diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-09 13:08:37 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-09 13:08:37 +0000 |
commit | 971e619d8602fa52b1bfcb3ea65b7ab96be85318 (patch) | |
tree | 26feb2498c72b796e07b86349d17f544046de279 /tests/py/ip | |
parent | Initial commit. (diff) | |
download | nftables-971e619d8602fa52b1bfcb3ea65b7ab96be85318.tar.xz nftables-971e619d8602fa52b1bfcb3ea65b7ab96be85318.zip |
Adding upstream version 1.0.9.upstream/1.0.9upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'tests/py/ip')
93 files changed, 15726 insertions, 0 deletions
diff --git a/tests/py/ip/chains.t b/tests/py/ip/chains.t new file mode 100644 index 0000000..fc3745e --- /dev/null +++ b/tests/py/ip/chains.t @@ -0,0 +1,15 @@ +# filter chains available are: input, output, forward, prerouting, postrouting +:filter-input;type filter hook input priority 0 +:filter-pre;type filter hook prerouting priority 0 +:filter-forw;type filter hook forward priority 0 +:filter-out;type filter hook output priority 0 +:filter-post;type filter hook postrouting priority 0 +# nat chains available are: input, output, prerouting, postrouting +:nat-input-t;type nat hook input priority 0 +:nat-pre-t;type nat hook prerouting priority 0 +:nat-out-t;type nat hook output priority 0 +:nat-post-t;type nat hook postrouting priority 0 +# route chain available are: output +:route-out-t;type route hook output priority 0 + +*ip;test-ip4;filter-input,filter-pre,filter-forw,filter-out,filter-post,nat-input-t,nat-pre-t,nat-out-t,nat-post-t,route-out-t diff --git a/tests/py/ip/ct.t b/tests/py/ip/ct.t new file mode 100644 index 0000000..a0a2228 --- /dev/null +++ b/tests/py/ip/ct.t @@ -0,0 +1,36 @@ +:output;type filter hook output priority 0 + +*ip;test-ip4;output + +ct original ip saddr 192.168.0.1;ok +ct reply ip saddr 192.168.0.1;ok +ct original ip daddr 192.168.0.1;ok +ct reply ip daddr 192.168.0.1;ok + +# same, but with a netmask +ct original ip saddr 192.168.1.0/24;ok +ct reply ip saddr 192.168.1.0/24;ok +ct original ip daddr 192.168.1.0/24;ok +ct reply ip daddr 192.168.1.0/24;ok + +ct l3proto ipv4;ok +ct l3proto foobar;fail + +ct protocol 6 ct original proto-dst 22;ok +ct original protocol 17 ct reply proto-src 53;ok;ct protocol 17 ct reply proto-src 53 + +# wrong address family +ct reply ip daddr dead::beef;fail + +meta mark set ct original daddr map { 1.1.1.1 : 0x00000011 };fail +meta mark set ct original ip daddr map { 1.1.1.1 : 0x00000011 };ok +meta mark set ct original saddr . meta mark map { 1.1.1.1 . 0x00000014 : 0x0000001e };fail +meta mark set ct original ip saddr . meta mark map { 1.1.1.1 . 0x00000014 : 0x0000001e };ok +ct original saddr . meta mark { 1.1.1.1 . 0x00000014 };fail +ct original ip saddr . meta mark { 1.1.1.1 . 0x00000014 };ok +ct mark set ip dscp << 2 | 0x10;ok +ct mark set ip dscp << 26 | 0x10;ok +ct mark set ip dscp & 0x0f << 1;ok;ct mark set ip dscp & af33 +ct mark set ip dscp & 0x0f << 2;ok;ct mark set ip dscp & 0x3c +ct mark set ip dscp | 0x04;ok +ct mark set ip dscp | 1 << 20;ok;ct mark set ip dscp | 0x100000 diff --git a/tests/py/ip/ct.t.json b/tests/py/ip/ct.t.json new file mode 100644 index 0000000..915632a --- /dev/null +++ b/tests/py/ip/ct.t.json @@ -0,0 +1,481 @@ +# ct original ip saddr 192.168.0.1 +[ + { + "match": { + "left": { + "ct": { + "dir": "original", + "key": "ip saddr" + } + }, + "op": "==", + "right": "192.168.0.1" + } + } +] + +# ct reply ip saddr 192.168.0.1 +[ + { + "match": { + "left": { + "ct": { + "dir": "reply", + "key": "ip saddr" + } + }, + "op": "==", + "right": "192.168.0.1" + } + } +] + +# ct original ip daddr 192.168.0.1 +[ + { + "match": { + "left": { + "ct": { + "dir": "original", + "key": "ip daddr" + } + }, + "op": "==", + "right": "192.168.0.1" + } + } +] + +# ct reply ip daddr 192.168.0.1 +[ + { + "match": { + "left": { + "ct": { + "dir": "reply", + "key": "ip daddr" + } + }, + "op": "==", + "right": "192.168.0.1" + } + } +] + +# ct original ip saddr 192.168.1.0/24 +[ + { + "match": { + "left": { + "ct": { + "dir": "original", + "key": "ip saddr" + } + }, + "op": "==", + "right": { + "prefix": { + "addr": "192.168.1.0", + "len": 24 + } + } + } + } +] + +# ct reply ip saddr 192.168.1.0/24 +[ + { + "match": { + "left": { + "ct": { + "dir": "reply", + "key": "ip saddr" + } + }, + "op": "==", + "right": { + "prefix": { + "addr": "192.168.1.0", + "len": 24 + } + } + } + } +] + +# ct original ip daddr 192.168.1.0/24 +[ + { + "match": { + "left": { + "ct": { + "dir": "original", + "key": "ip daddr" + } + }, + "op": "==", + "right": { + "prefix": { + "addr": "192.168.1.0", + "len": 24 + } + } + } + } +] + +# ct reply ip daddr 192.168.1.0/24 +[ + { + "match": { + "left": { + "ct": { + "dir": "reply", + "key": "ip daddr" + } + }, + "op": "==", + "right": { + "prefix": { + "addr": "192.168.1.0", + "len": 24 + } + } + } + } +] + +# ct l3proto ipv4 +[ + { + "match": { + "left": { + "ct": { + "key": "l3proto" + } + }, + "op": "==", + "right": "ipv4" + } + } +] + +# ct protocol 6 ct original proto-dst 22 +[ + { + "match": { + "left": { + "ct": { + "key": "protocol" + } + }, + "op": "==", + "right": 6 + } + }, + { + "match": { + "left": { + "ct": { + "dir": "original", + "key": "proto-dst" + } + }, + "op": "==", + "right": 22 + } + } +] + +# ct original protocol 17 ct reply proto-src 53 +[ + { + "match": { + "left": { + "ct": { + "dir": "original", + "key": "protocol" + } + }, + "op": "==", + "right": 17 + } + }, + { + "match": { + "left": { + "ct": { + "dir": "reply", + "key": "proto-src" + } + }, + "op": "==", + "right": 53 + } + } +] + +# meta mark set ct original ip daddr map { 1.1.1.1 : 0x00000011 } +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "map": { + "data": { + "set": [ + [ + "1.1.1.1", + 17 + ] + ] + }, + "key": { + "ct": { + "dir": "original", + "key": "ip daddr" + } + } + } + } + } + } +] + +# meta mark set ct original ip saddr . meta mark map { 1.1.1.1 . 0x00000014 : 0x0000001e } +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "map": { + "data": { + "set": [ + [ + { + "concat": [ + "1.1.1.1", + 20 + ] + }, + 30 + ] + ] + }, + "key": { + "concat": [ + { + "ct": { + "dir": "original", + "key": "ip saddr" + } + }, + { + "meta": { + "key": "mark" + } + } + ] + } + } + } + } + } +] + +# ct original ip saddr . meta mark { 1.1.1.1 . 0x00000014 } +[ + { + "match": { + "left": { + "concat": [ + { + "ct": { + "dir": "original", + "key": "ip saddr" + } + }, + { + "meta": { + "key": "mark" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.1.1.1", + 20 + ] + } + ] + } + } + } +] + +# ct mark set ip dscp << 2 | 0x10 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 2 + ] + }, + 16 + ] + } + } + } +] + +# ct mark set ip dscp << 26 | 0x10 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 26 + ] + }, + 16 + ] + } + } + } +] + +# ct mark set ip dscp & 0x0f << 1 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "&": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + "af33" + ] + } + } + } +] + +# ct mark set ip dscp & 0x0f << 2 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "&": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 60 + ] + } + } + } +] + +# ct mark set ip dscp | 0x04 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 4 + ] + } + } + } +] + +# ct mark set ip dscp | 1 << 20 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 1048576 + ] + } + } + } +] diff --git a/tests/py/ip/ct.t.json.output b/tests/py/ip/ct.t.json.output new file mode 100644 index 0000000..cf4abae --- /dev/null +++ b/tests/py/ip/ct.t.json.output @@ -0,0 +1,27 @@ +# ct original protocol 17 ct reply proto-src 53 +[ + { + "match": { + "left": { + "ct": { + "key": "protocol" + } + }, + "op": "==", + "right": 17 + } + }, + { + "match": { + "left": { + "ct": { + "dir": "reply", + "key": "proto-src" + } + }, + "op": "==", + "right": 53 + } + } +] + diff --git a/tests/py/ip/ct.t.payload b/tests/py/ip/ct.t.payload new file mode 100644 index 0000000..692011d --- /dev/null +++ b/tests/py/ip/ct.t.payload @@ -0,0 +1,136 @@ +# ct original ip saddr 192.168.0.1 +ip test-ip4 output + [ ct load src_ip => reg 1 , dir original ] + [ cmp eq reg 1 0x0100a8c0 ] + +# ct reply ip saddr 192.168.0.1 +ip test-ip4 output + [ ct load src_ip => reg 1 , dir reply ] + [ cmp eq reg 1 0x0100a8c0 ] + +# ct original ip daddr 192.168.0.1 +ip test-ip4 output + [ ct load dst_ip => reg 1 , dir original ] + [ cmp eq reg 1 0x0100a8c0 ] + +# ct reply ip daddr 192.168.0.1 +ip test-ip4 output + [ ct load dst_ip => reg 1 , dir reply ] + [ cmp eq reg 1 0x0100a8c0 ] + +# ct original ip saddr 192.168.1.0/24 +ip test-ip4 output + [ ct load src_ip => reg 1 , dir original ] + [ cmp eq reg 1 0x0001a8c0 ] + +# ct reply ip saddr 192.168.1.0/24 +ip test-ip4 output + [ ct load src_ip => reg 1 , dir reply ] + [ cmp eq reg 1 0x0001a8c0 ] + +# ct original ip daddr 192.168.1.0/24 +ip test-ip4 output + [ ct load dst_ip => reg 1 , dir original ] + [ cmp eq reg 1 0x0001a8c0 ] + +# ct reply ip daddr 192.168.1.0/24 +ip test-ip4 output + [ ct load dst_ip => reg 1 , dir reply ] + [ cmp eq reg 1 0x0001a8c0 ] + +# ct l3proto ipv4 +ip test-ip4 output + [ ct load l3protocol => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + +# ct protocol 6 ct original proto-dst 22 +ip test-ip4 output + [ ct load protocol => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ ct load proto_dst => reg 1 , dir original ] + [ cmp eq reg 1 0x00001600 ] + +# ct original protocol 17 ct reply proto-src 53 +ip test-ip4 output + [ ct load protocol => reg 1 , dir original ] + [ cmp eq reg 1 0x00000011 ] + [ ct load proto_src => reg 1 , dir reply ] + [ cmp eq reg 1 0x00003500 ] + +# meta mark set ct original ip daddr map { 1.1.1.1 : 0x00000011 } +__map%d test-ip4 b +__map%d test-ip4 0 + element 01010101 : 00000011 0 [end] +ip + [ ct load dst_ip => reg 1 , dir original ] + [ lookup reg 1 set __map%d dreg 1 ] + [ meta set mark with reg 1 ] + +# meta mark set ct original ip saddr . meta mark map { 1.1.1.1 . 0x00000014 : 0x0000001e } +__map%d test-ip4 b +__map%d test-ip4 0 + element 01010101 00000014 : 0000001e 0 [end] +ip + [ ct load src_ip => reg 1 , dir original ] + [ meta load mark => reg 9 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ meta set mark with reg 1 ] + +# ct original ip saddr . meta mark { 1.1.1.1 . 0x00000014 } +__set%d test-ip4 3 +__set%d test-ip4 0 + element 01010101 00000014 : 0 [end] +ip + [ ct load src_ip => reg 1 , dir original ] + [ meta load mark => reg 9 ] + [ lookup reg 1 set __set%d ] + +# ct mark set ip dscp << 2 | 0x10 +ip test-ip4 output + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 << 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ] + [ ct set mark with reg 1 ] + +# ct mark set ip dscp << 26 | 0x10 +ip + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 << 0x0000001a ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ] + [ ct set mark with reg 1 ] + +# ct mark set ip dscp & 0x0f << 1 +ip test-ip4 output + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0x0000001e ) ^ 0x00000000 ] + [ ct set mark with reg 1 ] + +# ct mark set ip dscp & 0x0f << 2 +ip test-ip4 output + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0x0000003c ) ^ 0x00000000 ] + [ ct set mark with reg 1 ] + +# ct mark set ip dscp | 0x04 +ip test-ip4 output + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0xfffffffb ) ^ 0x00000004 ] + [ ct set mark with reg 1 ] + +# ct mark set ip dscp | 1 << 20 +ip test-ip4 output + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0xffefffff ) ^ 0x00100000 ] + [ ct set mark with reg 1 ] diff --git a/tests/py/ip/dnat.t b/tests/py/ip/dnat.t new file mode 100644 index 0000000..881571d --- /dev/null +++ b/tests/py/ip/dnat.t @@ -0,0 +1,23 @@ +:prerouting;type nat hook prerouting priority 0 + +*ip;test-ip4;prerouting + +iifname "eth0" tcp dport 80-90 dnat to 192.168.3.2;ok +iifname "eth0" tcp dport != 80-90 dnat to 192.168.3.2;ok +iifname "eth0" tcp dport {80, 90, 23} dnat to 192.168.3.2;ok +iifname "eth0" tcp dport != {80, 90, 23} dnat to 192.168.3.2;ok +iifname "eth0" tcp dport != 23-34 dnat to 192.168.3.2;ok +iifname "eth0" tcp dport 81 dnat to 192.168.3.2:8080;ok +iifname "eth0" tcp dport 81 dnat to 192.168.3.2:8080-8999;ok +iifname "eth0" tcp dport 81 dnat to 192.168.3.2-192.168.3.4:8080;ok +iifname "eth0" tcp dport 81 dnat to 192.168.3.2-192.168.3.4:8080-8999;ok + +dnat to ct mark map { 0x00000014 : 1.2.3.4};ok +dnat to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4};ok + +dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.0/24 . 8888 - 8999 };ok +dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.0/24 . 80 };ok +dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.2 . 8888 - 8999 };ok +ip daddr 192.168.0.1 dnat ip to tcp dport map { 443 : 10.141.10.4 . 8443, 80 : 10.141.10.4 . 8080 };ok +meta l4proto 6 dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69 . 22, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 };ok +dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69/32, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 };ok diff --git a/tests/py/ip/dnat.t.json b/tests/py/ip/dnat.t.json new file mode 100644 index 0000000..fe15d07 --- /dev/null +++ b/tests/py/ip/dnat.t.json @@ -0,0 +1,743 @@ +# iifname "eth0" tcp dport 80-90 dnat to 192.168.3.2 +[ + { + "match": { + "left": { + "meta": { "key": "iifname" } + }, + "op": "==", + "right": "eth0" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "range": [ 80, 90 ] + } + } + }, + { + "dnat": { + "addr": "192.168.3.2" + } + } +] + +# iifname "eth0" tcp dport != 80-90 dnat to 192.168.3.2 +[ + { + "match": { + "left": { + "meta": { "key": "iifname" } + }, + "op": "==", + "right": "eth0" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "!=", + "right": { + "range": [ 80, 90 ] + } + } + }, + { + "dnat": { + "addr": "192.168.3.2" + } + } +] + +# iifname "eth0" tcp dport {80, 90, 23} dnat to 192.168.3.2 +[ + { + "match": { + "left": { + "meta": { "key": "iifname" } + }, + "op": "==", + "right": "eth0" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "set": [ + 23, + 80, + 90 + ] + } + } + }, + { + "dnat": { + "addr": "192.168.3.2" + } + } +] + +# iifname "eth0" tcp dport != {80, 90, 23} dnat to 192.168.3.2 +[ + { + "match": { + "left": { + "meta": { "key": "iifname" } + }, + "op": "==", + "right": "eth0" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "!=", + "right": { + "set": [ + 23, + 80, + 90 + ] + } + } + }, + { + "dnat": { + "addr": "192.168.3.2" + } + } +] + +# iifname "eth0" tcp dport != 23-34 dnat to 192.168.3.2 +[ + { + "match": { + "left": { + "meta": { "key": "iifname" } + }, + "op": "==", + "right": "eth0" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "!=", + "right": { + "range": [ 23, 34 ] + } + } + }, + { + "dnat": { + "addr": "192.168.3.2" + } + } +] + +# iifname "eth0" tcp dport 81 dnat to 192.168.3.2:8080 +[ + { + "match": { + "left": { + "meta": { "key": "iifname" } + }, + "op": "==", + "right": "eth0" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 81 + } + }, + { + "dnat": { + "addr": "192.168.3.2", + "port": 8080 + } + } +] + +# dnat to ct mark map { 0x00000014 : 1.2.3.4} +[ + { + "dnat": { + "addr": { + "map": { + "key": { + "ct": { + "key": "mark" + } + }, + "data": { + "set": [ + [ + "0x00000014", + "1.2.3.4" + ] + ] + } + } + } + } + } +] + +# dnat to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4} +[ + { + "dnat": { + "addr": { + "map": { + "key": { + "concat": [ + { + "ct": { + "key": "mark" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip" + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + "0x00000014", + "1.1.1.1" + ] + }, + "1.2.3.4" + ] + ] + } + } + } + } + } +] + +# iifname "eth0" tcp dport 81 dnat to 192.168.3.2:8080-8999 +[ + { + "match": { + "left": { + "meta": { + "key": "iifname" + } + }, + "op": "==", + "right": "eth0" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 81 + } + }, + { + "dnat": { + "addr": "192.168.3.2", + "port": { + "range": [ + 8080, + 8999 + ] + } + } + } +] + +# iifname "eth0" tcp dport 81 dnat to 192.168.3.2-192.168.3.4:8080-8999 +[ + { + "match": { + "left": { + "meta": { + "key": "iifname" + } + }, + "op": "==", + "right": "eth0" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 81 + } + }, + { + "dnat": { + "addr": { + "range": [ + "192.168.3.2", + "192.168.3.4" + ] + }, + "port": { + "range": [ + 8080, + 8999 + ] + } + } + } +] + +# iifname "eth0" tcp dport 81 dnat to 192.168.3.2-192.168.3.4:8080 +[ + { + "match": { + "left": { + "meta": { + "key": "iifname" + } + }, + "op": "==", + "right": "eth0" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 81 + } + }, + { + "dnat": { + "addr": { + "range": [ + "192.168.3.2", + "192.168.3.4" + ] + }, + "port": 8080 + } + } +] + +# dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.2 . 8888 - 8999 } +[ + { + "dnat": { + "addr": { + "map": { + "data": { + "set": [ + [ + { + "concat": [ + "192.168.1.2", + 80 + ] + }, + { + "concat": [ + "10.141.10.2", + { + "range": [ + 8888, + 8999 + ] + } + ] + } + ] + ] + }, + "key": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "dport", + "protocol": "tcp" + } + } + ] + } + } + }, + "family": "ip" + } + } +] + +# dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.0/24 . 8888 - 8999 } +[ + { + "dnat": { + "addr": { + "map": { + "data": { + "set": [ + [ + { + "concat": [ + "192.168.1.2", + 80 + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "10.141.10.0", + "len": 24 + } + }, + { + "range": [ + 8888, + 8999 + ] + } + ] + } + ] + ] + }, + "key": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "dport", + "protocol": "tcp" + } + } + ] + } + } + }, + "family": "ip" + } + } +] + +# dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.0/24 . 80 } +[ + { + "dnat": { + "addr": { + "map": { + "data": { + "set": [ + [ + { + "concat": [ + "192.168.1.2", + 80 + ] + }, + { + "concat": [ + { + "prefix": { + "addr": "10.141.10.0", + "len": 24 + } + }, + 80 + ] + } + ] + ] + }, + "key": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "dport", + "protocol": "tcp" + } + } + ] + } + } + }, + "family": "ip" + } + } +] + +# ip daddr 192.168.0.1 dnat ip to tcp dport map { 443 : 10.141.10.4 . 8443, 80 : 10.141.10.4 . 8080 } +[ + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "192.168.0.1" + } + }, + { + "dnat": { + "addr": { + "map": { + "data": { + "set": [ + [ + 80, + { + "concat": [ + "10.141.10.4", + 8080 + ] + } + ], + [ + 443, + { + "concat": [ + "10.141.10.4", + 8443 + ] + } + ] + ] + }, + "key": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + } + } + }, + "family": "ip" + } + } +] + +# meta l4proto 6 dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69 . 22, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 } +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 6 + } + }, + { + "dnat": { + "addr": { + "map": { + "data": { + "set": [ + [ + { + "concat": [ + "enp2s0", + "10.1.1.136" + ] + }, + { + "concat": [ + "1.1.2.69", + 22 + ] + } + ], + [ + { + "concat": [ + "enp2s0", + { + "range": [ + "10.1.1.1", + "10.1.1.135" + ] + } + ] + }, + { + "concat": [ + { + "range": [ + "1.1.2.66", + "1.84.236.78" + ] + }, + 22 + ] + } + ] + ] + }, + "key": { + "concat": [ + { + "meta": { + "key": "iifname" + } + }, + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + ] + } + } + }, + "family": "ip" + } + } +] + +# dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69/32, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 } +[ + { + "dnat": { + "addr": { + "map": { + "data": { + "set": [ + [ + { + "concat": [ + "enp2s0", + "10.1.1.136" + ] + }, + { + "prefix": { + "addr": "1.1.2.69", + "len": 32 + } + } + ], + [ + { + "concat": [ + "enp2s0", + { + "range": [ + "10.1.1.1", + "10.1.1.135" + ] + } + ] + }, + { + "range": [ + "1.1.2.66", + "1.84.236.78" + ] + } + ] + ] + }, + "key": { + "concat": [ + { + "meta": { + "key": "iifname" + } + }, + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + ] + } + } + }, + "family": "ip" + } + } +] + diff --git a/tests/py/ip/dnat.t.json.output b/tests/py/ip/dnat.t.json.output new file mode 100644 index 0000000..4f2c6df --- /dev/null +++ b/tests/py/ip/dnat.t.json.output @@ -0,0 +1,65 @@ +# dnat to ct mark map { 0x00000014 : 1.2.3.4} +[ + { + "dnat": { + "addr": { + "map": { + "key": { + "ct": { + "key": "mark" + } + }, + "data": { + "set": [ + [ + 20, + "1.2.3.4" + ] + ] + } + } + } + } + } +] + +# dnat to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4} +[ + { + "dnat": { + "addr": { + "map": { + "key": { + "concat": [ + { + "ct": { + "key": "mark" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip" + } + } + ] + }, + "data": { + "set": [ + [ + { + "concat": [ + 20, + "1.1.1.1" + ] + }, + "1.2.3.4" + ] + ] + } + } + } + } + } +] + diff --git a/tests/py/ip/dnat.t.payload.ip b/tests/py/ip/dnat.t.payload.ip new file mode 100644 index 0000000..439c6ab --- /dev/null +++ b/tests/py/ip/dnat.t.payload.ip @@ -0,0 +1,204 @@ +# iifname "eth0" tcp dport 80-90 dnat to 192.168.3.2 +ip test-ip4 prerouting + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp gte reg 1 0x00005000 ] + [ cmp lte reg 1 0x00005a00 ] + [ immediate reg 1 0x0203a8c0 ] + [ nat dnat ip addr_min reg 1 ] + +# iifname "eth0" tcp dport != 80-90 dnat to 192.168.3.2 +ip test-ip4 prerouting + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ range neq reg 1 0x00005000 0x00005a00 ] + [ immediate reg 1 0x0203a8c0 ] + [ nat dnat ip addr_min reg 1 ] + +# iifname "eth0" tcp dport {80, 90, 23} dnat to 192.168.3.2 +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00005000 : 0 [end] element 00005a00 : 0 [end] element 00001700 : 0 [end] +ip test-ip4 prerouting + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ immediate reg 1 0x0203a8c0 ] + [ nat dnat ip addr_min reg 1 ] + +# iifname "eth0" tcp dport != {80, 90, 23} dnat to 192.168.3.2 +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00005000 : 0 [end] element 00005a00 : 0 [end] element 00001700 : 0 [end] +ip test-ip4 prerouting + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + [ immediate reg 1 0x0203a8c0 ] + [ nat dnat ip addr_min reg 1 ] + +# iifname "eth0" tcp dport != 23-34 dnat to 192.168.3.2 +ip test-ip4 prerouting + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ range neq reg 1 0x00001700 0x00002200 ] + [ immediate reg 1 0x0203a8c0 ] + [ nat dnat ip addr_min reg 1 ] + +# iifname "eth0" tcp dport 81 dnat to 192.168.3.2:8080 +ip test-ip4 prerouting + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00005100 ] + [ immediate reg 1 0x0203a8c0 ] + [ immediate reg 2 0x0000901f ] + [ nat dnat ip addr_min reg 1 proto_min reg 2 flags 0x2 ] + +# dnat to ct mark map { 0x00000014 : 1.2.3.4} +__map%d test-ip4 b +__map%d test-ip4 0 + element 00000014 : 04030201 0 [end] +ip test-ip4 prerouting + [ ct load mark => reg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat dnat ip addr_min reg 1 ] + +# dnat to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4} +__map%d test-ip4 b +__map%d test-ip4 0 + element 00000014 01010101 : 04030201 0 [end] +ip test-ip4 output + [ ct load mark => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat dnat ip addr_min reg 1 ] + +# dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.0/24 . 8888 - 8999 } +__map%d test-ip4 b size 1 +__map%d test-ip4 0 + element 0201a8c0 00005000 : 000a8d0a 0000b822 ff0a8d0a 00002723 0 [end] +ip + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 2b @ transport header + 2 => reg 9 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat dnat ip addr_min reg 1 addr_max reg 10 proto_min reg 9 proto_max reg 11 ] + +# dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.0/24 . 80 } +__map%d test-ip4 b size 1 +__map%d test-ip4 0 + element 0201a8c0 00005000 : 000a8d0a 00005000 ff0a8d0a 00005000 0 [end] +ip + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 2b @ transport header + 2 => reg 9 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat dnat ip addr_min reg 1 addr_max reg 10 proto_min reg 9 proto_max reg 11 ] + +# dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.2 . 8888 - 8999 } +__map%d test-ip4 b size 1 +__map%d test-ip4 0 + element 0201a8c0 00005000 : 020a8d0a 0000b822 020a8d0a 00002723 0 [end] +ip + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 2b @ transport header + 2 => reg 9 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat dnat ip addr_min reg 1 addr_max reg 10 proto_min reg 9 proto_max reg 11 ] + +# iifname "eth0" tcp dport 81 dnat to 192.168.3.2:8080-8999 +ip + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00005100 ] + [ immediate reg 1 0x0203a8c0 ] + [ immediate reg 2 0x0000901f ] + [ immediate reg 3 0x00002723 ] + [ nat dnat ip addr_min reg 1 proto_min reg 2 proto_max reg 3 flags 0x2 ] + +# iifname "eth0" tcp dport 81 dnat to 192.168.3.2-192.168.3.4:8080 +ip + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00005100 ] + [ immediate reg 1 0x0203a8c0 ] + [ immediate reg 2 0x0403a8c0 ] + [ immediate reg 3 0x0000901f ] + [ nat dnat ip addr_min reg 1 addr_max reg 2 proto_min reg 3 flags 0x2 ] + +# iifname "eth0" tcp dport 81 dnat to 192.168.3.2-192.168.3.4:8080-8999 +ip + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00005100 ] + [ immediate reg 1 0x0203a8c0 ] + [ immediate reg 2 0x0403a8c0 ] + [ immediate reg 3 0x0000901f ] + [ immediate reg 4 0x00002723 ] + [ nat dnat ip addr_min reg 1 addr_max reg 2 proto_min reg 3 proto_max reg 4 flags 0x2 ] + +# ip daddr 192.168.0.1 dnat ip to tcp dport map { 443 : 10.141.10.4 . 8443, 80 : 10.141.10.4 . 8080 } +__map%d test-ip4 b size 2 +__map%d test-ip4 0 + element 0000bb01 : 040a8d0a 0000fb20 0 [end] element 00005000 : 040a8d0a 0000901f 0 [end] +ip + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x0100a8c0 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat dnat ip addr_min reg 1 proto_min reg 9 ] + +# meta l4proto 6 dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69 . 22, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 } +__map%d test-ip4 8f size 2 +__map%d test-ip4 0 + element 32706e65 00003073 00000000 00000000 8801010a - 32706e65 00003073 00000000 00000000 8801010a : 45020101 00001600 45020101 00001600 0 [end] element 32706e65 00003073 00000000 00000000 0101010a - 32706e65 00003073 00000000 00000000 8701010a : 42020101 00001600 4eec5401 00001600 0 [end] +ip test-ip4 prerouting + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ meta load iifname => reg 1 ] + [ payload load 4b @ network header + 12 => reg 2 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat dnat ip addr_min reg 1 addr_max reg 10 proto_min reg 9 proto_max reg 11 ] + +# dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69/32, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 } +__map%d test-ip4 8f size 2 +__map%d test-ip4 0 + element 32706e65 00003073 00000000 00000000 8801010a - 32706e65 00003073 00000000 00000000 8801010a : 45020101 45020101 0 [end] element 32706e65 00003073 00000000 00000000 0101010a - 32706e65 00003073 00000000 00000000 8701010a : 42020101 4eec5401 0 [end] +ip test-ip4 prerouting + [ meta load iifname => reg 1 ] + [ payload load 4b @ network header + 12 => reg 2 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat dnat ip addr_min reg 1 addr_max reg 9 ] + diff --git a/tests/py/ip/dup.t b/tests/py/ip/dup.t new file mode 100644 index 0000000..700031c --- /dev/null +++ b/tests/py/ip/dup.t @@ -0,0 +1,7 @@ +:input;type filter hook input priority 0 + +*ip;test-ip4;input + +dup to 192.168.2.1;ok +dup to 192.168.2.1 device "lo";ok +dup to ip saddr map { 192.168.2.120 : 192.168.2.1 } device "lo";ok diff --git a/tests/py/ip/dup.t.json b/tests/py/ip/dup.t.json new file mode 100644 index 0000000..aa1e826 --- /dev/null +++ b/tests/py/ip/dup.t.json @@ -0,0 +1,46 @@ +# dup to 192.168.2.1 +[ + { + "dup": { + "addr": "192.168.2.1" + } + } +] + +# dup to 192.168.2.1 device "lo" +[ + { + "dup": { + "addr": "192.168.2.1", + "dev": "lo" + } + } +] + +# dup to ip saddr map { 192.168.2.120 : 192.168.2.1 } device "lo" +[ + { + "dup": { + "addr": { + "map": { + "key": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "data": { + "set": [ + [ + "192.168.2.120", + "192.168.2.1" + ] + ] + } + } + }, + "dev": "lo" + } + } +] + diff --git a/tests/py/ip/dup.t.payload b/tests/py/ip/dup.t.payload new file mode 100644 index 0000000..347dc07 --- /dev/null +++ b/tests/py/ip/dup.t.payload @@ -0,0 +1,21 @@ +# dup to 192.168.2.1 +ip test-ip4 test + [ immediate reg 1 0x0102a8c0 ] + [ dup sreg_addr 1 ] + +# dup to 192.168.2.1 device "lo" +ip test-ip4 test + [ immediate reg 1 0x0102a8c0 ] + [ immediate reg 2 0x00000001 ] + [ dup sreg_addr 1 sreg_dev 2 ] + +# dup to ip saddr map { 192.168.2.120 : 192.168.2.1 } device "lo" +__map%d test-ip4 b +__map%d test-ip4 0 + element 7802a8c0 : 0102a8c0 0 [end] +ip test-ip4 test + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ immediate reg 2 0x00000001 ] + [ dup sreg_addr 1 sreg_dev 2 ] + diff --git a/tests/py/ip/ether.t b/tests/py/ip/ether.t new file mode 100644 index 0000000..e1d302c --- /dev/null +++ b/tests/py/ip/ether.t @@ -0,0 +1,8 @@ +:input;type filter hook input priority 0 + +*ip;test-ip;input + +tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept;ok;tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04 accept +tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04;ok +tcp dport 22 ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4;ok +ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4 accept;ok diff --git a/tests/py/ip/ether.t.json b/tests/py/ip/ether.t.json new file mode 100644 index 0000000..355c7fc --- /dev/null +++ b/tests/py/ip/ether.t.json @@ -0,0 +1,163 @@ +# tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + }, + { + "match": { + "left": { + "meta": { "key": "iiftype" } + }, + "op": "==", + "right": "ether" + } + }, + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "1.2.3.4" + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + "op": "==", + "right": "00:0f:54:0c:11:04" + } + }, + { + "accept": null + } +] + +# tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + }, + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "1.2.3.4" + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + "op": "==", + "right": "00:0f:54:0c:11:04" + } + } +] + +# tcp dport 22 ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + "op": "==", + "right": "00:0f:54:0c:11:04" + } + }, + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "1.2.3.4" + } + } +] + +# ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4 accept +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + "op": "==", + "right": "00:0f:54:0c:11:04" + } + }, + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "1.2.3.4" + } + }, + { + "accept": null + } +] + diff --git a/tests/py/ip/ether.t.json.output b/tests/py/ip/ether.t.json.output new file mode 100644 index 0000000..1e5dd50 --- /dev/null +++ b/tests/py/ip/ether.t.json.output @@ -0,0 +1,43 @@ +# tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + }, + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "1.2.3.4" + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + "op": "==", + "right": "00:0f:54:0c:11:04" + } + }, + { + "accept": null + } +] + diff --git a/tests/py/ip/ether.t.payload b/tests/py/ip/ether.t.payload new file mode 100644 index 0000000..bd7c8f1 --- /dev/null +++ b/tests/py/ip/ether.t.payload @@ -0,0 +1,50 @@ +# tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept +ip test-ip input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ payload load 6b @ link header + 6 => reg 1 ] + [ cmp eq reg 1 0x0c540f00 0x00000411 ] + [ immediate reg 0 accept ] + +# tcp dport 22 ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4 +ip test-ip input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 6b @ link header + 6 => reg 1 ] + [ cmp eq reg 1 0x0c540f00 0x00000411 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + +# tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04 +ip test-ip input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 6b @ link header + 6 => reg 1 ] + [ cmp eq reg 1 0x0c540f00 0x00000411 ] + +# ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4 accept +ip test-ip input + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 6b @ link header + 6 => reg 1 ] + [ cmp eq reg 1 0x0c540f00 0x00000411 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ immediate reg 0 accept ] + diff --git a/tests/py/ip/flowtable.t b/tests/py/ip/flowtable.t new file mode 100644 index 0000000..086c6cf --- /dev/null +++ b/tests/py/ip/flowtable.t @@ -0,0 +1,5 @@ +:input;type filter hook input priority 0 + +*ip;test-ip;input + +meter xyz size 8192 { ip saddr timeout 30s counter};ok diff --git a/tests/py/ip/flowtable.t.json b/tests/py/ip/flowtable.t.json new file mode 100644 index 0000000..a03cc9d --- /dev/null +++ b/tests/py/ip/flowtable.t.json @@ -0,0 +1,24 @@ +# meter xyz size 8192 { ip saddr timeout 30s counter} +[ + { + "meter": { + "key": { + "elem": { + "timeout": 30, + "val": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + } + }, + "name": "xyz", + "size": 8192, + "stmt": { + "counter": null + } + } + } +] + diff --git a/tests/py/ip/flowtable.t.payload b/tests/py/ip/flowtable.t.payload new file mode 100644 index 0000000..c0aad39 --- /dev/null +++ b/tests/py/ip/flowtable.t.payload @@ -0,0 +1,7 @@ +# meter xyz size 8192 { ip saddr timeout 30s counter} +xyz test-ip 31 +xyz test-ip 0 +ip test-ip input + [ payload load 4b @ network header + 12 => reg 1 ] + [ dynset update reg_key 1 set xyz timeout 30000ms expr [ counter pkts 0 bytes 0 ] ] + diff --git a/tests/py/ip/hash.t b/tests/py/ip/hash.t new file mode 100644 index 0000000..cbfc7ee --- /dev/null +++ b/tests/py/ip/hash.t @@ -0,0 +1,10 @@ +:pre;type nat hook prerouting priority 0 +*ip;test-ip4;pre + +ct mark set jhash ip saddr . ip daddr mod 2 seed 0xdeadbeef;ok +ct mark set jhash ip saddr . ip daddr mod 2;ok +ct mark set jhash ip saddr . ip daddr mod 2 seed 0x0;ok +ct mark set jhash ip saddr . ip daddr mod 2 seed 0xdeadbeef offset 100;ok +ct mark set jhash ip saddr . ip daddr mod 2 offset 100;ok +dnat to jhash ip saddr mod 2 seed 0xdeadbeef map { 0 : 192.168.20.100, 1 : 192.168.30.100 };ok +ct mark set symhash mod 2 offset 100;ok diff --git a/tests/py/ip/hash.t.json b/tests/py/ip/hash.t.json new file mode 100644 index 0000000..a95cf22 --- /dev/null +++ b/tests/py/ip/hash.t.json @@ -0,0 +1,230 @@ +# ct mark set jhash ip saddr . ip daddr mod 2 seed 0xdeadbeef +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "jhash": { + "expr": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip" + } + } + ] + }, + "mod": 2, + "seed": 3735928559 + } + } + } + } +] + +# ct mark set jhash ip saddr . ip daddr mod 2 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "jhash": { + "expr": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip" + } + } + ] + }, + "mod": 2 + } + } + } + } +] + +# ct mark set jhash ip saddr . ip daddr mod 2 seed 0x0 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "jhash": { + "expr": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip" + } + } + ] + }, + "mod": 2, + "seed": 0 + } + } + } + } +] + +# ct mark set jhash ip saddr . ip daddr mod 2 seed 0xdeadbeef offset 100 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "jhash": { + "expr": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip" + } + } + ] + }, + "mod": 2, + "offset": 100, + "seed": 3735928559 + } + } + } + } +] + +# ct mark set jhash ip saddr . ip daddr mod 2 offset 100 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "jhash": { + "expr": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip" + } + } + ] + }, + "mod": 2, + "offset": 100 + } + } + } + } +] + +# dnat to jhash ip saddr mod 2 seed 0xdeadbeef map { 0 : 192.168.20.100, 1 : 192.168.30.100 } +[ + { + "dnat": { + "addr": { + "map": { + "key": { + "jhash": { + "expr": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "mod": 2, + "seed": 3735928559 + } + }, + "data": { + "set": [ + [ + 0, + "192.168.20.100" + ], + [ + 1, + "192.168.30.100" + ] + ] + } + } + } + } + } +] + +# ct mark set symhash mod 2 offset 100 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "symhash": { + "mod": 2, + "offset": 100 + } + } + } + } +] + diff --git a/tests/py/ip/hash.t.payload b/tests/py/ip/hash.t.payload new file mode 100644 index 0000000..fefe492 --- /dev/null +++ b/tests/py/ip/hash.t.payload @@ -0,0 +1,49 @@ +# ct mark set jhash ip saddr . ip daddr mod 2 seed 0xdeadbeef +ip test-ip4 pre + [ payload load 4b @ network header + 12 => reg 2 ] + [ payload load 4b @ network header + 16 => reg 13 ] + [ hash reg 1 = jhash(reg 2, 8, 0xdeadbeef) % mod 2 ] + [ ct set mark with reg 1 ] + +# ct mark set jhash ip saddr . ip daddr mod 2 +ip test-ip4 pre + [ payload load 4b @ network header + 12 => reg 2 ] + [ payload load 4b @ network header + 16 => reg 13 ] + [ hash reg 1 = jhash(reg 2, 8, 0x0) % mod 2 ] + [ ct set mark with reg 1 ] + +# ct mark set jhash ip saddr . ip daddr mod 2 seed 0x0 +ip test-ip4 pre + [ payload load 4b @ network header + 12 => reg 2 ] + [ payload load 4b @ network header + 16 => reg 13 ] + [ hash reg 1 = jhash(reg 2, 8, 0x0) % mod 2 ] + [ ct set mark with reg 1 ] + +# ct mark set jhash ip saddr . ip daddr mod 2 seed 0xdeadbeef offset 100 +ip test-ip4 pre + [ payload load 4b @ network header + 12 => reg 2 ] + [ payload load 4b @ network header + 16 => reg 13 ] + [ hash reg 1 = jhash(reg 2, 8, 0xdeadbeef) % mod 2 offset 100 ] + [ ct set mark with reg 1 ] + +# ct mark set jhash ip saddr . ip daddr mod 2 offset 100 +ip test-ip4 pre + [ payload load 4b @ network header + 12 => reg 2 ] + [ payload load 4b @ network header + 16 => reg 13 ] + [ hash reg 1 = jhash(reg 2, 8, 0x0) % mod 2 offset 100 ] + [ ct set mark with reg 1 ] + +# dnat to jhash ip saddr mod 2 seed 0xdeadbeef map { 0 : 192.168.20.100, 1 : 192.168.30.100 } +__map%d test-ip4 b +__map%d test-ip4 0 + element 00000000 : 6414a8c0 0 [end] element 00000001 : 641ea8c0 0 [end] +ip test-ip4 pre + [ payload load 4b @ network header + 12 => reg 2 ] + [ hash reg 1 = jhash(reg 2, 4, 0xdeadbeef) % mod 2 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat dnat ip addr_min reg 1 ] + +# ct mark set symhash mod 2 offset 100 +ip test-ip4 pre + [ hash reg 1 = symhash() % mod 2 offset 100 ] + [ ct set mark with reg 1 ] diff --git a/tests/py/ip/icmp.t b/tests/py/ip/icmp.t new file mode 100644 index 0000000..7ddf8b3 --- /dev/null +++ b/tests/py/ip/icmp.t @@ -0,0 +1,77 @@ +# BUG: There is a bug with icmp protocol and inet family. +# *inet;test-inet +:input;type filter hook input priority 0 + +*ip;test-ip4;input + +icmp type echo-reply accept;ok +icmp type destination-unreachable accept;ok +icmp type source-quench accept;ok +icmp type redirect accept;ok +icmp type echo-request accept;ok +icmp type time-exceeded accept;ok +icmp type parameter-problem accept;ok +icmp type timestamp-request accept;ok +icmp type timestamp-reply accept;ok +icmp type info-request accept;ok +icmp type info-reply accept;ok +icmp type address-mask-request accept;ok +icmp type address-mask-reply accept;ok +icmp type router-advertisement accept;ok +icmp type router-solicitation accept;ok +icmp type {echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation} accept;ok +icmp type != {echo-reply, destination-unreachable, source-quench};ok + +icmp code 111 accept;ok +icmp code != 111 accept;ok +icmp code 33-55;ok +icmp code != 33-55;ok +icmp code { 2, 4, 54, 33, 56};ok;icmp code { prot-unreachable, frag-needed, 33, 54, 56} +icmp code != { prot-unreachable, frag-needed, 33, 54, 56};ok + +icmp checksum 12343 accept;ok +icmp checksum != 12343 accept;ok +icmp checksum 11-343 accept;ok +icmp checksum != 11-343 accept;ok +icmp checksum { 1111, 222, 343} accept;ok +icmp checksum != { 1111, 222, 343} accept;ok + +icmp id 1245 log;ok;icmp type { echo-reply, echo-request} icmp id 1245 log +icmp id 22;ok;icmp type { echo-reply, echo-request} icmp id 22 +icmp id != 233;ok;icmp type { echo-reply, echo-request} icmp id != 233 +icmp id 33-45;ok;icmp type { echo-reply, echo-request} icmp id 33-45 +icmp id != 33-45;ok;icmp type { echo-reply, echo-request} icmp id != 33-45 + +icmp id { 22, 34, 333};ok;icmp type { echo-request, echo-reply} icmp id { 22, 34, 333} +icmp id != { 22, 34, 333};ok;icmp type { echo-request, echo-reply} icmp id != { 22, 34, 333} + +icmp sequence 22;ok;icmp type { echo-reply, echo-request} icmp sequence 22 +icmp sequence != 233;ok;icmp type { echo-reply, echo-request} icmp sequence != 233 +icmp sequence 33-45;ok;icmp type { echo-reply, echo-request} icmp sequence 33-45 +icmp sequence != 33-45;ok;icmp type { echo-reply, echo-request} icmp sequence != 33-45 +icmp sequence { 33, 55, 67, 88};ok;icmp type { echo-request, echo-reply} icmp sequence { 33, 55, 67, 88} +icmp sequence != { 33, 55, 67, 88};ok;icmp type { echo-request, echo-reply} icmp sequence != { 33, 55, 67, 88} +icmp id 1 icmp sequence 2;ok;icmp type { echo-reply, echo-request} icmp id 1 icmp sequence 2 +icmp type { echo-reply, echo-request} icmp id 1 icmp sequence 2;ok +icmp type echo-reply icmp id 1;ok + +icmp mtu 33;ok +icmp mtu 22-33;ok +icmp mtu 22;ok +icmp mtu != 233;ok +icmp mtu 33-45;ok +icmp mtu != 33-45;ok +icmp mtu { 33, 55, 67, 88};ok +icmp mtu != { 33, 55, 67, 88};ok + +icmp gateway 22;ok +icmp gateway != 233;ok +icmp gateway 33-45;ok +icmp gateway != 33-45;ok +icmp gateway { 33, 55, 67, 88};ok +icmp gateway != { 33, 55, 67, 88};ok +icmp gateway != 34;ok +icmp gateway != { 333, 334};ok + +icmp code 1 icmp type 2;ok;icmp type 2 icmp code host-unreachable +icmp code != 1 icmp type 2 icmp mtu 5;fail diff --git a/tests/py/ip/icmp.t.json b/tests/py/ip/icmp.t.json new file mode 100644 index 0000000..4f05250 --- /dev/null +++ b/tests/py/ip/icmp.t.json @@ -0,0 +1,1494 @@ +# icmp type echo-reply accept +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": "echo-reply" + } + }, + { + "accept": null + } +] + +# icmp type destination-unreachable accept +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": "destination-unreachable" + } + }, + { + "accept": null + } +] + +# icmp type source-quench accept +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": "source-quench" + } + }, + { + "accept": null + } +] + +# icmp type redirect accept +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": "redirect" + } + }, + { + "accept": null + } +] + +# icmp type echo-request accept +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": "echo-request" + } + }, + { + "accept": null + } +] + +# icmp type time-exceeded accept +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": "time-exceeded" + } + }, + { + "accept": null + } +] + +# icmp type parameter-problem accept +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": "parameter-problem" + } + }, + { + "accept": null + } +] + +# icmp type timestamp-request accept +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": "timestamp-request" + } + }, + { + "accept": null + } +] + +# icmp type timestamp-reply accept +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": "timestamp-reply" + } + }, + { + "accept": null + } +] + +# icmp type info-request accept +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": "info-request" + } + }, + { + "accept": null + } +] + +# icmp type info-reply accept +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": "info-reply" + } + }, + { + "accept": null + } +] + +# icmp type address-mask-request accept +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": "address-mask-request" + } + }, + { + "accept": null + } +] + +# icmp type address-mask-reply accept +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": "address-mask-reply" + } + }, + { + "accept": null + } +] + +# icmp type router-advertisement accept +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": "router-advertisement" + } + }, + { + "accept": null + } +] + +# icmp type router-solicitation accept +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": "router-solicitation" + } + }, + { + "accept": null + } +] + +# icmp type {echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation} accept +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "set": [ + "echo-reply", + "destination-unreachable", + "source-quench", + "redirect", + "echo-request", + "router-advertisement", + "router-solicitation", + "time-exceeded", + "parameter-problem", + "timestamp-request", + "timestamp-reply", + "info-request", + "info-reply", + "address-mask-request", + "address-mask-reply" + ] + } + } + }, + { + "accept": null + } +] + +# icmp type != {echo-reply, destination-unreachable, source-quench} +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "!=", + "right": { + "set": [ + "echo-reply", + "destination-unreachable", + "source-quench" + ] + } + } + } +] + +# icmp code 111 accept +[ + { + "match": { + "left": { + "payload": { + "field": "code", + "protocol": "icmp" + } + }, + "op": "==", + "right": 111 + } + }, + { + "accept": null + } +] + +# icmp code != 111 accept +[ + { + "match": { + "left": { + "payload": { + "field": "code", + "protocol": "icmp" + } + }, + "op": "!=", + "right": 111 + } + }, + { + "accept": null + } +] + +# icmp code 33-55 +[ + { + "match": { + "left": { + "payload": { + "field": "code", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "range": [ + 33, + 55 + ] + } + } + } +] + +# icmp code != 33-55 +[ + { + "match": { + "left": { + "payload": { + "field": "code", + "protocol": "icmp" + } + }, + "op": "!=", + "right": { + "range": [ + 33, + 55 + ] + } + } + } +] + +# icmp code { 2, 4, 54, 33, 56} +[ + { + "match": { + "left": { + "payload": { + "field": "code", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "set": [ + 2, + 4, + 33, + 54, + 56 + ] + } + } + } +] + +# icmp code != { prot-unreachable, frag-needed, 33, 54, 56} +[ + { + "match": { + "left": { + "payload": { + "field": "code", + "protocol": "icmp" + } + }, + "op": "!=", + "right": { + "set": [ + "prot-unreachable", + "frag-needed", + 33, + 54, + 56 + ] + } + } + } +] + +# icmp checksum 12343 accept +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "icmp" + } + }, + "op": "==", + "right": 12343 + } + }, + { + "accept": null + } +] + +# icmp checksum != 12343 accept +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "icmp" + } + }, + "op": "!=", + "right": 12343 + } + }, + { + "accept": null + } +] + +# icmp checksum 11-343 accept +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "range": [ + 11, + 343 + ] + } + } + }, + { + "accept": null + } +] + +# icmp checksum != 11-343 accept +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "icmp" + } + }, + "op": "!=", + "right": { + "range": [ + 11, + 343 + ] + } + } + }, + { + "accept": null + } +] + +# icmp checksum { 1111, 222, 343} accept +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "set": [ + 222, + 343, + 1111 + ] + } + } + }, + { + "accept": null + } +] + +# icmp checksum != { 1111, 222, 343} accept +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "icmp" + } + }, + "op": "!=", + "right": { + "set": [ + 222, + 343, + 1111 + ] + } + } + }, + { + "accept": null + } +] + +# icmp id 1245 log +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "icmp" + } + }, + "op": "==", + "right": 1245 + } + }, + { + "log": null + } +] + +# icmp id 22 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "icmp" + } + }, + "op": "==", + "right": 22 + } + } +] + +# icmp id != 233 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "icmp" + } + }, + "op": "!=", + "right": 233 + } + } +] + +# icmp id 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "set": [ + "echo-reply", + "echo-request" + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "range": [ + 33, + 45 + ] + } + } + } +] + +# icmp id != 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "set": [ + "echo-reply", + "echo-request" + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "icmp" + } + }, + "op": "!=", + "right": { + "range": [ + 33, + 45 + ] + } + } + } +] + +# icmp id { 22, 34, 333} +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "set": [ + "echo-reply", + "echo-request" + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "set": [ + 22, + 34, + 333 + ] + } + } + } +] + +# icmp id != { 22, 34, 333} +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "set": [ + "echo-reply", + "echo-request" + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "icmp" + } + }, + "op": "!=", + "right": { + "set": [ + 22, + 34, + 333 + ] + } + } + } +] + +# icmp sequence 22 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "set": [ + "echo-reply", + "echo-request" + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "icmp" + } + }, + "op": "==", + "right": 22 + } + } +] + +# icmp sequence != 233 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "set": [ + "echo-reply", + "echo-request" + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "icmp" + } + }, + "op": "!=", + "right": 233 + } + } +] + +# icmp sequence 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "set": [ + "echo-reply", + "echo-request" + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "range": [ + 33, + 45 + ] + } + } + } +] + +# icmp sequence != 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "set": [ + "echo-reply", + "echo-request" + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "icmp" + } + }, + "op": "!=", + "right": { + "range": [ + 33, + 45 + ] + } + } + } +] + +# icmp sequence { 33, 55, 67, 88} +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "set": [ + "echo-reply", + "echo-request" + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + +# icmp sequence != { 33, 55, 67, 88} +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "set": [ + "echo-reply", + "echo-request" + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "icmp" + } + }, + "op": "!=", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + +# icmp id 1 icmp sequence 2 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "set": [ + "echo-reply", + "echo-request" + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "icmp" + } + }, + "op": "==", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "icmp" + } + }, + "op": "==", + "right": 2 + } + } +] + +# icmp type { echo-reply, echo-request} icmp id 1 icmp sequence 2 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "set": [ + "echo-reply", + "echo-request" + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "icmp" + } + }, + "op": "==", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "icmp" + } + }, + "op": "==", + "right": 2 + } + } +] + +# icmp type echo-reply icmp id 1 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": "echo-reply" + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "icmp" + } + }, + "op": "==", + "right": 1 + } + } +] + +# icmp mtu 33 +[ + { + "match": { + "left": { + "payload": { + "field": "mtu", + "protocol": "icmp" + } + }, + "op": "==", + "right": 33 + } + } +] + +# icmp mtu 22-33 +[ + { + "match": { + "left": { + "payload": { + "field": "mtu", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "range": [ + 22, + 33 + ] + } + } + } +] + +# icmp mtu 22 +[ + { + "match": { + "left": { + "payload": { + "field": "mtu", + "protocol": "icmp" + } + }, + "op": "==", + "right": 22 + } + } +] + +# icmp mtu != 233 +[ + { + "match": { + "left": { + "payload": { + "field": "mtu", + "protocol": "icmp" + } + }, + "op": "!=", + "right": 233 + } + } +] + +# icmp mtu 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "mtu", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "range": [ + 33, + 45 + ] + } + } + } +] + +# icmp mtu != 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "mtu", + "protocol": "icmp" + } + }, + "op": "!=", + "right": { + "range": [ + 33, + 45 + ] + } + } + } +] + +# icmp mtu { 33, 55, 67, 88} +[ + { + "match": { + "left": { + "payload": { + "field": "mtu", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + +# icmp mtu != { 33, 55, 67, 88} +[ + { + "match": { + "left": { + "payload": { + "field": "mtu", + "protocol": "icmp" + } + }, + "op": "!=", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + +# icmp gateway 22 +[ + { + "match": { + "left": { + "payload": { + "field": "gateway", + "protocol": "icmp" + } + }, + "op": "==", + "right": 22 + } + } +] + +# icmp gateway != 233 +[ + { + "match": { + "left": { + "payload": { + "field": "gateway", + "protocol": "icmp" + } + }, + "op": "!=", + "right": 233 + } + } +] + +# icmp gateway 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "gateway", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "range": [ + 33, + 45 + ] + } + } + } +] + +# icmp gateway != 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "gateway", + "protocol": "icmp" + } + }, + "op": "!=", + "right": { + "range": [ + 33, + 45 + ] + } + } + } +] + +# icmp gateway { 33, 55, 67, 88} +[ + { + "match": { + "left": { + "payload": { + "field": "gateway", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + +# icmp gateway != { 33, 55, 67, 88} +[ + { + "match": { + "left": { + "payload": { + "field": "gateway", + "protocol": "icmp" + } + }, + "op": "!=", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + +# icmp gateway != 34 +[ + { + "match": { + "left": { + "payload": { + "field": "gateway", + "protocol": "icmp" + } + }, + "op": "!=", + "right": 34 + } + } +] + +# icmp gateway != { 333, 334} +[ + { + "match": { + "left": { + "payload": { + "field": "gateway", + "protocol": "icmp" + } + }, + "op": "!=", + "right": { + "set": [ + 333, + 334 + ] + } + } + } +] + +# icmp code 1 icmp type 2 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": 2 + } + }, + { + "match": { + "left": { + "payload": { + "field": "code", + "protocol": "icmp" + } + }, + "op": "==", + "right": "host-unreachable" + } + } +] diff --git a/tests/py/ip/icmp.t.json.output b/tests/py/ip/icmp.t.json.output new file mode 100644 index 0000000..5a07585 --- /dev/null +++ b/tests/py/ip/icmp.t.json.output @@ -0,0 +1,169 @@ +# icmp code { 2, 4, 54, 33, 56} +[ + { + "match": { + "left": { + "payload": { + "field": "code", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "set": [ + "prot-unreachable", + "frag-needed", + 33, + 54, + 56 + ] + } + } + } +] + +# icmp id 1245 log +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "set": [ + "echo-reply", + "echo-request" + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "icmp" + } + }, + "op": "==", + "right": 1245 + } + }, + { + "log": null + } +] + +# icmp id 22 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "set": [ + "echo-reply", + "echo-request" + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "icmp" + } + }, + "op": "==", + "right": 22 + } + } +] + +# icmp id != 233 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "set": [ + "echo-reply", + "echo-request" + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "icmp" + } + }, + "op": "!=", + "right": 233 + } + } +] + +# icmp id { 33-55} +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "set": [ + "echo-reply", + "echo-request" + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "icmp" + } + }, + "op": "==", + "right": { + "set": [ + { + "range": [ + 33, + 55 + ] + } + ] + } + } + } +] + + diff --git a/tests/py/ip/icmp.t.payload.ip b/tests/py/ip/icmp.t.payload.ip new file mode 100644 index 0000000..3bc6de3 --- /dev/null +++ b/tests/py/ip/icmp.t.payload.ip @@ -0,0 +1,619 @@ +# icmp type echo-reply accept +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000000 ] + [ immediate reg 0 accept ] + +# icmp type destination-unreachable accept +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000003 ] + [ immediate reg 0 accept ] + +# icmp type source-quench accept +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000004 ] + [ immediate reg 0 accept ] + +# icmp type redirect accept +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000005 ] + [ immediate reg 0 accept ] + +# icmp type echo-request accept +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ immediate reg 0 accept ] + +# icmp type time-exceeded accept +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x0000000b ] + [ immediate reg 0 accept ] + +# icmp type parameter-problem accept +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x0000000c ] + [ immediate reg 0 accept ] + +# icmp type timestamp-request accept +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x0000000d ] + [ immediate reg 0 accept ] + +# icmp type timestamp-reply accept +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x0000000e ] + [ immediate reg 0 accept ] + +# icmp type info-request accept +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x0000000f ] + [ immediate reg 0 accept ] + +# icmp type info-reply accept +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000010 ] + [ immediate reg 0 accept ] + +# icmp type address-mask-request accept +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ immediate reg 0 accept ] + +# icmp type address-mask-reply accept +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000012 ] + [ immediate reg 0 accept ] + +# icmp type != {echo-reply, destination-unreachable, source-quench} +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00000000 : 0 [end] element 00000003 : 0 [end] element 00000004 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# icmp code 111 accept +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 1 => reg 1 ] + [ cmp eq reg 1 0x0000006f ] + [ immediate reg 0 accept ] + +# icmp code != 111 accept +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 1 => reg 1 ] + [ cmp neq reg 1 0x0000006f ] + [ immediate reg 0 accept ] + +# icmp code 33-55 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 1 => reg 1 ] + [ cmp gte reg 1 0x00000021 ] + [ cmp lte reg 1 0x00000037 ] + +# icmp code != 33-55 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 1 => reg 1 ] + [ range neq reg 1 0x00000021 0x00000037 ] + +# icmp code { 2, 4, 54, 33, 56} +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00000002 : 0 [end] element 00000004 : 0 [end] element 00000036 : 0 [end] element 00000021 : 0 [end] element 00000038 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 1 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# icmp code != { prot-unreachable, frag-needed, 33, 54, 56} +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00000002 : 0 [end] element 00000004 : 0 [end] element 00000036 : 0 [end] element 00000021 : 0 [end] element 00000038 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 1 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# icmp checksum 12343 accept +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00003730 ] + [ immediate reg 0 accept ] + +# icmp checksum != 12343 accept +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp neq reg 1 0x00003730 ] + [ immediate reg 0 accept ] + +# icmp checksum 11-343 accept +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp gte reg 1 0x00000b00 ] + [ cmp lte reg 1 0x00005701 ] + [ immediate reg 0 accept ] + +# icmp checksum != 11-343 accept +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ range neq reg 1 0x00000b00 0x00005701 ] + [ immediate reg 0 accept ] + +# icmp checksum { 1111, 222, 343} accept +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00005704 : 0 [end] element 0000de00 : 0 [end] element 00005701 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ immediate reg 0 accept ] + +# icmp checksum != { 1111, 222, 343} accept +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00005704 : 0 [end] element 0000de00 : 0 [end] element 00005701 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + [ immediate reg 0 accept ] + +# icmp id 1245 log +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00000008 : 0 [end] element 00000000 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ payload load 2b @ transport header + 4 => reg 1 ] + [ cmp eq reg 1 0x0000dd04 ] + [ log ] + +# icmp id 22 +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00000008 : 0 [end] element 00000000 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ payload load 2b @ transport header + 4 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# icmp id != 233 +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00000008 : 0 [end] element 00000000 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ payload load 2b @ transport header + 4 => reg 1 ] + [ cmp neq reg 1 0x0000e900 ] + +# icmp id 33-45 +__set%d test-ip4 3 +__set%d test-ip4 input + element 00000008 : 0 [end] element 00000000 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ payload load 2b @ transport header + 4 => reg 1 ] + [ cmp gte reg 1 0x00002100 ] + [ cmp lte reg 1 0x00002d00 ] + +# icmp id != 33-45 +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00000008 : 0 [end] element 00000000 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ payload load 2b @ transport header + 4 => reg 1 ] + [ range neq reg 1 0x00002100 0x00002d00 ] + +# icmp id { 22, 34, 333} +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00000008 : 0 [end] element 00000000 : 0 [end] +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00001600 : 0 [end] element 00002200 : 0 [end] element 00004d01 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ payload load 2b @ transport header + 4 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# icmp id != { 22, 34, 333} +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00000008 : 0 [end] element 00000000 : 0 [end] +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00001600 : 0 [end] element 00002200 : 0 [end] element 00004d01 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ payload load 2b @ transport header + 4 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# icmp sequence 22 +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00000008 : 0 [end] element 00000000 : 0 [end] +ip + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ payload load 2b @ transport header + 6 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# icmp sequence != 233 +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00000008 : 0 [end] element 00000000 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ payload load 2b @ transport header + 6 => reg 1 ] + [ cmp neq reg 1 0x0000e900 ] + +# icmp sequence 33-45 +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00000008 : 0 [end] element 00000000 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ payload load 2b @ transport header + 6 => reg 1 ] + [ cmp gte reg 1 0x00002100 ] + [ cmp lte reg 1 0x00002d00 ] + +# icmp sequence != 33-45 +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00000008 : 0 [end] element 00000000 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ payload load 2b @ transport header + 6 => reg 1 ] + [ range neq reg 1 0x00002100 0x00002d00 ] + +# icmp sequence { 33, 55, 67, 88} +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00000008 : 0 [end] element 00000000 : 0 [end] +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ payload load 2b @ transport header + 6 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# icmp sequence != { 33, 55, 67, 88} +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00000008 : 0 [end] element 00000000 : 0 [end] +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ payload load 2b @ transport header + 6 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# icmp id 1 icmp sequence 2 +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00000008 : 0 [end] element 00000000 : 0 [end] +ip + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ cmp eq reg 1 0x02000100 ] + +# icmp type { echo-reply, echo-request} icmp id 1 icmp sequence 2 +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00000000 : 0 [end] element 00000008 : 0 [end] +ip + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ cmp eq reg 1 0x02000100 ] + +# icmp type echo-reply icmp id 1 +ip + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000000 ] + [ payload load 2b @ transport header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + +# icmp mtu 33 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000003 ] + [ payload load 2b @ transport header + 6 => reg 1 ] + [ cmp eq reg 1 0x00002100 ] + +# icmp mtu 22-33 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000003 ] + [ payload load 2b @ transport header + 6 => reg 1 ] + [ cmp gte reg 1 0x00001600 ] + [ cmp lte reg 1 0x00002100 ] + +# icmp mtu 22 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000003 ] + [ payload load 2b @ transport header + 6 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# icmp mtu != 233 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000003 ] + [ payload load 2b @ transport header + 6 => reg 1 ] + [ cmp neq reg 1 0x0000e900 ] + +# icmp mtu 33-45 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000003 ] + [ payload load 2b @ transport header + 6 => reg 1 ] + [ cmp gte reg 1 0x00002100 ] + [ cmp lte reg 1 0x00002d00 ] + +# icmp mtu != 33-45 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000003 ] + [ payload load 2b @ transport header + 6 => reg 1 ] + [ range neq reg 1 0x00002100 0x00002d00 ] + +# icmp mtu { 33, 55, 67, 88} +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000003 ] + [ payload load 2b @ transport header + 6 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# icmp mtu != { 33, 55, 67, 88} +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000003 ] + [ payload load 2b @ transport header + 6 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# icmp gateway 22 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000005 ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ cmp eq reg 1 0x16000000 ] + +# icmp gateway != 233 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000005 ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ cmp neq reg 1 0xe9000000 ] + +# icmp gateway 33-45 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000005 ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ cmp gte reg 1 0x21000000 ] + [ cmp lte reg 1 0x2d000000 ] + +# icmp gateway != 33-45 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000005 ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ range neq reg 1 0x21000000 0x2d000000 ] + +# icmp gateway { 33, 55, 67, 88} +__set%d test-ip4 3 +__set%d test-ip4 0 + element 21000000 : 0 [end] element 37000000 : 0 [end] element 43000000 : 0 [end] element 58000000 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000005 ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# icmp gateway != { 33, 55, 67, 88} +__set%d test-ip4 3 +__set%d test-ip4 0 + element 21000000 : 0 [end] element 37000000 : 0 [end] element 43000000 : 0 [end] element 58000000 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000005 ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# icmp gateway != 34 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000005 ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ cmp neq reg 1 0x22000000 ] + +# icmp gateway != { 333, 334} +__set%d test-ip4 3 +__set%d test-ip4 0 + element 4d010000 : 0 [end] element 4e010000 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000005 ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# icmp type router-advertisement accept +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000009 ] + [ immediate reg 0 accept ] + +# icmp type router-solicitation accept +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ immediate reg 0 accept ] + +# icmp type {echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation} accept +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00000000 : 0 [end] element 00000003 : 0 [end] element 00000004 : 0 [end] element 00000005 : 0 [end] element 00000008 : 0 [end] element 0000000b : 0 [end] element 0000000c : 0 [end] element 0000000d : 0 [end] element 0000000e : 0 [end] element 0000000f : 0 [end] element 00000010 : 0 [end] element 00000011 : 0 [end] element 00000012 : 0 [end] element 00000009 : 0 [end] element 0000000a : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ immediate reg 0 accept ] + +# icmp code 1 icmp type 2 +ip + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000102 ] diff --git a/tests/py/ip/igmp.t b/tests/py/ip/igmp.t new file mode 100644 index 0000000..a556e47 --- /dev/null +++ b/tests/py/ip/igmp.t @@ -0,0 +1,23 @@ +# *inet;test-inet +:input;type filter hook input priority 0 + +*ip;test-ip4;input + +igmp type membership-query;ok +igmp type membership-report-v1;ok +igmp type membership-report-v2;ok +igmp type membership-report-v3;ok +igmp type leave-group;ok + +igmp type { membership-report-v1, membership-report-v2, membership-report-v3};ok +igmp type != { membership-report-v1, membership-report-v2, membership-report-v3};ok + +igmp checksum 12343;ok +igmp checksum != 12343;ok +igmp checksum 11-343;ok +igmp checksum != 11-343;ok +igmp checksum { 1111, 222, 343};ok +igmp checksum != { 1111, 222, 343};ok + +igmp mrt 10;ok +igmp mrt != 10;ok diff --git a/tests/py/ip/igmp.t.json b/tests/py/ip/igmp.t.json new file mode 100644 index 0000000..0e2a43f --- /dev/null +++ b/tests/py/ip/igmp.t.json @@ -0,0 +1,273 @@ +# igmp type membership-query +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "igmp" + } + }, + "op": "==", + "right": "membership-query" + } + } +] + +# igmp type membership-report-v1 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "igmp" + } + }, + "op": "==", + "right": "membership-report-v1" + } + } +] + +# igmp type membership-report-v2 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "igmp" + } + }, + "op": "==", + "right": "membership-report-v2" + } + } +] + +# igmp type membership-report-v3 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "igmp" + } + }, + "op": "==", + "right": "membership-report-v3" + } + } +] + +# igmp type leave-group +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "igmp" + } + }, + "op": "==", + "right": "leave-group" + } + } +] + +# igmp type { membership-report-v1, membership-report-v2, membership-report-v3} +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "igmp" + } + }, + "op": "==", + "right": { + "set": [ + "membership-report-v1", + "membership-report-v2", + "membership-report-v3" + ] + } + } + } +] + +# igmp type != { membership-report-v1, membership-report-v2, membership-report-v3} +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "igmp" + } + }, + "op": "!=", + "right": { + "set": [ + "membership-report-v1", + "membership-report-v2", + "membership-report-v3" + ] + } + } + } +] + +# igmp checksum 12343 +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "igmp" + } + }, + "op": "==", + "right": 12343 + } + } +] + +# igmp checksum != 12343 +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "igmp" + } + }, + "op": "!=", + "right": 12343 + } + } +] + +# igmp checksum 11-343 +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "igmp" + } + }, + "op": "==", + "right": { + "range": [ + 11, + 343 + ] + } + } + } +] + +# igmp checksum != 11-343 +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "igmp" + } + }, + "op": "!=", + "right": { + "range": [ + 11, + 343 + ] + } + } + } +] + +# igmp checksum { 1111, 222, 343} +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "igmp" + } + }, + "op": "==", + "right": { + "set": [ + 222, + 343, + 1111 + ] + } + } + } +] + +# igmp checksum != { 1111, 222, 343} +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "igmp" + } + }, + "op": "!=", + "right": { + "set": [ + 222, + 343, + 1111 + ] + } + } + } +] + +# igmp mrt 10 +[ + { + "match": { + "left": { + "payload": { + "field": "mrt", + "protocol": "igmp" + } + }, + "op": "==", + "right": 10 + } + } +] + +# igmp mrt != 10 +[ + { + "match": { + "left": { + "payload": { + "field": "mrt", + "protocol": "igmp" + } + }, + "op": "!=", + "right": 10 + } + } +] diff --git a/tests/py/ip/igmp.t.payload b/tests/py/ip/igmp.t.payload new file mode 100644 index 0000000..940fe2c --- /dev/null +++ b/tests/py/ip/igmp.t.payload @@ -0,0 +1,118 @@ +# igmp type membership-query +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + +# igmp type membership-report-v1 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000012 ] + +# igmp type membership-report-v2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000016 ] + +# igmp type membership-report-v3 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000022 ] + +# igmp type leave-group +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000017 ] + +# igmp checksum 12343 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00003730 ] + +# igmp checksum != 12343 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp neq reg 1 0x00003730 ] + +# igmp checksum 11-343 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp gte reg 1 0x00000b00 ] + [ cmp lte reg 1 0x00005701 ] + +# igmp checksum != 11-343 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ range neq reg 1 0x00000b00 0x00005701 ] + +# igmp checksum { 1111, 222, 343} +__set%d test-ip4 3 size 3 +__set%d test-ip4 0 + element 00005704 : 0 [end] element 0000de00 : 0 [end] element 00005701 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# igmp checksum != { 1111, 222, 343} +__set%d test-ip4 3 size 3 +__set%d test-ip4 0 + element 00005704 : 0 [end] element 0000de00 : 0 [end] element 00005701 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# igmp type { membership-report-v1, membership-report-v2, membership-report-v3} +__set%d test-ip4 3 size 3 +__set%d test-ip4 0 + element 00000012 : 0 [end] element 00000016 : 0 [end] element 00000022 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# igmp type != { membership-report-v1, membership-report-v2, membership-report-v3} +__set%d test-ip4 3 size 3 +__set%d test-ip4 0 + element 00000012 : 0 [end] element 00000016 : 0 [end] element 00000022 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# igmp mrt 10 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ transport header + 1 => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + +# igmp mrt != 10 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ transport header + 1 => reg 1 ] + [ cmp neq reg 1 0x0000000a ] + diff --git a/tests/py/ip/ip.t b/tests/py/ip/ip.t new file mode 100644 index 0000000..720d9ae --- /dev/null +++ b/tests/py/ip/ip.t @@ -0,0 +1,135 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 + +*ip;test-ip4;input +*inet;test-inet;input +*bridge;test-bridge;input +*netdev;test-netdev;ingress,egress + +- ip version 2;ok + +# bug ip hdrlength +- ip hdrlength 10;ok +- ip hdrlength != 5;ok +- ip hdrlength 5-8;ok +- ip hdrlength != 3-13;ok +- ip hdrlength {3, 5, 6, 8};ok +- ip hdrlength != {3, 5, 7, 8};ok +- ip hdrlength { 3-5};ok +- ip hdrlength != { 3-59};ok +# ip hdrlength 12 +# <cmdline>:1:1-38: Error: Could not process rule: Invalid argument +# add rule ip test input ip hdrlength 12 +# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +# <cmdline>:1:37-38: Error: Value 22 exceeds valid range 0-15 +# add rule ip test input ip hdrlength 22 + +ip dscp cs1;ok +ip dscp != cs1;ok +ip dscp 0x38;ok;ip dscp cs7 +ip dscp != 0x20;ok;ip dscp != cs4 +ip dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef};ok +- ip dscp {0x08, 0x10, 0x18, 0x20, 0x28, 0x30, 0x38, 0x00, 0x0a, 0x0c, 0x0e, 0x12, 0x14, 0x16, 0x1a, 0x1c, 0x1e, 0x22, 0x24, 0x26, 0x2e};ok +ip dscp != {cs0, cs3};ok +ip dscp vmap { cs1 : continue , cs4 : accept } counter;ok + +ip length 232;ok +ip length != 233;ok +ip length 333-435;ok +ip length != 333-453;ok +ip length { 333, 553, 673, 838};ok +ip length != { 333, 553, 673, 838};ok + +ip id 22;ok +ip id != 233;ok +ip id 33-45;ok +ip id != 33-45;ok +ip id { 33, 55, 67, 88};ok +ip id != { 33, 55, 67, 88};ok + +ip frag-off 0xde accept;ok +ip frag-off != 0xe9;ok +ip frag-off 0x21-0x2d;ok +ip frag-off != 0x21-0x2d;ok +ip frag-off { 0x21, 0x37, 0x43, 0x58};ok +ip frag-off != { 0x21, 0x37, 0x43, 0x58};ok +ip frag-off & 0x1fff != 0x0;ok +ip frag-off & 0x2000 != 0x0;ok +ip frag-off & 0x4000 != 0x0;ok + +ip ttl 0 drop;ok +ip ttl 233;ok +ip ttl 33-55;ok +ip ttl != 45-50;ok +ip ttl {43, 53, 45 };ok +ip ttl != {43, 53, 45 };ok + +ip protocol tcp;ok;ip protocol 6 +ip protocol != tcp;ok;ip protocol != 6 +ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept;ok;ip protocol { 33, 136, 17, 51, 50, 6, 132, 1, 108} accept +ip protocol != { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept;ok;ip protocol != { 33, 136, 17, 51, 50, 6, 132, 1, 108} accept + +ip protocol 255;ok +ip protocol 256;fail + +ip checksum 13172 drop;ok +ip checksum 22;ok +ip checksum != 233;ok +ip checksum 33-45;ok +ip checksum != 33-45;ok +ip checksum { 33, 55, 67, 88};ok +ip checksum != { 33, 55, 67, 88};ok + +ip saddr set {192.19.1.2, 191.1.22.1};fail + +ip saddr 192.168.2.0/24;ok +ip saddr != 192.168.2.0/24;ok +ip saddr 192.168.3.1 ip daddr 192.168.3.100;ok +ip saddr != 1.1.1.1;ok +ip saddr 1.1.1.1;ok +ip daddr 192.168.0.1-192.168.0.250;ok +ip daddr 10.0.0.0-10.255.255.255;ok +ip daddr 172.16.0.0-172.31.255.255;ok +ip daddr 192.168.3.1-192.168.4.250;ok +ip daddr != 192.168.0.1-192.168.0.250;ok +ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept;ok +ip daddr != { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept;ok + +ip daddr 192.168.1.2-192.168.1.55;ok +ip daddr != 192.168.1.2-192.168.1.55;ok +ip saddr 192.168.1.3-192.168.33.55;ok +ip saddr != 192.168.1.3-192.168.33.55;ok + +ip daddr 192.168.0.1;ok +ip daddr 192.168.0.1 drop;ok +ip daddr 192.168.0.2;ok + +ip saddr & 0xff == 1;ok;ip saddr & 0.0.0.255 == 0.0.0.1 +ip saddr & 0.0.0.255 < 0.0.0.127;ok + +ip saddr & 0xffff0000 == 0xffff0000;ok;ip saddr 255.255.0.0/16 + +ip version 4 ip hdrlength 5;ok +ip hdrlength 0;ok +ip hdrlength 15;ok +ip hdrlength vmap { 0-4 : drop, 5 : accept, 6 : continue } counter;ok +ip hdrlength 16;fail + +# limit impact to lo +iif "lo" ip daddr set 127.0.0.1;ok +iif "lo" ip checksum set 0;ok +iif "lo" ip id set 0;ok +iif "lo" ip ecn set 1;ok;iif "lo" ip ecn set ect1 +iif "lo" ip ecn set ce;ok +iif "lo" ip ttl set 23;ok +iif "lo" ip protocol set 1;ok + +iif "lo" ip dscp set af23;ok +iif "lo" ip dscp set cs0;ok + +ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 };ok +ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept };ok + +ip saddr 1.2.3.4 ip daddr 3.4.5.6;ok +ip saddr 1.2.3.4 counter ip daddr 3.4.5.6;ok diff --git a/tests/py/ip/ip.t.json b/tests/py/ip/ip.t.json new file mode 100644 index 0000000..882c94e --- /dev/null +++ b/tests/py/ip/ip.t.json @@ -0,0 +1,1811 @@ +# ip dscp cs1 +[ + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + "op": "==", + "right": "cs1" + } + } +] + +# ip dscp != cs1 +[ + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + "op": "!=", + "right": "cs1" + } + } +] + +# ip dscp 0x38 +[ + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + "op": "==", + "right": "0x38" + } + } +] + +# ip dscp != 0x20 +[ + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + "op": "!=", + "right": "0x20" + } + } +] + +# ip dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef} +[ + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + "op": "==", + "right": { + "set": [ + "cs0", + "cs1", + "cs2", + "cs3", + "cs4", + "cs5", + "cs6", + "cs7", + "af11", + "af12", + "af13", + "af21", + "af22", + "af23", + "af31", + "af32", + "af33", + "af41", + "af42", + "af43", + "ef" + ] + } + } + } +] + +# ip dscp != {cs0, cs3} +[ + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + "op": "!=", + "right": { + "set": [ + "cs0", + "cs3" + ] + } + } + } +] + +# ip dscp vmap { cs1 : continue , cs4 : accept } counter +[ + { + "vmap": { + "key": { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + "data": { + "set": [ + [ + "cs1", + { + "continue": null + } + ], + [ + "cs4", + { + "accept": null + } + ] + ] + } + } + }, + { + "counter": null + } +] + +# ip length 232 +[ + { + "match": { + "left": { + "payload": { + "field": "length", + "protocol": "ip" + } + }, + "op": "==", + "right": 232 + } + } +] + +# ip length != 233 +[ + { + "match": { + "left": { + "payload": { + "field": "length", + "protocol": "ip" + } + }, + "op": "!=", + "right": 233 + } + } +] + +# ip length 333-435 +[ + { + "match": { + "left": { + "payload": { + "field": "length", + "protocol": "ip" + } + }, + "op": "==", + "right": { + "range": [ 333, 435 ] + } + } + } +] + +# ip length != 333-453 +[ + { + "match": { + "left": { + "payload": { + "field": "length", + "protocol": "ip" + } + }, + "op": "!=", + "right": { + "range": [ 333, 453 ] + } + } + } +] + +# ip length { 333, 553, 673, 838} +[ + { + "match": { + "left": { + "payload": { + "field": "length", + "protocol": "ip" + } + }, + "op": "==", + "right": { + "set": [ + 333, + 553, + 673, + 838 + ] + } + } + } +] + +# ip length != { 333, 553, 673, 838} +[ + { + "match": { + "left": { + "payload": { + "field": "length", + "protocol": "ip" + } + }, + "op": "!=", + "right": { + "set": [ + 333, + 553, + 673, + 838 + ] + } + } + } +] + +# ip id 22 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "ip" + } + }, + "op": "==", + "right": 22 + } + } +] + +# ip id != 233 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "ip" + } + }, + "op": "!=", + "right": 233 + } + } +] + +# ip id 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "ip" + } + }, + "op": "==", + "right": { + "range": [ 33, 45 ] + } + } + } +] + +# ip id != 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "ip" + } + }, + "op": "!=", + "right": { + "range": [ 33, 45 ] + } + } + } +] + +# ip id { 33, 55, 67, 88} +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "ip" + } + }, + "op": "==", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + +# ip id != { 33, 55, 67, 88} +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "ip" + } + }, + "op": "!=", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + +# ip frag-off 0xde accept +[ + { + "match": { + "left": { + "payload": { + "field": "frag-off", + "protocol": "ip" + } + }, + "op": "==", + "right": 222 + } + }, + { + "accept": null + } +] + +# ip frag-off != 0xe9 +[ + { + "match": { + "left": { + "payload": { + "field": "frag-off", + "protocol": "ip" + } + }, + "op": "!=", + "right": 233 + } + } +] + +# ip frag-off 0x21-0x2d +[ + { + "match": { + "left": { + "payload": { + "field": "frag-off", + "protocol": "ip" + } + }, + "op": "==", + "right": { + "range": [ 33, 45 ] + } + } + } +] + +# ip frag-off != 0x21-0x2d +[ + { + "match": { + "left": { + "payload": { + "field": "frag-off", + "protocol": "ip" + } + }, + "op": "!=", + "right": { + "range": [ 33, 45 ] + } + } + } +] + +# ip frag-off { 0x21, 0x37, 0x43, 0x58} +[ + { + "match": { + "left": { + "payload": { + "field": "frag-off", + "protocol": "ip" + } + }, + "op": "==", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + +# ip frag-off != { 0x21, 0x37, 0x43, 0x58} +[ + { + "match": { + "left": { + "payload": { + "field": "frag-off", + "protocol": "ip" + } + }, + "op": "!=", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + +# ip frag-off & 0x1fff != 0x0 +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "frag-off", + "protocol": "ip" + } + }, + 8191 + ] + }, + "op": "!=", + "right": 0 + } + } +] + +# ip frag-off & 0x2000 != 0x0 +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "frag-off", + "protocol": "ip" + } + }, + 8192 + ] + }, + "op": "!=", + "right": 0 + } + } +] + +# ip frag-off & 0x4000 != 0x0 +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "frag-off", + "protocol": "ip" + } + }, + 16384 + ] + }, + "op": "!=", + "right": 0 + } + } +] + +# ip ttl 0 drop +[ + { + "match": { + "left": { + "payload": { + "field": "ttl", + "protocol": "ip" + } + }, + "op": "==", + "right": 0 + } + }, + { + "drop": null + } +] + +# ip ttl 233 +[ + { + "match": { + "left": { + "payload": { + "field": "ttl", + "protocol": "ip" + } + }, + "op": "==", + "right": 233 + } + } +] + +# ip ttl 33-55 +[ + { + "match": { + "left": { + "payload": { + "field": "ttl", + "protocol": "ip" + } + }, + "op": "==", + "right": { + "range": [ 33, 55 ] + } + } + } +] + +# ip ttl != 45-50 +[ + { + "match": { + "left": { + "payload": { + "field": "ttl", + "protocol": "ip" + } + }, + "op": "!=", + "right": { + "range": [ 45, 50 ] + } + } + } +] + +# ip ttl {43, 53, 45 } +[ + { + "match": { + "left": { + "payload": { + "field": "ttl", + "protocol": "ip" + } + }, + "op": "==", + "right": { + "set": [ + 43, + 45, + 53 + ] + } + } + } +] + +# ip ttl != {43, 53, 45 } +[ + { + "match": { + "left": { + "payload": { + "field": "ttl", + "protocol": "ip" + } + }, + "op": "!=", + "right": { + "set": [ + 43, + 45, + 53 + ] + } + } + } +] + +# ip protocol tcp +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": "tcp" + } + } +] + +# ip protocol != tcp +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "!=", + "right": "tcp" + } + } +] + +# ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": { + "set": [ + "icmp", + "esp", + "ah", + "comp", + "udp", + "udplite", + "tcp", + "dccp", + "sctp" + ] + } + } + }, + { + "accept": null + } +] + +# ip protocol != { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "!=", + "right": { + "set": [ + "icmp", + "esp", + "ah", + "comp", + "udp", + "udplite", + "tcp", + "dccp", + "sctp" + ] + } + } + }, + { + "accept": null + } +] + +# ip protocol 255 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": 255 + } + } +] + +# ip checksum 13172 drop +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "ip" + } + }, + "op": "==", + "right": 13172 + } + }, + { + "drop": null + } +] + +# ip checksum 22 +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "ip" + } + }, + "op": "==", + "right": 22 + } + } +] + +# ip checksum != 233 +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "ip" + } + }, + "op": "!=", + "right": 233 + } + } +] + +# ip checksum 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "ip" + } + }, + "op": "==", + "right": { + "range": [ 33, 45 ] + } + } + } +] + +# ip checksum != 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "ip" + } + }, + "op": "!=", + "right": { + "range": [ 33, 45 ] + } + } + } +] + +# ip checksum { 33, 55, 67, 88} +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "ip" + } + }, + "op": "==", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + +# ip checksum != { 33, 55, 67, 88} +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "ip" + } + }, + "op": "!=", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + +# ip saddr 192.168.2.0/24 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": { + "prefix": { + "addr": "192.168.2.0", + "len": 24 + } + } + } + } +] + +# ip saddr != 192.168.2.0/24 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "!=", + "right": { + "prefix": { + "addr": "192.168.2.0", + "len": 24 + } + } + } + } +] + +# ip saddr 192.168.3.1 ip daddr 192.168.3.100 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "192.168.3.1" + } + }, + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "192.168.3.100" + } + } +] + +# ip saddr != 1.1.1.1 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "!=", + "right": "1.1.1.1" + } + } +] + +# ip saddr 1.1.1.1 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "1.1.1.1" + } + } +] + +# ip daddr 192.168.0.1-192.168.0.250 +[ + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": { + "range": [ "192.168.0.1", "192.168.0.250" ] + } + } + } +] + +# ip daddr 10.0.0.0-10.255.255.255 +[ + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": { + "range": [ "10.0.0.0", "10.255.255.255" ] + } + } + } +] + +# ip daddr 172.16.0.0-172.31.255.255 +[ + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": { + "range": [ "172.16.0.0", "172.31.255.255" ] + } + } + } +] + +# ip daddr 192.168.3.1-192.168.4.250 +[ + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": { + "range": [ "192.168.3.1", "192.168.4.250" ] + } + } + } +] + +# ip daddr != 192.168.0.1-192.168.0.250 +[ + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "!=", + "right": { + "range": [ "192.168.0.1", "192.168.0.250" ] + } + } + } +] + +# ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept +[ + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": { + "set": [ + "192.168.5.1", + "192.168.5.2", + "192.168.5.3" + ] + } + } + }, + { + "accept": null + } +] + +# ip daddr != { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept +[ + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "!=", + "right": { + "set": [ + "192.168.5.1", + "192.168.5.2", + "192.168.5.3" + ] + } + } + }, + { + "accept": null + } +] + +# ip daddr 192.168.1.2-192.168.1.55 +[ + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": { + "range": [ "192.168.1.2", "192.168.1.55" ] + } + } + } +] + +# ip daddr != 192.168.1.2-192.168.1.55 +[ + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "!=", + "right": { + "range": [ "192.168.1.2", "192.168.1.55" ] + } + } + } +] + +# ip saddr 192.168.1.3-192.168.33.55 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": { + "range": [ "192.168.1.3", "192.168.33.55" ] + } + } + } +] + +# ip saddr != 192.168.1.3-192.168.33.55 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "!=", + "right": { + "range": [ "192.168.1.3", "192.168.33.55" ] + } + } + } +] + +# ip daddr 192.168.0.1 +[ + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "192.168.0.1" + } + } +] + +# ip daddr 192.168.0.1 drop +[ + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "192.168.0.1" + } + }, + { + "drop": null + } +] + +# ip daddr 192.168.0.2 +[ + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "192.168.0.2" + } + } +] + +# ip saddr & 0xff == 1 +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "0xff" + ] + }, + "op": "==", + "right": 1 + } + } +] + +# ip saddr & 0.0.0.255 < 0.0.0.127 +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "0.0.0.255" + ] + }, + "op": "<", + "right": "0.0.0.127" + } + } +] + +# ip saddr & 0xffff0000 == 0xffff0000 +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "0xffff0000" + ] + }, + "op": "==", + "right": "0xffff0000" + } + } +] + +# ip version 4 ip hdrlength 5 +[ + { + "match": { + "left": { + "payload": { + "field": "version", + "protocol": "ip" + } + }, + "op": "==", + "right": 4 + } + }, + { + "match": { + "left": { + "payload": { + "field": "hdrlength", + "protocol": "ip" + } + }, + "op": "==", + "right": 5 + } + } +] + +# ip hdrlength 0 +[ + { + "match": { + "left": { + "payload": { + "field": "hdrlength", + "protocol": "ip" + } + }, + "op": "==", + "right": 0 + } + } +] + +# ip hdrlength 15 +[ + { + "match": { + "left": { + "payload": { + "field": "hdrlength", + "protocol": "ip" + } + }, + "op": "==", + "right": 15 + } + } +] + +# ip hdrlength vmap { 0-4 : drop, 5 : accept, 6 : continue } counter +[ + { + "vmap": { + "key": { + "payload": { + "field": "hdrlength", + "protocol": "ip" + } + }, + "data": { + "set": [ + [ + { "range": [ 0, 4 ] }, + { "drop": null } + ], + [ + 5, + { "accept": null } + ], + [ + 6, + { "continue": null } + ] + ] + } + } + }, + { + "counter": null + } +] + +# iif "lo" ip daddr set 127.0.0.1 +[ + { + "match": { + "left": { + "meta": { "key": "iif" } + }, + "op": "==", + "right": "lo" + } + }, + { + "mangle": { + "key": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "value": "127.0.0.1" + } + } +] + +# iif "lo" ip checksum set 0 +[ + { + "match": { + "left": { + "meta": { "key": "iif" } + }, + "op": "==", + "right": "lo" + } + }, + { + "mangle": { + "key": { + "payload": { + "field": "checksum", + "protocol": "ip" + } + }, + "value": 0 + } + } +] + +# iif "lo" ip id set 0 +[ + { + "match": { + "left": { + "meta": { "key": "iif" } + }, + "op": "==", + "right": "lo" + } + }, + { + "mangle": { + "key": { + "payload": { + "field": "id", + "protocol": "ip" + } + }, + "value": 0 + } + } +] + +# iif "lo" ip ecn set 1 +[ + { + "match": { + "left": { + "meta": { "key": "iif" } + }, + "op": "==", + "right": "lo" + } + }, + { + "mangle": { + "key": { + "payload": { + "field": "ecn", + "protocol": "ip" + } + }, + "value": 1 + } + } +] + +# iif "lo" ip ecn set ce +[ + { + "match": { + "left": { + "meta": { "key": "iif" } + }, + "op": "==", + "right": "lo" + } + }, + { + "mangle": { + "key": { + "payload": { + "field": "ecn", + "protocol": "ip" + } + }, + "value": "ce" + } + } +] + +# iif "lo" ip ttl set 23 +[ + { + "match": { + "left": { + "meta": { "key": "iif" } + }, + "op": "==", + "right": "lo" + } + }, + { + "mangle": { + "key": { + "payload": { + "field": "ttl", + "protocol": "ip" + } + }, + "value": 23 + } + } +] + +# iif "lo" ip protocol set 1 +[ + { + "match": { + "left": { + "meta": { "key": "iif" } + }, + "op": "==", + "right": "lo" + } + }, + { + "mangle": { + "key": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "value": 1 + } + } +] + +# iif "lo" ip dscp set af23 +[ + { + "match": { + "left": { + "meta": { "key": "iif" } + }, + "op": "==", + "right": "lo" + } + }, + { + "mangle": { + "key": { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + "value": "af23" + } + } +] + +# iif "lo" ip dscp set cs0 +[ + { + "match": { + "left": { + "meta": { "key": "iif" } + }, + "op": "==", + "right": "lo" + } + }, + { + "mangle": { + "key": { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + "value": "cs0" + } + } +] + +# ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "192.0.2.1", + { + "range": [ + "10.0.0.1", + "10.0.0.2" + ] + } + ] + } + ] + } + } + } +] + +# ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept } +[ + { + "vmap": { + "data": { + "set": [ + [ + { + "concat": [ + { + "range": [ + "192.168.5.1", + "192.168.5.128" + ] + }, + { + "range": [ + "192.168.6.1", + "192.168.6.128" + ] + } + ] + }, + { + "accept": null + } + ] + ] + }, + "key": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip" + } + } + ] + } + } + } +] + +# ip saddr 1.2.3.4 ip daddr 3.4.5.6 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "1.2.3.4" + } + }, + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "3.4.5.6" + } + } +] + +# ip saddr 1.2.3.4 counter ip daddr 3.4.5.6 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "1.2.3.4" + } + }, + { + "counter": { + "bytes": 0, + "packets": 0 + } + }, + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "3.4.5.6" + } + } +] diff --git a/tests/py/ip/ip.t.json.got b/tests/py/ip/ip.t.json.got new file mode 100644 index 0000000..07ab4e3 --- /dev/null +++ b/tests/py/ip/ip.t.json.got @@ -0,0 +1,62 @@ +# ip frag-off & 0x1fff != 0x0 +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "frag-off", + "protocol": "ip" + } + }, + 8191 + ] + }, + "op": "!=", + "right": 0 + } + } +] + +# ip frag-off & 0x2000 != 0x0 +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "frag-off", + "protocol": "ip" + } + }, + 8192 + ] + }, + "op": "!=", + "right": 0 + } + } +] + +# ip frag-off & 0x4000 != 0x0 +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "frag-off", + "protocol": "ip" + } + }, + 16384 + ] + }, + "op": "!=", + "right": 0 + } + } +] diff --git a/tests/py/ip/ip.t.json.output b/tests/py/ip/ip.t.json.output new file mode 100644 index 0000000..b201cda --- /dev/null +++ b/tests/py/ip/ip.t.json.output @@ -0,0 +1,232 @@ +# ip dscp 0x38 +[ + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + "op": "==", + "right": "cs7" + } + } +] + +# ip dscp != 0x20 +[ + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + "op": "!=", + "right": "cs4" + } + } +] + +# ip dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef} +[ + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + "op": "==", + "right": { + "set": [ + "cs0", + "cs1", + "af11", + "af12", + "af13", + "cs2", + "af21", + "af22", + "af23", + "cs3", + "af31", + "af32", + "af33", + "cs4", + "af41", + "af42", + "af43", + "cs5", + "ef", + "cs6", + "cs7" + ] + } + } + } +] + +# ip protocol tcp +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": 6 + } + } +] + +# ip protocol != tcp +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "!=", + "right": 6 + } + } +] + +# ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": { + "set": [ + 1, + 6, + 17, + 33, + 50, + 51, + 108, + 132, + 136 + ] + } + } + }, + { + "accept": null + } +] + +# ip protocol != { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "!=", + "right": { + "set": [ + 1, + 6, + 17, + 33, + 50, + 51, + 108, + 132, + 136 + ] + } + } + }, + { + "accept": null + } +] + +# ip saddr & 0xff == 1 +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "0.0.0.255" + ] + }, + "op": "==", + "right": "0.0.0.1" + } + } +] + +# ip saddr & 0xffff0000 == 0xffff0000 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": { + "prefix": { + "addr": "255.255.0.0", + "len": 16 + } + } + } + } +] + +# iif "lo" ip ecn set 1 +[ + { + "match": { + "left": { + "meta": { "key": "iif" } + }, + "op": "==", + "right": "lo" + } + }, + { + "mangle": { + "key": { + "payload": { + "field": "ecn", + "protocol": "ip" + } + }, + "value": "ect1" + } + } +] + diff --git a/tests/py/ip/ip.t.payload b/tests/py/ip/ip.t.payload new file mode 100644 index 0000000..43605a3 --- /dev/null +++ b/tests/py/ip/ip.t.payload @@ -0,0 +1,558 @@ +# ip dscp cs1 +ip test-ip4 input + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000020 ] + +# ip dscp != cs1 +ip test-ip4 input + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000020 ] + +# ip dscp 0x38 +ip test-ip4 input + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ cmp eq reg 1 0x000000e0 ] + +# ip dscp != 0x20 +ip test-ip4 input + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000080 ] + +# ip dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef} +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00000020 : 0 [end] element 00000040 : 0 [end] element 00000060 : 0 [end] element 00000080 : 0 [end] element 000000a0 : 0 [end] element 000000c0 : 0 [end] element 000000e0 : 0 [end] element 00000000 : 0 [end] element 00000028 : 0 [end] element 00000030 : 0 [end] element 00000038 : 0 [end] element 00000048 : 0 [end] element 00000050 : 0 [end] element 00000058 : 0 [end] element 00000068 : 0 [end] element 00000070 : 0 [end] element 00000078 : 0 [end] element 00000088 : 0 [end] element 00000090 : 0 [end] element 00000098 : 0 [end] element 000000b8 : 0 [end] +ip test-ip4 input + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ lookup reg 1 set __set%d ] + +# ip dscp != {cs0, cs3} +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00000000 : 0 [end] element 00000060 : 0 [end] +ip test-ip4 input + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ lookup reg 1 set __set%d 0x1 ] + +# ip dscp vmap { cs1 : continue , cs4 : accept } counter +__map%d test-ip4 b size 2 +__map%d test-ip4 0 + element 00000020 : continue 0 [end] element 00000080 : accept 0 [end] +ip test-ip4 input + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ lookup reg 1 set __map%d dreg 0 ] + [ counter pkts 0 bytes 0 ] + +# ip length 232 +ip test-ip4 input + [ payload load 2b @ network header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000e800 ] + +# ip length != 233 +ip test-ip4 input + [ payload load 2b @ network header + 2 => reg 1 ] + [ cmp neq reg 1 0x0000e900 ] + +# ip length 333-435 +ip test-ip4 input + [ payload load 2b @ network header + 2 => reg 1 ] + [ cmp gte reg 1 0x00004d01 ] + [ cmp lte reg 1 0x0000b301 ] + +# ip length != 333-453 +ip test-ip4 input + [ payload load 2b @ network header + 2 => reg 1 ] + [ range neq reg 1 0x00004d01 0x0000c501 ] + +# ip length { 333, 553, 673, 838} +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00004d01 : 0 [end] element 00002902 : 0 [end] element 0000a102 : 0 [end] element 00004603 : 0 [end] +ip test-ip4 input + [ payload load 2b @ network header + 2 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# ip length != { 333, 553, 673, 838} +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00004d01 : 0 [end] element 00002902 : 0 [end] element 0000a102 : 0 [end] element 00004603 : 0 [end] +ip test-ip4 input + [ payload load 2b @ network header + 2 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# ip id 22 +ip test-ip4 input + [ payload load 2b @ network header + 4 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# ip id != 233 +ip test-ip4 input + [ payload load 2b @ network header + 4 => reg 1 ] + [ cmp neq reg 1 0x0000e900 ] + +# ip id 33-45 +ip test-ip4 input + [ payload load 2b @ network header + 4 => reg 1 ] + [ cmp gte reg 1 0x00002100 ] + [ cmp lte reg 1 0x00002d00 ] + +# ip id != 33-45 +ip test-ip4 input + [ payload load 2b @ network header + 4 => reg 1 ] + [ range neq reg 1 0x00002100 0x00002d00 ] + +# ip id { 33, 55, 67, 88} +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +ip test-ip4 input + [ payload load 2b @ network header + 4 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# ip id != { 33, 55, 67, 88} +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +ip test-ip4 input + [ payload load 2b @ network header + 4 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# ip frag-off 0xde accept +ip test-ip4 input + [ payload load 2b @ network header + 6 => reg 1 ] + [ cmp eq reg 1 0x0000de00 ] + [ immediate reg 0 accept ] + +# ip frag-off != 0xe9 +ip test-ip4 input + [ payload load 2b @ network header + 6 => reg 1 ] + [ cmp neq reg 1 0x0000e900 ] + +# ip frag-off 0x21-0x2d +ip test-ip4 input + [ payload load 2b @ network header + 6 => reg 1 ] + [ cmp gte reg 1 0x00002100 ] + [ cmp lte reg 1 0x00002d00 ] + +# ip frag-off != 0x21-0x2d +ip test-ip4 input + [ payload load 2b @ network header + 6 => reg 1 ] + [ range neq reg 1 0x00002100 0x00002d00 ] + +# ip frag-off { 0x21, 0x37, 0x43, 0x58} +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +ip test-ip4 input + [ payload load 2b @ network header + 6 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# ip frag-off != { 0x21, 0x37, 0x43, 0x58} +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +ip test-ip4 input + [ payload load 2b @ network header + 6 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# ip frag-off & 0x1fff != 0x0 +ip test-ip4 input + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip frag-off & 0x2000 != 0x0 +ip test-ip4 input + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip frag-off & 0x4000 != 0x0 +ip test-ip4 input + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000040 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip ttl 0 drop +ip test-ip4 input + [ payload load 1b @ network header + 8 => reg 1 ] + [ cmp eq reg 1 0x00000000 ] + [ immediate reg 0 drop ] + +# ip ttl 233 +ip test-ip4 input + [ payload load 1b @ network header + 8 => reg 1 ] + [ cmp eq reg 1 0x000000e9 ] + +# ip ttl 33-55 +ip test-ip4 input + [ payload load 1b @ network header + 8 => reg 1 ] + [ cmp gte reg 1 0x00000021 ] + [ cmp lte reg 1 0x00000037 ] + +# ip ttl != 45-50 +ip test-ip4 input + [ payload load 1b @ network header + 8 => reg 1 ] + [ range neq reg 1 0x0000002d 0x00000032 ] + +# ip ttl {43, 53, 45 } +__set%d test-ip4 3 +__set%d test-ip4 0 + element 0000002b : 0 [end] element 00000035 : 0 [end] element 0000002d : 0 [end] +ip test-ip4 input + [ payload load 1b @ network header + 8 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# ip ttl != {43, 53, 45 } +__set%d test-ip4 3 +__set%d test-ip4 0 + element 0000002b : 0 [end] element 00000035 : 0 [end] element 0000002d : 0 [end] +ip test-ip4 input + [ payload load 1b @ network header + 8 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# ip protocol tcp +ip test-ip4 input + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + +# ip protocol != tcp +ip test-ip4 input + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp neq reg 1 0x00000006 ] + +# ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00000001 : 0 [end] element 00000032 : 0 [end] element 00000033 : 0 [end] element 0000006c : 0 [end] element 00000011 : 0 [end] element 00000088 : 0 [end] element 00000006 : 0 [end] element 00000021 : 0 [end] element 00000084 : 0 [end] +ip test-ip4 input + [ payload load 1b @ network header + 9 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ immediate reg 0 accept ] + +# ip protocol != { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00000001 : 0 [end] element 00000032 : 0 [end] element 00000033 : 0 [end] element 0000006c : 0 [end] element 00000011 : 0 [end] element 00000088 : 0 [end] element 00000006 : 0 [end] element 00000021 : 0 [end] element 00000084 : 0 [end] +ip test-ip4 input + [ payload load 1b @ network header + 9 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + [ immediate reg 0 accept ] + +# ip protocol 255 +ip test-ip4 input + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x000000ff ] + +# ip checksum 13172 drop +ip test-ip4 input + [ payload load 2b @ network header + 10 => reg 1 ] + [ cmp eq reg 1 0x00007433 ] + [ immediate reg 0 drop ] + +# ip checksum 22 +ip test-ip4 input + [ payload load 2b @ network header + 10 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# ip checksum != 233 +ip test-ip4 input + [ payload load 2b @ network header + 10 => reg 1 ] + [ cmp neq reg 1 0x0000e900 ] + +# ip checksum 33-45 +ip test-ip4 input + [ payload load 2b @ network header + 10 => reg 1 ] + [ cmp gte reg 1 0x00002100 ] + [ cmp lte reg 1 0x00002d00 ] + +# ip checksum != 33-45 +ip test-ip4 input + [ payload load 2b @ network header + 10 => reg 1 ] + [ range neq reg 1 0x00002100 0x00002d00 ] + +# ip checksum { 33, 55, 67, 88} +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +ip test-ip4 input + [ payload load 2b @ network header + 10 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# ip checksum != { 33, 55, 67, 88} +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +ip test-ip4 input + [ payload load 2b @ network header + 10 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# ip saddr 192.168.2.0/24 +ip test-ip4 input + [ payload load 3b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x0002a8c0 ] + +# ip saddr != 192.168.2.0/24 +ip test-ip4 input + [ payload load 3b @ network header + 12 => reg 1 ] + [ cmp neq reg 1 0x0002a8c0 ] + +# ip saddr 192.168.3.1 ip daddr 192.168.3.100 +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x0103a8c0 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x6403a8c0 ] + +# ip saddr != 1.1.1.1 +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp neq reg 1 0x01010101 ] + +# ip saddr 1.1.1.1 +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x01010101 ] + +# ip daddr 192.168.0.1-192.168.0.250 +ip test-ip4 input + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp gte reg 1 0x0100a8c0 ] + [ cmp lte reg 1 0xfa00a8c0 ] + +# ip daddr 10.0.0.0-10.255.255.255 +ip test-ip4 input + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp gte reg 1 0x0000000a ] + [ cmp lte reg 1 0xffffff0a ] + +# ip daddr 172.16.0.0-172.31.255.255 +ip test-ip4 input + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp gte reg 1 0x000010ac ] + [ cmp lte reg 1 0xffff1fac ] + +# ip daddr 192.168.3.1-192.168.4.250 +ip test-ip4 input + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp gte reg 1 0x0103a8c0 ] + [ cmp lte reg 1 0xfa04a8c0 ] + +# ip daddr != 192.168.0.1-192.168.0.250 +ip test-ip4 input + [ payload load 4b @ network header + 16 => reg 1 ] + [ range neq reg 1 0x0100a8c0 0xfa00a8c0 ] + +# ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept +__set%d test-ip4 3 +__set%d test-ip4 0 + element 0105a8c0 : 0 [end] element 0205a8c0 : 0 [end] element 0305a8c0 : 0 [end] +ip test-ip4 input + [ payload load 4b @ network header + 16 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ immediate reg 0 accept ] + +# ip daddr != { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept +__set%d test-ip4 3 +__set%d test-ip4 0 + element 0105a8c0 : 0 [end] element 0205a8c0 : 0 [end] element 0305a8c0 : 0 [end] +ip test-ip4 input + [ payload load 4b @ network header + 16 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + [ immediate reg 0 accept ] + +# ip daddr 192.168.1.2-192.168.1.55 +ip test-ip4 input + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp gte reg 1 0x0201a8c0 ] + [ cmp lte reg 1 0x3701a8c0 ] + +# ip daddr != 192.168.1.2-192.168.1.55 +ip test-ip4 input + [ payload load 4b @ network header + 16 => reg 1 ] + [ range neq reg 1 0x0201a8c0 0x3701a8c0 ] + +# ip saddr 192.168.1.3-192.168.33.55 +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp gte reg 1 0x0301a8c0 ] + [ cmp lte reg 1 0x3721a8c0 ] + +# ip saddr != 192.168.1.3-192.168.33.55 +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ range neq reg 1 0x0301a8c0 0x3721a8c0 ] + +# ip daddr 192.168.0.1 +ip test-ip4 input + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x0100a8c0 ] + +# ip daddr 192.168.0.1 drop +ip test-ip4 input + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x0100a8c0 ] + [ immediate reg 0 drop ] + +# ip daddr 192.168.0.2 +ip test-ip4 input + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x0200a8c0 ] + +# ip saddr & 0xff == 1 +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0xff000000 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x01000000 ] + +# ip saddr & 0.0.0.255 < 0.0.0.127 +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0xff000000 ) ^ 0x00000000 ] + [ cmp lt reg 1 0x7f000000 ] + +# ip saddr & 0xffff0000 == 0xffff0000 +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ffff ) ^ 0x00000000 ] + [ cmp eq reg 1 0x0000ffff ] + +# ip version 4 ip hdrlength 5 +ip test-ip4 input + [ payload load 1b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000040 ] + [ payload load 1b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000005 ] + +# ip hdrlength 0 +ip test-ip4 input + [ payload load 1b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000000 ] + +# ip hdrlength 15 +ip test-ip4 input + [ payload load 1b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x0000000f ] + +# ip hdrlength vmap { 0-4 : drop, 5 : accept, 6 : continue } counter +__map%d test-ip4 f size 4 +__map%d test-ip4 0 + element 00000000 : drop 0 [end] element 00000005 : accept 0 [end] element 00000006 : continue 0 [end] element 00000007 : 1 [end] +ip test-ip4 input + [ payload load 1b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] + [ lookup reg 1 set __map%d dreg 0 ] + [ counter pkts 0 bytes 0 ] + +# iif "lo" ip daddr set 127.0.0.1 +ip test-ip4 input + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ immediate reg 1 0x0100007f ] + [ payload write reg 1 => 4b @ network header + 16 csum_type 1 csum_off 10 csum_flags 0x1 ] + +# iif "lo" ip checksum set 0 +ip test-ip4 input + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ immediate reg 1 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 10 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# iif "lo" ip id set 0 +ip test-ip4 input + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ immediate reg 1 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 4 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# iif "lo" ip ecn set 1 +ip test-ip4 input + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fcff ) ^ 0x00000100 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# iif "lo" ip ecn set ce +ip test-ip4 input + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fcff ) ^ 0x00000300 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# iif "lo" ip dscp set af23 +ip test-ip4 input + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000003ff ) ^ 0x00005800 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# iif "lo" ip dscp set cs0 +ip test-ip4 input + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000003ff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# iif "lo" ip ttl set 23 +ip test-ip4 input + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ network header + 8 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff00 ) ^ 0x00000017 ] + [ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# iif "lo" ip protocol set 1 +ip test-ip4 input + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ network header + 8 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000100 ] + [ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x1 ] + +# ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 } +__set%d test-ip4 87 size 1 +__set%d test-ip4 0 + element 010200c0 0100000a - 010200c0 0200000a : 0 [end] +ip + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ lookup reg 1 set __set%d ] + +# ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept } +__map%d test-ip4 8f size 1 +__map%d test-ip4 0 + element 0105a8c0 0106a8c0 - 8005a8c0 8006a8c0 : accept 0 [end] +ip + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ lookup reg 1 set __map%d dreg 0 ] + +# ip saddr 1.2.3.4 ip daddr 3.4.5.6 +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x06050403 ] + +# ip saddr 1.2.3.4 counter ip daddr 3.4.5.6 +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ counter pkts 0 bytes 0 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x06050403 ] diff --git a/tests/py/ip/ip.t.payload.bridge b/tests/py/ip/ip.t.payload.bridge new file mode 100644 index 0000000..e506f30 --- /dev/null +++ b/tests/py/ip/ip.t.payload.bridge @@ -0,0 +1,728 @@ +# ip dscp cs1 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000020 ] + +# ip dscp != cs1 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000020 ] + +# ip dscp 0x38 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ cmp eq reg 1 0x000000e0 ] + +# ip dscp != 0x20 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000080 ] + +# ip dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef} +__set%d test-bridge 3 size 21 +__set%d test-bridge 0 + element 00000000 : 0 [end] element 00000020 : 0 [end] element 00000040 : 0 [end] element 00000060 : 0 [end] element 00000080 : 0 [end] element 000000a0 : 0 [end] element 000000c0 : 0 [end] element 000000e0 : 0 [end] element 00000028 : 0 [end] element 00000030 : 0 [end] element 00000038 : 0 [end] element 00000048 : 0 [end] element 00000050 : 0 [end] element 00000058 : 0 [end] element 00000068 : 0 [end] element 00000070 : 0 [end] element 00000078 : 0 [end] element 00000088 : 0 [end] element 00000090 : 0 [end] element 00000098 : 0 [end] element 000000b8 : 0 [end] +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ lookup reg 1 set __set%d ] + +# ip dscp != {cs0, cs3} +__set%d test-bridge 3 size 2 +__set%d test-bridge 0 + element 00000000 : 0 [end] element 00000060 : 0 [end] +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ lookup reg 1 set __set%d 0x1 ] + +# ip dscp vmap { cs1 : continue , cs4 : accept } counter +__map%d test-bridge b size 2 +__map%d test-bridge 0 + element 00000020 : continue 0 [end] element 00000080 : accept 0 [end] +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ lookup reg 1 set __map%d dreg 0 ] + [ counter pkts 0 bytes 0 ] + +# ip length 232 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000e800 ] + +# ip length != 233 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 2 => reg 1 ] + [ cmp neq reg 1 0x0000e900 ] + +# ip length 333-435 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 2 => reg 1 ] + [ cmp gte reg 1 0x00004d01 ] + [ cmp lte reg 1 0x0000b301 ] + +# ip length != 333-453 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 2 => reg 1 ] + [ range neq reg 1 0x00004d01 0x0000c501 ] + +# ip length { 333, 553, 673, 838} +__set%d test-bridge 3 size 4 +__set%d test-bridge 0 + element 00004d01 : 0 [end] element 00002902 : 0 [end] element 0000a102 : 0 [end] element 00004603 : 0 [end] +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 2 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# ip length != { 333, 553, 673, 838} +__set%d test-bridge 3 size 4 +__set%d test-bridge 0 + element 00004d01 : 0 [end] element 00002902 : 0 [end] element 0000a102 : 0 [end] element 00004603 : 0 [end] +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 2 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# ip id 22 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 4 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# ip id != 233 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 4 => reg 1 ] + [ cmp neq reg 1 0x0000e900 ] + +# ip id 33-45 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 4 => reg 1 ] + [ cmp gte reg 1 0x00002100 ] + [ cmp lte reg 1 0x00002d00 ] + +# ip id != 33-45 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 4 => reg 1 ] + [ range neq reg 1 0x00002100 0x00002d00 ] + +# ip id { 33, 55, 67, 88} +__set%d test-bridge 3 size 4 +__set%d test-bridge 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 4 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# ip id != { 33, 55, 67, 88} +__set%d test-bridge 3 size 4 +__set%d test-bridge 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 4 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# ip frag-off 0xde accept +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ cmp eq reg 1 0x0000de00 ] + [ immediate reg 0 accept ] + +# ip frag-off != 0xe9 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ cmp neq reg 1 0x0000e900 ] + +# ip frag-off 0x21-0x2d +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ cmp gte reg 1 0x00002100 ] + [ cmp lte reg 1 0x00002d00 ] + +# ip frag-off != 0x21-0x2d +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ range neq reg 1 0x00002100 0x00002d00 ] + +# ip frag-off { 0x21, 0x37, 0x43, 0x58} +__set%d test-bridge 3 size 4 +__set%d test-bridge 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# ip frag-off != { 0x21, 0x37, 0x43, 0x58} +__set%d test-bridge 3 size 4 +__set%d test-bridge 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# ip frag-off & 0x1fff != 0x0 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip frag-off & 0x2000 != 0x0 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip frag-off & 0x4000 != 0x0 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000040 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip ttl 0 drop +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 8 => reg 1 ] + [ cmp eq reg 1 0x00000000 ] + [ immediate reg 0 drop ] + +# ip ttl 233 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 8 => reg 1 ] + [ cmp eq reg 1 0x000000e9 ] + +# ip ttl 33-55 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 8 => reg 1 ] + [ cmp gte reg 1 0x00000021 ] + [ cmp lte reg 1 0x00000037 ] + +# ip ttl != 45-50 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 8 => reg 1 ] + [ range neq reg 1 0x0000002d 0x00000032 ] + +# ip ttl {43, 53, 45 } +__set%d test-bridge 3 size 3 +__set%d test-bridge 0 + element 0000002b : 0 [end] element 00000035 : 0 [end] element 0000002d : 0 [end] +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 8 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# ip ttl != {43, 53, 45 } +__set%d test-bridge 3 size 3 +__set%d test-bridge 0 + element 0000002b : 0 [end] element 00000035 : 0 [end] element 0000002d : 0 [end] +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 8 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# ip protocol tcp +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + +# ip protocol != tcp +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp neq reg 1 0x00000006 ] + +# ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept +__set%d test-bridge 3 size 9 +__set%d test-bridge 0 + element 00000001 : 0 [end] element 00000032 : 0 [end] element 00000033 : 0 [end] element 0000006c : 0 [end] element 00000011 : 0 [end] element 00000088 : 0 [end] element 00000006 : 0 [end] element 00000021 : 0 [end] element 00000084 : 0 [end] +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ immediate reg 0 accept ] + +# ip protocol != { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept +__set%d test-bridge 3 size 9 +__set%d test-bridge 0 + element 00000001 : 0 [end] element 00000032 : 0 [end] element 00000033 : 0 [end] element 0000006c : 0 [end] element 00000011 : 0 [end] element 00000088 : 0 [end] element 00000006 : 0 [end] element 00000021 : 0 [end] element 00000084 : 0 [end] +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + [ immediate reg 0 accept ] + +# ip protocol 255 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x000000ff ] + +# ip checksum 13172 drop +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 10 => reg 1 ] + [ cmp eq reg 1 0x00007433 ] + [ immediate reg 0 drop ] + +# ip checksum 22 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 10 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# ip checksum != 233 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 10 => reg 1 ] + [ cmp neq reg 1 0x0000e900 ] + +# ip checksum 33-45 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 10 => reg 1 ] + [ cmp gte reg 1 0x00002100 ] + [ cmp lte reg 1 0x00002d00 ] + +# ip checksum != 33-45 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 10 => reg 1 ] + [ range neq reg 1 0x00002100 0x00002d00 ] + +# ip checksum { 33, 55, 67, 88} +__set%d test-bridge 3 size 4 +__set%d test-bridge 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 10 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# ip checksum != { 33, 55, 67, 88} +__set%d test-bridge 3 size 4 +__set%d test-bridge 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 10 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# ip saddr 192.168.2.0/24 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 3b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x0002a8c0 ] + +# ip saddr != 192.168.2.0/24 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 3b @ network header + 12 => reg 1 ] + [ cmp neq reg 1 0x0002a8c0 ] + +# ip saddr 192.168.3.1 ip daddr 192.168.3.100 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x0103a8c0 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x6403a8c0 ] + +# ip saddr != 1.1.1.1 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp neq reg 1 0x01010101 ] + +# ip saddr 1.1.1.1 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x01010101 ] + +# ip daddr 192.168.0.1-192.168.0.250 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp gte reg 1 0x0100a8c0 ] + [ cmp lte reg 1 0xfa00a8c0 ] + +# ip daddr 10.0.0.0-10.255.255.255 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp gte reg 1 0x0000000a ] + [ cmp lte reg 1 0xffffff0a ] + +# ip daddr 172.16.0.0-172.31.255.255 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp gte reg 1 0x000010ac ] + [ cmp lte reg 1 0xffff1fac ] + +# ip daddr 192.168.3.1-192.168.4.250 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp gte reg 1 0x0103a8c0 ] + [ cmp lte reg 1 0xfa04a8c0 ] + +# ip daddr != 192.168.0.1-192.168.0.250 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ range neq reg 1 0x0100a8c0 0xfa00a8c0 ] + +# ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept +__set%d test-bridge 3 size 3 +__set%d test-bridge 0 + element 0105a8c0 : 0 [end] element 0205a8c0 : 0 [end] element 0305a8c0 : 0 [end] +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ immediate reg 0 accept ] + +# ip daddr != { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept +__set%d test-bridge 3 size 3 +__set%d test-bridge 0 + element 0105a8c0 : 0 [end] element 0205a8c0 : 0 [end] element 0305a8c0 : 0 [end] +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + [ immediate reg 0 accept ] + +# ip daddr 192.168.1.2-192.168.1.55 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp gte reg 1 0x0201a8c0 ] + [ cmp lte reg 1 0x3701a8c0 ] + +# ip daddr != 192.168.1.2-192.168.1.55 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ range neq reg 1 0x0201a8c0 0x3701a8c0 ] + +# ip saddr 192.168.1.3-192.168.33.55 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp gte reg 1 0x0301a8c0 ] + [ cmp lte reg 1 0x3721a8c0 ] + +# ip saddr != 192.168.1.3-192.168.33.55 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ range neq reg 1 0x0301a8c0 0x3721a8c0 ] + +# ip daddr 192.168.0.1 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x0100a8c0 ] + +# ip daddr 192.168.0.1 drop +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x0100a8c0 ] + [ immediate reg 0 drop ] + +# ip daddr 192.168.0.2 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x0200a8c0 ] + +# ip saddr & 0xff == 1 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0xff000000 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x01000000 ] + +# ip saddr & 0.0.0.255 < 0.0.0.127 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0xff000000 ) ^ 0x00000000 ] + [ cmp lt reg 1 0x7f000000 ] + +# ip saddr & 0xffff0000 == 0xffff0000 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ffff ) ^ 0x00000000 ] + [ cmp eq reg 1 0x0000ffff ] + +# ip version 4 ip hdrlength 5 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000040 ] + [ payload load 1b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000005 ] + +# ip hdrlength 0 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000000 ] + +# ip hdrlength 15 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x0000000f ] + +# ip hdrlength vmap { 0-4 : drop, 5 : accept, 6 : continue } counter +__map%d test-bridge f size 4 +__map%d test-bridge 0 + element 00000000 : drop 0 [end] element 00000005 : accept 0 [end] element 00000006 : continue 0 [end] element 00000007 : 1 [end] +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] + [ lookup reg 1 set __map%d dreg 0 ] + [ counter pkts 0 bytes 0 ] + +# iif "lo" ip daddr set 127.0.0.1 +bridge test-bridge input + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ immediate reg 1 0x0100007f ] + [ payload write reg 1 => 4b @ network header + 16 csum_type 1 csum_off 10 csum_flags 0x1 ] + +# iif "lo" ip checksum set 0 +bridge test-bridge input + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ immediate reg 1 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 10 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# iif "lo" ip id set 0 +bridge test-bridge input + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ immediate reg 1 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 4 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# iif "lo" ip ecn set 1 +bridge test-bridge input + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fcff ) ^ 0x00000100 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# iif "lo" ip ecn set ce +bridge test-bridge input + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fcff ) ^ 0x00000300 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# iif "lo" ip ttl set 23 +bridge test-bridge input + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 8 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff00 ) ^ 0x00000017 ] + [ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# iif "lo" ip protocol set 1 +bridge test-bridge input + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 8 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000100 ] + [ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x1 ] + +# iif "lo" ip dscp set af23 +bridge test-bridge input + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000003ff ) ^ 0x00005800 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# iif "lo" ip dscp set cs0 +bridge test-bridge input + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000003ff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 } +__set%d test-bridge 87 size 1 +__set%d test-bridge 0 + element 010200c0 0100000a - 010200c0 0200000a : 0 [end] +bridge + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ lookup reg 1 set __set%d ] + +# ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept } +__map%d test-bridge 8f size 1 +__map%d test-bridge 0 + element 0105a8c0 0106a8c0 - 8005a8c0 8006a8c0 : accept 0 [end] +bridge + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ lookup reg 1 set __map%d dreg 0 ] + +# ip saddr 1.2.3.4 ip daddr 3.4.5.6 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x06050403 ] + +# ip saddr 1.2.3.4 counter ip daddr 3.4.5.6 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ counter pkts 0 bytes 0 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x06050403 ] diff --git a/tests/py/ip/ip.t.payload.bridge.got b/tests/py/ip/ip.t.payload.bridge.got new file mode 100644 index 0000000..e728c23 --- /dev/null +++ b/tests/py/ip/ip.t.payload.bridge.got @@ -0,0 +1,24 @@ +# ip frag-off & 0x1fff != 0x0 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip frag-off & 0x2000 != 0x0 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip frag-off & 0x4000 != 0x0 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000040 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + diff --git a/tests/py/ip/ip.t.payload.got b/tests/py/ip/ip.t.payload.got new file mode 100644 index 0000000..9a5c942 --- /dev/null +++ b/tests/py/ip/ip.t.payload.got @@ -0,0 +1,18 @@ +# ip frag-off & 0x1fff != 0x0 +ip test-ip4 input + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip frag-off & 0x2000 != 0x0 +ip test-ip4 input + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip frag-off & 0x4000 != 0x0 +ip test-ip4 input + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000040 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + diff --git a/tests/py/ip/ip.t.payload.inet b/tests/py/ip/ip.t.payload.inet new file mode 100644 index 0000000..a7fa0fa --- /dev/null +++ b/tests/py/ip/ip.t.payload.inet @@ -0,0 +1,728 @@ +# ip dscp cs1 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000020 ] + +# ip dscp != cs1 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000020 ] + +# ip dscp 0x38 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ cmp eq reg 1 0x000000e0 ] + +# ip dscp != 0x20 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000080 ] + +# ip dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef} +__set%d test-inet 3 +__set%d test-inet 0 + element 00000020 : 0 [end] element 00000040 : 0 [end] element 00000060 : 0 [end] element 00000080 : 0 [end] element 000000a0 : 0 [end] element 000000c0 : 0 [end] element 000000e0 : 0 [end] element 00000000 : 0 [end] element 00000028 : 0 [end] element 00000030 : 0 [end] element 00000038 : 0 [end] element 00000048 : 0 [end] element 00000050 : 0 [end] element 00000058 : 0 [end] element 00000068 : 0 [end] element 00000070 : 0 [end] element 00000078 : 0 [end] element 00000088 : 0 [end] element 00000090 : 0 [end] element 00000098 : 0 [end] element 000000b8 : 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ lookup reg 1 set __set%d ] + +# ip dscp != {cs0, cs3} +__set%d test-inet 3 +__set%d test-inet 0 + element 00000000 : 0 [end] element 00000060 : 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ lookup reg 1 set __set%d 0x1 ] + +# ip dscp vmap { cs1 : continue , cs4 : accept } counter +__map%d test-inet b size 2 +__map%d test-inet 0 + element 00000020 : continue 0 [end] element 00000080 : accept 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ lookup reg 1 set __map%d dreg 0 ] + [ counter pkts 0 bytes 0 ] + +# ip length 232 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000e800 ] + +# ip length != 233 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 2 => reg 1 ] + [ cmp neq reg 1 0x0000e900 ] + +# ip length 333-435 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 2 => reg 1 ] + [ cmp gte reg 1 0x00004d01 ] + [ cmp lte reg 1 0x0000b301 ] + +# ip length != 333-453 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 2 => reg 1 ] + [ range neq reg 1 0x00004d01 0x0000c501 ] + +# ip length { 333, 553, 673, 838} +__set%d test-inet 3 +__set%d test-inet 0 + element 00004d01 : 0 [end] element 00002902 : 0 [end] element 0000a102 : 0 [end] element 00004603 : 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 2 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# ip length != { 333, 553, 673, 838} +__set%d test-inet 3 +__set%d test-inet 0 + element 00004d01 : 0 [end] element 00002902 : 0 [end] element 0000a102 : 0 [end] element 00004603 : 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 2 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# ip id 22 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 4 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# ip id != 233 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 4 => reg 1 ] + [ cmp neq reg 1 0x0000e900 ] + +# ip id 33-45 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 4 => reg 1 ] + [ cmp gte reg 1 0x00002100 ] + [ cmp lte reg 1 0x00002d00 ] + +# ip id != 33-45 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 4 => reg 1 ] + [ range neq reg 1 0x00002100 0x00002d00 ] + +# ip id { 33, 55, 67, 88} +__set%d test-inet 3 +__set%d test-inet 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 4 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# ip id != { 33, 55, 67, 88} +__set%d test-inet 3 +__set%d test-inet 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 4 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# ip frag-off 0xde accept +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ cmp eq reg 1 0x0000de00 ] + [ immediate reg 0 accept ] + +# ip frag-off != 0xe9 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ cmp neq reg 1 0x0000e900 ] + +# ip frag-off 0x21-0x2d +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ cmp gte reg 1 0x00002100 ] + [ cmp lte reg 1 0x00002d00 ] + +# ip frag-off != 0x21-0x2d +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ range neq reg 1 0x00002100 0x00002d00 ] + +# ip frag-off { 0x21, 0x37, 0x43, 0x58} +__set%d test-inet 3 +__set%d test-inet 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# ip frag-off != { 0x21, 0x37, 0x43, 0x58} +__set%d test-inet 3 +__set%d test-inet 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# ip frag-off & 0x1fff != 0x0 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip frag-off & 0x2000 != 0x0 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip frag-off & 0x4000 != 0x0 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000040 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip ttl 0 drop +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 8 => reg 1 ] + [ cmp eq reg 1 0x00000000 ] + [ immediate reg 0 drop ] + +# ip ttl 233 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 8 => reg 1 ] + [ cmp eq reg 1 0x000000e9 ] + +# ip ttl 33-55 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 8 => reg 1 ] + [ cmp gte reg 1 0x00000021 ] + [ cmp lte reg 1 0x00000037 ] + +# ip ttl != 45-50 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 8 => reg 1 ] + [ range neq reg 1 0x0000002d 0x00000032 ] + +# ip ttl {43, 53, 45 } +__set%d test-inet 3 +__set%d test-inet 0 + element 0000002b : 0 [end] element 00000035 : 0 [end] element 0000002d : 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 8 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# ip ttl != {43, 53, 45 } +__set%d test-inet 3 +__set%d test-inet 0 + element 0000002b : 0 [end] element 00000035 : 0 [end] element 0000002d : 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 8 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# ip protocol tcp +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + +# ip protocol != tcp +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp neq reg 1 0x00000006 ] + +# ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept +__set%d test-inet 3 +__set%d test-inet 0 + element 00000001 : 0 [end] element 00000032 : 0 [end] element 00000033 : 0 [end] element 0000006c : 0 [end] element 00000011 : 0 [end] element 00000088 : 0 [end] element 00000006 : 0 [end] element 00000021 : 0 [end] element 00000084 : 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ immediate reg 0 accept ] + +# ip protocol != { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept +__set%d test-inet 3 +__set%d test-inet 0 + element 00000001 : 0 [end] element 00000032 : 0 [end] element 00000033 : 0 [end] element 0000006c : 0 [end] element 00000011 : 0 [end] element 00000088 : 0 [end] element 00000006 : 0 [end] element 00000021 : 0 [end] element 00000084 : 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + [ immediate reg 0 accept ] + +# ip protocol 255 +ip test-ip4 input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x000000ff ] + +# ip checksum 13172 drop +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 10 => reg 1 ] + [ cmp eq reg 1 0x00007433 ] + [ immediate reg 0 drop ] + +# ip checksum 22 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 10 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# ip checksum != 233 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 10 => reg 1 ] + [ cmp neq reg 1 0x0000e900 ] + +# ip checksum 33-45 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 10 => reg 1 ] + [ cmp gte reg 1 0x00002100 ] + [ cmp lte reg 1 0x00002d00 ] + +# ip checksum != 33-45 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 10 => reg 1 ] + [ range neq reg 1 0x00002100 0x00002d00 ] + +# ip checksum { 33, 55, 67, 88} +__set%d test-inet 3 +__set%d test-inet 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 10 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# ip checksum != { 33, 55, 67, 88} +__set%d test-inet 3 +__set%d test-inet 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 10 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# ip saddr 192.168.2.0/24 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 3b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x0002a8c0 ] + +# ip saddr != 192.168.2.0/24 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 3b @ network header + 12 => reg 1 ] + [ cmp neq reg 1 0x0002a8c0 ] + +# ip saddr 192.168.3.1 ip daddr 192.168.3.100 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x0103a8c0 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x6403a8c0 ] + +# ip saddr != 1.1.1.1 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp neq reg 1 0x01010101 ] + +# ip saddr 1.1.1.1 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x01010101 ] + +# ip daddr 192.168.0.1-192.168.0.250 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp gte reg 1 0x0100a8c0 ] + [ cmp lte reg 1 0xfa00a8c0 ] + +# ip daddr 10.0.0.0-10.255.255.255 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp gte reg 1 0x0000000a ] + [ cmp lte reg 1 0xffffff0a ] + +# ip daddr 172.16.0.0-172.31.255.255 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp gte reg 1 0x000010ac ] + [ cmp lte reg 1 0xffff1fac ] + +# ip daddr 192.168.3.1-192.168.4.250 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp gte reg 1 0x0103a8c0 ] + [ cmp lte reg 1 0xfa04a8c0 ] + +# ip daddr != 192.168.0.1-192.168.0.250 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ range neq reg 1 0x0100a8c0 0xfa00a8c0 ] + +# ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept +__set%d test-inet 3 +__set%d test-inet 0 + element 0105a8c0 : 0 [end] element 0205a8c0 : 0 [end] element 0305a8c0 : 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ immediate reg 0 accept ] + +# ip daddr != { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept +__set%d test-inet 3 +__set%d test-inet 0 + element 0105a8c0 : 0 [end] element 0205a8c0 : 0 [end] element 0305a8c0 : 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + [ immediate reg 0 accept ] + +# ip daddr 192.168.1.2-192.168.1.55 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp gte reg 1 0x0201a8c0 ] + [ cmp lte reg 1 0x3701a8c0 ] + +# ip daddr != 192.168.1.2-192.168.1.55 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ range neq reg 1 0x0201a8c0 0x3701a8c0 ] + +# ip saddr 192.168.1.3-192.168.33.55 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp gte reg 1 0x0301a8c0 ] + [ cmp lte reg 1 0x3721a8c0 ] + +# ip saddr != 192.168.1.3-192.168.33.55 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ range neq reg 1 0x0301a8c0 0x3721a8c0 ] + +# ip daddr 192.168.0.1 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x0100a8c0 ] + +# ip daddr 192.168.0.1 drop +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x0100a8c0 ] + [ immediate reg 0 drop ] + +# ip daddr 192.168.0.2 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x0200a8c0 ] + +# ip saddr & 0xff == 1 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0xff000000 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x01000000 ] + +# ip saddr & 0.0.0.255 < 0.0.0.127 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0xff000000 ) ^ 0x00000000 ] + [ cmp lt reg 1 0x7f000000 ] + +# ip saddr & 0xffff0000 == 0xffff0000 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ffff ) ^ 0x00000000 ] + [ cmp eq reg 1 0x0000ffff ] + +# ip version 4 ip hdrlength 5 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000040 ] + [ payload load 1b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000005 ] + +# ip hdrlength 0 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000000 ] + +# ip hdrlength 15 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x0000000f ] + +# ip hdrlength vmap { 0-4 : drop, 5 : accept, 6 : continue } counter +__map%d test-inet f size 4 +__map%d test-inet 0 + element 00000000 : drop 0 [end] element 00000005 : accept 0 [end] element 00000006 : continue 0 [end] element 00000007 : 1 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] + [ lookup reg 1 set __map%d dreg 0 ] + [ counter pkts 0 bytes 0 ] + +# iif "lo" ip daddr set 127.0.0.1 +inet test-inet input + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ immediate reg 1 0x0100007f ] + [ payload write reg 1 => 4b @ network header + 16 csum_type 1 csum_off 10 csum_flags 0x1 ] + +# iif "lo" ip checksum set 0 +inet test-inet input + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ immediate reg 1 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 10 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# iif "lo" ip id set 0 +inet test-inet input + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ immediate reg 1 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 4 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# iif "lo" ip ecn set 1 +inet test-inet input + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fcff ) ^ 0x00000100 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# iif "lo" ip ecn set ce +inet test-netdev ingress + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fcff ) ^ 0x00000300 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# iif "lo" ip dscp set af23 +inet test-inet input + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000003ff ) ^ 0x00005800 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# iif "lo" ip dscp set cs0 +inet test-inet input + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000003ff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# iif "lo" ip ttl set 23 +inet test-inet input + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 8 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff00 ) ^ 0x00000017 ] + [ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# iif "lo" ip protocol set 1 +inet test-inet input + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 8 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000100 ] + [ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x1 ] + +# ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 } +__set%d test-inet 87 size 1 +__set%d test-inet 0 + element 010200c0 0100000a - 010200c0 0200000a : 0 [end] +inet + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ lookup reg 1 set __set%d ] + +# ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept } +__map%d test-inet 8f size 1 +__map%d test-inet 0 + element 0105a8c0 0106a8c0 - 8005a8c0 8006a8c0 : accept 0 [end] +inet + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ lookup reg 1 set __map%d dreg 0 ] + +# ip saddr 1.2.3.4 ip daddr 3.4.5.6 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x06050403 ] + +# ip saddr 1.2.3.4 counter ip daddr 3.4.5.6 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ counter pkts 0 bytes 0 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x06050403 ] diff --git a/tests/py/ip/ip.t.payload.inet.got b/tests/py/ip/ip.t.payload.inet.got new file mode 100644 index 0000000..ac52c78 --- /dev/null +++ b/tests/py/ip/ip.t.payload.inet.got @@ -0,0 +1,24 @@ +# ip frag-off & 0x1fff != 0x0 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip frag-off & 0x2000 != 0x0 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip frag-off & 0x4000 != 0x0 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000040 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + diff --git a/tests/py/ip/ip.t.payload.netdev b/tests/py/ip/ip.t.payload.netdev new file mode 100644 index 0000000..aebd9d6 --- /dev/null +++ b/tests/py/ip/ip.t.payload.netdev @@ -0,0 +1,728 @@ +# ip length 232 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000e800 ] + +# ip length != 233 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 2 => reg 1 ] + [ cmp neq reg 1 0x0000e900 ] + +# ip length 333-435 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 2 => reg 1 ] + [ cmp gte reg 1 0x00004d01 ] + [ cmp lte reg 1 0x0000b301 ] + +# ip length != 333-453 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 2 => reg 1 ] + [ range neq reg 1 0x00004d01 0x0000c501 ] + +# ip length { 333, 553, 673, 838} +__set%d test-netdev 3 +__set%d test-netdev 0 + element 00004d01 : 0 [end] element 00002902 : 0 [end] element 0000a102 : 0 [end] element 00004603 : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 2 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# ip length != { 333, 553, 673, 838} +__set%d test-netdev 3 +__set%d test-netdev 0 + element 00004d01 : 0 [end] element 00002902 : 0 [end] element 0000a102 : 0 [end] element 00004603 : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 2 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# ip id 22 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 4 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# ip id != 233 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 4 => reg 1 ] + [ cmp neq reg 1 0x0000e900 ] + +# ip id 33-45 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 4 => reg 1 ] + [ cmp gte reg 1 0x00002100 ] + [ cmp lte reg 1 0x00002d00 ] + +# ip id != 33-45 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 4 => reg 1 ] + [ range neq reg 1 0x00002100 0x00002d00 ] + +# ip id { 33, 55, 67, 88} +__set%d test-netdev 3 +__set%d test-netdev 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 4 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# ip id != { 33, 55, 67, 88} +__set%d test-netdev 3 +__set%d test-netdev 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 4 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# ip frag-off 0xde accept +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ cmp eq reg 1 0x0000de00 ] + [ immediate reg 0 accept ] + +# ip frag-off != 0xe9 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ cmp neq reg 1 0x0000e900 ] + +# ip frag-off 0x21-0x2d +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ cmp gte reg 1 0x00002100 ] + [ cmp lte reg 1 0x00002d00 ] + +# ip frag-off != 0x21-0x2d +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ range neq reg 1 0x00002100 0x00002d00 ] + +# ip frag-off { 0x21, 0x37, 0x43, 0x58} +__set%d test-netdev 3 +__set%d test-netdev 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# ip frag-off != { 0x21, 0x37, 0x43, 0x58} +__set%d test-netdev 3 +__set%d test-netdev 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# ip frag-off & 0x1fff != 0x0 +netdev x y + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip frag-off & 0x2000 != 0x0 +netdev x y + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip frag-off & 0x4000 != 0x0 +netdev x y + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000040 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip ttl 0 drop +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 8 => reg 1 ] + [ cmp eq reg 1 0x00000000 ] + [ immediate reg 0 drop ] + +# ip ttl 33-55 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 8 => reg 1 ] + [ cmp gte reg 1 0x00000021 ] + [ cmp lte reg 1 0x00000037 ] + +# ip ttl != 45-50 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 8 => reg 1 ] + [ range neq reg 1 0x0000002d 0x00000032 ] + +# ip ttl {43, 53, 45 } +__set%d test-netdev 3 +__set%d test-netdev 0 + element 0000002b : 0 [end] element 00000035 : 0 [end] element 0000002d : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 8 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# ip ttl != {43, 53, 45 } +__set%d test-netdev 3 +__set%d test-netdev 0 + element 0000002b : 0 [end] element 00000035 : 0 [end] element 0000002d : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 8 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept +__set%d test-netdev 3 +__set%d test-netdev 0 + element 00000001 : 0 [end] element 00000032 : 0 [end] element 00000033 : 0 [end] element 0000006c : 0 [end] element 00000011 : 0 [end] element 00000088 : 0 [end] element 00000006 : 0 [end] element 00000021 : 0 [end] element 00000084 : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ immediate reg 0 accept ] + +# ip protocol != { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept +__set%d test-netdev 3 +__set%d test-netdev 0 + element 00000001 : 0 [end] element 00000032 : 0 [end] element 00000033 : 0 [end] element 0000006c : 0 [end] element 00000011 : 0 [end] element 00000088 : 0 [end] element 00000006 : 0 [end] element 00000021 : 0 [end] element 00000084 : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + [ immediate reg 0 accept ] + +# ip protocol 255 +ip test-ip4 input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x000000ff ] + +# ip checksum 13172 drop +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 10 => reg 1 ] + [ cmp eq reg 1 0x00007433 ] + [ immediate reg 0 drop ] + +# ip checksum 22 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 10 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# ip checksum != 233 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 10 => reg 1 ] + [ cmp neq reg 1 0x0000e900 ] + +# ip checksum 33-45 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 10 => reg 1 ] + [ cmp gte reg 1 0x00002100 ] + [ cmp lte reg 1 0x00002d00 ] + +# ip checksum != 33-45 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 10 => reg 1 ] + [ range neq reg 1 0x00002100 0x00002d00 ] + +# ip checksum { 33, 55, 67, 88} +__set%d test-netdev 3 +__set%d test-netdev 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 10 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# ip checksum != { 33, 55, 67, 88} +__set%d test-netdev 3 +__set%d test-netdev 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 10 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# ip saddr 192.168.2.0/24 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 3b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x0002a8c0 ] + +# ip saddr != 192.168.2.0/24 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 3b @ network header + 12 => reg 1 ] + [ cmp neq reg 1 0x0002a8c0 ] + +# ip saddr 192.168.3.1 ip daddr 192.168.3.100 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x0103a8c0 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x6403a8c0 ] + +# ip saddr 1.1.1.1 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x01010101 ] + +# ip daddr 192.168.0.1-192.168.0.250 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp gte reg 1 0x0100a8c0 ] + [ cmp lte reg 1 0xfa00a8c0 ] + +# ip daddr 10.0.0.0-10.255.255.255 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp gte reg 1 0x0000000a ] + [ cmp lte reg 1 0xffffff0a ] + +# ip daddr 172.16.0.0-172.31.255.255 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp gte reg 1 0x000010ac ] + [ cmp lte reg 1 0xffff1fac ] + +# ip daddr 192.168.3.1-192.168.4.250 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp gte reg 1 0x0103a8c0 ] + [ cmp lte reg 1 0xfa04a8c0 ] + +# ip daddr != 192.168.0.1-192.168.0.250 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ range neq reg 1 0x0100a8c0 0xfa00a8c0 ] + +# ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept +__set%d test-netdev 3 +__set%d test-netdev 0 + element 0105a8c0 : 0 [end] element 0205a8c0 : 0 [end] element 0305a8c0 : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ immediate reg 0 accept ] + +# ip daddr != { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept +__set%d test-netdev 3 +__set%d test-netdev 0 + element 0105a8c0 : 0 [end] element 0205a8c0 : 0 [end] element 0305a8c0 : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + [ immediate reg 0 accept ] + +# ip daddr 192.168.1.2-192.168.1.55 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp gte reg 1 0x0201a8c0 ] + [ cmp lte reg 1 0x3701a8c0 ] + +# ip daddr != 192.168.1.2-192.168.1.55 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ range neq reg 1 0x0201a8c0 0x3701a8c0 ] + +# ip saddr 192.168.1.3-192.168.33.55 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp gte reg 1 0x0301a8c0 ] + [ cmp lte reg 1 0x3721a8c0 ] + +# ip saddr != 192.168.1.3-192.168.33.55 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ range neq reg 1 0x0301a8c0 0x3721a8c0 ] + +# ip daddr 192.168.0.1 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x0100a8c0 ] + +# ip daddr 192.168.0.1 