { 33, 55, 67, 88};ok
dst nexthdr != { 33, 55, 67, 88};ok
+dst nexthdr { 33-55};ok
+dst nexthdr != { 33-55};ok
dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp};ok;dst nexthdr { 51, 50, 17, 136, 58, 6, 33, 132, 108}
dst nexthdr != { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp};ok;dst nexthdr != { 51, 50, 17, 136, 58, 6, 33, 132, 108}
dst nexthdr icmp;ok;dst nexthdr 1
dst hdrlength != 33-45;ok
dst hdrlength { 33, 55, 67, 88};ok
dst hdrlength != { 33, 55, 67, 88};ok
+dst hdrlength { 33-55};ok
+dst hdrlength != { 33-55};ok
}
]
+# dst nexthdr { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "exthdr": {
+ "field": "nexthdr",
+ "name": "dst"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# dst nexthdr != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "exthdr": {
+ "field": "nexthdr",
+ "name": "dst"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}
[
{
}
}
]
+
+# dst hdrlength { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "exthdr": {
+ "field": "hdrlength",
+ "name": "dst"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# dst hdrlength != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "exthdr": {
+ "field": "hdrlength",
+ "name": "dst"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
[ exthdr load 1b @ 60 + 0 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# dst nexthdr { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ exthdr load 1b @ 60 + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# dst nexthdr != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ exthdr load 1b @ 60 + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}
__set%d test-inet 3
__set%d test-inet 0
[ exthdr load 1b @ 60 + 1 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# dst hdrlength { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+ip6 test-ip6 input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ exthdr load 1b @ 60 + 1 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# dst hdrlength != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+ip6 test-ip6 input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ exthdr load 1b @ 60 + 1 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
[ exthdr load 1b @ 60 + 0 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# dst nexthdr { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+ip6 test-ip6 input
+ [ exthdr load 1b @ 60 + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# dst nexthdr != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+ip6 test-ip6 input
+ [ exthdr load 1b @ 60 + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}
__set%d test-ip6 3
__set%d test-ip6 0
[ exthdr load 1b @ 60 + 1 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# dst hdrlength { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+ip6 test-ip6 input
+ [ exthdr load 1b @ 60 + 1 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# dst hdrlength != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+ip6 test-ip6 input
+ [ exthdr load 1b @ 60 + 1 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
+
frag reserved != 33-45;ok
frag reserved { 33, 55, 67, 88};ok
frag reserved != { 33, 55, 67, 88};ok
+frag reserved { 33-55};ok
+frag reserved != { 33-55};ok
frag frag-off 22;ok
frag frag-off != 233;ok
frag frag-off != 33-45;ok
frag frag-off { 33, 55, 67, 88};ok
frag frag-off != { 33, 55, 67, 88};ok
+frag frag-off { 33-55};ok
+frag frag-off != { 33-55};ok
frag reserved2 1;ok
frag more-fragments 0;ok
frag id != 33-45;ok
frag id { 33, 55, 67, 88};ok
frag id != { 33, 55, 67, 88};ok
+frag id { 33-55};ok
+frag id != { 33-55};ok
}
]
+# frag reserved { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "exthdr": {
+ "field": "reserved",
+ "name": "frag"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# frag reserved != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "exthdr": {
+ "field": "reserved",
+ "name": "frag"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# frag frag-off 22
[
{
}
]
+# frag frag-off { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "exthdr": {
+ "field": "frag-off",
+ "name": "frag"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# frag frag-off != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "exthdr": {
+ "field": "frag-off",
+ "name": "frag"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# frag reserved2 1
[
{
}
}
]
+
+# frag id { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "exthdr": {
+ "field": "id",
+ "name": "frag"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# frag id != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "exthdr": {
+ "field": "id",
+ "name": "frag"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
[ exthdr load 1b @ 44 + 1 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# frag reserved { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+inet test-inet output
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ exthdr load 1b @ 44 + 1 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# frag reserved != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+inet test-inet output
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ exthdr load 1b @ 44 + 1 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# frag frag-off 22
inet test-inet output
[ meta load nfproto => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ]
[ lookup reg 1 set __set%d 0x1 ]
+# frag frag-off { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end]
+inet test-inet output
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ exthdr load 2b @ 44 + 2 => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ]
+ [ lookup reg 1 set __set%d ]
+
+# frag frag-off != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end]
+inet test-inet output
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ exthdr load 2b @ 44 + 2 => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# frag more-fragments 1
inet test-inet output
[ meta load nfproto => reg 1 ]
[ exthdr load 4b @ 44 + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# frag id { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end]
+inet test-inet output
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ exthdr load 4b @ 44 + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# frag id != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end]
+inet test-inet output
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ exthdr load 4b @ 44 + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# frag reserved2 1
inet test-inet output
[ meta load nfproto => reg 1 ]
[ exthdr load 1b @ 44 + 1 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# frag reserved { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+ip6 test-ip6 output
+ [ exthdr load 1b @ 44 + 1 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# frag reserved != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+ip6 test-ip6 output
+ [ exthdr load 1b @ 44 + 1 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# frag frag-off 22
ip6 test-ip6 output
[ exthdr load 2b @ 44 + 2 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ]
[ lookup reg 1 set __set%d 0x1 ]
+# frag frag-off { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end]
+ip6 test-ip6 output
+ [ exthdr load 2b @ 44 + 2 => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ]
+ [ lookup reg 1 set __set%d ]
+
+# frag frag-off != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end]
+ip6 test-ip6 output
+ [ exthdr load 2b @ 44 + 2 => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# frag more-fragments 1
ip6 test-ip6 output
[ exthdr load 1b @ 44 + 3 => reg 1 ]
[ exthdr load 4b @ 44 + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# frag id { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end]
+ip6 test-ip6 output
+ [ exthdr load 4b @ 44 + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# frag id != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end]
+ip6 test-ip6 output
+ [ exthdr load 4b @ 44 + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# frag reserved2 1
ip6 test-ip6 output
[ exthdr load 1b @ 44 + 3 => reg 1 ]
hbh hdrlength != 33-45;ok
hbh hdrlength {33, 55, 67, 88};ok
hbh hdrlength != {33, 55, 67, 88};ok
+hbh hdrlength { 33-55};ok
+hbh hdrlength != { 33-55};ok
hbh nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok;hbh nexthdr { 58, 136, 51, 50, 6, 17, 132, 33, 108}
hbh nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok;hbh nexthdr != { 58, 136, 51, 50, 6, 17, 132, 33, 108}
hbh nexthdr != 33-45;ok
hbh nexthdr {33, 55, 67, 88};ok
hbh nexthdr != {33, 55, 67, 88};ok
+hbh nexthdr { 33-55};ok
+hbh nexthdr != { 33-55};ok
hbh nexthdr ip;ok;hbh nexthdr 0
hbh nexthdr != ip;ok;hbh nexthdr != 0
}
]
+# hbh hdrlength { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "exthdr": {
+ "field": "hdrlength",
+ "name": "hbh"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# hbh hdrlength != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "exthdr": {
+ "field": "hdrlength",
+ "name": "hbh"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# hbh nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6}
[
{
}
]
+# hbh nexthdr { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "exthdr": {
+ "field": "nexthdr",
+ "name": "hbh"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# hbh nexthdr != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "exthdr": {
+ "field": "nexthdr",
+ "name": "hbh"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# hbh nexthdr ip
[
{