drop +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x0100a8c0 ] + [ immediate reg 0 drop ] + +# ip saddr & 0xff == 1 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0xff000000 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x01000000 ] + +# ip saddr & 0.0.0.255 < 0.0.0.127 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0xff000000 ) ^ 0x00000000 ] + [ cmp lt reg 1 0x7f000000 ] + +# ip saddr & 0xffff0000 == 0xffff0000 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ffff ) ^ 0x00000000 ] + [ cmp eq reg 1 0x0000ffff ] + +# ip version 4 ip hdrlength 5 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000040 ] + [ payload load 1b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000005 ] + +# ip hdrlength 0 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000000 ] + +# ip hdrlength 15 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x0000000f ] + +# ip hdrlength vmap { 0-4 : drop, 5 : accept, 6 : continue } counter +__map%d test-netdev f size 4 +__map%d test-netdev 0 + element 00000000 : drop 0 [end] element 00000005 : accept 0 [end] element 00000006 : continue 0 [end] element 00000007 : 1 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] + [ lookup reg 1 set __map%d dreg 0 ] + [ counter pkts 0 bytes 0 ] + +# ip ttl 233 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 8 => reg 1 ] + [ cmp eq reg 1 0x000000e9 ] + +# ip protocol tcp +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + +# ip protocol != tcp +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp neq reg 1 0x00000006 ] + +# ip saddr != 1.1.1.1 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp neq reg 1 0x01010101 ] + +# ip daddr 192.168.0.2 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x0200a8c0 ] + +# ip dscp cs1 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000020 ] + +# ip dscp != cs1 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000020 ] + +# ip dscp 0x38 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ cmp eq reg 1 0x000000e0 ] + +# ip dscp != 0x20 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000080 ] + +# ip dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef} +__set%d test-netdev 3 +__set%d test-netdev 0 + element 00000000 : 0 [end] element 00000020 : 0 [end] element 00000040 : 0 [end] element 00000060 : 0 [end] element 00000080 : 0 [end] element 000000a0 : 0 [end] element 000000c0 : 0 [end] element 000000e0 : 0 [end] element 00000028 : 0 [end] element 00000030 : 0 [end] element 00000038 : 0 [end] element 00000048 : 0 [end] element 00000050 : 0 [end] element 00000058 : 0 [end] element 00000068 : 0 [end] element 00000070 : 0 [end] element 00000078 : 0 [end] element 00000088 : 0 [end] element 00000090 : 0 [end] element 00000098 : 0 [end] element 000000b8 : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ lookup reg 1 set __set%d ] + +# ip dscp != {cs0, cs3} +__set%d test-netdev 3 +__set%d test-netdev 0 + element 00000000 : 0 [end] element 00000060 : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ lookup reg 1 set __set%d 0x1 ] + +# ip dscp vmap { cs1 : continue , cs4 : accept } counter +__map%d test-netdev b size 2 +__map%d test-netdev 0 + element 00000020 : continue 0 [end] element 00000080 : accept 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ lookup reg 1 set __map%d dreg 0 ] + [ counter pkts 0 bytes 0 ] + +# iif "lo" ip daddr set 127.0.0.1 +netdev test-netdev ingress + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ immediate reg 1 0x0100007f ] + [ payload write reg 1 => 4b @ network header + 16 csum_type 1 csum_off 10 csum_flags 0x1 ] + +# iif "lo" ip checksum set 0 +netdev test-netdev ingress + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ immediate reg 1 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 10 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# iif "lo" ip id set 0 +netdev test-netdev ingress + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ immediate reg 1 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 4 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# iif "lo" ip ecn set 1 +netdev test-netdev ingress + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fcff ) ^ 0x00000100 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# iif "lo" ip ecn set ce +netdev test-netdev ingress + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000fcff ) ^ 0x00000300 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# iif "lo" ip dscp set af23 +netdev test-netdev ingress + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000003ff ) ^ 0x00005800 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# iif "lo" ip dscp set cs0 +netdev test-netdev ingress + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000003ff ) ^ 0x00000000 ] + [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# iif "lo" ip ttl set 23 +netdev test-netdev ingress + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 8 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff00 ) ^ 0x00000017 ] + [ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x0 ] + +# iif "lo" ip protocol set 1 +netdev test-netdev ingress + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 8 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000100 ] + [ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x1 ] + +# ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 } +__set%d test-netdev 87 size 1 +__set%d test-netdev 0 + element 010200c0 0100000a - 010200c0 0200000a : 0 [end] +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ lookup reg 1 set __set%d ] + +# ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept } +__map%d test-netdev 8f size 1 +__map%d test-netdev 0 + element 0105a8c0 0106a8c0 - 8005a8c0 8006a8c0 : accept 0 [end] +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ lookup reg 1 set __map%d dreg 0 ] + +# ip saddr 1.2.3.4 ip daddr 3.4.5.6 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x06050403 ] + +# ip saddr 1.2.3.4 counter ip daddr 3.4.5.6 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ counter pkts 0 bytes 0 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x06050403 ] diff --git a/tests/py/ip/ip.t.payload.netdev.got b/tests/py/ip/ip.t.payload.netdev.got new file mode 100644 index 0000000..b3e2e35 --- /dev/null +++ b/tests/py/ip/ip.t.payload.netdev.got @@ -0,0 +1,24 @@ +# ip frag-off & 0x1fff != 0x0 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip frag-off & 0x2000 != 0x0 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# ip frag-off & 0x4000 != 0x0 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 2b @ network header + 6 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000040 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + diff --git a/tests/py/ip/ip_tcp.t b/tests/py/ip/ip_tcp.t new file mode 100644 index 0000000..ff398aa --- /dev/null +++ b/tests/py/ip/ip_tcp.t @@ -0,0 +1,9 @@ +:input;type filter hook input priority 0 + +*ip;test-ip;input + +# can remove ip dependency -- its redundant in ip family +ip protocol tcp tcp dport 22;ok;tcp dport 22 + +# but not here +ip protocol tcp meta mark set 1 tcp dport 22;ok;ip protocol 6 meta mark set 0x00000001 tcp dport 22 diff --git a/tests/py/ip/ip_tcp.t.json b/tests/py/ip/ip_tcp.t.json new file mode 100644 index 0000000..3757d6e --- /dev/null +++ b/tests/py/ip/ip_tcp.t.json @@ -0,0 +1,64 @@ +# ip protocol tcp tcp dport 22 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": "tcp" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + } +] + +# ip protocol tcp meta mark set 1 tcp dport 22 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": "tcp" + } + }, + { + "mangle": { + "key": { + "meta": { "key": "mark" } + }, + "value": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + } +] + diff --git a/tests/py/ip/ip_tcp.t.json.output b/tests/py/ip/ip_tcp.t.json.output new file mode 100644 index 0000000..2d671df --- /dev/null +++ b/tests/py/ip/ip_tcp.t.json.output @@ -0,0 +1,52 @@ +# ip protocol tcp tcp dport 22 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + } +] + +# ip protocol tcp meta mark set 1 tcp dport 22 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": 6 + } + }, + { + "mangle": { + "key": { + "meta": { "key": "mark" } + }, + "value": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + } +] + diff --git a/tests/py/ip/ip_tcp.t.payload b/tests/py/ip/ip_tcp.t.payload new file mode 100644 index 0000000..f6f640d --- /dev/null +++ b/tests/py/ip/ip_tcp.t.payload @@ -0,0 +1,16 @@ +# ip protocol tcp tcp dport 22 +ip test-ip input + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# ip protocol tcp meta mark set 1 tcp dport 22 +ip test-ip input + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ immediate reg 1 0x00000001 ] + [ meta set mark with reg 1 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + diff --git a/tests/py/ip/masquerade.t b/tests/py/ip/masquerade.t new file mode 100644 index 0000000..384ac72 --- /dev/null +++ b/tests/py/ip/masquerade.t @@ -0,0 +1,30 @@ +:postrouting;type nat hook postrouting priority 0 + +*ip;test-ip4;postrouting + +# nf_nat flags combination +udp dport 53 masquerade;ok +udp dport 53 masquerade random;ok +udp dport 53 masquerade random,persistent;ok +udp dport 53 masquerade random,persistent,fully-random;ok;udp dport 53 masquerade random,fully-random,persistent +udp dport 53 masquerade random,fully-random;ok +udp dport 53 masquerade random,fully-random,persistent;ok +udp dport 53 masquerade persistent;ok +udp dport 53 masquerade persistent,random;ok;udp dport 53 masquerade random,persistent +udp dport 53 masquerade persistent,random,fully-random;ok;udp dport 53 masquerade random,fully-random,persistent +udp dport 53 masquerade persistent,fully-random;ok;udp dport 53 masquerade fully-random,persistent +udp dport 53 masquerade persistent,fully-random,random;ok;udp dport 53 masquerade random,fully-random,persistent + +# using ports +ip protocol 6 masquerade to :1024;ok +ip protocol 6 masquerade to :1024-2048;ok + +# masquerade is a terminal statement +tcp dport 22 masquerade counter packets 0 bytes 0 accept;fail +tcp sport 22 masquerade accept;fail +ip saddr 10.1.1.1 masquerade drop;fail + +# masquerade with sets +tcp dport { 1,2,3,4,5,6,7,8,101,202,303,1001,2002,3003} masquerade;ok +ip daddr 10.0.0.0-10.2.3.4 udp dport 53 counter masquerade;ok +iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } masquerade;ok diff --git a/tests/py/ip/masquerade.t.json b/tests/py/ip/masquerade.t.json new file mode 100644 index 0000000..4a90c70 --- /dev/null +++ b/tests/py/ip/masquerade.t.json @@ -0,0 +1,429 @@ +# udp dport 53 masquerade +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 53 + } + }, + { + "masquerade": null + } +] + +# udp dport 53 masquerade random +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 53 + } + }, + { + "masquerade": { + "flags": "random" + } + } +] + +# udp dport 53 masquerade random,persistent +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 53 + } + }, + { + "masquerade": { + "flags": [ + "random", + "persistent" + ] + } + } +] + +# udp dport 53 masquerade random,persistent,fully-random +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 53 + } + }, + { + "masquerade": { + "flags": [ + "random", + "persistent", + "fully-random" + ] + } + } +] + +# udp dport 53 masquerade random,fully-random +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 53 + } + }, + { + "masquerade": { + "flags": [ + "random", + "fully-random" + ] + } + } +] + +# udp dport 53 masquerade random,fully-random,persistent +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 53 + } + }, + { + "masquerade": { + "flags": [ + "random", + "fully-random", + "persistent" + ] + } + } +] + +# udp dport 53 masquerade persistent +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 53 + } + }, + { + "masquerade": { + "flags": "persistent" + } + } +] + +# udp dport 53 masquerade persistent,random +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 53 + } + }, + { + "masquerade": { + "flags": [ + "persistent", + "random" + ] + } + } +] + +# udp dport 53 masquerade persistent,random,fully-random +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 53 + } + }, + { + "masquerade": { + "flags": [ + "persistent", + "random", + "fully-random" + ] + } + } +] + +# udp dport 53 masquerade persistent,fully-random +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 53 + } + }, + { + "masquerade": { + "flags": [ + "persistent", + "fully-random" + ] + } + } +] + +# udp dport 53 masquerade persistent,fully-random,random +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 53 + } + }, + { + "masquerade": { + "flags": [ + "persistent", + "fully-random", + "random" + ] + } + } +] + +# ip protocol 6 masquerade to :1024 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": 6 + } + }, + { + "masquerade": { + "port": 1024 + } + } +] + +# ip protocol 6 masquerade to :1024-2048 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": 6 + } + }, + { + "masquerade": { + "port": { + "range": [ 1024, 2048 ] + } + } + } +] + +# tcp dport { 1,2,3,4,5,6,7,8,101,202,303,1001,2002,3003} masquerade +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "set": [ + 1, + 2, + 3, + 4, + 5, + 6, + 7, + 8, + 101, + 202, + 303, + 1001, + 2002, + 3003 + ] + } + } + }, + { + "masquerade": null + } +] + +# ip daddr 10.0.0.0-10.2.3.4 udp dport 53 counter masquerade +[ + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": { + "range": [ "10.0.0.0", "10.2.3.4" ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 53 + } + }, + { + "counter": null + }, + { + "masquerade": null + } +] + +# iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } masquerade +[ + { + "match": { + "left": { + "meta": { "key": "iifname" } + }, + "op": "==", + "right": "eth0" + } + }, + { + "match": { + "left": { + "ct": { + "key": "state" + } + }, + "op": "in", + "right": [ + "established", + "new" + ] + } + }, + { + "vmap": { + "key": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "data": { + "set": [ + [ + 22, + { + "drop": null + } + ], + [ + 222, + { + "drop": null + } + ] + ] + } + } + }, + { + "masquerade": null + } +] + diff --git a/tests/py/ip/masquerade.t.json.output b/tests/py/ip/masquerade.t.json.output new file mode 100644 index 0000000..58e7e29 --- /dev/null +++ b/tests/py/ip/masquerade.t.json.output @@ -0,0 +1,123 @@ +# udp dport 53 masquerade random,persistent,fully-random +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 53 + } + }, + { + "masquerade": { + "flags": [ + "random", + "fully-random", + "persistent" + ] + } + } +] + +# udp dport 53 masquerade persistent,random +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 53 + } + }, + { + "masquerade": { + "flags": [ + "random", + "persistent" + ] + } + } +] + +# udp dport 53 masquerade persistent,random,fully-random +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 53 + } + }, + { + "masquerade": { + "flags": [ + "random", + "fully-random", + "persistent" + ] + } + } +] + +# udp dport 53 masquerade persistent,fully-random +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 53 + } + }, + { + "masquerade": { + "flags": [ + "fully-random", + "persistent" + ] + } + } +] + +# udp dport 53 masquerade persistent,fully-random,random +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 53 + } + }, + { + "masquerade": { + "flags": [ + "random", + "fully-random", + "persistent" + ] + } + } +] + diff --git a/tests/py/ip/masquerade.t.payload b/tests/py/ip/masquerade.t.payload new file mode 100644 index 0000000..79e5285 --- /dev/null +++ b/tests/py/ip/masquerade.t.payload @@ -0,0 +1,142 @@ +# udp dport 53 masquerade +ip test-ip4 postrouting + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00003500 ] + [ masq ] + +# udp dport 53 masquerade random +ip test-ip4 postrouting + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00003500 ] + [ masq flags 0x4 ] + +# udp dport 53 masquerade random,persistent +ip test-ip4 postrouting + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00003500 ] + [ masq flags 0xc ] + +# udp dport 53 masquerade random,persistent,fully-random +ip test-ip4 postrouting + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00003500 ] + [ masq flags 0x1c ] + +# udp dport 53 masquerade random,fully-random +ip test-ip4 postrouting + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00003500 ] + [ masq flags 0x14 ] + +# udp dport 53 masquerade random,fully-random,persistent +ip test-ip4 postrouting + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00003500 ] + [ masq flags 0x1c ] + +# udp dport 53 masquerade persistent +ip test-ip4 postrouting + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00003500 ] + [ masq flags 0x8 ] + +# udp dport 53 masquerade persistent,random +ip test-ip4 postrouting + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00003500 ] + [ masq flags 0xc ] + +# udp dport 53 masquerade persistent,random,fully-random +ip test-ip4 postrouting + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00003500 ] + [ masq flags 0x1c ] + +# udp dport 53 masquerade persistent,fully-random +ip test-ip4 postrouting + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00003500 ] + [ masq flags 0x18 ] + +# udp dport 53 masquerade persistent,fully-random,random +ip test-ip4 postrouting + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00003500 ] + [ masq flags 0x1c ] + +# tcp dport { 1,2,3,4,5,6,7,8,101,202,303,1001,2002,3003} masquerade +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00000100 : 0 [end] element 00000200 : 0 [end] element 00000300 : 0 [end] element 00000400 : 0 [end] element 00000500 : 0 [end] element 00000600 : 0 [end] element 00000700 : 0 [end] element 00000800 : 0 [end] element 00006500 : 0 [end] element 0000ca00 : 0 [end] element 00002f01 : 0 [end] element 0000e903 : 0 [end] element 0000d207 : 0 [end] element 0000bb0b : 0 [end] +ip test-ip4 postrouting + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ masq ] + +# ip daddr 10.0.0.0-10.2.3.4 udp dport 53 counter masquerade +ip test-ip4 postrouting + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp gte reg 1 0x0000000a ] + [ cmp lte reg 1 0x0403020a ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00003500 ] + [ counter pkts 0 bytes 0 ] + [ masq ] + +# iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } masquerade +__map%d test-ip4 b +__map%d test-ip4 0 + element 00001600 : drop 0 [end] element 0000de00 : drop 0 [end] +ip test-ip4 postrouting + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] + [ ct load state => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000a ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __map%d dreg 0 ] + [ masq ] + +# ip protocol 6 masquerade to :1024 +ip test-ip4 postrouting + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ immediate reg 1 0x00000004 ] + [ masq proto_min reg 1 flags 0x2 ] + +# ip protocol 6 masquerade to :1024-2048 +ip test-ip4 postrouting + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ immediate reg 1 0x00000004 ] + [ immediate reg 2 0x00000008 ] + [ masq proto_min reg 1 proto_max reg 2 flags 0x2 ] + diff --git a/tests/py/ip/meta.t b/tests/py/ip/meta.t new file mode 100644 index 0000000..a88a614 --- /dev/null +++ b/tests/py/ip/meta.t @@ -0,0 +1,22 @@ +:input;type filter hook input priority 0 + +*ip;test-ip4;input + +icmp type echo-request;ok +meta l4proto icmp icmp type echo-request;ok;icmp type echo-request +meta l4proto ipv6-icmp icmpv6 type nd-router-advert;ok;icmpv6 type nd-router-advert +meta l4proto 58 icmpv6 type nd-router-advert;ok;icmpv6 type nd-router-advert +icmpv6 type nd-router-advert;ok + +meta protocol ip udp dport 67;ok;udp dport 67 + +meta ibrname "br0";fail +meta obrname "br0";fail + +meta sdif "lo" accept;ok +meta sdifname != "vrf1" accept;ok + +meta mark set ip dscp;ok + +meta mark set ip dscp << 2 | 0x10;ok +meta mark set ip dscp << 26 | 0x10;ok diff --git a/tests/py/ip/meta.t.json b/tests/py/ip/meta.t.json new file mode 100644 index 0000000..25936db --- /dev/null +++ b/tests/py/ip/meta.t.json @@ -0,0 +1,236 @@ +# icmp type echo-request +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": "echo-request" + } + } +] + +# meta l4proto icmp icmp type echo-request +[ + { + "match": { + "left": { + "meta": { "key": "l4proto" } + }, + "op": "==", + "right": "icmp" + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": "echo-request" + } + } +] + +# meta l4proto ipv6-icmp icmpv6 type nd-router-advert +[ + { + "match": { + "left": { + "meta": { "key": "l4proto" } + }, + "op": "==", + "right": "ipv6-icmp" + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "nd-router-advert" + } + } +] + +# meta l4proto 58 icmpv6 type nd-router-advert +[ + { + "match": { + "left": { + "meta": { "key": "l4proto" } + }, + "op": "==", + "right": 58 + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "nd-router-advert" + } + } +] + +# icmpv6 type nd-router-advert +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "nd-router-advert" + } + } +] + +# meta sdif "lo" accept +[ + { + "match": { + "left": { + "meta": { + "key": "sdif" + } + }, + "op": "==", + "right": "lo" + } + }, + { + "accept": null + } +] + +# meta sdifname != "vrf1" accept +[ + { + "match": { + "left": { + "meta": { + "key": "sdifname" + } + }, + "op": "!=", + "right": "vrf1" + } + }, + { + "accept": null + } +] + +# meta protocol ip udp dport 67 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 67 + } + } +] + +# meta mark set ip dscp +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "payload": { + "field": "dscp", + "protocol": "ip" + } + } + } + } +] + +# meta mark set ip dscp << 2 | 0x10 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 2 + ] + }, + 16 + ] + } + } + } +] + + +# meta mark set ip dscp << 26 | 0x10 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "<<": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 26 + ] + }, + 16 + ] + } + } + } +] diff --git a/tests/py/ip/meta.t.json.output b/tests/py/ip/meta.t.json.output new file mode 100644 index 0000000..091282b --- /dev/null +++ b/tests/py/ip/meta.t.json.output @@ -0,0 +1,48 @@ +# meta l4proto icmp icmp type echo-request +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": "echo-request" + } + } +] + +# meta l4proto ipv6-icmp icmpv6 type nd-router-advert +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "nd-router-advert" + } + } +] + +# meta l4proto 58 icmpv6 type nd-router-advert +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "nd-router-advert" + } + } +] + diff --git a/tests/py/ip/meta.t.payload b/tests/py/ip/meta.t.payload new file mode 100644 index 0000000..880ac5d --- /dev/null +++ b/tests/py/ip/meta.t.payload @@ -0,0 +1,78 @@ +# icmp type echo-request +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + +# meta l4proto icmp icmp type echo-request +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + +# meta l4proto ipv6-icmp icmpv6 type nd-router-advert +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000086 ] + +# meta l4proto 58 icmpv6 type nd-router-advert +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000086 ] + +# icmpv6 type nd-router-advert +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000086 ] + +# meta sdif "lo" accept +ip6 test-ip4 input + [ meta load sdif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ immediate reg 0 accept ] + +# meta sdifname != "vrf1" accept +ip6 test-ip4 input + [ meta load sdifname => reg 1 ] + [ cmp neq reg 1 0x31667276 0x00000000 0x00000000 0x00000000 ] + [ immediate reg 0 accept ] + +# meta protocol ip udp dport 67 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00004300 ] + +# meta mark set ip dscp +ip test-ip4 input + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ meta set mark with reg 1 ] + +# meta mark set ip dscp << 2 | 0x10 +ip test-ip4 input + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 << 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ] + [ meta set mark with reg 1 ] + +# meta mark set ip dscp << 26 | 0x10 +ip + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 << 0x0000001a ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ] + [ meta set mark with reg 1 ] diff --git a/tests/py/ip/numgen.t b/tests/py/ip/numgen.t new file mode 100644 index 0000000..2a88146 --- /dev/null +++ b/tests/py/ip/numgen.t @@ -0,0 +1,9 @@ +:pre;type nat hook prerouting priority 0 +*ip;test-ip4;pre + +ct mark set numgen inc mod 2;ok +ct mark set numgen inc mod 2 offset 100;ok +dnat to numgen inc mod 2 map { 0 : 192.168.10.100, 1 : 192.168.20.200 };ok +dnat to numgen inc mod 10 map { 0-5 : 192.168.10.100, 6-9 : 192.168.20.200};ok +dnat to numgen inc mod 7 offset 167772161;ok +dnat to numgen inc mod 255 offset 167772161;ok diff --git a/tests/py/ip/numgen.t.json b/tests/py/ip/numgen.t.json new file mode 100644 index 0000000..6cf6604 --- /dev/null +++ b/tests/py/ip/numgen.t.json @@ -0,0 +1,129 @@ +# ct mark set numgen inc mod 2 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "numgen": { + "mod": 2, + "mode": "inc" + } + } + } + } +] + +# ct mark set numgen inc mod 2 offset 100 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "numgen": { + "mod": 2, + "mode": "inc", + "offset": 100 + } + } + } + } +] + +# dnat to numgen inc mod 2 map { 0 : 192.168.10.100, 1 : 192.168.20.200 } +[ + { + "dnat": { + "addr": { + "map": { + "key": { + "numgen": { + "mod": 2, + "mode": "inc" + } + }, + "data": { + "set": [ + [ + 0, + "192.168.10.100" + ], + [ + 1, + "192.168.20.200" + ] + ] + } + } + } + } + } +] + +# dnat to numgen inc mod 10 map { 0-5 : 192.168.10.100, 6-9 : 192.168.20.200} +[ + { + "dnat": { + "addr": { + "map": { + "key": { + "numgen": { + "mod": 10, + "mode": "inc" + } + }, + "data": { + "set": [ + [ + { "range": [ 0, 5 ] }, + "192.168.10.100" + ], + [ + { "range": [ 6, 9 ] }, + "192.168.20.200" + ] + ] + } + } + } + } + } +] + +# dnat to numgen inc mod 7 offset 167772161 +[ + { + "dnat": { + "addr": { + "numgen": { + "mod": 7, + "mode": "inc", + "offset": 167772161 + } + } + } + } +] + +# dnat to numgen inc mod 255 offset 167772161 +[ + { + "dnat": { + "addr": { + "numgen": { + "mod": 255, + "mode": "inc", + "offset": 167772161 + } + } + } + } +] + diff --git a/tests/py/ip/numgen.t.json.output b/tests/py/ip/numgen.t.json.output new file mode 100644 index 0000000..06ad1ec --- /dev/null +++ b/tests/py/ip/numgen.t.json.output @@ -0,0 +1,112 @@ +# ct mark set numgen inc mod 2 +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "numgen": { + "mod": 2, + "mode": "inc", + "offset": 0 + } + } + } + } +] + +# dnat to numgen inc mod 2 map { 0 : 192.168.10.100, 1 : 192.168.20.200 } +[ + { + "dnat": { + "addr": { + "map": { + "key": { + "numgen": { + "mod": 2, + "mode": "inc", + "offset": 0 + } + }, + "data": { + "set": [ + [ + 0, + "192.168.10.100" + ], + [ + 1, + "192.168.20.200" + ] + ] + } + } + } + } + } +] + +# dnat to numgen inc mod 10 map { 0-5 : 192.168.10.100, 6-9 : 192.168.20.200} +[ + { + "dnat": { + "addr": { + "map": { + "key": { + "numgen": { + "mod": 10, + "mode": "inc", + "offset": 0 + } + }, + "data": { + "set": [ + [ + { "range": [ 0, 5 ] }, + "192.168.10.100" + ], + [ + { "range": [ 6, 9 ] }, + "192.168.20.200" + ] + ] + } + } + } + } + } +] + +# dnat to numgen inc mod 7 offset 167772161 +[ + { + "dnat": { + "addr": { + "numgen": { + "mod": 7, + "mode": "inc", + "offset": 167772161 + } + } + } + } +] + +# dnat to numgen inc mod 255 offset 167772161 +[ + { + "dnat": { + "addr": { + "numgen": { + "mod": 255, + "mode": "inc", + "offset": 167772161 + } + } + } + } +] + diff --git a/tests/py/ip/numgen.t.payload b/tests/py/ip/numgen.t.payload new file mode 100644 index 0000000..b4eadf8 --- /dev/null +++ b/tests/py/ip/numgen.t.payload @@ -0,0 +1,40 @@ +# ct mark set numgen inc mod 2 +ip test-ip4 pre + [ numgen reg 1 = inc mod 2 ] + [ ct set mark with reg 1 ] + +# dnat to numgen inc mod 2 map { 0 : 192.168.10.100, 1 : 192.168.20.200 } +__map%d x b +__map%d x 0 + element 00000000 : 640aa8c0 0 [end] element 00000001 : c814a8c0 0 [end] +ip test-ip4 pre + [ numgen reg 1 = inc mod 2 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat dnat ip addr_min reg 1 ] + +# dnat to numgen inc mod 10 map { 0-5 : 192.168.10.100, 6-9 : 192.168.20.200} +__map%d test-ip4 f +__map%d test-ip4 0 + element 00000000 : 640aa8c0 0 [end] element 06000000 : c814a8c0 0 [end] element 0a000000 : 1 [end] +ip test-ip4 pre + [ numgen reg 1 = inc mod 10 ] + [ byteorder reg 1 = hton(reg 1, 4, 4) ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat dnat ip addr_min reg 1 ] + +# ct mark set numgen inc mod 2 offset 100 +ip test-ip4 pre + [ numgen reg 1 = inc mod 2 offset 100 ] + [ ct set mark with reg 1 ] + +# dnat to numgen inc mod 7 offset 167772161 +ip test-ip4 pre + [ numgen reg 1 = inc mod 7 offset 167772161 ] + [ byteorder reg 1 = hton(reg 1, 4, 4) ] + [ nat dnat ip addr_min reg 1 ] + +# dnat to numgen inc mod 255 offset 167772161 +ip test-ip4 pre + [ numgen reg 1 = inc mod 255 offset 167772161 ] + [ byteorder reg 1 = hton(reg 1, 4, 4) ] + [ nat dnat ip addr_min reg 1 ] diff --git a/tests/py/ip/objects.t b/tests/py/ip/objects.t new file mode 100644 index 0000000..4fcde7c --- /dev/null +++ b/tests/py/ip/objects.t @@ -0,0 +1,58 @@ +:output;type filter hook output priority 0 + +*ip;test-ip4;output + +# counter +%cnt1 type counter;ok +%cnt2 type counter;ok + +ip saddr 192.168.1.3 counter name "cnt2";ok +ip saddr 192.168.1.3 counter name "cnt3";fail +counter name tcp dport map {443 : "cnt1", 80 : "cnt2", 22 : "cnt1"};ok + +# quota +%qt1 type quota 25 mbytes;ok +%qt2 type quota over 1 kbytes;ok + +ip saddr 192.168.1.3 quota name "qt1";ok +ip saddr 192.168.1.3 quota name "qt3";fail +quota name tcp dport map {443 : "qt1", 80 : "qt2", 22 : "qt1"};ok + +# ct helper +%cthelp1 type ct helper { type "ftp" protocol tcp; };ok +%cthelp2 type ct helper { type "ftp" protocol tcp; l3proto ip6; };fail + +ct helper set "cthelp1";ok +ct helper set tcp dport map {21 : "cthelp1", 2121 : "cthelp1" };ok + +# limit +%lim1 type limit rate 400/minute;ok +%lim2 type limit rate over 1024 bytes/second burst 512 bytes;ok + +ip saddr 192.168.1.3 limit name "lim1";ok +ip saddr 192.168.1.3 limit name "lim3";fail +limit name tcp dport map {443 : "lim1", 80 : "lim2", 22 : "lim1"};ok + +# ct timeout +%cttime1 type ct timeout { protocol tcp; policy = { established:122 } ;};ok +%cttime2 type ct timeout { protocol udp; policy = { syn_sent:122 } ;};fail +%cttime3 type ct timeout { protocol tcp; policy = { established:132, close:16, close_wait:16 } ; l3proto ip ;};ok +%cttime4 