[ exthdr load 1b @ 0 + 1 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# hbh hdrlength { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+inet test-inet filter-input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ exthdr load 1b @ 0 + 1 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# hbh hdrlength != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+inet test-inet filter-input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ exthdr load 1b @ 0 + 1 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# hbh nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6}
__set%d test-inet 3
__set%d test-inet 0
[ exthdr load 1b @ 0 + 0 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# hbh nexthdr { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+inet test-inet filter-input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ exthdr load 1b @ 0 + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# hbh nexthdr != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+inet test-inet filter-input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ exthdr load 1b @ 0 + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# hbh nexthdr ip
inet test-inet filter-input
[ meta load nfproto => reg 1 ]
[ exthdr load 1b @ 0 + 1 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# hbh hdrlength { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+ip6 test-ip6 filter-input
+ [ exthdr load 1b @ 0 + 1 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# hbh hdrlength != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+ip6 test-ip6 filter-input
+ [ exthdr load 1b @ 0 + 1 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# hbh nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6}
__set%d test-ip6 3
__set%d test-ip6 0
[ exthdr load 1b @ 0 + 0 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# hbh nexthdr { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+ip6 test-ip6 filter-input
+ [ exthdr load 1b @ 0 + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# hbh nexthdr != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+ip6 test-ip6 filter-input
+ [ exthdr load 1b @ 0 + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# hbh nexthdr ip
ip6 test-ip6 filter-input
[ exthdr load 1b @ 0 + 0 => reg 1 ]
icmpv6 code 3-66;ok
icmpv6 code {5, 6, 7} accept;ok;icmpv6 code {policy-fail, reject-route, 7} accept
icmpv6 code != {policy-fail, reject-route, 7} accept;ok
+icmpv6 code { 3-66};ok
+icmpv6 code != { 3-66};ok
icmpv6 checksum 2222 log;ok
icmpv6 checksum != 2222 log;ok
icmpv6 checksum != 2222 log;ok
icmpv6 checksum { 222, 226};ok
icmpv6 checksum != { 222, 226};ok
+icmpv6 checksum { 222-226};ok
+icmpv6 checksum != { 222-226};ok
# BUG: icmpv6 parameter-problem, pptr, mtu, packet-too-big
# [ICMP6HDR_PPTR] = ICMP6HDR_FIELD("parameter-problem", icmp6_pptr),
icmpv6 mtu != 33-45;ok
icmpv6 mtu {33, 55, 67, 88};ok
icmpv6 mtu != {33, 55, 67, 88};ok
+icmpv6 mtu {33-55};ok
+icmpv6 mtu != {33-55};ok
- icmpv6 id 2;ok
- icmpv6 id != 233;ok
icmpv6 id != 33-45;ok
icmpv6 id {33, 55, 67, 88};ok
icmpv6 id != {33, 55, 67, 88};ok
+icmpv6 id {33-55};ok
+icmpv6 id != {33-55};ok
icmpv6 sequence 2;ok
icmpv6 sequence {3, 4, 5, 6, 7} accept;ok
icmpv6 sequence != {2, 4};ok
icmpv6 sequence 2-4;ok
icmpv6 sequence != 2-4;ok
+icmpv6 sequence { 2-4};ok
+icmpv6 sequence != { 2-4};ok
- icmpv6 max-delay 22;ok
- icmpv6 max-delay != 233;ok
icmpv6 max-delay != 33-45;ok
icmpv6 max-delay {33, 55, 67, 88};ok
icmpv6 max-delay != {33, 55, 67, 88};ok
+icmpv6 max-delay {33-55};ok
+icmpv6 max-delay != {33-55};ok
}
]
+# icmpv6 code { 3-66}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "code",
+ "protocol": "icmpv6"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 3, 66 ] }
+ ]
+ }
+ }
+ }
+]
+
+# icmpv6 code != { 3-66}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "code",
+ "protocol": "icmpv6"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 3, 66 ] }
+ ]
+ }
+ }
+ }
+]
+
# icmpv6 checksum 2222 log
[
{
}
]
+# icmpv6 checksum { 222-226}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "icmpv6"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 222, 226 ] }
+ ]
+ }
+ }
+ }
+]
+
+# icmpv6 checksum != { 222-226}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "icmpv6"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 222, 226 ] }
+ ]
+ }
+ }
+ }
+]
+
# icmpv6 mtu 22
[
{
}
]
+# icmpv6 mtu {33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "mtu",
+ "protocol": "icmpv6"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# icmpv6 mtu != {33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "mtu",
+ "protocol": "icmpv6"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# icmpv6 id 33-45
[
{
}
]
+# icmpv6 id {33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "id",
+ "protocol": "icmpv6"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# icmpv6 id != {33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "id",
+ "protocol": "icmpv6"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# icmpv6 sequence 2
[
{
}
]
+# icmpv6 sequence { 2-4}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sequence",
+ "protocol": "icmpv6"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 2, 4 ] }
+ ]
+ }
+ }
+ }
+]
+
+# icmpv6 sequence != { 2-4}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sequence",
+ "protocol": "icmpv6"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 2, 4 ] }
+ ]
+ }
+ }
+ }
+]
+
# icmpv6 max-delay 33-45
[
{
}
}
]
+
+# icmpv6 max-delay {33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "max-delay",
+ "name": "icmpv6"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# icmpv6 max-delay != {33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "max-delay",
+ "name": "icmpv6"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
[ lookup reg 1 set __set%d 0x1 ]
[ immediate reg 0 accept ]
+# icmpv6 code { 3-66}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000003 : 0 [end] element 00000043 : 1 [end]
+ip6 test-ip6 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 1 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# icmpv6 code != { 3-66}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000003 : 0 [end] element 00000043 : 1 [end]
+ip6 test-ip6 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 1 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# icmpv6 checksum 2222 log
ip6 test-ip6 input
[ meta load l4proto => reg 1 ]
[ payload load 2b @ transport header + 2 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# icmpv6 checksum { 222-226}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 0000de00 : 0 [end] element 0000e300 : 1 [end]
+ip6 test-ip6 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000003a ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# icmpv6 checksum != { 222-226}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 0000de00 : 0 [end] element 0000e300 : 1 [end]
+ip6 test-ip6 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000003a ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# icmpv6 mtu 22
ip6 test-ip6 input
[ meta load l4proto => reg 1 ]
[ payload load 4b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# icmpv6 mtu {33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end]
+ip6 test-ip6 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000003a ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# icmpv6 mtu != {33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end]
+ip6 test-ip6 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000003a ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
# icmpv6 id 33-45
ip6 test-ip6 input
[ payload load 2b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# icmpv6 id {33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+ip6 test-ip6 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000003a ]
+ [ payload load 2b @ transport header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# icmpv6 id != {33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+ip6 test-ip6 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000003a ]
+ [ payload load 2b @ transport header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# icmpv6 sequence 2
ip6 test-ip6 input
[ meta load l4proto => reg 1 ]
[ payload load 2b @ transport header + 6 => reg 1 ]
[ range neq reg 1 0x00000200 0x00000400 ]
+# icmpv6 sequence { 2-4}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000200 : 0 [end] element 00000500 : 1 [end]
+ip6 test-ip6 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000003a ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# icmpv6 sequence != { 2-4}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000200 : 0 [end] element 00000500 : 1 [end]
+ip6 test-ip6 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000003a ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# icmpv6 max-delay 33-45
ip6 test-ip6 input
[ meta load l4proto => reg 1 ]
[ payload load 2b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# icmpv6 max-delay {33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+ip6 test-ip6 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000003a ]
+ [ payload load 2b @ transport header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# icmpv6 max-delay != {33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+ip6 test-ip6 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000003a ]
+ [ payload load 2b @ transport header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
ip6 flowlabel { 33, 55, 67, 88};ok
# BUG ip6 flowlabel { 5046528, 2883584, 13522432 }
ip6 flowlabel != { 33, 55, 67, 88};ok