type ct timeout { protocol udp; policy = { replied:14, unreplied:19 } ;};ok +%cttime5 type ct timeout {protocol tcp; policy = { estalbished:100 } ;};fail + +ct timeout set "cttime1";ok + +# ct expectation +%ctexpect1 type ct expectation { protocol tcp; dport 1234; timeout 2m; size 12; };ok +%ctexpect2 type ct expectation { protocol udp; };fail +%ctexpect3 type ct expectation { protocol tcp; dport 4321; };fail +%ctexpect4 type ct expectation { protocol tcp; dport 4321; timeout 2m; };fail +%ctexpect5 type ct expectation { protocol udp; dport 9876; timeout 2m; size 12; l3proto ip; };ok + +ct expectation set "ctexpect1";ok + +# synproxy +%synproxy1 type synproxy mss 1460 wscale 7;ok +%synproxy2 type synproxy mss 1460 wscale 7 timestamp sack-perm;ok + +synproxy name tcp dport map {443 : "synproxy1", 80 : "synproxy2"};ok diff --git a/tests/py/ip/objects.t.json b/tests/py/ip/objects.t.json new file mode 100644 index 0000000..a70dd9e --- /dev/null +++ b/tests/py/ip/objects.t.json @@ -0,0 +1,229 @@ +# ip saddr 192.168.1.3 counter name "cnt2" +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "192.168.1.3" + } + }, + { + "counter": "cnt2" + } +] + +# counter name tcp dport map {443 : "cnt1", 80 : "cnt2", 22 : "cnt1"} +[ + { + "counter": { + "map": { + "key": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "data": { + "set": [ + [ + 443, + "cnt1" + ], + [ + 80, + "cnt2" + ], + [ + 22, + "cnt1" + ] + ] + } + } + } + } +] + +# ip saddr 192.168.1.3 quota name "qt1" +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "192.168.1.3" + } + }, + { + "quota": "qt1" + } +] + +# quota name tcp dport map {443 : "qt1", 80 : "qt2", 22 : "qt1"} +[ + { + "quota": { + "map": { + "key": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "data": { + "set": [ + [ + 443, + "qt1" + ], + [ + 80, + "qt2" + ], + [ + 22, + "qt1" + ] + ] + } + } + } + } +] + +# ct helper set "cthelp1" +[ + { + "ct helper": "cthelp1" + } +] + +# ct helper set tcp dport map {21 : "cthelp1", 2121 : "cthelp1" } +[ + { + "ct helper": { + "map": { + "key": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "data": { + "set": [ + [ + 21, + "cthelp1" + ], + [ + 2121, + "cthelp1" + ] + ] + } + } + } + } +] + +# ip saddr 192.168.1.3 limit name "lim1" +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "192.168.1.3" + } + }, + { + "limit": "lim1" + } +] + +# limit name tcp dport map {443 : "lim1", 80 : "lim2", 22 : "lim1"} +[ + { + "limit": { + "map": { + "key": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "data": { + "set": [ + [ + 22, + "lim1" + ], + [ + 80, + "lim2" + ], + [ + 443, + "lim1" + ] + ] + } + } + } + } +] + +# ct timeout set "cttime1" +[ + { + "ct timeout": "cttime1" + } +] + +# ct expectation set "ctexpect1" +[ + { + "ct expectation": "ctexpect1" + } +] + +# synproxy name tcp dport map {443 : "synproxy1", 80 : "synproxy2"} +[ + { + "synproxy": { + "map": { + "key": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "data": { + "set": [ + [ + 80, + "synproxy2" + ], + [ + 443, + "synproxy1" + ] + ] + } + } + } + } +] diff --git a/tests/py/ip/objects.t.json.output b/tests/py/ip/objects.t.json.output new file mode 100644 index 0000000..ade195d --- /dev/null +++ b/tests/py/ip/objects.t.json.output @@ -0,0 +1,64 @@ +# counter name tcp dport map {443 : "cnt1", 80 : "cnt2", 22 : "cnt1"} +[ + { + "counter": { + "map": { + "key": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "data": { + "set": [ + [ + 22, + "cnt1" + ], + [ + 80, + "cnt2" + ], + [ + 443, + "cnt1" + ] + ] + } + } + } + } +] + +# quota name tcp dport map {443 : "qt1", 80 : "qt2", 22 : "qt1"} +[ + { + "quota": { + "map": { + "key": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "data": { + "set": [ + [ + 22, + "qt1" + ], + [ + 80, + "qt2" + ], + [ + 443, + "qt1" + ] + ] + } + } + } + } +] + diff --git a/tests/py/ip/objects.t.payload b/tests/py/ip/objects.t.payload new file mode 100644 index 0000000..5252724 --- /dev/null +++ b/tests/py/ip/objects.t.payload @@ -0,0 +1,79 @@ +# ip saddr 192.168.1.3 counter name "cnt2" +ip test-ip4 output + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x0301a8c0 ] + [ objref type 1 name cnt2 ] + +# counter name tcp dport map {443 : "cnt1", 80 : "cnt2", 22 : "cnt1"} +__objmap%d test-ip4 43 +__objmap%d test-ip4 0 + element 0000bb01 : 0 [end] element 00005000 : 0 [end] element 00001600 : 0 [end] +ip test-ip4 output + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ objref sreg 1 set __objmap%d ] + +# ip saddr 192.168.1.3 quota name "qt1" +ip test-ip4 output + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x0301a8c0 ] + [ objref type 2 name qt1 ] + +# quota name tcp dport map {443 : "qt1", 80 : "qt2", 22 : "qt1"} +__objmap%d test-ip4 43 +__objmap%d test-ip4 0 + element 0000bb01 : 0 [end] element 00005000 : 0 [end] element 00001600 : 0 [end] +ip test-ip4 output + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ objref sreg 1 set __objmap%d ] + +# ct helper set "cthelp1" +ip test-ip4 output + [ objref type 3 name cthelp1 ] + +# ct helper set tcp dport map {21 : "cthelp1", 2121 : "cthelp1" } +__objmap%d test-ip4 43 +__objmap%d test-ip4 0 + element 00001500 : 0 [end] element 00004908 : 0 [end] +ip test-ip4 output + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ objref sreg 1 set __objmap%d ] + +# ip saddr 192.168.1.3 limit name "lim1" +ip test-ip4 output + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x0301a8c0 ] + [ objref type 4 name lim1 ] + +# limit name tcp dport map {443 : "lim1", 80 : "lim2", 22 : "lim1"} +__objmap%d test-ip4 43 size 3 +__objmap%d test-ip4 0 + element 0000bb01 : 0 [end] element 00005000 : 0 [end] element 00001600 : 0 [end] +ip test-ip4 output + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ objref sreg 1 set __objmap%d ] + +# ct timeout set "cttime1" +ip test-ip4 output + [ objref type 7 name cttime1 ] + +# ct expectation set "ctexpect1" +ip test-ip4 output + [ objref type 9 name ctexpect1 ] + +# synproxy name tcp dport map {443 : "synproxy1", 80 : "synproxy2"} +__objmap%d test-ip4 43 size 2 +__objmap%d test-ip4 0 + element 0000bb01 : 0 [end] element 00005000 : 0 [end] +ip test-ip4 output + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ objref sreg 1 set __objmap%d ] diff --git a/tests/py/ip/redirect.t b/tests/py/ip/redirect.t new file mode 100644 index 0000000..8c2b52f --- /dev/null +++ b/tests/py/ip/redirect.t @@ -0,0 +1,51 @@ +:output;type nat hook output priority 0 + +*ip;test-ip4;output + +# without arguments +udp dport 53 redirect;ok + +# nf_nat flags combination +udp dport 53 redirect random;ok +udp dport 53 redirect random,persistent;ok +udp dport 53 redirect random,persistent,fully-random;ok;udp dport 53 redirect random,fully-random,persistent +udp dport 53 redirect random,fully-random;ok +udp dport 53 redirect random,fully-random,persistent;ok +udp dport 53 redirect persistent;ok +udp dport 53 redirect persistent,random;ok;udp dport 53 redirect random,persistent +udp dport 53 redirect persistent,random,fully-random;ok;udp dport 53 redirect random,fully-random,persistent +udp dport 53 redirect persistent,fully-random;ok;udp dport 53 redirect fully-random,persistent +udp dport 53 redirect persistent,fully-random,random;ok;udp dport 53 redirect random,fully-random,persistent + +# port specification +tcp dport 22 redirect to :22;ok +udp dport 1234 redirect to :4321;ok +ip daddr 172.16.0.1 udp dport 9998 redirect to :6515;ok +tcp dport 39128 redirect to :993;ok +ip protocol tcp redirect to :100-200;ok;ip protocol 6 redirect to :100-200 +redirect to :1234;fail +redirect to :12341111;fail + +# both port and nf_nat flags +tcp dport 9128 redirect to :993 random;ok +tcp dport 9128 redirect to :993 fully-random;ok +tcp dport 9128 redirect to :123 persistent;ok +tcp dport 9128 redirect to :123 random,persistent;ok + +# nf_nat flags is the last argument +udp dport 1234 redirect random to 123;fail +udp dport 21234 redirect persistent,fully-random to 431;fail + +# redirect is a terminal statement +tcp dport 22 redirect counter packets 0 bytes 0 accept;fail +tcp sport 22 redirect accept;fail +ip saddr 10.1.1.1 redirect drop;fail + +# redirect with sets +tcp dport { 1, 2, 3, 4, 5, 6, 7, 8, 101, 202, 303, 1001, 2002, 3003} redirect;ok +ip daddr 10.0.0.0-10.2.3.4 udp dport 53 counter redirect;ok +iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } redirect;ok + +# redirect with maps +redirect to :tcp dport map { 22 : 8000, 80 : 8080};ok + diff --git a/tests/py/ip/redirect.t.json b/tests/py/ip/redirect.t.json new file mode 100644 index 0000000..2afdf9b --- /dev/null +++ b/tests/py/ip/redirect.t.json @@ -0,0 +1,625 @@ +# udp dport 53 redirect +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 53 + } + }, + { + "redirect": null + } +] + +# udp dport 53 redirect random +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 53 + } + }, + { + "redirect": { + "flags": "random" + } + } +] + +# udp dport 53 redirect random,persistent +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 53 + } + }, + { + "redirect": { + "flags": [ + "random", + "persistent" + ] + } + } +] + +# udp dport 53 redirect random,persistent,fully-random +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 53 + } + }, + { + "redirect": { + "flags": [ + "random", + "persistent", + "fully-random" + ] + } + } +] + +# udp dport 53 redirect random,fully-random +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 53 + } + }, + { + "redirect": { + "flags": [ + "random", + "fully-random" + ] + } + } +] + +# udp dport 53 redirect random,fully-random,persistent +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 53 + } + }, + { + "redirect": { + "flags": [ + "random", + "fully-random", + "persistent" + ] + } + } +] + +# udp dport 53 redirect persistent +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 53 + } + }, + { + "redirect": { + "flags": "persistent" + } + } +] + +# udp dport 53 redirect persistent,random +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 53 + } + }, + { + "redirect": { + "flags": [ + "persistent", + "random" + ] + } + } +] + +# udp dport 53 redirect persistent,random,fully-random +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 53 + } + }, + { + "redirect": { + "flags": [ + "persistent", + "random", + "fully-random" + ] + } + } +] + +# udp dport 53 redirect persistent,fully-random +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 53 + } + }, + { + "redirect": { + "flags": [ + "persistent", + "fully-random" + ] + } + } +] + +# udp dport 53 redirect persistent,fully-random,random +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 53 + } + }, + { + "redirect": { + "flags": [ + "persistent", + "fully-random", + "random" + ] + } + } +] + +# tcp dport 22 redirect to :22 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + }, + { + "redirect": { + "port": 22 + } + } +] + +# udp dport 1234 redirect to :4321 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 1234 + } + }, + { + "redirect": { + "port": 4321 + } + } +] + +# ip daddr 172.16.0.1 udp dport 9998 redirect to :6515 +[ + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "172.16.0.1" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 9998 + } + }, + { + "redirect": { + "port": 6515 + } + } +] + +# tcp dport 39128 redirect to :993 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 39128 + } + }, + { + "redirect": { + "port": 993 + } + } +] + +# ip protocol tcp redirect to :100-200 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": "tcp" + } + }, + { + "redirect": { + "port": { + "range": [ 100, 200 ] + } + } + } +] + +# tcp dport 9128 redirect to :993 random +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 9128 + } + }, + { + "redirect": { + "flags": "random", + "port": 993 + } + } +] + +# tcp dport 9128 redirect to :993 fully-random +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 9128 + } + }, + { + "redirect": { + "flags": "fully-random", + "port": 993 + } + } +] + +# tcp dport 9128 redirect to :123 persistent +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 9128 + } + }, + { + "redirect": { + "flags": "persistent", + "port": 123 + } + } +] + +# tcp dport 9128 redirect to :123 random,persistent +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 9128 + } + }, + { + "redirect": { + "flags": [ + "random", + "persistent" + ], + "port": 123 + } + } +] + +# tcp dport { 1, 2, 3, 4, 5, 6, 7, 8, 101, 202, 303, 1001, 2002, 3003} redirect +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "set": [ + 1, + 2, + 3, + 4, + 5, + 6, + 7, + 8, + 101, + 202, + 303, + 1001, + 2002, + 3003 + ] + } + } + }, + { + "redirect": null + } +] + +# ip daddr 10.0.0.0-10.2.3.4 udp dport 53 counter redirect +[ + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": { + "range": [ "10.0.0.0", "10.2.3.4" ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 53 + } + }, + { + "counter": null + }, + { + "redirect": null + } +] + +# iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } redirect +[ + { + "match": { + "left": { + "meta": { "key": "iifname" } + }, + "op": "==", + "right": "eth0" + } + }, + { + "match": { + "left": { + "ct": { + "key": "state" + } + }, + "op": "in", + "right": [ + "established", + "new" + ] + } + }, + { + "vmap": { + "key": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "data": { + "set": [ + [ + 22, + { + "drop": null + } + ], + [ + 222, + { + "drop": null + } + ] + ] + } + } + }, + { + "redirect": null + } +] + +# redirect to :tcp dport map { 22 : 8000, 80 : 8080} +[ + { + "redirect": { + "port": { + "map": { + "key": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "data": { + "set": [ + [ + 22, + 8000 + ], + [ + 80, + 8080 + ] + ] + } + } + } + } + } +] + diff --git a/tests/py/ip/redirect.t.json.output b/tests/py/ip/redirect.t.json.output new file mode 100644 index 0000000..4646c60 --- /dev/null +++ b/tests/py/ip/redirect.t.json.output @@ -0,0 +1,146 @@ +# udp dport 53 redirect random,persistent,fully-random +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 53 + } + }, + { + "redirect": { + "flags": [ + "random", + "fully-random", + "persistent" + ] + } + } +] + +# udp dport 53 redirect persistent,random +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 53 + } + }, + { + "redirect": { + "flags": [ + "random", + "persistent" + ] + } + } +] + +# udp dport 53 redirect persistent,random,fully-random +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 53 + } + }, + { + "redirect": { + "flags": [ + "random", + "fully-random", + "persistent" + ] + } + } +] + +# udp dport 53 redirect persistent,fully-random +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 53 + } + }, + { + "redirect": { + "flags": [ + "fully-random", + "persistent" + ] + } + } +] + +# udp dport 53 redirect persistent,fully-random,random +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 53 + } + }, + { + "redirect": { + "flags": [ + "random", + "fully-random", + "persistent" + ] + } + } +] + +# ip protocol tcp redirect to :100-200 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": 6 + } + }, + { + "redirect": { + "port": { + "range": [ 100, 200 ] + } + } + } +] + diff --git a/tests/py/ip/redirect.t.payload b/tests/py/ip/redirect.t.payload new file mode 100644 index 0000000..4bed47c --- /dev/null +++ b/tests/py/ip/redirect.t.payload @@ -0,0 +1,220 @@ +# udp dport 53 redirect +ip test-ip4 output + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00003500 ] + [ redir ] + +# udp dport 53 redirect random +ip test-ip4 output + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00003500 ] + [ redir flags 0x4 ] + +# udp dport 53 redirect random,persistent +ip test-ip4 output + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00003500 ] + [ redir flags 0xc ] + +# udp dport 53 redirect random,persistent,fully-random +ip test-ip4 output + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00003500 ] + [ redir flags 0x1c ] + +# udp dport 53 redirect random,fully-random +ip test-ip4 output + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00003500 ] + [ redir flags 0x14 ] + +# udp dport 53 redirect random,fully-random,persistent +ip test-ip4 output + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00003500 ] + [ redir flags 0x1c ] + +# udp dport 53 redirect persistent +ip test-ip4 output + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00003500 ] + [ redir flags 0x8 ] + +# udp dport 53 redirect persistent,random +ip test-ip4 output + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00003500 ] + [ redir flags 0xc ] + +# udp dport 53 redirect persistent,random,fully-random +ip test-ip4 output + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00003500 ] + [ redir flags 0x1c ] + +# udp dport 53 redirect persistent,fully-random +ip test-ip4 output + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00003500 ] + [ redir flags 0x18 ] + +# udp dport 53 redirect persistent,fully-random,random +ip test-ip4 output + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00003500 ] + [ redir flags 0x1c ] + +# tcp dport 22 redirect to :22 +ip test-ip4 output + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + [ immediate reg 1 0x00001600 ] + [ redir proto_min reg 1 flags 0x2 ] + +# udp dport 1234 redirect to :4321 +ip test-ip4 output + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000d204 ] + [ immediate reg 1 0x0000e110 ] + [ redir proto_min reg 1 flags 0x2 ] + +# ip daddr 172.16.0.1 udp dport 9998 redirect to :6515 +ip test-ip4 output + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x010010ac ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00000e27 ] + [ immediate reg 1 0x00007319 ] + [ redir proto_min reg 1 flags 0x2 ] + +# tcp dport 39128 redirect to :993 +ip test-ip4 output + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000d898 ] + [ immediate reg 1 0x0000e103 ] + [ redir proto_min reg 1 flags 0x2 ] + +# ip protocol tcp redirect to :100-200 +ip test-ip4 output + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ immediate reg 1 0x00006400 ] + [ immediate reg 2 0x0000c800 ] + [ redir proto_min reg 1 proto_max reg 2 flags 0x2 ] + +# tcp dport 9128 redirect to :993 random +ip test-ip4 output + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000a823 ] + [ immediate reg 1 0x0000e103 ] + [ redir proto_min reg 1 flags 0x6 ] + +# tcp dport 9128 redirect to :993 fully-random +ip test-ip4 output + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000a823 ] + [ immediate reg 1 0x0000e103 ] + [ redir proto_min reg 1 flags 0x12 ] + +# tcp dport 9128 redirect to :123 persistent +ip test-ip4 output + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000a823 ] + [ immediate reg 1 0x00007b00 ] + [ redir proto_min reg 1 flags 0xa ] + +# tcp dport 9128 redirect to :123 random,persistent +ip test-ip4 output + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000a823 ] + [ immediate reg 1 0x00007b00 ] + [ redir proto_min reg 1 flags 0xe ] + +# tcp dport { 1, 2, 3, 4, 5, 6, 7, 8, 101, 202, 303, 1001, 2002, 3003} redirect +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00000100 : 0 [end] element 00000200 : 0 [end] element 00000300 : 0 [end] element 00000400 : 0 [end] element 00000500 : 0 [end] element 00000600 : 0 [end] element 00000700 : 0 [end] element 00000800 : 0 [end] element 00006500 : 0 [end] element 0000ca00 : 0 [end] element 00002f01 : 0 [end] element 0000e903 : 0 [end] element 0000d207 : 0 [end] element 0000bb0b : 0 [end] +ip test-ip4 output + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ redir ] + +# ip daddr 10.0.0.0-10.2.3.4 udp dport 53 counter redirect +ip test-ip4 output + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp gte reg 1 0x0000000a ] + [ cmp lte reg 1 0x0403020a ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00003500 ] + [ counter pkts 0 bytes 0 ] + [ redir ] + +# iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } redirect +__map%d test-ip4 b +__map%d test-ip4 0 + element 00001600 : drop 0 [end] element 0000de00 : drop 0 [end] +ip test-ip4 output + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] + [ ct load state => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000a ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __map%d dreg 0 ] + [ redir ] + +# redirect to :tcp dport map { 22 : 8000, 80 : 8080} +__map%d test-ip4 b +__map%d test-ip4 0 + element 00001600 : 0000401f 0 [end] element 00005000 : 0000901f 0 [end] +ip test-ip4 output + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ redir proto_min reg 1 flags 0x2 ] + diff --git a/tests/py/ip/reject.t b/tests/py/ip/reject.t new file mode 100644 index 0000000..ad00994 --- /dev/null +++ b/tests/py/ip/reject.t @@ -0,0 +1,17 @@ +:output;type filter hook output priority 0 + +*ip;test-ip4;output + +reject;ok +reject with icmp host-unreachable;ok +reject with icmp net-unreachable;ok +reject with icmp prot-unreachable;ok +reject with icmp port-unreachable;ok;reject +reject with icmp net-prohibited;ok +reject with icmp host-prohibited;ok +reject with icmp admin-prohibited;ok +reject with icmp 3;ok;reject +mark 0x80000000 reject with tcp reset;ok;meta mark 0x80000000 reject with tcp reset + +reject with icmp no-route;fail +reject with icmpv6 no-route;fail diff --git a/tests/py/ip/reject.t.json b/tests/py/ip/reject.t.json new file mode 100644 index 0000000..3e1d28d --- /dev/null +++ b/tests/py/ip/reject.t.json @@ -0,0 +1,105 @@ +# reject +[ + { + "reject": null + } +] + +# reject with icmp host-unreachable +[ + { + "reject": { + "expr": "host-unreachable", + "type": "icmp" + } + } +] + +# reject with icmp net-unreachable +[ + { + "reject": { + "expr": "net-unreachable", + "type": "icmp" + } + } +] + +# reject with icmp prot-unreachable +[ + { + "reject": { + "expr": "prot-unreachable", + "type": "icmp" + } + } +] + +# reject with icmp port-unreachable +[ + { + "reject": { + "expr": "port-unreachable", + "type": "icmp" + } + } +] + +# reject with icmp net-prohibited +[ + { + "reject": { + "expr": "net-prohibited", + "type": "icmp" + } + } +] + +# reject with icmp host-prohibited +[ + { + "reject": { + "expr": "host-prohibited", + "type": "icmp" + } + } +] + +# reject with icmp admin-prohibited +[ + { + "reject": { + "expr": "admin-prohibited", + "type": "icmp" + } + } +] + +# reject with icmp 3 +[ + { + "reject": { + "expr": "port-unreachable", + "type": "icmp" + } + } +] + +# mark 0x80000000 reject with tcp reset +[ + { + "match": { + "left": { + "meta": { "key": "mark" } + }, + "op": "==", + "right": "0x80000000" + } + }, + { + "reject": { + "type": "tcp reset" + } + } +] + diff --git a/tests/py/ip/reject.t.json.output b/tests/py/ip/reject.t.json.output new file mode 100644 index 0000000..3917413 --- /dev/null +++ b/tests/py/ip/reject.t.json.output @@ -0,0 +1,28 @@ +# reject +[ + { + "reject": { + "expr": "port-unreachable", + "type": "icmp" + } + } +] + +# mark 0x80000000 reject with tcp reset +[ + { + "match": { + "left": { + "meta": { "key": "mark" } + }, + "op": "==", + "right": 2147483648 + } + }, + { + "reject": { + "type": "tcp reset" + } + } +] + diff --git a/tests/py/ip/reject.t.payload b/tests/py/ip/reject.t.payload new file mode 100644 index 0000000..5829065 --- /dev/null +++ b/tests/py/ip/reject.t.payload @@ -0,0 +1,44 @@ +# reject +ip test-ip4 output + [ reject type 0 code 3 ] + +# reject with icmp host-unreachable +ip test-ip4 output + [ reject type 0 code 1 ] + +# reject with icmp net-unreachable +ip test-ip4 output + [ reject type 0 code 0 ] + +# reject with icmp prot-unreachable +ip test-ip4 output + [ reject type 0 code 2 ] + +# reject with icmp port-unreachable +ip test-ip4 output + [ reject type 0 code 3 ] + +# reject with icmp net-prohibited +ip test-ip4 output + [ reject type 0 code 9 ] + +# reject with icmp host-prohibited +ip test-ip4 output + [ reject type 0 code 10 ] + +# reject with icmp admin-prohibited +ip test-ip4 output + [ reject type 0 code 13 ] + +# reject with icmp 3 +ip test-ip4 output + [ reject type 0 code 3 ] + +# mark 0x80000000 reject with tcp reset +ip test-ip4 output + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ meta load mark => reg 1 ] + [ cmp eq reg 1 0x80000000 ] + [ reject type 1 code 0 ] + diff --git a/tests/py/ip/rt.t b/tests/py/ip/rt.t new file mode 100644 index 0000000..986bf34 --- /dev/null +++ b/tests/py/ip/rt.t @@ -0,0 +1,7 @@ +:output;type filter hook input priority 0 + +*ip;test-ip4;output + +rt nexthop 192.168.0.1;ok;rt ip nexthop 192.168.0.1 +rt nexthop fd00::1;fail +rt ip6 nexthop fd00::1;fail diff --git a/tests/py/ip/rt.t.json b/tests/py/ip/rt.t.json new file mode 100644 index 0000000..41dbe34 --- /dev/null +++ b/tests/py/ip/rt.t.json @@ -0,0 +1,16 @@ +# rt nexthop 192.168.0.1 +[ + { + "match": { + "left": { + "rt": { + "family": "ip", + "key": "nexthop" + } + }, + "op": "==", + "right": "192.168.0.1" + } + } +] + diff --git a/tests/py/ip/rt.t.payload b/tests/py/ip/rt.t.payload new file mode 100644 index 0000000..93eef4a --- /dev/null +++ b/tests/py/ip/rt.t.payload @@ -0,0 +1,5 @@ +# rt nexthop 192.168.0.1 +ip test-ip4 output + [ rt load nexthop4 => reg 1 ] + [ cmp eq reg 1 0x0100a8c0 ] + diff --git a/tests/py/ip/sets.t b/tests/py/ip/sets.t new file mode 100644 index 0000000..46d9686 --- /dev/null +++ b/tests/py/ip/sets.t @@ -0,0 +1,68 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 + +*ip;test-ip4;input +*inet;test-inet;input +*netdev;test-netdev;ingress,egress + +!w type ipv4_addr;ok +!x type inet_proto;ok +!y type inet_service;ok +!z type time;ok + +!set1 type ipv4_addr;ok +?set1 192.168.3.4;ok + +?set1 192.168.3.4;ok +?set1 192.168.3.5, 192.168.3.6;ok +?set1 192.168.3.5, 192.168.3.6;ok +?set1 192.168.3.8, 192.168.3.9;ok +?set1 192.168.3.10, 192.168.3.11;ok +?set1 1234:1234:1234:1234:1234:1234:1234:1234;fail +?set2 192.168.3.4;fail + +!set2 type ipv4_addr;ok +?set2 192.168.3.4;ok +?set2 192.168.3.5, 192.168.3.6;ok +?set2 192.168.3.5, 192.168.3.6;ok +?set2 192.168.3.8, 192.168.3.9;ok +?set2 192.168.3.10, 192.168.3.11;ok + +ip saddr @set1 drop;ok +ip saddr != @set1 drop;ok +ip saddr @set2 drop;ok +ip saddr != @set2 drop;ok +ip saddr @set33 drop;fail +ip saddr != @set33 drop;fail + +!set3 type ipv4_addr flags interval;ok +?set3 192.168.0.0/16;ok +?set3 172.16.0.0/12;ok +?set3 10.0.0.0/8;ok + +!set4 type ipv4_addr flags interval;ok +?set4 192.168.1.0/24;ok +?set4 192.168.0.0/24;ok +?set4 192.168.2.0/24;ok +?set4 192.168.1.1;fail +?set4 192.168.3.0/24;ok + +!set5 type ipv4_addr . ipv4_addr;ok +ip saddr . ip daddr @set5 drop;ok +add @set5 { ip saddr . ip daddr };ok + +!map1 type ipv4_addr . ipv4_addr : mark;ok +add @map1 { ip saddr . ip daddr : meta mark };ok + +# test nested anonymous sets +ip saddr { { 1.1.1.0, 3.3.3.0 }, 2.2.2.0 };ok;ip saddr { 1.1.1.0, 2.2.2.0, 3.3.3.0 } +ip saddr { { 1.1.1.0/24, 3.3.3.0/24 }, 2.2.2.0/24 };ok;ip saddr { 1.1.1.0/24, 2.2.2.0/24, 3.3.3.0/24 } + +!set6 type ipv4_addr;ok +?set6 192.168.3.5, *;ok +ip saddr @set6 drop;ok + +ip saddr vmap { 1.1.1.1 : drop, * : accept };ok +meta mark set ip saddr map { 1.1.1.1 : 0x00000001, * : 0x00000002 };ok + diff --git a/tests/py/ip/sets.t.json b/tests/py/ip/sets.t.json new file mode 100644 index 0000000..44ca152 --- /dev/null +++ b/tests/py/ip/sets.t.json @@ -0,0 +1,305 @@ +# ip saddr @set1 drop +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "@set1" + } + }, + { + "drop": null + } +] + +# ip saddr != @set1 drop +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "!=", + "right": "@set1" + } + }, + { + "drop": null + } +] + +# ip saddr @set2 drop +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "@set2" + } + }, + { + "drop": null + } +] + +# ip saddr != @set2 drop +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "!=", + "right": "@set2" + } + }, + { + "drop": null + } +] + +# ip saddr . ip daddr @set5 drop +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip" + } + } + ] + }, + "op": "==", + "right": "@set5" + } + }, + { + "drop": null + } +] + +# add @set5 { ip saddr . ip daddr } +[ + { + "set": { + "elem": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip" + } + } + ] + }, + "op": "add", + "set": "@set5" + } + } +] + +# ip saddr { { 1.1.1.0, 3.3.3.0 }, 2.2.2.0 } +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": { + "set": [ + "1.1.1.0", + "2.2.2.0", + "3.3.3.0" + ] + } + } + } +] + +# ip saddr { { 1.1.1.0/24, 3.3.3.0/24 }, 2.2.2.0/24 } +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": { + "set": [ + { + "prefix": { + "addr": "1.1.1.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "2.2.2.