+ip6 flowlabel { 33-55};ok
+ip6 flowlabel != { 33-55};ok
ip6 flowlabel vmap { 0 : accept, 2 : continue } ;ok
ip6 length 22;ok
ip6 length != 33-45;ok
ip6 length { 33, 55, 67, 88};ok
ip6 length != {33, 55, 67, 88};ok
+ip6 length { 33-55};ok
+ip6 length != { 33-55};ok
ip6 nexthdr {udp, ah, comp, udplite, tcp, dccp, sctp};ok;ip6 nexthdr { 132, 51, 108, 136, 17, 33, 6}
ip6 nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok;ip6 nexthdr { 6, 136, 108, 33, 50, 17, 132, 58, 51}
ip6 nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok;ip6 nexthdr != { 6, 136, 108, 33, 50, 17, 132, 58, 51}
ip6 nexthdr esp;ok;ip6 nexthdr 50
ip6 nexthdr != esp;ok;ip6 nexthdr != 50
+ip6 nexthdr { 33-44};ok
+ip6 nexthdr != { 33-44};ok
ip6 nexthdr 33-44;ok
ip6 nexthdr != 33-44;ok
ip6 hoplimit != 33-45;ok
ip6 hoplimit {33, 55, 67, 88};ok
ip6 hoplimit != {33, 55, 67, 88};ok
+ip6 hoplimit {33-55};ok
+ip6 hoplimit != {33-55};ok
# from src/scanner.l
# v680 (({hex4}:){7}{hex4})
}
]
+# ip6 flowlabel { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "flowlabel",
+ "protocol": "ip6"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# ip6 flowlabel != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "flowlabel",
+ "protocol": "ip6"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# ip6 flowlabel vmap { 0 : accept, 2 : continue }
[
{
}
]
+# ip6 length { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "length",
+ "protocol": "ip6"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ {
+ "range": [ 33, 55 ]
+ }
+ ]
+ }
+ }
+ }
+]
+
+# ip6 length != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "length",
+ "protocol": "ip6"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# ip6 nexthdr {udp, ah, comp, udplite, tcp, dccp, sctp}
[
{
}
]
+# ip6 nexthdr { 33-44}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "nexthdr",
+ "protocol": "ip6"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 44 ] }
+ ]
+ }
+ }
+ }
+]
+
+# ip6 nexthdr != { 33-44}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "nexthdr",
+ "protocol": "ip6"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 44 ] }
+ ]
+ }
+ }
+ }
+]
+
# ip6 nexthdr 33-44
[
{
}
]
+# ip6 hoplimit {33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "hoplimit",
+ "protocol": "ip6"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# ip6 hoplimit != {33-55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "hoplimit",
+ "protocol": "ip6"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234
[
{
[ bitwise reg 1 = (reg=1 & 0x00ffff0f ) ^ 0x00000000 ]
[ lookup reg 1 set __set%d 0x1 ]
+# ip6 flowlabel { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00210000 : 0 [end] element 00380000 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ payload load 3b @ network header + 1 => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0x00ffff0f ) ^ 0x00000000 ]
+ [ lookup reg 1 set __set%d ]
+
+# ip6 flowlabel != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00210000 : 0 [end] element 00380000 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ payload load 3b @ network header + 1 => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0x00ffff0f ) ^ 0x00000000 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# ip6 flowlabel vmap { 0 : accept, 2 : continue }
__map%d test-inet b size 2
__map%d test-inet 0
[ payload load 2b @ network header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# ip6 length { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ payload load 2b @ network header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# ip6 length != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ payload load 2b @ network header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# ip6 nexthdr {udp, ah, comp, udplite, tcp, dccp, sctp}
__set%d test-inet 3
__set%d test-inet 0
[ payload load 1b @ network header + 6 => reg 1 ]
[ cmp neq reg 1 0x00000032 ]
+# ip6 nexthdr { 33-44}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 0000002d : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ payload load 1b @ network header + 6 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# ip6 nexthdr != { 33-44}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 0000002d : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ payload load 1b @ network header + 6 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# ip6 nexthdr 33-44
inet test-inet input
[ meta load nfproto => reg 1 ]
[ payload load 1b @ network header + 7 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# ip6 hoplimit {33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ payload load 1b @ network header + 7 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# ip6 hoplimit != {33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ payload load 1b @ network header + 7 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234
inet test-inet input
[ meta load nfproto => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x00ffff0f ) ^ 0x00000000 ]
[ lookup reg 1 set __set%d 0x1 ]
+# ip6 flowlabel { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00210000 : 0 [end] element 00380000 : 1 [end]
+ip6 test-ip6 input
+ [ payload load 3b @ network header + 1 => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0x00ffff0f ) ^ 0x00000000 ]
+ [ lookup reg 1 set __set%d ]
+
+# ip6 flowlabel != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00210000 : 0 [end] element 00380000 : 1 [end]
+ip6 test-ip6 input
+ [ payload load 3b @ network header + 1 => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0x00ffff0f ) ^ 0x00000000 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# ip6 flowlabel vmap { 0 : accept, 2 : continue }
__map%d test-ip6 b size 2
__map%d test-ip6 0
[ payload load 2b @ network header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# ip6 length { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+ip6 test-ip6 input
+ [ payload load 2b @ network header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# ip6 length != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+ip6 test-ip6 input
+ [ payload load 2b @ network header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# ip6 nexthdr {udp, ah, comp, udplite, tcp, dccp, sctp}
__set%d test-ip6 3
__set%d test-ip6 0
[ payload load 1b @ network header + 6 => reg 1 ]
[ cmp neq reg 1 0x00000032 ]
+# ip6 nexthdr { 33-44}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 0000002d : 1 [end]
+ip6 test-ip6 input
+ [ payload load 1b @ network header + 6 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# ip6 nexthdr != { 33-44}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 0000002d : 1 [end]
+ip6 test-ip6 input
+ [ payload load 1b @ network header + 6 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# ip6 nexthdr 33-44
ip6 test-ip6 input
[ payload load 1b @ network header + 6 => reg 1 ]
[ payload load 1b @ network header + 7 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# ip6 hoplimit {33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+ip6 test-ip6 input
+ [ payload load 1b @ network header + 7 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# ip6 hoplimit != {33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+ip6 test-ip6 input
+ [ payload load 1b @ network header + 7 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234
ip6 test-ip6 input
[ payload load 16b @ network header + 8 => reg 1 ]
mh nexthdr != 33-45;ok
mh nexthdr { 33, 55, 67, 88 };ok
mh nexthdr != { 33, 55, 67, 88 };ok
+mh nexthdr { 33-55 };ok
+mh nexthdr != { 33-55 };ok
mh hdrlength 22;ok
mh hdrlength != 233;ok
mh hdrlength != 33-45;ok
mh hdrlength { 33, 55, 67, 88 };ok
mh hdrlength != { 33, 55, 67, 88 };ok
+mh hdrlength { 33-55 };ok
+mh hdrlength != { 33-55 };ok
mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message};ok
mh type home-agent-switch-message;ok
mh reserved != 33-45;ok
mh reserved { 33, 55, 67, 88};ok
mh reserved != { 33, 55, 67, 88};ok
+mh reserved { 33-55};ok
+mh reserved != { 33-55};ok
mh checksum 22;ok
mh checksum != 233;ok
mh checksum != 33-45;ok
mh checksum { 33, 55, 67, 88};ok
mh checksum != { 33, 55, 67, 88};ok
+mh checksum { 33-55};ok
+mh checksum != { 33-55};ok
}
]
+# mh nexthdr { 33-55 }
+[
+ {
+ "match": {
+ "left": {
+ "exthdr": {
+ "field": "nexthdr",
+ "name": "mh"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ {
+ "range": [ 33, 55 ]
+ }
+ ]
+ }
+ }
+ }
+]
+
+# mh nexthdr != { 33-55 }
+[
+ {
+ "match": {
+ "left": {
+ "exthdr": {
+ "field": "nexthdr",
+ "name": "mh"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# mh hdrlength 22
[
{
}
]
+# mh hdrlength { 33-55 }
+[
+ {
+ "match": {
+ "left": {
+ "exthdr": {
+ "field": "hdrlength",
+ "name": "mh"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# mh hdrlength != { 33-55 }
+[
+ {
+ "match": {
+ "left": {
+ "exthdr": {
+ "field": "hdrlength",
+ "name": "mh"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message}
[
{
}
]
+# mh reserved { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "exthdr": {
+ "field": "reserved",
+ "name": "mh"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# mh reserved != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "exthdr": {
+ "field": "reserved",
+ "name": "mh"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# mh checksum 22
[
{
}
}
]
+
+# mh checksum { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "exthdr": {
+ "field": "checksum",
+ "name": "mh"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# mh checksum != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "exthdr": {