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "3.3.3.0", + "len": 24 + } + } + ] + } + } + } +] + +# ip saddr @set6 drop +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "@set6" + } + }, + { + "drop": null + } +] + +# ip saddr vmap { 1.1.1.1 : drop, * : accept } +[ + { + "vmap": { + "data": { + "set": [ + [ + "1.1.1.1", + { + "drop": null + } + ], + [ + "*", + { + "accept": null + } + ] + ] + }, + "key": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + } + } +] + +# meta mark set ip saddr map { 1.1.1.1 : 0x00000001, * : 0x00000002 } +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "map": { + "data": { + "set": [ + [ + "1.1.1.1", + 1 + ], + [ + "*", + 2 + ] + ] + }, + "key": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + } + } + } + } +] + +# add @map1 { ip saddr . ip daddr : meta mark } +[ + { + "map": { + "data": { + "meta": { + "key": "mark" + } + }, + "elem": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip" + } + } + ] + }, + "map": "@map1", + "op": "add" + } + } +] + diff --git a/tests/py/ip/sets.t.json.got b/tests/py/ip/sets.t.json.got new file mode 100644 index 0000000..8fae580 --- /dev/null +++ b/tests/py/ip/sets.t.json.got @@ -0,0 +1,62 @@ +# add @map1 { ip saddr . ip daddr : meta mark } +[ + { + "set": { + "data": { + "meta": { + "key": "mark" + } + }, + "elem": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip" + } + } + ] + }, + "map": "@map1", + "op": "add" + } + } +] + +# add @map1 { ip saddr . ip daddr : meta mark } +[ + { + "map": { + "data": { + "meta": { + "key": "mark" + } + }, + "elem": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip" + } + } + ] + }, + "map": "@map1", + "op": "add" + } + } +] + diff --git a/tests/py/ip/sets.t.json.payload.got b/tests/py/ip/sets.t.json.payload.got new file mode 100644 index 0000000..daf27aa --- /dev/null +++ b/tests/py/ip/sets.t.json.payload.got @@ -0,0 +1,157 @@ +# add @map1 { ip saddr . ip daddr : meta mark } +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ meta load mark => reg 10 ] + [ dynset add reg_key 1 set map1 sreg_data 10 ] + +# add @map1 { ip saddr . ip daddr : meta mark } +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ meta load mark => reg 10 ] + [ dynset add reg_key 1 set map1 sreg_data 10 ] + +# add @map1 { ip saddr . ip daddr : meta mark } +netdev test-netdev egress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ meta load mark => reg 10 ] + [ dynset add reg_key 1 set map1 sreg_data 10 ] + +# add @map1 { ip saddr . ip daddr : meta mark } +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ meta load mark => reg 10 ] + [ dynset add reg_key 1 set map1 sreg_data 10 ] + +# add @map1 { ip saddr . ip daddr : meta mark } +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ meta load mark => reg 10 ] + [ dynset add reg_key 1 set map1 sreg_data 10 ] + +# add @map1 { ip saddr . ip daddr : meta mark } +netdev test-netdev egress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ meta load mark => reg 10 ] + [ dynset add reg_key 1 set map1 sreg_data 10 ] + +# add @map1 { ip saddr . ip daddr : meta mark } +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ meta load mark => reg 10 ] + [ dynset add reg_key 1 set map1 sreg_data 10 ] + +# add @map1 { ip saddr . ip daddr : meta mark } +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ meta load mark => reg 10 ] + [ dynset add reg_key 1 set map1 sreg_data 10 ] + +# add @map1 { ip saddr . ip daddr : meta mark } +netdev test-netdev egress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ meta load mark => reg 10 ] + [ dynset add reg_key 1 set map1 sreg_data 10 ] + +# add @map1 { ip saddr . ip daddr : meta mark } +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ meta load mark => reg 10 ] + [ dynset add reg_key 1 set map1 sreg_data 10 ] + +# add @map1 { ip saddr . ip daddr : meta mark } +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ meta load mark => reg 10 ] + [ dynset add reg_key 1 set map1 sreg_data 10 ] + +# add @map1 { ip saddr . ip daddr : meta mark } +netdev test-netdev egress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ meta load mark => reg 10 ] + [ dynset add reg_key 1 set map1 sreg_data 10 ] + +# add @map1 { ip saddr . ip daddr : meta mark } +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ meta load mark => reg 10 ] + [ dynset add reg_key 1 set map1 sreg_data 10 ] + +# add @map1 { ip saddr . ip daddr : meta mark } +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ meta load mark => reg 10 ] + [ dynset add reg_key 1 set map1 sreg_data 10 ] + +# add @map1 { ip saddr . ip daddr : meta mark } +netdev test-netdev egress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ meta load mark => reg 10 ] + [ dynset add reg_key 1 set map1 sreg_data 10 ] + +# add @map1 { ip saddr . ip daddr : meta mark } +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ meta load mark => reg 10 ] + [ dynset add reg_key 1 set map1 sreg_data 10 ] + +# add @map1 { ip saddr . ip daddr : meta mark } +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ meta load mark => reg 10 ] + [ dynset add reg_key 1 set map1 sreg_data 10 ] + +# add @map1 { ip saddr . ip daddr : meta mark } +netdev test-netdev egress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ meta load mark => reg 10 ] + [ dynset add reg_key 1 set map1 sreg_data 10 ] + +# add @map1 { ip saddr . ip daddr : meta mark } +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ meta load mark => reg 10 ] + [ dynset add reg_key 1 set map1 sreg_data 10 ] + diff --git a/tests/py/ip/sets.t.payload.inet b/tests/py/ip/sets.t.payload.inet new file mode 100644 index 0000000..fd6517a --- /dev/null +++ b/tests/py/ip/sets.t.payload.inet @@ -0,0 +1,106 @@ +# ip saddr @set1 drop +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set set1 ] + [ immediate reg 0 drop ] + +# ip saddr != @set1 drop +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set set1 0x1 ] + [ immediate reg 0 drop ] + +# ip saddr @set2 drop +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set set2 ] + [ immediate reg 0 drop ] + +# ip saddr != @set2 drop +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set set2 0x1 ] + [ immediate reg 0 drop ] + +# ip saddr . ip daddr @set5 drop +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ lookup reg 1 set set5 ] + [ immediate reg 0 drop ] + +# add @set5 { ip saddr . ip daddr } +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ dynset add reg_key 1 set set5 ] + +# ip saddr { { 1.1.1.0, 3.3.3.0 }, 2.2.2.0 } +__set%d t 3 +__set%d t 0 + element 00010101 : 0 [end] element 00030303 : 0 [end] element 00020202 : 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# ip saddr { { 1.1.1.0/24, 3.3.3.0/24 }, 2.2.2.0/24 } +__set%d t 7 +__set%d t 0 + element 00000000 : 1 [end] element 00010101 : 0 [end] element 00020101 : 1 [end] element 00020202 : 0 [end] element 00030202 : 1 [end] element 00030303 : 0 [end] element 00040303 : 1 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# ip saddr @set6 drop +inet + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set set6 ] + [ immediate reg 0 drop ] + +# add @map1 { ip saddr . ip daddr : meta mark } +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ meta load mark => reg 10 ] + [ dynset add reg_key 1 set map1 sreg_data 10 ] + +# ip saddr vmap { 1.1.1.1 : drop, * : accept } +__map%d test-inet b +__map%d test-inet 0 + element 01010101 : drop 0 [end] element : accept 2 [end] +inet + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __map%d dreg 0 ] + +# meta mark set ip saddr map { 1.1.1.1 : 0x00000001, * : 0x00000002 } +__map%d test-inet b +__map%d test-inet 0 + element 01010101 : 00000001 0 [end] element : 00000002 2 [end] +inet + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ meta set mark with reg 1 ] diff --git a/tests/py/ip/sets.t.payload.ip b/tests/py/ip/sets.t.payload.ip new file mode 100644 index 0000000..d9cc32b --- /dev/null +++ b/tests/py/ip/sets.t.payload.ip @@ -0,0 +1,83 @@ +# ip saddr @set1 drop +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set set1 ] + [ immediate reg 0 drop ] + +# ip saddr != @set1 drop +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set set1 0x1 ] + [ immediate reg 0 drop ] + +# ip saddr @set2 drop +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set set2 ] + [ immediate reg 0 drop ] + +# ip saddr != @set2 drop +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set set2 0x1 ] + [ immediate reg 0 drop ] + +# ip saddr . ip daddr @set5 drop +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ lookup reg 1 set set5 ] + [ immediate reg 0 drop ] + +# add @set5 { ip saddr . ip daddr } +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ dynset add reg_key 1 set set5 ] + +# ip saddr { { 1.1.1.0, 3.3.3.0 }, 2.2.2.0 } +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00010101 : 0 [end] element 00030303 : 0 [end] element 00020202 : 0 [end] +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# ip saddr { { 1.1.1.0/24, 3.3.3.0/24 }, 2.2.2.0/24 } +__set%d test-ip4 7 +__set%d test-ip4 0 + element 00000000 : 1 [end] element 00010101 : 0 [end] element 00020101 : 1 [end] element 00020202 : 0 [end] element 00030202 : 1 [end] element 00030303 : 0 [end] element 00040303 : 1 [end] +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# ip saddr @set6 drop +ip + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set set6 ] + [ immediate reg 0 drop ] + +# ip saddr vmap { 1.1.1.1 : drop, * : accept } +__map%d test-ip4 b +__map%d test-ip4 0 + element 01010101 : drop 0 [end] element : accept 2 [end] +ip + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __map%d dreg 0 ] + +# meta mark set ip saddr map { 1.1.1.1 : 0x00000001, * : 0x00000002 } +__map%d test-ip4 b +__map%d test-ip4 0 + element 01010101 : 00000001 0 [end] element : 00000002 2 [end] +ip + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ meta set mark with reg 1 ] + +# add @map1 { ip saddr . ip daddr : meta mark } +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ meta load mark => reg 10 ] + [ dynset add reg_key 1 set map1 sreg_data 10 ] + diff --git a/tests/py/ip/sets.t.payload.ip.got b/tests/py/ip/sets.t.payload.ip.got new file mode 100644 index 0000000..c43a0c5 --- /dev/null +++ b/tests/py/ip/sets.t.payload.ip.got @@ -0,0 +1,14 @@ +# add @map5 { ip saddr . ip daddr : meta mark } +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ meta load mark => reg 10 ] + [ dynset add reg_key 1 set map5 sreg_data 10 ] + +# add @map1 { ip saddr . ip daddr : meta mark } +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ meta load mark => reg 10 ] + [ dynset add reg_key 1 set map1 sreg_data 10 ] + diff --git a/tests/py/ip/sets.t.payload.netdev b/tests/py/ip/sets.t.payload.netdev new file mode 100644 index 0000000..d41b9e8 --- /dev/null +++ b/tests/py/ip/sets.t.payload.netdev @@ -0,0 +1,107 @@ +# ip saddr @set1 drop +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set set1 ] + [ immediate reg 0 drop ] + +# ip saddr != @set1 drop +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set set1 0x1 ] + [ immediate reg 0 drop ] + +# ip saddr @set2 drop +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set set2 ] + [ immediate reg 0 drop ] + +# ip saddr != @set2 drop +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set set2 0x1 ] + [ immediate reg 0 drop ] + +# ip saddr . ip daddr @set5 drop +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ lookup reg 1 set set5 ] + [ immediate reg 0 drop ] + +# add @set5 { ip saddr . ip daddr } +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ dynset add reg_key 1 set set5 ] + +# ip saddr { { 1.1.1.0, 3.3.3.0 }, 2.2.2.0 } +__set%d test-netdev 3 +__set%d test-netdev 0 + element 00010101 : 0 [end] element 00030303 : 0 [end] element 00020202 : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# ip saddr { { 1.1.1.0/24, 3.3.3.0/24 }, 2.2.2.0/24 } +__set%d test-netdev 7 +__set%d test-netdev 0 + element 00000000 : 1 [end] element 00010101 : 0 [end] element 00020101 : 1 [end] element 00020202 : 0 [end] element 00030202 : 1 [end] element 00030303 : 0 [end] element 00040303 : 1 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# ip saddr @set6 drop +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set set6 ] + [ immediate reg 0 drop ] + +# ip saddr vmap { 1.1.1.1 : drop, * : accept } +__map%d test-netdev b +__map%d test-netdev 0 + element 01010101 : drop 0 [end] element : accept 2 [end] +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __map%d dreg 0 ] + +# meta mark set ip saddr map { 1.1.1.1 : 0x00000001, * : 0x00000002 } +__map%d test-netdev b +__map%d test-netdev 0 + element 01010101 : 00000001 0 [end] element : 00000002 2 [end] +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ meta set mark with reg 1 ] + +# add @map1 { ip saddr . ip daddr : meta mark } +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ meta load mark => reg 10 ] + [ dynset add reg_key 1 set map1 sreg_data 10 ] + diff --git a/tests/py/ip/sets.t.payload.netdev.got b/tests/py/ip/sets.t.payload.netdev.got new file mode 100644 index 0000000..4c80527 --- /dev/null +++ b/tests/py/ip/sets.t.payload.netdev.got @@ -0,0 +1,18 @@ +# add @map5 { ip saddr . ip daddr : meta mark } +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ meta load mark => reg 10 ] + [ dynset add reg_key 1 set map5 sreg_data 10 ] + +# add @map1 { ip saddr . ip daddr : meta mark } +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ meta load mark => reg 10 ] + [ dynset add reg_key 1 set map1 sreg_data 10 ] + diff --git a/tests/py/ip/snat.t b/tests/py/ip/snat.t new file mode 100644 index 0000000..d4b0d2c --- /dev/null +++ b/tests/py/ip/snat.t @@ -0,0 +1,21 @@ +:postrouting;type nat hook postrouting priority 0 + +*ip;test-ip4;postrouting + +iifname "eth0" tcp dport 80-90 snat to 192.168.3.2;ok +iifname "eth0" tcp dport != 80-90 snat to 192.168.3.2;ok +iifname "eth0" tcp dport {80, 90, 23} snat to 192.168.3.2;ok +iifname "eth0" tcp dport != {80, 90, 23} snat to 192.168.3.2;ok +iifname "eth0" tcp dport 80-90 snat to 192.168.3.0-192.168.3.255;ok;iifname "eth0" tcp dport 80-90 snat to 192.168.3.0/24 +iifname "eth0" tcp dport 80-90 snat to 192.168.3.15-192.168.3.240;ok + +iifname "eth0" tcp dport != 23-34 snat to 192.168.3.2;ok + +meta l4proto 17 snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 };ok +snat ip to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 };ok +snat ip to ip saddr map { 10.141.12.14 : 192.168.2.0/24 };ok +snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24 };ok + +meta l4proto { 6, 17} snat ip to ip saddr . th dport map { 10.141.11.4 . 20 : 192.168.2.3 . 80};ok +snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 };fail +snat ip to ip saddr . th dport map { 10.141.11.4 . 20 : 192.168.2.3 . 80 };fail diff --git a/tests/py/ip/snat.t.json b/tests/py/ip/snat.t.json new file mode 100644 index 0000000..967560e --- /dev/null +++ b/tests/py/ip/snat.t.json @@ -0,0 +1,530 @@ +# iifname "eth0" tcp dport 80-90 snat to 192.168.3.2 +[ + { + "match": { + "left": { + "meta": { "key": "iifname" } + }, + "op": "==", + "right": "eth0" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "range": [ 80, 90 ] + } + } + }, + { + "snat": { + "addr": "192.168.3.2" + } + } +] + +# iifname "eth0" tcp dport != 80-90 snat to 192.168.3.2 +[ + { + "match": { + "left": { + "meta": { "key": "iifname" } + }, + "op": "==", + "right": "eth0" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "!=", + "right": { + "range": [ 80, 90 ] + } + } + }, + { + "snat": { + "addr": "192.168.3.2" + } + } +] + +# iifname "eth0" tcp dport {80, 90, 23} snat to 192.168.3.2 +[ + { + "match": { + "left": { + "meta": { "key": "iifname" } + }, + "op": "==", + "right": "eth0" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "set": [ + 80, + 90, + 23 + ] + } + } + }, + { + "snat": { + "addr": "192.168.3.2" + } + } +] + +# iifname "eth0" tcp dport != {80, 90, 23} snat to 192.168.3.2 +[ + { + "match": { + "left": { + "meta": { "key": "iifname" } + }, + "op": "==", + "right": "eth0" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "!=", + "right": { + "set": [ + 80, + 90, + 23 + ] + } + } + }, + { + "snat": { + "addr": "192.168.3.2" + } + } +] + +# iifname "eth0" tcp dport != 23-34 snat to 192.168.3.2 +[ + { + "match": { + "left": { + "meta": { "key": "iifname" } + }, + "op": "==", + "right": "eth0" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "!=", + "right": { + "range": [ 23, 34 ] + } + } + }, + { + "snat": { + "addr": "192.168.3.2" + } + } +] + +# iifname "eth0" tcp dport 80-90 snat to 192.168.3.0-192.168.3.255 +[ + { + "match": { + "left": { + "meta": { + "key": "iifname" + } + }, + "op": "==", + "right": "eth0" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "range": [ + 80, + 90 + ] + } + } + }, + { + "snat": { + "addr": { + "prefix": { + "addr": "192.168.3.0", + "len": 24 + } + } + } + } +] + +# iifname "eth0" tcp dport 80-90 snat to 192.168.3.15-192.168.3.240 +[ + { + "match": { + "left": { + "meta": { + "key": "iifname" + } + }, + "op": "==", + "right": "eth0" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "range": [ + 80, + 90 + ] + } + } + }, + { + "snat": { + "addr": { + "range": [ + "192.168.3.15", + "192.168.3.240" + ] + } + } + } +] + +# snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 } +[ + { + "snat": { + "addr": { + "map": { + "data": { + "set": [ + [ + "10.141.11.4", + { + "concat": [ + "192.168.2.3", + 80 + ] + } + ] + ] + }, + "key": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + } + }, + "family": "ip", + "type_flags": "concat" + } + } +] + +# snat ip interval to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 } +[ + { + "snat": { + "addr": { + "map": { + "data": { + "set": [ + [ + "10.141.11.4", + { + "range": [ + "192.168.2.2", + "192.168.2.4" + ] + } + ] + ] + }, + "key": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + } + }, + "family": "ip", + "type_flags": "interval" + } + } +] + +# snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24 } +[ + { + "snat": { + "addr": { + "map": { + "data": { + "set": [ + [ + { + "prefix": { + "addr": "10.141.11.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "192.168.2.0", + "len": 24 + } + } + ] + ] + }, + "key": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + } + }, + "family": "ip", + "flags": "netmap", + "type_flags": [ + "interval", + "prefix" + ] + } + } +] + +# meta l4proto 17 snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 } +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": "udp" + } + }, + { + "snat": { + "addr": { + "map": { + "data": { + "set": [ + [ + "10.141.11.4", + { + "concat": [ + "192.168.2.3", + 80 + ] + } + ] + ] + }, + "key": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + } + }, + "family": "ip" + } + } +] + +# snat ip to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 } +[ + { + "snat": { + "addr": { + "map": { + "data": { + "set": [ + [ + "10.141.11.4", + { + "range": [ + "192.168.2.2", + "192.168.2.4" + ] + } + ] + ] + }, + "key": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + } + }, + "family": "ip" + } + } +] + +# snat ip to ip saddr map { 10.141.12.14 : 192.168.2.0/24 } +[ + { + "snat": { + "addr": { + "map": { + "data": { + "set": [ + [ + "10.141.12.14", + { + "prefix": { + "addr": "192.168.2.0", + "len": 24 + } + } + ] + ] + }, + "key": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + } + }, + "family": "ip" + } + } +] + +# meta l4proto { 6, 17} snat ip to ip saddr . th dport map { 10.141.11.4 . 20 : 192.168.2.3 . 80} +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": { + "set": [ + "tcp", + "udp" + ] + } + } + }, + { + "snat": { + "addr": { + "map": { + "data": { + "set": [ + [ + { + "concat": [ + "10.141.11.4", + 20 + ] + }, + { + "concat": [ + "192.168.2.3", + 80 + ] + } + ] + ] + }, + "key": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "dport", + "protocol": "th" + } + } + ] + } + } + }, + "family": "ip" + } + } +] + diff --git a/tests/py/ip/snat.t.json.output b/tests/py/ip/snat.t.json.output new file mode 100644 index 0000000..2a99780 --- /dev/null +++ b/tests/py/ip/snat.t.json.output @@ -0,0 +1,249 @@ +# iifname "eth0" tcp dport {80, 90, 23} snat to 192.168.3.2 +[ + { + "match": { + "left": { + "meta": { "key": "iifname" } + }, + "op": "==", + "right": "eth0" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "set": [ + 23, + 80, + 90 + ] + } + } + }, + { + "snat": { + "addr": "192.168.3.2" + } + } +] + +# iifname "eth0" tcp dport != {80, 90, 23} snat to 192.168.3.2 +[ + { + "match": { + "left": { + "meta": { "key": "iifname" } + }, + "op": "==", + "right": "eth0" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "!=", + "right": { + "set": [ + 23, + 80, + 90 + ] + } + } + }, + { + "snat": { + "addr": "192.168.3.2" + } + } +] + +# snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 } +[ + { + "snat": { + "addr": { + "map": { + "data": { + "set": [ + [ + "10.141.11.4", + { + "concat": [ + "192.168.2.3", + 80 + ] + } + ] + ] + }, + "key": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + } + }, + "family": "ip" + } + } +] + +# meta l4proto 17 snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 } +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 17 + } + }, + { + "snat": { + "addr": { + "map": { + "data": { + "set": [ + [ + "10.141.11.4", + { + "concat": [ + "192.168.2.3", + 80 + ] + } + ] + ] + }, + "key": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + } + }, + "family": "ip" + } + } +] + +# meta l4proto { 6, 17} snat ip to ip saddr . th dport map { 10.141.11.4 . 20 : 192.168.2.3 . 80} +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": { + "set": [ + 6, + 17 + ] + } + } + }, + { + "snat": { + "addr": { + "map": { + "data": { + "set": [ + [ + { + "concat": [ + "10.141.11.4", + 20 + ] + }, + { + "concat": [ + "192.168.2.3", + 80 + ] + } + ] + ] + }, + "key": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "dport", + "protocol": "th" + } + } + ] + } + } + }, + "family": "ip" + } + } +] + +# snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24 } +[ + { + "snat": { + "addr": { + "map": { + "data": { + "set": [ + [ + { + "prefix": { + "addr": "10.141.11.0", + "len": 24 + } + }, + { + "prefix": { + "addr": "192.168.2.0", + "len": 24 + } + } + ] + ] + }, + "key": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + } + } + }, + "family": "ip", + "flags": "netmap", + "type_flags": "prefix" + } + } +] + diff --git a/tests/py/ip/snat.t.payload b/tests/py/ip/snat.t.payload new file mode 100644 index 0000000..71a5e2f --- /dev/null +++ b/tests/py/ip/snat.t.payload @@ -0,0 +1,154 @@ +# iifname "eth0" tcp dport 80-90 snat to 192.168.3.2 +ip test-ip4 postrouting + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp gte reg 1 0x00005000 ] + [ cmp lte reg 1 0x00005a00 ] + [ immediate reg 1 0x0203a8c0 ] + [ nat snat ip addr_min reg 1 ] + +# iifname "eth0" tcp dport != 80-90 snat to 192.168.3.2 +ip test-ip4 postrouting + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ range neq reg 1 0x00005000 0x00005a00 ] + [ immediate reg 1 0x0203a8c0 ] + [ nat snat ip addr_min reg 1 ] + +# iifname "eth0" tcp dport {80, 90, 23} snat to 192.168.3.2 +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00005000 : 0 [end] element 00005a00 : 0 [end] element 00001700 : 0 [end] +ip test-ip4 postrouting + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ immediate reg 1 0x0203a8c0 ] + [ nat snat ip addr_min reg 1 ] + +# iifname "eth0" tcp dport != {80, 90, 23} snat to 192.168.3.2 +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00005000 : 0 [end] element 00005a00 : 0 [end] element 00001700 : 0 [end] +ip test-ip4 postrouting + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + [ immediate reg 1 0x0203a8c0 ] + [ nat snat ip addr_min reg 1 ] + +# iifname "eth0" tcp dport != 23-34 snat to 192.168.3.2 +ip test-ip4 postrouting + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ range neq reg 1 0x00001700 0x00002200 ] + [ immediate reg 1 0x0203a8c0 ] + [ nat snat ip addr_min reg 1 ] + +# iifname "eth0" tcp dport 80-90 snat to 192.168.3.0-192.168.3.255 +ip + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp gte reg 1 0x00005000 ] + [ cmp lte reg 1 0x00005a00 ] + [ immediate reg 1 0x0003a8c0 ] + [ immediate reg 2 0xff03a8c0 ] + [ nat snat ip addr_min reg 1 addr_max reg 2 ] + +# iifname "eth0" tcp dport 80-90 snat to 192.168.3.15-192.168.3.240 +ip + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp gte reg 1 0x00005000 ] + [ cmp lte reg 1 0x00005a00 ] + [ immediate reg 1 0x0f03a8c0 ] + [ immediate reg 2 0xf003a8c0 ] + [ nat snat ip addr_min reg 1 addr_max reg 2 ] + +# meta l4proto 17 snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 } +__map%d test-ip4 b size 1 +__map%d test-ip4 0 + element 040b8d0a : 0302a8c0 00005000 0 [end] +ip + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat snat ip addr_min reg 1 proto_min reg 9 ] + +# snat ip to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 } +__map%d test-ip4 b size 1 +__map%d test-ip4 0 + element 040b8d0a : 0202a8c0 0402a8c0 0 [end] +ip + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat snat ip addr_min reg 1 addr_max reg 9 ] + +# snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24 } +__map%d test-ip4 f size 3 +__map%d test-ip4 0 + element 00000000 : 1 [end] element 000b8d0a : 0002a8c0 ff02a8c0 0 [end] element 000c8d0a : 1 [end] +ip + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat snat ip addr_min reg 1 addr_max reg 9 flags 0x40 ] + +# snat ip to ip saddr map { 10.141.12.14 : 192.168.2.0/24 } +__map%d test-ip4 b size 1 +__map%d test-ip4 0 + element 0e0c8d0a : 0002a8c0 ff02a8c0 0 [end] +ip + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat snat ip addr_min reg 1 addr_max reg 9 ] + +# meta l4proto { 6, 17} snat ip to ip saddr . th dport map { 10.141.11.4 . 20 : 192.168.2.3 . 80} +__set%d test-ip4 3 size 2 +__set%d test-ip4 0 + element 00000006 : 0 [end] element 00000011 : 0 [end] +__map%d test-ip4 b size 1 +__map%d test-ip4 0 + element 040b8d0a 00001400 : 0302a8c0 00005000 0 [end] +ip + [ meta load l4proto => reg 1 ] + [ lookup reg 1 set __set%d ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 2b @ transport header + 2 => reg 9 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat snat ip addr_min reg 1 proto_min reg 9 ] + +# ip daddr 192.168.0.1 dnat to tcp dport map { 443 : 10.141.10.4 . 8443, 80 : 10.141.10.4 . 8080 } +__map%d x b size 2 +__map%d x 0 + element 0000bb01 : 040a8d0a 0000fb20 0 [end] element 00005000 : 040a8d0a 0000901f 0 [end] +ip + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x0100a8c0 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat dnat ip addr_min reg 1 proto_min reg 9 ] + diff --git a/tests/py/ip/tcp.t b/tests/py/ip/tcp.t new file mode 100644 index 0000000..4dcfcb6 --- /dev/null +++ b/tests/py/ip/tcp.t @@ -0,0 +1,6 @@ +:input;type filter hook input priority 0 + +*ip;test-ip;input + +ip protocol tcp tcp dport ssh accept;ok;tcp dport 22 accept +ip protocol ne tcp udp dport ssh accept;ok;ip protocol != 6 udp dport 22 accept diff --git a/tests/py/ip/tcp.t.json b/tests/py/ip/tcp.t.json new file mode 100644 index 0000000..d2c0915 --- /dev/null +++ b/tests/py/ip/tcp.t.json @@ -0,0 +1,62 @@ +# ip protocol tcp tcp dport ssh accept +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": "tcp" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": "ssh" + } + }, + { + "accept": null + } +] + +# ip protocol ne tcp udp dport ssh accept +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "!=", + "right": "tcp" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": "ssh" + } + }, + { + "accept": null + } +] + diff --git a/tests/py/ip/tcp.t.json.output b/tests/py/ip/tcp.t.json.output new file mode 100644 index 0000000..7e89854 --- /dev/null +++ b/tests/py/ip/tcp.t.json.output @@ -0,0 +1,50 @@ +# ip protocol tcp tcp dport ssh accept +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + }, + { + "accept": null + } +] + +# ip protocol ne tcp udp dport ssh accept +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "!=", + "right": 6 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 22 + } + }, + { + "accept": null + } +] + diff --git a/tests/py/ip/tcp.t.payload b/tests/py/ip/tcp.t.payload new file mode 100644 index 0000000..58956d9 --- /dev/null +++ b/tests/py/ip/tcp.t.payload @@ -0,0 +1,18 @@ +# ip protocol tcp tcp dport ssh accept +ip test-ip input + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + [ immediate reg 0 accept ] + +# ip protocol ne tcp udp dport ssh accept +ip test-ip input + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp neq reg 1 0x00000006 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + [ immediate reg 0 accept ] + diff --git a/tests/py/ip/tproxy.t b/tests/py/ip/tproxy.t new file mode 100644 index 0000000..544c519 --- /dev/null +++ b/tests/py/ip/tproxy.t @@ -0,0 +1,14 @@ +:y;type filter hook prerouting priority -150 + +*ip;x;y + +tproxy;fail +tproxy to 192.0.2.1;fail +tproxy to 192.0.2.1:50080;fail +tproxy to :50080;fail +meta l4proto 17 tproxy to 192.0.2.1;ok +meta l4proto 6 tproxy to 192.0.2.1:50080;ok +ip protocol 6 tproxy to :50080;ok +meta l4proto 17 tproxy ip to 192.0.2.1;ok;meta l4proto 17 tproxy to 192.0.2.1 +meta l4proto 6 tproxy ip to 192.0.2.1:50080;ok;meta l4proto 6 tproxy to 192.0.2.1:50080 +ip protocol 6 tproxy ip to :50080;ok;ip protocol 6 tproxy to :50080 diff --git a/tests/py/ip/tproxy.t.json b/tests/py/ip/tproxy.t.json new file mode 100644 index 0000000..4635fc1 --- /dev/null +++ b/tests/py/ip/tproxy.t.json @@ -0,0 +1,126 @@ +# meta l4proto 17 tproxy to 192.0.2.1 +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 17 + } + }, + { + "tproxy": { + "addr": "192.0.2.1" + } + } +] + +# meta l4proto 6 tproxy to 192.0.2.1:50080 +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 6 + } + }, + { + "tproxy": { + "addr": "192.0.2.1", + "port": 50080 + } + } +] + +# ip protocol 6 tproxy to :50080 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": 6 + } + }, + { + "tproxy": { + "port": 50080 + } + } +] + +# meta l4proto 17 tproxy ip to 192.0.2.1 +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 17 + } + }, + { + "tproxy": { + "addr": "192.0.2.1", + "family": "ip" + } + } +] + +# meta l4proto 6 tproxy ip to 192.0.2.1:50080 +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 6 + } + }, + { + "tproxy": { + "addr": "192.0.2.1", + "family": "ip", + "port": 50080 + } + } +] + +# ip protocol 6 tproxy ip to :50080 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": 6 + } + }, + { + "tproxy": { + "family": "ip", + "port": 50080 + } + } +] diff --git a/tests/py/ip/tproxy.t.json.output b/tests/py/ip/tproxy.t.json.output new file mode 100644 index 0000000..2690f22 --- /dev/null +++ b/tests/py/ip/tproxy.t.json.output @@ -0,0 +1,61 @@ +# meta l4proto 17 tproxy ip to 192.0.2.1 +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 17 + } + }, + { + "tproxy": { + "addr": "192.0.2.1" + } + } +] + +# meta l4proto 6 tproxy ip to 192.0.2.1:50080 +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 6 + } + }, + { + "tproxy": { + "addr": "192.0.2.1", + "port": 50080 + } + } +] + +# ip protocol 6 tproxy ip to :50080 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": 6 + } + }, + { + "tproxy": { + "port": 50080 + } + } +] diff --git a/tests/py/ip/tproxy.t.payload b/tests/py/ip/tproxy.t.payload new file mode 100644 index 0000000..dfe830e --- /dev/null +++ b/tests/py/ip/tproxy.t.payload @@ -0,0 +1,44 @@ +# meta l4proto 17 tproxy to 192.0.2.1 +ip x y + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ immediate reg 1 0x010200c0 ] + [ tproxy ip addr reg 1 ] + +# meta l4proto 6 tproxy to 192.0.2.1:50080 +ip x y + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ immediate reg 1 0x010200c0 ] + [ immediate reg 2 0x0000a0c3 ] + [ tproxy ip addr reg 1 port reg 2 ] + +# ip protocol 6 tproxy to :50080 +ip x y + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ immediate reg 1 0x0000a0c3 ] + [ tproxy ip port reg 1 ] + +# meta l4proto 17 tproxy ip to 192.0.2.1 +ip x y + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ immediate reg 1 0x010200c0 ] + [ tproxy ip addr reg 1 ] + +# meta l4proto 6 tproxy ip to 192.0.2.1:50080 +ip x y + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ immediate reg 1 0x010200c0 ] + [ immediate reg 2 0x0000a0c3 ] + [ tproxy ip addr reg 1 port reg 2 ] + +# ip protocol 6 tproxy ip to :50080 +ip x y + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ immediate reg 1 0x0000a0c3 ] + [ tproxy ip port reg 1 ] + |