+ "field": "checksum",
+ "name": "mh"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
[ exthdr load 1b @ 135 + 0 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# mh nexthdr { 33-55 }
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ exthdr load 1b @ 135 + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# mh nexthdr != { 33-55 }
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ exthdr load 1b @ 135 + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# mh hdrlength 22
inet test-inet input
[ meta load nfproto => reg 1 ]
[ exthdr load 1b @ 135 + 1 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# mh hdrlength { 33-55 }
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ exthdr load 1b @ 135 + 1 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# mh hdrlength != { 33-55 }
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ exthdr load 1b @ 135 + 1 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message}
__set%d test-inet 3
__set%d test-inet 0
[ exthdr load 1b @ 135 + 3 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# mh reserved { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ exthdr load 1b @ 135 + 3 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# mh reserved != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ exthdr load 1b @ 135 + 3 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# mh checksum 22
inet test-inet input
[ meta load nfproto => reg 1 ]
[ exthdr load 2b @ 135 + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# mh checksum { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ exthdr load 2b @ 135 + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# mh checksum != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ exthdr load 2b @ 135 + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
[ exthdr load 1b @ 135 + 0 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# mh nexthdr { 33-55 }
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+ip6 test-ip6 input
+ [ exthdr load 1b @ 135 + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# mh nexthdr != { 33-55 }
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+ip6 test-ip6 input
+ [ exthdr load 1b @ 135 + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# mh hdrlength 22
ip6 test-ip6 input
[ exthdr load 1b @ 135 + 1 => reg 1 ]
[ exthdr load 1b @ 135 + 1 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# mh hdrlength { 33-55 }
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+ip6 test-ip6 input
+ [ exthdr load 1b @ 135 + 1 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# mh hdrlength != { 33-55 }
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+ip6 test-ip6 input
+ [ exthdr load 1b @ 135 + 1 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message}
__set%d test-ip6 3
__set%d test-ip6 0
[ exthdr load 1b @ 135 + 3 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# mh reserved { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+ip6 test-ip6 input
+ [ exthdr load 1b @ 135 + 3 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# mh reserved != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+ip6 test-ip6 input
+ [ exthdr load 1b @ 135 + 3 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# mh checksum 22
ip6 test-ip6 input
[ exthdr load 2b @ 135 + 4 => reg 1 ]
[ exthdr load 2b @ 135 + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# mh checksum { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+ip6 test-ip6 input
+ [ exthdr load 2b @ 135 + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# mh checksum != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
+ip6 test-ip6 input
+ [ exthdr load 2b @ 135 + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
rt nexthdr != 33-45;ok
rt nexthdr { 33, 55, 67, 88};ok
rt nexthdr != { 33, 55, 67, 88};ok
+rt nexthdr { 33-55};ok
+rt nexthdr != { 33-55};ok
rt hdrlength 22;ok
rt hdrlength != 233;ok
rt hdrlength != 33-45;ok
rt hdrlength { 33, 55, 67, 88};ok
rt hdrlength != { 33, 55, 67, 88};ok
+rt hdrlength { 33-55};ok
+rt hdrlength != { 33-55};ok
rt type 22;ok
rt type != 233;ok
rt type != 33-45;ok
rt type { 33, 55, 67, 88};ok
rt type != { 33, 55, 67, 88};ok
+rt type { 33-55};ok
+rt type != { 33-55};ok
rt seg-left 22;ok
rt seg-left != 233;ok
rt seg-left != 33-45;ok
rt seg-left { 33, 55, 67, 88};ok
rt seg-left != { 33, 55, 67, 88};ok
+rt seg-left { 33-55};ok
+rt seg-left != { 33-55};ok
}
]
+# rt nexthdr { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "exthdr": {
+ "field": "nexthdr",
+ "name": "rt"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# rt nexthdr != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "exthdr": {
+ "field": "nexthdr",
+ "name": "rt"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# rt hdrlength 22
[
{
}
]
+# rt hdrlength { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "exthdr": {
+ "field": "hdrlength",
+ "name": "rt"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# rt hdrlength != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "exthdr": {
+ "field": "hdrlength",
+ "name": "rt"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# rt type 22
[
{
}
]
+# rt type { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "exthdr": {
+ "field": "type",
+ "name": "rt"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# rt type != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "exthdr": {
+ "field": "type",
+ "name": "rt"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
# rt seg-left 22
[
{
}
}
]
+
+# rt seg-left { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "exthdr": {
+ "field": "seg-left",
+ "name": "rt"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
+# rt seg-left != { 33-55}
+[
+ {
+ "match": {
+ "left": {
+ "exthdr": {
+ "field": "seg-left",
+ "name": "rt"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 33, 55 ] }
+ ]
+ }
+ }
+ }
+]
+
[ exthdr load 1b @ 43 + 0 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# rt nexthdr { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ exthdr load 1b @ 43 + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# rt nexthdr != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ exthdr load 1b @ 43 + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# rt hdrlength 22
inet test-inet input
[ meta load nfproto => reg 1 ]
[ exthdr load 1b @ 43 + 1 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# rt hdrlength { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ exthdr load 1b @ 43 + 1 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# rt hdrlength != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ exthdr load 1b @ 43 + 1 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# rt type 22
inet test-inet input
[ meta load nfproto => reg 1 ]
[ exthdr load 1b @ 43 + 2 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# rt type { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ exthdr load 1b @ 43 + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# rt type != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ exthdr load 1b @ 43 + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# rt seg-left 22
inet test-inet input
[ meta load nfproto => reg 1 ]
[ exthdr load 1b @ 43 + 3 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# rt seg-left { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ exthdr load 1b @ 43 + 3 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# rt seg-left != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ exthdr load 1b @ 43 + 3 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
[ exthdr load 1b @ 43 + 0 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# rt nexthdr { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+ip6 test-ip6 input
+ [ exthdr load 1b @ 43 + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# rt nexthdr != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+ip6 test-ip6 input
+ [ exthdr load 1b @ 43 + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# rt hdrlength 22
ip6 test-ip6 input
[ exthdr load 1b @ 43 + 1 => reg 1 ]
[ exthdr load 1b @ 43 + 1 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# rt hdrlength { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+ip6 test-ip6 input
+ [ exthdr load 1b @ 43 + 1 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# rt hdrlength != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+ip6 test-ip6 input
+ [ exthdr load 1b @ 43 + 1 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# rt type 22
ip6 test-ip6 input
[ exthdr load 1b @ 43 + 2 => reg 1 ]
[ exthdr load 1b @ 43 + 2 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# rt type { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+ip6 test-ip6 input
+ [ exthdr load 1b @ 43 + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# rt type != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+ip6 test-ip6 input
+ [ exthdr load 1b @ 43 + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
# rt seg-left 22
ip6 test-ip6 input
[ exthdr load 1b @ 43 + 3 => reg 1 ]
[ exthdr load 1b @ 43 + 3 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# rt seg-left { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+ip6 test-ip6 input
+ [ exthdr load 1b @ 43 + 3 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# rt seg-left != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+ element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
+ip6 test-ip6 input
+ [ exthdr load 1b @ 43 + 3 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
projects / thirdparty / nftables.git / commitdiff
